RE: [ActiveDir] WMI and >Vista
So, here you go!

Select * from Win32_OperatingSystem where Version >= "6.0"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 21, 2007 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WMI and >Vista

A very highly academic question to see if there's a way to even build such a filter :-)

RE: [ActiveDir] WMI and >Vista
It is hard to guarantee what the version # of the next OS will be :) obviously, but I would do something like:

Select * from Win32_OperatingSystem where Version >= "6.0"

What's the reasoning or issue behind this specific "weird" question? :)

/Alain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 21, 2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WMI and >Vista

But can you do a detection of Vista and Vista+next OS?

It's a weird request I know

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

RE: [ActiveDir] WMI and >Vista
Btw, if the goal is just to detect Vista (and not the SKU as I replied below), then:

Select * from Win32_OperatingSystem where Version = "6.0"

will make it.
The Vista RTM build is "6.0.6000" regardless of the SKU (Vista Flavor).

5.0  Windows 2000, all flavors (SKU)
5.1  XP 32-bit, all flavors (SKU)
5.2  XP 64-bit if client, Windows Server 2003 if Server
6.0  Windows Vista, all flavors
6.0  Longhorn Server for now, but this may change ... Still under development as you know.

HTH.
/Alain.

-----Original Message-----
From: Alain Lissoir [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 21, 2007 11:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] WMI and >Vista

Have you looked at the OperatingSystemSKU property? This is a property added in Vista to support the distinction between Vista Home, Ultimate, Business, etc ...
http://msdn2.microsoft.com/en-gb/library/aa394239.aspx

OperatingSystemSKU
Data type: uint32

Stock Keeping Unit (SKU) number for the operating system.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This property is not available.

Possible SKU values are:

Value  Meaning
0      Undefined
1      Ultimate Edition
2      Home Basic Edition
3      Home Basic Premium Edition
4      Enterprise Edition
5      Home Basic N Edition
6      Business Edition
7      Standard Server Edition
8      Datacenter Server Edition
9      Small Business Server Edition
10     Enterprise Server Edition
11     Starter Edition
12     Datacenter Server Core Edition
13     Standard Server Core Edition
14     Enterprise Server Core Edition
15     Enterprise Server IA64 Edition
16     Business N Edition
17     Web Server Edition
18     Cluster Server Edition
19     Home Server Edition
20     Storage Express Server Edition
21     Storage Standard Server Edition
22     Storage Workgroup Server Edition
23     Storage Enterprise Server Edition
24     Server For Small Business Edition
25     Small Business Server Premium Edition

RE: [ActiveDir] WMI and >Vista
Have you looked at the OperatingSystemSKU property? This is a property added in Vista to support the distinction between Vista Home, Ultimate, Business, etc ...
http://msdn2.microsoft.com/en-gb/library/aa394239.aspx

OperatingSystemSKU
Data type: uint32

Stock Keeping Unit (SKU) number for the operating system.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This property is not available.

Possible SKU values are:

Value  Meaning
0      Undefined
1      Ultimate Edition
2      Home Basic Edition
3      Home Basic Premium Edition
4      Enterprise Edition
5      Home Basic N Edition
6      Business Edition
7      Standard Server Edition
8      Datacenter Server Edition
9      Small Business Server Edition
10     Enterprise Server Edition
11     Starter Edition
12     Datacenter Server Core Edition
13     Standard Server Core Edition
14     Enterprise Server Core Edition
15     Enterprise Server IA64 Edition
16     Business N Edition
17     Web Server Edition
18     Cluster Server Edition
19     Home Server Edition
20     Storage Express Server Edition
21     Storage Standard Server Edition
22     Storage Workgroup Server Edition
23     Storage Enterprise Server Edition
24     Server For Small Business Edition
25     Small Business Server Premium Edition

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 21, 2007 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI and >Vista

If one wanted to build a WMI query that would capture Vista "and" any other workstation OS after Vista... how would one build that query?

I know that this will capture Vista:
Select * from Win32_OperatingSystem where Version = "6.0.6000"

But will this catch any version of Vista after XP if, on the odd chance they change the build number?

I know that you can also add a ProductType=1 that captures the workstation only and not servers.

But how can you build a WMI query string for Group policy filtering that is smart enough to capture Vista OS and whatever comes out after Vista (and yes, they are already looking for ideas for the next version see Steve Riley's blog with questions about firewalls in the next version if you don't believe me
http://blogs.technet.com/steriley/archive/2007/01/18/it-s-your-turn-what-improvements-would-you-like-in-windows-firewall-and-ipsec.aspx

Also, can you do:
select * from Win32_OperatingSystem where Caption contains "Vista" ?

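
The filters discussed in this thread can be checked against a set of version strings before they are attached to a Group Policy object. The following is an added example, not code from the thread: a small Python model of a WQL WHERE clause, assuming that WQL compares string properties such as Version character by character (case-insensitively) and that pattern matching is done with LIKE and the % and _ wildcards. The host rows are constructed samples, and the 6.1 and 10.0 rows are releases that shipped after this thread.

```python
import re

# Constructed sample rows standing in for Win32_OperatingSystem instances.
# ProductType: 1 = workstation, 2 = domain controller, 3 = server.
HOSTS = {
    name: {"Version": version, "ProductType": ptype, "Caption": caption}
    for name, version, ptype, caption in [
        ("win2000", "5.0.2195", 1, "Microsoft Windows 2000 Professional"),
        ("xp", "5.1.2600", 1, "Microsoft Windows XP Professional"),
        ("srv2003", "5.2.3790", 3, "Microsoft Windows Server 2003"),
        ("vista", "6.0.6000", 1, "Microsoft\u00ae Windows Vista\u2122 Ultimate"),
        ("longhorn-srv", "6.0.6001", 3, "Microsoft Windows Server 2008"),
        ("win7", "6.1.7601", 1, "Microsoft Windows 7 Professional"),
        ("win10", "10.0.19045", 1, "Microsoft Windows 10 Pro"),
    ]
}

TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\d+)|(>=|<=|<>|=|<|>|\(|\))|([A-Za-z_]\w*))')


def tokenize(clause):
    """Split a WHERE clause into ("lit", value) and ("sym", text) tokens."""
    tokens, pos, clause = [], 0, clause.strip()
    while pos < len(clause):
        m = TOKEN.match(clause, pos)
        if not m:
            raise ValueError("cannot parse: " + clause[pos:])
        string, number, op, word = m.groups()
        if string is not None:
            tokens.append(("lit", string))
        elif number is not None:
            tokens.append(("lit", int(number)))
        else:
            tokens.append(("sym", (op or word).lower()))
        pos = m.end()
    return tokens


def compare(value, op, literal):
    if op == "like":  # % = any run of characters, _ = exactly one character
        pattern = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                          for c in str(literal))
        return re.fullmatch(pattern, str(value), re.I | re.S) is not None
    if isinstance(value, int):
        literal = int(literal)  # numeric property: numeric comparison
    else:
        # Assumption: string property, so the comparison is lexical, not by version.
        value, literal = value.lower(), str(literal).lower()
    return {"=": value == literal, "<>": value != literal, ">=": value >= literal,
            "<=": value <= literal, ">": value > literal, "<": value < literal}[op]


def matches(query, instance):
    """Evaluate the WHERE clause of `query` against one instance (a dict)."""
    tokens = tokenize(re.split(r"\bwhere\b", query, maxsplit=1, flags=re.I)[1])
    row = {key.lower(): value for key, value in instance.items()}
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1][1]

    def condition():
        if peek() == ("sym", "("):
            take()
            result = expression()
            take()  # closing parenthesis
            return result
        prop, op, literal = take(), take(), take()
        return compare(row[prop], op, literal)

    def conjunction():  # AND binds tighter than OR
        result = condition()
        while peek() == ("sym", "and"):
            take()
            result = condition() and result
        return result

    def expression():
        result = conjunction()
        while peek() == ("sym", "or"):
            take()
            result = conjunction() or result
        return result

    return expression()


def hosts_matching(query):
    return [name for name, instance in HOSTS.items() if matches(query, instance)]


BASE = "Select * from Win32_OperatingSystem where "
EXACT_BUILD = BASE + 'Version = "6.0.6000"'
OPEN_ENDED = BASE + 'Version >= "6.0"'
WORKSTATIONS = BASE + 'Version >= "6.0" and ProductType = 1'
WITH_LIKE = BASE + '(Version >= "6.0" or Version like "10.%") and ProductType = 1'
CAPTION_LIKE = BASE + 'Caption like "%Vista%"'

if __name__ == "__main__":
    for query in (EXACT_BUILD, OPEN_ENDED, WORKSTATIONS, WITH_LIKE, CAPTION_LIKE):
        print(query, "->", hosts_matching(query))
```

Under the lexical-comparison assumption, "10.0.19045" sorts below "6.0", so a version string with a two-digit major number needs its own LIKE branch.
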
RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
You must take into account that not everyone is a Win32 API or LDAP API C or C++ developer to write its own logic and create its own tool to perform the management task their business requires. Abstraction layers like WMI, ADSI, CDO, XMLDOM, WSH, ADO and so on ... are helping thousands of people to write scripts and applications without having to dig into the API programming level.

Both worlds have pros and cons. The API programming level requires a more specific programming knowledge, the abstraction layers introduce a proxy, simplify the access pattern and obviously have a performance cost.

I think that none of the two worlds have to be rejected, they just need to be used correctly and when appropriate. This is why Microsoft is documenting Win32 API, COM interfaces and .NET API. If the COM abstraction layers were that yuck, programming environments like WSH and/or VB6 would have not been so heavily used and successful.

Are abstraction layers perfect? Clearly not. Are they useful? Yes for sure. Is there room for improvement? Always.

Regards,
/Alain

Alain LISSOIR
[EMAIL PROTECTED]
Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 02, 2006 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

Good post but yuck. Amazing how many issues you avoid by avoiding ADSI, WMI, CDOEXM, and the other MSFT frameworks designed to make life "easier"...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Saturday, December 02, 2006 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

Let me step in here to give you some more background ... :)

WMI is a 3-tier architecture (See figure at http://msdn.microsoft.com/library/en-us/wmisdk/wmi/wmi_architecture.asp). The SMS client runs at the level of the client API (3) and submits the WQL query to WMI at layer 2 (Core WMI service). This query is handled by WMI core. WMI Core looks after the class in the WQL query (i.e. Win32_Account) and locates the provider supporting it. In this case, the provider is CIMWin32 implemented by CIMWin32.DLL (I skip the explanation about how WMI does that unless someone is interested).

Because that CIMWin32 provider does not support WQL query parsing and is not handling them by itself, WMI core takes the initiative to actually convert this query into a full enumeration request to the provider, meaning that the provider is actually building ALL instances of Win32_Account with all their characteristics. Once the collection is built, WMI core receives the result set and is then post-filtering the enumeration set to match the WHERE clause of the WQL query, which in turn returns the result set requested by the client (SMS in this case).

This is the way how WMI core works with all WMI providers not supporting WQL queries natively (I mean supporting query at the level of the provider itself). Actually, this enumeration technique is implemented to support WQL queries even for providers not supporting WQL queries in their code by design. A WMI provider may have many capabilities (i.e. Get, Put, enumerations, events, etc) and one of them is to support WQL queries (which actually is off-loading WMI core to do the job I just described).

This explanation does not solve your issue, here, but it gives you the explanation of the "why" where the actual solution is to implement a WMI provider that supports natively WQL queries and actually performs the right SAM or LDAP queries against AD (I mean properly scoped). It would be a sort of WMI provider converting WQL queries into SAM/LDAP queries to put it short.

This class was created way before AD did exist. The presence of AD increases dramatically the number of accounts available. Although this class with this provider was working fine during the NT 4.0 time (yes, this class dates from that period), it is challenged in large AD infrastructure. Make a test with a small AD infrastructure where you have only 2000 accounts, and everything will be fine. I can bet that your AD installation is way bigger ...

Now, if you use WMI a lot to query the SAM and AD and if you feel this is an area where some enhancements can be made, let me know and I will be pleased to communicate this data point to the team in charge of WMI and the team in charge of Active Directory. So, we can let them know that it is an important scenario to enhance and supp

RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
Let me step in here to give you some more background ... :)

WMI is a 3-tier architecture (See figure at http://msdn.microsoft.com/library/en-us/wmisdk/wmi/wmi_architecture.asp). The SMS client runs at the level of the client API (3) and submits the WQL query to WMI at layer 2 (Core WMI service). This query is handled by WMI core. WMI Core looks after the class in the WQL query (i.e. Win32_Account) and locates the provider supporting it. In this case, the provider is CIMWin32 implemented by CIMWin32.DLL (I skip the explanation about how WMI does that unless someone is interested).

Because that CIMWin32 provider does not support WQL query parsing and is not handling them by itself, WMI core takes the initiative to actually convert this query into a full enumeration request to the provider, meaning that the provider is actually building ALL instances of Win32_Account with all their characteristics. Once the collection is built, WMI core receives the result set and is then post-filtering the enumeration set to match the WHERE clause of the WQL query, which in turn returns the result set requested by the client (SMS in this case).

This is the way how WMI core works with all WMI providers not supporting WQL queries natively (I mean supporting query at the level of the provider itself). Actually, this enumeration technique is implemented to support WQL queries even for providers not supporting WQL queries in their code by design. A WMI provider may have many capabilities (i.e. Get, Put, enumerations, events, etc) and one of them is to support WQL queries (which actually is off-loading WMI core to do the job I just described).

This explanation does not solve your issue, here, but it gives you the explanation of the "why" where the actual solution is to implement a WMI provider that supports natively WQL queries and actually performs the right SAM or LDAP queries against AD (I mean properly scoped). It would be a sort of WMI provider converting WQL queries into SAM/LDAP queries to put it short.

This class was created way before AD did exist. The presence of AD increases dramatically the number of accounts available. Although this class with this provider was working fine during the NT 4.0 time (yes, this class dates from that period), it is challenged in large AD infrastructure. Make a test with a small AD infrastructure where you have only 2000 accounts, and everything will be fine. I can bet that your AD installation is way bigger ...

Now, if you use WMI a lot to query the SAM and AD and if you feel this is an area where some enhancements can be made, let me know and I will be pleased to communicate this data point to the team in charge of WMI and the team in charge of Active Directory. So, we can let them know that it is an important scenario to enhance and support better. No commitments here, but I will be pleased to convey the message.

Hope this helps a bit ...

PS: However, if you feel you have WMI issues, you can always use the WMI Diagnosis Tool 1.0. You can find pointers to it (+Webcast) at http://www.lissware.net. Note, we will release the version 2.0 early next year.

Regards,
/Alain

Alain LISSOIR
[EMAIL PROTECTED]
Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, December 01, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

Thanks Susan, but I think this case is different - we are talking about different WMI class and in my case the query hangs and never returns results. The ITMU issue is probably a result of intensive load on the CPU when performing the query you pointed to, but in my case if I let it run for hours it still never finishes.

I am far from being well versed in WMI, but I'd suspect that here the problem is caused by WMI not using paging in the query or very inefficient processing when using both LocalAccout=True and SidType=1 keys.

Guy

From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 01, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

http://www.myitforum.com/articles/8/view.asp?id=9048
http://www.myitforum.com/articles/8/view.asp?id=9284

Rod's been tracking that on myitforum and the Patch management listserve for a while now.

Guy Teverovsky wrote:
>
> Hi all,
>
> Recently I had a case where we experienced high CPU utilization after
> deploying SMS client to DCs.
> By now we have identified

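
The query path Alain describes can be modelled in a few lines to show why the WHERE clause does not reduce the work done on the domain controller. This is an added example, not code from the thread or from WMI: the class names, the `instances_built` counter and the account counts are hypothetical, and the WHERE clause is reduced to equality tests on the LocalAccount and SidType keys mentioned in Guy's message.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    local_account: bool
    sid_type: int  # 1 = user, 4 = alias (local group)


def make_directory(local_users, domain_users):
    """Constructed account store: a few local accounts, many domain ones."""
    accounts = [Account(f"local{i}", True, 1) for i in range(local_users)]
    accounts += [Account(f"domain{i}", False, 1) for i in range(domain_users)]
    accounts.append(Account("Administrators", True, 4))
    return accounts


def satisfies(account, where):
    return all(getattr(account, key) == value for key, value in where.items())


class EnumerationOnlyProvider:
    """Models a provider without query support: it can only build every instance."""

    def __init__(self, store):
        self.store = store
        self.instances_built = 0

    def enumerate_instances(self):
        for account in self.store:
            self.instances_built += 1  # every account is materialised in full
            yield account


class QueryCapableProvider(EnumerationOnlyProvider):
    """Models the provider proposed in the message: it scopes the lookup itself."""

    def exec_query(self, where):
        # Stands in for a properly scoped SAM/LDAP search done by the backend.
        for account in self.store:
            if satisfies(account, where):
                self.instances_built += 1  # only matching accounts are built
                yield account


def core_exec_query(provider, where):
    """Models WMI core: delegate the query if possible, else enumerate and post-filter."""
    if hasattr(provider, "exec_query"):
        return list(provider.exec_query(where))
    everything = list(provider.enumerate_instances())  # full enumeration first
    return [account for account in everything if satisfies(account, where)]


def compare_cost(local_users, domain_users):
    """Return (matches, instances built by enumeration, instances built by query)."""
    where = {"local_account": True, "sid_type": 1}
    store = make_directory(local_users, domain_users)
    slow = EnumerationOnlyProvider(store)
    fast = QueryCapableProvider(store)
    slow_result = core_exec_query(slow, where)
    fast_result = core_exec_query(fast, where)
    assert slow_result == fast_result  # same answer, different cost
    return len(slow_result), slow.instances_built, fast.instances_built


if __name__ == "__main__":
    for domain_users in (2000, 200000):
        print(domain_users, compare_cost(3, domain_users))
```

In this model the enumeration path builds one instance per account in the store regardless of how selective the WHERE clause is, which is the growth with directory size that the message attributes to Win32_Account.
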
RE: [ActiveDir] Creating WMI Filters
Interesting ... So, there are again ...

WMIDiag usage: http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx
WMIDiag FAQ: http://blogs.msdn.com/wmi/archive/2006/05/12/596266.aspx
WMIDiag Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&DisplayLang=en
WMIDiag webcast: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032290320&Culture=en-US
WMI Troubleshooting: http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Moon, Brendan
Sent: Wednesday, November 08, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating WMI Filters

Your URLs got mangled by OWA. Hope all is well with you!

- Brendan Moon
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, November 08, 2006 2:37 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating WMI Filters

1/ Can we see the WMI filter? :) That will help ...
2/ Have you run WMIDiag on your XP SP2 machine to assess the WMI state?

WMIDiag usage: http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx
WMIDiag FAQ: http://blogs.msdn.com/wmi/archive/2006/05/12/596266.aspx
WMIDiag Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&DisplayLang=en
WMIDiag webcast: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032290320&Culture=en-US
WMI Troubleshooting: http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

RE: [ActiveDir] Creating WMI Filters
1/ Can we see the WMI filter? :) That will help ...
2/ Have you run WMIDiag on your XP SP2 machine to assess the WMI state?

WMIDiag usage: http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx
WMIDiag FAQ: http://blogs.msdn.com/wmi/archive/2006/05/12/596266.aspx
WMIDiag Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&DisplayLang=en
WMIDiag webcast: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032290320&Culture=en-US
WMI Troubleshooting: http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, November 08, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Creating WMI Filters

On my Windows XP SP2 workstation I get a “Generic Failure” when I try to create or import a WMI Filter. On my Windows 2003 SP1 Domain Controller I am able to create the filter. What could be stopping me from being able to on my XP workstation. I can’t find anything on the web about this.

Thanks

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] Vista & WMI
The caption is not corrupted. The branding introduces a (R) and a (TM).

First, under Vista, the Win32_OperatingSystem class is a singleton class now, meaning that you can locate the UNIQUE instance of that as follows:

    Set colOperatingSystems = objWMIService.Get ("Win32_OperatingSystem=@")

It didn't make sense to enumerate this class when there is actually only 1 instance of the class available. However you can continue to enumerate as before so, your script does not break on "before Vista platforms".

Next to test the Windows version, and not get your script breaking downlevel, you should use the following coding technique:

    If Instr (objOperatingSystem.Caption, "Vista") > 0 Then
        If objOperatingSystem.OperatingSystemSKU = 3 Then
            WScript.Echo "Home Basic Premium Edition"
            wscript.quit
        End If
    End If

To test the operating SKU (Home, Ultimate, Basic, etc), you should use OperatingSystemSKU property. If you are pure Vista (and Longhorn server) and just need to determine the SKU of the OS:

    ' Get returns the single instance, so bind it to the object variable tested below
    Set objOperatingSystem = objWMIService.Get ("Win32_OperatingSystem=@")
    Select Case objOperatingSystem.OperatingSystemSKU
        Case 0
            WScript.Echo "Undefined"
        Case 1
            WScript.Echo "Ultimate Edition"
        Case 2
            WScript.Echo "Home Basic Edition"
        Case 3
            WScript.Echo "Home Basic Premium Edition"
        Case 4
            WScript.Echo "Enterprise Edition"
        Case 5
            WScript.Echo "Home Basic N Edition"
        ' . . .
    End Select

HTH
/Alain

http://msdn.microsoft.com/library/default.asp?url=

OperatingSystemSKU
Data type: uint32

Stock Keeping Unit (SKU) number for the operating system.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This property is not available.

Possible SKU values are:

Value  Meaning
0      Undefined
1      Ultimate Edition
2      Home Basic Edition
3      Home Basic Premium Edition
4      Enterprise Edition
5      Home Basic N Edition
6      Business Edition
7      Standard Server Edition
8      Datacenter Server Edition
9      Small Business Server Edition
10     Enterprise Server Edition
11     Starter Edition
12     Datacenter Server Core Edition
13     Standard Server Core Edition
14     Enterprise Server Core Edition
15     Enterprise Server IA64 Edition
16     Business N Edition
17     Web Server Edition
18     Cluster Server Edition
19     Home Server Edition
20     Storage Express Server Edition
21     Storage Standard Server Edition
22     Storage Workgroup Server Edition
23     Storage Enterprise Server Edition
24     Server For Small Business Edition
25     Small Business Server Premium Edition

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, October 19, 2006 2:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vista & WMI

I’m trying to get a script working in Vista with no success. For some reason the OS caption on Vista looks corrupted, but when I enter it as it’s displayed in wmic, my script ignores it. I even tried to correct it, and still no success. Here’s the script:

    Dim WshShell
    strComputer = "."
    Set WshShell = WScript.CreateObject("WScript.Shell")
    On Error Resume Next

    ' If Workstation, exit script
    Dim objWMIService, colOperatingSystems, objOperatingSystem, strComputer, objFSO
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery ("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem in colOperatingSystems
        If objOperatingSystem.Caption = "Microsoft Windows 2000 Professional" then wscript.quit
        If objOperatingSystem.Caption = "Microsoft Windows XP Professional" then wscript.quit
        If objOperatingSystem.Caption = "Microsoftr Windows VistaT Ultimate" then wscript.quit
        If objOperatingSystem.Caption = "Microsoft Windows Vista Ultimate" then wscript.quit
    Next

    ' Check / Set registry settings for screen saver. Logoff user if settings are updated
    Dim isLocked, ssTimeout, ssActive, ScrnSave, wmi, objSet
    isLocked = WshShell.RegRead ("HKCU\Control Panel\Desktop\ScreenSaverIsSecure")
    ssTimeout = WshShell.RegRead ("HKCU\Control Panel\Desktop\ScreenSaveTimeout")
    ssActive = WshShell.RegRead ("HKCU\Control Panel\Desktop\ScreenSaveActive")
    ScrnSave = WshShell.RegRead ("HKCU\Control Panel\Desktop\SCRNSAVE.EXE")
    If (isLocked = 0) or (CInt(ssTimeout) >900) Or (ssActive = 0) Or (ScrnSave = "") Then
        WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaverIsSecure",1,"REG_SZ"
        WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveActive",1,"REG_SZ"
        WshShell.RegWrite "HKC

RE: [ActiveDir] sample vbs script
Thank you ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Tuesday, June 06, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

Even though Compaq "let me go" these are still my favourites...

-Original Message-
From: [EMAIL PROTECTED] on behalf of Alain Lissoir
Sent: Tue 06/06/2006 21:41
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] sample vbs script

Look at http://www.lissware.net, White Papers section.

February 2000 (Compaq Active Answers):

<http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000.pdf> Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000
<http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000%20(Scripts%20Kit).zip> (Script Kit)
<http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000.pdf> Part 2 - The powerful combination of WSH and ADSI under Windows 2000
<http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000%20(Scripts%20Kit).zip> (Script Kit)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, June 06, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

There are several in the TechNet Script Center
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts?

Thanks
Antonio

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk
RE: [ActiveDir] sample vbs script
Look at http://www.lissware.net, White Papers section, page 73, Sample 22, line 460 and 462.

    459:
    460:objUser.Put "homeDirectory", "\\" & strAccountComputer & _
    461:"\" & strUserID & "$"
    462:objUser.Put "homeDrive", cHomeDrive
    463:

February 2000 (Compaq Active Answers):

<http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000.pdf> Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000
<http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000%20(Scripts%20Kit).zip> (Script Kit)
<http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000.pdf> Part 2 - The powerful combination of WSH and ADSI under Windows 2000
<http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000%20(Scripts%20Kit).zip> (Script Kit)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Thanks for the help so far

But does anyone know how to add the attribute "Home Folder"? Not the "Local Path" but the "Connect:" with letter drive using vbs script?

Thanks Again
Antonio Aranda
RE: [ActiveDir] sample vbs script
Look at http://www.lissware.net, White Papers section.

February 2000 (Compaq Active Answers):
Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000 (Script Kit)
Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, June 06, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

There are several in the TechNet Script Center
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts?

Thanks
Antonio
RE: [ActiveDir] AD, LDAP, and VB Script
There are tons of books on this matter. I'm sure one in this DL will give you good references. You can always start with the White Papers I wrote awhile ago about WSH, ADSI and AD/Exchange at http://www.lissware.net.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Thursday, May 25, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD, LDAP, and VBScript

Dear group,

Can anyone recommend books or references regarding querying AD via LDAP using VBScript? I am a native C++ and JAVA programmer and am very interested in learning how one goes about doing that.

Joe, your set of tools from joeware (very handy set of tools, thank you): were they written in C, C++? If so, do you use Borland or Studio.net to write and compile them?

Thank you,
-Shariff
RE: [ActiveDir] Extending AD Schema
Don't know if you have an access though ...

http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=41666&DisplayTab=Article

March 2004 (Windows & .NET Magazine): Deactivating Schema Extensions
Reasons for Deactivation

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, March 20, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extending AD Schema

As others have indicated, there is no easy way to back out of a schema extension. The trick is to thoroughly test beforehand in a representative lab environment. There are some suggestions regarding this here:

http://www.activedir.org/article.aspx?aid=24#13

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, 21 March 2006 11:01 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extending AD Schema

AD Guys and Gals,

Is there a way to back out of an AD Schema extension? We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again? Can you guys/gals share your experience with schema extensions / updates?

Thanks,
Adeel

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
[ActiveDir] WMIDiag is a New Utility for Diagnosing and Helping in Repairing Problems with the WMI Service
For those of you interested ...

WMIDiag is a New Utility for Diagnosing and Helping in Repairing Problems with the WMI Service. It works from Windows 2000 up to 2003 (including XP and all SPs).

WMIDiag usage: http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx
WMIDiag Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&DisplayLang=en

WMIDiag webcast tomorrow:

Title: Troubleshooting Windows Management Instrumentation (WMI)
Date/Time: 3/8/2006 9:30 AM Pacific
Duration: 60 minutes
Presenter: Alain Lissoir
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032290320&Culture=en-US

Regards,
/Alain

Alain LISSOIR
[EMAIL PROTECTED]
Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net
RE: [ActiveDir] Script to determine a machine's site
If you prepare the latest version of the WinPE CD with the Add-ons (inc. WSH, ADSI and WMI), then you have the Win32_NetworkConfigurationSetting class.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 06, 2006 5:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Does PE have ipconfig? If not can you copy it over?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Thanks for the feedback, Deji, Guido, joe et al.

The one piece of code I'm missing now is one that can determine a machine's IP address. Any suggestions how that may be done (again, assume the machine is not joined to a domain and is running PE). I can then feed that address into the logic that I do have (similar to that outlined below).

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 03 February 2006 23:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

I don't have the script I wrote for this handy, but the logic I used is this:

Get host's IP Address
Split it into whatever subnet mask use in your subnet/site configurations.
Do a CaseCase Else looking for a match.
If you get a match, that computer is in that site.

e.g.
IP is 192.168.100.201
Subnet Mask is /16
192.168.100 = SiteA
192.168.101 = SiteB
192.168.102 = SiteC
192.168.103 = SiteC

So, you go

    Select Case IPAddy
    Case "192.168.100" : strSiteName = "SiteA"
    Case "192.168.101" : strSiteName = "SiteB"
    Case "192.168.102", "192.168.103" : strSiteName = "SiteC"
    .

Works in PE

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 2/3/2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Actually DsAddressToSiteNames will only take socket addresses (PSOCKET_ADDRESS, type AF_INET) to translate, the parameter that takes the dnshostname is the one to specify what DC you want to resolve the addresses to subnet/sites on.

Actually the previously mentioned ATSN[1] utility is a light wrapper over this call.

joe

[1] Note the initials - I am not great with tool names. The best tool name I have isn't even a name I thought up and I haven't made the tool yet. I just know what I want it to do and what its name will be.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greene, Adam S
Sent: Friday, February 03, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

The function call DsAddressToSiteNames will take a dnsHostName and give you the site it belongs to. If you cannot implement that call, there are scripts out there that do a brute force query of AD for sites and subnets to get you the site name. Search for the function call and "DsAddressToSiteNames vbscript" to find them on google. With a lot of sites and subnets, that approach could get unwieldy though. If you can call a remote web service from your vbscript or write a win32 implementation of the call, that would be a better way to go. There is code out there on doing a C# version.

-Adam

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can:

- Interrogate the local machine for its IP address and mask
- Determine the subnet which the machine resides in
- Determine the site that corresponds to that subnet

And all this must be possible on a machine which is not joined to a domain. Ideally, the script should work when WinPE is running, too, as the machine is being built.

Any ideas?

neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a)
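Added example (not the script mentioned in the thread): the address-to-site lookup outlined above, generalised from fixed three-octet prefixes to a longest-prefix match over a table of subnets, so that the most specific subnet wins. The subnet table, site names and helper names are constructed; local addresses are read from Win32_NetworkAdapterConfiguration, and WSH, WMI and Scripting.Dictionary are assumed to be present in the WinPE image.

```vbscript
Option Explicit

' Constructed subnet-to-site table (hypothetical values). On a machine that is
' not joined to a domain the table has to ship with the script.
Dim dictSubnets
Set dictSubnets = CreateObject("Scripting.Dictionary")
dictSubnets.Add "192.168.100.0/24", "SiteA"
dictSubnets.Add "192.168.101.0/24", "SiteB"
dictSubnets.Add "192.168.102.0/23", "SiteC"    ' covers 192.168.102.x and .103.x
dictSubnets.Add "192.168.0.0/16", "SiteHQ"     ' catch-all for the rest of the /16

' True when strIP is a dotted-quad IPv4 address with four octets in 0..255.
' IPv6 addresses returned by WMI contain no dots and are rejected here.
Function IsIPv4(strIP)
    Dim arrOctets, i
    IsIPv4 = False
    If IsNull(strIP) Then Exit Function
    arrOctets = Split(strIP, ".")
    If UBound(arrOctets) <> 3 Then Exit Function
    For i = 0 To 3
        If Not IsNumeric(arrOctets(i)) Then Exit Function
        If CLng(arrOctets(i)) < 0 Or CLng(arrOctets(i)) > 255 Then Exit Function
    Next
    IsIPv4 = True
End Function

' Network address of strIP for a prefix length 0..32, returned as "a.b.c.d/len".
Function NetworkKey(strIP, intPrefix)
    Dim arrOctets, i, intBits, lngMask, strNet
    arrOctets = Split(strIP, ".")
    strNet = ""
    For i = 0 To 3
        intBits = intPrefix - 8 * i              ' mask bits that fall in this octet
        If intBits < 0 Then intBits = 0
        If intBits > 8 Then intBits = 8
        lngMask = CLng(256 - 2 ^ (8 - intBits))  ' 8 bits -> 255, 0 bits -> 0
        If i > 0 Then strNet = strNet & "."
        strNet = strNet & (CLng(arrOctets(i)) And lngMask)
    Next
    NetworkKey = strNet & "/" & intPrefix
End Function

' Site of the most specific subnet containing strIP, or "" when none matches.
Function SiteForAddress(strIP)
    Dim intPrefix, strKey
    SiteForAddress = ""
    If Not IsIPv4(strIP) Then Exit Function
    For intPrefix = 32 To 0 Step -1
        strKey = NetworkKey(strIP, intPrefix)
        If dictSubnets.Exists(strKey) Then
            SiteForAddress = dictSubnets(strKey)
            Exit Function
        End If
    Next
End Function

' Constructed test addresses: one per subnet, one unmatched, one IPv6.
Dim arrTests, strTest
arrTests = Array("192.168.100.201", "192.168.103.7", "192.168.50.1", "10.1.1.1", "fe80::1")
For Each strTest In arrTests
    WScript.Echo strTest & " -> [" & SiteForAddress(strTest) & "]"
Next

' Live lookup: every IPv4 address bound to an IP-enabled adapter.
Dim objWMIService, colAdapters, objAdapter, strAddress
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colAdapters = objWMIService.ExecQuery( _
    "Select IPAddress from Win32_NetworkAdapterConfiguration Where IPEnabled = True")
For Each objAdapter In colAdapters
    If Not IsNull(objAdapter.IPAddress) Then
        For Each strAddress In objAdapter.IPAddress
            If IsIPv4(strAddress) Then
                WScript.Echo "Local " & strAddress & " -> [" & SiteForAddress(strAddress) & "]"
            End If
        Next
    End If
Next
```

The lookup does not use the machine's own subnet mask: the address is matched against the table's prefixes only, so a wrong local mask does not change the result.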
RE: [ActiveDir] Schema Extension
If you have a web access to ITPro or a paper copy of these issues, you can refer to articles of

September 2001 (Windows 2000 Magazine): Diving into the Active Directory Schema
November 2001 (Windows 2000 Magazine): Extending the Active Directory Schema
March 2004 (Windows & .NET Magazine): Deactivating Schema Extensions, Reasons for Deactivation

at http://www.lissware.net

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, February 06, 2006 3:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Extension

Does anyone know of a supported procedure to extend the schema in Windows 2003 SP1 FFL AD?

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
RE: [ActiveDir] OT: WMI to retrieve DHCP leases
There is no WMI exposure of the DHCP settings and data. Sorry.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mitch Reid
Sent: Wednesday, January 25, 2006 1:08 PM
To: ActiveDir.Org
Subject: [ActiveDir] OT: WMI to retrieve DHCP leases

I'm trying to write a VBScript to pull current DHCP leases from a 2003 DHCP server. I can do it with NETSH but I'd like to do it only with WMI in VBS. The closest I could find was dhcpobj.dll from the 2000 Resource Kit. However it doesn't appear to be able to pull leases. Is this possible?

Thanks,
Mitch.
RE: [ActiveDir] CPU/Memory usage & .vbs?
Have a look at http://www.lissware.net,

Volume 1
Sample 5.18 to 5.19 - WatchInstanceStateWithRefreshMethod.wsf
Sample 5.20 - WatchInstanceCollectionStateWithRefresher.wsf

Volume 2
Sample 3.77 to 3.78 - WMICounterMonitor.wsf
Sample 3.79 - PerfMonProv.mof
Sample 3.80 - PerfMonClasses.Mof
Sample 3.81 - NTProcesses.wsf

All these scripts represent techniques and technologies to gather such data.

You can also have a look at http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

WMI Code Creator v1.0 can also help you:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&DisplayLang=en

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 22, 2006 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CPU/Memory usage & .vbs?

Yeah I think WMI is about it for you for this type of stuff from script. Look through the archives for posts from Alain Lissoir (PM for WMI at MS) as he has several links for free tools to automate creating scripts to gather info like this.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 22, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CPU/Memory usage & .vbs?

WMI is a pretty easy way to get this done. What's your comfort level with scripting?

Have you seen this?
http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/monitoring/performance/

On 1/22/06, Harding, Devon <[EMAIL PROTECTED]> wrote:

That being said. I'm looking for a script that will output the current memory usage (in percentage) & the top cpu processes. Is this possible? wmi?

From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Sat 1/21/2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: .vbs mailing list?

Although my most useful information about tough VBScript questions has come from here and from Robbie Allen's various books, there is [EMAIL PROTECTED].

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Saturday, January 21, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: .vbs mailing list?

Is there a VBScript mailing list out there?

-Devon-

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Automagically move AD computers into new/appropriate OU
DSMOVE combined with DSQUERY (Win2003)

    C:\>For /F "delims=*" %i in ('dsquery * "ou=MyOU,DC=LissWare,dc=Net" -filter "(&(objectClass=computer)(name=J*))"') do dsmove -newparent "ou=MyComputers,dc=LissWare,dc=net" %i

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Monday, January 09, 2006 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automagically move AD computers into new/appropriate OU

Is there a way to automagically place new AD computers into the correct OU, as opposed to the built-in Computer container?

Thanks,
...D
RE: [ActiveDir] WMI OS Caption
Here you go.

    Set objWMIServices = Getobject ("winmgmts:root\CIMv2")
    Set objWMIInstances = objWMIServices.InstancesOf ("Win32_OperatingSystem")
    For Each objWMIInstance In objWMIInstances
        WScript.Echo objWMIInstance.Caption
    Next

You can also use an enhanced version of scriptomatic, called WMI Code Creator v1.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&DisplayLang=en

It generates C#, VB.NET and VBScript WMI code.

/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 28, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI OS Caption

Devon, download scriptomatic. It’ll build the code you require.

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 28, 2005 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI OS Caption

How can I print out the OS Caption from WMI? Trying to incorporate in a .vbs

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Win32Shutdown Method & Win2003
    Shutdown.Exe -l -t 0

But I'm sure that many other people have many other good tools to suggest.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, December 15, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

All of the below are correct. I’m running the script by itself just to work out this part. On 2003(SP1) servers, we get the Generic Failure, on 2000 systems, it does nothing. What would be a good external tool in the meantime?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Ok. I think we are facing a bug in the TS context with WMI. Let me investigate. I will file a bug about this. I gonna get back to you but this may take a little while.

I understand that:
- You are an admin of the box.
- The WMI privileges are granted in the script
- You are TSing into a 2003 server
- You cannot logoff or even shutdown the system with the Win32Shutdown method even with the Force (4) flag.
- In which context are you running that script? Not a logon script I presume, right? :) Can you give me more data about your scenario?
- Are you 2003 RTM or SP1?

Please answer these questions. In the meantime, you will have to shell an external tool ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Force (4) also gives the same result. Generic Error. And does not log off the user.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, December 14, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win32Shutdown Method & Win2003

YUP, you should add 4, Here is some code

    Const LOGOFF = 0
    Const SHUTDOWN = 1
    Const REBOOT = 2
    Const FORCE = 4
    Const POWEROFF = 8

    For Each objPC In GetObject("winmgmts:{(shutdown)}").ExecQuery("Select * from Win32_OperatingSystem")
        objPC.Win32Shutdown LOGOFF + FORCE
    Next

On 12/15/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

Devon-
Are you getting an actual error or just that it doesn't work? I ran your script on my test W2003 box and it worked just fine. I ran it as administrator at the server's console. How are you running this script? At the console or in a TS session? The latter may be problematic. Also, you might want to try:

    objSystem.Win32Shutdown 4

which I think is forced logoff. That would get around issues where some process is preventing the normal logoff.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Same error

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

On 2003? Or 2000? Hmmm ... can you try with this :)

    objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

I still get the same error running on a server: Generic Error

It seems to be giving an error right at this point:

    objSystem.Win32Shutdown 0

Here is the whole script:

    Set objWMILocator = CreateObject ("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)
    Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
    For Each objSystem In objSystemSet
        objSystem.Win32Shutdown 0
    Next

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Have you tried your script as a plain admin on server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ...

    Set objWMILocator=CreateObject ("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTE
RE: [ActiveDir] Win32Shutdown Method & Win2003
Ok. I think we are facing a bug in the TS context with WMI. Let me investigate. I will file a bug about this. I gonna get back to you but this may take a little while.

I understand that:
- You are an admin of the box.
- The WMI privileges are granted in the script
- You are TSing into a 2003 server
- You cannot logoff or even shutdown the system with the Win32Shutdown method even with the Force (4) flag.
- In which context are you running that script? Not a logon script I presume, right? :) Can you give me more data about your scenario?
- Are you 2003 RTM or SP1?

Please answer these questions. In the meantime, you will have to shell an external tool ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Force (4) also gives the same result. Generic Error. And does not log off the user.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, December 14, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win32Shutdown Method & Win2003

YUP, you should add 4, Here is some code

    Const LOGOFF = 0
    Const SHUTDOWN = 1
    Const REBOOT = 2
    Const FORCE = 4
    Const POWEROFF = 8

    For Each objPC In GetObject("winmgmts:{(shutdown)}").ExecQuery("Select * from Win32_OperatingSystem")
        objPC.Win32Shutdown LOGOFF + FORCE
    Next

On 12/15/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

Devon-
Are you getting an actual error or just that it doesn't work? I ran your script on my test W2003 box and it worked just fine. I ran it as administrator at the server's console. How are you running this script? At the console or in a TS session? The latter may be problematic. Also, you might want to try:

    objSystem.Win32Shutdown 4

which I think is forced logoff. That would get around issues where some process is preventing the normal logoff.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Same error

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

On 2003? Or 2000? Hmmm ... can you try with this :)

    objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

I still get the same error running on a server: Generic Error

It seems to be giving an error right at this point:

    objSystem.Win32Shutdown 0

Here is the whole script:

    Set objWMILocator = CreateObject ("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)
    Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
    For Each objSystem In objSystemSet
        objSystem.Win32Shutdown 0
    Next

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Have you tried your script as a plain admin on server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ...

    Set objWMILocator=CreateObject ("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 5:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

This script is part of another script that upon logon, checks certain registry values, then if the values are not set, the script then sets the value and logs off the current user. Like I said before, it works on Windows XP but not servers. Why?

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Tuesday, December 13, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

The shutdown command works. Give that a shot.

S

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Harding,
RE: [ActiveDir] Win32Shutdown Method & Win2003
The aim here is to logoff users with the WMI method Win32Shutdown (parameter 0 = Logoff), not to shutdown the machine :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, December 14, 2005 7:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win32Shutdown Method & Win2003

I use PsShutdown.exe from www.systeminternals.com (free). Create single batch file and run it.

Here is my batch script to reboot all servers at once.

    c:\tools\shutdown -r \\server1    (-r restart the machine)
    c:\tools\shutdown -r \\server2
    c:\tools\shutdown -r \\server3
    c:\tools\shutdown -r \\server4
    c:\tools\shutdown -r \\server5
    c:\tools\shutdown -r \\server6
    etc. etc.

PsShutdown.exe is just renamed to shutdown.exe.

-Z.V.

Alain Lissoir wrote:

Have you tried your script as a plain admin on server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ...

    Set objWMILocator=CreateObject ("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 5:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

This script is part of another script that upon logon, checks certain registry values, then if the values are not set, the script then sets the value and logs off the current user. Like I said before, it works on Windows XP but not servers. Why?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Tuesday, December 13, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

The shutdown command works. Give that a shot.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Tuesday, December 13, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win32Shutdown Method & Win2003

I’m using the following script to logoff a workstation. It works fine on XP workstations but does not seem to work on Windows 2000/2003 servers. Any Ideas?

    Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
    For Each objSystem In objSystemSet
        objSystem.Win32Shutdown 0
    Next

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Win32Shutdown Method & Win2003
On 2003? Or 2000? Hmmm ... can you try with this :)

objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

I still get the same error running on a server: Generic Error

It seems to be giving an error right at this point:

objSystem.Win32Shutdown 0

Here is the whole script:

Set objWMILocator = CreateObject ("WbemScripting.SWbemLocator")
objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)
Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Have you tried your script as a plain admin on server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ...

Set objWMILocator=CreateObject ("WbemScripting.SWbemLocator")
objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 5:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

This script is part of another script that upon logon, checks certain registry values, then if the values are not set, the script then sets the value and logs off the current user. Like I said before, it works on Windows XP but not servers. Why?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, December 13, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

The shutdown command works. Give that a shot.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 13, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win32Shutdown Method & Win2003

I’m using the following script to log off a workstation. It works fine on XP workstations but does not seem to work on Windows 2000/2003 servers. Any ideas?

Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Win32Shutdown Method & Win2003
Have you tried your script as a plain admin on server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ...

Set objWMILocator=CreateObject ("WbemScripting.SWbemLocator")
objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 5:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

This script is part of another script that upon logon, checks certain registry values, then if the values are not set, the script then sets the value and logs off the current user. Like I said before, it works on Windows XP but not servers. Why?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, December 13, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

The shutdown command works. Give that a shot.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 13, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win32Shutdown Method & Win2003

I’m using the following script to log off a workstation. It works fine on XP workstations but does not seem to work on Windows 2000/2003 servers. Any ideas?

Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
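The privilege suggestion from this thread, written out as an added example (not code from any of the posters): both privileges named in the thread are enabled on the SWbemLocator before ConnectServer, and Win32Shutdown is then called through that same connection with its return code reported. The function name LogOffInteractiveUser, the command-line handling and the use of blank credentials are assumptions of this example.

```vbscript
Option Explicit

Const cWMINameSpace = "Root\CIMv2"
Const wbemImpersonationLevelImpersonate = 3
Const LOGOFF = 0    ' Win32Shutdown flag used in the thread (0 = Logoff)

' Hypothetical helper (the name is an assumption of this example).
' Returns the Win32Shutdown return code (0 = success), the COM error
' number if the connection or the call failed, or -1 if no
' Win32_OperatingSystem instance was returned.
Function LogOffInteractiveUser(strComputerName, strUserID, strPassword)
    Dim objWMILocator, objWMIServices, objSystemSet, objSystem, lngRC

    Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
    ' Security settings are made on the locator BEFORE ConnectServer,
    ' so the connection it returns carries them.
    objWMILocator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True

    On Error Resume Next
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, _
                                                     strUserID, strPassword)
    If Err.Number <> 0 Then
        WScript.Echo "ConnectServer failed: 0x" & Hex(Err.Number) & " " & Err.Description
        LogOffInteractiveUser = Err.Number
        Exit Function
    End If

    lngRC = -1
    ' Use the connection created above; a separate GetObject("winmgmts:...")
    ' moniker would open a second connection with its own security settings.
    Set objSystemSet = objWMIServices.InstancesOf("Win32_OperatingSystem")
    For Each objSystem In objSystemSet
        lngRC = objSystem.Win32Shutdown(LOGOFF)
        If Err.Number <> 0 Then
            WScript.Echo "Win32Shutdown failed: 0x" & Hex(Err.Number) & " " & Err.Description
            lngRC = Err.Number
            Err.Clear
        End If
    Next
    On Error GoTo 0

    LogOffInteractiveUser = lngRC
End Function

' Running this with a computer name really logs the interactive user off.
' Blank user ID and password mean the caller's own security context is used,
' so no password has to be stored in the script.
Dim lngResult
If WScript.Arguments.Count = 1 Then
    lngResult = LogOffInteractiveUser(WScript.Arguments(0), "", "")
    WScript.Echo "Result: " & lngResult
Else
    WScript.Echo "Usage: cscript LogOff.vbs <computer>   (use . for the local machine)"
End If
```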
RE: [ActiveDir] Convert to .vbs
Yes, same feature. However, if you reuse the functions listed below, you just need to execute the calls. That is pretty simple. My functions just make a reference to an objLogFileName which is a file handler as I log all activities to a file. You can get rid of that. You call. But if you want to make this from WSH, that's the way to go. The functions coming out of my books are generic and reusable for most circumstances. The code is not specific to any specific registry changes. The functions wrap the WSH Reg feature.

HTH
/Alain

' ---
' Write the registry (Be sure that user has right to create it)
WriteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
              "ValueRegBinary", "REG_BINARY", _
              -2147483647
WriteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
              "ValueRegDWord", "REG_DWORD", _
              642522
WriteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
              "ValueRegExpandSz", "REG_EXPAND_SZ", _
              "This is an expanded '%SystemRoot%' string"
WriteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
              "ValueRegSz", "REG_SZ", _
              "This is another string"

' ---
' Read the registry.
Dim varRegValue

varRegValue = ReadRegistry (objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
                            "ValueRegBinary", "REG_BINARY")
varRegValue = ReadRegistry (objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
                            "ValueRegDWord", "REG_DWORD")
varRegValue = ReadRegistry (objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
                            "ValueRegExpandSz", "REG_EXPAND_SZ")
varRegValue = ReadRegistry (objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
                            "ValueRegMultiSz", "REG_MULTI_SZ")
varRegValue = ReadRegistry (objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
                            "ValueRegSz", "REG_SZ")

' ---
' Delete the registry keys created.
DeleteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
               "ValueRegBinary"
DeleteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
               "ValueRegDWord"
DeleteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
               "ValueRegExpandSz"
DeleteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
               "ValueRegSz"
DeleteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
               "ValueRegMultiSz"
DeleteRegistry objLogFileName, "HKCU\Software\MyRegistryKey\Registry Access", _
               ""
DeleteRegistry objLogFileName, "HKCU\Software\MyRegistryKey", _

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 12, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Convert to .vbs

Is this the same thing?

http://msdn.microsoft.com/library/default.asp?url=

I’m trying to make the script as least complicated as possible.

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Saturday, December 10, 2005 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Convert to .vbs

I already replied to a similar question from you, Devon! :)

http://www.mail-archive.com/activedir@mail.activedir.org/msg36034.html

Have a look at http://www.lissware.net, vol 1, Sample 1.01 to 1.25 - WSHScript.vbs. This script contains all subroutines you need to read, write registry, env. variables, etc ... from .vbs. With this cscript, you will easily convert your kix script below into a .vbs. You just need to tweak the function calls and return codes accordingly and reuse the set of registry keys your kix script references.

strLastRun = ReadRegistry (objLOGFileHandle, "HKLM\Software\LisswareNet\MySoftware", _
                           "LastRun", _
                           "REG_SZ")

WriteRegistry objLOGFileHandle, "HKLM\Software\LisswareNet\MySoftware", _
              "L
RE: [ActiveDir] Convert to .vbs
I already replied to a similar question from you, Devon! :)

http://www.mail-archive.com/activedir@mail.activedir.org/msg36034.html

Have a look at http://www.lissware.net, vol 1, Sample 1.01 to 1.25 - WSHScript.vbs. This script contains all subroutines you need to read, write registry, env. variables, etc ... from .vbs. With this cscript, you will easily convert your kix script below into a .vbs. You just need to tweak the function calls and return codes accordingly and reuse the set of registry keys your kix script references.

strLastRun = ReadRegistry (objLOGFileHandle, "HKLM\Software\LisswareNet\MySoftware", _
                           "LastRun", _
                           "REG_SZ")

WriteRegistry objLOGFileHandle, "HKLM\Software\LisswareNet\MySoftware", _
              "LastRun", "REG_SZ", _
              Now

HTH.

Private Function GetRunTimeEnvInfo (classRunTimeEnvironmentInfo)
Private Function LogRunTimeEnvInfo (objFileName, classRunTimeEnvironmentInfo)
Private Function ReadRegistry (objFileName, strKeyName, KeyValueName, strRegType)
Private Function WriteRegistry (objFileName, strKeyName, KeyValueName, strRegType, varRegKeyValue)
Private Function DeleteRegistry (objFileName, strKeyName, KeyValueName)
Private Function EnumerateDriveConnections (objFileName)
Private Function ConnectNetworkDrive (objFileName, strDriveLetter, strShareName)
Private Function DisconnectNetworkDrive (objFileName, strDriveLetter, boolConfirm)
Private Function EnumeratePrinterConnections (objFileName)
Private Function ConnectWindowsNetworkPrinter (objFileName, strShareName, boolDefault)
Private Function ConnectNetworkPrinter (objFileName, strLPT, strShareName)
Private Function DisconnectNetworkPrinter (objFileName, strLPT, boolConfirm)
Private Function ReadEnvironmentVariable (objFileName, strEnvironmentType, strVarName)
Private Function CreateEnvironmentVariable (objFileName, strEnvironmentType, strVarName, varValue)
Private Function RemoveEnvironmentVariable (objFileName, strEnvironmentType, strVarName)
Private Function GetAllEnvironmentVariables (objFileName, strEnvironmentType)
Private Function ReadCommandLineArgument (objFileName, strParameterList)
Private Function ErrorHandler (objFileName, strFunctionName, Err, boolPopupErrors)
Private Function CreateTextFile (strFileName)
Private Function CloseTextFile (objFileName)
Private Function WriteToFile (objFileName, strText)

/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, December 09, 2005 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Convert to .vbs

I need to convert this kix script into a smaller, faster .vbs script. Can it be done?

; If workstation, exit script
If @ProductType = "Windows 2000 Professional" or @ProductType = "Windows XP Professional" or @ProductType = "Windows NT Workstation"
    cls
    Exit
Endif

; Check / Set VNC application hooks for logon.scr screen saver
$ReturnCode = KeyExist("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr")
If $ReturnCode=0
    Addkey("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr")
    WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_Deferral",1,"reg_dword")
    WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_use_GetUpdateRect",1,"reg_dword")
    WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_KeyPress",1,"reg_dword")
    WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_LButtonUp",1,"reg_dword")
    WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_MButtonUp",1,"reg_dword")
    WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_RButtonUp",1,"reg_dword")
    WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_Timer",0,"reg_dword")
EndIf

; Check / Set registry settings for BGINFO
$ReturnCode = KeyExist("HKCU\Software\Winternals")
If $ReturnCode = 0
    Addkey("HKCU\Software\Winternals")
EndIf
$ReturnCode = KeyExist("HKCU\Software\Winternals\BGInfo")
If $ReturnCode = 0
    Addkey("HKCU\Software\Winternals\BGInfo")
    WriteValue("HKCU\Software\Winternals\BGInfo","Background",0,"reg_dword")
    WriteValue("HKCU\Software\Winternals\BGInfo","Foreground",16777215,"reg_dword")
EndIf

; Run BGINFO from NetLogon share
Run @Ldrive + "\bginfo.exe /i\\bsgad1\netlogon\newbginfo.bgi /timer:0"

; Check / Set registry settings for screen saver. Logoff user if settings are updated
$IsLocked = ReadValue("HKCU\Control Panel\Desktop","ScreenSaverIsSecure")
$SSTimeOut = ReadValue("HKCU\Control Panel\Desktop","ScreenSaveTimeout")
$SSAct
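The VNC hooks part of the KiX script above, converted with the WSH registry calls (WshShell.RegRead and RegWrite) that the reply says its functions wrap. This is an added example, not the ReadRegistry/WriteRegistry code from the book; the helper names are assumptions, the value names are copied from the KiX script as posted, and instead of testing the key once it checks each value and writes only those that are missing or different.

```vbscript
Option Explicit

Const cVNCHooksKey = "HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr"

Dim objShell, dictPrefs, strName, intWritten
Set objShell = CreateObject("WScript.Shell")

' Hypothetical helper: reads a registry value and returns Empty instead of
' raising an error when the key or the value does not exist.
Function ReadRegistryValue(strKeyName, strValueName)
    Dim varValue
    On Error Resume Next
    varValue = objShell.RegRead(strKeyName & "\" & strValueName)
    If Err.Number <> 0 Then
        varValue = Empty
        Err.Clear
    End If
    On Error GoTo 0
    ReadRegistryValue = varValue
End Function

' Hypothetical helper: makes sure a REG_DWORD value holds lngWanted.
' Returns True only when the registry had to be changed, so the caller
' can tell whether anything was updated during this logon.
Function EnsureDWord(strKeyName, strValueName, lngWanted)
    Dim varCurrent
    EnsureDWord = False
    varCurrent = ReadRegistryValue(strKeyName, strValueName)
    ' REG_BINARY and REG_MULTI_SZ come back as arrays and cannot be
    ' compared with "="; treat them as "wrong type, rewrite".
    If Not IsEmpty(varCurrent) And Not IsArray(varCurrent) Then
        If varCurrent = lngWanted Then Exit Function
    End If
    ' RegWrite creates the key path when it is missing, which replaces
    ' the separate KeyExist/Addkey step of the KiX script.
    objShell.RegWrite strKeyName & "\" & strValueName, lngWanted, "REG_DWORD"
    EnsureDWord = True
End Function

' Value names and data exactly as they appear in the posted KiX script.
Set dictPrefs = CreateObject("Scripting.Dictionary")
dictPrefs.Add "use_Deferral", 1
dictPrefs.Add "use_use_GetUpdateRect", 1
dictPrefs.Add "use_KeyPress", 1
dictPrefs.Add "use_LButtonUp", 1
dictPrefs.Add "use_MButtonUp", 1
dictPrefs.Add "use_RButtonUp", 1
dictPrefs.Add "use_Timer", 0

intWritten = 0
For Each strName In dictPrefs.Keys
    If EnsureDWord(cVNCHooksKey, strName, dictPrefs(strName)) Then
        intWritten = intWritten + 1
    End If
Next

WScript.Echo intWritten & " value(s) written under " & cVNCHooksKey
```

A second run on the same profile reports 0 values written, which is the condition a logon script can use to skip the logoff step.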
RE: [ActiveDir] envoirment variables
How do you set the variable? By changing the registry content? By using the COM interfaces of WSH? Did you try to open another CMD.EXE (process) after setting the variable? This could be the issue. Try with Sample 2.26 to 2.30 - WMIEnv.wsf, vol 2, at http://www.lissware.net. This one sets the env variable with WMI. Choose the name, the value and the env. type. It should work in a logon script but I suspect that the current process doesn't get the env. refreshed.

C:\>WMIEnv.wsf
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Environment variable with its value is missing.

Usage: WMIEnv.wsf [EnvVariable] /Env:value /Action:value [/Force[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:

EnvVariable : The environment variable name with its value.
Env : Specify the environment type: [system] for the system, [user] for the current user, [Domain\UserAccount] for any other user account.
Action : Specify the operation to perform: [list] or [create] or [update] or [delete].
Force : Force a creation if the update fails, force an update if the creation fails.
Machine : Determine the WMI system to connect to. (default=LocalHost)
User : Determine the UserID to perform the remote connection. (default=none)
Password : Determine the password to perform the remote connection. (default=none)

Example:

WMIEnv.wsf /Action:List
WMIEnv.wsf MyVariable=MyValue /Env:MYXPDOMAIN\Alain.Lissoir /Action:Create
WMIEnv.wsf MyOtherVariable=MyValue /Env:SYSTEM /Action:Create
WMIEnv.wsf MyOtherVariable /Env:SYSTEM /Action:Delete

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, December 08, 2005 1:27 PM
To: activedirectory
Subject: [ActiveDir] envoirment variables

I have a logon script via a user GPO that sets environment variables. However those variables are never set. Gpresult claims the GPO was processed and I have nothing in my event logs. The script was set to run synchronously. Is that the issue? Are the variables not there to set yet?

Thanks
RE: [ActiveDir] Exporting Mailbox rights
Where are you running the script? On your workstation or your server? On your workstation is the ESM installed? If yes, can you try to run the script with the /E2KStore+ switch instead? Is this error message coming with an error # 0x8007203A?

From: Amy Hunter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Thank you Alain,

I followed your instructions, I registered the DLL's on my PC then ran the following command from the XYZ folder

For /F "delims=*" %1 in ('dsquery * "ou=group mailboxes,ou=spinnaker,dc=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%1" /Decipher+ /ADSI+

This runs and it does pick up the group mailbox in this OU. I then receive a message saying "WMIManageSD.Wsf(888, 19) (null): The server is not operational"

Do I need to specify somewhere in the script my domain/server details? Am I able to output this information into a text file?

Thanks for your help, sorry I am being a pain.

Amy ;-)

Alain Lissoir <[EMAIL PROTECTED]> wrote:

Do you have the Functions folder available? It contains a series of functions used by WMIManageSD.Wsf

Next you must register the DLL with REGSVR32 in the resource folder. Then you are all set. By default, WMIManageSD.Wsf must be in Folder XYZ while Functions folder must be at the same level.

Root
  + Functions
  |
  + XYZ

Otherwise you can change the "..\Functions" reference to an absolute path and point to the exact location of the Functions folder in your installation (you call).

To run against a group of MB in an OU, just query the users you have in that OU with DSQUERY (or any equivalent tool) and combine them in a command like: (one single line when you type. Line is cut for readability reasons in this mail).

For /F "delims=*" %i in ('dsquery * "ou=group mailboxes,OU=,DC=spinnaker,DC=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%i" /Decipher+ /ADSI+

HTH.

PS: Don't forget the + at the end of the /Decipher+ and /ADSI+ switches.

From: Amy Hunter [mailto:[EMAIL PROTECTED]
Sent: Monday, December 05, 2005 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Hi Alain,

Thanks for your response, it all looks very clever.

I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs"

When I open this script, I can't see any reference to this.

Also, how can I run this against all group mailboxes in an OU? Any ideas?

Amy ;-)

Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet.

Alain Lissoir <[EMAIL PROTECTED]> wrote:

You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:

FileSystem : Get the security descriptor of the specified file or directory path.
Share : Get the security descriptor of the specified share name.
ADObject : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore : Specify if the security descriptor must come from the Exchange 2000 store.
Re
RE: [ActiveDir] Exporting Mailbox rights
Do you have the Functions folder available? It contains a series of functions used by WMIManageSD.Wsf

Next you must register the DLL with REGSVR32 in the resource folder. Then you are all set. By default, WMIManageSD.Wsf must be in Folder XYZ while Functions folder must be at the same level.

Root
  + Functions
  |
  + XYZ

Otherwise you can change the "..\Functions" reference to an absolute path and point to the exact location of the Functions folder in your installation (you call).

To run against a group of MB in an OU, just query the users you have in that OU with DSQUERY (or any equivalent tool) and combine them in a command like: (one single line when you type. Line is cut for readability reasons in this mail).

For /F "delims=*" %i in ('dsquery * "ou=group mailboxes,OU=,DC=spinnaker,DC=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%i" /Decipher+ /ADSI+

HTH.

PS: Don't forget the + at the end of the /Decipher+ and /ADSI+ switches.

From: Amy Hunter [mailto:[EMAIL PROTECTED]
Sent: Monday, December 05, 2005 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Hi Alain,

Thanks for your response, it all looks very clever.

I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs"

When I open this script, I can't see any reference to this.

Also, how can I run this against all group mailboxes in an OU? Any ideas?

Amy ;-)

Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet.

Alain Lissoir <[EMAIL PROTECTED]> wrote:

You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:

FileSystem : Get the security descriptor of the specified file or directory path.
Share : Get the security descriptor of the specified share name.
ADObject : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey : Get the security descriptor of the specified registry key.
WMINameSpace : Get the security descriptor of the specified WMI Name space.
ViewSD : Decipher the security descriptor.
Owner : Set the security descriptor owner.
Group : Set the security descriptor group.
SDControls : Set the security descriptor control flags.
AddAce : Add a new ACE to the ACL.
DelAce : Remove an existing ACE from the ACL.
Trustee : Specify the ACE mask (granted user, group or machine account).
ACEMask : Specify the ACE mask (granted rights).
ACEType : Specify the ACE type (allow or deny the ACE mask).
ACEFlags : Specify the ACE flags (ACE mask inheritance).
ObjectType : Specify which object type, property set, or property an ACE refers to.
InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
SACL : Manage the System ACL (auditing) (default=Discretionary ACL).
Decipher : Decipher the security descriptor.
ADSI : Retrieve the security descriptor with ADSI.
SIDResolutionDC : Domain Controller to use for SID resolution.
Machine : Determine the WMI system to connect to. (default=LocalHost)
User
RE: [ActiveDir] Exporting Mailbox rights
You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:

FileSystem : Get the security descriptor of the specified file or directory path.
Share : Get the security descriptor of the specified share name.
ADObject : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey : Get the security descriptor of the specified registry key.
WMINameSpace : Get the security descriptor of the specified WMI Name space.
ViewSD : Decipher the security descriptor.
Owner : Set the security descriptor owner.
Group : Set the security descriptor group.
SDControls : Set the security descriptor control flags.
AddAce : Add a new ACE to the ACL.
DelAce : Remove an existing ACE from the ACL.
Trustee : Specify the ACE mask (granted user, group or machine account).
ACEMask : Specify the ACE mask (granted rights).
ACEType : Specify the ACE type (allow or deny the ACE mask).
ACEFlags : Specify the ACE flags (ACE mask inheritance).
ObjectType : Specify which object type, property set, or property an ACE refers to.
InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
SACL : Manage the System ACL (auditing) (default=Discretionary ACL).
Decipher : Decipher the security descriptor.
ADSI : Retrieve the security descriptor with ADSI.
SIDResolutionDC : Domain Controller to use for SID resolution.
Machine : Determine the WMI system to connect to. (default=LocalHost)
User : Determine the UserID to perform the remote connection. (default=none)
Password : Determine the password to perform the remote connection. (default=none)

Examples:

>>Viewing Security descriptors ...

>>Files and Folders ---
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+ /ADSI+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ /ADSI+

>>Share ---
WMIManageSD.Wsf /Share:MyDirectory /Decipher+

>>AD object ---
WMIManageSD.Wsf /ADObject:"user;CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /ADObject:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+

>>Exchange 2000 mailbox ---
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /E2KStore+

>>Registry
WMIManageSD.Wsf /RegistryKey:HKLM\SOFTWARE\Microsoft /Decipher+ /ADSI+

>>WMI namespace ---
WMIManageSD.Wsf /WMINameSpace:Root\CIMv2 /Decipher+

>>Adding ACE in Security descriptors ...

>>Files (Rights) --
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Trustee:LissWareNET\MyUser /ACEType:ACCESS_ALLOWED_ACE_TYPE /ACEMask:FILE_GENERIC_READ /ACEFlags:NONE /AddAce+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Trustee:BUILTIN\Administrators /ACEType:ACCESS_A
RE: [ActiveDir] FSMO role transfer
Once you are known for your automation capabilities (WSH, MONAD, programming tools, Perl, whatever), believe me there are companies (usually with large deployments) that are more than happy to hire you on a project. I cannot say that it is the case for all companies (it is also a question of awareness), but as far as I'm concerned, all my professional experience has been made this way because of scripting/automation (from CMD to any kind of programming and automation technique). Once they know how much time they can save, how fast things can be done, they are more than happy to pay the price to get this type of knowledge on board.

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, December 01, 2005 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

While I agree with the "scripting making you a better admin" part, I've never worked for an employer who offered me more $$ because of scripting. Or any interview or employer who cared other than "that's cool" attitude when I wrote a script to automate something. Maybe I'm working for the wrong people.

I've just been teaching myself VBScript in the past few months and I've written some scripts for my employer alone and with the help of this list (a lot of help) and lately I've been gaining the confidence not to rely on this list as much, but my scripting is more for my own personal benefit and knowledge rather than $$ driven because my employer has never indicated that the ability to script was something that was a real value in his/her mind.

Scripting, to the employers I've worked for seems more like knowing about this list - a personal resource that you as an employee chose to use to perform your job better or gain more info, but not something that in and of itself is valued, it seems. Again, I could be working for the wrong people. Also, ironically, I've yet to work in a Windows shop where I met someone who knew how to script.

In fact, in Joe's salary chart of $35,000 to $240,000, I fall in the next to last category. I started at the first/lowest range and in less than 4 years got to ~ the next to last one without knowing any scripting at all. I guess that's a sign of the lack of uniformity in the industry.

On the other hand, I think you should know how to script to be a good admin and I've been busting my butt of late to do just that. But like I said, it's just for my own knowledge that I choose to do so. I don't expect any $$ for it or advance in my career.

Just my random thoughts...

On 12/1/05, joe <[EMAIL PROTECTED]> wrote:

Wow I feel heat directed at me :o)

A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly be done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40, $60, $100, $150 an hour to someone who is supposed to keep things running.

So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form.

Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted? If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude.

A saying I have used here in the past that I always us
RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method
If you want more ADSI explanations and samples, you can have a look at the White Paper section at http://www.lissware.net.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 01, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

> As a complete aside, is there a reason for the odd capitalisation which always
> seems to be used for sAMAccountName? SAMAccountName would seem much better?

It is simply convention. The lDAPDisplayName is usually the cn of the schema object stripped of hyphens and the first letter lowercased. As to why? I don't have that info but if I thought about it I would say it was thought up by a programmer, probably a c/c++ programmer. Most variable conventions in the programming world set the first character of the variable lowercase or possibly even the whole first set of characters which specify a var type like say obj or int (or i for int) or str, etc. If truly interested I would say go do a google for hungarian notation and Charles Simonyi.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, December 01, 2005 6:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

I've done this kind of thing but (as Jeremy has said) it seems really inefficient to have to make all those calls.

As an example, suppose I have a list of students whose accounts I want to deactivate. I'll get that as a list of sAMAccountNames (because the student ID number is used for their username). I now need to query active directory to get the distinguishedname and then bind to that object to do things to it. For some purposes I know I can use getobject("WinNT://domain/samaccountname") but that isn't always suitable. What I want is something which allows me to specify the sAMAccountName in the LDAP: string.

As a complete aside, is there a reason for the odd capitalisation which always seems to be used for sAMAccountName? SAMAccountName would seem much better?

Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 30 November 2005 20:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

It is possible... you only have to do it another way... query AD for the object that matches a certain sAMAccountName

---
    sDomainDNSW2Kx = "ADCORP.LAN"
    ssAMAccountName = "JORGE"

    ' Open an ADO connection through the ADSI OLE DB provider
    Set oConnection = CreateObject("ADODB.Connection")
    Set oCommand = CreateObject("ADODB.Command")
    oConnection.Provider = "ADsDSOObject"
    oConnection.Open "ADs Provider"

    ' The account name is concatenated into the query text as-is
    Set oCommand.ActiveConnection = oConnection
    sQuery = "SELECT DistinguishedName FROM 'LDAP://" & sDomainDNSW2Kx & "' WHERE sAMAccountName = '" & ssAMAccountName & "'"
    oCommand.CommandText = sQuery
    Set oResults = oCommand.Execute

    ' DN of the first matching object
    sObjDN = oResults.Fields("DistinguishedName")
---

cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Burkes, Jeremy [Contractor]
Sent: Wed 11/30/2005 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

Nevermind, just found the answer to my own question, and it is no, must use the person's CN, no other attributes are accepted, good to know. Thanks for the potential help.

Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Wednesday, November 30, 2005 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VBSCRIPT ADSI IADs Get Method

Everyone,

I am trying to write a VBScript to connect to a user account using the samaccountname attribute to update some info. Is this even possible and if so can someone provide a code sample, I would think it would look something like this for Test in the Microsoft domain:

    LDAP://sAMAccountName=Test, OU=Users,DC=Microsoft,DC=COM
or
    LDAP://sAMAccountName=Test,CN=Users,DC=Microsoft,DC=COM

Then again, maybe this is not even possible. If not should I use ADO instead even though I am returning 1 record with each query, seems inefficient way to me when I can just use an ADSI pointer.

Jeremy

--
Jeremy Burkes
System Analyst/MIS SPHQ
[EMAIL PROTECTED]
PH: 202-764-1270 Fax: 202-764-1503
RE: [ActiveDir] Kix to .vbs
Have a look at http://www.lissware.net, vol 1, Sample 1.01 to 1.25 - WSHScript.vbs. This script contains all subroutines you need to read, write registry, env. variables, etc ... from .vbs. With this cscript, you will easily convert your kix script below into a .vbs. You just need to tweak the function calls and return codes accordingly and reuse the set of registry keys your kix script references.

HTH.

    Private Function GetRunTimeEnvInfo (classRunTimeEnvironmentInfo)
    Private Function LogRunTimeEnvInfo (objFileName, classRunTimeEnvironmentInfo)
    Private Function ReadRegistry (objFileName, strKeyName, KeyValueName, strRegType)
    Private Function WriteRegistry (objFileName, strKeyName, KeyValueName, strRegType, varRegKeyValue)
    Private Function DeleteRegistry (objFileName, strKeyName, KeyValueName)
    Private Function EnumerateDriveConnections (objFileName)
    Private Function ConnectNetworkDrive (objFileName, strDriveLetter, strShareName)
    Private Function DisconnectNetworkDrive (objFileName, strDriveLetter, boolConfirm)
    Private Function EnumeratePrinterConnections (objFileName)
    Private Function ConnectWindowsNetworkPrinter (objFileName, strShareName, boolDefault)
    Private Function ConnectNetworkPrinter (objFileName, strLPT, strShareName)
    Private Function DisconnectNetworkPrinter (objFileName, strLPT, boolConfirm)
    Private Function ReadEnvironmentVariable (objFileName, strEnvironmentType, strVarName)
    Private Function CreateEnvironmentVariable (objFileName, strEnvironmentType, strVarName, varValue)
    Private Function RemoveEnvironmentVariable (objFileName, strEnvironmentType, strVarName)
    Private Function GetAllEnvironmentVariables (objFileName, strEnvironmentType)
    Private Function ReadCommandLineArgument (objFileName, strParameterList)
    Private Function ErrorHandler (objFileName, strFunctionName, Err, boolPopupErrors)
    Private Function CreateTextFile (strFileName)
    Private Function CloseTextFile (objFileName)
    Private Function WriteToFile (objFileName, strText)

/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, November 14, 2005 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kix to .vbs

What would be the simplest way to convert this kix script to .vbs?

    ; If workstation, exit script
    If @ProductType = "Windows 2000 Professional" or @ProductType = "Windows XP Professional" or @ProductType = "Windows NT Workstation"
        cls
        Exit
    Endif

    ; Check / Set VNC application hooks for logon.scr screen saver
    $ReturnCode = KeyExist("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr")
    If $ReturnCode=0
        Addkey("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr")
        WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_Deferral",1,"reg_dword")
        WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_use_GetUpdateRect",1,"reg_dword")
        WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_KeyPress",1,"reg_dword")
        WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_LButtonUp",1,"reg_dword")
        WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_MButtonUp",1,"reg_dword")
        WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_RButtonUp",1,"reg_dword")
        WriteValue("HKCU\Software\ORL\VNCHooks\Application_Prefs\logon.scr","use_Timer",0,"reg_dword")
    EndIf

    ; Check / Set registry settings for BGINFO
    $ReturnCode = KeyExist("HKCU\Software\Winternals")
    If $ReturnCode = 0
        Addkey("HKCU\Software\Winternals")
    EndIf
    $ReturnCode = KeyExist("HKCU\Software\Winternals\BGInfo")
    If $ReturnCode = 0
        Addkey("HKCU\Software\Winternals\BGInfo")
        WriteValue("HKCU\Software\Winternals\BGInfo","Background",0,"reg_dword")
        WriteValue("HKCU\Software\Winternals\BGInfo","Foreground",16777215,"reg_dword")
    EndIf

    ; Run BGINFO from NetLogon share
    Run @Ldrive + "\bginfo.exe /i\\gsfps\netlogon\newbginfo.bgi /timer:0"

    ; Check / Set registry settings for screen saver. Logoff user if settings are updated
    $IsLocked = ReadValue("HKCU\Control Panel\Desktop","ScreenSaverIsSecure")
    $SSTimeOut = ReadValue("HKCU\Control Panel\Desktop","ScreenSaveTimeout")
    $SSActive = ReadValue("HKCU\Control Panel\Desktop","ScreenSaveActive")
    $ScrnSave = ReadValue("HKCU\Control Panel\Desktop","SCRNSAVE.EXE")
    If $IsLocked = 0 or (VAL($SSTimeOut) > 900) or $SSActive = 0 or $ScrnSave = ""
        WriteValue("HKCU\Control Panel\Desktop","ScreenSaverIsSecure","1","reg_sz")
        WriteValue("HKCU\Control Panel\Desktop","ScreenSaveActive","1","reg_sz")
        WriteValue("HKCU\Control Panel\Desktop","ScreenSaveTimeout","900","reg_sz")
        WriteValue("HKCU\Control Panel\Desktop","SCRNSAVE.EXE","%system root%\system32\logon.
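The BGInfo and screen-saver sections of the Kix script above, rewritten in VBScript as an added example (not code from the thread or from lissware.net). It assumes the WMI StdRegProv class for the key-existence test, does not write SCRNSAVE.EXE because that value is cut off on this page, and only reports where the Kix script would log the user off.

```vbscript
' Added example: Kix KeyExist/AddKey/WriteValue/ReadValue mapped to WMI StdRegProv.
Option Explicit

Const HKEY_CURRENT_USER = &H80000001
Const BGINFO_PARENT = "Software\Winternals"
Const BGINFO_KEY = "Software\Winternals\BGInfo"
Const DESKTOP_KEY = "Control Panel\Desktop"
Const MAX_TIMEOUT_SECONDS = 900          ' same limit as the Kix script

Dim objReg
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' KeyExist equivalent: EnumKey returns 0 only when the key can be opened.
Function KeyExists(strKey)
    Dim arrSubKeys
    KeyExists = (objReg.EnumKey(HKEY_CURRENT_USER, strKey, arrSubKeys) = 0)
End Function

' ReadValue equivalent for REG_SZ data; returns "" when the value is missing.
Function ReadString(strKey, strValueName)
    Dim strData
    If objReg.GetStringValue(HKEY_CURRENT_USER, strKey, strValueName, strData) <> 0 _
       Or IsNull(strData) Then
        ReadString = ""
    Else
        ReadString = strData
    End If
End Function

' True when every lock-related value is present and within the limit.
' Stricter than the Kix test: a missing or non-numeric value is non-compliant.
Function ScreenSaverCompliant()
    Dim strTimeout
    ScreenSaverCompliant = False
    If ReadString(DESKTOP_KEY, "ScreenSaverIsSecure") <> "1" Then Exit Function
    If ReadString(DESKTOP_KEY, "ScreenSaveActive") <> "1" Then Exit Function
    If ReadString(DESKTOP_KEY, "SCRNSAVE.EXE") = "" Then Exit Function
    strTimeout = ReadString(DESKTOP_KEY, "ScreenSaveTimeout")
    If Not IsNumeric(strTimeout) Then Exit Function
    If CDbl(strTimeout) > MAX_TIMEOUT_SECONDS Then Exit Function
    ScreenSaverCompliant = True
End Function

' Write the three values the Kix script sets; True when all writes return 0.
Function EnforceScreenSaver()
    Dim intRC
    intRC = objReg.SetStringValue(HKEY_CURRENT_USER, DESKTOP_KEY, "ScreenSaverIsSecure", "1")
    intRC = intRC Or objReg.SetStringValue(HKEY_CURRENT_USER, DESKTOP_KEY, "ScreenSaveActive", "1")
    intRC = intRC Or objReg.SetStringValue(HKEY_CURRENT_USER, DESKTOP_KEY, _
                                           "ScreenSaveTimeout", CStr(MAX_TIMEOUT_SECONDS))
    EnforceScreenSaver = (intRC = 0)
End Function

' BGInfo section: create the keys and defaults only when the key is absent.
If Not KeyExists(BGINFO_KEY) Then
    objReg.CreateKey HKEY_CURRENT_USER, BGINFO_PARENT
    objReg.CreateKey HKEY_CURRENT_USER, BGINFO_KEY
    objReg.SetDWORDValue HKEY_CURRENT_USER, BGINFO_KEY, "Background", 0
    objReg.SetDWORDValue HKEY_CURRENT_USER, BGINFO_KEY, "Foreground", 16777215
End If

' Screen-saver section.
If ScreenSaverCompliant() Then
    WScript.Echo "Screen saver lock settings are compliant."
ElseIf Not EnforceScreenSaver() Then
    WScript.Echo "Could not write the screen saver settings."
    WScript.Quit 1
ElseIf ReadString(DESKTOP_KEY, "SCRNSAVE.EXE") = "" Then
    WScript.Echo "Lock settings written, but SCRNSAVE.EXE is still empty."
Else
    WScript.Echo "Lock settings updated; the Kix script logs the user off at this point."
End If
```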
RE: [ActiveDir] Distribute file to all desktop
Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/58846816-8fda-4083-9345-922c362b6ba6.mspx

However, I don't remember for sure if it is possible to start the app once it is installed. One here will certainly confirm this or not.

/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Wednesday, November 09, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

It’s a simple exe.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182 > Change in number

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Thursday, November 10, 2005 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

Is this a large app or a simple .exe? Pushing via GPO?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Wednesday, November 09, 2005 10:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

James,

Thanks for inputs… I didn’t get you, what do you mean by “have it initialize and advise when the user “took” the survey” ?

I am thinking to push this survey in two ways

1. Push it through SMS – Only problem I can think, if sms client is not installed on client desktop then he/she will get survey. I don’t want to add SMS client dependency on it.
2. Login script would be a good option but survey will run only in case of user log in to desktop.

I am looking for similar way (tool or script) like SMS but it does not have client dependency. We wanted to make this survey mandatory to all users, if we send mail and ask users to go and run it from specified location then few users might not open survey as well.

Regards,
Dinesh Tashildar
Ext:182 | Vnet 21182 > Change in number

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, November 10, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribute file to all desktop

Dinesh,

You could do it through AD and roll out a login script. If it were me I would rather get the *.exe put on a network share, have it initialise and advise when the user "took" the survey...

Batch file could look something like this:

    CLS
    @echo off
    TITLE Company Survey
    if not exist c:\ScriptFlag md c:\ScriptFlag
    if exist \\%Server%\%Share%\%UserName%.flag goto :eof
    \\%Server%\%Share%\*.exe
    echo %date% %time% %UserName% > c:\ScriptFlag\%UserName%.flag
    Copy c:\ScriptFlag\%UserName%.flag \\%Server%\%Share%\
    EXIT

You would of course replace %Server% and %Share% to suit.

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Thursday, November 10, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribute file to all desktop

Hi,

Our company is company with one survey which in the exe format. We wanted to push this exe to desktops which are connected to our corporate network. Anyone aware of way to do this in Windows environment? Any freeware tools?

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-56062600 Extn : 182 > Change in number
Vnet : 21182 > Change in number

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorised review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. Visit us at http://www.cognizant.com
RE: [ActiveDir] Distribute file to all desktop
Is this a large app or a simple .exe? Pushing via GPO?
RE: [ActiveDir] OT: Robocopy command..
Have you looked at /MIR? (Mirror)

It adds files in the target folder added in the source folder.
It updates files in the target folder updated in the source folder.
It removes files in the target folder removed in the source folder.
Untouched files just stay as they are and they are not copied over.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, October 25, 2005 3:05 AM
To: Active
Subject: [ActiveDir] OT: Robocopy command..

Hi.

I have used robocopy to copy an entire folder content from oldserver1 to newserver1. I want to keep this data on the newserver consistent however, I only want it to copy file changes and additional files that have been created, not the entire folder content. I was thinking of using

    robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

does anyone have any thoughts about the parameters I've used?

thanks
frank
RE: [ActiveDir] Need ADSI Scripting help.
You can find more ADSI script samples (kinda of library) at http://www.lissware.net
Go to the White Paper section and download the scripts and WP for free.

WHITE PAPERS:

October 2000 (Compaq Active Answers):
  Part 1 - Introduction to the use of Exchange 2000 with Windows Script Host (Script Kit)
  Part 2 - Managing Exchange with Scripts - Advanced Topics (Script Kit)

February 2000 (Compaq Active Answers):
  Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000 (Script Kit)
  Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit)

HTH
/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 20, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Need ADSI Scripting help.

Well if you have a list of DNs, you will then create a loop in the script that loops through connecting to those DNs and then grab the UAC attribute and check to see if the account is disabled (bit 1 is lit, aka value 2) sort of like

    set o=getobject("LDAP://cn=someuser,cn=users,dc=joe,dc=com")
    uac=o.useraccountcontrol
    ' And is the bitwise operator in VBScript; & would concatenate the two values
    if ((uac And 2)=2) then
        wscript.echo "disabled"
    else
        wscript.echo "enabled"
    end if

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 5:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need ADSI Scripting help.

Wow! Thanks Joe for your reply & also thanks Mark too.

I tried my best to explain to my manager but in vain so I am back to square one. If my own manager is not comfy with it what will I tell the Security! I know the scripts are as dangerous as your util or even more so but those who know how to go about it, not the one who will be using it.

Yeah it would be even better if your oldcmp would gauge intelligence ;-), can you do that? :-D Anyways I will continue using your utilities free or not.

Care to shed more light on the question I asked? And I guess it's more of want to know how you did it than what my company requires. Anyways I will find it out sooner or later. But anyways thanks very much guys for your help.

Sincerely,
Jitendra Kalyankar

On 10/20/05, joe <[EMAIL PROTECTED]> wrote:
> Just as an FYI, scripts are just as dangerous or more so. It is why I
> wrote oldcmp in the first place. Too many people biting themselves in
> the ass. I don't know how I could put more rubber bumpers on that tool
> unless I started asking questions to gauge levels of intelligence and
> whether or not certain switches should be allowed. :o)
>
> I understand the security department route though too. If they are
> antsy because it is freeware, let me know and I can charge you 100k or
> so for it and you get everything you get now plus a bill. :o)
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra
> Kalyankar
> Sent: Thursday, October 20, 2005 4:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Need ADSI Scripting help.
>
> I know about the Oldcmp.exe, but the thing is the tool is really
> powerful and I don't want Jr. Sys. Admins doing something or deleting
> something that they are not supposed to. And again I will have to go
> through the security department route to use it. Too much hassle
>
> Hope that explains my situation.
>
> Sincerely,
> Jitendra Kalyankar
>
> On 10/20/05, Creamer, Mark <[EMAIL PROTECTED]> wrote:
> > Before you do this, see oldcmp at www.joeware.net
> >
> > http://www.joeware.net/win/free/index.htm
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra
> > Kalyankar
> > Sent: Thursday, October 20, 2005 4:14 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Need ADSI Scripting help.
> >
> > I am looking for some example script and/or help for the script I am
> > writing for my company. What I want to achieve is if I run the
> > script against the machine list which will be in the text file, it
> > should give me the output in the text file saying which machine
> > account is enabled, disabled or not found.
> >
> > I know how to manipulate the text files using fso object but I am
> > not sure what do I need to use to get the attributes of computer
> > container in AD. Any help in this regard is highly appreciated and valued.
> >
> > Please let me know if you need more information about this.
> >
> > --
> > Thanks,
> > Jitendra Kalyankar
> > List info : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
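Two threads on this page need the same building block: finding an object by sAMAccountName (the IADs Get Method thread) and reporting each name in a text file as enabled, disabled or not found (this thread). The following is an added example, not code from any poster: it uses the ADO search approach in LDAP-dialect form, validates and escapes each name (RFC 4515) before it enters the filter, and reads userAccountControl in the same query. The script name, the two file arguments and the tab-separated output layout are assumptions.

```vbscript
' Added example. Run as: cscript //nologo AcctStatus.vbs names.txt status.txt
' (AcctStatus.vbs, names.txt and status.txt are hypothetical names.)
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = &H2       ' the userAccountControl bit tested in the thread
Const ForReading = 1, ForWriting = 2
' Characters that are not valid in a sAMAccountName.
Const INVALID_SAM_CHARS = """/\[]:;|=,+*?<>"

' Reject empty names, control characters and characters a sAMAccountName cannot hold.
Function IsValidSam(strSam)
    Dim i, strChar
    IsValidSam = False
    If Len(strSam) = 0 Then Exit Function
    For i = 1 To Len(strSam)
        strChar = Mid(strSam, i, 1)
        If InStr(INVALID_SAM_CHARS, strChar) > 0 Then Exit Function
        If AscW(strChar) >= 0 And AscW(strChar) < 32 Then Exit Function
    Next
    IsValidSam = True
End Function

' Escape a value for an LDAP search filter (RFC 4515). The backslash goes
' first so the escapes added afterwards are not escaped a second time.
Function EscapeLdapFilterValue(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilterValue = s
End Function

' One search returns both the DN and userAccountControl, so no second bind is needed.
Function AccountStatus(objConn, strBaseDn, strSam)
    Dim objCmd, objRs
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<LDAP://" & strBaseDn & ">;(sAMAccountName=" & _
        EscapeLdapFilterValue(strSam) & ");distinguishedName,userAccountControl;subtree"
    Set objRs = objCmd.Execute
    If objRs.EOF Then
        AccountStatus = "not found"
    ElseIf (objRs.Fields("userAccountControl").Value And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        AccountStatus = "disabled" & vbTab & objRs.Fields("distinguishedName").Value
    Else
        AccountStatus = "enabled" & vbTab & objRs.Fields("distinguishedName").Value
    End If
    objRs.Close
End Function

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript //nologo AcctStatus.vbs <name list> <output file>"
    WScript.Quit 1
End If

Dim objConn, objFso, objIn, objOut, strBaseDn, strName, strStatus
strBaseDn = GetObject("LDAP://RootDSE").Get("defaultNamingContext")
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objFso = CreateObject("Scripting.FileSystemObject")
Set objIn = objFso.OpenTextFile(WScript.Arguments(0), ForReading)
Set objOut = objFso.OpenTextFile(WScript.Arguments(1), ForWriting, True)

Do Until objIn.AtEndOfStream
    strName = Trim(objIn.ReadLine)
    If Len(strName) > 0 Then
        If Not IsValidSam(strName) Then
            strStatus = "invalid name"
        Else
            strStatus = AccountStatus(objConn, strBaseDn, strName)
            ' Computer accounts are stored as the machine name plus "$".
            If strStatus = "not found" And Right(strName, 1) <> "$" Then
                strStatus = AccountStatus(objConn, strBaseDn, strName & "$")
            End If
        End If
        objOut.WriteLine strName & vbTab & strStatus
    End If
Loop

objIn.Close
objOut.Close
objConn.Close
```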
RE: [ActiveDir] Kix to VBS
I meant if you are Windows 2000 and above ...
RE: [ActiveDir] Kix to VBS
If you are Windows and above and don't need REG_MULTI_SZ updates, I would go for WSH (pretty simple model). If you need to do more complex stuffs, I would use WMI (which is actually used from WSH as it is the scripting engine).

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, October 17, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kix to VBS

Which method is preferred, WSH or WMI?
RE: [ActiveDir] Kix to VBS
Look at http://www.lissware.net, Volume 1, Sample 1.01 to 1.25 - WSHScript.vbs, which uses a series of functions. In this list of functions, you will find two generic routines to play with: ReadRegistryFunction.vbs and WriteRegistryFunction.vbs. With these two, you are all set. I reproed the ReadRegistry one below.

Note that from the WSH object model, RegWrite method does not support REG_MULTI_SZ. If you need to update REG_MULTI_SZ, you need to use the WMI model. For this see http://www.lissware.net, Vol 2, Sample 3.03 to 3.09 - WMIRegistry.wsf (Second code excerpt below).

HTH.

    ' Author: Alain Lissoir ([EMAIL PROTECTED])
    '
    ' ISBN 182664 - Understanding WMI Scripting (Digital Press)
    ' ISBN 182990 - Leveraging WMI Scripting (Digital Press)

    ' WSH Technique
    Private Function ReadRegistry (objFileName, strKeyName, KeyValueName, strRegType)

        Dim strRegKey
        Dim varRegKeyValue()
        Dim intIndice
        Dim strTempValue

        On Error Resume Next

        strRegKey = strKeyName & "\" & KeyValueName
        WriteToFile objFileName, "** Reading registry '" & strRegKey & "'(" & strRegType & ")."

        strTempValue = WshShell.RegRead (strRegKey)
        If Err.Number Then
            ErrorHandler objFileName, "ReadRegistry", Err, boolErrorPopup
            Exit Function
        End If

        Select Case strRegType
            Case "REG_BINARY"
                ReDim varRegKeyValue(Ubound(strTempValue))
                For intIndice = 0 to Ubound(strTempValue)
                    varRegKeyValue (intIndice) = "&h" & Right("00" & Hex(strTempValue(intIndice)), 2)
                    WriteToFile objFileName, _
                                strRegKey & "(" & UCase(strRegType) & ") -> " & varRegKeyValue(intIndice)
                Next
            Case "REG_DWORD"
                ReDim varRegKeyValue(0)
                varRegKeyValue(0) = "&h" & Hex (strTempValue)
                WriteToFile objFileName, _
                            strRegKey & "(" & UCase(strRegType) & ") -> " & varRegKeyValue(0)
            Case "REG_MULTI_SZ"
                ReDim varRegKeyValue(Ubound(strTempValue))
                For intIndice = 0 to Ubound(strTempValue)
                    varRegKeyValue (intIndice) = strTempValue(intIndice)
                    WriteToFile objFileName, _
                                strRegKey & "(" & UCase(strRegType) & ") -> " & varRegKeyValue(intIndice)
                Next
            Case "REG_EXPAND_SZ"
                ReDim varRegKeyValue(0)
                varRegKeyValue(0) = WshShell.ExpandEnvironmentStrings (strTempValue)
                WriteToFile objFileName, _
                            strRegKey & "(" & UCase(strRegType) & ") -> " & varRegKeyValue(0)
            Case Else
                ReDim varRegKeyValue(0)
                varRegKeyValue(0) = strTempValue
                WriteToFile objFileName, _
                            strRegKey & "(" & UCase(strRegType) & ") -> " & varRegKeyValue(0)
        End Select

        ReadRegistry = varRegKeyValue

    End Function

    ' WMI technique --
    Select Case intKeyType
        Case REG_SZ
            intRC = objWMIClass.SetStringValue (intHiveType, _
                                                strBaseKey, _
                                                strKeyName, _
                                                varKeyNameValue)
        Case REG_MULTI_SZ
            intRC = objWMIClass.SetMultiStringValue (intHiveType, _
                                                     strBaseKey, _
                                                     strKeyName, _
                                                     varKeyNameValue)
        Case REG_EXPAND_SZ
            intRC = objWMIClass.SetExpandedStringValue (intHiveType, _
                                                        strBaseKey, _
                                                        strKeyName, _
                                                        varKeyNameValue)
        Case REG_BINARY
            intRC = objWMIClass.SetBinaryValue (intHiveType, _
                                                strBaseKey, _
                                                strKeyName, _
                                                varKeyNameValue)
        Case REG_DWOR
RE: [ActiveDir] Knowing when users were deleted.
Eventtriggers tool uses WMI WQL query as described in my previous mail referring to the WMI scripting technique. Nothing different except that you don't have to deal with a script ... but if you have a script you master the logic better.

/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

True. I was looking rather for free tools, and I found the free eventtriggers tool from the 2k3 rktools that did the job. It alerts you in real time for a specific eventID. You can tell eventtriggers to do a particular action such as using dumpel.exe to dump the 630 id (French specific id I presume) that corresponds to a deleted object action. Notice that eventtriggers.exe only works on w2k3/XP machine.

Cheers,
Yann

Daniel Gilbert <[EMAIL PROTECTED]> wrote:

Yann,
There are some utilities you can purchase that will alert you when an object is deleted, added, modified...
Dan

> Original Message
> Subject: [ActiveDir] Knowing when users were deleted.
> From: Yann <[EMAIL PROTECTED]>
> Date: Thu, October 13, 2005 11:56 pm
> To: ActiveDir@mail.activedir.org
>
> Hi there,
>
> I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(
>
> So my boss urges me to find the guilty user AND the time of deletion.
> I looked for attributes in adsi and found that there is the whencreated, whenmodified attribute but not whendeletedtimestamp one.
>
> Any idea ?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Knowing when users were deleted.
Another possibility is the pure scripting way ... and leverage WMI with two event WQL queries:

1/ Select * From __InstanceDeletionEvent Within 60 Where TargetInstance ISA "ds_user"

2/ Select * From __InstanceCreationEvent Where TargetInstance ISA "Win32_NTLogEvent" And TargetInstance.Logfile = "Audit"

You can use a logic similar to Sample 3.54 - GroupMonitor.wsf (at http://www.lissware.net, volume 2) but just need to adapt it to users. The same reasoning can be used to monitor FSMO role changes (Sample 3.55 and Sample 3.56 - FSMOMonitor.wsf). These two scripts send an email containing info about the modified object. Tweak them to meet your requirements with the WQL queries 1/ and 2/. You can download the script freely from my site.

Enable object access auditing and you can eventually run the script as a Windows Service (yes) on the DC. Then you are all set! You can watch the web cast at http://go.microsoft.com/fwlink/?LinkId=39643 where I explain how to run scripts as Windows service with the right security context.

HTH.
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Freddy,

The information you gave rocks ! I did not think of using the Last modified date attribute and querying it with the magic joe's tool :
-> "adfind -default -showdel -f isdeleted=TRUE"
It saves my job ! :)
The security audit is now configured and on.
Thanks for your help.

Yann

Freddy HARTONO <[EMAIL PROTECTED]> wrote:

Hi Yann,

You can find it in the deletedobject folder via adfind -showdel and see the Last modified date - that would be when the object is deleted. But as for who deleted - I don't think you can find it without the auditing.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: Yann [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the whencreated, whenmodified attribute but not whendeletedtimestamp one.

Any idea ?
RE: [ActiveDir] Monitor software installation using WMI
Another solution I'm just thinking about is to leverage the registry property provider to expose the registry hive containing the list of Add/Remove Programs in WMI. See http://msdn.microsoft.com/library/default.asp?url=

    #pragma namespace("\\\\.\\ROOT\\CIMV2")

    [dynamic: ToInstance, provider("RegProv"),
     ClassContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall")]
    class Win32Reg_InstalledPrograms
    {
        [key] string ProdID;
        [PropertyContext("DisplayName")] string DisplayName;
        [PropertyContext("InstallDate")] string InstallDate;
        [PropertyContext("Publisher")] string Publisher;
        [PropertyContext("DisplayVersion")] string Version;
    };

Another solution is to monitor that registry key with the event registry provider. See http://www.lissware.net, Sample 6.17 - GenericEventAsyncConsumer.wsf and use a WQL query like:

To detect any change made on that key value, the following WQL event query can be used (to watch the Schema Update Allowed of the NTDS parameters for instance ... as we have another thread related to schema changes)

    Select * FROM RegistryValueChangeEvent Where Hive='HKEY_LOCAL_MACHINE' AND KeyPath='SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters' AND ValueName='Schema Update Allowed'

Now, if you want to detect all changes made to any key values below the same registry key hive, the following WQL Event query must be used:

    Select * FROM RegistryKeyChangeEvent Where Hive='HKEY_LOCAL_MACHINE' AND KeyPath='SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters'

If you want to detect all changes made to any key values under the following registry key hive and all child registry entries, use the following:

    HKLM\SYSTEM\CurrentControlSet\Services\NTDS

The following WQL event query must be used:

    Select * FROM RegistryTreeChangeEvent Where Hive='HKEY_LOCAL_MACHINE' AND RootPath='SYSTEM\\CurrentControlSet\\Services\\NTDS'

Just use the registry hive for the Add/Remove Programs instead! :)

    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall

More details in the books ;)

/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, October 07, 2005 7:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Monitor software installation using WMI

If the application is installed as an MSI package, you can track it. If not, WMI will not help as WMI only surfaces MSI installed applications.

Leverage the Win32_Product WMI class in a WQL query such as:

    Select * From __InstanceCreationEvent Within 10 Where TargetInstance ISA 'Win32_Product'

You can use Sample 6.17 - GenericEventAsyncConsumer.wsf from volume 1 at http://www.lissware.net

The Sample 3.15 to 3.17 - WMIMSI (JScript).wsf, volume 2 at http://www.lissware.net shows how to use that class as well.

HTH.
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pavan Hotha
Sent: Friday, October 07, 2005 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Monitor software installation using WMI

Hi,

I am trying to write a script to monitor new software installation on a Windows XP Prof system. The objective is to receive an email notification from the system once new software is installed on the system. Is it possible to do this ?

Pavan Hotha
RE: [ActiveDir] GPO Permissions with .vbs
Is it running interactively first?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

Error messages? Do you get anything? Do you know for sure the script is running?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, October 07, 2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

Well it didn’t work….here’s the script:

    strComputer = "."
    strNewCmd = "C:\PROGRA~1\INTERN~1\iexplore.exe -new http://www.domain.com"

    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colScheduledTasks = objWMIService.ExecQuery("Select * from Win32_ScheduledJob")

    For Each objTask in colScheduledTasks
        intJobID = objTask.JobID
        strCurCmd = objTask.Command
        If strCurCmd = strNewCmd Then
            Set objInstance = objWMIService.Get("Win32_ScheduledJob.JobID=" & intJobID)
            objInstance.Delete
        End If
    Next

    Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
    errJobCreated = objNewJob.Create (strNewCmd, "11.00-240", True , 1 OR 2 OR 4 OR 8 OR 16, , , JobID)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 9:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

I can't visualize why it shouldn't work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, October 06, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

It’ll only schedule tasks on logon scripts, not startup. Someone correct me if I’m wrong.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, October 06, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

Can you set it to be a startup script instead of a logon script (computer configuration > software section of GPO instead of user configuration > software section)? Then it will run with privs, not as the non-admin.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, October 06, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

The problem is the at.exe command can only be run by administrators. How can I allow non-admins to run at.exe, therefore allowing my script to work?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Wednesday, October 05, 2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

What is your OS? Is it a user specific task or a computer based task? If it is a task scheduled to run after the user logs on I'm sure it is permissions, or lack thereof.

Tim Vander Kooi
Microsoft Systems Administrator
Explorer Pipeline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 05, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Permissions with .vbs

I created a GPO for all Domain Users to run a .vbs script to create a Scheduled Task. It works with Domain Admins, but not with regular users. How can I fix this?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Monitor software installation using WMI
If the application is installed as an MSI package, you can track it. If not, WMI will not help as WMI only surfaces MSI installed applications.

Leverage the Win32_Product WMI class in a WQL query such as:

    Select * From __InstanceCreationEvent Within 10 Where TargetInstance ISA 'Win32_Product'

You can use Sample 6.17 - GenericEventAsyncConsumer.wsf from volume 1 at http://www.lissware.net

The Sample 3.15 to 3.17 - WMIMSI (JScript).wsf, volume 2 at http://www.lissware.net shows how to use that class as well.

HTH.
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pavan Hotha
Sent: Friday, October 07, 2005 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Monitor software installation using WMI

Hi,

I am trying to write a script to monitor new software installation on a Windows XP Prof system. The objective is to receive an email notification from the system once new software is installed on the system. Is it possible to do this ?

Pavan Hotha
RE: [ActiveDir] WMI Filters - Domain Specific
No. Combine them :)

    Select * from Win32_ComputerSystem WHERE DomainRole = VALUE And Domain = "contoso.com"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, October 07, 2005 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI Filters - Domain Specific

I’d like to create a policy that ONLY runs on workstations that are members of a specific domain. Would I have to use both queries?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Thursday, October 06, 2005 11:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI Filters - Domain Specific

Nope. With the query below you gonna have the servers as well :)
You must narrow the scope of the query such as:

    Select * from Win32_ComputerSystem WHERE DomainRole = VALUE

Where value is:

    1 for Standalone Workstation
    2 for Member Workstation
    3 for Standalone Server
    4 for Member Server
    5 for Backup Domain Controller
    6 for Primary Domain Controller

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, October 06, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI Filters - Domain Specific

You might try:

    Select * from Win32_ComputerSystem WHERE domain = "contoso.com"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, October 06, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI Filters - Domain Specific

What is the WMI filter to specify all Workstations in a specific domain?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] WMI Filters - Domain Specific
Nope. With the query below you gonna have the servers as well :)
You must narrow the scope of the query such as:

    Select * from Win32_ComputerSystem WHERE DomainRole = VALUE

Where value is:

    1 for Standalone Workstation
    2 for Member Workstation
    3 for Standalone Server
    4 for Member Server
    5 for Backup Domain Controller
    6 for Primary Domain Controller

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, October 06, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI Filters - Domain Specific

You might try:

    Select * from Win32_ComputerSystem WHERE domain = "contoso.com"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, October 06, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI Filters - Domain Specific

What is the WMI filter to specify all Workstations in a specific domain?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Schema design best practices
If you go on http://www.lissware.net, you will find:
Two pointers to two articles about AD schema design and mechanic.
You will also find a White Paper for WSH and ADSI under Windows 2000 (but still valid for 2003) where a script is screening the AD schema to get any information you may want to know about attributes, classes, searches, index, etc.

HTH
/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, September 27, 2005 7:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema design best practices

Personally, I use admod, good interface I think. The worst part is currently you have to manually figure out what the searchflags value needs to be.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 27, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema design best practices

Ok, I had that info but thought you were suggesting there was a 'friendly' interface to this :)

Thanks again,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: 27 September 2005 15:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema design best practices

Yep, you can add additional attributes to it. Some of them won't work, say like memberof or other linked attributes and pwdLastSet[1] and possibly some other SAM Account management attributes.

You need to set the proper searchflags value, specifically Bit 3, value 0x8.

See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_searchflags.asp

joe

[1] More accurately, it would be preserved but gets set to 0 on recovery anyway for some reason even when you mark passwords to be recovered.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 27, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema design best practices

Thanks joe - I appreciate the feedback. We're certainly on the same wavelength :)

Could you expand a little on the below comment please? I appreciate that w2k3 sp1 added sidhistory to the list of attributes whose data is retained when an object is reanimated but I was not aware that extra attributes could be added to this list(?)

"Preserve on tombstone - load this baby up, makes undeletes more useful"

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: 23 September 2005 17:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema design best practices

Additional attribute to index - objectClass and company specific mods

Add to the PAS - Usually company specific items

Copied when object is copied - none, don't recommend using ADUC for anything other than small orgs

Container index - would depend on whether you do a lot of one level searches for something, overall, I don't believe I have seen much call for this.

Preserve on tombstone - load this baby up, makes undeletes more useful

ManagedBy applied to users, good idea. I think I would consider a whole suite of object lifecycle management additions though as well. Last reviewed, next review (in case of special items not reviewed on normal schedule), where it is in the lifecycle process, etc.

For schema mods, drop schema fsmo in isolated site (i.e. not replicating often), make changes. If they look good, move another DC into the site and watch it replicate across and doublecheck for issues again. If that is good, open up replication to site or drag DCs back to main sites. If you have a large environment, drag to different far removed sites so that your updates can start propagating out from multiple locations, putting a DC in a site that it doesn't have high connectivity to for the short period of time to replicate in schema mods shouldn't be too troublesome.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 23, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema design best practices

I'm looking for some schema design best practices, based upon experience.

For example:

Are there additional attributes which you would suggest be:
    indexed
    added to the PAS
    replicated when a user is duplicated
    indexed for containerised searches?

Are there classes to which you would add other attributes? (e.g. add managedBy to User)

I'm also interested to hear views regarding Schema mods and how they should be performed in a controlled fashion (lag sites etc).

I have my own views on all of the above but am keen to hear the views of others.

Thanks,
neil

> ___
> Neil Ruston
> Global Technical Infrastructure
> Nomura International plc
> Telephone: +44 (0) 20 7521 3481
>
>
> PLEASE READ:
RE: [ActiveDir] LIL OT system Reg size script
Why not use WMI to achieve this? Just keep the file list as you did below and use WMI to update the registry size.

Check: Sample 4.14 - SetWin32_RegistrySizeWithAPI (Direct Properties).wsf or Sample 4.15 - SetWin32_RegistrySizeWithAPI (Indirect Properties).wsf at http://www.lissware.net, volume 1 samples.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, September 06, 2005 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LIL OT system Reg size script

We recently had an issue where a policy seems to be causing the registry size to blow up on several of our servers. We believe we have found the culprit policy and are looking into it but we want to monitor things. On this front I am trying to put together a script that will go thru a list of our servers and check the file sys of the system registry, i.e. check admin$\system32\config\system

Here is what I have:

    On Error Resume Next

    Const ForReading = 1

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile("e:\scripts\servers.txt", ForReading)

    Do Until objTextFile.AtEndOfStream
        strComputer = objTextFile.Readline

        ' =
        ' Insert your code here
        ' =

        WScript.Echo
        WScript.Echo "=="
        WScript.Echo "Computer: " & strComputer
        WScript.Echo "=="

        Set objFile = objFSO.GetFile("admin$\system32\config\system")
        Set objItem = strComputer.objFile
        WScript.Echo "FileSize: " & objItem.FileSize

        ' =
        ' End
        ' =

    Loop

    objTextFile.Close

Where am I going wrong?

Jeff
RE: [ActiveDir] AD attribute
In addition to the information provided below, you can refer to those articles (if you have an access ...):

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21839
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=22540
http://www.winnetmag.com/Article/ArticleID/41666/41666.html

/Alain
Complete list of articles at http://www.lissware.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, August 19, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD attribute

This is a step by step to add the attribute and extend the display specifier to allow it to be modified.

http://www.informit.com/articles/article.asp?p=169630&rl=1

Hope this helps

- Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib(hidden from users, of course)
How would I go about doing this?
Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Great! You're welcome!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Tuesday, August 16, 2005 3:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

We set the revision level in the security descriptor in the meta code. And it indeed works fine. Thanks for all your time and guidance. This has indeed come out to be a product defect.

Thanks again,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Rebuild because the revision required is not set. When building a security descriptor under Windows, you are building an object containing ACE (DACL and SACL). Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI, etc ...) Under Unix by manipulating an SDDL string to construct the security descriptor is another story as don't have the API to build the MS security descriptor... but I'm pretty sure that your problem comes from the fact that the revision level is not set properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

For solving this error, Microsoft says, rebuild security object. What does this imply? And how can I rebuild the security object? Any help would be beneficial.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

This error is being returned by the meta directory server, for which I don’t have access to the code. At the most I can find the reason and try to eliminate it. I would be just converting the binary SID to text transformation and give it to the Meta directory for settings. Any idea why this would be caused?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Have you been checking the script sample I gave in the attached mail? It shows the value required for the revision level. ADS_ACL_REVISION_DS is set to 4.

    objDACL.AclRevision = ADS_ACL_REVISION_DS

    ' "Self" Trustee
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = "Self"
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
                        E2K_MB_FULL_MB_ACCESS Or _
                        E2K_MB_SEND_AS
    objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objDACL.AddAce objACE
    Set objACE = Nothing

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi,

I tried setting the msexchmailboxsecuritydescriptor attribute. But I am facing an error “the revision level is unknown”. Any known issue you know that might be causing this?

Thanks,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,

Found a perl function in laman.pm, which converts sid to string:

    sub SidToString
    {
        # Byte 0 is the SID revision and must be 1
        return undef unless unpack("C", substr($_[0], 0, 1)) == 1;
        # Byte 1 is the sub-authority count: total length is 8 + 4 * count
        return undef unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1, 1));
        my $sid_str = "S-1-";
        # Low four bytes of the big-endian identifier authority
        $sid_str .= (unpack("C", substr($_[0], 7, 1)) +
                    (unpack("C", substr($_[0], 6, 1)) << 8) +
                    (unpack("C", substr($_[0], 5, 1)) << 16) +
                    (unpack("C", substr($_[0], 4, 1)) << 24));
        for my $loop (0 .. unpack("C", substr($_[0], 1, 1)) - 1)
        {
            # "V" = 32-bit little-endian, the order sub-authorities are stored in,
            # so the result does not depend on the host byte order
            $sid_str .= "-" . unpack("V", substr($_[0], 4 * $loop + 8, 4));
        }
        return $sid_str;
    }

Hope this will do the job. What all will be required to do the job, setting mailboxsecurity description and masteraccountsid is enough? Or do I also need something else?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDi
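The binary layout this thread keeps running into, as an added Python example that is not code from the thread or from laman.pm: it converts a binary SID to text (6-byte authority read big-endian, sub-authorities little-endian, independent of host byte order) and checks the two revision fields of a self-relative security descriptor, descriptor revision 1 and ACL revision 2 or 4. The function names are hypothetical, and the sample descriptors and the access mask are constructed here.

```python
import struct

SD_REVISION = 1                                    # SECURITY_DESCRIPTOR_REVISION
ACL_REVISIONS = {2: "ACL_REVISION", 4: "ACL_REVISION_DS"}
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def sid_to_string(sid: bytes) -> str:
    """Binary SID -> 'S-1-...' text; raises ValueError on malformed input."""
    if len(sid) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unknown SID revision {revision}")
    if count > 15 or len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")     # 48 bits, big-endian
    subs = struct.unpack(f"<{count}I", sid[8:])     # 32 bits each, little-endian
    # Authorities that do not fit in 32 bits are written in hex
    auth = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return "-".join(["S", str(revision), auth, *map(str, subs)])


def build_sid(authority: int, *subs: int) -> bytes:
    """Helper for the constructed samples below."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def build_sd(sd_revision, acl_revision, trustee, mask, ace_flags=0x02):
    """Constructed self-relative descriptor: header + DACL with one ACCESS_ALLOWED ACE."""
    ace = struct.pack("<BBHI", 0, ace_flags, 8 + len(trustee), mask) + trustee
    acl = struct.pack("<BBHHH", acl_revision, 0, 8 + len(ace), 1, 0) + ace
    header = struct.pack("<BBHIIII", sd_revision, 0,
                         SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


def inspect_sd(sd: bytes) -> dict:
    """Report both revision fields and the DACL trustees of a self-relative descriptor."""
    if len(sd) < 20:
        raise ValueError("descriptor is shorter than its 20-byte header")
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    report = {"sd_revision": revision, "acl_revision": None, "aces": [], "problems": []}
    if revision != SD_REVISION:
        report["problems"].append(f"descriptor revision is {revision}, expected 1")
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return report
    if off_dacl + 8 > len(sd):
        raise ValueError("DACL offset points outside the descriptor")
    acl_rev, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    report["acl_revision"] = acl_rev
    if acl_rev not in ACL_REVISIONS:
        report["problems"].append(f"DACL revision is {acl_rev}, expected 2 or 4")
    pos, end = off_dacl + 8, off_dacl + acl_size
    if end > len(sd):
        raise ValueError("ACL size runs past the end of the descriptor")
    for _ in range(ace_count):
        if pos + 4 > end:
            raise ValueError("ACE header runs past the end of the ACL")
        ace_type, flags, size = struct.unpack_from("<BBH", sd, pos)
        if size < 4 or pos + size > end:
            raise ValueError("ACE size runs past the end of the ACL")
        if ace_type in (0, 1):                      # ACCESS_ALLOWED / ACCESS_DENIED
            if size < 16:
                raise ValueError("ACE too small to hold a mask and a SID")
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            sid_len = 8 + 4 * sd[pos + 9]           # from the SID's own count byte
            if 8 + sid_len > size:
                raise ValueError("SID runs past the end of its ACE")
            trustee = sid_to_string(sd[pos + 8:pos + 8 + sid_len])
            report["aces"].append({"trustee": trustee, "mask": mask, "flags": flags})
        pos += size
    return report


SELF_SID = build_sid(5, 10)                # S-1-5-10, the "Self" principal
SAMPLE_MASK = 0x00020001                   # constructed value, not from the thread
GOOD_SD = build_sd(1, 4, SELF_SID, SAMPLE_MASK)
BAD_SD = build_sd(1, 0, SELF_SID, SAMPLE_MASK)   # ACL revision left unset

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SD), ("bad", BAD_SD)):
        result = inspect_sd(blob)
        print(name, result["acl_revision"], result["aces"], result["problems"])
```

Running a check like this on the blob before handing it to a directory or meta-directory write separates a zeroed revision field from a malformed SID.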
RE: [ActiveDir] ok, last one really
On MSDN, you can find some sample scripts to read from a file.
See at http://msdn.microsoft.com/library/en-us/script56/html/sgWorkingWithFiles.asp

For instance,

    Dim fso, ts
    Const ForReading = 1
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ts = fso.OpenTextFile("c:\test.txt", ForReading, True)
    strComputer = ts.ReadLine()
    ts.Close()

Depending on the format of your file, you can read a single line and split the comma separated computer names, or you can loop and read lines one-by-one if you have a computer name per line. Your call ...

For a book on scripting and WMI, you can always have a look at my web site ;) http://www.lissware.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 7:46 AM
To: activedirectory
Subject: [ActiveDir] ok, last one really

How can I change this script so I can just feed it a file of computer names so I can automate the changing of dns servers in the client properties?

SCRIPT-

    On Error Resume Next

    strComputer = "."
    arrNewDNSServerSearchOrder = Array("192.168.0.1", "192.168.0.2")

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colNicConfigs = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

    WScript.Echo VbCrLf & "Computer: " & strComputer

    For Each objNicConfig In colNicConfigs
        WScript.Echo VbCrLf & " Network Adapter " & objNicConfig.Index
        WScript.Echo "DNS Server Search Order - Before:"
        If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
            For Each strDNSServer In objNicConfig.DNSServerSearchOrder
                WScript.Echo "" & strDNSServer
            Next
        End If
        intSetDNSServers = _
            objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
        If intSetDNSServers = 0 Then
            WScript.Echo "Replaced DNS server search order list."
        Else
            WScript.Echo "Unable to replace DNS server search order list."
        End If
    Next

    WScript.Echo VbCrLf & String(80, "-")

    Set colNicConfigs = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

    For Each objNicConfig In colNicConfigs
        WScript.Echo VbCrLf & " Network Adapter " & objNicConfig.Index
        WScript.Echo "DNS Server Search Order - After:"
        If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
            For Each strDNSServer In objNicConfig.DNSServerSearchOrder
                WScript.Echo "" & strDNSServer
            Next
        End If
    Next

END OF SCRIPT

Also, can anyone recommend a good VBscript book for Windows admining so I can leave you guys alone?
thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Rebuild because the revision required is not set. When building a security descriptor under Windows, you are building an object containing ACE (DACL and SACL). Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI, etc ...). Under Unix, manipulating an SDDL string to construct the security descriptor is another story, as you don't have the API to build the MS security descriptor... but I'm pretty sure that your problem comes from the fact that the revision level is not set properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

For solving this error, Microsoft says, rebuild security object. What does this imply? And how can I rebuild the security object? Any help would be beneficial.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

This error is being returned by the meta directory server. For which I don't have the access to code. At the most I can find the reason and try to eliminate it. I would be just converting the binary SID to text transformation and give it to the Meta directory for settings. Any idea why this would be caused?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Have you been checking the script sample I gave in the attached mail? It shows the value required for the revision level. ADS_ACL_REVISION_DS is set to 4.

    objDACL.AclRevision = ADS_ACL_REVISION_DS

    ' "Self" Trustee
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = "Self"
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
                        E2K_MB_FULL_MB_ACCESS Or _
                        E2K_MB_SEND_AS
    objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objDACL.AddAce objACE
    Set objACE = Nothing

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi,

I tried setting the msexchmailboxsecuritydescriptor attribute. But am facing an error "the revision level is unknown". Any known issue you know that might be causing this?

Thanks,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,

Found a perl function in laman.pm, which converts sid to string:

    sub SidToString {
        # Byte 0 is the revision; only revision 1 is defined.
        return undef unless unpack("C", substr($_[0], 0, 1)) == 1;
        # Byte 1 is the sub-authority count: 8 header bytes + 4 bytes each.
        return undef unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1, 1));
        my $sid_str = "S-1-";
        # Identifier authority is big-endian; only its low 4 bytes are used here.
        $sid_str .= (unpack("C", substr($_[0], 7, 1))
                  + (unpack("C", substr($_[0], 6, 1)) << 8)
                  + (unpack("C", substr($_[0], 5, 1)) << 16)
                  + (unpack("C", substr($_[0], 4, 1)) << 24));
        # Sub-authorities are little-endian 32-bit values: "V", not the
        # native-order "I", so the result is also right on big-endian hosts.
        for my $loop (0 .. unpack("C", substr($_[0], 1, 1)) - 1) {
            $sid_str .= "-" . unpack("V", substr($_[0], 4 * $loop + 8, 4));
        }
        return $sid_str;
    }

Hope this will do the job. What all will be required to do the job, setting mailboxsecurity description and masteraccountsid is enough? Or do I also need something else.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Thanks for the pointer.
Also does anyone know any perl module which converts the binary sid to text sid? The win32 module won't work because the script will be invoked from HP-UX.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

    O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language) O:sid is the SID
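The SDDL string quoted above, taken apart in an added Python example (not part of the original messages): it splits the owner, group and DACL, expands each ACE's right mnemonics into an access mask, and lists allow-ACE trustees whose domain differs from the owner's. The function and class names are chosen for this illustration, and the mnemonic table covers the generic, standard and directory-object rights only.

```python
import re
from dataclasses import dataclass

# SDDL right mnemonics -> access-mask bits.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# SDDL ACE flag mnemonics -> AceFlags bits.
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08,
             "ID": 0x10, "SA": 0x40, "FA": 0x80}

# The descriptor quoted in the thread, trailing ";" included.
THREAD_SDDL = (
    "O:S-1-5-21-2527121305-4244181741-3459546813-500"
    "G:S-1-5-21-2527121305-4244181741-3459546813-500"
    "D:(A;CI;CCDCRC;;;PS)"
    "(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);"
)


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, ...
    flags: int      # AceFlags bits
    rights: list    # mnemonics as written, empty when given as hex
    mask: int       # resulting access mask
    trustee: str    # SID string or two-letter alias such as "PS"


@dataclass
class Descriptor:
    owner: str
    group: str
    dacl_flags: str
    dacl: list


def _codes(text, table, what):
    """Split a run of two-letter mnemonics and check each against table."""
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    for code in codes:
        if code not in table:
            raise ValueError("unknown %s mnemonic %r" % (what, code))
    return codes


def _bits(codes, table):
    mask = 0
    for code in codes:
        mask |= table[code]
    return mask


def parse_ace(body):
    """Parse 'type;flags;rights;object_guid;inherit_object_guid;trustee'."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 fields: %r" % body)
    ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
    flag_bits = _bits(_codes(flags, ACE_FLAGS, "flag"), ACE_FLAGS)
    if rights.lower().startswith("0x"):
        names, mask = [], int(rights, 16)
    else:
        names = _codes(rights, RIGHTS, "right")
        mask = _bits(names, RIGHTS)
    return Ace(ace_type, flag_bits, names, mask, trustee)


def split_components(sddl):
    """Cut the string at the O:, G:, D: and S: tags found outside parentheses."""
    parts, depth, tag, start, i = {}, 0, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if tag:
                parts[tag] = sddl[start:i]
            tag, start = ch, i + 2
            i += 1
        i += 1
    if tag:
        parts[tag] = sddl[start:]
    return parts


def parse_sddl(sddl):
    parts = split_components(sddl.strip().rstrip(";"))
    dacl_text = parts.get("D", "")
    aces = [parse_ace(b) for b in re.findall(r"\(([^()]*)\)", dacl_text)]
    return Descriptor(parts.get("O", ""), parts.get("G", ""),
                      dacl_text.split("(", 1)[0], aces)


def domain_of(sid):
    """Domain part of an S-1-5-21-... SID (all but the final RID), else None."""
    return sid.rsplit("-", 1)[0] if sid.startswith("S-1-5-21-") else None


def foreign_trustees(sd):
    """Allow-ACE trustees that belong to a different domain than the owner."""
    home = domain_of(sd.owner)
    return [a.trustee for a in sd.dacl
            if a.ace_type == "A" and domain_of(a.trustee) not in (None, home)]
```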
RE: [ActiveDir] last scripting question, I promise :)
I would try that on server, not on XP ... XP doesn't (and never) hosts a DHCP server ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] last scripting question, I promise :)

Why is it when I type "netsh dhcp server" or "netsh dhcp", I get command not found? I'm running this on a win xp sp2 box.

thanks

On 8/12/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
> try NETSH
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netsh_dhcp.mspx
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/09e89260-0759-4d6a-8fca-cf98b34cb1cd.mspx
>
> http://www.windowsitpro.com/Windows/Article/ArticleID/4/4.html
>
> Jorge
>
> From: [EMAIL PROTECTED] on behalf of Tom Kern
> Sent: Fri 8/12/2005 3:43 PM
> To: activedirectory
> Subject: [ActiveDir] last scripting question, I promise :)
>
> This is one I couldn't find any resource on- How can I script
> assigning DHCP scopes and options to Win2k DHCP servers?
>
> We have a ton of scopes here and manually doing it is a huge pain.
> Can this be scripted via WMI or some other way in windows 2000?
>
> thanks guys
RE: [ActiveDir] query service
You can use this URL http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

And/or you can refer (for the WMI part) to Sample 2.60 to 2.64 - WMIServices.wsf, vol 2, at http://www.lissware.net

HTH
/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, August 11, 2005 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] query service

Yup. You'd want WMI for that. Or more precisely a combination of ADSI (to enumerate machines) and WMI (to query for the service). For sample WMI scripts to enumerate services, check out http://www.microsoft.com/technet/scriptcenter/scripts/os/services/default.mspx

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 7:11 PM
To: activedirectory
Subject: [ActiveDir] query service

Is it possible to write a script to query every member server/dc in your domain to search if a specific service is running like dhcp or dns and spit that out to a text file or html?

thanks
RE: [ActiveDir] Schema Updates
Don't you have any Forest Functional level requirement to get this schema update implemented? I know you can update the schema at any functional level, but the features you have at the schema level can be dependent on the Forest Functional level. That said, the error "The system can not find the file specified. (0x80070002)" doesn't sound like a schema error. Maybe there is an LDIF file missing during the schema upgrade? Just some ideas ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Thursday, August 11, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And the method you are using, if you are using script or LDIF please post the text in your email too so we can diagnose the problem.

Carlos

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 11 August 2005 09:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Schema Updates

Your thinking is accurate but there are many other potential preventive factors, a great deal more detail re: the errors you're experiencing would help.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Updates

Hi,

I am having some problems updating the schema for Avaya Unified Messaging. It is my thinking that in Windows 2003 the schema is already enabled for updates as long as you are in the Schema Admins group. In Windows 2000 you had to enable the Schema to be updated. Am I correct or misguided?

Thanks!
Travis Abrams
RE: [ActiveDir] 2 quick favors
In XP/2003, you run WSH 5.6. In 2000, you have WSH 5.1, that could be the reason. If you have troubles with the script as mentioned in another reply, try this one. I just tweaked it a bit.

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    Looking inside 'configurationNamingContext'
    CN=Default-First-Site-Name (site)
    (No Group Policy Defined)

    Looking inside 'DefaultNamingContext'
    DC=LissWare (domainDNS)
    Found an existing Policy: 'Windows Service Policy' (groupPolicyContainer)
      GPLink=LDAP://cn={0154628E-C9EE-48C2-8FD3-306599C0B88D},cn=policies,cn=system,DC=LissWare,DC=Net
      cn={0154628E-C9EE-48C2-8FD3-306599C0B88D} (DirectoryString)
      instanceType=4 (INTEGER)
      objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=LissWare,DC=Net (DN)
      displayName=Windows Service Policy (DirectoryString)
      distinguishedName=CN={0154628E-C9EE-48C2-8FD3-306599C0B88D},CN=Policies,CN=System,DC=LissWare,DC=Net (DN)
      flags=0 (INTEGER)
      gPCFileSysPath=\\LissWare.Net\SysVol\LissWare.Net\Policies\{0154628E-C9EE-48C2-8FD3-306599C0B88D} (DirectoryString)
      gPCFunctionalityVersion=2 (INTEGER)
      gPCMachineExtensionNames=[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}] (DirectoryString)
      name={0154628E-C9EE-48C2-8FD3-306599C0B88D} (DirectoryString)
      showInAdvancedViewOnly=True (Boolean)
      versionNumber=5 (INTEGER)
      whenChanged=21-Dec-2004 00:18:00 (GeneralizedTime)
      whenCreated=20-Dec-2004 23:50:40 (GeneralizedTime)

    DC=LissWare (domainDNS)
    Found an existing Policy: 'Default Domain Policy' (groupPolicyContainer)
      GPLink=LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=LissWare,DC=Net
      cn={31B2F340-016D-11D2-945F-00C04FB984F9} (DirectoryString)
      instanceType=4 (INTEGER)
      objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=LissWare,DC=Net (DN)
      displayName=Default Domain Policy (DirectoryString)
      distinguishedName=CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=LissWare,DC=Net (DN)
      flags=0 (INTEGER)
      gPCFileSysPath=\\LissWare.Net\sysvol\LissWare.Net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} (DirectoryString)
      gPCFunctionalityVersion=2 (INTEGER)
      gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
      gPCUserExtensionNames=[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}] (DirectoryString)
      isCriticalSystemObject=True (Boolean)
      name={31B2F340-016D-11D2-945F-00C04FB984F9} (DirectoryString)
      showInAdvancedViewOnly=True (Boolean)
      systemFlags=-1946157056 (INTEGER)
      versionNumber=65546 (INTEGER)
      whenChanged=08-Jun-2004 21:11:01 (GeneralizedTime)
      whenCreated=01-Jun-2004 19:07:23 (GeneralizedTime)

    OU=Domain Controllers (organizationalUnit)
    Found an existing Policy: 'Default Domain Controllers Policy' (groupPolicyContainer)
      GPLink=LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=LissWare,DC=Net
      cn={6AC1786C-016F-11D2-945F-00C04fB984F9} (DirectoryString)
      instanceType=4 (INTEGER)
      objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=LissWare,DC=Net (DN)
      displayName=Default Domain Controllers Policy (DirectoryString)
      distinguishedName=CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=LissWare,DC=Net (DN)
      flags=0 (INTEGER)
      gPCFileSysPath=\\LissWare.Net\sysvol\LissWare.Net\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} (DirectoryString)
      gPCFunctionalityVersion=2 (INTEGER)
      gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}] (DirectoryString)
      isCriticalSystemObject=True (Boolean)
      name={6AC1786C-016F-11D2-945F-00C04fB984F9} (DirectoryString)
      showInAdvancedViewOnly=True (Boolean)
      systemFlags=-1946157056 (INTEGER)
      versionNumber=12 (INTEGER)
      whenChanged=31-Mar-2005 19:40:09 (GeneralizedTime)
      whenCreated=01-Jun-2004 19:07:23 (GeneralizedTime)

HTH
/Alain

-Original Message-
From: Alain Lissoir [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 10, 2005 6:29 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] 2 quick favors

For 1/, try this one below. For 2/ I don't have one close but I'm sure some folks here can feed you ... The script doesn't dump in a text file, but that's an easy addition.

HTH

    ' FindGPOLinks v1.04.vbs - Version 1.04 - Alain Lissoir
    '
    ' WSH Script browsing the 'DefaultNamingContext' and the 'configurationNamingContext'
    ' to retrieve the Group Policies linked to AD objects.
    ' This should facilitate the search of created policies in the Active Directory.
    '
    ' The script is using a basic LDAP acces
RE: [ActiveDir] MailBox permissioning
You can download a script doing the job from http://users.skynet.be/garbage/CreateExchangeMBInMultiForest.zip

    C:\>CreateMB.wsf
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    Usage: CreateMB.wsf /AcctSRV:value /ExSRV:value [/UserID:value]

    Options:

    AcctSRV : Specifies the FQDN of a GC in the Account Forest.
    ExSRV   : Specifies the non-FQDN of an Exchange server in the Exchange Forest.
    UserID  : Sepcifies the existing account UserID in the Account Forest.

    Examples:

        CreateMB.wsf /AcctSRV:MyDC.MyAccountDomain.Com /ExSRV:MyExchangeSRV /UserID:James.Bond

The script is a little bit complicated but it provides the most granular approach to understand how to customize attributes. It makes use of ADSI to create an Exchange Server 2000/2003 mailbox in this context. The script must be run in the Exchange Forest and seeks the necessary information in the Account Forest. Although Microsoft does not officially support the exclusive use of ADSI to create an Exchange Server 2000/2003 mailbox, this discovery will be of great value to set up synchronization tools, as most work on low-level attribute settings and mapping techniques. The script touches a list of attributes documented in a white paper listed at http://www.lissware.net, "The powerful combination of WSH and ADSI under Windows 2000".

When working in a Multi-Forest context, some attributes with Exchange Server 2000/2003 Active Directory schema extensions take on a particular meaning or configuration. There are three important attributes used in this context:

The msExchUserAccountControl Attribute

The msExchUserAccountControl mirrors the account status stored in the userAccountControl attribute. The userAccountControl attribute controls the disabled/enabled state of the user account. When the user is enabled, bit 1 of the userAccountControl attribute is set to 0 and the msExchUserAccountControl attribute is set to 0. When the user account is disabled, bit 1 of the userAccountControl attribute is set to 1 and the msExchUserAccountControl attribute is set to 2. When the msExchUserAccountControl attribute is set to 2, it tells the Exchange store to perform a logon for the associated external user account.

The msExchMasterAccountSID Attribute

The msExchMasterAccountSID attribute is set in two circumstances:

- When the ADC creates a Windows 2000 user account from an Exchange 5.5 mailbox, the Primary NT account SID set on the Exchange 5.5 mailbox is copied to the msExchMasterAccountSID attribute.
- When an external account is associated with an Exchange Server 2000/2003 mailbox, the msExchMasterAccountSID attribute is set with the SID of the associated external user account.

The SID contained in the objectSID attribute of the user account in the Account Forest is set to the msExchMasterAccountSID attribute of the mailbox-enabled disabled user account in the Exchange Forest. This configuration is required to ensure that the Exchange Server 2000/2003 mailbox is accessible to accounts located in the Account Forest.

The msExchMailboxSecurityDescriptor Attribute

Mailbox security is defined in the msExchMailboxSecurityDescriptor Active Directory attribute. However, the msExchMailboxSecurityDescriptor attribute is not the real security descriptor for the Exchange Server 2000/2003 mailbox; this descriptor is stored in the Exchange Store. The msExchMailboxSecurityDescriptor attribute is just a shadow of that security descriptor. This behavior is particularly important when one wants to update the security of an Exchange Server 2000/2003 mailbox. Refer to http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=38190 (complete list at http://www.lissware.net), Exchange Server 2000 SP2 CDOEXM Updates for more information about the particularities of the Exchange Server 2000/2003 mailbox security descriptor and how it should be updated.

Granting an associated external user account on the Exchange Server 2000/2003 mailbox modifies the security descriptor by adding an Access Control Entry (ACE) to the Discretionary Access List (ACL) of the descriptor. Only one associated external user account can be granted on a mailbox.

Outlook and the GAL

The Account Forest holds accounts without any particular information related to Exchange Server 2000/2003. In such a case, it is very important that Outlook clients access GCs that are part of the Exchange Forest in order to use a populated GAL. Exchange Server 2000/2003 specifies the GC location via the DSProxy component. The Outlook MAPI client saves the GC referral received by Exchange Server 2000/2003 to the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\ \dca740c8c042101ab4b908002b2fe182
    Value name: 001e6602
    Value type: STRING
    Value data: http://support.microsoft.com/default.aspx?scid=kb;en-us;2722
RE: [ActiveDir] 2 quick favors
For 1/, try this one below. For 2/ I don't have one close but I'm sure some folks here can feed you ... The script doesn't dump in a text file, but that's an easy addition.

HTH

    ' FindGPOLinks v1.04.vbs - Version 1.04 - Alain Lissoir
    '
    ' WSH Script browsing the 'DefaultNamingContext' and the 'configurationNamingContext'
    ' to retrieve the Group Policies linked to AD objects.
    ' This should facilitate the search of created policies in the Active Directory.
    '
    ' The script is using a basic LDAP access in the current user context,
    ' so, you should have enough rights to access AD objects.
    '
    ' Change in version 1.04
    '
    ' - Add an error Handler in the "ShowMemberInfo" Private Sub
    '
    ' Change in version 1.02
    '
    ' - Query the schema to get the property list associated to the 'groupPolicyContainer' class.
    ' - Display only the defined properties for that class.
    ' - For the defined properties, the scripts shows the syntax to be used by the property.
    ' - Take in account the fact that more than one policy can be defined at the container level.
    '
    ' Change in version 1.01
    '
    ' - Add some code to bind to the GPLink LDAP Pointer to extract some properties.
    '
    ' Any comments or questions:EMail:[EMAIL PROTECTED]

    Option Explicit

    Dim ObjRoot
    Dim Object
    Dim ObjMember

    ' ---
    WScript.Echo
    WScript.Echo "Looking inside 'configurationNamingContext'"

    Set objRoot = GetObject("LDAP://RootDSE")
    Object = objRoot.Get("configurationNamingContext")
    Call LookInsideObject (Object)
    Set Object = Nothing
    Set objRoot = Nothing

    ' ---
    WScript.Echo
    WScript.Echo "Looking inside 'DefaultNamingContext'"

    Set objRoot = GetObject("LDAP://RootDSE")
    Object = objRoot.Get("DefaultNamingContext")
    Call LookInsideObject (Object)
    Set Object = Nothing
    Set objRoot = Nothing

    WScript.Quit (0)

    ' ---
    Private Sub LookInsideObject (Object)

        Dim objMember
        Dim Member

        Set objMember = GetObject ("LDAP://" & Object)

        if objMember.Class <> "sitesContainer" And _
           objMember.Class <> "container" And _
           objMember.Class <> "configuration" _
        Then Call ShowMemberInfo (objMember)

        For Each Member in objMember
            If Member.Class = "domainDNS" Or _
               Member.Class = "organizationalUnit" Or _
               Member.Class = "sitesContainer" Or _
               Member.Class = "site" Or _
               Member.Class = "container" _
            Then Call LookInsideObject (Member.Name & "," & Object)
        Next

        Set objMember = Nothing

    End Sub

    ' ---
    Private Sub ShowMemberInfo (Object)

        Dim longStartPolicyPath
        Dim longEndPolicyPath
        Dim strPolicyPathSource
        Dim strPolicyPath
        Dim objPolicy
        Dim objPolicyClassDef
        Dim objPolicyProperty
        Dim strPropertyName

        Object.GetInfo

        If Object.GPLink = "" Then
            WScript.Echo Object.Name & " (" & Object.Class & ")"
            WScript.Echo "(No Group Policy Defined)"
            WScript.Echo
        End If

        strPolicyPathSource = Object.GPLink

        While (strPolicyPathSource <> "")
            WScript.Echo Object.Name & " (" & Object.Class & ")"

            ' Extract each LDAP pointer from the GPLink.
            longStartPolicyPath = InStr(1, strPolicyPathSource, "[", vbTextCompare)
            longEndPolicyPath = InStr(1, strPolicyPathSource, "]", vbTextCompare)
            strPolicyPath = Mid(strPolicyPathSource, longStartPolicyPath + 1, longEndPolicyPath - 4)
            strPolicyPathSource = Mid(strPolicyPathSource, longEndPolicyPath + 1)

            Set objPolicy = GetObject(strPolicyPath)
            objPolicy.GetInfo

            WScript.Echo "Found an existing Policy: '" & objPolicy.Get("displayName") & "' (" & objPolicy.Class & ")"
            WScript.Echo " GPLink=" & strPolicyPath

            Set objPolicyClassDef = GetObject (objPolicy.Schema)

            On error Goto ErrorHandler
            For Each strPropertyName In objPolicyClassDef.MandatoryProperties
                Set objPolicyProperty = GetObject (objPolicyClassDef.Parent + "/" + strPropertyName)
                WScript.Echo " " & strPropertyName & "=
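What the While loop in ShowMemberInfo does with the GPLink value, as an added Python example (not Alain Lissoir's script): it parses every [LDAP://...;options] entry, keeps the option bits (1 = link disabled, 2 = enforced) and rejects leftover text instead of assuming a one-digit option. The sample value is constructed from two GPO paths shown in the sample output on this page with made-up option digits; all names are assumptions.

```python
import re
from dataclasses import dataclass

GPLINK_DISABLED = 0x1   # link exists but the GPO is not applied through it
GPLINK_ENFORCED = 0x2   # link is enforced ("No Override")

# Constructed gPLink value: the two GPO paths appear in the sample output on
# this page, the option digits (0 and 2) are made up for the example.
SAMPLE_GPLINK = (
    "[LDAP://cn={0154628E-C9EE-48C2-8FD3-306599C0B88D},cn=policies,cn=system,DC=LissWare,DC=Net;0]"
    "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=LissWare,DC=Net;2]"
)

_ENTRY = re.compile(r"\[(LDAP://[^;\[\]]+);(\d+)\]")
_GUID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


@dataclass
class GpoLink:
    path: str      # ADsPath of the groupPolicyContainer object
    guid: str      # GPO GUID taken from the path, upper-cased
    options: int   # raw link options

    @property
    def disabled(self) -> bool:
        return bool(self.options & GPLINK_DISABLED)

    @property
    def enforced(self) -> bool:
        return bool(self.options & GPLINK_ENFORCED)


def parse_gplink(value):
    """Return the links of a gPLink value in the order they are stored.

    An empty or blank value means no GPO is linked. Anything that is not a
    sequence of well-formed [path;options] entries raises ValueError.
    """
    value = (value or "").strip()
    links, pos = [], 0
    for match in _ENTRY.finditer(value):
        if match.start() != pos:
            raise ValueError("unexpected text at offset %d" % pos)
        guid = _GUID.search(match.group(1))
        if guid is None:
            raise ValueError("no GPO GUID in %r" % match.group(1))
        links.append(GpoLink(match.group(1), guid.group(1).upper(),
                             int(match.group(2))))
        pos = match.end()
    if pos != len(value):
        raise ValueError("unexpected text at offset %d" % pos)
    return links


def applied_guids(value):
    """GUIDs of the GPOs whose link is not disabled."""
    return [link.guid for link in parse_gplink(value) if not link.disabled]


if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        print(link.guid, "disabled" if link.disabled else "enabled",
              "enforced" if link.enforced else "")
```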
RE: [ActiveDir] Logon script with Admin rights **Work Around**
All these points are true, you just need to mention to be complete:

1 The Python engine is not part of the Windows platform and therefore, it must be deployed on every system ...
2 VBScript (or WSH actually, which is the infrastructure allowing to run VBScript or JScript in Windows) comes for free in the OS since Windows 2000

The latter explains why VBScript is so often used despite its downsides.

Cheers,
/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Thursday, July 28, 2005 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logon script with Admin rights **Work Around**

You might want to look at alternatives to VBScript. I have been using VBScript for some time now. It has several points in its favour.

1. Simplicity
2. Many examples.

However it has certain limitations.

1. Limited syntax
2. No GUI (except HTAs which are awkward to write)
3. Very limited free library support.

Recently I have been doing things in Python. It can be as simple as VBScript but comes with a huge number of 'built in' libraries including GUIs, Sockets and much more. Access to ActiveX objects works well and up to now I have had no problems. It is also well documented and supported.

Regards
Peter Jessop
RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per se. All WMI does is poll AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the "who did it". Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance.

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work:

http://www.LissWare.Net

See "Sample 3.54 - GroupMonitor.wsf"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before & after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD event monitoring?

TIA,
Chuck

--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc.   864 801 2795 voice & voicemail
103 Autumn Hill Road            864 801 2774 fax
Greer, SC 29651

Do not send me unsolicited commercial email.
RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use
I just want to stress the fact that WMI is not an auditing technology per se. All WMI does is poll AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the "who did it". Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance.

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work:

http://www.LissWare.Net

See "Sample 3.54 - GroupMonitor.wsf"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before & after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD event monitoring?

TIA,
Chuck

--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc.   864 801 2795 voice & voicemail
103 Autumn Hill Road            864 801 2774 fax
Greer, SC 29651

Do not send me unsolicited commercial email.
RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use
WMI can be used for the monitoring but the capabilities are quite limited with the current WMI provider implementation. Despite this, it could be useful in some very specific pin-point monitoring cases. However, in your case, you definitely need something else. NETPRO solution seems to me the best match for what you need.

However, I suspect that NETPRO uses this API (Polling for Changes Using the DirSync Control)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/polling_for_changes_using_the_dirsync_control.asp

Don't know ... Only they can confirm ... :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Monday, July 11, 2005 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

Grillenmeier, Guido wrote:

> Chuck - what exactly are you trying to achieve/monitor?

I need to monitor for creation, deletion, renaming and moving of user objects, group objects and for objects based on 2 or 3 other application-specific object classes in AD. Additionally, I need to monitor for modification of some standard attributes and some custom/aux attributes on user & group objects. In the case of membership types of attributes that are multi-valued, when one of those attributes changes, I need to know what individual value is being added to or removed from the attribute's value list.

This needs to be done for all user & group objects in the tree; there is no feasible way to limit the scope of object instances that need to be monitored.

When the events are received, the application will consolidate them and forward them on to an "engine" that will take certain actions depending on which particular events have occurred.

I would prefer notification of the desired changes to be delivered asynchronously, but I can poll for them if necessary. DirSync and LDAP and monitoring the uSNChanged attribute are all methods that fail to provide this degree of granularity. To use DirSync or LDAP searches would effectively require me to maintain a partial replica of the entire AD tree with which to perform comparisons of objects that are reported in the DirSync result-set.

> AD itself doesn't provide a real event-driven model for notification
> of changes to objects, but for single object monitoring you can get
> quite far with WMI event queries (which in the background read the
> instance of an object and then continuously poll for any changes to
> the object in AD
> - no matter if direct or through replication).
> This will be ok for "poor man's" monitoring of a few special objects
> (such as sensitive groups), but not for monitoring changes in all of
> AD (both NetPro and Quest deploy agents to the DCs to intercept
> changes that occur on DCs to reach their goal)

Yes, I understand that an agent is required on each DC to intercept the required changes. It is the method(s) that those agents [in Quest's & NetPro's products] are using that I'm looking for. I need the same degree of functionality in terms of fine grained event monitoring.

As stated above, the # of objects involved is too large to use WMI. All users & groups in the tree will end up needing to be monitored along with several other classes of objects.

--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651

Do not send me unsolicited commercial email.
RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts
You will find a series of articles on Exchange scripting at http://www.microsoft.com/technet/scriptcenter/hubs/exchange.mspx

Mail-enabled, mailbox-enabled contacts are covered.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frost, David: #CIO-BPI
Sent: Friday, June 24, 2005 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

Can anyone offer some guidance on whether it is possible to script the change of the associated Exchange Admin Group for mail enabled contacts?

I have a large number of mail enabled contacts that I would like to move from one Exchange Admin Group to another without deleting and recreating them.

David Frost
Directory Engineering, Messaging, Directories and PKI
Engineering Services
Industry Canada
email:[EMAIL PROTECTED]
(613) 957-8442
RE: [ActiveDir] Scripting Delegation Question
Deleting an ACE is obviously supported. Supporting removal of an ACE in a granular way requires extensive regression testing, which is way more complex than removing all ACEs using the same trustee. Therefore, it is more than just implementing the feature in the tool. That's why it is not supported even though technically this should work fine. I've been doing some testing with the script below and it works great so far.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

> Microsoft doesn't support this and this is why no tool doing this exists.

I am confused, what specifically isn't supported? Deleting a single ACE is obviously supported, the reason DSACLS doesn't do it I would bet is programmer laziness versus anything being unsupported. You would have to add additional switches to specify the specific ACL to remove versus simply yanking all of the ACEs with a specific secprin. The latter is much much easier to implement. DSACLS has lots of shortcuts like that, look at the case sensitivity for more examples there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, May 20, 2005 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Delegation Question

Check out the script at http://users.skynet.be/alain.lissoir/conferences/WMIManageSD.zip I wrote for my books. This script is fully documented in my WMI books at http://www.lissware.net (Vol 2). It supports the management of security descriptors for files, folders, file shares, registry, WMI namespaces, AD, Exchange 2000/2003 mailboxes. It requires the registration of some resource DLLs where it is started in order to work.

For instance, if you want to delegate "Modify the membership of a group" (as the delegation wizard displays). The command line for WMIManageSD.Wsf is:

    Set OU="OU=Department,DC=LissWare,DC=NET"
    Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
    Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^
                /Trustee:%TRUSTEE% ^
                /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
                /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
                /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
                /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
                /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
                /AddAce+ /ADSI+

Then to undelegate one ACE, you specify the exact same command line, but you use the /DelAce and /Granular+ switches instead. If you don't specify the /Granular+ switch, then it removes all ACEs for the trustee. If you do, it removes the ACE specified for the trustee.

    Set OU="OU=Department,DC=LissWare,DC=NET"
    Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
    Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^
                /Trustee:%TRUSTEE% ^
                /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
                /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
                /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
                /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
                /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
                /DelAce+ /ADSI+ /Granular+

Note that even though this may work in most cases, Microsoft doesn't support this and this is why no tool doing this exists.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, May 20, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting Delegation Question

I am at the latter stages of a script to ‘pump out’ delegation from a business administrative model description. I’ve had great luck automating DSACLS to drive delegation. Now I’ve hit a wall though and maybe someone can help.

DSACLS won’t let you remove a single permission. It will let you remove all permissions for a security principal; it will let you deny; but it won’t remove an allowed permission.

My goal is to be able to drive a delegation of “almost full control” of users & groups, whereby an admin group can do everything except delete, because we want to provision the deletion process to avoid accidental deletions. I’d like to delegate this as I would in the UI: click “Full Control” then UNCHECK “Delete” and “Delete Subtree”.

Does anyone have any ideas how to script this? I’d prefer not to have to dive into the security des
RE: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange
Did I say it is a recommended way? I didn't :-)

Doing this works so far but it has its downside too and you pointed clearly the risks and issues. That's why Microsoft only recommends CDOEXM (even though the current CDOEXM is embedding the same logic inside the CreateMailbox method). The recommended way with scripts is described at http://msdn.microsoft.com/library/default.asp?url=

/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange

I ***absolutely*** do not recommend setting legacyExchangeDN this way. It is absolutely critical that the LEDN be unique in the ORG and there is no attempt to verify that uniqueness. Best to just let the RUS set it as you don't need to. If you absolutely want to do it, I would recommend querying any DCs being used by any RUS instances to verify the LEDN value is unique. As a person stuck trying to find why certain things are working in squirrely ways in Exchange, duped LEDN's is a very popular reason.

The only objects I can think of that you must create the LEDN for if creating through a script are Query Based DLs. Interestingly enough, MS has no mechanism for creating mail enabled Query Based DLs, I bugged this with MS last year. On top of that, doing the method I mentioned below won't work with them as well because the RUS won't populate many of the values so you have to populate most of the info yourself, but again, LEDN is critical to get right.

I would also recommend against setting the mail addresses as well and let the recipient policies handle it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, May 18, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange

Yes, you can script it with a pure ADSI code initializing required attributes. It is true that MS doesn't support this method as only the CDOEXM way is supported.

You can find details at http://www.lissware.net , White Papers section, Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit). See Sample 20 Enabling E-Mail on object for Exchange 2000 with ADSI. Code can create the mailbox-enabled definition and/or mail-enable a trustee (group or user).

You can also refer to http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=38190 for more info about mailbox security as it is often the next question after provisioning the mailbox in AD (only if you have Windows IT Pro subscription).

Note that creating the mailbox definition in AD with ADSI does not create the mailbox. It gets created in the store when the first message is received or when the user connects the first time.

That's for the code logic. Now regarding the rights to initialize these attributes, they rely on the default Exchange and AD security (which can always be tweaked but it is not trivial).

Code excerpt:

    ...
    Option Explicit

    Const NO_CREATE_MB = 0
    Const CREATE_MB = 1

    ' --
    Private Sub EnableEmailAddress (objObject, _
                                    strExchangeComputer, _
                                    strOrganization, _
                                    strExchangeAdminGroup, _
                                    strExchangeStorageGroup, _
                                    strExchangeMailboxStore, _
                                    boolMB)
    ...
        Set ObjRoot = GetObject("LDAP://RootDSE")
        strRootDomainNC = objRoot.Get("RootDomainNamingContext")
        strConfigNC = ObjRoot.Get("configurationNamingContext")
    ...
        ' --
        Set objRootDomainNC = GetObject("LDAP://" & strRootDomainNC)

        ' Retrieve a constructed property, so 1st we do a GetInfoEx
        objRootDomainNC.GetInfoEx Array("canonicalName"), 0
        strRootDNSDomainName = objRootDomainNC.Get("canonicalName")
        ' Remove the / at the end
        strRootDNSDomainName = Mid (strRootDNSDomainName, 1, Len(strRootDNSDomainName) - 1)
    ...
        ' Build the path with the Microsoft Exchange organization path
        strOrganizationDN = "CN=" & strOrganization & _
                            ",CN=Microsoft Exchange,CN=Services," & strConfigNC

        ' --
        Select Case objObject.Class
               Case "user"
                    strRecipient = EliminateSpaces (LCase (objObject.FirstName) & _
RE: [ActiveDir] Scripting Delegation Question
Check out the script at http://users.skynet.be/alain.lissoir/conferences/WMIManageSD.zip I wrote for my books. This script is fully documented in my WMI books at http://www.lissware.net (Vol 2). It supports the management of security descriptors for files, folders, file shares, registry, WMI namespaces, AD, Exchange 2000/2003 mailboxes. It requires the registration of some resource DLLs where it is started in order to work.

For instance, if you want to delegate "Modify the membership of a group" (as the delegation wizard displays). The command line for WMIManageSD.Wsf is:

    Set OU="OU=Department,DC=LissWare,DC=NET"
    Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
    Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^
                /Trustee:%TRUSTEE% ^
                /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
                /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
                /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
                /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
                /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
                /AddAce+ /ADSI+

Then to undelegate one ACE, you specify the exact same command line, but you use the /DelAce and /Granular+ switches instead. If you don't specify the /Granular+ switch, then it removes all ACEs for the trustee. If you do, it removes the ACE specified for the trustee.

    Set OU="OU=Department,DC=LissWare,DC=NET"
    Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
    Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^
                /Trustee:%TRUSTEE% ^
                /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
                /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
                /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
                /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
                /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
                /DelAce+ /ADSI+ /Granular+

Note that even though this may work in most cases, Microsoft doesn't support this and this is why no tool doing this exists.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, May 20, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting Delegation Question

I am at the latter stages of a script to ‘pump out’ delegation from a business administrative model description. I’ve had great luck automating DSACLS to drive delegation. Now I’ve hit a wall though and maybe someone can help.

DSACLS won’t let you remove a single permission. It will let you remove all permissions for a security principal; it will let you deny; but it won’t remove an allowed permission.

My goal is to be able to drive a delegation of “almost full control” of users & groups, whereby an admin group can do everything except delete, because we want to provision the deletion process to avoid accidental deletions. I’d like to delegate this as I would in the UI: click “Full Control” then UNCHECK “Delete” and “Delete Subtree”.

Does anyone have any ideas how to script this? I’d prefer not to have to dive into the security descriptor using VBScript, but if that’s what it takes I’ll do that, if someone has a sample.

THANKS!

Dan

(BTW: Yes, I’ll be posting this tool for everyone once it’s finished)
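
The difference this thread turns on, removing every ACE for a trustee versus removing one specific ACE, together with the "Full Control minus Delete and Delete Subtree" mask Dan asks about, as an added Python model that is not part of the original posts and is not WMIManageSD.Wsf or DSACLS code. The Ace class, the function names and the EXAMPLE\ trustees are hypothetical; the right values are the documented ADS_RIGHTS_ENUM bits and the two GUIDs are the ones in the command line above.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# ADS_RIGHTS_ENUM bits (documented ADSI values).
ADS_RIGHT_DS_CREATE_CHILD = 0x1
ADS_RIGHT_DS_DELETE_CHILD = 0x2
ADS_RIGHT_ACTRL_DS_LIST = 0x4
ADS_RIGHT_DS_SELF = 0x8
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_DELETE_TREE = 0x40
ADS_RIGHT_DS_LIST_OBJECT = 0x80
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ADS_RIGHT_DELETE = 0x10000
ADS_RIGHT_READ_CONTROL = 0x20000
ADS_RIGHT_WRITE_DAC = 0x40000
ADS_RIGHT_WRITE_OWNER = 0x80000

# "Full Control" on a directory object is every bit above.
FULL_CONTROL = 0x1FF | ADS_RIGHT_DELETE | ADS_RIGHT_READ_CONTROL \
    | ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER

ADS_ACETYPE_ACCESS_ALLOWED = 0x0
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
CONTAINER_INHERIT = 0x2   # ACE flag: inherit to child containers
INHERIT_ONLY = 0x8        # ACE flag: applies to children only
INHERITED = 0x10          # ACE flag: came from a parent, not set here

MEMBER_ATTR = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"   # from the thread
GROUP_CLASS = "{BF967A9C-0DE6-11D0-A285-00AA003049E2}"   # from the thread


@dataclass(frozen=True)
class Ace:
    trustee: str
    ace_type: int
    mask: int
    flags: int = 0
    object_type: Optional[str] = None
    inherited_object_type: Optional[str] = None

    def key(self) -> tuple:
        """Identity for granular matching; names and GUIDs ignore case."""
        low = lambda s: s.lower() if s else None
        return (low(self.trustee), self.ace_type, self.mask, self.flags,
                low(self.object_type), low(self.inherited_object_type))


def is_explicit(ace: Ace) -> bool:
    # Inherited ACEs are re-applied from the parent, so they are never removed here.
    return not ace.flags & INHERITED


def almost_full_control() -> int:
    """Full Control with Delete and Delete Subtree cleared."""
    return FULL_CONTROL & ~(ADS_RIGHT_DELETE | ADS_RIGHT_DS_DELETE_TREE)


def remove_all_for_trustee(dacl: List[Ace], trustee: str) -> List[Ace]:
    """Trustee-wide removal: every explicit ACE of the trustee goes."""
    return [a for a in dacl
            if not (is_explicit(a) and a.trustee.lower() == trustee.lower())]


def remove_granular(dacl: List[Ace], target: Ace) -> Tuple[List[Ace], int]:
    """Granular removal: only the explicit ACE equal to target in every field."""
    kept = [a for a in dacl if not (is_explicit(a) and a.key() == target.key())]
    return kept, len(dacl) - len(kept)


def clear_rights(dacl: List[Ace], trustee: str, rights: int) -> List[Ace]:
    """Clear bits from the trustee's explicit plain allow ACEs; drop emptied ACEs."""
    out = []
    for a in dacl:
        if (is_explicit(a) and a.ace_type == ADS_ACETYPE_ACCESS_ALLOWED
                and a.trustee.lower() == trustee.lower()):
            a = replace(a, mask=a.mask & ~rights)
            if a.mask == 0:
                continue
        out.append(a)
    return out


def sample_dacl() -> List[Ace]:
    """Constructed DACL for the demonstration."""
    rp_wp = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP
    return [
        Ace("EXAMPLE\\GroupAdmins", ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, rp_wp,
            CONTAINER_INHERIT | INHERIT_ONLY, MEMBER_ATTR, GROUP_CLASS),
        Ace("EXAMPLE\\GroupAdmins", ADS_ACETYPE_ACCESS_ALLOWED, FULL_CONTROL,
            CONTAINER_INHERIT),
        Ace("EXAMPLE\\HelpDesk", ADS_ACETYPE_ACCESS_ALLOWED, ADS_RIGHT_DS_READ_PROP),
        Ace("EXAMPLE\\GroupAdmins", ADS_ACETYPE_ACCESS_ALLOWED,
            ADS_RIGHT_DS_READ_PROP, INHERITED),
    ]
```

The granular path needs every field of the ACE to identify it, which is why the undelegate command line repeats all the switches of the delegate one.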
RE: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange
Yes, you can script it with a pure ADSI code initializing required attributes. It is true that MS doesn't support this method as only the CDOEXM way is supported.

You can find details at http://www.lissware.net , White Papers section, Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit). See Sample 20 Enabling E-Mail on object for Exchange 2000 with ADSI. Code can create the mailbox-enabled definition and/or mail-enable a trustee (group or user).

You can also refer to http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=38190 for more info about mailbox security as it is often the next question after provisioning the mailbox in AD (only if you have Windows IT Pro subscription).

Note that creating the mailbox definition in AD with ADSI does not create the mailbox. It gets created in the store when the first message is received or when the user connects the first time.

That's for the code logic. Now regarding the rights to initialize these attributes, they rely on the default Exchange and AD security (which can always be tweaked but it is not trivial).

Code excerpt:

    ...
    Option Explicit

    Const NO_CREATE_MB = 0
    Const CREATE_MB = 1

    ' --
    Private Sub EnableEmailAddress (objObject, _
                                    strExchangeComputer, _
                                    strOrganization, _
                                    strExchangeAdminGroup, _
                                    strExchangeStorageGroup, _
                                    strExchangeMailboxStore, _
                                    boolMB)
    ...
        Set ObjRoot = GetObject("LDAP://RootDSE")
        strRootDomainNC = objRoot.Get("RootDomainNamingContext")
        strConfigNC = ObjRoot.Get("configurationNamingContext")
    ...
        ' --
        Set objRootDomainNC = GetObject("LDAP://" & strRootDomainNC)

        ' Retrieve a constructed property, so 1st we do a GetInfoEx
        objRootDomainNC.GetInfoEx Array("canonicalName"), 0
        strRootDNSDomainName = objRootDomainNC.Get("canonicalName")
        ' Remove the / at the end
        strRootDNSDomainName = Mid (strRootDNSDomainName, 1, Len(strRootDNSDomainName) - 1)
    ...
        ' Build the path with the Microsoft Exchange organization path
        strOrganizationDN = "CN=" & strOrganization & _
                            ",CN=Microsoft Exchange,CN=Services," & strConfigNC

        ' --
        Select Case objObject.Class
               Case "user"
                    strRecipient = EliminateSpaces (LCase (objObject.FirstName) & _
                                                    "." & LCase (objObject.LastName))
                    ' Set the Alias name
                    objObject.put "mailNickName", strRecipient

                    ' Build the SMTP Address
                    strSMTPAddress = strRecipient & "@" & strRootDNSDomainName
                    ' Build the X400 Address
                    strX400Address = "c=" & strCountry & _
                                     ";a= " & _
                                     ";p=" & Left (strOrganization, 16) & _
                                     ";o=Exchange" & _
                                     ";s=" & Lcase (objObject.LastName) & _
                                     ";g=" & Lcase (objObject.FirstName) & _
                                     ";"

                    ' Set in which GAL to show the user
                    strDefaultGAL = "CN=Default Global Address List," & _
                                    "CN=All Global Address Lists,CN=Address Lists Container," & _
                                    strOrganizationDN
                    objObject.PutEx ADS_PROPERTY_UPDATE, "showInAddressBook", _
                                    Array(strDefaultGAL)

                    ' Set the legacy Exchange distinguished name of the created user
                    strLegacyExchangeDN = "/o=" & strOrganization & _
                                          "/ou=" & strExchangeAdminGroup & _
                                          "/cn=Recipients/cn=" & strRecipient

               Case "group"
                    strRecipient = EliminateSpaces (objObject.Get ("sAMAccountName"))

                    ' Set the Alias name
                    objObject.put "mailNickName", strRecipient

                    ' Build the SMTP Address
                    strSMTP
RE: [ActiveDir] Shutdown script not working.
Have you compared the security context of the AT service in the services.msc snapin? That should be the difference ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, May 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shutdown script not working.

Greetings,

I have a question that I have never had answered and I am hoping that someone may know the answer.

I have a shutdown script using the shutdown tool from the resource kit. It has always worked on 3.51 & 4.0 servers when I schedule it using the AT command, however on my 2000 servers it appears to run and clears itself and does nothing. If I schedule the same script through scheduled task then it works correctly. Why won't it work using the AT Command? What am I doing wrong?

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\>at
    Status ID   Day                     Time          Command Line
            1   Next W                  1:26 AM       c:\support\tools\shutdown.cmd

    C:\>

Sincerely,
Jose Medeiros
408-449-6621 Cell
RE: [ActiveDir] scripting sacls
Paul, make sure you include the statement:

    objADObject.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER Or _
                                                    ADS_SECURITY_INFO_GROUP Or _
                                                    ADS_SECURITY_INFO_DACL Or _
                                                    ADS_SECURITY_INFO_SACL
    Set objSD = objADObject.Get("ntSecurityDescriptor")

See for more info http://msdn.microsoft.com/library/default.asp?url=

You can find a full script example managing ACL (DACL and SACL) at http://www.lissware.net, ZIP of volume 2 samples, Sample 4.02 to 4.13 - WMIManageSD.Wsf and beyond. This script manages files, folders, file shares, registry, WMI Namespaces, AD objects and Exchange 200X mailboxes security descriptors. For AD, it also supports Extended Rights (provided you know the GUID of the Extended Right, but there you can find the complete list in my WMI books at chapter 4 dedicated to security scripting, including CDO, WMI and ADSI with AD).

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 05, 2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] scripting sacls

Do you currently have permissions to view the SACL through LDAP?

Try this

    adfind -b object_DN ntSecurityDescriptor -sddc

If you see a DN but no SDDL representation of the ACL then you may not have permissions. Also I believe I caught the case if one of the components of the ACL doesn't exist or you don't have perm to it specifically where it will tell you that you don't have permission to see that portion of the ACL...

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Thursday, May 05, 2005 5:20 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] scripting sacls

I'm trying to modify the sacls on an object. Every document/book/google demonstrates how to do this by getting the ntSecurityDescriptor of an object and then obtaining a handle to the SACL by referencing .SystemAcl from the descriptor. Nice except that when you try and get the object you get an error stating that the object doesn't exist.

Now I know I've got the ntSecDesc ok as I can get the DACL information and all of the other properties spit out quite nicely. It's just the SACLS which I'm having problems with. Can't get any example code from anywhere to give me SACLS either. (Mind you how many ways are there to get the ntSecDesc and then get .SystemACL!!!). Interestingly, .SACLDefaulted at least gives me a zero.

It's driving me mad. Anyone managed to get .SystemACL out of ntSecDesc or is this a fruitless task.

Paul.
RE: [ActiveDir] Log changes to AD
You can also refer to some WMI features to do this. But that implies scripting.

http://www.windowsitpro.com/WindowsScripting/Articles/ArticleID/41835/pg/4/4.html

/Alain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, March 31, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Log changes to AD

You can use the auditing facilities in AD that, when enabled and configured, add log messages to the system audit log on the DC where the changes are made. See the section "Establishing Domain Controller Audit Policy Settings" in the document Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I at http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx.

Basically, you have to enable auditing of AD object access using group policy, then set the SACLs on the objects that you want to audit. Then you have to grab the data from the audit logs on the domain controllers.

MSFT has been sitting on a product called Audit Collection Service (ACS) for about a year that will aggregate the audit information for you in a SQL database. They've recently changed the distribution scheme for ACS (this is about the 4th time I think), and I just don't know when or how it will be made available to the general public. I'm sure it's Real Soon Now.

There are 3rd-party apps that can do the auditing job as well, such as Change Auditor from NetPro. Quest Software has something along these lines as well. There are numerous 3rd party products that can aggregate log information in a database.

HTH,

-gil

Gil Kirkpatrick
CTO, NetPro

"To fly, flip away backhanded. Flat flip flies straight. Tilted flip curves. Experiment!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, March 31, 2005 12:30 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Log changes to AD

Is there some logging I can enable to track changes to user attributes (phone number, location, etc)

We are running a windows 2000 AD in mixed mode.

Thank you
jb
RE: [ActiveDir] 2003 SP1 RTM
The ones that you install by selecting "Install or Update the Virtual Machine Additions" from VS2005.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, March 31, 2005 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

The latest being what exactly?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Thursday, March 31, 2005 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

And I presume you updated the VM with the latest VM additions, right?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, March 31, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I have a specific problem related in some way to SP1.

I have several test environments. In each I use Virtual Server 2005. Each environment is 100% Windows Server 2003. After upgrading any of the VMs with SP1, the upgraded VM runs at nearly 100% CPU consistently. Removing and reinstalling the VM Additions has no effect. Removing SP1 also removes the visible problem.

You might understand that I have an apprehension towards installing SP1 in production, especially on those systems running as VMs.

Any ideas?

Regards,

Aric Bernard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 31, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Dave can you quantify this statement please? I ask out of curiosity, not disagreement. Specifically:

1) You referred to SP1 having "too many changes." How did you make this determination? What is the threshold where we cross in to too many?
2) What steps will you be going through between now and when you do install it? What will you do between now and deployment to give you the confidence level you need to fire it up on a box and see how it goes?

Interested, so we can perhaps think through ways to make that less painful going forward.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I am certainly going to be waiting to install this one for a while; too many changes to jump right into it.

David A. Marquis
Computer Systems Administrator

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 31, 2005 6:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 RTM

FYI. Windows Server 2003 SP1 went RTM yesterday

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en

This e-mail message, including all attachments, is for the sole use of the intended recipients(s) and may contain confidential and privileged information. You may NOT use, disclose, copy, or disseminate this information. If you are not the intended recipient, please contact the sender by reply e-mail immediately. Please destroy all copies of the original message and all attachments.
RE: [ActiveDir] 2003 SP1 RTM
And I presume you updated the VM with the latest VM additions, right?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, March 31, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I have a specific problem related in some way to SP1. I have several test environments. In each I use Virtual Server 2005. Each environment is 100% Windows Server 2003. After upgrading any of the VMs with SP1, the upgraded VM runs at nearly 100% CPU consistently. Removing and reinstalling the VM Additions has no effect. Removing SP1 also removes the visible problem. You might understand that I have an apprehension towards installing SP1 in production, especially on those systems running as VMs. Any ideas?

Regards,
Aric Bernard

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 31, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Dave, can you quantify this statement please? I ask out of curiosity, not disagreement. Specifically:

1) You referred to SP1 having "too many changes." How did you make this determination? What is the threshold where we cross in to too many?
2) What steps will you be going through between now and when you do install it? What will you do between now and deployment to give you the confidence level you need to fire it up on a box and see how it goes?

Interested, so we can perhaps think through ways to make that less painful going forward.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I am certainly going to be waiting to install this one for a while, too many changes to jump right into it.

David A. Marquis
Computer Systems Administrator

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 31, 2005 6:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 RTM

FYI. Windows Server 2003 SP1 went RTM yesterday

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail message, including all attachments, is for the sole use of the intended recipients(s) and may contain confidential and privileged information. You may NOT use, disclose, copy, or disseminate this information. If you are not the intended recipient, please contact the sender by reply e-mail immediately. Please destroy all copies of the original message and all attachments.
RE: [ActiveDir] shutdown of all clients machines remotely
You can also use the "Sample 5.16 - QueryAndReboot.wsf" of my WMI book, Volume 1 at http://www.lissware.net.
This script accepts an LDAP filter to query AD, and based on the results, it reboots all computers listed in the query result.

For instance:

C:\>QueryAndReboot "(name=MyServer01)(name=MyServer02)(name=MyServer03)(name=MyExchange*)"

By default, the script adds the "(objectCategory=computer)" to the filter specified on the command line.
You must run this script on an XP machine because it uses the WMI-ADSI extension, which is not available in 2003 (but the script is very easy to tweak to run it on a 2003 machine. Let me know if you can't make it).

Needless to say, you must carefully formulate your LDAP query (e.g. don't use (name=*)), otherwise you will have an interesting time ... :-))

HTH
/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, March 23, 2005 1:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] shutdown of all clients machines remotely

Shutdown /i and add the machines to the list of machines to reboot\shutdown

-Original Message-
From: "Sharif Naser" <[EMAIL PROTECTED]>
Date: Wed, 23 Mar 2005 12:19:17
To:
Subject: [ActiveDir] shutdown of all clients machines remotely

Hello experts,

How can I issue a shutdown (restart) to all the clients machines on my domain?

Regards,

DISCLAIMER: This electronic message transmission contains information from Qatar Steel Company (QASCO) which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. Be aware that any disclosure, copying, distribution or use of the contents of this information, including attachments, is prohibited without the written consent of Qatar Steel Company (QASCO).

--
Sent from my blackberry.
RE: [ActiveDir] Active Directory Lab Recommendations
And of course, I meant in a VM lab environment ... obviously! :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Monday, March 21, 2005 8:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

Yep! I concur with Aric's statement. Changing the tombstone is definitely worth it in an AD environment. I've been through these issues myself ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, March 21, 2005 8:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

I think the strict replication consistency will allow you to get around this situation.

http://support.microsoft.com/default.aspx?scid=kb;en-us;317097

Regardless, you run the chance of generating lingering objects if all the DCs are not fully synced at the point of shutdown for the 60 day plus duration. You might consider increasing the tombstone lifetime to a value large enough to ensure that your DCs will be in use enough to replicate tombstones before they are garbage collected.

AD is not designed to be in a “mostly powered off” state, so these two issues are something you will always battle with in an environment that is powered on infrequently.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

Hi Dean,

Just curious... For my studying, testing, playing, etc. I have several VM environments (VM WRK) set up that I use from time to time. Let's say I built that environment (at least 2 DCs) in December 2004. When I start the VMs now all DCs start to complain, which is logical to me, about that each DC has not replicated for more than the Tombstone Lifetime Value (60 days). Using the "Allow Replication With Divergent and Corrupt Partner" registry on the DC I get those DCs replicating again. Not that much work for a test environment. I was wondering if you have some thoughts on this.

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, March 19, 2005 03:08
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

... forgot to mention that any number of rollbacks within the available timeframe takes (in our configuration) only minutes (the most costly demand on the time to return-to-ready state is the OS's bootstrap).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, March 18, 2005 8:59 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

I've seen a slew of production and lab scenario requests over the past year or so, many of which I've offered non-technology specific recommendations for ... more recently I've focused my efforts on a non-Microsoft solution that I developed for MSEtechnology, used for some time in the Remote Learning arena, named ECbox (originally defined as "Electronic Classroom in a Box" though more recently internally-colloquially known as "Enterprise Computing in a Box"). The solution was designed from its inception to provide a means of snapshotting a distributed environment whose services impose a potential requirement to roll-back the entire distributed implementation to an earlier point in time (lock, stock and, hopefully not too-smoking, barrel).

As I mentioned, the ECbox is used extensively for remote learning but MSEtechnology has also deployed it as a platform around which our own internal technology services are housed. Simply put, the ECbox is a solution built upon VMware ESX Server containing server (and administrative client-side mods.) designed specifically to tailor ESX's feature set to the demands of collective groups of dependent computers (e.g. a distributed database such as Active Directory).

For the sake of example, MSEtechnology is able to roll its entire Directory, Web and Messaging service (though our requirements are comparatively small, the scale is something of an irrelevant factor in rollback capability and time) back to a multitude of daily earlier points in time (MSEtechnology's current capacity/requirement allows for a couple of weeks).

Hope this proves useful.

Regards.
Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, March 18, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

How about MSVS 2005, MSVPC 2004, or VMWare (pick your flavor) with undo disks? From my experience this is a lot faster and typically cheap
RE: [ActiveDir] Active Directory Lab Recommendations
Yep! I concur with Aric's statement. Changing the tombstone is definitely worth it in an AD environment. I've been through these issues myself ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, March 21, 2005 8:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

I think the strict replication consistency will allow you to get around this situation.

http://support.microsoft.com/default.aspx?scid=kb;en-us;317097

Regardless, you run the chance of generating lingering objects if all the DCs are not fully synced at the point of shutdown for the 60 day plus duration. You might consider increasing the tombstone lifetime to a value large enough to ensure that your DCs will be in use enough to replicate tombstones before they are garbage collected.

AD is not designed to be in a “mostly powered off” state, so these two issues are something you will always battle with in an environment that is powered on infrequently.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

Hi Dean,

Just curious... For my studying, testing, playing, etc. I have several VM environments (VM WRK) set up that I use from time to time. Let's say I built that environment (at least 2 DCs) in December 2004. When I start the VMs now all DCs start to complain, which is logical to me, about that each DC has not replicated for more than the Tombstone Lifetime Value (60 days). Using the "Allow Replication With Divergent and Corrupt Partner" registry on the DC I get those DCs replicating again. Not that much work for a test environment. I was wondering if you have some thoughts on this.

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, March 19, 2005 03:08
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

... forgot to mention that any number of rollbacks within the available timeframe takes (in our configuration) only minutes (the most costly demand on the time to return-to-ready state is the OS's bootstrap).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, March 18, 2005 8:59 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

I've seen a slew of production and lab scenario requests over the past year or so, many of which I've offered non-technology specific recommendations for ... more recently I've focused my efforts on a non-Microsoft solution that I developed for MSEtechnology, used for some time in the Remote Learning arena, named ECbox (originally defined as "Electronic Classroom in a Box" though more recently internally-colloquially known as "Enterprise Computing in a Box"). The solution was designed from its inception to provide a means of snapshotting a distributed environment whose services impose a potential requirement to roll-back the entire distributed implementation to an earlier point in time (lock, stock and, hopefully not too-smoking, barrel).

As I mentioned, the ECbox is used extensively for remote learning but MSEtechnology has also deployed it as a platform around which our own internal technology services are housed. Simply put, the ECbox is a solution built upon VMware ESX Server containing server (and administrative client-side mods.) designed specifically to tailor ESX's feature set to the demands of collective groups of dependent computers (e.g. a distributed database such as Active Directory).

For the sake of example, MSEtechnology is able to roll its entire Directory, Web and Messaging service (though our requirements are comparatively small, the scale is something of an irrelevant factor in rollback capability and time) back to a multitude of daily earlier points in time (MSEtechnology's current capacity/requirement allows for a couple of weeks).

Hope this proves useful.

Regards.
Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, March 18, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

How about MSVS 2005, MSVPC 2004, or VMWare (pick your flavor) with undo disks? From my experience this is a lot faster and typically cheaper than using a disk imaging utility and a slew of physical machines.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Dir
RE: [ActiveDir] Event Log
I would be curious to know what your blocker doesn't like in my URLs. :-)

Good luck!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Saturday, March 19, 2005 9:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Event Log

:) Thanks

I rechecked the links and they are still blocked in here. u know in here http://www.msexchange.org/ is blocked because it has the word "sex" in the URL!

r.c.

On Sat, 19 Mar 2005 08:56:03 -0800, Alain Lissoir <[EMAIL PROTECTED]> wrote:
> I concur with Joe's reply.
> I just want to stress that both approaches are valid: usage of
> scripting or usage of an Enterprise Management software (e.g. HPOV, MOM ...).
> In the case of Enterprise Management software, some people avoid them
> simply because they need to set up that infrastructure to manage the
> actual infrastructure, which represents for them an additional cost and
> complexity (depending on the size of the enterprise and
> infrastructure). On the other hand, even though most large enterprises
> have such a software in place, it happens that local admins want to
> have a pin-point solution instead of interacting with this type of
> software (for political reasons of asking a work item to another team they don't control, for technical reasons, etc ...
> Real life has more imagination than we do sometimes).
>
> Last but not least, these Enterprise Management software often use WMI
> behind the scene. For instance, HPOV and Tivoli use WMI to report
> Event Log entries via their agents to their consoles. So even if you
> are not a WMI guru, you do use it even if you ignore that it is in the game.
> The WMIWatcher script does nothing else than these enterprise
> management software currently do. But instead of being a C++ compiled
> code, it is just simple WSH script that can be run as a Windows
> Service (thanks to SRVANY.EXE from the RESKIT) which is acting like an
> agent where the console becomes the email client. Not perfect as you
> rely on the infrastructure you monitor to relay alerts (email queues).
> This is why these enterprise management solutions often have their own
> path and queues to report alerts. However, the WMIWatcher script is a
> foundation that can address some pin-point problems for some people.
> Let's say it has the benefit to exist even though it is not a perfect solution.
>
> I recognize that WMI is not intuitive, but for people passing the
> step, it is a very powerful technology to get data out of the system
> from scripts or any other software consuming WMI. It offers things you
> can't really do with other technologies like ADSI. The aim of it is just different.
>
> For the SMTP consumer, you must create a WQL query selecting event log
> entries + some typical SMTP parameters. You must also use MOFCOMP to
> set it up in WMI. Of course, far from me to push for my business,
> there is a lot of literature on WMI in the wild but everything is
> explained in my books. ;-) (same link below)
>
> About the links, I rechecked them and all works fine for me.
>
> And no worries, I'm not offended. I know that emails don't always
> allow to put all shades and colors we would like in the tone! :-) I've
> been through this myself.
>
> HTH
> /Alain
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> Sent: Saturday, March 19, 2005 8:47 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Event Log
>
> Oops, I appreciated Alain's input, I was depressed cause it didn't
> work from where I am in the world.
> I hope Alain is not offended by what I said, however if he is my deep
> apology, I really appreciate his input.
>
> thanks.
> r.c.
>
> On Sat, 19 Mar 2005 11:32:46 -0500, joe <[EMAIL PROTECTED]> wrote:
> > It is requested by many people.
> >
> > So many people, in fact, many companies sell software along this
> > concept called Event Log Scrapers or monitors. They tend to have an
> > agent that picks up the events, ships them onto a console, the
> > console then executes some process specified for the specific
> > events. You can look at tools such as OpenView, Microsoft Operations
> > Manager (MOM), HostMonitor (www.ks-soft.net), etc. There are most
> > likely open source projects in the various repositories to do it as
> > well. The reason it is a separate process like this is because not
> > everyone would want it going to their email. What if the error is
> > that email doesn't work like say the smtp queue is backing up? These
> > products offer multiple paths to get th
RE: [ActiveDir] Event Log
y one of them. Lots of other rather large things I think
> that don't have any answers or possibility at the moment that I would
> like to see done because you can't write scripts or programs to do it.
>
> Finally, I think you were a bit rough on Alain. He was simply trying
> to help. I agree that WMI is less than intuitive and I personally
> dislike it and avoid it myself. However if you aren't someone who can
> write code to access the API or aren't a good perl scripter, WMI
> offers the mechanisms to do some of the things you may want to do and
> in some cases the only programmatic way to accomplish what you want to
> do (say like reconnect Exchange mailboxes). Additionally both of the
> links Alain mentions below work just fine from where I am at in the
> world. Alain is actually the Microsoft PM for WMI, it is rather nice
> of him to take time out to respond at all.
>
> One item you might want to look at to help you with WMI is a tool
> called the scriptomatic which is a free download from Microsoft.
>
>
> joe
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> Sent: Saturday, March 19, 2005 7:56 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Event Log
>
> Thanks for your help
>
> am not a WMI girl and you made my life miserable and I couldn't even
> download the WMIWatcher.zip and when I googled for it couldn't find it
> either, and even the http://www.lissware.net was not accessible.
> I will try the SMTP Event Consumer and see how it goes (Since it was
> the only link I could reach).
>
> I thought it is a simple thing requested by many people, have the
> event viewer alarms (specific ones) delivered to their mailboxes
> instead of checking the event viewer of the servers.
>
> Thanks again
>
> On Fri, 18 Mar 2005 07:21:44 -0800, Alain Lissoir
> <[EMAIL PROTECTED]> wrote:
> > Absolutely! WMI is a good way to do this.
> > The WMIWatcher script does this for you.
> > You can download the script from
> > http://users.skynet.be/alain.lissoir/temp/WMIWatcher.zip
> >
> > You can find other script samples doing this at
> > http://www.lissware.net (Volume 1 samples):
> > Sample 6.13 - SynchronousEventConsumer.wsf to Sample 6.17 -
> > GenericEventAsyncConsumer.wsf show the basic mechanic to catch
> > events from WMI.
> >
> > and Sample 6.22 to 6.23 - EventLogTimeDiffMonitor.wsf to Sample 6.25
> > to 6.27 - EventLogTimeDiffMonitorWithNonEvent.wsf show how to catch
> > events from the NT event log and calculate the time between two
> > events (or no event after a timeout). It also sends an email alert.
> >
> > However, you don't necessarily have to run a script to do this.
> > You can also leverage the SMTP Permanent Event Consumer Provider.
> > It requires a MOF file compilation.
> > You can find a sample at http://www.lissware.net (Volume 1 samples):
> > Sample 2.03 - SMTPConsumerInstanceReg.mof For non-WMI people, this
> > will be a bit more complex to set up, however.
> > It is described in my WMI books but MSDN has also some information
> > about it at
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/smtpeventconsumer.asp
> >
> > This WMI provider consumes any WMI events and sends an SMTP email to
> > a relay of your choice.
> > The WQL query you submit makes the WMI event selection.
> >
> > HTH
> > /Alain
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Friday, March 18, 2005 12:15 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Event Log
> >
> > Just to be specific, event viewer is a simple client tool used to
> > view entries in the event log. It is like notepad reading a file.
> >
> > If you need to get alerts like that, you will need to use a third
> > party tool or script. WMI tends to be good in this space, take a
> > look at some of the WMI web sites or books.
> >
> > joe
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > Sent: Monday, March 14, 2005 5:08 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Event Log
> >
> > Please is there any way to make the event viewer trigger an email?
> > Thanks
> > r.c.
> > List info : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
RE: [ActiveDir] Event Log
Absolutely! WMI is a good way to do this.
The WMIWatcher script does this for you.
You can download the script from http://users.skynet.be/alain.lissoir/temp/WMIWatcher.zip

You can find other script samples doing this at http://www.lissware.net (Volume 1 samples):
Sample 6.13 - SynchronousEventConsumer.wsf to Sample 6.17 - GenericEventAsyncConsumer.wsf show the basic mechanic to catch events from WMI.

and Sample 6.22 to 6.23 - EventLogTimeDiffMonitor.wsf to Sample 6.25 to 6.27 - EventLogTimeDiffMonitorWithNonEvent.wsf show how to catch events from the NT event log and calculate the time between two events (or no event after a timeout). It also sends an email alert.

However, you don't necessarily have to run a script to do this.
You can also leverage the SMTP Permanent Event Consumer Provider.
It requires a MOF file compilation.
You can find a sample at http://www.lissware.net (Volume 1 samples):
Sample 2.03 - SMTPConsumerInstanceReg.mof
For non-WMI people, this will be a bit more complex to set up, however.
It is described in my WMI books but MSDN has also some information about it at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/smtpeventconsumer.asp

This WMI provider consumes any WMI events and sends an SMTP email to a relay of your choice.
The WQL query you submit makes the WMI event selection.

HTH
/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event Log

Just to be specific, event viewer is a simple client tool used to view entries in the event log. It is like notepad reading a file.

If you need to get alerts like that, you will need to use a third party tool or script. WMI tends to be good in this space, take a look at some of the WMI web sites or books.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, March 14, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event Log

Please is there any way to make the event viewer trigger an email?
Thanks
r.c.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
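
The SMTP permanent event consumer setup described in this thread (a WQL query that selects event log entries, plus SMTP parameters, registered with MOFCOMP), as an added example that is not from the posters or from the lissware.net samples. The instance names, relay host, mail addresses, file name and the chosen event (System log, event 6008) are assumptions; it also assumes the SMTP consumer class is registered in root\subscription.

```mof
// Added example (constructed values): mail selected NT event log entries
// through the WMI SMTP permanent event consumer.
// Register with:  mofcomp EventLogToSmtp.mof   (file name is hypothetical)
// Assumption: SMTPEventConsumer is available in root\subscription.
#pragma namespace("\\\\.\\root\\subscription")

// 1. The event filter. The WQL query makes the event selection: here,
//    new System log records with event ID 6008 (unexpected shutdown).
//    The event log provider raises these events itself, so no WITHIN
//    polling clause is needed.
instance of __EventFilter as $Filter
{
    Name           = "EventLogMail_Filter";        // hypothetical name
    EventNamespace = "root\\cimv2";
    QueryLanguage  = "WQL";
    Query          = "SELECT * FROM __InstanceCreationEvent "
                     "WHERE TargetInstance ISA \"Win32_NTLogEvent\" "
                     "AND TargetInstance.Logfile = \"System\" "
                     "AND TargetInstance.EventCode = 6008";
};

// 2. The consumer. %...% placeholders are filled in from the properties
//    of the event that matched the filter.
instance of SMTPEventConsumer as $Consumer
{
    Name       = "EventLogMail_Consumer";          // hypothetical name
    SMTPServer = "smtp.example.com";               // placeholder relay
    FromLine   = "wmi-alerts@example.com";         // placeholder address
    ToLine     = "admins@example.com";             // placeholder address
    Subject    = "Event %TargetInstance.EventCode% on "
                 "%TargetInstance.ComputerName%";
    Message    = "Log:    %TargetInstance.Logfile%\n"
                 "Source: %TargetInstance.SourceName%\n"
                 "Time:   %TargetInstance.TimeGenerated%\n\n"
                 "%TargetInstance.Message%";
};

// 3. The binding that activates the subscription. Deleting this instance
//    stops the alerts without removing the filter or the consumer.
instance of __FilterToConsumerBinding
{
    Filter   = $Filter;
    Consumer = $Consumer;
};
```

A permanent subscription stays in the WMI repository across reboots until its instances are deleted, so the __FilterToConsumerBinding instances in root\subscription are the place to review what is registered on a machine. As the thread points out, the alert still depends on the mail path being healthy.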