RE: [ActiveDir] printing prb

2003-09-03 Thread Bjelke John A Contr AFRL/VSIO



Probably a bad driver... Download new one and reinstall the printer. 
Also, there are some viruses that cause things like this... either macro 
viruses that replace the Normal.dot to corrupt your office settings, or ones 
that actually corrupt the printer driver. Rename your normal.dot as the next 
step. Running an updated virus scan never hurts either. HTH. 
-JB
 
John A. Bjelke  
Unisys  505.853.6774 
 [EMAIL PROTECTED] 

By all means marry; if you get a good 
wife, you'll be happy. If you get a bad one, you'll become a philosopher. - 
Socrates 
 


  
  -Original Message-
  From: bobo [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, September 03, 2003 3:46 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] printing prb

  hello all
  I am having problem to print with my hp office 
  jet network printer. Each time i print excel or word get only blank pages. 
  when i send test page it is printed successfully. pls help. 
Thks


RE: [ActiveDir] SP4

2003-08-22 Thread Bjelke John A Contr AFRL/VSIO



Man, I 
must be havin a ball.


 
John A. Bjelke  
Unisys  505.853.6774 
 [EMAIL PROTECTED] 
"Many of life's failures are people who did not 
realize how close they were to success when they gave 
up." 
-Thomas Edison
 


  
  -Original Message-
  From: Hutchins, Mike [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 11:35 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  its mucho funno to be wrong occasionally.. ;-
  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 7:08 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  Eh, no big deal. Look how many times I'm wrong around here. Welcome to the club ;-)

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
  Sent: Friday, August 22, 2003 7:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  And I hate to admit being wrong, but you are right. :-)

  When we first patched all our machines, it was only supported on SP3. However, as you stated, it has been regression tested with SP2 and is now supported. Our company would have to sign a waiver with pss to do sp2, but we are sp3 and higher anyways.
  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 21, 2003 8:44 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  Mike,

  I hate to disagree, but the minimum requirement for MS03-026 DCOM Vuln patch is Windows 2000 SP2.

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
  Sent: Thursday, August 21, 2003 9:37 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4
  
  sp3
  
  
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 21, 2003 8:34 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] SP4

  The patch to stop the MSBlast virus only requires SP2 be installed on the machine.

  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SP4

Has anyone had issues with SP4 on DC's?
We are getting hammered by the latest virus.

Don L. Murawski
Sr. Network Administrator

WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264



RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-20 Thread Bjelke John A Contr AFRL/VSIO



Go to 
DEC and get one from Gil, along with getting him to buy you a drink 
:^)


 
John A. Bjelke  
Unisys  505.853.6774 
 [EMAIL PROTECTED] 
"Many of life's failures are people who did not 
realize how close they were to success when they gave 
up." 
-Thomas Edison
 


  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 20, 2003 1:44 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

  Ok, I have plenty of people here I need to irritate (as a pay back for not patching their systems when I told them to)

  What do I need to do to get a rubber chicken to heheh

  :D

  -Original Message-
  From: Tony Murray [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, August 20, 2003 9:23 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

  Excellent.

  That's what I love about this list. It's the only on-line community I know where you might receive a rubber toy in the post from someone you've never met before.

  I think I've created a monster.

  Tony

  -- Original Message ------
  From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Date: Tue, 19 Aug 2003 19:34:43 +0100

  Gil,
  received one screamin rubber chicken... I love it! Great sound. My fellow sysadmins just might slit a throat today. It remains to be seen if it will be mine or the chicken's :^) Thanks again! -JB

  John A. Bjelke
  Unisys
  505.853.6774
  [EMAIL PROTECTED]
  If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated.

  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 05, 2003 1:22 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

  John,

  Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken in the mail, so you should get it by the end of the week or so. When you do get it, be sure to give it a good squeeze.

  When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name) told me that someone in his office had received one and the noise was driving him crazy. Scratch the chicken off the list of how to win friends and influence people.

  -gil

  -Original Message-
  From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 05, 2003 12:01 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

  Gil,
  I'm not THAT old! Man, next you'll be implying that I built the DARPAnet! (and we all know it was Al Gore who's responsible for that!) *grin* Nah, I just have a fondness for old, dead languages and remembered seeing that one before. I actually had a book mark to a "history of computing" type doc that had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times and budgets being what they are. But I'll take the chicken... sounds like cool geek-schwag :^)

  John A. Bjelke
  Unisys
  505.853.6774
  [EMAIL PROTECTED]
  Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.

  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 05, 2003 12:01 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

  Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on Unisys minis? Or did you just get lucky with Google? :)

  I'm thinking that your answer deserves a world-famous Official DEC Screaming Yellow Rubber Chicken, whose hideous screech is known to strike fear in the hearts of dogs, cats, and small children.

  Are you coming to DEC Ottawa? I can give it to you there, along with your free beer. Otherwise, send me your shipping info offlist, and no beer for you.

  -gil

  -Original Message-----
  From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 05, 2003 10:39 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

  prints a table of primes, formatting it into columns. What's my prize :^)

  John A. Bjelke
  Unisys
  505.853.6774
  [EMAIL PROTECTED]
  If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated.

  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 05, 2003 9:56 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

  Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's ALWAYS unreadable. I think MUMPS programmers invented the term "write-only programs".

RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-19 Thread Bjelke John A Contr AFRL/VSIO
Gil, 
received one screamin rubber chicken... I love it! Great sound. My
fellow sysadmins just might slit a throat today. It remains to be seen if it
will be mine or the chicken's :^) Thanks again! -JB


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


John,

Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken
in the mail, so you should get it by the end of the week or so. When you do
get it, be sure to give it a good squeeze.

When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name)
told me that someone in his office had received one and the noise was
driving him crazy. Scratch the chicken off the list of how to win friends
and influence people.

-gil


-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Gil, 
I'm not THAT old! Man, next you'll be implying that I built the
DARPAnet! 
(and we all know it was Al Gore who's responsible for that!) *grin* Nah, I
just have a fondness for old, dead languages and remembered seeing that one
before. I actually had a book mark to a history of computing type doc that
had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times
and budgets being what they are. But I'll take the chicken... sounds like
cool geek-schwag :^)

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane
mittam.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming
Yellow Rubber Chicken, whose hideous screech is known to strike fear in the
hearts of dogs, cats, and small children.
 
Are you coming to DEC Ottawa? I can give it to you there, along with your
free beer. Otherwise, send me your shipping info offlist, and no beer for
you.

-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize :^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's
ALWAYS unreadable. I think MUMPS programmers invented the term "write-only
programs".

Typical MUMPS program: f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHAPerl
 
 I like to be able to read my code and understand it again in 6 months
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie Allen
  http://www.rallenhome.com/
 
 
   -Original Message-
   From: Glenn Corbett [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 8:54 AM
   To: [EMAIL PROTECTED]
   Subject: Re

RE: [ActiveDir] LDAP LastLogin for Computers

2003-08-14 Thread Bjelke John A Contr AFRL/VSIO



One way to go about it would be to turn up the auditing and query the event log 
on the machine for login success/failure events. 

 
John A. Bjelke  
Unisys  505.853.6774 
 [EMAIL PROTECTED] 
"Many of life's failures are people who did not 
realize how close they were to success when they gave 
up." 
-Thomas Edison
 


  
  -Original Message-
  From: England, Christopher M [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 06, 2003 8:22 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] LDAP  LastLogin for Computers

  Greetings all, 
  I am trying to pull LDAP queries on computer 
  accounts and I want to find out the last time someone logged into the machine. 
  "WhenModified" is just the computer account object and "LastLogin" is just for 
  user accounts. Am I out of luck?
  What I have is this: 400 or so computer accounts in 
  one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) 
  deleted. #1 happens if they have logged in in say the last few months. #2 if 
  not.
  Any suggestions would be great! 
  Thanks, Chris 
  -
  Christopher England
  Server Administrator
  MCSA, Server+, Network+, A+
  College Information Technology Office
  Indiana University



RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-14 Thread Bjelke John A Contr AFRL/VSIO
When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his
name) told me that someone in his office had received one and the noise was
driving him crazy. Scratch the chicken off the list of how to win friends
and influence people.

LOL! That's great Gil! Thanks! 


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane
mittam.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-14 Thread Bjelke John A Contr AFRL/VSIO
Joe, never forget: Coppula eam se non posit acceptera joccularum
(spelling is probably off, but you should get the gist :^) )

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]



-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 9:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow, I am impressed. I still can't read that code. Would rather get my old
Latin text books out and do some light reading there. 

Good job.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr
AFRL/VSIO
Sent: Tuesday, August 05, 2003 1:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize
:^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's
ALWAYS unreadable. I think MUMPS programmers invented the term "write-only
programs".

Typical MUMPS program: f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHAPerl
 
 I like to be able to read my code and understand it again in 6 months
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie Allen
  http://www.rallenhome.com/
 
 
   -Original Message-
   From: Glenn Corbett [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 8:54 AM
   To: [EMAIL PROTECTED]
   Subject: Re: [ActiveDir] Connection String
  
  
   Roger,
  
   You should be able to convert the Primary Windows NT
 Account into a
   Domain\Username pairI did do it some time ago (yeah,
 it was Ex 5.5
   timeframe too)I'll have a dig around (from memory it was using

   LookupAccountSID *shudder*)
  
   If your UPN in 2k and Exchange email address use the same
 format (ie
   [EMAIL PROTECTED]), you could cheat a bit, and use the UPN
   conversion type code:
  
   ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
   User principal name format. For example, [EMAIL PROTECTED]
  
   *shrug* might be worth a stab.
  
   not sure about mixing NT v4 and 2k servers in the call, I don't
   think it would work too well (may require AD).
  
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
  
   G.
  
  
   - Original Message -
   From: Roger Seielstad [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 10:42 PM
   Subject: RE: [ActiveDir] Connection String
  
  
Cool Might be able to stay away from a compiler for another 3 months...

I know what it was that didn't work - VBScript can't handle the way Exchange
5.5[1] returns the Primary Windows NT Account attribute - it comes back as a
string octet (I think). The VB examples all included the same constant
defs, so I was thinking it was the same thing I looked at a month or two
ago.

Now I'm wondering if I can just direct translate using the syntax below...
I'll have to try that later...
   
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
   
[1] Yeah, I'm still running it
   
   
 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 8:36 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String


 From the online help about NameTranslate, VBScript Example

RE: [ActiveDir] Settign password Expiration date

2003-08-14 Thread Bjelke John A Contr AFRL/VSIO
Dennis, 
He's not looking to set this through policy, methinks. 
Erick, try this link for how to do this through script:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/winnt_account_expiration.asp
Watch the word wrap, and good luck! 


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
There's nothing new under the sun, but there are lots of old things we don't
know. - Ambrose Bierce 


-Original Message-
From: W2K List [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Settign password Expiration date


Password policies can only be set at the domain level.
 
Dennis Depp


  _  

From: Erick Christian [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 1:17 PM
To: [EMAIL PROTECTED]


We are rolling our W2k network out, and have successfully migrated from
NT4.0. Previously we had set our user account's password to expire at the
end of the year. However, going through and enabling each individual account
is not an option, as of yet I have not found a way in AD to set the PW
expiration date for an entire group. If anyone could shed light on this
topic I would greatly appreciate it.
 

Erick Christian
Chesapeake Board of Education


 


RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-14 Thread Bjelke John A Contr AFRL/VSIO
LOL :^) Ok, it's VERY rough. 


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


I would have to get the books out but that seems a little rough in more than
spelling but I think I get the drift... LOL.

I'll take it as a generic 'them' versus specifically 'her' as indicated by
the gender of the pronoun... 


:o)


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr
AFRL/VSIO
Sent: Friday, August 08, 2003 10:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Joe, never forget: Coppula eam se non posit acceptera joccularum (spelling
is probably off, but you should get the gist :^) )

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]



-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 9:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow, I am impressed. I still can't read that code. Would rather get my old
Latin text books out and do some light reading there. 

Good job.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr
AFRL/VSIO
Sent: Tuesday, August 05, 2003 1:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize
:^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's
ALWAYS unreadable. I think MUMPS programmers invented the term "write-only
programs".

Typical MUMPS program: f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHAPerl
 
 I like to be able to read my code and understand it again in 6 months
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie Allen
  http://www.rallenhome.com/
 
 
   -Original Message-
   From: Glenn Corbett [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 8:54 AM
   To: [EMAIL PROTECTED]
   Subject: Re: [ActiveDir] Connection String
  
  
   Roger,
  
   You should be able to convert the Primary Windows NT
 Account into a
   Domain\Username pairI did do it some time ago (yeah,
 it was Ex 5.5
   timeframe too)I'll have a dig around (from memory it was using

   LookupAccountSID *shudder*)
  
   If your UPN in 2k and Exchange email address use the same
 format (ie
   [EMAIL PROTECTED]), you could cheat a bit, and use the UPN
   conversion type code:
  
   ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
   User principal name format. For example, [EMAIL PROTECTED]
  
   *shrug* might be worth a stab.
  
   not sure about mixing NT v4 and 2k servers in the call, I don't
   think it would work too well (may require AD).
  
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
  
   G.
  
  
   - Original Message -
   From: Roger Seielstad [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 10:42 PM
   Subject: RE: [ActiveDir] Connection String
  
  
Cool Might be able to stay away from a compiler for
 another 3
   months...
   
I know what

RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-09 Thread Bjelke John A Contr AFRL/VSIO
prints a table of primes, formatting it into columns. What's my prize :^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's
ALWAYS unreadable. I think MUMPS programmers invented the term "write-only
programs".

Typical MUMPS program: f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHAPerl
 
 I like to be able to read my code and understand it again in 6 months 
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie Allen
  http://www.rallenhome.com/
 
 
   -Original Message-
   From: Glenn Corbett [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 8:54 AM
   To: [EMAIL PROTECTED]
   Subject: Re: [ActiveDir] Connection String
  
  
   Roger,
  
   You should be able to convert the Primary Windows NT
 Account into a
   Domain\Username pairI did do it some time ago (yeah,
 it was Ex 5.5
   timeframe too)I'll have a dig around (from memory it was using
   LookupAccountSID *shudder*)
  
   If your UPN in 2k and Exchange email address use the same
 format (ie
   [EMAIL PROTECTED]), you could cheat a bit, and use the UPN
   conversion type code:
  
   ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
   User principal name format. For example, [EMAIL PROTECTED]
  
   *shrug* might be worth a stab.
  
   not sure about mixing NT v4 and 2k servers in the call, I don't
   think it would work too well (may require AD).
  
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
  
   G.
  
  
   - Original Message -
   From: Roger Seielstad [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 10:42 PM
   Subject: RE: [ActiveDir] Connection String
  
  
Cool Might be able to stay away from a compiler for another 3 months...

I know what it was that didn't work - VBScript can't handle the way Exchange
5.5[1] returns the Primary Windows NT Account attribute - it comes back as a
string octet (I think). The VB examples all included the same constant
defs, so I was thinking it was the same thing I looked at a month or two
ago.

Now I'm wondering if I can just direct translate using the syntax below...
I'll have to try that later...
   
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
   
[1] Yeah, I'm still running it
   
   
 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 8:36 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String


 From the online help about NameTranslate, VBScript Example
 (havent tried it,
 but looks like it should work)

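   ' Translate a distinguished name (RFC 1779 form) into an NT4 DOMAIN\user name
   Dim nto
   const ADS_NAME_INITTYPE_SERVER = 2
   const ADS_NAME_TYPE_1779 = 1
   const ADS_NAME_TYPE_NT4 = 3

   server = "aDsServer"
   user   = "jeffsmith"
   dom    = "Fabrikam"
   passwd = "top secret"
   dn     = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"

   ' Plain CreateObject: the variable "server" above would shadow ASP's Server object
   Set nto = CreateObject("NameTranslate")
   ' Bind to the named server with explicit credentials, then convert the name
   nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
   nto.Set ADS_NAME_TYPE_1779, dn
   result = nto.Get(ADS_NAME_TYPE_NT4)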



 - Original Message -
 From: Roger Seielstad [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 10:31 PM
 Subject: RE: [ActiveDir] Connection String


 The only problem 

RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-08 Thread Bjelke John A Contr AFRL/VSIO
Gil, 
I'm not THAT old! Man, next you'll be implying that I built the
DARPAnet! 
(and we all know it was Al Gore who's responsible for that!) *grin*
Nah, I just have a fondness for old, dead languages and remembered seeing
that one before. I actually had a book mark to a history of computing type
doc that had this very example of MUMPS code. As for DEC Ottawa, I doubt it,
times and budgets being what they are. But I'll take the chicken... sounds
like cool geek-schwag :^)

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane
mittam.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming
Yellow Rubber Chicken, whose hideous screech is known to strike fear in the
hearts of dogs, cats, and small children.
 
Are you coming to DEC Ottawa? I can give it to you there, along with your
free beer. Otherwise, send me your shipping info offlist, and no beer for
you.

-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize :^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's
ALWAYS unreadable. I think MUMPS programmers invented the term write-only
programs.

Typical MUMPS program:
f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHAPerl
 
 I like to be able to read my code and understand it again in 6 months
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie Allen
  http://www.rallenhome.com/
 
 
   -Original Message-
   From: Glenn Corbett [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 8:54 AM
   To: [EMAIL PROTECTED]
   Subject: Re: [ActiveDir] Connection String
  
  
   Roger,
  
   You should be able to convert the Primary Windows NT
 Account into a
   Domain\Username pairI did do it some time ago (yeah,
 it was Ex 5.5
   timeframe too)I'll have a dig around (from memory it was using
   LookupAccountSID *shudder*)
  
   If your UPN in 2k and Exchange email address use the same
 format (ie
   [EMAIL PROTECTED]), you could cheat a bit, and use the UPN
   conversion type code:
  
   ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
   User principal name format. For example, [EMAIL PROTECTED]
  
   *shrug* might be worth a stab.
  
   not sure about mixing NT v4 and 2k servers in the call, I don't
   think it would work too well (may require AD).
  
   Come over to the 'Dark Side' with VB.NET.its nice and warm
   here *looks at the fires of hell*.
  
   G.
  
  
   - Original Message -
   From: Roger Seielstad [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 10:42 PM
   Subject: RE: [ActiveDir] Connection String
  
  
Cool Might be able to stay away from a compiler for
 another 3
   months...
   
I know what it was that didn't work - VBScript can't
 handle the way
   Exchange
5.5[1] returns the Primary Windows NT Account attribute -
   it comes back

RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-05 Thread Bjelke John A Contr AFRL/VSIO
Actually, if the noise is that bad, maybe he should give one out for each
purchase of a competing product :^) 


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Few things are harder to put up with than a good example.  - Mark Twain
(1835-1910)



-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 1:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Gil, you should give one out for every Enterprise purchase of Netpro
Products.

Todd Myrick

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


John,

Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken
in the mail, so you should get it by the end of the week or so. When you do
get it, be sure to give it a good squeeze.

When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name)
told me that someone in his office had received one and the noise was
driving him crazy. Scratch the chicken off the list of how to win friends
and influence people.

-gil


-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Gil, 
I'm not THAT old! Man, next you'll be implying that I built the
DARPAnet! 
(and we all know it was Al Gore who's responsible for that!) *grin* Nah, I
just have a fondness for old, dead languages and remembered seeing that one
before. I actually had a book mark to a history of computing type doc that
had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times
and budgets being what they are. But I'll take the chicken... sounds like
cool geek-schwag :^)

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane
mittam.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming
Yellow Rubber Chicken, whose hideous screech is known to strike fear in the
hearts of dogs, cats, and small children.
 
Are you coming to DEC Ottawa? I can give it to you there, along with your
free beer. Otherwise, send me your shipping info offlist, and no beer for
you.

-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize :^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's
ALWAYS unreadable. I think MUMPS programmers invented the term write-only
programs.

Typical MUMPS program:
f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHAPerl
 
 I like to be able to read my code and understand it again in 6 months
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET.its nice and warm 
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie Allen
  http

[ActiveDir] OT: Tivoli

2003-07-15 Thread Bjelke John A Contr AFRL/VSIO
Thanks Larry! That'll do nicely. As for not furthering the cause, I'm with ya brother. Not my choice, but I can only salute and move on. Eric, thanks as well. I just wish we were using framework 4.1 instead of 3.7. *sigh* 

 John A. Bjelke 
 Unisys
 505.853.6774
 [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, you must be using Tivoli. -Me






RE: [ActiveDir] Authentication Problems.

2003-06-09 Thread Bjelke John A Contr AFRL/VSIO
Another possibility is that manual mappings to shared drives were done 
under an old password, and the system stored that in the registry. Disconnect 
the network drives and then reconnect. We do our standard mappings in the login 
script, and strongly discourage manual mappings to resources for this reason. A 
number of lock-out problems can be traced to this type of issue. A good trick is 
to have your login script disconnect mappings from a certain drive letter on up, 
e.g. L through Z. This also gives you a "reserved" range of drive letters for 
your standard network resources. Hope this helps!
 
John A. Bjelke  
Unisys  505.853.6774 
 [EMAIL PROTECTED] 
"Many of life's failures are people who did not 
realize how close they were to success when they gave 
up." 
-Thomas Edison
 


  
  -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Monday, June 09, 2003 5:30 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Authentication Problems.

  Looking into my crystal ball.
  
  You're using downlevel (i.e. pre-Win2k) clients, and have enabled 
  password complexity requirements. This was done after creating non-complex 
  passwords for the users.
  
  Either disable password complexity, or reset their passwords to 
  something meeting complexity requirements, then force them to change the 
  password. I ran into it during my second AD migration.
  
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Juan Ibarra [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2003 9:51 PM
To: [EMAIL PROTECTED] activedir. org ([EMAIL PROTECTED])
Subject: [ActiveDir] Authentication Problems.

Hello to all,

I am experiencing the following problem at a client.

We forced all employees to change their password, by going to AD users and
computers and checking the box "user must change password at next logon"

It appeared that everything worked fine until we started noticing that
while working at a computer and trying to access a share an error message
popped up.
Your password is incorrect and it wouldn't take the new password.

We forced a sync with all the DCs and still getting same errors.

Please help.

Juan
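
The login-script approach described in the reply at the top of this thread (disconnect every mapping from L: through Z:, then re-map the standard resources), as an added example that is not part of any original message. The share name is a placeholder, and the L-Z range is the one given in the post.

```vbscript
Option Explicit

' Reserved drive-letter range for standard mappings (from the post).
Const FIRST_LETTER = "L"
Const LAST_LETTER  = "Z"

Dim objNetwork, colDrives, i, strLocal, strLetter
Set objNetwork = CreateObject("WScript.Network")
Set colDrives = objNetwork.EnumNetworkDrives

' EnumNetworkDrives returns pairs: even index = local name ("L:"),
' odd index = UNC path. Step through the local names only.
For i = 0 To colDrives.Count - 1 Step 2
    strLocal = colDrives.Item(i)
    If Len(strLocal) = 2 Then            ' skip connections with no drive letter
        strLetter = UCase(Left(strLocal, 1))
        If strLetter >= FIRST_LETTER And strLetter <= LAST_LETTER Then
            ' bForce = True disconnects even if the drive is in use;
            ' bUpdateProfile = True also drops the persistent mapping
            ' saved in the user's profile, so it is not restored at
            ' the next logon.
            On Error Resume Next
            objNetwork.RemoveNetworkDrive strLocal, True, True
            If Err.Number <> 0 Then
                WScript.Echo "Could not remove " & strLocal & ": " & Err.Description
                Err.Clear
            End If
            On Error GoTo 0
        End If
    End If
Next

' Re-create the standard mapping. The UNC path is a placeholder.
' bUpdateProfile = False keeps the mapping out of the profile, so the
' login script stays the only source of mappings in the reserved range.
objNetwork.MapNetworkDrive "L:", "\\fileserver.example\apps", False
```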


RE: [ActiveDir] bogus DNS entries

2003-06-09 Thread Bjelke John A Contr AFRL/VSIO
Sounds like you have a ghosted adapter that was setup running a private IP
address at some point and still exists in the registry. Try this:
Click Start, click Run, type cmd.exe, and then press ENTER.
Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
Type Start DEVMGMT.MSC, and then press ENTER.
Click View, and then click Show Hidden Devices.
Expand the Network Adapters tree.
Right-click the dimmed network adapter, and then click Uninstall.


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] bogus DNS entries


Please help. I have 3 servers, in 2 different domains that keep showing up
in DNS with both their correct ip address and an entry with ip address
192.168.234.235. I keep deleting these entries, but they keep reappearing.
There must be some significance to this ip address. Does anyone have an idea
where it may be coming from, or how I can permanently delete the entry. I
have DNS running on a W2K server, it is not AD integrated. These servers do
have 2 NICs, but the unused NIC has been disabled. Most of my servers have 2
NICs, but the problem is only with these 3. They are all W2K servers. Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Additional drivers for W2K printing

2003-04-03 Thread Bjelke John A Contr AFRL/VSIO
Mark, 
I have seen that happen after making security policy changes,
specifically Prevent users from installing printer drivers. Are you trying
this as yourself, or as the local administrator account?


-Original Message-
From: Abbiss, Mark [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 7:38 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Additional drivers for W2K printing


I really hope someone can help me understand !!

This is my quandary.

I have a W2K server which is to be used as a printer server. We have a mixed
client base and so I would like use the support for installing additional
drivers to allow clients to point and print as the documentation calls it.

My first attempt was with a HP Laserjet 4000 but the same problem has
occurred with numerous other models. The W2K driver is already up and running
and prints like a charm. Now I would like to provide the drivers for Win NT
and Win 9x clients to use.

I downloaded the necessary point and print driver bundle from the HP site,
unzipped them and went to install them.

I have repeated the procedure now in a 1000 different ways but the
additional drivers will not install. I select the HP 4000 under printers,
choose to add Additional Drivers, make my selection from the list
available (Intel - Windows NT 4.0 or 2000), point the installation to the
INF file in the driver directory I just created and then I get an error The
printer driver you selected is either not compatible with your current
version of windows, or. but it is a driver supplied by HP for
Win NT !!!

The INF file is not called OEMSETUP.INF but has in this instance the name
HP2224p6.INF

Do I have to have an OEMSETUP.INF file and if I do why isn't it in the file
made available on the HP site ?

Please can anyone explain what is going wrong ?!? Any clues, any tips,
please !!

Many thanks,

Mark Abbiss


RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-19 Thread Bjelke John A Contr AFRL/VSIO
Guido, 
	we have a huge number of desktops with pcmcia card readers
installed, so I think that one is unreliable for my purposes. Thanks for the
suggestion though! -JB

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]

Sent: Wednesday, March 19, 2003 12:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


Gil's example is great to show the value of WMI filters for GPOs in
Win2k3...

Another GPO independent option is to check the registry for the existence of
the PCMCIA key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pcmcia

you'll likely find this on every laptop, but hardly on any desktops.  Not
100% but pretty close.

/Guido

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Friday, 7 March 2003 17:34
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


You could also search the local WMI for an object of class
Win32_PortableBattery.

-gil

-Original Message-
From: Weston Rogers [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 9:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


We use machine naming conventions to distinguish laptops 

[airport code of city][branch location id][computer
role,Workstation,laptop..etc][date built]

Also we've got a database with every piece of hardware so we know..

Wes

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


Existing IP scheme is static, and that's not viable to change at this time. 

-Original Message-
From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


You can do this with segmentation on a DHCP network.
 
Martial

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Date: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain



Perhaps someone here might know: 

Is there any machine attribute or registry value that can be queried
to differentiate workstations and laptops on a domain? We have a
circumstance that requires laptops to be addressed differently from
workstations, and we have been unable to find any consistent variable to
poll for this determination. Any suggestions or assistance is most
appreciated. 

 John A. Bjelke 
 Systems administrator 
  505.853.6774 
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] 
  
The contents of this Email communication are 
confidential to the addressee. 
If you are not the intended recipient you 
may not disclose or distribute this 
communication in any form but should 
immediately contact the Sender. 
The information, images, documents and views 
expressed in this Email are personal to the 
Sender and do not expressly or implicitly 
represent official positions and policies of 
Unisys Federal Systems or it's subsidiaries 
and no authority exists on behalf of Unisys 
to make any agreements, representations or 
other binding commitment by means of Email. 



ATTENTION : If you are not the recipient of this message, you are not
authorised to copy, retransmit, distribute, disclose or retain the
contents of this message. WARNING : If you are not the intended recipient, you
are not authorised to copy, disclose, distribute or retain in this e-mail. 




[ActiveDir] Anybody see Gil's article?

2003-03-18 Thread Bjelke John A Contr AFRL/VSIO
March issue of Windows & .NET Magazine has an article by Gil Kirkpatrick on AD Authentication Topology that is definitely worth a read.

http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 is the article online. Good stuff Gil! 


 John A. Bjelke
 Systems administrator
  Unisys
 505.853.6774
 [EMAIL PROTECTED]





[ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Perhaps someone here might know: 


 Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is most appreciated. 

 John A. Bjelke
 Systems administrator
 505.853.6774
 john.bjelke@Unisys.com
 





RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Existing IP scheme is static, and that's not viable to change at this time. 

-Original Message-
From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


You can do this with segmentation on a DHCP network.
 
Martial

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Date: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain



Perhaps someone here might know: 

Is there any machine attribute or registry value that can be queried
to differentiate workstations and laptops on a domain? We have a
circumstance that requires laptops to be addressed differently from
workstations, and we have been unable to find any consistent variable to
poll for this determination. Any suggestions or assistance is most
appreciated. 

 John A. Bjelke 
 Systems administrator 
  505.853.6774 
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] 
  


RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Bill, 
	we are moving to that already, and if I can figure out how to
differentiate the chassis type I can write scripts to automate the process
instead of relying on attrition or a massive helpdesk effort to rename every
pc and laptop. Catch-22. 

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


We employ a standardized machine naming convention whereby a laptop is given
the name User-LT and this makes it a very simple process to break them out.

R/Bill

 -Original Message-
From:   Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent:   Friday, March 07, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] OT: Identifying laptops on domain

Existing IP scheme is static, and that's not viable to change at this time. 

-Original Message-
From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


You can do this with segmentation on a DHCP network.
 
Martial

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Date: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain



Perhaps someone here might know: 

Is there any machine attribute or registry value that can be queried
to differentiate workstations and laptops on a domain? We have a
circumstance that requires laptops to be addressed differently from
workstations, and we have been unable to find any consistent variable to
poll for this determination. Any suggestions or assistance is most
appreciated. 

 John A. Bjelke 
 Systems administrator 
  505.853.6774 
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] 
  


RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Folks, 
I just found this:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcen
ter/scrguide/sas_cpm_btnz.asp  (watch the word wrap)

' "." targets the local computer; put a remote computer name here instead.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_SystemEnclosure")
' ChassisTypes is an array, so echo every value it holds.
For Each objChassis in colChassis
    For Each intType in objChassis.ChassisTypes
        Wscript.Echo intType
    Next
Next

Where chassis type is one of 24 possible values. Seems like this might be
the magic bullet, but I definitely need to test. Thanks for the suggestion! 
Regards, 
John A. Bjelke

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


Bill, 
	we are moving to that already, and if I can figure out how to
differentiate the chassis type I can write scripts to automate the process
instead of relying on attrition or a massive helpdesk effort to rename every
pc and laptop. Catch-22. 

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


We employ a standardized machine naming convention whereby a laptop is given
the name User-LT and this makes it a very simple process to break them out.

R/Bill

 -Original Message-
From:   Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent:   Friday, March 07, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] OT: Identifying laptops on domain

Existing IP scheme is static, and that's not viable to change at this time. 

-Original Message-
From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2003 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Identifying laptops on domain


You can do this with segmentation on a DHCP network.
 
Martial

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Date: Friday, 7 March 2003 16:04
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Identifying laptops on domain



Perhaps someone here might know: 

Is there any machine attribute or registry value that can be queried
to differentiate workstations and laptops on a domain? We have a
circumstance that requires laptops to be addressed differently from
workstations, and we have been unable to find any consistent variable to
poll for this determination. Any suggestions or assistance is most
appreciated. 

 John A. Bjelke 
 Systems administrator 
  505.853.6774 
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] 
  





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

2003-02-27 Thread Bjelke John A Contr AFRL/VSIO
Greg, if you create an Acct Creation user, and set your script to use
those credentials from the webpage, wouldn't that work for you? In this way,
you can grant computer acct creation rights to just that user and set the
quotas on everyone else to prevent creation of accts through any method
other than your script, which is setup to create the acct in the proper
container.

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 27, 2003 9:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in
the computer container


Ms-DS-machineAccountQuota is an optional attribute of the samDomain class,
which is an auxiliary class that is attached to the domainDNS class.

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 27, 2003 7:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in
the computer container


The web script authenticates against AD and checks for group membership in
the Join Computer to the Domain group.  If they are members of the group
they are allowed to create the computer account.  Their userid is used for
the creation of the computer account.

This group (Join Computer to the Domain) is allowed to create computer
accounts in the appropriate OU and is denied 'create all child objects' in
the computer container (which does not prevent them from creating the
computer account).  

Unless I can set the msDS-MachineAccountQuota on the computer container to
prevent everyone from creating computer accounts in this container the user
would still be able to create a computer account in the computer container
by joining the domain using 'My Network Places'.

BTW I cannot find the msDS-MachineAccountQuota property using ADSI edit, set
to show all properties on any of my user accounts or on the computer
container.  What object type is the msDS-MachineAccountQuota property
available for?

Thanks,

Greg Felzer 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr
AFRL/VSIO
Sent: Wednesday, February 26, 2003 3:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in
the computer container

Greg, 
If you restrict it so that no one except the user your web script
runs as can create accts and are specifying the container in your script,
then they will still be able to create accts, they will just be forced to
use your web script to do so. This would achieve your stated goal, wouldn't
it?

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in
the computer container


Wouldn't this prevent all users from creating computer accounts?  I do not
want to prevent them from creating them, just prevent them from creating
them in the computers container.

Greg Felzer 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin
Sent: Wednesday, February 26, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in
the computer container

You may want to look into changing the default msDS-MachineAccountQuota.
This setting allows any user to create 10 computer accounts by default. You
can change this via a script, LDP or ADSI edit. If you change the default
value to 0 then your delegation model will probably work but the default
behavior will be changed.

It may work...

Kevin

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remove the ability to create computer accounts in the
computer container

Hello,

Maybe the collective minds here can come up with something.

I have given a group (Join Computers to the Domain group) the rights to join
computers to the domain through the Default Domain policy.  Only this group
has rights to join computers to the domain.

I have created a web page that creates a computer account (it checks first
to make sure the computer account does not exist) based upon department
specific input from the user.  Once the account is created the user names
his computer the same as the computer account and joins the domain.

The problem I am having is that some of the users that are members of the
Join Computers to the Domain group are not using the web page.  They are
using My network place, advanced, network identification, etc. to join
the domain.  This creates a computer account in the computer container. When
this happens I get a computer account showing up in the computer container
that I do not know what department it belongs to.

My solution (that does not work) was to remove all rights (including System
rights) to the computer

RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

2003-02-26 Thread Bjelke John A Contr AFRL/VSIO
Greg, 
If you restrict it so that no one except the user your web script
runs as can create accts and are specifying the container in your script,
then they will still be able to create accts, they will just be forced to
use your web script to do so. This would achieve your stated goal, wouldn't
it?

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in
the computer container


Wouldn't this prevent all users from creating computer accounts?  I do not
want to prevent them from creating them, just prevent them from creating
them in the computers container.

Greg Felzer 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin
Sent: Wednesday, February 26, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in
the computer container

You may want to look into changing the default msDS-MachineAccountQuota.
This setting allows any user to create 10 computer accounts by default. You
can change this via a script, LDP or ADSI edit. If you change the default
value to 0 then your delegation model will probably work but the default
behavior will be changed.

It may work...

Kevin

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remove the ability to create computer accounts in the
computer container

Hello,

Maybe the collective minds here can come up with something.

I have given a group (Join Computers to the Domain group) the rights to join
computers to the domain through the Default Domain policy.  Only this group
has rights to join computers to the domain.

I have created a web page that creates a computer account (it checks first
to make sure the computer account does not exist) based upon department
specific input from the user.  Once the account is created the user names
his computer the same as the computer account and joins the domain.

The problem I am having is that some of the users that are members of the
Join Computers to the Domain group are not using the web page.  They are
using My network place, advanced, network identification, etc. to join
the domain.  This creates a computer account in the computer container. When
this happens I get a computer account showing up in the computer container
that I do not know what department it belongs to.

My solution (that does not work) was to remove all rights (including System
rights) to the computer container.  I figured without rights they would not
be able to create the computer accounts.  This did not work so I denied the
ability to create all child objects for the Join computers group in the
Computers Container.  This did not work so I denied the right for Everyone.
Also did not work.

Any ideas on how to prevent all users from creating computer objects in the
computers container?

Thanks
Greg



Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina



RE: [ActiveDir] Policy Inheritance

2003-02-25 Thread Bjelke John A Contr AFRL/VSIO
If certain OU's need to not get the domain policies pushed down upon them,
you would want to block inheritance. Perhaps your domain policies aren't as
strict as the Finance folks want their security to be. Put them in their own
OU and block inheritance, then set up a policy on that OU specifically. Or,
maybe your web-heads want less stringent policies for their folks. Force
them to move those machines to a dev network... er... I mean block
inheritance and create a policy for their OU ;^)

-Original Message-
From: John Balos [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 25, 2003 11:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Policy Inheritance


Can someone please explain to me when I would want to use 'block policy
inheritance' and why or why not I would want to use this option? 

Thanks,
 
 John
 



RE: [ActiveDir] Single user problem in AD

2003-02-20 Thread Bjelke John A Contr AFRL/VSIO
Rob, 
Does this same behavior exhibit if she logs on to another system?
Does it exhibit if you log on to her system as yourself?

-Original Message-
From: Rob Freeman [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 9:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Single user problem in AD


I have a user in AD that can not run batch files, nor task manager on any
windows 2000 machines in our domain.  What is weird is this user is located
with other users in AD and they do not have this problem.  It suddenly just
started for this user within the last week.  The batch files are located on
her desktop as a shortcut.  Any ideas on why just one user would have this
problem?

Thanks

Rob Freeman
Fleetone




RE: [ActiveDir] Single user problem in AD

2003-02-20 Thread Bjelke John A Contr AFRL/VSIO
Rob, 
in your GPO, you can specify Disable Task Manager under
Logon/Logoff. Check what GPO's she is getting for this option. There is also
an option of Don't run specified Windows applications that could have been
set for .bat, .exe, .msi, etc to prevent restricted users installing or
running anything. I assume you have checked her GPO results on her system
with GPResult.exe?

-Original Message-
From: Rob Freeman [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single user problem in AD


Yes, it exists on different machines that she logs onto within the domain.

Yes, if I log into her machine, I can run the task manager and the batch
file.

- Original Message -
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 10:20 AM
Subject: RE: [ActiveDir] Single user problem in AD


 Rob,
 Does this same behavior exhibit if she logs on to another system? Does 
 it exhibit if you log on to her system as yourself?

 -Original Message-
 From: Rob Freeman [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 20, 2003 9:07 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Single user problem in AD


 I have a user in AD that can not run batch files, nor task manager on
 any windows 2000 machines in our domain.  What is weird is this user is
 located with other users in AD and they do not have this problem.  It
 suddenly just started for this user within the last week.  The batch
 files are located on her desktop as a shortcut.  Any ideas on why just
 one user would have this problem?

 Thanks

 Rob Freeman
 Fleetone




RE: [ActiveDir] Determining when a user account was disabled.

2003-02-20 Thread Bjelke John A Contr AFRL/VSIO
Clyde, 
Can you parse security logs on the DC's for Event ID: 629 Type:
Success Audit
Description: User Account Disabled? 

-Original Message-
From: Burns, Clyde [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Determining when a user account was disabled.



I'm trying to generate a report of disabled accounts that were disabled X
number of days ago. 
Getting a report of which accounts are disabled was fairly straightforward*
but I cannot find anything that will tell me when the account WAS disabled.
I was wondering if anyone could tell me if such information is stored in AD
or how to approximate the date. Right now I'm thinking of pulling the last
logon times from the domain controllers to ballpark the amount of time the
accounts could have been disabled but that's a stopgap at best.

Any tips or pointers would be greatly appreciated.
Clyde Burns



* VB6 code to generate report

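' Bind to the Users container of the default domain
Set rootDSE = GetObject("LDAP://RootDSE")
Set Ou = GetObject("LDAP://" & "CN=Users," & _
rootDSE.Get("defaultNamingContext"))
' Enumerate user objects only
Ou.Filter = Array("user")
For Each Child In Ou
  ' Print quoted, comma-separated: account name, display name, disabled flag
  Debug.Print _
  Chr(34) & Child.sAMAccountName & Chr(34) & Chr(44) & _
  Chr(34) & Child.DisplayName & Chr(34) & Chr(44) & _
  Chr(34) & Child.accountdisabled & Chr(34)
Next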



RE: [ActiveDir] Single user problem in AD

2003-02-20 Thread Bjelke John A Contr AFRL/VSIO
Yup. Network Management Tools.

-Original Message-
From: Rob Freeman [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single user problem in AD


I checked these policies on the DC's and I did not see anything set for the
user.

Is GPResults.exe on the Resource kit?

Thanks

Rob
- Original Message -
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 11:12 AM
Subject: RE: [ActiveDir] Single user problem in AD


 Rob,
 in your GPO, you can specify Disable Task Manager under Logon/Logoff.
 Check what GPO's she is getting for this option. There is also an option
 of Don't run specified Windows applications that could have been set for
 .bat, .exe, .msi, etc to prevent restricted users installing or running
 anything. I assume you have checked her GPO results on her system with
 GPResult.exe?

 -Original Message-
 From: Rob Freeman [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 20, 2003 9:28 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Single user problem in AD


 Yes, it exists on different machines that she logs onto within the 
 domain.

 Yes, if I log into her machine, I can run the task manager and the 
 batch file.

 - Original Message -
 From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, February 20, 2003 10:20 AM
 Subject: RE: [ActiveDir] Single user problem in AD


  Rob,
  Does this same behavior exhibit if she logs on to another system? 
  Does it exhibit if you log on to her system as yourself?
 
  -Original Message-
  From: Rob Freeman [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 20, 2003 9:07 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Single user problem in AD
 
 
  I have a user in AD that can not run batch files, nor task manager
  on any windows 2000 machines in our domain.  What is weird is this
  user is located with other users in AD and they do not have this
  problem.  It suddenly just started for this user within the last
  week.  The batch files are located on her desktop as a shortcut.
  Any ideas on why just one user would have this problem?
 
  Thanks
 
  Rob Freeman
  Fleetone
 



RE: [ActiveDir] Single user problem in AD

2003-02-20 Thread Bjelke John A Contr AFRL/VSIO
Rob, 
Another suggestion for troubleshooting this one, if you have the
time to spend on it: clone this user's account and play with the security
settings, profiles, etc until you figure out which setting is causing the
issues. Or create a test user from scratch and add each group membership the
original user has one at a time until it breaks... then look at the policies
for that group. Failing that, I would look at the option of re-creating the
user acct. It is possible some SID mismatch or some such bizarre thing is
hosing this one user and she is not getting the proper permissions and
policies. Are you using roaming profiles? Is it possible that something in
her profile is toasty?  Hope this helps!
 John A. Bjelke
 UNISYS
 

-Original Message-
From: Rob Freeman [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single user problem in AD


Yes, it exists on different machines that she logs onto within the domain.

Yes, if I log into her machine, I can run the task manager and the batch
file.

- Original Message -
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 10:20 AM
Subject: RE: [ActiveDir] Single user problem in AD


 Rob,
 Does this same behavior exhibit if she logs on to another system? Does
 it exhibit if you log on to her system as yourself?

 -Original Message-
 From: Rob Freeman [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 20, 2003 9:07 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Single user problem in AD


 I have a user in AD that can not run batch files, nor task manager on
 any windows 2000 machines in our domain.  What is weird is this user is
 located with other users in AD and they do not have this problem.  It
 suddenly just started for this user within the last week.  The batch
 files are located on her desktop as a shortcut.  Any ideas on why just
 one user would have this problem?

 Thanks

 Rob Freeman
 Fleetone




RE: [ActiveDir] Determining when a user account was disabled.

2003-02-20 Thread Bjelke John A Contr AFRL/VSIO
Well, I don't see a more efficient way to estimate it then than what you are
considering already then, unless one of the directory gods knows of a place
that that information is stored I am unaware of. You might consider using an
event log monitoring software to notify you by email (and dump that to a
folder or pst) of 629's so that you have an easy tracking methodology for
future use. Good luck Clyde! 

-Original Message-
From: Burns, Clyde [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Determining when a user account was disabled.


Unfortunately the event logs don't go back that far. 
And something else is touching the accounts and updating the whenchanged
value.

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Determining when a user account was disabled.


Clyde, 
Can you parse security logs on the DC's for Event ID: 629 Type:
Success Audit
Description: User Account Disabled? 


-Original Message-
From: David Rudolph [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 1:11 PM
To: Burns, Clyde
Subject: RE: [ActiveDir] Determining when a user account was disabled.


Have you tried the whenChanged attribute?

-Original Message-
From: Burns, Clyde [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Determining when a user account was disabled.



I'm trying to generate a report of disabled accounts that were disabled X
number of days ago. 
Getting a report of which accounts are disabled was fairly
straightforward* but I cannot find anything that will tell me when the
account WAS disabled. I was wondering if anyone could tell me if such
information is stored in AD or how to approximate the date. Right now I'm
thinking of pulling the last logon times from the domain controllers to
ballpark the amount of time the accounts could have been disabled but that's
a stopgap at best.

Any tips or pointers would be greatly appreciated.
Clyde Burns



* VB6 code to generate report

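' Bind to the Users container of the default domain
Set rootDSE = GetObject("LDAP://RootDSE")
Set Ou = GetObject("LDAP://" & "CN=Users," & _
rootDSE.Get("defaultNamingContext"))
' Enumerate user objects only
Ou.Filter = Array("user")
For Each Child In Ou
  ' Print quoted, comma-separated: account name, display name, disabled flag
  Debug.Print _
  Chr(34) & Child.sAMAccountName & Chr(34) & Chr(44) & _
  Chr(34) & Child.DisplayName & Chr(34) & Chr(44) & _
  Chr(34) & Child.accountdisabled & Chr(34)
Next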
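
The Event ID 629 tracking suggested in this thread, worked through as an added example (not code from any poster on the list): it merges account-management records collected from several DCs and reports how long each currently disabled account has been disabled, including the case raised above where the logs do not reach back far enough. The CSV layout, the sample records and the function names are assumptions of this example; Event ID 626 ("User Account Enabled") is used alongside 629 so that a disable followed by a re-enable is not miscounted.

```python
import csv
import io
from datetime import datetime

EVENT_ENABLED = 626   # "User Account Enabled" in the Windows 2000/2003 security log
EVENT_DISABLED = 629  # "User Account Disabled", the event ID named in the thread

# Constructed sample: account-management records merged from the security logs
# of two DCs. The CSV column layout is an assumption of this example.
SAMPLE_EXPORT = """\
timestamp,dc,event_id,target_account
2003-01-05 09:00:00,DC1,629,asmith
2003-01-10 13:00:00,DC2,629,eblack
2003-01-12 10:00:00,DC1,629,fgray
2003-01-20 14:30:00,DC2,629,bjones
2003-01-25 09:30:00,DC2,626,eblack
2003-02-01 10:00:00,DC1,626,bjones
2003-02-10 16:45:00,DC2,629,bjones
2003-02-15 11:20:00,DC1,629,cwhite
2003-02-18 08:05:00,DC1,642,cwhite
"""


def parse_export(text):
    """Parse the CSV export into records sorted oldest first."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "time": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "dc": row["dc"],
            "event_id": int(row["event_id"]),
            "account": row["target_account"].lower(),
        })
    return sorted(records, key=lambda rec: rec["time"])


def coverage_start(records):
    """Earliest time from which every DC's log is present in the export.

    A DC whose log was overwritten sooner may have lost older events, so the
    window that can be trusted starts at the newest of the per-DC oldest records.
    """
    oldest_per_dc = {}
    for rec in records:  # oldest first, so the first hit per DC is its oldest
        oldest_per_dc.setdefault(rec["dc"], rec["time"])
    return max(oldest_per_dc.values()) if oldest_per_dc else None


def last_state_change(records):
    """Return {account: (event_id, time)} for each account's newest 626/629."""
    latest = {}
    for rec in records:  # oldest first, so a later event overwrites an earlier one
        if rec["event_id"] in (EVENT_ENABLED, EVENT_DISABLED):
            latest[rec["account"]] = (rec["event_id"], rec["time"])
    return latest


def disabled_age_report(records, disabled_accounts, now, min_days):
    """List (account, days, basis) for accounts disabled at least min_days ago.

    disabled_accounts is the list of accounts the directory reports as disabled.
    basis is "exact" (629 found inside the covered window), "at-least" (no
    usable event, so the disable predates the covered window) or "log-gap"
    (newest logged event is an enable, so a 629 record is missing).
    """
    latest = last_state_change(records)
    start = coverage_start(records)
    report = []
    for account in disabled_accounts:
        event_id, when = latest.get(account.lower(), (None, None))
        if start is None:
            days, basis = None, "log-gap"          # no log data at all
        elif when is None or when < start:
            days, basis = (now - start).days, "at-least"
        elif event_id == EVENT_DISABLED:
            days, basis = (now - when).days, "exact"
        else:
            days, basis = None, "log-gap"
        if days is None or days >= min_days:       # always surface log gaps
            report.append((account, days, basis))
    return report


if __name__ == "__main__":
    now = datetime(2003, 2, 20, 12, 0, 0)
    currently_disabled = ["asmith", "bjones", "cwhite", "dgreen", "eblack", "fgray"]
    for row in disabled_age_report(parse_export(SAMPLE_EXPORT), currently_disabled, now, 7):
        print(row)
```

The "at-least" figures are lower bounds only if every DC's log is included and none was cleared part-way through the window.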



RE: [ActiveDir] Expiring passwords?

2003-02-12 Thread Bjelke John A Contr AFRL/VSIO
Mike, 
Now, this piques my interest. Can you elaborate on how
RestrictAnonymous of 2 would affect changing of passwords?
 John A. Bjelke 
Unisys
  [EMAIL PROTECTED]

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 12, 2003 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Expiring passwords?


The inability to change their passwords might be caused by
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous value being set
to 2.  How is yours set?

Mike Thommes
Argonne National Laboratory

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Expiring passwords?


Roger- can you elaborate ?  If a domain does NOT have the complex password
filter enabled, and then chooses to enable it, are you saying the users with
existing non-complex passwords are unable to change them ?  Is that
behaviour XP-specific, or does it affect Win2K or NT4 clients ?  Any
published references are appreciated !! (In case it's not obvious, I've been
asked to do this very thing...)

Dave

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 8:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Expiring passwords?


Reset them manually - you've probably got the password complexity turned on,
and if the original password isn't complex, they can't change it.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Weston Rogers [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, February 12, 2003 9:24 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Expiring passwords?
 
 
 Win2k sp3 2 DC's in mixed mode, win2k pro clients.  Most clients when 
 instructed to change their password after it has expired, it won't let 
 them.  The errors it gives are sporadic and usually different.  Any 
 quick hints?
 
 Wes



RE: [ActiveDir] Group membership

2003-02-10 Thread Bjelke John A Contr AFRL/VSIO



Can you use Group.vbs from the Resource Kit? You can use the /S to specify remote
servers, and perhaps you could wrap this in another script to loop through all
of your servers.

  
  -Original Message-From: Brad Martin 
  [mailto:[EMAIL PROTECTED]] Sent: Monday, February 10, 2003 12:05 
  PMTo: Active Directory Mailing ListSubject: [ActiveDir] 
  Group membership
  
  I need to enumerate group 
  membership of all groups in our domain and the computer local groups on our 
  servers. I've got a couple of tools that will do that, but they require 
  that I log into each machine to grab the membership list. As we have a 
  large number of servers I'd like to avoid having to do this. Does anyone 
  know of any freeware or relatively inexpensive shareware tool that can 
  enumerate both Domain group membership and local computer group 
  membership?
  
  Brad Martin
  Go Daddy Software, Inc.
  480.505.8800 ext. 250
  [EMAIL PROTECTED]
  http://www.godaddy.com
  
  
  
  


RE: [ActiveDir] Group membership

2003-02-10 Thread Bjelke John A Contr AFRL/VSIO

Or perhaps the "Global Groups" from res kit?

Displays members of global groups on remote servers or domains.

GLOBAL group_name domain_name | \\server

group_name   The name of the global group to list the members of.
domain_name  The name of a network domain.
\\server     The name of a network server.

Examples:
Global "Domain Users" EastCoast
    Displays the members of the group 'Domain Users' in the EastCoast domain.
Global PrintUsers \\BLACKCAT
    Displays the members of the group PrintUsers on server BLACKCAT.

Notes:
Names that include space characters must be enclosed in double quotes.
To list members of local groups use Local.Exe.
To get the Server name for a give Domain use GetDC.Exe.

  -Original Message-
  From: Brad Martin [mailto:[EMAIL PROTECTED]]
  Sent: Monday, February 10, 2003 12:05 PM
  To: Active Directory Mailing List
  Subject: [ActiveDir] Group membership
  
  I need to enumerate group 
  membership of all groups in our domain and the computer local groups on our 
  servers. I've got a couple of tools that will do that, but they require 
  that I log into each machine to grab the membership list. As we have a 
  large number of servers I'd like to avoid having to do this. Does anyone 
  know of any freeware or relatively inexpensive shareware tool that can 
  enumerate both Domain group membership and local computer group 
  membership?
  
  Brad Martin
  Go Daddy Software, Inc.
  480.505.8800 ext. 250
  [EMAIL PROTECTED]
  http://www.godaddy.com
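
The wrapper loop suggested in the two replies above, as an added example that is not part of the original messages and does not use Group.vbs or Global.exe: it walks a list of servers through the ADSI WinNT provider and prints every local group with its members as CSV. The server names are placeholders and the `ReportLocalGroups` and `Csv` helpers are names made up for this sketch.

```vbscript
' Added example: dump every local group and its members from a list of
' servers via the ADSI WinNT provider. Run with: cscript //nologo script.vbs
Option Explicit

' Assumption: placeholder server names, replace with your own list.
Dim servers, server
servers = Array("SERVER01", "SERVER02")

WScript.Echo "Server,Group,Member,Class"
For Each server In servers
    ReportLocalGroups server
Next

Sub ReportLocalGroups(serverName)
    Dim comp, grp, member
    ' An error can surface when binding or only once enumeration starts,
    ' so error trapping stays on for the whole walk of this server.
    On Error Resume Next
    Set comp = GetObject("WinNT://" & serverName & ",computer")
    If Err.Number = 0 Then
        comp.Filter = Array("group")          ' only return local groups
        For Each grp In comp
            If Err.Number <> 0 Then Exit For
            For Each member In grp.Members
                If Err.Number <> 0 Then Exit For
                ' ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name;
                ' Mid(..., 9) strips the 8-character "WinNT://" prefix.
                WScript.Echo Csv(serverName) & "," & Csv(grp.Name) & "," & _
                             Csv(Mid(member.ADsPath, 9)) & "," & Csv(member.Class)
            Next
        Next
    End If
    If Err.Number <> 0 Then
        ' Unreachable host, access denied and similar: record it instead of
        ' silently skipping the server, so gaps in the audit are visible.
        WScript.Echo Csv(serverName) & "," & Csv("ERROR") & "," & _
                     Csv("0x" & Hex(Err.Number) & " " & Err.Description) & ","
        Err.Clear
    End If
    On Error GoTo 0
End Sub

' Quote a value for CSV output; Null and Empty become an empty string.
Function Csv(value)
    Csv = """" & Replace(value & "", """", """""") & """"
End Function
```

Groups with no members produce no rows, and the account running the script needs administrative rights on each server it queries.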
  
  
  
  


RE: [ActiveDir] Decrypt Files from a no longer existing domain

2003-02-03 Thread Bjelke John A Contr AFRL/VSIO
One possible solution would be to disconnect the network cable and try
logging on as the user who encrypted them, assuming that there are
credentials cached on the machine.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 03, 2003 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Decrypt Files from a no longer existing domain


How they were encrypted - accidental or not - has no bearing. They're gone.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
 Sent: Monday, February 03, 2003 11:46 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Decrypt Files from a no longer 
 existing domain
 
 
 I should mention that these files were encrypted by accident
 by the user by
 checking the box encrypt contents while looking at the 
 properties of the
 folder.  Where could I get the DRA from if the domain doesn't 
 exist, restore
 the domain on a workstation?  
 
  -Original Message-
 From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]] 
 Sent: Monday, February 03, 2003 11:37 AM
 To:   [EMAIL PROTECTED]
 Subject:  RE: [ActiveDir] Decrypt Files from a no longer existing
 domain
 
 If you can't find the cert that encrypted them or the cert
 for the Data
 Recovery Agent (DRA) (usually the domain admin) you are out of luck.
 
 The key to open the data is stored in the headers of the
 file and it is
 locked up with the private key for the user who encrypted it and the
 private key for the DRA. The data is encrypted symmetrically. 
 
 You may find those keys exist somewhere even though the domain doesn't 
 exist anymore. You should be able to recover with them.
 
 -Original Message-
 From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
 Sent: Monday, February 03, 2003 11:33 AM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Decrypt Files from a no longer existing domain
 
 How can I decrypt some files that I did not know were encrypted when I 
 decommissioned the last DC in that old domain.  I have tried restoring 
 them to a FAT Partition and I can open them but there is no data in 
 them. Any
 help would be appreciated
 
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 914.681.8117 office
 646.483.3325 cell
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 



RE: [ActiveDir] Question

2003-01-31 Thread Bjelke John A Contr AFRL/VSIO
Jimmy, great link. I hadn't seen this. Thanks!

-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 31, 2003 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question


See the License Availability Roadmap at:
http://www.microsoft.com/windows/lifecycle.mspx

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, January 31, 2003 7:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Question
Importance: High


I have a tech working here today and he mentioned to me that he heard that
MS will no longer be selling Windows 2000 Professional as of April 2003. Has
anyone else heard this?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: [ActiveDir] VNC and Terminal Services

2003-01-23 Thread Bjelke John A Contr AFRL/VSIO

John,
FWIW, I have heard from a few "white hats" that VNC is easy to hack because it
stores passwords in known encryption algorithms in the registry.
http://online.securityfocus.com/bid/854/discussion and
http://www.kb.cert.org/vuls/id/197477 show some more detail on this. I have no
idea if this is all current versions, specific versions, or what. HTH.

John A. Bjelke
UNISYS  Systems administrator
Supporting AFRL Kirtland AFB
505.853.6774
[EMAIL PROTECTED]

  -Original Message-
  From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 21, 2003 9:10 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] VNC and Terminal Services

  Does anyone know of any big security issues with Ultra VNC or any other VNC
  products. Ultra VNC looks like a good product. We currently use PCAnywhere
  10.5 and it is not cheap. I am trying to find ways to save my org some
  software costs. Thanks
  


  
  John Hicks | KEMET Electronics Corporation | Network Engineer
  Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: ipaq1978
  [ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]

  "Rick Kingslan" [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  01/21/2003 03:13 PM
  Please respond to [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  cc:
  Subject: RE: [ActiveDir] VNC and Terminal Services

  
  

  True. But, Dell sure seems to as an integral piece of their server management
  and DRAC offerings - and yes, on Windows 2000.

  FWIW...

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Lloyd
  Sent: Tuesday, January 21, 2003 10:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] VNC and Terminal Services

  MS does not support it! If that is a concern.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Prajapati, Ashok (London)
  Sent: 21 January 2003 16:39
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] VNC and Terminal Services

  Aren't there a lot of issues with installing vnc onto any type of win 2k
  server?

  ------
  For very important information relating to this e-mail please click on this
  link: http://www.ml.com/legal_info.htm

  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
  Sent: 21 January 2003 16:27
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] VNC and Terminal Services

  right

  -Original Message-
  From: Granatella Adam J [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 21, 2003 9:50 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] VNC and Terminal Services

  You are going to try this in a test environment before putting it on your
  production servers, right? I mean, you wouldn't try something you've never
  done before on your production boxes based on the words from a mailing list,
  right?

  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 21, 2003 8:38 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] VNC and Terminal Services

  No I just wanted to be sure that there would be no problems when I go to load
  that on a server running terminal Services

  -Original Message-
  From: John B [mailto:[EMAIL PROTECTED]]
  Sent: Friday, January 17, 2003 5:33 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] VNC and Terminal Services

  No problems here. What type problems are you having...error messages?

  --- "Salandra, Justin A." [EMAIL PROTECTED] wrote:
  Has anyone come across a problem with running VNC Server and Terminal Server
  on the same box at the same time?

  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  914.681.8117 office
  646.483.3325 cell
  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
  

RE: [ActiveDir] ADSI and RAS

2003-01-15 Thread Bjelke John A Contr AFRL/VSIO

Their Mini-Remote Control program is pretty handy as well.

  -Original Message-
  From: Weston Rogers [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 15, 2003 7:40 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] ADSI and RAS

  woh, dameware is pretty sweet.

  -Original Message-
  From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 15, 2003 2:41 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] ADSI and RAS

  Go to www.dameware.com and get the 30 day trial of the Dameware Utilities
  Exporter - it'll let you get this info and a whole lot more then buy a copy
  because it's a superb suite of tools for NT4.0 management, I've not tried it
  on AD yet - but it works for managing Win2K boxes as well...

  Just my $0.02

  Regards,

  Jack

  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]]
  Sent: 15 January 2003 06:20
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] ADSI and RAS

  Hi all,

  Just wondering if any of you have done this and would be so kind to forward
  it to me before I go and re code it, I need to run a report against my
  Windows NT4 domain (PDC or BDC) and retrieve all the users that have RAS
  options i.e. they are allowed to dial in.

  Regards,
  Carlos Magalhaes
  


RE: [ActiveDir] User's Account Locked out Every morning

2003-01-15 Thread Bjelke John A Contr AFRL/VSIO

Manual drive mappings with old passwords..

  -Original Message-
  From: John F. Hann [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 15, 2003 8:05 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] User's Account Locked out Every morning

  Logged in another PC under an old password

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Felker
  Sent: Wednesday, January 15, 2003 9:01 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] User's Account Locked out Every morning

  Every morning I have to unlock one of my user's accounts because it is locked
  out every morning.

  Does anyone know what could be causing this?
  Thanks

  Kevin


RE: [ActiveDir] Protocols Required

2003-01-09 Thread Bjelke John A Contr AFRL/VSIO
Greg is correct... If the mail store that the outlook profile is pointing to
no longer exists or is no longer contactable by the client, outlook will
never get repointed to the new location. In this case, you would have to
manually repoint the outlook profile to the new mail store to resolve the
mailbox. This of course assumes that the client can resolve the new store
correctly, so if you are having issues with this check dns, wins, etc. Good
luck! 

-Original Message-
From: Carey, Greg [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 09, 2003 7:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protocols Required


With the caveat that the old mail store remains up until the client
connects.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 9:28 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Protocols Required


When you move a mailbox to another server, Outlook will automatically change
the server defined in the local profile.

 -Original Message-
From:   Rick Kingslan [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, January 09, 2003 9:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Protocols Required

Justin,

I'm not sure what you mean by 'reconfiguring the server in the local
profile'?  The requirement *is* to communicate over port 135.  Outlook
cannot just arbitrarily decide to communicate over another port to support
this - hence it cannot automatically reconfigure itself.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Salandra, Justin A.
 Sent: Thursday, January 09, 2003 8:00 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Protocols Required
 
 
 What would prevent Mapi Outlook clients from automatically
 reconfiguring the server in the local profile?
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 914.681.8117 office
 646.483.3325 cell
 [EMAIL PROTECTED]
 
 
  -Original Message-
 From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 09, 2003 9:01 AM
 To:   '[EMAIL PROTECTED]'
 Subject:  RE: [ActiveDir] Protocols Required
 
 No. Something needs to point it to the correct ports.
 
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis - Formerly Harbinger and Extricity
 Atlanta, GA
 
 
  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 08, 2003 3:26 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Protocols Required
  
  
  Would Outlook 2000 still function if port 135 is blocked? Meaning 
  that the user can still use outlook for outlook will never
  automatically reconfigure
  itself?
  
   -Original Message-
  From:   Roger Seielstad [mailto:[EMAIL PROTECTED]] 
  Sent:   Wednesday, January 08, 2003 3:25 PM
  To: '[EMAIL PROTECTED]'
  Subject:RE: [ActiveDir] Protocols Required
  
  Needs RPC end point mapper (135) and then the ports for DS and IS. 
  Seeing as those default to being randomly assigned, you're in 
  trouble.
  
  Read the FAQ on how to assign static ports to the services.
  
  --
  Roger D. Seielstad - MCSE
  Sr. Systems Administrator
  Inovis - Formerly Harbinger and Extricity
  Atlanta, GA
  
  
   -Original Message-
   From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
   Sent: Wednesday, January 08, 2003 3:18 PM
   To: '[EMAIL PROTECTED]'
   Subject: RE: [ActiveDir] Protocols Required
   
   
   Sorry, I need to know about outlook 2000 and exchange 5.5 
   communications
   
-Original Message-
   From: Weston Rogers [mailto:[EMAIL PROTECTED]] 
   Sent: Wednesday, January 08, 2003 3:08 PM
   To:   [EMAIL PROTECTED]
   Subject:  RE: [ActiveDir] Protocols Required
   
   Maybe this will help?
   
   http://support.microsoft.com/default.aspx?scid=kb;en-us;278339
   
   -Original Message-
   From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
   Sent: Wednesday, January 08, 2003 2:49 PM
   To: ActiveDir (E-mail)
   Subject: [ActiveDir] Protocols Required
   Importance: High
   
   
   Hello everyone,
   
   I really need some help on this subject.
   
   Does everyone here know that when you move a mailbox in
 exchange to
   another mailbox in the same organization the outlook 2000 client
   automatically reconfigures the mail server setting on the 
 profile to
   allow the client to contact the correct mail server where
  that mailbox
   now resides.  My question is what are the protocols needed by the 
   client in order for that to occur and the ports associated with 
   them.  I believe it is NetBIOS Broadcast calls and RPC but I am 
   not
  sure.  Also
   what protocols 

RE: [ActiveDir] file jdbgmgr.exe

2003-01-08 Thread Bjelke John A Contr AFRL/VSIO

Java debug manager/registrar. Little teddy bear icon, right?
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993

  -Original Message-
  From: bobo [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 08, 2003 5:22 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] file jdbgmgr.exe

  I see file jdbgmgr.exe on my \\winnt\system32. I don't know what this is. Does
  somebody know it? It should be a java file but what does it do? Pls help.
  Thks
  
  - Original Message -
  From: Van Donk, Fred
  To: [EMAIL PROTECTED]
  Sent: Tuesday, January 07, 2003 3:24 PM
  Subject: RE: [ActiveDir] AD Lab

  Agreed

  -Original Message-
  From: Craig Cerino [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 07, 2003 10:21 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD Lab

  Right - - but if you have more than one DC I recommend making one of the ones
  without FSMO roles the GC

  -Original Message-
  From: Van Donk, Fred [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 07, 2003 9:22 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD Lab

  When you have one domain there is not really a need for multiple GC's. Every
  DC already has a full copy of the AD. GC's play a more important role when
  you have a forest with multiple domains in it.

  But there needs to be at least one GC in the forest. Even with one domain.

  Fred

  -Original Message-
  From: Craig Cerino [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 07, 2003 8:35 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD Lab

  If you only have one DC in each site - -- yer pretty much tied to doing that.
  If you have the resources I'd throw a second DC in each site - - make that
  your GC.

  Jus my 2 cents

  -Original Message-
  From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 07, 2003 8:17 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD Lab

  If we have one domain - but multiple sites - would it be a best practice to
  put a global catalog on the domain controller(s) at each site?

  KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;313994

  Thanks!

  Joe Pelle
  Systems Administrator
  Information Technology
  Valassis / Targeted Print  Media Solutions
  35955 Schoolcraft Rd.
  Livonia, MI 48150
  Tel 734.632.3753
  Fax 734.632.6240
  [EMAIL PROTECTED]
  http://www.valassis.com/

  This message may have included proprietary or protected information. This
  message and the information contained herein are not to be further
  communicated without my express written consent.

  -Original Message-
  From: Rene Chakraborty [mailto:[EMAIL PROTECTED]]
  Sent: Monday, January 06, 2003 8:41 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] AD Lab

  Got to make that BDC a Global Catalog Server before you move it over.

  Sites and Services

  Rene

  - Original Message -
  From: Don Murawski (Lenox)
  To: [EMAIL PROTECTED]
  Sent: Monday, January 06, 2003 3:08 PM
  Subject: [ActiveDir] AD Lab

  Has anyone setup an AD Lab and had Global Catalog problems?

  I installed a BDC on the production network, disconnect it from the
  production and connected it to the lab network.

  Seize the FSMO roles.

  I'm able to join the domain but, I'm receiving "Unable to establish
  connection with a GC.

  Any suggestion would be great.
  
  
  


RE: [ActiveDir] recovering a computer

2002-12-31 Thread Bjelke John A Contr AFRL/VSIO
We have used the Winternals Linux-based pwd recovery disks with much
success. Another alternative, but one of last resort IMHO, is to boot to
either a *nix cd or diskette with NTFS support (there are numerous *nix
distros out there that can be burned to cd and booted to for forensics and
other disaster scenarios) or DOS and run some tool, such as NTFS-DOS Pro,
which will allow you to mount the file system and simply delete the SAM
file. Reboot, and a new SAM is created automatically with a blank admin pwd.
Login as admin with blank pwd and start recreating any local accts and
resetting the perms. Again, this is a last-ditch effort to get it back up
and running, and I have never had to use this on Exchange and do not know
the possible gotchas here. Hope this helps!

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 31, 2002 7:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] recovering a computer


Now that I know that this is an Exchange box - I even more emphasize the
value of doing it the easy and safe way.

ERD Commander from www.winternals.com is the best way to accomplish what you
need, Don.

Good Luck!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Purviance, Chad
 Sent: Tuesday, December 31, 2002 7:49 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] recovering a computer
 
 
 Personally since this is an Exchange server, I would spend
 the $400 and get the ERD commander CD. This is much more than 
 PW recovery, it is a full XP OS off of a CD. Very Very useful.
 
 A cheaper solution would be the www.lostpasswords.com
 recovery for $200 but it is PW only and takes a bit more setup.
 
 This is an Exchange server!!
 Buy ERD
 Run ERD and reset Password
 Login locally and join to domain
 Reboot.
 
 Any other method with Exchange and I promise you ... you will
 remember fondly the moment when you could have just reset the 
 password. :-)
 
 
 
 Chad Purviance
 Principal Consultant
 Broadwing IT Consulting
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, December 31, 2002 6:57 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] recovering a computer
 
 Seems like ERD Commander is the better choice in this case.
 There's also a free Linux bootdisk out on the net that can do 
 the same thing.
 
 In either case, you're really talking about telling someone
 to boot off a floppy, and walk through a few quick steps and 
 you can change the admin password without much effort.
 
 Of course, this also goes to show why physical security is so
 important - if people can physically get to your servers, you 
 can't stop them.
 
 Roger
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis - Formerly Harbinger and Extricity
 Atlanta, GA
 
 
  -Original Message-
  From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
  Sent: Monday, December 30, 2002 10:31 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] recovering a computer
  
  
  The computer was deleted from an OU.
  Now the local administrator password was and is lost.
  My question is?   Can I do a restore of that OU to recover 
  the computer account.
  The server is a remote location.
  So, restoring the administrator password will be tough.
  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
  Sent: Monday, December 30, 2002 10:24 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] recovering a computer
  
  
  Ahhh..OK - different issue.  If the administrator
  password was lost on a system, recovering the computer object
  is not going to help.  Using a tool like ERD from Winternals 
  at www.winternals.com would be a reasonable solution.
   
  Or, are we talking about the administrator password in
  AD?  If so, pwdump and L0phtCrack has been used successfully
  in this case - given the right conditions.
   
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On Behalf Of Don
  Murawski (Lenox)
  Sent: Monday, December 30, 2002 8:50 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] recovering a computer
  
  
  the administrator password was lost
  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
  Sent: Monday, December 30, 2002 9:46 PM
  To: [EMAIL PROTECTED]
  

RE: [ActiveDir] Reverting to Basic Disk

2002-12-31 Thread Bjelke John A Contr AFRL/VSIO
Thom, I've never heard of such a tool, but if one does exist it will
probably not save you time in this scenario... you will still have to back
up this large amount of data prior to using any disk editor tool that
purports to do this or risk losing it entirely. I would strongly suggest
going with the method you already know works and reduces risk of data loss.
Just my 2c worth. Good luck, and Happy new Gregorian calendar! 

-Original Message-
From: Barber, Thomas [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 31, 2002 7:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Reverting to Basic Disk


A quick question - anyone know of a utility that will revert a Dynamic Disk
to a Basic Disk without removing the volume (and thus the data)?  Everywhere
I've looked everyone says the same thing:  backup the data, remove the
volume, revert to Basic, then restore the data.
 
Because the disk needing reverting contains a large amount of data, I don't
look forward to the amount of time this is going to take.
 
 



RE: [ActiveDir] Hardening Active Directory

2002-12-27 Thread Bjelke John A Contr AFRL/VSIO

Really? Do they have a ritual for server cleansing and consecration?
Maybe a psalm to ward off PHB's? :^)

  -Original Message-
  From: Leney, Justin [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 27, 2002 9:25 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Hardening Active Directory

  http://www.nsa.gov/snac/win2k/download.htm -- Guides for AD, DNS, Group
  Policies, File System.

  I use these guides religiously.

  -Original Message-
  From: Hazelman, Doug [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 27, 2002 11:19 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Hardening Active Directory

  There's some good tips here. Make sure the AD servers on the NET are in a
  separate forest.

  http://www.aelita.com/ADSecurity

  -doug

  -Original Message-
  From: Brad Martin [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 27, 2002 11:11 AM
  To: Active Directory Mailing List
  Subject: [ActiveDir] Hardening Active Directory

  Anyone have any good links with tips on securing Active Directory? I'm going
  to have a couple of AD servers out on the Net, so I want to do what I can to
  lock them down.

  Brad Martin
  Go Daddy Software
  [EMAIL PROTECTED]
  480.505.8800 ext. 250
  


RE: [ActiveDir] Gathering Computer Account Info via script

2002-12-17 Thread Bjelke John A Contr AFRL/VSIO
Chris, 
you may want to create an ldap query in your vb script to whatever
container you are trying to enumerate and run through each object in that
container, write that to a csv (or text, whatever you need), and then move
on to the next container. Nested for loops would probably be the best
thing. Something like 
AdsPath=LDAP://dc name/ou=lowest level of
container,ou=container,ou=container,dc=etc,dc=etc, etc for your
entire FQDN;
Then do a foreach adsobj to return whatever values you are looking for. The
properties you can pull and some tips on how to get the data can be found
here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/ad/win2k3_entry_attributes_all.asp
Hope this helps!

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
The more corrupt the state, the more numerous the laws.   - Cornelius Tacitus

-Original Message-
From: England, Christopher M [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 16, 2002 7:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Gathering Computer Account Info via script


Greetings all,

I need to query a portion of the Active Directory (the OUs that I
control) and get a list of computer objects and some associated data
(Operating System name and version, for example). Can I do this with
VBS/WSH?

Thanks in advance for any help!

Chris


Christopher England
Server Administrator
College Information Technology Office
Indiana University
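
One way to run the query described in the reply above from VBS/WSH, as an added example that is not part of the original messages: it loops over a list of OUs and uses the ADSI OLE DB provider (ADsDSOObject) to return each computer object with its operating system attributes as CSV. The OU distinguished names are placeholders, and `ReportComputers` and `Csv` are names made up for this sketch.

```vbscript
' Added example: list computer objects under one or more OUs with their
' operating system attributes, as CSV. Run with: cscript //nologo script.vbs
Option Explicit

' Assumption: placeholder distinguished names, replace with the OUs you control.
Dim ous, ou
ous = Array("OU=Workstations,DC=example,DC=com", "OU=Servers,DC=example,DC=com")

Dim conn, cmd
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' Paged search, so a large OU is not cut off at the server's result limit.
cmd.Properties("Page Size") = 500

WScript.Echo "OU,Name,OperatingSystem,Version,ServicePack"
For Each ou In ous
    ReportComputers ou
Next
conn.Close

Sub ReportComputers(baseDn)
    Dim rs
    ' ADO LDAP dialect: <base>;filter;attributes;scope
    cmd.CommandText = "<LDAP://" & baseDn & ">;(objectCategory=computer);" & _
        "name,operatingSystem,operatingSystemVersion,operatingSystemServicePack;subtree"
    On Error Resume Next
    Set rs = cmd.Execute
    If Err.Number <> 0 Then
        ' Bad DN, no rights on the OU, no domain controller reachable, etc.
        WScript.Echo Csv(baseDn) & "," & Csv("ERROR 0x" & Hex(Err.Number)) & ",,,"
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0
    Do Until rs.EOF
        ' Attributes that are not set come back as Null; Csv turns them into "".
        WScript.Echo Csv(baseDn) & "," & _
                     Csv(rs.Fields("name").Value) & "," & _
                     Csv(rs.Fields("operatingSystem").Value) & "," & _
                     Csv(rs.Fields("operatingSystemVersion").Value) & "," & _
                     Csv(rs.Fields("operatingSystemServicePack").Value)
        rs.MoveNext
    Loop
    rs.Close
End Sub

' Quote a value for CSV output; Null and Empty become an empty string.
Function Csv(value)
    Csv = """" & Replace(value & "", """", """""") & """"
End Function
```

Sorting the output by the version and service pack columns gives a quick list of machines that are behind on patches.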



RE: [ActiveDir] Little Questions

2002-12-17 Thread Bjelke John A Contr AFRL/VSIO
I second that. Antigen is very good. I would suggest keeping different
vendor's AV solutions on your SMTP Gateway vs. your Exchange servers... If
one of them doesn't catch it, the heuristics of the other AV engine (or the
newer defs that one vendor releases before the other) might, increasing your
odds of defeating exploits, worms and viruses.

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 17, 2002 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Little Questions


Antigen from Sybari Software

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dave Kinnamon
Sent: Tuesday, December 17, 2002 11:45 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Little Questions


Shawn,

Any recommendations on a SMTP gateway scanner (hardware or software) ?


Dave K.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Little Questions


Exchange Antivirus on both mail servers if your Exchange antivirus product
is scanning the information store (you're on Exchange 5.5 I believe).  You
need coverage on your Exchange servers for internal messaging (messages not
originating from the Internet).

There are two virus scanning APIs for Exchange 5.5, MAPI and VAPI. VAPI
will scan messages as they enter the information store and MAPI will scan
messages as the user accesses them in the information store. Choose a
product that will scan using either or a combination of both interfaces.

We use a SMTP gateway scanner to scan mail as it enters the company. This
box forwards mail to our Exchange Organization.  

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 17, 2002 10:30 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Little Questions


Hello everyone,

I have some little questions.

If you have two exchange servers do you need to have Exchange Antivirus on
both or just the server with the Internet Mail Connector on it?

Having an Exchange server in a forest root and an exchange server in a child
domain, the exchange server in the child domain requires what kind of admin
access?  Does the server need to utilize the admin account from the child
domain or the forest root?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: [ActiveDir] Outlook XP makes me want to throw it out the window!

2002-12-10 Thread Bjelke John A Contr AFRL/VSIO
Chris, create a new email profile in Outlook. I have seen this behaviour
when the user profile is corrupted and will not establish a proper
authentication token. Out of curiosity, do the multiple logon failures in
outlook trigger your account lockout policy against her domain account? If
it doesn't, this would suggest that Outlook is trying to match cached
credentials instead of authenticating to the server and you should clear the
password cache on the local system. You might go so far as to rename the
user's system profile and have her login to the system as if a new user and
then manually drag over her favorites, documents, etc. Hope this helps!
 John A. Bjelke 
Unisys
 505.853.6774
 [EMAIL PROTECTED]
The more corrupt the state, the more numerous the laws.   - Cornelius
Tacitus 

This email may contain information which must be protected IAW AFI 33-332
and DoD Regulation 5400.11; 
Privacy Act of 1974 as Amended Applies, and it is For Official Use Only
(FOUO).



-Original Message-
From: Chris J. Popp [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 10, 2002 8:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Outlook XP makes me want to throw it out the window!


Get your attention with the subject? :)

I have been battling a problem with one of my user's machines for the past
week. She is running Windows XP Pro, Office XP Pro SP1. Whenever she starts
up her Outlook, she gets prompted for the username, password and server.

I put the information in exactly as it should be (and have verified with my
AD on the server) and I get the following message:

Your login information was incorrect. Check your username and domain, then
type in your password again. If your account is new or if your administrator
requested a password change you need to click Change Password then logon
with your new password.

I re-check the info in the AD on the server via VNC so I am right there at
her terminal doing double checks. I re-enter the password, and get the
message again. I change the password on the AD, then enter the new password
on her Outlook (usually use 1 as the password so I know I type it correct)
and still get the above error. 

I need to get this resolved for her as she is in charge of accounting and
has made my life hell in the past because since I am the IT Manager I should
be all knowing, all powerful (a common misconception by those users that
know no better)

So, please if anyone knows what I can do to resolve this, please let me
know. I'm at my wits end!

Thanks,
Chris





RE: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING

2002-12-10 Thread Bjelke John A Contr AFRL/VSIO



UserAdmin.pl from the resource kit... export from one, delete, create and
import to the other?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 2:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING

Is there any other way to do it?

-Original Message-
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING

Movetree from your support tools directory can be scripted.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tue 12/10/2002 3:09 PM
To: ActiveDir (E-mail)
Cc:
Subject: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING

Does anyone know how to move users between domains via script so that we can
incorporate it into our Intranet for user based administration?

Thanks

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]


RE: [ActiveDir] Script for publishing printers?

2002-11-20 Thread Bjelke John A Contr AFRL/VSIO



Thanks Glenn! I appreciate the pointers. I'm going to keep looking for the
"List in directory" scriptability solution, since there are political
factors that prevent the GPO solution in my current environment (ie, GPO
changes must go up the flagpole, be saluted and passed back down, if
approved). I tried setting that as a local machine policy on the servers
themselves, but that did not appear to work... probably being over-ridden by
domain level policies. *shrug* -JB

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 20, 2002 3:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Script for publishing printers?

John,

there are a couple of ways to do this. From VB/VBScript, you can set the
Location and Description of the printers (code below).

Obviously this is just an example :)

    Dim P
    Dim PQcontainer As IADsContainer
    Dim pq As IADsPrintQueue

    ' Bind to the computer object
    ' (set ServerName equal to your print server)
    Set PQcontainer = GetObject("WinNT://ServerName,computer")

    ' Filter for print queues only
    PQcontainer.Filter = Array("PrintQueue")

    For Each P In PQcontainer
        Set pq = GetObject(P.ADsPath)

        ' Only set this if you are not using Printer Location Tracking
        ' (which is great BTW)
        pq.Location = "Test"                 ' set the information

        ' Set the description
        pq.Description = "On First Floor"    ' set the information

        pq.SetInfo                           ' update the printer
        MsgBox pq.Name & " is a " & pq.Model
    Next P

Unfortunately haven't figured out how to set the "Publish in AD" setting
from script so on to next bit :)

You can also use a group policy setting on the print server to force
publishing of printers in AD:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;234270

HTH

Glenn

- Original Message -
From: Bjelke John A Contr AFRL/VSIO
To: '[EMAIL PROTECTED]'
Sent: Wednesday, November 20, 2002 2:26 AM
Subject: [ActiveDir] Script for publishing printers?

Hey folks!
quick question, and one I hope there is a relatively easy answer to:

Print servers migrated to AD via Aelita tools. Need to publish all of the
printers on the server. Is there a way to script this, or do I need to
manually go through hundreds of printers and check "List in directory" and
enter a location? Suggestions, criticisms, verbal abuse, etc. welcome :^)

 John A. Bjelke
 Unisys  505.853.6774
 [EMAIL PROTECTED]
The wise man learns more from his enemies than a fool does from his friends.
- Chinese Proverb
 


RE: [ActiveDir] Script for publishing printers?

2002-11-19 Thread Bjelke John A Contr AFRL/VSIO
Tony, I actually have tried the pubprn script... However, this will not
publish printers on a 2k server, only NT4. 
Error: Pubprn cannot publish printers from \\server-name because it is
running windows 2000, or later. 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 19, 2002 8:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Script for publishing printers?


You can use the pubprn.vbs script provided in the System32 folder.
Instructions on how to use it (plus examples) are provided in the script.

Tony

-- Original Message --
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 19 Nov 2002 15:26:31 -

Hey folks! 
quick question, and one I hope there is a relatively easy answer to:

Print servers migrated to AD via Aelita tools. Need to publish all of the
printers on the server. Is there a way to script this, or do I need to
manually go through hundreds of printers and check List in directory and
enter a location? Suggestions, criticisms, verbal abuse, etc. welcome :^)

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
The wise man learns more from his enemies than a fool does from his friends.
- Chinese Proverb   






RE: [ActiveDir] LDAP Display Name for User logged into computer

2002-11-08 Thread Bjelke John A Contr AFRL/VSIO
Last logon is kept in the registry on the local machine, unless your
policies prevent that being kept, as DefaultUserName. Take a look @
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName.
You could write it to a log as part of the login script, along with current
time and computer name, or you could poll it via script @ intervals using a
txt file with the names of the systems you want to monitor. Hope this helps!

 John A. Bjelke
 UNISYS
 Systems administrator
Supporting AFRL Kirtland AFB
  505.853.6774
   [EMAIL PROTECTED]

The contents of this Email communication are
confidential to the addressee. 
If you are not the intended recipient you 
may not disclose or distribute this 
communication in any form but should 
immediately contact the Sender.
The information, images, documents and views
expressed in this Email are personal to the 
Sender and do not expressly or implicitly 
represent official positions and policies of
Unisys Federal Systems or it's subsidiaries
and no authority exists on behalf of Unisys 
to make any agreements, representations or 
other binding commitment by means of Email.

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad;inovis.com] 
Sent: Friday, November 08, 2002 5:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP Display Name for User logged into computer


You can't do that, per se. AD doesn't track who logged in where. You'd have
to turn on logon auditing and scrape the DC logs to pull that off.

Alternately, there *might* be something you can poll per machine via WMI,
but I don't think so.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Jones, Rick J.(Desktop Engineering)
 [mailto:rick.j.jones;attws.com] 
 Sent: Thursday, November 07, 2002 6:40 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] LDAP Display Name for User logged into computer
 
 
 What is the LDAP display name on a computer account for the
 user that logged into the system from that computer?
 
 What I am trying to do is poll active directory with a
 vbscript I have to find out the UserID of the user that last 
 logged into the domain from that computer.
 
 Any thoughts?
 
 Rick
 
 



RE: [ActiveDir] LDAP Display Name for User logged into computer

2002-11-08 Thread Bjelke John A Contr AFRL/VSIO
BTW, you can also pull the last domain name logged into from the
DefaultDomainName under that same reg key. You might need to do this,
judging from your description of what you're trying to do. Otherwise, you
may drive yourself nuts trying to match local account logins with
non-existent DC records :^)  -JB
 
-Original Message-
From: Roger Seielstad [mailto:roger.seielstad;inovis.com] 
Sent: Friday, November 08, 2002 5:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP Display Name for User logged into computer


You can't do that, per se. AD doesn't track who logged in where. You'd have
to turn on logon auditing and scrape the DC logs to pull that off.

Alternately, there *might* be something you can poll per machine via WMI,
but I don't think so.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Jones, Rick J.(Desktop Engineering) 
 [mailto:rick.j.jones;attws.com]
 Sent: Thursday, November 07, 2002 6:40 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] LDAP Display Name for User logged into computer
 
 
 What is the LDAP display name on a computer account for the user that 
 logged into the system from that computer?
 
 What I am trying to do is poll active directory with a vbscript I have 
 to find out the UserID of the user that last logged into the domain 
 from that computer.
 
 Any thoughts?
 
 Rick
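
Added example, not part of the original posts: a WSH script for the polling
approach described in the two replies above. It reads DefaultUserName and
DefaultDomainName from each machine through WMI's StdRegProv and writes one
tab-separated line per host; the host-list file and the EXPECTED_DOMAIN value
are assumptions.

```vbscript
' Added example (not from the thread). Reads the Winlogon DefaultUserName and
' DefaultDomainName values from each listed machine via WMI StdRegProv.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const WINLOGON_KEY = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Const EXPECTED_DOMAIN = "EXAMPLE"   ' assumption: NetBIOS name of your domain

Dim aHosts, sHost

' Usage: cscript //nologo lastuser.vbs hosts.txt   (one machine name per line)
' With no argument only the local machine (".") is polled.
If WScript.Arguments.Count > 0 Then
    aHosts = ReadHostList(WScript.Arguments(0))
Else
    aHosts = Array(".")
End If

For Each sHost In aHosts
    If Len(Trim(sHost)) > 0 Then WScript.Echo PollHost(Trim(sHost))
Next

' Return the lines of the host list file as an array.
Function ReadHostList(sPath)
    Dim oFSO, oFile, sText
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oFile = oFSO.OpenTextFile(sPath, 1)   ' 1 = ForReading
    sText = ""
    If Not oFile.AtEndOfStream Then sText = oFile.ReadAll
    oFile.Close
    ReadHostList = Split(Replace(sText, vbCr, ""), vbLf)
End Function

' Return one log line: time, machine, DOMAIN\user, note.
Function PollHost(sMachine)
    Dim oReg, sUser, sDomain, sNote
    On Error Resume Next
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                         sMachine & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        PollHost = Now & vbTab & sMachine & vbTab & "-" & vbTab & _
                   "unreachable (0x" & Hex(Err.Number) & ")"
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    sUser = ReadString(oReg, "DefaultUserName")
    sDomain = ReadString(oReg, "DefaultDomainName")

    If sUser = "" Then
        ' Matches the "unless your policies prevent that" case in the reply.
        sNote = "no user name stored"
    ElseIf UCase(sDomain) <> UCase(EXPECTED_DOMAIN) Then
        ' Local or other-domain account: do not expect a matching DC record.
        sNote = "not a logon to " & EXPECTED_DOMAIN
    Else
        sNote = "domain logon"
    End If

    PollHost = Now & vbTab & sMachine & vbTab & sDomain & "\" & sUser & _
               vbTab & sNote
End Function

' Read a REG_SZ value under the Winlogon key; "" if missing or unreadable.
Function ReadString(oReg, sValueName)
    Dim sData
    ReadString = ""
    If oReg.GetStringValue(HKEY_LOCAL_MACHINE, WINLOGON_KEY, _
                           sValueName, sData) = 0 Then
        If Not IsNull(sData) Then ReadString = sData
    End If
End Function
```

These are ordinary registry strings that any local administrator can change,
so treat the output as a hint; logon auditing on the DCs, as suggested
earlier in the thread, remains the authoritative record.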
 
 



[ActiveDir] OT(sort of): Aelita questions

2002-10-31 Thread Bjelke John A Contr AFRL/VSIO
Can one of the resident Aelita gurus please contact me off list? I have some
questions resulting from a few test migrations in our production
environments that we would like to ask before the go-live date, which is
almost upon us. Thanks! 

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Put your hand on a hot stove for a minute, and it seems like an hour. Sit
with a pretty girl for an hour, and it seems like a minute. That's
relativity.   - Albert Einstein 




RE: [ActiveDir] OT: Scripting question

2002-10-30 Thread Bjelke John A Contr AFRL/VSIO
Thanks for the suggestions Stefano, but I think you have missed what I was
looking to do... I have a script that will repoint the clients, but the
problem is that I want to be able to retain specific settings, such as paper
orientation, duplexing options, etc. 
 The method I am using to do this is to use wsh to read certain registry
keys, copy out the settings to variables, plug in the new server name and
create new reg entries while deleting the old ones, which does not preserve
the settings. Thus, I was looking for a way to just rename the keys and not
delete them. I can write in a new value for the server name multi_sz
beneath the key, but need to be able to rename the key so that it reflects
the proper server assignment in other areas. The changes would then cascade
correctly with no change to user print preferences... I hesitate to use the
term, as it is often a bit of a Jonah, but it would be transparent to the
users if I could simply rename the key programmatically. 

-Original Message-
From: stefano tufillaro [mailto:stufillaro;hotmail.com]
Sent: Wednesday, October 30, 2002 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question


Ok
if you must change the name of the print server (example srvprinternew 
against srvprinterold) i 'll make this:

1) use PM to have the same queues in the srvprinternew

2) now migrate the client by a sample script that you can launch from a GP 
(you are in AD) if they are Win2k or by policy domain if they are NT / 
Win98.
Alternatively you can use a sample login scripts but this required a logon 
(automatically or simulate but logon)

But you can use a photo difference in a machine-test so to generate an alias
installing packet (.MSI) that is the mechanism used by SMS, TNG, SYmantec,
packet to run on every machine.
If you need of a creator of MSI look at your Win2k CD in support and search
for winstle product.
Is very easier to use.
Good luck








From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question
Date: Tue, 29 Oct 2002 21:31:46 -

Nod.. yes, if I were to rename the new server the same as the existing print
server, this would work. We are migrating between an NT4 domain and a AD
domain, and the new print server has to conform to a certain naming
convention in the AD domain, ergo no rename.

-Original Message-
From: stefano tufillaro [mailto:stufillaro;hotmail.com]
Sent: Tuesday, October 29, 2002 1:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question


Hello John

I don't know your specific situation, I can tell you my experience.

I needed a backup printer server.
Two hundred client was using it (Windows 98, NT , 2000).

I gave another name to the new server (SRVPRINTER02)
The old was SRVPRINTER01.
I created the same queues of SRVPRINTER01 by PrintMigrator3 on 
SRVPRINTER02.
After the SRVPRINTER01 is off-line.

When the server SRVPRINTER01 crashes I
1) rename SRVPRINTER02 in SRVPRINTER01
2) give the same IP address of SRVPRINTER01 in SRVPRINTER02

3) make on-line the new SRVPRINTER01 and in the same Domain-situation of the
old SRVPRINTER01

For all the client that is absolutely transparent so I need to change
anything because the client use NETBIOS
resolution (ES: \\srvprinter01\HPLASERJ3)
or IP / Netbios resolution
(ES: \\172.16.16.1\HPLASERJ3)

I hope that is useful




 From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] OT: Scripting question
 Date: Mon, 28 Oct 2002 23:07:35 -
 
 Stefano,
  PrintMig3 is what I have used to copy the print queues to the new
 server, but I fail to see how it will assist me in repointing 2000 client
 systems is there something I am missing?
 
 -Original Message-
 From: stefano tufillaro [mailto:stufillaro;hotmail.com]
 Sent: Monday, October 28, 2002 2:54 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] OT: Scripting question
 
 
 Print Migrator 3
 Microsoft
 no cost
 
 
 
 
 
 
  From: Roger Seielstad [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Scripting question
  Date: Thu, 24 Oct 2002 11:06:10 -0400
  
  WSH has the ability to do that - shouldn't be that hard.
  
  I don't have the book handy, but I think either Tim Hill's or Thomas Eck's
  books covers that in detail.
  
  --
  Roger D. Seielstad - MCSE
  Sr. Systems Administrator
  Inovis - Formerly Harbinger and Extricity
  Atlanta, GA
  
  
-Original Message-
From: Bjelke John A Contr AFRL/VSIO
[mailto:John.Bjelke;kirtland.af.mil]
Sent: Thursday, October 24, 2002 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Scripting question
   
   
Hey folks...
I need to automate repointing print
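
Added example, not part of the original posts: neither WshShell nor WMI's
StdRegProv exposes a rename call, so a script "renames" a key by copying the
whole subtree, values and subkeys, under the new name and deleting the old
key only after the copy succeeds. The key paths are constructed test keys
under HKCU, not the printer keys from the thread.

```vbscript
' Added example (not from the thread): "rename" a registry key by copying the
' full subtree to the new name, then deleting the original.
Option Explicit

Const HKEY_CURRENT_USER = &H80000001
Const REG_SZ = 1, REG_EXPAND_SZ = 2, REG_BINARY = 3, REG_DWORD = 4, REG_MULTI_SZ = 7
' Constructed test keys; substitute the real old and new key paths.
Const TEST_ROOT = "Software\ExampleRenameTest"
Const OLD_KEY = "Software\ExampleRenameTest\OldName"
Const NEW_KEY = "Software\ExampleRenameTest\NewName"

Dim oReg
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Build a small constructed key so the script runs as-is.
oReg.CreateKey HKEY_CURRENT_USER, OLD_KEY & "\Settings"
oReg.SetStringValue HKEY_CURRENT_USER, OLD_KEY, "Server", "\\oldserver"
oReg.SetMultiStringValue HKEY_CURRENT_USER, OLD_KEY, "Servers", Array("\\oldserver")
oReg.SetDWORDValue HKEY_CURRENT_USER, OLD_KEY & "\Settings", "Duplex", 1
oReg.SetBinaryValue HKEY_CURRENT_USER, OLD_KEY & "\Settings", "Blob", Array(1, 2, 3)

If RenameKey(HKEY_CURRENT_USER, OLD_KEY, NEW_KEY) Then
    WScript.Echo "Renamed. Old key exists: " & KeyExists(HKEY_CURRENT_USER, OLD_KEY) & _
                 ", new key exists: " & KeyExists(HKEY_CURRENT_USER, NEW_KEY)
Else
    WScript.Echo "Rename failed; original key left in place"
End If
DeleteTree HKEY_CURRENT_USER, TEST_ROOT   ' remove the test data

Function KeyExists(hRoot, sKey)
    Dim aNames
    KeyExists = (oReg.EnumKey(hRoot, sKey, aNames) = 0)
End Function

Function RenameKey(hRoot, sOld, sNew)
    RenameKey = False
    If Not KeyExists(hRoot, sOld) Then Exit Function
    If KeyExists(hRoot, sNew) Then Exit Function      ' never merge into an existing key
    If Not CopyKey(hRoot, sOld, sNew) Then
        DeleteTree hRoot, sNew                        ' roll back a partial copy
        Exit Function
    End If
    DeleteTree hRoot, sOld                            ' only after a complete copy
    RenameKey = True
End Function

' Copy every value (keeping its type) and recurse into subkeys.
Function CopyKey(hRoot, sSrc, sDst)
    Dim aNames, aTypes, aSubKeys, i, v, nRC
    CopyKey = False
    If oReg.CreateKey(hRoot, sDst) <> 0 Then Exit Function
    If oReg.EnumValues(hRoot, sSrc, aNames, aTypes) <> 0 Then Exit Function
    If IsArray(aNames) Then
        For i = 0 To UBound(aNames)
            Select Case aTypes(i)
                Case REG_SZ
                    nRC = oReg.GetStringValue(hRoot, sSrc, aNames(i), v)
                    If nRC = 0 Then nRC = oReg.SetStringValue(hRoot, sDst, aNames(i), v)
                Case REG_EXPAND_SZ
                    ' StdRegProv returns the string with variables already expanded.
                    nRC = oReg.GetExpandedStringValue(hRoot, sSrc, aNames(i), v)
                    If nRC = 0 Then nRC = oReg.SetExpandedStringValue(hRoot, sDst, aNames(i), v)
                Case REG_BINARY
                    nRC = oReg.GetBinaryValue(hRoot, sSrc, aNames(i), v)
                    If nRC = 0 Then nRC = oReg.SetBinaryValue(hRoot, sDst, aNames(i), v)
                Case REG_DWORD
                    nRC = oReg.GetDWORDValue(hRoot, sSrc, aNames(i), v)
                    If nRC = 0 Then nRC = oReg.SetDWORDValue(hRoot, sDst, aNames(i), v)
                Case REG_MULTI_SZ
                    nRC = oReg.GetMultiStringValue(hRoot, sSrc, aNames(i), v)
                    If nRC = 0 Then nRC = oReg.SetMultiStringValue(hRoot, sDst, aNames(i), v)
                Case Else
                    nRC = -1    ' unknown type: abort rather than drop data
            End Select
            If nRC <> 0 Then Exit Function
        Next
    End If
    If oReg.EnumKey(hRoot, sSrc, aSubKeys) <> 0 Then Exit Function
    If IsArray(aSubKeys) Then
        For i = 0 To UBound(aSubKeys)
            If Not CopyKey(hRoot, sSrc & "\" & aSubKeys(i), sDst & "\" & aSubKeys(i)) Then Exit Function
        Next
    End If
    CopyKey = True
End Function

' DeleteKey refuses keys that still have subkeys, so delete bottom-up.
Sub DeleteTree(hRoot, sKey)
    Dim aSubKeys, i
    If oReg.EnumKey(hRoot, sKey, aSubKeys) <> 0 Then Exit Sub
    If IsArray(aSubKeys) Then
        For i = 0 To UBound(aSubKeys)
            DeleteTree hRoot, sKey & "\" & aSubKeys(i)
        Next
    End If
    oReg.DeleteKey hRoot, sKey
End Sub
```

The new key takes its permissions from its parent rather than from the old
key, so compare the ACLs if the original key had explicit entries.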

RE: [ActiveDir] OT: Scripting question

2002-10-29 Thread Bjelke John A Contr AFRL/VSIO
Nod.. yes, if I were to rename the new server the same as the existing print
server, this would work. We are migrating between an NT4 domain and a AD
domain, and the new print server has to conform to a certain naming
convention in the AD domain, ergo no rename.

-Original Message-
From: stefano tufillaro [mailto:stufillaro;hotmail.com]
Sent: Tuesday, October 29, 2002 1:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question


Hello John

I don't know your specific situation, I can tell you my experience.

I needed a backup printer server.
Two hundred client was using it (Windows 98, NT , 2000).

I gave another name to the new server (SRVPRINTER02)
The old was SRVPRINTER01.
I created the same queues of SRVPRINTER01 by PrintMigrator3 on SRVPRINTER02.
After the SRVPRINTER01 is off-line.

When the server SRVPRINTER01 crashes I
1) rename SRVPRINTER02 in SRVPRINTER01
2) give the same IP address of SRVPRINTER01 in SRVPRINTER02

3) make on-line the new SRVPRINTER01 and in the same Domain-situation of the
old SRVPRINTER01

For all the client that is absolutely transparent so I need to change 
anything because the client use NETBIOS
resolution (ES: \\srvprinter01\HPLASERJ3)
or IP / Netbios resolution
(ES: \\172.16.16.1\HPLASERJ3)

I hope that is useful




From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question
Date: Mon, 28 Oct 2002 23:07:35 -

Stefano,
   PrintMig3 is what I have used to copy the print queues to the new
server, but I fail to see how it will assist me in repointing 2000 client
systems is there something I am missing?

-Original Message-
From: stefano tufillaro [mailto:stufillaro;hotmail.com]
Sent: Monday, October 28, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question


Print Migrator 3
Microsoft
no cost






 From: Roger Seielstad [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] OT: Scripting question
 Date: Thu, 24 Oct 2002 11:06:10 -0400
 
 WSH has the ability to do that - shouldn't be that hard.
 
 I don't have the book handy, but I think either Tim Hill's or Thomas Eck's
 books covers that in detail.
 
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis - Formerly Harbinger and Extricity
 Atlanta, GA
 
 
   -Original Message-
   From: Bjelke John A Contr AFRL/VSIO
   [mailto:John.Bjelke;kirtland.af.mil]
   Sent: Thursday, October 24, 2002 9:37 AM
   To: '[EMAIL PROTECTED]'
   Subject: [ActiveDir] OT: Scripting question
  
  
   Hey folks...
 I need to automate repointing print queues on ~2000 clients to a
   different print server and retain user settings on each
   queue... does anyone
   know how to RENAME a registry key, either in VB, Perl, C++,
   or WSH? I can
   pull the value and create a new key to the same printer name
   on the new
   server, but that doesn't retain the settings. Any suggestions are
   appreciated. Thanks!
  
John A. Bjelke
 Unisys
505.853.6774
 [EMAIL PROTECTED]
   A conclusion is simply the place where you got tired of thinking.
  



RE: [ActiveDir] OT: Scripting question

2002-10-28 Thread Bjelke John A Contr AFRL/VSIO
Stefano, 
PrintMig3 is what I have used to copy the print queues to the new
server, but I fail to see how it will assist me in repointing 2000 client
systems is there something I am missing?

-Original Message-
From: stefano tufillaro [mailto:stufillaro;hotmail.com]
Sent: Monday, October 28, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question


Print Migrator 3
Microsoft
no cost






From: Roger Seielstad [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question
Date: Thu, 24 Oct 2002 11:06:10 -0400

WSH has the ability to do that - shouldn't be that hard.

I don't have the book handy, but I think either Tim Hill's or Thomas Eck's
books covers that in detail.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


  -Original Message-
  From: Bjelke John A Contr AFRL/VSIO
  [mailto:John.Bjelke;kirtland.af.mil]
  Sent: Thursday, October 24, 2002 9:37 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] OT: Scripting question
 
 
  Hey folks...
  I need to automate repointing print queues on ~2000 clients to a
  different print server and retain user settings on each
  queue... does anyone
  know how to RENAME a registry key, either in VB, Perl, C++,
  or WSH? I can
  pull the value and create a new key to the same printer name
  on the new
  server, but that doesn't retain the settings. Any suggestions are
  appreciated. Thanks!
 
   John A. Bjelke
Unisys
   505.853.6774
[EMAIL PROTECTED]
  A conclusion is simply the place where you got tired of thinking.
 



RE: [ActiveDir] Remote Folder appear local

2002-10-25 Thread Bjelke John A Contr AFRL/VSIO
I believe she is looking to have it appear on their local machines from
the network, but not require them to map a connection to the server. Sounds
to me like just what DFS was made for! Set up the server as a DFS root and
the shared folder on the server can be added as a file system folder on
their machines. You will still need to share the folder containing the files
in question, but I believe you can make it a hidden share on the server and
still have it work. 
  John A. Bjelke
 UNISYS
 Systems administrator
Supporting AFRL Kirtland AFB
  505.853.6774
   [EMAIL PROTECTED]




-Original Message-
From: Sullivan, Kevin [mailto:KSullivan;aelita.com]
Sent: Friday, October 25, 2002 7:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Folder appear local


I am not totally sure what your goal is here. But some things to think
about...

1. Off Line files (of course occasionally they will need access to the
network).
2. Write a script that does a file copy and call it from a logon script.
3. Create a .msi file with SMS Installer or WISE or WinInstall LE that
does a file copy and push the .msi via group policy. (Of course they
will need access to the network)

How are you expecting to do this without access to the network?
SneakerNet may work G...

Kevin

-Original Message-
From: marija efnuseva [mailto:efmar;freemail.com.mk] 
Sent: Friday, October 25, 2002 4:36 AM
To: ActiveDirLista
Subject: [ActiveDir] Remote Folder appear local

I am interested if anyone can tell me how can I put the same files on
all client computers (some users) from my server. Is it possible. If not
can I make a shared folder on the server visible as a local one to all
my client computer. i mean that they would not have to connect to my
server through the network. I do not want them to have access to the
local network (should not be able to browse it)

thanks
marija

P.S. Can anyone tell me how can I make backup of my server Windows 2000
Server



RE: [ActiveDir] Profile question

2002-10-25 Thread Bjelke John A Contr AFRL/VSIO



Chris,

you could run a script before the migration to read the value of the
ProfileImagePath entry in the registry and export that to a tab delineated
file... then add a few lines to the logon script in the new AD domain to parse
their username against said tab separated file and do a wsh.RegWrite to the
same key with the old value.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<appropriate RID>\ProfileImagePath

is the registry key, and %SystemDrive%\Documents and Settings\<appropriate user name>
is the data format. Data type is REG_EXPAND_SZ. It's a really good idea to
dimension a constant or two to avoid typing the key names over and over..
something like

Const HKEY_LOCAL_MACHINE = &H80000002
Const PROFILE_SUBKEY = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

Here's a code snippet from a script we have for our helpdesk to repoint
profiles:
 
' (oRegistry is a WMI StdRegProv object; sSID and sNewPath are set earlier in the script)
'
' Get the specified user's ProfileImagePath on the specified machine
'
nRC = oRegistry.GetExpandedStringValue(HKEY_LOCAL_MACHINE, PROFILE_SUBKEY & "\" & sSID, "ProfileImagePath", sProfilePath)
If nRC <> 0 Then
  Wscript.Echo "Error " & Hex(nRC) & " reading registry"
  Wscript.Quit(1)
End If

Wscript.Echo "Profile path: " & sProfilePath

Wscript.Echo
Wscript.Echo "OS Default Profile Path"
Wscript.Echo ""
Wscript.Echo "Windows NT %SystemRoot%\Profiles\username"
Wscript.Echo "Windows 2000 %SystemDrive%\Documents and Settings\username"
Wscript.Echo
Wscript.Echo "You can use environment variables when specifying the path"
Wscript.Echo

'
' Set the ProfileImagePath directory
'
nRC = oRegistry.SetExpandedStringValue(HKEY_LOCAL_MACHINE, PROFILE_SUBKEY & "\" & sSID, "ProfileImagePath", sNewPath)
If nRC <> 0 Then
  Wscript.Echo "Error " & Hex(nRC) & " writing registry"
  Wscript.Quit(1)
Else
  Wscript.Echo "Modified profile path"
End If
End Sub


Hope this helps!

 John 
A. Bjelke  
UNISYS  Systems administrator 
Supporting AFRL Kirtland AFB  
505.853.6774  
[EMAIL PROTECTED] 
The contents of this Email communication 
are confidential to the addressee. 
If you are not the intended recipient 
you may not disclose or distribute 
this communication in any form but 
should immediately contact the 
Sender. The information, images, 
documents and views expressed in this 
Email are personal to the Sender and 
do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries 
and no authority exists on behalf of Unisys 
to make any agreements, 
representations or other binding 
commitment by means of Email. 

-Original Message-From: 
cflesher [mailto:[EMAIL PROTECTED]]Sent: Friday, October 25, 2002 
1:52 PMTo: [EMAIL PROTECTED]Subject: 
[ActiveDir] Profile question

  First time postee, 
  long time fan..
  
  We are currently 
  in the process of migrating users from NT4 domains to 2000. While most of the 
  nodes are NT4 workstation, some are running 2000 workstation. My question is, 
  once a user goes from connecting to an NT4 domain to a 2000 domain from a 2000 
  workstation, is there a scripting method to have the user use their old 
  profile for their new logon. Obviously, one can copy profiles by hand. I'm 
  looking for a way to automate this. Just looking for a few 
  hints.
  
  Thanks.
  
  Chris Flesher
  The University of Chicago
  NSIT/DCS
  1-773-834-8477
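
Added example, not part of the original messages: one way to vet the tab-separated export described in the reply above before a logon script writes its values under HKLM, so that a tampered or malformed row cannot repoint a profile outside the default profile roots. The two-column layout (username, ProfileImagePath), the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Default profile roots listed in the reply's snippet (Windows NT and Windows 2000).
ALLOWED_ROOTS = (
    "%systemroot%\\profiles\\",
    "%systemdrive%\\documents and settings\\",
)
# A profile folder is one path component: no separators, no variables.
_LEAF = re.compile(r"[A-Za-z0-9._ -]+")

# Constructed sample export (assumed layout): username <TAB> ProfileImagePath.
SAMPLE_EXPORT = "\n".join([
    "jdoe\t%SystemDrive%\\Documents and Settings\\jdoe",
    "asmith\t%SystemRoot%\\Profiles\\asmith",
    "mallory\t\\\\fileserver\\share\\mallory",                     # UNC path
    "eve\t%SystemDrive%\\Documents and Settings\\..\\..\\WINNT",   # traversal
    "line with no tab separator",
    "JDoe\t%SystemDrive%\\Documents and Settings\\someone-else",   # conflicts with line 1
])


def is_default_profile_path(path):
    """True only for <default profile root> followed by a single folder name."""
    lowered = path.lower()
    for root in ALLOWED_ROOTS:
        if lowered.startswith(root):
            leaf = path[len(root):]
            # Reject empty, ".", ".." and anything with a separator or '%'.
            return bool(_LEAF.fullmatch(leaf)) and leaf.strip(". ") != ""
    return False


def load_profile_map(text):
    """Parse the export into {username: path}; return (mapping, rejected).

    rejected is a list of (line number, reason). Usernames are compared
    case-insensitively; a user with two different paths is dropped entirely
    because the logon script could not know which value to trust.
    """
    mapping, rejected, ambiguous = {}, [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 2:
            rejected.append((lineno, "expected username<TAB>path"))
            continue
        user, path = fields[0].strip().lower(), fields[1].strip()
        if not user:
            rejected.append((lineno, "empty username"))
        elif not is_default_profile_path(path):
            rejected.append((lineno, "path outside the default profile roots"))
        elif mapping.get(user, path) != path:
            ambiguous.add(user)
            rejected.append((lineno, "conflicting entry for " + user))
        else:
            mapping[user] = path
    for user in ambiguous:
        mapping.pop(user, None)
    return mapping, rejected


if __name__ == "__main__":
    good, bad = load_profile_map(SAMPLE_EXPORT)
    for user, path in sorted(good.items()):
        print("OK     ", user, path)
    for lineno, reason in bad:
        print("REJECT line", lineno, "-", reason)
```

Only rows that pass this check would be handed to the registry write shown in the snippet; keeping the export file writable only by administrators addresses the same tampering risk at the source.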
  


[ActiveDir] OT: Scripting question

2002-10-24 Thread Bjelke John A Contr AFRL/VSIO
Hey folks... 
I need to automate repointing print queues on ~2000 clients to a
different print server and retain user settings on each queue... does anyone
know how to RENAME a registry key, either in VB, Perl, C++, or WSH? I can
pull the value and create a new key to the same printer name on the new
server, but that doesn't retain the settings. Any suggestions are
appreciated. Thanks!

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
A conclusion is simply the place where you got tired of thinking.   

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT: Scripting question

2002-10-24 Thread Bjelke John A Contr AFRL/VSIO
Does anyone know the wsh call to rename a key though? I have been unable to
find it. Unfortunately, I do not have either of the texts you reference, but
I have put them on the wish list!

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad;inovis.com]
Sent: Thursday, October 24, 2002 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting question


WSH has the ability to do that - shouldn't be that hard.

I don't have the book handy, but I think either Tim Hill's or Thomas Eck's
books covers that in detail.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Bjelke John A Contr AFRL/VSIO 
 [mailto:John.Bjelke;kirtland.af.mil] 
 Sent: Thursday, October 24, 2002 9:37 AM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] OT: Scripting question
 
 
 Hey folks... 
   I need to automate repointing print queues on ~2000 clients to a
 different print server and retain user settings on each 
 queue... does anyone
 know how to RENAME a registry key, either in VB, Perl, C++, 
 or WSH? I can
 pull the value and create a new key to the same printer name 
 on the new
 server, but that doesn't retain the settings. Any suggestions are
 appreciated. Thanks!
 
  John A. Bjelke   
   Unisys
  505.853.6774
   [EMAIL PROTECTED]
 A conclusion is simply the place where you got tired of thinking. 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir% 40mail.activedir.org/
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT: Scripting question

2002-10-24 Thread Bjelke John A Contr AFRL/VSIO
<grumble> That's what I was afraid of. It doesn't make sense to me that you
can rename from the console but not programmatically! </grumble>  Oh, well. 

-Original Message-
From: Carey, Greg [mailto:Greg.Carey;haledorr.com]
Sent: Thursday, October 24, 2002 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question


I don't think there is a rename.  You would just read the old, write the new
with that info and then delete the old.

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:John.Bjelke;kirtland.af.mil]
Sent: Thursday, October 24, 2002 11:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting question


Does anyone know the wsh call to rename a key though? I have been unable to
find it. Unfortunately, I do not have either of the texts you reference, but
I have put them on the wish list!

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad;inovis.com]
Sent: Thursday, October 24, 2002 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting question


WSH has the ability to do that - shouldn't be that hard.

I don't have the book handy, but I think either Tim Hill's or Thomas Eck's
books covers that in detail.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Bjelke John A Contr AFRL/VSIO 
 [mailto:John.Bjelke;kirtland.af.mil] 
 Sent: Thursday, October 24, 2002 9:37 AM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] OT: Scripting question
 
 
 Hey folks... 
   I need to automate repointing print queues on ~2000 clients to a
 different print server and retain user settings on each 
 queue... does anyone
 know how to RENAME a registry key, either in VB, Perl, C++, 
 or WSH? I can
 pull the value and create a new key to the same printer name 
 on the new
 server, but that doesn't retain the settings. Any suggestions are
 appreciated. Thanks!
 
  John A. Bjelke   
   Unisys
  505.853.6774
   [EMAIL PROTECTED]
 A conclusion is simply the place where you got tired of thinking. 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir% 40mail.activedir.org/
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT/ cannot share resources

2002-10-24 Thread Bjelke John A Contr AFRL/VSIO
Michael, 
a little more info would be helpful, but let me ask a few things:
1) Have you enabled file and print sharing on the 98 box in question?
2) Are the subnet masks the same on all machines in the workgroup?
3) Is the workgroup name the same on all boxen?
4) Can you ping and/or tracert to the troublesome 9X from other boxen on lan?

Assuming these are in order, I would suggest the following:
1) Check layer one.
2) Remove file and print sharing and re-add with a reboot in between.
3) Remove Microsoft Windows Networking, reboot, and re-add the provider and
protocols and reconfigure network settings.
4) Delete and recreate the shares that you are trying to access.
5) Check layer one again. In my experience, despite the iffy nature of
networking in Win9X, the problems are often physical in nature.
6) Scrap 9X and use a real network OS... (not helpful, I know, but
definitely earnest)
Good luck!
 John A. Bjelke 
Unisys
  505.853.6774
   [EMAIL PROTECTED]
The more corrupt the state, the more numerous the laws.   - Cornelius
Tacitus 

This email may contain information which must be protected IAW AFI 33-332
and DoD Regulation 5400.11; 
Privacy Act of 1974 as Amended Applies, and it is For Official Use Only
(FOUO).


-Original Message-
From: Michael Tock [mailto:mptock;peoplepc.com]
Sent: Thursday, October 24, 2002 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT/ cannot share resources


Ok you network people, I cannot share my files on just one of my computers,
it is just a small peer to peer workgroup. I  can see the computer in the
network neighborhood. The computer I am having problems with has win 98. So
what is causing the problem, and how do I fix it.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Disable IE via GPO

2002-10-16 Thread Bjelke John A Contr AFRL/VSIO

Heh. I like it. And of course, thumbcuffs would work wonders to prevent
inappropriate surfing... :^)

-Original Message-
From: Puckett, Richard [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 4:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disable IE via GPO




If you were really evil, you could toss in a wscript.echo statement after
the objLatestProcess.TargetInstance.Terminate line that says stop
downloading viruses already! (or a more sensible usage warning).

:-)

Richard


 -Original Message-
 From: Puckett, Richard 
 Sent: Tuesday, October 15, 2002 5:52 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Disable IE via GPO
 
 
 
 James,
 
 There are a couple of different ways you could approach this.  
 
 One quick thought would be a custom logon script that targets 
 this user specifically at logon and runs a wscript (not 
 cscript) call against the below code (converted from the MS 
 Script Repository).  This creates a temporary event consumer 
 that continually watches for instances of IEXPLORE.EXE and 
 kills them (good for a practical joke too :-)).  Using 
 wscript ensures that no command window is created and the 
 script is only recognizable by the wscript.exe process active 
 in task manager.  Of course this doesn't preclude him 
 renaming IEXPLORE.EXE to something else, or logging on 
 locally to avoid the logon script, but it's at least one option.
 
 
 Put wscript.exe %LOGONSERVER%\netlogon\killie.vbs in the 
 logon script field (to suppress any display of a command 
 prompt).  Then stick the following into a .VBS file and copy 
 it into the netlogon share.  
 
 'KillIE.VBS
 
 ' Connect to WMI on the local machine
 strComputer = "."
 Set objWMIService = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 ' Temporary event consumer: poll every second for newly created processes
 Set colMonitoredProcesses = objWMIService. _
     ExecNotificationQuery("select * from __instancecreationevent " _
         & " within 1 where TargetInstance isa 'Win32_Process'")
 i = 0
 Do While i = 0
     Set objLatestProcess = colMonitoredProcesses.NextEvent
     If objLatestProcess.TargetInstance.Name = "IEXPLORE.EXE" Then
         objLatestProcess.TargetInstance.Terminate
     End If
 Loop
 
 
 Hope this helps,
 Richard
 
 
  -Original Message-
  From: James Liddil [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, October 15, 2002 3:54 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Disable IE via GPO
  
  
  W2K/Exchange2K Environment.  We have a visiting scientist who
  I was asked to give an account to.  Turns out he has been 
  reading his web mail and it is highly infected based on the 
  number of alerts I got.  The one machine he uses I have 
  pulled off the internet.  But I now find he went to another 
  machine and did some web mail (virus alert again).  So at 
  this point my hands are tied by the management's lack of 
  policies.  So I need a way to prevent him from using IE 
  regardless of the machine.  It seems in GPO I can lock it 
  down but not totally disable it.  Or is there a way?
  
  Jim Liddil
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive:
  http://www.mail-archive.com/activedir% 40mail.activedir.org/
  
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir% 40mail.activedir.org/
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Disable IE via GPO

2002-10-16 Thread Bjelke John A Contr AFRL/VSIO

Well, you *could* write code into his login script that sets the IE security
preferences for the Restricted Zones, and then undoes it in the standard
login script so that others are not affected... 
That would probably be a good script to hang onto for future offenders as
well.  
Add his web-mail site to the restricted zones on a test pc, then export
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains to a REG file. In his logon script, copy this reg
file to a temp on the system and run it. For the clean up in the normal
script, find the specific entry and delete it, maybe?

I would also suggest drafting an acceptable use policy to run by the
"powers that be", maybe through your IT boss... the worst they can do is say
"We're not concerned." At best, you might gain some leverage on stopping
things like this. 
Good luck! -JB

-Original Message-
From: James Liddil [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disable IE via GPO


We don't have a policy in place that prevents folks from reading yahoo,
hotmail etc.  So if I have our firewall configured to block this I'm sure I'd
immediately be blacklisted by end users.  I could just as easily use McAfee
EPO and add these various webmail URLs and block them.  Until management
decides this is a business critical issue I won't go there.  But I certainly
have considered the idea along with blocking IM traffic.  

Jim Liddil

 -Original Message-
 From: Bjelke John A Contr AFRL/VSIO 
 [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, October 15, 2002 4:22 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Disable IE via GPO
 
 
 Why not block his web-mail site @ the firewall? He might have 
 legitimate project related need for web access, but if you 
 can point to virus infections from his web-based email you 
 should be able to justify blocking the site for everyone.
  John A. Bjelke   
Unisys
  505.853.6774
   [EMAIL PROTECTED]
 Man will occasionally stumble over the truth, but most times 
 he will pick
 himself up and carry on...  - Winston Churchill   
 
 
 -Original Message-
 From: James Liddil [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, October 15, 2002 1:54 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Disable IE via GPO
 
 
 W2K/Exchange2K Environment.  We have a visiting scientist who 
 I was asked to give an account to.  Turns out he has been 
 reading his web mail and it is highly infected based on the 
 number of alerts I got.  The one machine he uses I have 
 pulled off the internet.  But I now find he went to another 
 machine and did some web mail (virus alert again).  So at 
 this point my hands are tied by the management's lack of 
 policies.  So I need a way to prevent him from using IE 
 regardless of the machine.  It seems in GPO I can lock it 
 down but not totally disable it.  Or is there a way?
 
 Jim Liddil
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir% 40mail.activedir.org/
 
 List info   : 
 http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir% 40mail.activedir.org/
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Sort of OT: other Protocols

2002-07-18 Thread Bjelke John A Contr AFRL/VSIO

What about using hosts files as a fail over for DNS? Seems like less work to
me.
  
 John A. Bjelke
  UNISYS
Systems administrator
505.846.5894
[EMAIL PROTECTED]


-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 8:45 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Sort of OT: other Protocols


I have an Isolated environment that runs SQL 2000 and Windows 2000 Servers.
This environment experienced problems the other day because of a lack of
name resolution between the Servers.
I was asked by management to look at netbeui as a backup in case standard
TCPIP name Resolution failed...
Here is what I have set up...
On each machine I have 2 Nic's, 1 nic on each machine is dedicated to IP and
1 Nic is dedicated to NetBeui.

Does anyone see any issues with this?







Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info

The greatest glory is not in never failing, but in rising up every time we
fall.
-- Confucius 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Why Active Directory?

2002-07-11 Thread Bjelke John A Contr AFRL/VSIO

David, 
the way to best reduce total cost of ownership on any network (and
the amount of work you have to put in on it) is to go to a standardized
desktop environment where possible. The fewer hardware and software
configurations an organization has, the easier, theoretically at least, it
will be to manage the infrastructure. So, were I in your shoes, I would work
on getting a standard approved for workstations on the network and begin
implementing it before I tackled selling them AD. Win 2K Pro or XP Pro would
be my choice for the standardized OS. The easiest way to sell this to the
bean counters would be to highlight the insecure and unstable nature of all
Win9x boxen and the subsequent TCO. Keep track of the hours spent
troubleshooting, rebooting, cursing, etc. 9x boxen as compared to 2K/XP
boxen on your network. Present them with articles discussing the lack of
security in win9x (including Me). Basically, build a well documented case
for standardization with an OS designed for corporate environments. Include
the benefits of centralized administration from a domain, such as security,
remote administration, automated back-ups, the potential to add email
services, and the like. But I would seriously look at establishing some kind
of base-line for workstations... it will really make your job easier in the
short and long terms. Good luck!
   John A. Bjelke
  UNISYS
[EMAIL PROTECTED]


-Original Message-
From: David Bradford [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 7:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Why Active Directory?


Hi all;

For the last 2 months I've been given the additional job of  part time
network admin for my company's network. It's currently 80 workstations, 2
windows 2000 servers and about 10 HP printers.

The workstations run either Win98/WinMe/Win2k Professional or WinXP
Home/Pro.

It's all running in workgroup mode and it's a pain in the butt to maintain
user accounts/passwords etc etc. 10 New users joined us today and they
needed access to both win2k servers and various printers connected to
various workstations, so off I went adding the same 10 users to all the
different machines.

Additionally, Winme and XP home sometimes can, sometimes can't see the
network. A reboot almost always cures the problem. Very annoying.

Of course, keeping track of service packs/patches -  even deploying normal
apps is a monumental task. I can see why the previous network admin left!

Basically, the network is becoming unmanageable. I'm familiar with AD and
it's obvious to me that a proper directory service will do wonders for the
network but management seem to think everything is running OK at present so
why would they want to buy 2 more servers to act as domain controllers and
upgrade everyone to either win2k or WinXP pro?

The existing win2k servers are used as our fileservers and are pretty busy
so upgrading them to DC's wouldn't be desirable.

Basically, I need some reasons that I can present to management why AD will
be such a great thing for us, I've suggested user management/deploying apps
as advantages but they don't seem impressed.

What else can I add?

Thanks;

David Bradford

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Password Changes Issues

2002-06-04 Thread Bjelke John A Contr AFRL/VSIO

Don, 
Check for policy changes. The "you are not authorized to change your
password" error message appears to be the default error message. Our users
see this error all the time if they are not meeting the length and
complexity requirements. Hope this helps!
 John A. Bjelke AFRL\VSIO 
 Business Support Analyst
UNISYS
You will never find a more wretched hive of scum and villainy.
=
This e-mail is intended for the addressee shown. It contains information
that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or
unauthorized employees of the intended organisations is strictly prohibited.
The contents of this email do not necessarily represent the views or
policies of Unisys Federal Systems, its employees or affiliates.





-Original Message-
From: Don L. Hollingshead [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 7:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Changes Issues


Hey,

We have been operating normally with periodic user password changes.  Today
anyone that is required to change their password gets a message stating that
they are not authorized to change it.

Any ideas would be appreciated.

Thanx

Don

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Simple Password reset utility

2002-05-17 Thread Bjelke John A Contr AFRL/VSIO



Do you use Outlook Web Access on Exchange? There is a password change applet
built-in there that should work for what you need.
-John

-Original Message-
From: Izzy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 12:46 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Simple Password reset utility

Does anyone have, or know of a site 
that has, a simple Win32 app to reset passwords.

We have people at remote offices who 
I have given the ability to reset passwords of other users at the office but I 
really don't want them using ADUC. So they have the native ACLs set so they can reset the password but native tools are 
overkill for what they need.

What I would like is a simple app 
that asks for a user's logon and then prompts for a new password, if the account 
should be unlocked, if the user must change their password at next logon, 
etc.

I know this is something that could 
be whipped out pretty quickly using VB but if someone has already done it why 
re-invent the wheel.


RE: [ActiveDir] Simple Password reset utility

2002-05-17 Thread Bjelke John A Contr AFRL/VSIO



Ah, sorry.. I misunderstood what you were looking for.

-Original Message-
From: Izzy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 1:00 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simple Password reset utility

Yes but I need something so a local "IT" person can reset another user's
password or unlock their account, assuming they forgot their password.

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 1:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simple Password reset utility

Do you use Outlook Web Access on Exchange? There is a password change applet
built-in there that should work for what you need.
-John

-Original Message-
From: Izzy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 12:46 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Simple Password reset utility

Does anyone have, or know of a site 
that has, a simple Win32 app to reset passwords.

We have people at remote offices who 
I have given the ability to reset passwords of other users at the office but I 
really don't want them using ADUC. 
So they have the native ACLs set so they can reset the password but 
native tools are overkill for what they need.

What I would like is a simple app 
that asks for a user's logon and then prompts for a new password, if the account 
should be unlocked, if the user must change their password at next logon, 
etc.

I know this is something that could 
be whipped out pretty quickly using VB but if someone has already done it why 
re-invent the wheel.


RE: Antwort: [ActiveDir] Pwdlastset attribute

2002-04-04 Thread Bjelke John A Contr AFRL/VSIO

I always thought UTC in relation to computing was the number of non-leap
seconds that have elapsed since 00:00:00 January 1, 1970. I find the choice
of Jan 01, 1601 to be a little bizarre in this context. Was this a typo? Or
is that how UTC is now measured in AD? 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 04, 2002 6:00 AM
To: [EMAIL PROTECTED]
Subject: Antwort: [ActiveDir] Pwdlastset attribute


Tasneem,

the format of a UTC time is described in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/time_0fzm.asp

It is the number of 100-nanosecond intervals since January 1, 1601. With
the Win32-API-Function 'FileTimeToSystemTime' it can be converted to a
readable format.

This is a C++ example:

#include <windows.h>

FILETIME ftRawvalue;        // the raw 64-bit time value goes here
SYSTEMTIME stGMT, stLocal;
TCHAR lpszString[32];       // output buffer for the formatted date

// Convert the raw time value to GMT Zone
FileTimeToSystemTime(&ftRawvalue, &stGMT);

// Convert the time from GMT zone to your local time zone
SystemTimeToTzSpecificLocalTime(NULL, &stGMT, &stLocal);

// Build a string showing the date and time.
wsprintf(lpszString, TEXT("%02d/%02d/%d  %02d:%02d"),
         stLocal.wDay, stLocal.wMonth, stLocal.wYear,
         stLocal.wHour, stLocal.wMinute);

There should be a similar VB example, but I'm not a VB expert.

Rainer.





Bhaijee, Tasneem [EMAIL PROTECTED]@mail.activedir.org on
28.03.2002 18:10:31

Please reply to [EMAIL PROTECTED]

Sent by:  [EMAIL PROTECTED]


To:   [EMAIL PROTECTED]
Cc:
Subject:[ActiveDir] Pwdlastset attribute

Pwdlastset is an attribute in Active directory which stores the value in
UTC (universal Coordinated Time) format.
   Value example:  126550226842430343
   Data type for the attribute is an integer.

   How do I convert this value to local time?

   Thanks.



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
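
Added example, not part of the thread: the conversion discussed above written in Python, relating the 1601-based count of 100-nanosecond intervals to the 1970-based Unix count and applying it to the sample value from the question. The function names are illustrative assumptions, and the fixed time zone and reference date used when the block is run directly are constructed.

```python
from datetime import datetime, timedelta, timezone

# Epoch that pwdLastSet counts from, and the Unix epoch for comparison.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick = 100 nanoseconds
# Seconds between the two epochs: 369 years, 89 of them leap years.
EPOCH_DELTA_SECONDS = int((UNIX_EPOCH - FILETIME_EPOCH).total_seconds())

# Value quoted in the original question.
SAMPLE_PWDLASTSET = 126550226842430343


def filetime_to_utc(ticks):
    """Convert a pwdLastSet-style integer to an aware UTC datetime.

    Returns None for 0, which in pwdLastSet carries no timestamp (the
    account must change its password at next logon).
    """
    ticks = int(ticks)
    if ticks == 0:
        return None
    if ticks < 0:
        raise ValueError("tick count must not be negative")
    # Integer maths keeps full precision; datetime resolves microseconds,
    # so the final 100 ns digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_local(ticks, tz=None):
    """Same as filetime_to_utc, shifted to tz (system local zone if None)."""
    utc = filetime_to_utc(ticks)
    return None if utc is None else utc.astimezone(tz)


def filetime_to_unix(ticks):
    """Whole seconds since 1970-01-01 UTC for a 1601-based tick count."""
    return int(ticks) // TICKS_PER_SECOND - EPOCH_DELTA_SECONDS


def unix_to_filetime(seconds):
    """1601-based tick count for whole seconds since 1970-01-01 UTC."""
    return (int(seconds) + EPOCH_DELTA_SECONDS) * TICKS_PER_SECOND


def password_age_days(ticks, now):
    """Full days between the stored timestamp and now (aware datetime)."""
    set_at = filetime_to_utc(ticks)
    return None if set_at is None else (now - set_at).days


if __name__ == "__main__":
    mountain = timezone(timedelta(hours=-7))             # constructed zone
    now = datetime(2002, 3, 28, tzinfo=timezone.utc)     # constructed date
    print("UTC:  ", filetime_to_utc(SAMPLE_PWDLASTSET))
    print("Local:", filetime_to_local(SAMPLE_PWDLASTSET, mountain))
    print("Unix: ", filetime_to_unix(SAMPLE_PWDLASTSET))
    print("Age:  ", password_age_days(SAMPLE_PWDLASTSET, now), "days")
```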



RE: [ActiveDir] Registry setting

2002-04-01 Thread Bjelke John A Contr AFRL/VSIO

Scott, 
I can only assume you are looking to programmatically change this
setting in your environment. Here is a snippet of the vbs code we use to
toggle this off. Best of luck!
  John A. Bjelke AFRL\VSIO 
  Business Support Analyst
UNISYS
  Supporting AFRL 
  Kirtland AFB, NM
505.853.6087
 [EMAIL PROTECTED]
=
Catapultam habeo. Nisi pecuniam omnem mihi dabis,  ad caput tuum saxum
immane mittam. 
Copula eam se non possit acceptare jocularum.


'--
' Disable Dynamic DNS registration
' (g_oLocator and g_sMessage are globals set elsewhere in the script)
'--
Sub DisableDynamicDNS(sComputerName)
  On Error Resume Next
  Dim oServer, oAdapters, oAdapter, nRC

  Set oServer = g_oLocator.ConnectServer(sComputerName, "root\CIMV2")
  If Err.Number = 0 Then
    ' Only IP-enabled adapters that report a MAC address
    Set oAdapters = oServer.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE " & _
                                      "IPEnabled = TRUE AND MACAddress <> ''")
    For Each oAdapter In oAdapters
      If oAdapter.IPAddress(0) <> "" Then
        If oAdapter.FullDNSRegistrationEnabled Then
          nRC = oAdapter.SetDynamicDNSRegistration(False, False)
          If nRC <> 0 Then
            g_sMessage = g_sMessage & "SetDynamicDNSRegistration failed for network adapter with IP " & _
                         oAdapter.IPAddress(0) & vbCRLF
          Else
            g_sMessage = g_sMessage & "Disabled dynamic DNS registration for network adapter with IP " & _
                         oAdapter.IPAddress(0) & vbCRLF
          End If
        Else
          g_sMessage = g_sMessage & "Dynamic DNS registration already disabled for network adapter with IP " & _
                       oAdapter.IPAddress(0) & vbCRLF
        End If
      End If
    Next
  Else
    g_sMessage = g_sMessage & "DisableDynamicDNS: ConnectServer failed" & vbCRLF
  End If
End Sub




-Original Message-
From: Scott Krall [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 10:53 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Registry setting


Is there a registry setting for the setting 'register this connection's
addresses in DNS' ??? 



RE: [ActiveDir] AD on XP

2002-03-22 Thread Bjelke John A Contr AFRL/VSIO

Well, the XP version of 2KAdvancedServer is .Net Server, which I don't
believe has been fully released yet. XP workstations should integrate nicely
in a 2K AD environment.
Good luck! -JB
 John A. Bjelke AFRL\VSIO 
 Business Support Analyst
 UNISYS
  Supporting AFRL 
  Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
=
Catapultam habeo. Nisi pecuniam omnem mihi dabis,  ad caput tuum saxum
immane mittam. 
Copula eam se non possit acceptare jocularum.





-Original Message-
From: Nah Idee [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 7:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD on XP


If I currently have a simple AD infrastructure with 10 Windows 2000 Advanced
Servers, what are my options with respect to XP ? I know about XP desktop
and professional, but is there a XP equivalent to win2000 AS ? I realize
2000 is NT5.0 and XP is NT5.1, but I wouldn't want to lose anything
(especially AD-wise) by converting to an XP platform.
Thanks for your comments.




RE: [ActiveDir] Rolling SRP1 into a RIS Install:

2002-03-06 Thread Bjelke John A Contr AFRL/VSIO




James,
The rough instructions are in Q296723, but the specific outline is
something like this:
1. Copy the Windows 2000 CD-ROM onto the HD
2. Slipstream SP2 into it (update -s:path)
3. Extract the SRP1 files somewhere (sp2srp1 -x:path)
From this point, what you have to do is remove matching files from the i386
folder and subfolders, and replace them with the ones from the sp2srp1; e.g.
if you have i386\kernel32.dl_, and the sp2srp1 has kernel32.dll, you have to
remove the kernel32.dl_ and replace it with the kernel32.dll that's from the
package. I did this by generating a list of files in the sp2srp1 and munged
it using regular expressions in my text editor, added a del command to the
beginning of each line, save it as a batch file, etc. After you remove the
files, you then copy the sp2srp1 versions in their place.
Then you edit the dosnet.inf and create a svcpack.inf file as specified in
the Q article, create the svcpack subdirectory and put the sp3.cat file from
the sp2srp1 package, etc. That's about it.
Good luck!
John A. Bjelke AFRL\VSIO
Business Support Analyst
UNISYS
Supporting AFRL
Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
=
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam.
Copula eam se non possit acceptare jocularum.

-Original Message-
From: Blair, James [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 7:09 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Rolling SRP1 into a RIS Install:

All,

Have any of you successfully rolled SRP1 into a RIS Image...if so how did
you do it...by rolling SRP1 into the image I can avoid having to use QCHAIN,
HFNETCHK and login scripts for a little while longer.

James
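
The "remove matching files and copy the SRP1 versions in their place" step from the reply above, as an added Python example; it is not the poster's batch file and not the procedure text of the Q article. The directory names, function names and the small file tree in demo() are constructed, and the matching assumes compressed files follow the trailing-underscore naming shown in the post (kernel32.dl_ for kernel32.dll). SRP1 files with no counterpart under i386, such as sp3.cat, are only reported, since the post places them by hand.

```python
"""Replace files in a slipstreamed i386 tree with their SRP1 versions."""
import shutil
import tempfile
from pathlib import Path


def compressed_name(name: str) -> str:
    """Install-CD name of a compressed file: kernel32.dll -> kernel32.dl_."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return name  # assumption: names without an extension are matched as-is
    return f"{stem}.{ext[:-1]}_"


def plan_replacements(i386_root: Path, srp_root: Path):
    """Pair each extracted SRP1 file with every copy of it under i386.

    Returns (actions, unmatched). Each action is (stale_file, new_file, target);
    unmatched holds SRP1 files that have no counterpart in the tree.
    """
    index = {}  # lower-cased file name -> paths, since Windows names ignore case
    for path in i386_root.rglob("*"):
        if path.is_file():
            index.setdefault(path.name.lower(), []).append(path)

    actions, unmatched = [], []
    for new_file in sorted(p for p in srp_root.rglob("*") if p.is_file()):
        name = new_file.name.lower()
        candidates = sorted({name, compressed_name(name)})
        hits = [p for c in candidates for p in sorted(index.get(c, []))]
        if not hits:
            unmatched.append(new_file)
        for stale in hits:
            actions.append((stale, new_file, stale.with_name(new_file.name)))
    return actions, unmatched


def apply_replacements(actions, dry_run=True):
    """Return the del/copy log; touch the disk only when dry_run is False."""
    log = []
    for stale, new_file, target in actions:
        log.append(f"del {stale}")
        log.append(f"copy {new_file} {target}")
        if not dry_run:
            stale.unlink(missing_ok=True)
            shutil.copy2(new_file, target)
    return log


def demo():
    """Run the procedure on a small constructed tree and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        i386, srp = Path(tmp, "i386"), Path(tmp, "srp1")
        (i386 / "uniproc").mkdir(parents=True)
        srp.mkdir()
        # Constructed stand-ins for the slipstreamed SP2 source
        (i386 / "kernel32.dl_").write_text("sp2 compressed")
        (i386 / "uniproc" / "kernel32.dl_").write_text("sp2 compressed")
        (i386 / "user32.dll").write_text("sp2 plain")
        (i386 / "notepad.ex_").write_text("untouched")
        # Constructed stand-ins for the extracted SRP1 files
        (srp / "kernel32.dll").write_text("srp1")
        (srp / "user32.dll").write_text("srp1")
        (srp / "sp3.cat").write_text("catalog")

        actions, unmatched = plan_replacements(i386, srp)
        preview = apply_replacements(actions, dry_run=True)
        still_there = (i386 / "kernel32.dl_").exists()  # dry run changed nothing
        apply_replacements(actions, dry_run=False)
        files = (p for p in i386.rglob("*") if p.is_file())
        return {
            "preview_lines": len(preview),
            "dry_run_left_files": still_there,
            "unmatched": [p.name for p in unmatched],
            "tree": sorted(p.relative_to(i386).as_posix() for p in files),
            "kernel32": (i386 / "kernel32.dll").read_text(),
            "user32": (i386 / "user32.dll").read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Reviewing the dry-run log before applying it gives a record of exactly which binaries in the install source were swapped, which helps when confirming later that machines built from the image carry the patched versions.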


RE: [ActiveDir] Two Domains, One Subnet

2002-02-21 Thread Bjelke John A Contr AFRL/VSIO

DHCP is going to work on a first available basis.. i.e., the first DHCP
server that a system can contact when it looks for a lease will issue an IP
and register the connection in dynamic DNS. This could cause managing
computer domain accounts to get ugly, unless you are willing to keep all
computer accounts in one single domain by turning DHCP off on one of the
domains. DNS shouldn't be a problem, as long as the two domains' DNS servers
are replicating zones frequently and accurately between themselves.

-Original Message-
From: SALANDRA, JUSTIN [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 10:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Two Domains, One Subnet


But can two domains exist on the same subnet?   If so how would DHCP and DNS
work correctly?

 -Original Message-
From:   Butler, Simon (London) [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, February 21, 2002 12:06 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Two Domains, One Subnet

Yes

You only need to consider sites... a site is a collection of 1 or more
subnets... domains can span multiple sites & multiple domains can exist
in the same site... etc etc

Simon Butler 
Merrill Lynch HSBC 


-Original Message-
From: SALANDRA, JUSTIN [mailto:[EMAIL PROTECTED]] 
Sent: 21 February 2002 16:39
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Two Domains, One Subnet
Importance: High


Hello All,

I am trying to find out if it is possible to have two separate domains,
in the same AD Tree in the same AD Site span the same subnet?  If you
know the answer, please e-mail me.  Thanks

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: [ActiveDir] RIS and RipRep

2002-01-24 Thread Bjelke John A Contr AFRL/VSIO

Did you slip-stream the service pack and hot fixes prior to the ris, or
after you have pushed the image to the system? I believe that if you apply
SP2 AFTER the install through ris, the image will NOT match the install.

-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 24, 2002 8:08 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Cc: 'Morin, Jon'
Subject: [ActiveDir] RIS and RipRep


I have loaded a machine via RIS and have applied appropriate Service Packs
and Hot fixes. However, when I go to run RipRep (from the server that the
original image was loaded from) I get this message:

 The server to which you chose to replicate this system does not contain a
CD-based image. The Version of the CD-Based image on the server must match
the version of the system you are attempting to copy. Select a different
server or add a CD-based image to this server
 
 any ideas?



 
Joshua Morgan
PROFITLAB
Network Engineer
[EMAIL PROTECTED]

One is glad to be of service 
--Robin Williams (Bicentennial Man)--




RE: [ActiveDir] Weird Domain Error

2002-01-24 Thread Bjelke John A Contr AFRL/VSIO

This is the only thing I can find on this issue: Q179483. Hope it helps!

Error Msg: No More Connections Can Be Made At This Time

--
The information in this article applies to:

Microsoft Windows 2000, Professional
Microsoft Windows 2000, Server
Microsoft Windows 2000, Advanced Server
Microsoft Windows 2000, Datacenter Server
Microsoft Windows NT Workstation versions 3.51, 4.0
Microsoft Windows NT Server versions 3.51, 4.0
Microsoft Windows 95

---
SYMPTOMS
If you are using a computer that is running Windows NT or later, you may
receive the following error message: 

No more connections can be made at this remote computer at this time because
there are already as many connections as the computer can accept. 
If you are using a computer that is running Windows 95, you may receive the
following error message: 
This request is not accepted by the network. Try again later. 

CAUSE
You may be attempting to connect to a share that is configured to allow a
specific number of connections, and that number of connections has been
reached. Check the properties on the share on the server. 

RESOLUTION
If the specified number of connections has been reached, increase the user
limit or set the value to maximum allowed. 

MORE INFORMATION
There are several other parameters that you can check when troubleshooting a
problem with limited connections to the computer. 

Verify that the computer is running a retail version of Windows NT or later.
To verify this, check the Licensing tool in Control Panel and make sure that
the following message does not appear: 

Not available in NFR (Not for Resale)/MSDN Edition of Windows NT Server. 
The server may be configured with Per Server licensing and the number of
licenses may be exhausted. A quick check to see if this is the problem would
be turn off the License Logging Service on the computer. 

Check to see if the server was configured by upgrading a computer running
Windows NT Workstation to Windows NT Server. If it was, the following
registry parameter may need to be increased from a hex value of 0xa (10) to
0x: 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\Users

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 24, 2002 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird Domain Error


Anyone know if maybe there is a hotfix to get around this problem?
-Chris

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Thornley, Dave
H
Sent: Thursday, January 24, 2002 12:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Weird Domain Error


Hi,

We had a similar problem some time ago, I can't remember the cause (I'm
sure it wasn't  licensing), but we fixed it by moving the master browser
role to another server. 

The master browser role had been taken by an Exchange server, we moved
it to a domain controller and that fixed the problem. You can check what
computers are holding browser roles with BROWMON from the resource kit.

HTH

dave

 -Original Message-
 From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
 Sent: 23 January 2002 22:03
 To: ActiveDir
 Subject: [ActiveDir] Weird Domain Error
 
 
 I'm having a pretty weird error that I can't seem to figure out. 
 Whenever I have a user go to network neighborhood and then view the 
 entire contents of the network and then they click on the domain they 
 get the message AAII is not accessible - No more connections can be 
 made to this remote computer at this time because there are already as
 many connections as the computer can accept I can do a search for the
 domain controller and connect to it that way but not the other. Now I 
 thought it was a license problem but it appears that I have the 
 required amount of licenses. Anyone know what's wrong?
 
 Thanks
 Chris Hummert
 
 
 Network Administrator - Albany Agency of Insurance
 Webmaster for Noghri.net
 http://www.noghri.net
 MS Beta tester ID #: 388366
 
 Sometimes I think the surest sign that intelligent life
 exists elsewhere
 in the universe is that none of it has tried to contacts us. 
 
 - from Calvin and Hobbes
 
 

RE: [ActiveDir] OT: Data Recovery

2002-01-22 Thread Bjelke John A Contr AFRL/VSIO



Lost&Found is a pretty good recovery tool from PowerQuest software. The time
frame doesn't matter, what matters is subsequent drive activity since the
deletion. If those sectors have been written to, write off the data as a
loss.

John A. Bjelke AFRL\VSIO
Business Support Analyst
UNISYS
Supporting AFRL
Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
=
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam.
Copula eam se non possit acceptare jocularum.

-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2002 8:06 AM
To: Exchange Discussions; '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Data Recovery

Does anyone know of any Data Recovery tools?
To find Data that was deleted off a hard drive less than 24 hours ago?

Joshua Morgan
PROFITLAB
Network Engineer
PH: (864) 250-1350 Ext 133
[EMAIL PROTECTED]

"One is glad to be of service "
--Robin Williams (Bicentennial Man)--


RE: [ActiveDir] OT: Data Recovery

2002-01-22 Thread Bjelke John A Contr AFRL/VSIO

You mean made by Execusoft, who also makes Diskeeper :^)

-Original Message-
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2002 8:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Data Recovery


sorry, I said Diskeeper; I meant Undelete(tm) which is made by
Diskeeper.  Need more coffee.
http://www.diskeeper.com/undelete/undelete.asp

-tom

-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 22, 2002 9:06 AM
To: Exchange Discussions; '[EMAIL PROTECTED]';
[EMAIL PROTECTED]
Subject: [ActiveDir] OT: Data Recovery


Does anyone know of any Data Recovery tools? 
To find Data that was deleted off a hard drive   less than 24 hours ago?

 
  
  
  
Joshua Morgan 
PROFITLAB 
Network Engineer 
PH: (864) 250-1350 Ext 133 
[EMAIL PROTECTED] 
One is glad to be of service  
--Robin Williams (Bicentennial Man)-- 



RE: [ActiveDir] OT: Application monitor/Internet tracking?

2002-01-18 Thread Bjelke John A Contr AFRL/VSIO

There are a number of internet tracking applications out there that will
track the amount of time connected to a given URL. I believe some proxies
can be configured to do this as well. Have fun parsing those logs... I
wouldn't want to do it. Sessionwall from SSi will do this and much much
more... Sessionwall will even capture packet traffic and re-assemble it so
that you can see everything someone does on your network. And I do mean
everything. But it IS cost heavy. Then again, presenting said managers with
a quote for Sessionwall might make them realize that this is something they
don't want to do :^)
   
To absent friends, lost loves, old gods, and the season of mists.
And may each and every one of us always give the Devil his due. -Gaiman

 John A. Bjelke AFRL\VSIO 
 Business Support Analyst 
UNISYS 
 Supporting AFRL 
 Kirtland AFB, NM 
  505.853.6087 
[EMAIL PROTECTED] 





-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 2:00 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Application monitor/Internet tracking?


We have a few users whose managers 'think' they are spending a lot of time
surfing the web. They want to be able to see the amount of time the users are
using IE. Since our proxy only tells them what pages they go to it doesn't
say how long they spent reading that page.

You're right, but the managers are asking for it.

jb

-Original Message-
From: Benjamin Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 3:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Application monitor/Internet tracking?


What are you hoping to accomplish with this?  Find out which people are
being unproductive?  Find out how much company time is being wasted?  Just
curious.  I think you are going to find that what you are wanting to do is
really something that you don't want to do.  If you know what I mean.

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems


-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 18, 2002 3:29 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Application monitor/Internet tracking?


I'm looking for a way to monitor how long IE is open. Software that could
monitor how long a program is the active window would work. 
We are trying to track how much time a user spends using the internet. We
have a proxy setup but that only tells how much data was downloaded and
which pages the user visited. It doesn't tell us how long they spent reading
the page. 
My idea was to find a tool to record how long IE is the active window, this
would give a better idea of internet usage. 
If anyone has any ideas, I would be very grateful. 
Thanks,jb


Jason Benway 
[EMAIL PROTECTED] 
1250 S.Beechtree 
Grand Haven, MI 49417 
616-847-8474
Fax: 616-850-1208 





RE: [ActiveDir] AD Policy Logon Error

2002-01-08 Thread Bjelke John A Contr AFRL/VSIO

I have seen incorrect path statements in the environment settings cause vbs
login scripts to bomb out. Compare the path statements on the ones that work
to the ones that don't. This would especially be indicative if it is a "it
used to work and now it doesn't" situation. Software installs often adjust
the path statement without so much as a "by your leave".

John A. Bjelke AFRL
  Business Support Analyst
   Unisys
  Supporting AFRL 
 Kirtland AFB, NM
   505.853.6087
  [EMAIL PROTECTED]
==

-Original Message-
From: Mike Tonazzi [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 06, 2002 11:17 PM
To: [EMAIL PROTECTED]
Subject: AW: [ActiveDir] AD Policy Logon Error


We are using DHCP. I checked the DNS entries and they are correct.

mike

  -Original Message-
 From:  [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]]  On Behalf Of 
 Jacqui Hurst
 Sent: Saturday, January 5, 2002 12:05
 To:   [EMAIL PROTECTED]
 Subject:  RE: [ActiveDir] AD Policy Logon Error
 
 Have you checked the DNS settings on these workstations are 
 correct.  We had a similar problem when workstations were 
 added without the correct DNS suffix
 
 Jacqui
 
  -Original Message-
 From: Mike Tonazzi 
 [mailto:[EMAIL PROTECTED]]  On Behalf Of Mike Tonazzi
 Sent: 04 January 2002 07:38
 To:   ActiveDir Mailinglist (E-Mail)
 Subject:  AD Policy Logon Error
 
 Hi Guys
 
 Hope you started your 2002 well
 
 I have the following problem:
 
 I have created several group policies related to OU's. In the 
 group policy I have configured to execute a vb logon script 
 when users log on. So far so good.
 Everything worked fine for at least nine months.
 
 But since two weeks or so, some workstations don't execute 
 the logon script any more. If I try to logon with the same 
 user on another workstation it works fine!
 
 Any Idea?
 
 Best Regards,
 Mike



RE: [ActiveDir] Software Deployment:

2001-12-11 Thread Bjelke John A Contr AFRL/VSIO



James,

Unfortunately, the bulk of our experience has been in using SMS to push
patches and updates. I really don't think building a new .msi file is the
way you want to go. Slip-streaming the patches into the original installs
has worked very well for us, and has allowed us to keep an updated version
of office 2K, for example, up on a network share. Installing from this
directory has eliminated the need for users to keep putting their cd's into
the drive every time we patched office for the latest vulnerability, which
was a real pain in the gluteus. Slip-streaming is discussed in depth at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q271791,
and I imagine one could use RIS to deploy it from a 2K server. You should
also be able to set up a policy to force the local machines to run the
windows critical updates on a schedule. As for the restart issues, I would
send out notice to all the department heads saying "This installation is
mandatory. Non-compliance will be reported to upper management" or some such
garbage, and instruct them to leave all systems turned on and connected at a
specific time. Depending on how you push the updates, you should be able to
force a reboot at that time. You should also be able to give users a warning
dialogue box telling them to save all work with a count down to reboot. If
anything is incorrect here, please feel free to shoot me down! Hope this
helps. -John

-Original Message-
From: Blair, James [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 5:13 AM
To: 'ActiveDir ([EMAIL PROTECTED])'
Subject: [ActiveDir] Software Deployment:

All,

I am looking at rolling out security updates and patches etc. for Windows
2000, Office 2000 etc. I was hoping to utilise Intellimirror to do this but
for the life of me can't figure out how to do it correctly. I initially
tried an IE 6 rollout to a testbed using WinInstaller LE to create the *.msi
file, after failing I then tried out SP2 for the OS, also with no luck.
Please could someone out there advise on the best way to do this as third
party products seem to be the go but are generally not cheap. Microsoft says
that it is trying to lower the total cost of ownership but having to keep
investing in third party products is proving quite costly. Also, with the
security updates etc. how the hell do you get *.msi's, *.mst's or *.msp's of
these the only way to get these seems to be through using the Critical
Update Notification...we cannot expect users to do this themselves...One
last issue...is there any way to cut down on the shut down and restarts if I
roll out IE 6 it will take a reboot also SP2 for W2k requires a reboot, then
SR1a for office will as well most likely so will SP2 for Office. It would
take at least a week of logins...and if someone is not in on the deployment
day

I know this is probably basic but if anyone can shed light on this please
advise, I do not at this stage wish to use SMS 2.0.

James


RE: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Bjelke John A Contr AFRL/VSIO

Actually, we have seen similar issues in our mixed mode domain. Sometimes,
it seems that there is a sync problem between pdc and bdc's. Other times, we
have no clue why it is occurring to an individual over and over again. We
have even gone so far as to delete and recreate accounts in AD for users
experiencing repeated lock-outs. The only common thread seems to have been
their accessing exchange through outlook. Users could log in after their
account was unlocked, but later in the day they would be locked out again.
Passwords were not being cached at all, and it was almost always a Win2kPro
box that the user was logging on through. I am uncertain as to the exact
cause(s), but recreating the user object has resolved the issues for users
experiencing this.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode


We have a mixed mode AD (Single forest/single tree/single domain), with
about 20 DCs and 35 BDCs.  Accounts are administered centrally by a very
small group, and they typically connect to the DC that holds the PDC
FSMO to do all administrative tasks. 

Our account lockout policy locks accounts after three bad attempts.
Over the past several months, we've seen a couple strange issues with
account lockouts:
1. Once in awhile, a user will be locked out again and again for no
apparent reason.  For example, they arrive at work, attempt to login,
and are locked out.  The admins unlock the account and the user logs in,
but if you check the account later it is locked out again. If the user
then logs out, they are unable to login because of the lock.  We've seen
this happen to a given user several times over a few days, then
mysteriously disappear.  Some users have a great deal of trouble with
this; most never see it.

2. When an account is locked out, the admin will typically unlock it by
going to the account tab on the user's object in Active Directory Users
and Computers.  In some cases, however, even after doing so the user is
unable to logon.  Since these folks are old-time NT admins, they will
then often open User Manager for Domains and try unlocking the account
from there.  Strangely, they sometimes need to perform the unlock from
BOTH tools before the user is able to logon.  At first, I thought this
was just a timing issue, or that they were looking at the account info
on different servers, but I have seen with my own eyes cases where ADUC
connected to the PDC emulator shows one lockout status, and User Manager
for Domains shows another.

I'm trying to get the admins away from User Manager for Domains
altogether, but they don't trust 'Users and Computers' in this case.
I've tried to explain that the Nt Domain and the Active Directory
Domain are the SAME THING, but they're not buying it when they see a
different view in the two tools.

My questions:
1. Is anybody else having similar lockout problems ?  The Q articles on
the subject don't seem to apply to this scenario.
2. When an admin uses User Manager for Domains, it obviously can make
changes only at the (emulated) PDC.  Does this mean that the lockout
status it displays is the one stored on that server, or is it possible
that it's displaying status read from a BDC ?
3. Has anyone else seen a case where they had to unlock an account using
both tools before the user could login ?
4. Is there any other reason why attributes that are displayable in User
Manager for Domains should NOT be IDENTICAL to the same attributes as
displayed in Active Directory Users and Computers ?  In other words,
does the PDC emulator store this data in a separate SAM that can somehow
be temporarily out of sync with the AD, or is the PDC emulator a
real-time conduit into the AD store ?

Thanks for any ideas...
Dave Fugleberg





RE: [ActiveDir] Time Clock

2001-08-15 Thread Bjelke John A Contr AFRL/VSIO




  ntp2.usno.navy.mil at 192.5.41.209
  tock.usno.navy.mil at 192.5.41.41

John A. Bjelke AFRL\VSIO
Business Support Analyst
UNISYS
Supporting AFRL
Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
===
"Oh, you hate your job? Why didn't you say so? There's a support group
for that. It's called EVERYBODY, and they meet at the bar." - Drew Carey

-Original Message-
From: Joe Baird [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 15, 2001 9:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Time Clock

Could someone give me the address of a sntp time server. I cannot remember
the address to the navy clock i used to use. Thx


RE: [ActiveDir] Time Clock

2001-08-15 Thread Bjelke John A Contr AFRL/VSIO



Here is a page with a pretty up to date list of public primary NTP servers:

http://www.eecis.udel.edu/~mills/ntp/clock1.htm

-Original Message-
From: Joe Baird [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 15, 2001 9:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Time Clock

Could someone give me the address of a sntp time server. I cannot remember
the address to the navy clock i used to use. Thx


RE: [ActiveDir] Domain Controller with GC sizing?

2001-07-24 Thread Bjelke John A Contr AFRL/VSIO

Cindy, here's the link to the sizer tool. 
http://www.microsoft.com/windows2000/downloads/tools/sizer/default.asp

 John A. Bjelke AFRL\VSIO 
 Business Support Analyst
UNISYS
 Supporting AFRL 
 Kirtland AFB, NM
  505.853.6087
[EMAIL PROTECTED]


-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 10:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Domain Controller with GC sizing?


Please tell me where I can obtain this DC sizer? It sounds like it would be
quite useful?
 
-Original Message-
From: Lori Demkovich [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 11:57
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Domain Controller with GC sizing?


Howard, it sounds like you asked for a one box solution.  Did you sketch
your domain and DC topology before using the tool? Your user counts will be
spread across multiple DC/GCs - due to multiple sites.  I haven't yet run
the tool for your users as shown below but if I did, I would not be
surprised at the calculation for one server servicing 4000 accounts.

Lori Demkovich
MCSE, MCP Exchange 5.5
MCP Exchange 2000
Enterprise Architect
Info Systems, Inc.

-Original Message-
From: Sockrider, Howard L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 11:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller with GC sizing?


We have about 3500 PCs and use NT 4 and Exchange 5.5 today.  There are about
4000 accounts with a good number of distribution lists.  The DC sizer tool
from MS indicates I need a quad CPU box with two arrays.  Really?!?  That
could get very expensive depending on the domain model chosen and level of
fault tolerance employed.  

What are the real world hardware guidelines for DCs and GC servers in a
3000-4000 user domain with several sites and Exchange 2k.



-
Howard Sockrider
Methodist Health Care System
Manager - Email, Database, and Access Control

--
