RE: [ActiveDir] printing prb
Probably a bad driver... Download a new one and reinstall the printer. Also, there are some viruses that cause things like this... either macro viruses that replace the Normal.dot to corrupt your office settings, or ones that actually corrupt the printer driver. Rename your normal.dot as the next step. Running an updated virus scan never hurts either. HTH. -JB

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
By all means marry; if you get a good wife, you'll be happy. If you get a bad one, you'll become a philosopher. - Socrates

-Original Message- From: bobo [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 03, 2003 3:46 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] printing prb
hello all I am having a problem printing with my hp office jet network printer. Each time I print Excel or Word I get only blank pages. When I send a test page it is printed successfully. pls help. Thks
RE: [ActiveDir] SP4
Man, I must be havin a ball.

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up." -Thomas Edison

-Original Message- From: Hutchins, Mike [mailto:[EMAIL PROTECTED] Sent: Friday, August 22, 2003 11:35 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SP4
it's mucho funno to be wrong occasionally.. ;-

From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Friday, August 22, 2003 7:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SP4
Eh, no big deal. Look how many times I'm wrong around here. Welcome to the club ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike Sent: Friday, August 22, 2003 7:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SP4
And I hate to admit being wrong, but you are right. :-) When we first patched all our machines, it was only supported on SP3. However, as you stated, it has been regression tested with SP2 and is now supported. Our company would have to sign a waiver with pss to do sp2, but we are sp3 and higher anyways.

From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, August 21, 2003 8:44 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SP4
Mike, I hate to disagree, but the minimum requirement for MS03-026 DCOM Vuln patch is Windows 2000 SP2.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike Sent: Thursday, August 21, 2003 9:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SP4
sp3

From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Thursday, August 21, 2003 8:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] SP4
The patch to stop the MSBlast virus only requires SP2 be installed on the machine.

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED] Sent: Thursday, August 21, 2003 10:28 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] SP4
Has anyone had issues with SP4 on DC's? We are getting hammered by the latest virus.

Don L. Murawski Sr. Network Administrator WorldTravel BTI Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] WOT Unreadable code (was Connection String)
Go to DEC and get one from Gil, along with getting him to buy you a drink :^)

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up." -Thomas Edison

-Original Message- From: Carlos Magalhaes [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 1:44 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Ok, I have plenty of people here I need to irritate (as a pay back for not patching their systems when I told them to) What do I need to do to get a rubber chicken to heheh :D

-Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 20, 2003 9:23 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Excellent. That's what I love about this list. It's the only on-line community I know where you might receive a rubber toy in the post from someone you've never met before. I think I've created a monster. Tony

-- Original Message ------ From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 19 Aug 2003 19:34:43 +0100
Gil, received one screamin rubber chicken... I love it! Great sound. My fellow sysadmins just might slit a throat today. It remains to be seen if it will be mine or the chicken's :^) Thanks again! -JB

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated.

-Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 05, 2003 1:22 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
John, Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken in the mail, so you should get it by the end of the week or so. When you do get it, be sure to give it a good squeeze.
When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name) told me that someone in his office had received one and the noise was driving him crazy. Scratch the chicken off the list of how to win friends and influence people. -gil -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 05, 2003 12:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Gil, I'm not THAT old! Man, next you'll be implying that I built the DARPAnet! (and we all know it was Al Gore who's responsible for that!) *grin* Nah, I just have a fondness for old, dead languages and remembered seeing that one before. I actually had a book mark to a "history of computing" type doc that had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times and budgets being what they are. But I'll take the chicken... sounds like cool geek-schwag :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 05, 2003 12:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on Unisys minis? Or did you just get lucky with Google? :) I'm thinking that your answer deserves a world-famous Official DEC Screaming Yellow Rubber Chicken, whose hideous screech is known to strike fear in the hearts of dogs, cats, and small children. Are you coming to DEC Ottawa? I can give it to you there, along with your free beer. Otherwise, send me your shipping info offlist, and no beer for you. 
-gil -Original Message----- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 05, 2003 10:39 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) prints a table of primes, formatting it into columns. What's my prize :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 05, 2003 9:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Have you ever coded in MUMPS? It doesn't matter who the programmer is; its ALWAYS unreadable. I think MUMPS programmers invented the term "write-only programs".
RE: [ActiveDir] WOT Unreadable code (was Connection String)
Gil, received one screamin rubber chicken... I love it! Great sound. My fellow sysadmins just might slit a throat today. It remains to be seen if it will be mine or the chicken's :^) Thanks again! -JB John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 1:22 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) John, Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken in the mail, so you should get it by the end of the week or so. When you do get it, be sure to give it a good squeeze. When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name) told me that someone in his office had received one and the noise was driving him crazy. Scratch the chicken off the list of how to win friends and influence people. -gil -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 12:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Gil, I'm not THAT old! Man, next you'll be implying that I built the DARPAnet! (and we all know it was Al Gore who's responsible for that!) *grin* Nah, I just have a fondness for old, dead languages and remembered seeing that one before. I actually had a book mark to a history of computing type doc that had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times and budgets being what they are. But I'll take the chicken... sounds like cool geek-schwag :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. 
-Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 12:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on Unisys minis? Or did you just get lucky with Google? :) I'm thinking that your answer deserves a world-famous Official DEC Screaming Yellow Rubber Chicken, whose hideous screech is known to strike fear in the hearts of dogs, cats, and small children. Are you coming to DEC Ottawa? I can give it to you there, along with your free beer. Otherwise, send me your shipping info offlist, and no beer for you. -gil

-Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:39 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
prints a table of primes, formatting it into columns. What's my prize :^)

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated.

-Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's ALWAYS unreadable. I think MUMPS programmers invented the term write-only programs. Typical MUMPS program:

    f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize. -g

Gil Kirkpatrick CTO, NetPro

-Original Message- From: Robbie Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 6:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Connection String
Ha!
It is not the language that makes code unreadable, it is the PROGRAMMER :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String HAHAHAPerl I like to be able to read my code and understand it again in 6 months :) Glenn - Original Message - From: Robbie Allen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 11:14 PM Subject: RE: [ActiveDir] Connection String Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*. Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re
RE: [ActiveDir] LDAP LastLogin for Computers
One way to go about it would be to turn up the auditing and query the event log on the machine for login success/failure events.

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up." -Thomas Edison

-Original Message- From: England, Christopher M [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 8:22 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] LDAP LastLogin for Computers
Greetings all, I am trying to pull LDAP queries on computer accounts and I want to find out the last time someone logged into the machine. "WhenModified" is just the computer account object and "LastLogin" is just for user accounts. Am I out of luck? What I have is this: 400 or so computer accounts in one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) deleted. #1 happens if they have logged in in say the last few months. #2 if not. Any suggestions would be great! Thanks, Chris

- Christopher England Server Administrator MCSA, Server+, Network+, A+ College Information Technology Office Indiana University
RE: [ActiveDir] WOT Unreadable code (was Connection String)
When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name) told me that someone in his office had received one and the noise was driving him crazy. Scratch the chicken off the list of how to win friends and influence people. LOL! That's great Gil! Thanks! John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WOT Unreadable code (was Connection String)
Joe, never forget: Coppula eam se non posit acceptera joccularum (spelling is probably off, but you should get the gist :^) )

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 9:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Wow, I am impressed. I still can't read that code. Would rather get my old Latin text books out and do some light reading there. Good job.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO Sent: Tuesday, August 05, 2003 1:39 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
prints a table of primes, formatting it into columns. What's my prize :^)

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated.

-Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's ALWAYS unreadable. I think MUMPS programmers invented the term write-only programs. Typical MUMPS program:

    f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize. -g

Gil Kirkpatrick CTO, NetPro

-Original Message- From: Robbie Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 6:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Connection String
Ha!
It is not the language that makes code unreadable, it is the PROGRAMMER :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String HAHAHAPerl I like to be able to read my code and understand it again in 6 months :) Glenn - Original Message - From: Robbie Allen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 11:14 PM Subject: RE: [ActiveDir] Connection String Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*. Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String Roger, You should be able to convert the Primary Windows NT Account into a Domain\Username pairI did do it some time ago (yeah, it was Ex 5.5 timeframe too)I'll have a dig around (from memory it was using LookupAccountSID *shudder*) If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code: ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 User principal name format. For example, [EMAIL PROTECTED] *shrug* might be worth a stab. not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD). Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*. G. - Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:42 PM Subject: RE: [ActiveDir] Connection String Cool Might be able to stay away from a compiler for another 3 months... 
I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back as a string octet (I think). The VB examples all included the same contstant defs, so I was thinking it was the same thing I looked at a month or two ago. Now I'm wondering if I can just direct translate using the syntax below... I'll have to try that later... -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. [1] Yeah, I'm still running it -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:36 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String From the online help about NameTranslate, VBScript Example
RE: [ActiveDir] Settign password Expiration date
Dennis, He's not looking to set this through policy, methinks. Erick, try this link for how to do this through script: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi /winnt_account_expiration.asp Watch the word wrap, and good luck!

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
There's nothing new under the sun, but there are lots of old things we don't know. - Ambrose Bierce

-Original Message- From: W2K List [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 11:25 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Settign password Expiration date
Password policies can only be set at the domain level. Dennis Depp

From: Erick Christian [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 1:17 PM To: [EMAIL PROTECTED]
We are rolling our W2k network out, and have successfully migrated from NT4.0. Previously we had set our user account's password to expire at the end of the year. However, going through and enabling each individual account is not an option, as of yet I have not found a way in AD to set the PW expiration date for an entire group. If anyone could shed light on this topic I would greatly appreciate it.

Erick Christian Chesapeake Board of Education
RE: [ActiveDir] WOT Unreadable code (was Connection String)
LOL :^) Ok, it's VERY rough. John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated. -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Friday, August 08, 2003 3:04 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) I would have to get the books out but that seems a little rough in more than spelling but I think I get the drift... LOL. I'll take it as a generic 'them' versus specifically 'her' as indicated by the gender of the pronoun... :o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO Sent: Friday, August 08, 2003 10:21 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Joe, never forget: Coppula eam se non posit acceptera joccularum (spelling is probably off, but you should get the gist :^) ) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 9:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Wow, I am impressed. I still can't read that code. Would rather get my old Latin text books out and do some light reading there. Good job. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO Sent: Tuesday, August 05, 2003 1:39 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) prints a table of primes, formatting it into columns. What's my prize :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated. 
-Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's ALWAYS unreadable. I think MUMPS programmers invented the term write-only programs. Typical MUMPS program:

    f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize. -g

Gil Kirkpatrick CTO, NetPro

-Original Message- From: Robbie Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 6:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Connection String
Ha! It is not the language that makes code unreadable, it is the PROGRAMMER :-)

Robbie Allen http://www.rallenhome.com/

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String
HAHAHAPerl I like to be able to read my code and understand it again in 6 months :) Glenn

- Original Message - From: Robbie Allen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 11:14 PM Subject: RE: [ActiveDir] Connection String
Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*.
Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl!
muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String Roger, You should be able to convert the Primary Windows NT Account into a Domain\Username pairI did do it some time ago (yeah, it was Ex 5.5 timeframe too)I'll have a dig around (from memory it was using LookupAccountSID *shudder*) If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code: ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 User principal name format. For example, [EMAIL PROTECTED] *shrug* might be worth a stab. not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD). Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*. G. - Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:42 PM Subject: RE: [ActiveDir] Connection String Cool Might be able to stay away from a compiler for another 3 months... I know what
RE: [ActiveDir] WOT Unreadable code (was Connection String)
prints a table of primes, formatting it into columns. What's my prize :^)

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated.

-Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's ALWAYS unreadable. I think MUMPS programmers invented the term write-only programs. Typical MUMPS program:

    f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize. -g

Gil Kirkpatrick CTO, NetPro

-Original Message- From: Robbie Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 6:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Connection String
Ha! It is not the language that makes code unreadable, it is the PROGRAMMER :-)

Robbie Allen http://www.rallenhome.com/

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String
HAHAHAPerl I like to be able to read my code and understand it again in 6 months :) Glenn

- Original Message - From: Robbie Allen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 11:14 PM Subject: RE: [ActiveDir] Connection String
Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*.
Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl!
muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String Roger, You should be able to convert the Primary Windows NT Account into a Domain\Username pairI did do it some time ago (yeah, it was Ex 5.5 timeframe too)I'll have a dig around (from memory it was using LookupAccountSID *shudder*) If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code: ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 User principal name format. For example, [EMAIL PROTECTED] *shrug* might be worth a stab. not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD). Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*. G. - Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:42 PM Subject: RE: [ActiveDir] Connection String Cool Might be able to stay away from a compiler for another 3 months... I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back as a string octet (I think). The VB examples all included the same contstant defs, so I was thinking it was the same thing I looked at a month or two ago. Now I'm wondering if I can just direct translate using the syntax below... I'll have to try that later... -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 
[1] Yeah, I'm still running it

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:36 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String
From the online help about NameTranslate, VBScript Example (haven't tried it, but looks like it should work)

    Dim nto
    ' ADSI name-translation constants
    const ADS_NAME_INITTYPE_SERVER = 2
    const ADS_NAME_TYPE_1779 = 1
    const ADS_NAME_TYPE_NT4 = 3

    server = "aDsServer"
    user = "jeffsmith"
    dom = "Fabrikam"
    passwd = "top secret"
    dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"

    ' Plain CreateObject: the name "server" is already a string variable above,
    ' so Server.CreateObject would not resolve to the ASP Server object here.
    Set nto = CreateObject("NameTranslate")
    nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
    ' Feed in the distinguished name, read back DOMAIN\user
    nto.Set ADS_NAME_TYPE_1779, dn
    result = nto.Get(ADS_NAME_TYPE_NT4)

- Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:31 PM Subject: RE: [ActiveDir] Connection String
The only problem
RE: [ActiveDir] WOT Unreadable code (was Connection String)
Gil, I'm not THAT old! Man, next you'll be implying that I built the DARPAnet! (and we all know it was Al Gore who's responsible for that!) *grin* Nah, I just have a fondness for old, dead languages and remembered seeing that one before. I actually had a book mark to a history of computing type doc that had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times and budgets being what they are. But I'll take the chicken... sounds like cool geek-schwag :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 12:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on Unisys minis? Or did you just get lucky with Google? :) I'm thinking that your answer deserves a world-famous Official DEC Screaming Yellow Rubber Chicken, whose hideous screech is known to strike fear in the hearts of dogs, cats, and small children. Are you coming to DEC Ottawa? I can give it to you there, along with your free beer. Otherwise, send me your shipping info offlist, and no beer for you. -gil -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:39 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) prints a table of primes, formatting it into columns. What's my prize :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Have you ever coded in MUMPS? 
It doesn't matter who the programmer is; it's ALWAYS unreadable. I think MUMPS programmers invented the term write-only programs. Typical MUMPS program:

    f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize. -g

Gil Kirkpatrick CTO, NetPro

-Original Message- From: Robbie Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 6:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Connection String
Ha! It is not the language that makes code unreadable, it is the PROGRAMMER :-)

Robbie Allen http://www.rallenhome.com/

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String
HAHAHAPerl I like to be able to read my code and understand it again in 6 months :) Glenn

- Original Message - From: Robbie Allen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 11:14 PM Subject: RE: [ActiveDir] Connection String
Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*.
Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh...Muaahh...MUUAAAHH :-)

Robbie Allen http://www.rallenhome.com/

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String
Roger, You should be able to convert the Primary Windows NT Account into a Domain\Username pairI did do it some time ago (yeah, it was Ex 5.5 timeframe too)I'll have a dig around (from memory it was using LookupAccountSID *shudder*) If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code: ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 User principal name format.
For example, [EMAIL PROTECTED] *shrug* might be worth a stab. not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD). Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*. G. - Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:42 PM Subject: RE: [ActiveDir] Connection String Cool Might be able to stay away from a compiler for another 3 months... I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back
RE: [ActiveDir] WOT Unreadable code (was Connection String)
Actually, if the noise is that bad, maybe he should give one out for each purchase of a competing product :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] Few things are harder to put up with than a good example. - Mark Twain (1835-1910) -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 1:31 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Gil, you should give one out for every Enterprise purchase of Netpro Products. Todd Myrick -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 3:22 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) John, Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken in the mail, so you should get it by the end of the week or so. When you do get it, be sure to give it a good squeeze. When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name) told me that someone in his office had received one and the noise was driving him crazy. Scratch the chicken off the list of how to win friends and influence people. -gil -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 12:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Gil, I'm not THAT old! Man, next you'll be implying that I built the DARPAnet! (and we all know it was Al Gore who's responsible for that!) *grin* Nah, I just have a fondness for old, dead languages and remembered seeing that one before. I actually had a book mark to a history of computing type doc that had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times and budgets being what they are. But I'll take the chicken... sounds like cool geek-schwag :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] Catapultam habeo. 
Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 12:01 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on Unisys minis? Or did you just get lucky with Google? :) I'm thinking that your answer deserves a world-famous Official DEC Screaming Yellow Rubber Chicken, whose hideous screech is known to strike fear in the hearts of dogs, cats, and small children. Are you coming to DEC Ottawa? I can give it to you there, along with your free beer. Otherwise, send me your shipping info offlist, and no beer for you. -gil -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:39 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) prints a table of primes, formatting it into columns. What's my prize :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) Have you ever coded in MUMPS? It doesn't matter who the programmer is; its ALWAYS unreadable. I think MUMPS programmers invented the term write-only programs. Typical MUMPS program: f p=2,3:2 s q=1 x f f=3:2 q:f*fp!'q s q=p#f w:q p,?$x\8+1*8 If anyone can guess what this code does, I'll give them a prize. -g Gil Kirkpatrick CTO, NetPro -Original Message- From: Robbie Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 6:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Connection String Ha! 
It is not the language that makes code unreadable, it is the PROGRAMMER :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String HAHAHAPerl I like to be able to read my code and understand it again in 6 months :) Glenn - Original Message - From: Robbie Allen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 11:14 PM Subject: RE: [ActiveDir] Connection String Come over to the 'Dark Side' with VB.NET.its nice and warm here *looks at the fires of hell*. Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http
[ActiveDir] OT: Tivoli
Thanks Larry! That'll do nicely. As for not furthering the cause, I'm with ya brother. Not my choice, but I can only salute and move on. Eric, thanks as well. I just wish we were using framework 4.1 instead of 3.7. *sigh* John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, you must be using Tivoli. -Me
RE: [ActiveDir] Authentication Problems.
Another possibility is that manual mappings to shared drives were done under an old password, and the system stored that in the registry. Disconnect the network drives and then reconnect. We do our standard mappings in the login script, and strongly discourage manual mappings to resources for this reason. A number of lock-out problems can be traced to this type of issue. A good trick is to have your login script disconnect mappings from a certain drive letter on up, e.g. L through Z. This also gives you a "reserved" range of drive letters for your standard network resources. Hope this helps! John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] "Many of life's failures are people who did not realize how close they were to success when they gave up." -Thomas Edison -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Monday, June 09, 2003 5:30 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Authentication Problems. Looking into my crystal ball. You're using downlevel (i.e. pre-Win2k) clients, and have enabled password complexity requirements. This was done after creating non-complex passwords for the users. Either disable password complexity, or reset their passwords to something meeting complexity requirements, then force them to change the password. I ran into it during my second AD migration. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Juan Ibarra [mailto:[EMAIL PROTECTED] Sent: Friday, June 06, 2003 9:51 PM To: [EMAIL PROTECTED] activedir. org ([EMAIL PROTECTED]) Subject: [ActiveDir] Authentication Problems. Hello to all, I am experiencing the following problem at a client. We forced all employees to change their password, by going to AD users and computers and checking the box "user must change password at next logon" It appeared that everything worked fine until we started noticing that while working at a computer and trying to access a share an error message popped up.
Your password is incorrect and it wouldn't take the new password. We forced a sync with all the DCs and still getting same errors. Please help. Juan
RE: [ActiveDir] bogus DNS entries
Sounds like you have a ghosted adapter that was setup running a private IP address at some point and still exists in the registry. Try this:
1. Click Start, click Run, type cmd.exe, and then press ENTER.
2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
3. Type Start DEVMGMT.MSC, and then press ENTER.
4. Click View, and then click Show Hidden Devices.
5. Expand the Network Adapters tree.
6. Right-click the dimmed network adapter, and then click Uninstall.
John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] If it's as difficult as pulling teeth through an elephants rump, then the approach needs to be reevaluated. -Original Message- From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] Sent: Monday, June 09, 2003 11:12 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] bogus DNS entries Please help. I have 3 servers, in 2 different domains that keep showing up in DNS with both their correct ip address and an entry with ip address 192.168.234.235. I keep deleting these entries, but they keep reappearing. There must be some significance to this ip address. Does anyone have an idea where it may be coming from, or how I can permanently delete the entry. I have DNS running on a W2K server, it is not AD integrated. These servers do have 2 NICs, but the unused NIC has been disabled. Most of my servers have 2 NICs, but the problem is only with these 3. They are all W2K servers. Thanks Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602 Phone: (717)293-7274 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Additional drivers for W2K printing
Mark, I have seen that happen after making security policy changes, specifically Prevent users from installing printer drivers. Are you trying this as yourself, or as the local administrator account? -Original Message- From: Abbiss, Mark [mailto:[EMAIL PROTECTED] Sent: Thursday, April 03, 2003 7:38 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Additional drivers for W2K printing I really hope someone can help me understand !! This is my quandary. I have a W2K server which is to be used as a printer server. We have a mixed client base and so I would like to use the support for installing additional drivers to allow clients to point and print as the documentation calls it. My first attempt was with a HP Laserjet 4000 but the same problem has occurred with numerous other models. The W2K driver is already up and running and prints like a charm. Now I would like to provide the drivers for Win NT and Win 9x clients to use. I downloaded the necessary point and print driver bundle from the HP site, unzipped them and went to install them. I have repeated the procedure now in a 1000 different ways but the additional drivers will not install. I select the HP 4000 under printers, choose to add Additional Drivers, make my selection from the list available (Intel - Windows NT 4.0 or 2000), point the installation to the INF file in the driver directory I just created and then I get an error The printer driver you selected is either not compatible with your current version of windows, or. but it is a driver supplied by HP for Win NT !!! The INF file is not called OEMSETUP.INF but has in this instance the name HP2224p6.INF Do I have to have an OEMSETUP.INF file and if I do why isn't it in the file made available on the HP site ? Please can anyone explain what is going wrong ?!? Any clues, any tips, please !!
Many thanks, Mark Abbiss
RE: [ActiveDir] OT: Identifying laptops on domain
Guido, we have a huge number of desktops with pcmcia card readers installed, so I think that one is unreliable for my purposes. Thanks for the suggestion though! -JB -Original Message- From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 19, 2003 12:47 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain Gil's example is great to show the value of WMI filters for GPOs in Win2k3... Another GPO independent option is to check the registry for the existence of the PCMCIA key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pcmcia you'll likely find this on every laptop, but hardly on any desktops. Not 100% but pretty close. /Guido -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Friday, 7 March 2003 17:34 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain You could also search the local WMI for an object of class Win32_PortableBattery. -gil -Original Message- From: Weston Rogers [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Identifying laptops on domain We use machine naming conventions to distinguish laptops [airport code of city][branch location id][computer role,Workstation,laptop..etc][date built] Also we've got a database with every piece of hardware so we know.. Wes -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 10:32 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain Existing IP scheme is static, and that's not viable to change at this time. -Original Message- From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:16 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain You can do this with segmentation on a DHCP network.
Martial -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Date: Friday, 7 March 2003 16:04 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Identifying laptops on domain Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is most appreciated. John A. Bjelke Systems administrator 505.853.6774 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email. ATTENTION: If you are not the recipient of this message, you are not authorised to copy, forward, distribute, disclose or retain the content of this message. WARNING : If you are not the intended recipient, you are not authorised to copy, disclose, distribute or retain in this e-mail.
[ActiveDir] Anybody see Gil's article?
March issue of Windows .NET magazine has an article by Gil Kirkpatrick on AD Authentication Topology that is definitely worth a read. http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 is the article online. Good stuff Gil! John A. Bjelke Systems administrator Unisys 505.853.6774 [EMAIL PROTECTED]
[ActiveDir] OT: Identifying laptops on domain
Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is most appreciated. John A. Bjelke Systems administrator 505.853.6774 john.bjelke@Unisys.com The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email.
RE: [ActiveDir] OT: Identifying laptops on domain
Existing IP scheme is static, and that's not viable to change at this time. -Original Message- From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:16 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain You can do this with segmentation on a DHCP network. Martial -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Date: Friday, 7 March 2003 16:04 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Identifying laptops on domain Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is most appreciated. John A. Bjelke Systems administrator 505.853.6774 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email. ATTENTION: If you are not the recipient of this message, you are not authorised to copy, forward, distribute, disclose or retain the content of this message. WARNING : If you are not the intended recipient, you are not authorised to copy, disclose, distribute or retain in this e-mail.
RE: [ActiveDir] OT: Identifying laptops on domain
Bill, we are moving to that already, and if I can figure out how to differentiate the chassis type I can write scripts to automate the process instead of relying on attrition or a massive helpdesk effort to rename every pc and laptop. Catch-22. -Original Message- From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:38 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain We employ a standardized machine naming convention whereby a laptop is given the name User-LT and this makes it a very simple process to break them out. R/Bill -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 10:32 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain Existing IP scheme is static, and that's not viable to change at this time. -Original Message- From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:16 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain You can do this with segmentation on a DHCP network. Martial -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Date: Friday, 7 March 2003 16:04 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Identifying laptops on domain Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is most appreciated. John A. Bjelke Systems administrator 505.853.6774 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] The contents of this Email communication are confidential to the addressee.
If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email. ATTENTION: If you are not the recipient of this message, you are not authorised to copy, forward, distribute, disclose or retain the content of this message. WARNING : If you are not the intended recipient, you are not authorised to copy, disclose, distribute or retain in this e-mail.
RE: [ActiveDir] OT: Identifying laptops on domain
Folks, I just found this: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_cpm_btnz.asp (watch the word wrap)

    ' Connect to WMI on the local computer ("." means this machine)
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' ChassisTypes is an array, so echo every value of every enclosure
    Set colChassis = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_SystemEnclosure")
    For Each objChassis in colChassis
        For Each intType in objChassis.ChassisTypes
            Wscript.Echo intType
        Next
    Next

Where chassis type is one of 24 possible values. Seems like this might be the magic bullet, but I definitely need to test. Thanks for the suggestion! Regards, John A. Bjelke -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:41 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain Bill, we are moving to that already, and if I can figure out how to differentiate the chassis type I can write scripts to automate the process instead of relying on attrition or a massive helpdesk effort to rename every pc and laptop. Catch-22. -Original Message- From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:38 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain We employ a standardized machine naming convention whereby a laptop is given the name User-LT and this makes it a very simple process to break them out. R/Bill -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 10:32 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain Existing IP scheme is static, and that's not viable to change at this time. -Original Message- From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:16 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain You can do this with segmentation on a DHCP network.
Martial -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Date: Friday, 7 March 2003 16:04 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Identifying laptops on domain Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations, and we have been unable to find any consistent variable to poll for this determination. Any suggestions or assistance is most appreciated. John A. Bjelke Systems administrator 505.853.6774 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email. ATTENTION: If you are not the recipient of this message, you are not authorised to copy, forward, distribute, disclose or retain the content of this message. WARNING : If you are not the intended recipient, you are not authorised to copy, disclose, distribute or retain in this e-mail.
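The thread above offers two WMI signals for telling laptops from desktops: the Win32_SystemEnclosure chassis type and the presence of a Win32_PortableBattery object. The following is an added example, not code from any poster: it combines both signals and flags conflicting readings for manual review. The function names, the 'Review'/'Unknown' labels and the sample hosts are assumptions made for illustration.

```powershell
# Added example: function names and sample inventory are hypothetical.
# Codes are Win32_SystemEnclosure.ChassisTypes values from the 1-24 list.
$PortableTypes = 8, 9, 10, 11, 14            # Portable, Laptop, Notebook, Hand Held, Sub Notebook
$DesktopTypes  = 3, 4, 5, 6, 7, 13, 15, 24   # Desktop, Low Profile Desktop, Pizza Box, Mini Tower,
                                             # Tower, All in One, Space-Saving, Sealed-Case PC

function Get-FormFactor {
    param(
        [int[]]$ChassisTypes = @(),          # every value reported by every enclosure
        [bool]$HasPortableBattery = $false   # true if any Win32_PortableBattery instance exists
    )
    $portable = @($ChassisTypes | Where-Object { $PortableTypes -contains $_ }).Count -gt 0
    $desktop  = @($ChassisTypes | Where-Object { $DesktopTypes  -contains $_ }).Count -gt 0

    # Contradictory evidence is never guessed at; it goes to a human.
    if ($portable -and $desktop)           { return 'Review' }
    if ($desktop -and $HasPortableBattery) { return 'Review' }
    if ($portable)                         { return 'Laptop' }
    # Docking Station (12) or Other/Unknown (1, 2) chassis: fall back to the battery.
    if ($HasPortableBattery)               { return 'Laptop' }
    if ($desktop)                          { return 'Desktop' }
    return 'Unknown'
}

function Get-LocalFormFactor {
    # Live query of the local machine; ChassisTypes is an array per enclosure.
    $types = @(Get-CimInstance -ClassName Win32_SystemEnclosure |
               ForEach-Object { $_.ChassisTypes })
    $battery = @(Get-CimInstance -ClassName Win32_PortableBattery).Count -gt 0
    Get-FormFactor -ChassisTypes $types -HasPortableBattery $battery
}

# Constructed sample inventory so the classifier can be exercised offline.
$inventory = @(
    [pscustomobject]@{ Name = 'HOST-A'; ChassisTypes = @(3);  Battery = $false }  # plain desktop
    [pscustomobject]@{ Name = 'HOST-B'; ChassisTypes = @(10); Battery = $true  }  # notebook
    [pscustomobject]@{ Name = 'HOST-C'; ChassisTypes = @(12); Battery = $true  }  # docked laptop
    [pscustomobject]@{ Name = 'HOST-D'; ChassisTypes = @(2);  Battery = $false }  # vendor left it Unknown
    [pscustomobject]@{ Name = 'HOST-E'; ChassisTypes = @(3);  Battery = $true  }  # signals disagree
)

$inventory | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        FormFactor = Get-FormFactor -ChassisTypes $_.ChassisTypes -HasPortableBattery $_.Battery
    }
}
```

Hosts that come back as Review or Unknown are the ones to check by hand before any automated rename or policy assignment relies on the result.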
RE: [ActiveDir] Remove the ability to create computer accounts inthe computer container
Greg, if you create an Acct Creation user, and set your script to use those credentials from the webpage, wouldn't that work for you? In this way, you can grant computer acct creation rights to just that user and set the quotas on everyone else to prevent creation of accts through any method other than your script, which is set up to create the acct in the proper container. -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Thursday, February 27, 2003 9:53 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container Ms-DS-machineAccountQuota is an optional attribute of the samDomain class, which is an auxiliary class that is attached to the domainDNS class. -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Thursday, February 27, 2003 7:40 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container The web script authenticates against AD and checks for group membership in the Join Computer to the Domain group. If they are members of the group they are allowed to create the computer account. Their userid is used for the creation of the computer account. This group (Join Computer to the Domain) is allowed to create computer accounts in the appropriate OU and is denied 'create all child objects' in the computer container (which does not prevent them from creating the computer account). Unless I can set the msDS-MachineAccountQuota on the computer container to prevent everyone from creating computer accounts in this container the user would still be able to create a computer account in the computer container by joining the domain using 'My Network Places'. BTW I cannot find the msDS-MachineAccountQuota property using ADSI edit, set to show all properties on any of my user accounts or on the computer container. What object type is the msDS-MachineAccountQuota property available for?
Thanks, Greg Felzer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO Sent: Wednesday, February 26, 2003 3:40 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container Greg, If you restrict it so that no one except the user your web script runs as can create accts and are specifying the container in your script, then they will still be able to create accts, they will just be forced to use your web script to do so. This would achieve your stated goal, wouldn't it? -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 1:33 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container Wouldn't this prevent all users from creating computer accounts? I do not want to prevent them from creating them, just prevent them from creating them in the computers container. Greg Felzer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin Sent: Wednesday, February 26, 2003 11:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container You may want to look into changing the default msDS-MachineAccountQuota. This setting allows any user to create 10 computer accounts by default. You can change this via a script, LDP or ADSI edit. If you change the default value to 0 then your delegation model will probably work but the default behavior will be changed. It may work... Kevin -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container Hello, Maybe the collective minds here can come up with something.
I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) base upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain. The problem I am having is that some of the user that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification.ect to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to. My solution (that does not work) was to remove all rights (including System rights) to the computer
RE: [ActiveDir] Remove the ability to create computer accounts in the computer container
Greg, If you restrict it so that no one except the user your web script runs as can create accts and are specifying the container in your script, then they will still be able to create accts, they will just be forced to use your web script to do so. This would achieve your stated goal, wouldn't it?

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

Wouldn't this prevent all users from creating computer accounts? I do not want to prevent them from creating them, just prevent them from creating them in the computers container.

Greg Felzer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin
Sent: Wednesday, February 26, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container

You may want to look into changing the default msDS-MachineAccountQuota. This setting allows any user to create 10 computer accounts by default. You can change this via a script, LDP or ADSI edit. If you change the default value to 0 then your delegation model will probably work but the default behavior will be changed. It may work...

Kevin

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container

Hello, Maybe the collective minds here can come up with something.

I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) based upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain.

The problem I am having is that some of the users that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification, etc. to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to.

My solution (that does not work) was to remove all rights (including System rights) to the computer container. I figured without rights they would not be able to create the computer accounts. This did not work so I denied the ability to create all child objects for the Join computers group in the Computers Container. This did not work so I denied the right for Everyone. Also did not work.

Any ideas on how to prevent all users from creating computer objects in the computers container?

Thanks
Greg

Greg Felzer MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
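An added example for the thread above (not code from any poster): a PowerShell audit that reads the quota from the domain object, where Gil Kirkpatrick's reply says the attribute lives, and lists computer accounts sitting directly in the default Computers container together with who created them. It assumes the ActiveDirectory module from RSAT, which postdates this thread, and it relies on the mS-DS-CreatorSID attribute, which the thread does not mention and which AD fills in when an account is created under the quota.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) and read access to the domain.
# Everything is read-only except the last command, which only previews (-WhatIf).
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The quota is an attribute of the domain head object, not of users or of CN=Computers.
$head = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
'{0}: ms-DS-MachineAccountQuota = {1}' -f $domain.DNSRoot, $head.'ms-DS-MachineAccountQuota'

# 2. Computer accounts created directly in the default container (not in an OU).
$strays = Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer `
    -SearchScope OneLevel -Properties whenCreated, 'mS-DS-CreatorSID'

$report = foreach ($c in $strays) {
    $sid = $c.'mS-DS-CreatorSID'
    $creator = if ($null -eq $sid) {
        '(not recorded)'            # e.g. created by an administrator or a delegated ACL
    } else {
        # Resolve the SID to DOMAIN\user; fall back to the raw SID for deleted accounts.
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }
    [pscustomobject]@{
        Name        = $c.Name
        WhenCreated = $c.whenCreated
        CreatedBy   = $creator
    }
}
$report | Sort-Object WhenCreated | Format-Table -AutoSize

# 3. Preview of the change suggested in the thread (quota 0). Remove -WhatIf to apply,
#    after confirming the web script's account has explicit create rights on the target OU.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

The CreatedBy column gives the owner of each stray account, which is the department information missing when a machine is joined outside the web page.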
RE: [ActiveDir] Policy Inheritance
If certain OU's need to not get the domain policies pushed down upon them, you would want to block inheritance. Perhaps your domain policies aren't as strict as the Finance folks want their security to be. Put them in their own OU and block inheritance, then set up a policy on that OU specifically. Or, maybe your web-heads want less stringent policies for their folks. Force them to move those machines to a dev network... er... I mean block inheritance and create a policy for their OU ;^)

-----Original Message-----
From: John Balos [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 11:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Policy Inheritance

Can someone please explain to me when I would want to use 'block policy inheritance' and why or why not I would want to use this option?

Thanks,
John
RE: [ActiveDir] Single user problem in AD
Rob, Does this same behavior exhibit if she logs on to another system? Does it exhibit if you log on to her system as yourself?

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Single user problem in AD

I have a user in AD that can not run batch files, nor task manager on any windows 2000 machines in our domain. What is weird is this user is located with other users in AD and they do not have this problem. It suddenly just started for this user within the last week. The batch files are located on her desktop as a shortcut. Any ideas on why just one user would have this problem?

Thanks
Rob Freeman
Fleetone
RE: [ActiveDir] Single user problem in AD
Rob, in your GPO, you can specify Disable Task Manager under Logon/Logoff. Check what GPO's she is getting for this option. There is also an option of Don't run specified Windows applications that could have been set for .bat, .exe, .msi, etc to prevent restricted users installing or running anything. I assume you have checked her GPO results on her system with GPResult.exe?

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single user problem in AD

Yes, it exists on different machines that she logs onto within the domain. Yes, if I log into her machine, I can run the task manager and the batch file.

----- Original Message -----
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 10:20 AM
Subject: RE: [ActiveDir] Single user problem in AD

Rob, Does this same behavior exhibit if she logs on to another system? Does it exhibit if you log on to her system as yourself?

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Single user problem in AD

I have a user in AD that can not run batch files, nor task manager on any windows 2000 machines in our domain. What is weird is this user is located with other users in AD and they do not have this problem. It suddenly just started for this user within the last week. The batch files are located on her desktop as a shortcut. Any ideas on why just one user would have this problem?

Thanks
Rob Freeman
Fleetone
RE: [ActiveDir] Determining when a user account was disabled.
Clyde, Can you parse security logs on the DC's for Event ID: 629 Type: Success Audit Description: User Account Disabled?

-----Original Message-----
From: Burns, Clyde [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Determining when a user account was disabled.

I'm trying to generate a report of disabled accounts that were disabled X number of days ago. Getting a report of which accounts are disabled was fairly straightforward* but I cannot find anything that will tell me when the account WAS disabled. I was wondering if anyone could tell me if such information is stored in AD or how to approximate the date. Right now I'm thinking of pulling the last logon times from the domain controllers to ballpark the amount of time the accounts could have been disabled but that's a stopgap at best. Any tips or pointers would be greatly appreciated.

Clyde Burns

* VB6 code to generate report

    ' Bind to the Users container of the current domain
    Set rootDSE = GetObject("LDAP://RootDSE")
    Set Ou = GetObject("LDAP://" & "CN=Users," & _
        rootDSE.Get("defaultNamingContext"))
    ' Enumerate user objects only
    Ou.Filter = Array("user")
    For Each Child In Ou
        ' One quoted, comma-separated line per account
        Debug.Print _
            Chr(34) & Child.sAMAccountName & Chr(34) & Chr(44) & _
            Chr(34) & Child.DisplayName & Chr(34) & Chr(44) & _
            Chr(34) & Child.AccountDisabled & Chr(34)
    Next
RE: [ActiveDir] Single user problem in AD
Yup. Network Management Tools.

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single user problem in AD

I checked these policies on the DC's and I did not see anything set for the user. Is GPResults.exe on the Resource kit?

Thanks
Rob

----- Original Message -----
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 11:12 AM
Subject: RE: [ActiveDir] Single user problem in AD

Rob, in your GPO, you can specify Disable Task Manager under Logon/Logoff. Check what GPO's she is getting for this option. There is also an option of Don't run specified Windows applications that could have been set for .bat, .exe, .msi, etc to prevent restricted users installing or running anything. I assume you have checked her GPO results on her system with GPResult.exe?

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single user problem in AD

Yes, it exists on different machines that she logs onto within the domain. Yes, if I log into her machine, I can run the task manager and the batch file.

----- Original Message -----
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 10:20 AM
Subject: RE: [ActiveDir] Single user problem in AD

Rob, Does this same behavior exhibit if she logs on to another system? Does it exhibit if you log on to her system as yourself?

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Single user problem in AD

I have a user in AD that can not run batch files, nor task manager on any windows 2000 machines in our domain. What is weird is this user is located with other users in AD and they do not have this problem. It suddenly just started for this user within the last week. The batch files are located on her desktop as a shortcut. Any ideas on why just one user would have this problem?

Thanks
Rob Freeman
Fleetone
RE: [ActiveDir] Single user problem in AD
Rob, Another suggestion for troubleshooting this one, if you have the time to spend on it: clone this user's account and play with the security settings, profiles, etc until you figure out which setting is causing the issues. Or create a test user from scratch and add each group membership the original user has one at a time until it breaks... then look at the policies for that group.

Failing that, I would look at the option of re-creating the user acct. It is possible some SID mismatch or some such bizarre thing is hosing this one user and she is not getting the proper permissions and policies. Are you using roaming profiles? Is it possible that something in her profile is toasty?

Hope this helps!

John A. Bjelke
UNISYS

The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or its subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email.

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single user problem in AD

Yes, it exists on different machines that she logs onto within the domain. Yes, if I log into her machine, I can run the task manager and the batch file.

----- Original Message -----
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 10:20 AM
Subject: RE: [ActiveDir] Single user problem in AD

Rob, Does this same behavior exhibit if she logs on to another system? Does it exhibit if you log on to her system as yourself?

-----Original Message-----
From: Rob Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Single user problem in AD

I have a user in AD that can not run batch files, nor task manager on any windows 2000 machines in our domain. What is weird is this user is located with other users in AD and they do not have this problem. It suddenly just started for this user within the last week. The batch files are located on her desktop as a shortcut. Any ideas on why just one user would have this problem?

Thanks
Rob Freeman
Fleetone
RE: [ActiveDir] Determining when a user account was disabled.
Well, I don't see a more efficient way to estimate it than what you are considering already then, unless one of the directory gods know of a place that that information is stored I am unaware of. You might consider using an event log monitoring software to notify you by email (and dump that to a folder or pst) of 629's so that you have an easy tracking methodology for future use. Good luck Clyde!

-----Original Message-----
From: Burns, Clyde [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Determining when a user account was disabled.

Unfortunately the event logs don't go back that far. And something else is touching the accounts and updating the whenchanged value.

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Determining when a user account was disabled.

Clyde, Can you parse security logs on the DC's for Event ID: 629 Type: Success Audit Description: User Account Disabled?

-----Original Message-----
From: David Rudolph [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 1:11 PM
To: Burns, Clyde
Subject: RE: [ActiveDir] Determining when a user account was disabled.

Have you tried the whenChanged attribute?

-----Original Message-----
From: Burns, Clyde [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Determining when a user account was disabled.

I'm trying to generate a report of disabled accounts that were disabled X number of days ago. Getting a report of which accounts are disabled was fairly straightforward* but I cannot find anything that will tell me when the account WAS disabled. I was wondering if anyone could tell me if such information is stored in AD or how to approximate the date. Right now I'm thinking of pulling the last logon times from the domain controllers to ballpark the amount of time the accounts could have been disabled but that's a stopgap at best. Any tips or pointers would be greatly appreciated.

Clyde Burns

* VB6 code to generate report

    ' Bind to the Users container of the current domain
    Set rootDSE = GetObject("LDAP://RootDSE")
    Set Ou = GetObject("LDAP://" & "CN=Users," & _
        rootDSE.Get("defaultNamingContext"))
    ' Enumerate user objects only
    Ou.Filter = Array("user")
    For Each Child In Ou
        ' One quoted, comma-separated line per account
        Debug.Print _
            Chr(34) & Child.sAMAccountName & Chr(34) & Chr(44) & _
            Chr(34) & Child.DisplayName & Chr(34) & Chr(44) & _
            Chr(34) & Child.AccountDisabled & Chr(34)
    Next

Anadarko Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited.
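An added example for the two replies in this thread that point at the security log (not code from any poster): a PowerShell collector that copies "user account disabled" audit events from every domain controller into a CSV before the logs roll over, then reports accounts disabled more than a chosen number of days ago. It assumes Windows Server 2008 or later DCs, where this event carries ID 4725 (629, quoted in the thread, is the Windows 2000/2003 number), the ActiveDirectory module, and a hypothetical archive path.

```powershell
# Added example. Assumptions: DCs log the event as 4725, the ActiveDirectory module is
# installed, and the caller may read the Security log on each DC.
Import-Module ActiveDirectory

$archive   = 'C:\Reports\account-disabled.csv'   # hypothetical path; the folder must exist
$lookback  = (Get-Date).AddDays(-1)              # intended to run daily as a scheduled task
$olderThan = 30                                  # the "disabled X days ago" threshold

# The event is written only on the DC that processed the change, so query every DC.
$new = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4725; StartTime = $lookback }
    } catch {
        # "No matching events" is normal; anything else (access denied, DC down) is a gap.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Read the named EventData fields instead of relying on positional indexes.
        $f = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            DisabledAt = $e.TimeCreated.ToString('s')   # sortable timestamp
            Account    = $f['TargetUserName']
            Domain     = $f['TargetDomainName']
            DisabledBy = $f['SubjectUserName']
            SourceDC   = $dc.HostName
        }
    }
}
if ($new) { $new | Export-Csv -Path $archive -Append -NoTypeInformation }

# Report: latest disable event per account, older than the threshold, still disabled now.
if (Test-Path $archive) {
    $cutoff        = (Get-Date).AddDays(-$olderThan)
    $stillDisabled = Get-ADUser -Filter 'Enabled -eq $false' |
        Select-Object -ExpandProperty SamAccountName
    Import-Csv $archive |
        Group-Object Account |
        ForEach-Object { $_.Group | Sort-Object DisabledAt | Select-Object -Last 1 } |
        Where-Object { [datetime]$_.DisabledAt -le $cutoff -and $stillDisabled -contains $_.Account } |
        Sort-Object DisabledAt |
        Format-Table DisabledAt, Account, DisabledBy, SourceDC -AutoSize
}
```

Overlapping collection runs can write the same event twice; the report keeps only the latest row per account, so duplicates do not change the result.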
RE: [ActiveDir] Expiring passwords?
Mike, Now, this piques my interest. Can you elaborate on how RestrictAnonymous of 2 would affect changing of passwords?

John A. Bjelke
Unisys
[EMAIL PROTECTED]

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Expiring passwords?

The inability to change their passwords might be caused by HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous value being set to 2. How is yours set?

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Expiring passwords?

Roger- can you elaborate ? If a domain does NOT have the complex password filter enabled, and then chooses to enable it, are you saying the users with existing non-complex passwords are unable to change them ? Is that behaviour XP-specific, or does it affect Win2K or NT4 clients ? Any published references are appreciated !! (In case it's not obvious, I've been asked to do this very thing...)

Dave

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 8:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Expiring passwords?

Reset them manually - you've probably got the password complexity turned on, and if the original password isn't complex, they can't change it.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Weston Rogers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 9:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Expiring passwords?

Win2k sp3 2 DC's in mixed mode, win2k pro clients. Most clients when instructed to change their password after it has expired, it won't let them. The errors it gives are sporadic and usually different. Any quick hints?

Wes
RE: [ActiveDir] Group membership
Can you use Group.vbs from the Resource Kit? You can use the /S to specify remote servers, and perhaps you could wrap this in another script to loop through all of your servers.

-----Original Message-----
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 12:05 PM
To: Active Directory Mailing List
Subject: [ActiveDir] Group membership

I need to enumerate group membership of all groups in our domain and the computer local groups on our servers. I've got a couple of tools that will do that, but they require that I log into each machine to grab the membership list. As we have a large number of servers I'd like to avoid having to do this. Does anyone know of any freeware or relatively inexpensive shareware tool that can enumerate both Domain group membership and local computer group membership?

Brad Martin
Go Daddy Software, Inc.
480.505.8800 ext. 250
[EMAIL PROTECTED]
http://www.godaddy.com
RE: [ActiveDir] Group membership
Or perhaps the "Global Groups" from res kit?

Displays members of global groups on remote servers or domains.

GLOBAL group_name domain_name | \\server

  group_name   The name of the global group to list the members of.
  domain_name  The name of a network domain.
  \\server     The name of a network server.

Examples:
  Global "Domain Users" EastCoast
      Displays the members of the group 'Domain Users' in the EastCoast domain.
  Global PrintUsers \\BLACKCAT
      Displays the members of the group PrintUsers on server BLACKCAT.

Notes:
  Names that include space characters must be enclosed in double quotes.
  To list members of local groups use Local.Exe.
  To get the Server name for a give Domain use GetDC.Exe.

-----Original Message-----
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 12:05 PM
To: Active Directory Mailing List
Subject: [ActiveDir] Group membership

I need to enumerate group membership of all groups in our domain and the computer local groups on our servers. I've got a couple of tools that will do that, but they require that I log into each machine to grab the membership list. As we have a large number of servers I'd like to avoid having to do this. Does anyone know of any freeware or relatively inexpensive shareware tool that can enumerate both Domain group membership and local computer group membership?

Brad Martin
Go Daddy Software, Inc.
480.505.8800 ext. 250
[EMAIL PROTECTED]
http://www.godaddy.com
RE: [ActiveDir] Decrypt Files from a no longer existing domain
One possible solution would be to disconnect the network cable and try logging on as the user who encrypted them, assuming that there are credentials cached on the machine.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Decrypt Files from a no longer existing domain

How they were encrypted - accidental or not - has no bearing. They're gone.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Decrypt Files from a no longer existing domain

I should mention that these files were encrypted by accident by the user by checking the box encrypt contents while looking at the properties of the folder. Where could I get the DRA from if the domain doesn't exist, restore the domain on a workstations?

-----Original Message-----
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Decrypt Files from a no longer existing domain

If you can't find the cert that encrypted them or the cert for the Data Recovery Agent (DRA) (usually the domain admin) you are out of luck. The key to open the data is stored in the headers of the file and it is locked up with the private key for the user who encrypted it and the private key for the DRA. The data is encrypted symmetrically. You may find those keys exist somewhere even though the domain doesn't exist anymore. You should be able to recover with them.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 11:33 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Decrypt Files from a no longer existing domain

How can I decrypt some files that I did not know were encrypted when I decommissioned the last DC in that old domain. I have tried restoring them to a FAT Partition and I can open them but there is no data in them. Any help would be appreciated

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Question
Jimmy, great link. I hadn't seen this. Thanks!

-----Original Message-----
From: Jimmy Andersson [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question

See the License Availability Roadmap at: http://www.microsoft.com/windows/lifecycle.mspx

Regards,
/Jimmy

--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
www.qadvice.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, January 31, 2003 7:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Question
Importance: High

I have a tech working here today and he mentioned to me that he heard that MS will no longer be selling Windows 2000 Professional as of April 2003. Has anyone else heard this?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] VNC and Terminal Services
Title: Message John, FWIW,I have heard froma few "white hats" that VNC is easy to hack because it stores passwords in known encryption algorythms in the regsitry. http://online.securityfocus.com/bid/854/discussion and http://www.kb.cert.org/vuls/id/197477show some more detail on this. I have no idea if this is all current versions, specific versions, or what. HTH. John A. Bjelke UNISYS Systems administrator Supporting AFRL Kirtland AFB 505.853.6774 [EMAIL PROTECTED] -Original Message-From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 21, 2003 9:10 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] VNC and Terminal ServicesDoes anyone know of any big security issues with Ultra VNC or any other VNC products. Ultra VNC looks like a good product. We currently use PCAnywhere 10.5 and it is not cheap. I am trying to find ways to save my org some software costs. Thanks John Hicks | KEMET Electronics Corporation | Network EngineerPhone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: ipaq1978[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ] "Rick Kingslan" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/21/2003 03:13 PM Please respond to[EMAIL PROTECTED] To [EMAIL PROTECTED] cc Subject RE: [ActiveDir] VNC and Terminal Services True. But, Dell sure seems to as an integral piece of their server managementand DRAC offerings - and yes, on Windows 2000.FWIW...Rick Kingslan MCSE, MCSA, MCTMicrosoft MVP - Active DirectoryAssociate ExpertExpert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Lloyd Sent: Tuesday, January 21, 2003 10:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] VNC and Terminal Services MS does not support it! If that is a concern. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Prajapati, Ashok (London) Sent: 21 January 2003 16:39 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] VNC and Terminal Services Aren't there a lot of issues with installing vnc onto any type of win 2k server? -- -- -- -- --- For very important information relating to this e-mail please click on this link: http://www.ml.com/legal_info.htm -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: 21 January 2003 16:27 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] VNC and Terminal Services right -Original Message- From: Granatella Adam J [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 21, 2003 9:50 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] VNC and Terminal Services You are going to try this in a test environment before putting it on your production servers, right? I mean, you wouldn't try something you've never done before on your production boxes based on the words from a mailing list, right? -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 21, 2003 8:38 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] VNC and Terminal Services No I just wanted to be sure that there would be no problems when I go to load that on a server running terminal Services -Original Message- From: John B [mailto:[EMAIL PROTECTED]] Sent: Friday, January 17, 2003 5:33 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] VNC and Terminal Services No problems here. What type problems are you having...error messages? --- "Salandra, Justin A." [EMAIL PROTECTED] wrote: Has anyone come across a problem with running VNC Server and Terminal Server on the same box at the same time? Justin A. 
Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ADSI and RAS
Their Mini-Remote Control program is pretty handy as well.

-Original Message-
From: Weston Rogers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 7:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADSI and RAS

woh, dameware is pretty sweet.

-Original Message-
From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 2:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADSI and RAS

Go to www.dameware.com and get the 30 day trial of the Dameware Utilities Exporter - it'll let you get this info and a whole lot more then buy a copy because it's a superb suite of tools for NT4.0 management, I've not tried it on AD yet - but it works for managing Win2K boxes as well... Just my $0.02

Regards, Jack

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]]
Sent: 15 January 2003 06:20
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] ADSI and RAS

Hi all, Just wondering if any of you have done this and would be so kind to forward it to me before I go and re code it, I need to run a report against my Windows NT4 domain (PDC or BDC) and retrieve all the users that have RAS options i.e. they are allowed to dial in.

Regards, Carlos Magalhaes
RE: [ActiveDir] User's Account Locked out Every morning
Manual drive mappings with old passwords..

-Original Message-
From: John F. Hann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 8:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User's Account Locked out Every morning

Logged in another PC under an old password

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Felker
Sent: Wednesday, January 15, 2003 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User's Account Locked out Every morning

Every morning I have to unlock one of my user's accounts because it is locked out every morning. Does anyone know what could be causing this?

Thanks
Kevin
RE: [ActiveDir] Protocols Required
Greg is correct... If the mail store that the outlook profile is pointing to no longer exists or is no longer contactable by the client, outlook will never get repointed to the new location. In this case, you would have to manually repoint the outlook profile to the new mail store to resolve the mailbox. This of course assumes that the client can resolve the new store correctly, so if you are having issues with this check dns, wins, etc. Good luck! -Original Message- From: Carey, Greg [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 7:34 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Protocols Required With the caveat that the old mail store remains up until the client connects. -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 9:28 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Protocols Required When you move a mailbox to another server, Outlook will automatically change the server defined in the local profile. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 9:25 AM To: [EMAIL PROTECTED] Subject:RE: [ActiveDir] Protocols Required Justin, I'm not sure what you mean by 'reconfiguring the server in the local profile'? The requirement *is* to communicate over port 135. Outlook cannot just arbitrarilly decide to communicate over another port to support this - hence it cannot automatically reconfigure itself. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A. Sent: Thursday, January 09, 2003 8:00 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Protocols Required What would prevent Mapi Outlook clients from automatically reconfiguring the server in the local profile? Justin A. 
Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED] -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 9:01 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Protocols Required No. Something needs to point it to the correct ports. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 3:26 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Protocols Required Would Outlook 2000 still function if port 135 is bocked? Meaning that the user can still use outlook for outlook will never automatically reconfigure itself? -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 3:25 PM To: '[EMAIL PROTECTED]' Subject:RE: [ActiveDir] Protocols Required Needs RPC end point mapper (135) and then the ports for DS and IS. Seeing as those default to being randomly assigned, you're in trouble. Read the FAQ on how to assign static ports to the services. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 3:18 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Protocols Required Sorry, I need to know about outlook 2000 and exchange 5.5 communications -Original Message- From: Weston Rogers [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Protocols Required Maybe this will help? http://support.microsoft.com/default.aspx?scid=kb;en-us;278339 -Original Message- From: Salandra, Justin A. 
[mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 2:49 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Protocols Required Importance: High Hello everyone, I really need some help on this subject. Does everyone here know that when you move a mailbox in exchange to another mailbox in the same organization the outlook 2000 client automatically reconfigures the mail server setting on the profile to allow the client to contact the correct mail server where that mailbox now resides. My question is what are the protocols needed by the client in order for that to occur and the ports associated with them. I believe it is NetBIOS Broadcast calls and RPC but I am not sure. Also what protocols
RE: [ActiveDir] file jdbgmgr.exe
Title: Message Java debug manager/registrar. Little teddy bear icon, right? http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993 -Original Message-From: bobo [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 5:22 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] file jdbgmgr.exe I see file jdbgmgr.exe on my \\winnt\system32. I don't what this is. do somebody knows it. It should be a java file but what it does. Pls help. Thks - Original Message - From: Van Donk, Fred To: [EMAIL PROTECTED] Sent: Tuesday, January 07, 2003 3:24 PM Subject: RE: [ActiveDir] AD Lab Agreed -Original Message-From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 07, 2003 10:21 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] AD Lab Right - - but if you have more than one DC I recommend making one of the ones without FSMO roles the GC -Original Message-From: Van Donk, Fred [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 07, 2003 9:22 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] AD Lab When you have one domain there is not really a need for multiple GC's. Every DC already has a full copy of the AD. GC's play a more important role when you have a forest with multiple domains in it. But there needs to be at least one GC in the forest. Even with one domain. Fred -Original Message-From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 07, 2003 8:35 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] AD Lab If you only have one DC in each site - -- yer pretty much tied to doing that. If you have the resources I'd through a second DC in each site - - make that your GC. Jus my 2 cents -Original Message-From: Pelle, Joe [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 07, 2003 8:17 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] AD Lab If we have one domain - but multiple sites - would it be a best practice to put a global catalog on the domain controller(s) at each site? KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;313994 Thanks! 
Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print Media Solutions
35955 Schoolcraft Rd. Livonia, MI 48150
Tel 734.632.3753 Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/
This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.

-Original Message-
From: Rene Chakraborty [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 8:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Lab

Got to make that BDC a Global Catalog Server before you move it over. Sites and Services

Rene

- Original Message -
From: Don Murawski (Lenox)
To: [EMAIL PROTECTED]
Sent: Monday, January 06, 2003 3:08 PM
Subject: [ActiveDir] AD Lab

Has anyone set up an AD Lab and had Global Catalog problems? I installed a BDC on the production network, disconnect it from the production and connected it to the lab network. Seize the FSMO roles. I'm able to join the domain but, I'm receiving "Unable to establish connection with a GC." Any suggestion would be great.
RE: [ActiveDir] recovering a computer
We have used the Winternals Linux-based pwd recovery disks with much success. Another alternative, but one of last resort IMHO, is to boot to either a *nix cd or diskette with NTFS support (there are numerous *nix distros out there that can be burned to cd and booted to for forensics and other disaster scenarios) or DOS and run some tool, such as NTFS-DOS Pro, which will allow you to mount the file system and simply delete the SAM file. Reboot, and a new SAM is created automatically with a blank admin pwd. Login as admin with blank pwd and start recreating any local accts and resetting the perms. Again, this is a last-ditch effort to get it back up and running, and I have never had to use this on Exchange and do not know the possible gotchas here. Hope this helps! -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 31, 2002 7:35 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] recovering a computer Now that I know that this is an Exchange box - I even more emphasize the value of doing it the easy and safe way. ERD Commander form www.winternals.com is the best way to accomplish what you need, Don. Good Luck! Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Purviance, Chad Sent: Tuesday, December 31, 2002 7:49 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] recovering a computer Personally since this is an Exchange server, I would spend the $400 and get the ERD commander CD. This is much more the PW recovery, it is a full XP OS off of a CD. Very Very useful. A cheaper solution would be the www.lostpasswords.com recovery for $200 but it is PW only and takes a bit more setup. This is an Exchange server!! Buy ERD Run ERD and reset Password Login locally and join to domain Reboot. Any other method with Exchange and I promise you ... 
you will remember fondly the moment when you could have just reset the password. :-) Chad Purviance Prinicipal Consultant Broadwing IT Consulting -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 31, 2002 6:57 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] recovering a computer Seems like ERD Commander is the better choice in this case. There's also a free Linux bootdisk out on the net that can do the same thing. In either case, you're really talking about telling someone to boot off a floppy, and walk through a few quick steps and you can change the admin password without much effort. Of course, this also goes to show why physical security is so important - if people can physically get to your servers, you can't stop them. Roger -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Monday, December 30, 2002 10:31 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] recovering a computer The computer was deleted from the an OU. Now the local administrator password was and is lost. My question is? Can I do a restore of that OU to recover the computer account. The server is a remote location. So, restoring the administrator password will be tough. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Monday, December 30, 2002 10:24 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] recovering a computer Ahhh..OK - different issue. If the administrator password was lost on a system, recovering the computer object is not going to help. Using a tool like ERD from Winternals at www.winternals.com would be a reasonable solution. Or, are we talking about the administrator password in AD? If so, pwdump and L0phtCrack has been used successfully in this case - given the right conditions. 
Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Murawski (Lenox) Sent: Monday, December 30, 2002 8:50 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] recovering a computer the administrator password was lost -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Monday, December 30, 2002 9:46 PM To: [EMAIL PROTECTED]
RE: [ActiveDir] Reverting to Basic Disk
Thom, I've never heard of such a tool, but if one does exist it will probably not save you time in this scenario... you will still have to back up this large amount of data prior to using any disk editor tool that purports to do this or risk losing it entirely. I would strongly suggest going with the method you already know works and reduces risk of data loss. Just my 2c worth. Good luck, and Happy new Gregorian calendar!

-Original Message-
From: Barber, Thomas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 31, 2002 7:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Reverting to Basic Disk

A quick question - anyone know of a utility that will revert a Dynamic Disk to a Basic Disk without removing the volume (and thus the data)? Everywhere I've looked everyone says the same thing: backup the data, remove the volume, revert to Basic, then restore the data. Because the disk needing reverting contains a large amount of data, I don't look forward to the amount of time this is going to take.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Hardening Active Directory
Really? Do they have a ritual for server cleansing and consecration? Maybe a psalm to ward off PHB's? :^)

-Original Message-
From: Leney, Justin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 9:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory

http://www.nsa.gov/snac/win2k/download.htm -- Guides for AD, DNS, Group Policies, File System. I use these guides religiously.

-Original Message-
From: Hazelman, Doug [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hardening Active Directory

There's some good tips here. Make sure the AD servers on the NET are in a separate forest. http://www.aelita.com/ADSecurity

-doug

-Original Message-
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:11 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory

Anyone have any good links with tips on securing Active Directory? I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.

Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
RE: [ActiveDir] Gathering Computer Account Info via script
Chris, you may want to create an ldap query in your vb script to whatever container you are trying to enumerate and run through each object in that container, write that to a csv (or text, whatever you need), and then move on to the next container. Nested for loops would probably be the best thing. Something like AdsPath=LDAP://dc name/ou=lowest level of container,ou=container,ou=container,dc=etc,dc=etc, etc for your entire FQDN; Then do a foreach adsobj to return whatever values you are looking for. The properties you can pull and some tips on how to get the data can be found here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/ad/win2k3_entry_attributes_all.asp Hope this helps!

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
The more corrupt the state, the more numerous the laws. - Cornelius Tacitus

-Original Message-
From: England, Christopher M [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 7:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Gathering Computer Account Info via script

Greetings all, I need to query a portion of the Active Directory (the OUs that I control) and get a list of computer objects and some associated data (Operating System name and version, for example). Can I do this with VBS/WSH? Thanks in advance for any help!

Chris

Christopher England
Server Administrator
College Information Technology Office
Indiana University

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
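Added example, not code posted by anyone in this thread: a VBScript/WSH sketch of the query described above, using the ADSI ADO provider to write the name and operating system details of every computer object under one OU to a CSV file. The OU distinguished name and the output file name are placeholders to replace with your own.

```vbscript
Option Explicit

' Assumed placeholders: an OU you control and the report file to write.
Const SEARCH_BASE = "OU=Workstations,DC=example,DC=com"
Const OUTPUT_FILE = "computers.csv"

Dim conn, cmd, rs, fso, out, count

' The ADSI OLE DB provider lets ADO run LDAP searches against the directory.
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn

' LDAP dialect: <base>;filter;attributes;scope
' "subtree" walks nested OUs, so no per-container loop is needed.
cmd.CommandText = "<LDAP://" & SEARCH_BASE & ">;" & _
    "(objectCategory=computer);" & _
    "name,operatingSystem,operatingSystemVersion," & _
    "operatingSystemServicePack,distinguishedName;subtree"

' Paging is required to get past the server's default result-size limit.
cmd.Properties("Page Size") = 500
cmd.Properties("Timeout") = 30
cmd.Properties("Cache Results") = False

Set rs = cmd.Execute

Set fso = CreateObject("Scripting.FileSystemObject")
Set out = fso.CreateTextFile(OUTPUT_FILE, True)
out.WriteLine "Name,OperatingSystem,Version,ServicePack,DistinguishedName"

count = 0
Do Until rs.EOF
    out.WriteLine CsvField(rs.Fields("name").Value) & "," & _
        CsvField(rs.Fields("operatingSystem").Value) & "," & _
        CsvField(rs.Fields("operatingSystemVersion").Value) & "," & _
        CsvField(rs.Fields("operatingSystemServicePack").Value) & "," & _
        CsvField(rs.Fields("distinguishedName").Value)
    count = count + 1
    rs.MoveNext
Loop

out.Close
rs.Close
conn.Close
WScript.Echo count & " computer objects written to " & OUTPUT_FILE

' Quote a value for CSV. Attributes that are not set come back as Null,
' and distinguished names contain commas, so every field is quoted.
Function CsvField(ByVal value)
    If IsNull(value) Then value = ""
    CsvField = """" & Replace(CStr(value), """", """""") & """"
End Function
```

Run it with cscript.exe under an account that can read the OU. The service pack column makes it easy to spot machines below the patch baseline you require.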
RE: [ActiveDir] Little Questions
I second that. Antigen is very good. I would suggest keeping different vendor's AV solutions on your SMTP Gateway vs. your Exchange servers... If one of them doesn't catch it, the heuristics of the other AV engine (or the newer defs that one vendor releases before the other) might, increasing your odds of defeating exploits, worms and viruses. -Original Message- From: Christopher Hummert [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Little Questions Antigen from Sybari Software -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Kinnamon Sent: Tuesday, December 17, 2002 11:45 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Little Questions Shawn, Any recommendations on a SMTP getway scanner (hardware or software) ? Dave K. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Little Questions Exchange Antivirus on both mail servers if your Exchange antivirus product is scanning the information store (your on Exchange 5.5 I believe). You need coverage on your Exchange servers for internal messaging (messages not originating from the Internet). There are two virus scanning API's for Exchange 5.5, MAPI and VAPI. VAPI will scan message as they enter the information store and MAPI will scan messages as the user accesses them in the information store. Choose a product that will scan using either or a combination of both interfaces. We use a SMTP gateway scanner to scan mail as it enters the company. This box forwards mail to our Exchange Organization. -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 10:30 AM To: ActiveDir (E-mail) Subject: [ActiveDir] Little Questions Hello everyone, I have some little questions. 
If you have two exchange servers do you need to have Exchange Antivirus on both or just the server with the Internet Mail Connector on it? Having a Exchange server in a forest root and an exchange server in a child domain, the exchange server in the child domain requires what kind of admin access? Does the server need to utilize the admin account from the child domain or the forest root?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Outlook XP makes me want to throw it out the window!
Chris, create a new email profile in Outlook. I have seen this behaviour when the user profile is corrupted and will not establish a proper authentication token. Out of curiousity, do the multiple logon failures in outlook trigger your account lockout policy against her domain account? If it doesn't, this would suggest that Outlook is trying to match cached credentials instead of authenticating to the server and you should clear the password cache on the local system. You might go so far as to rename the user's system profile and have her login to the system as if a new user and then manually drag over her favorites, documents, etc. Hope this helps! John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] The more corrupt the state, the more numerous the laws. - Cornelius Tacitus This email may contain information which must be protected IAW AFI 33-332 and DoD Regulation 5400.11; Privacy Act of 1974 as Amended Applies, and it is For Official Use Only (FOUO). -Original Message- From: Chris J. Popp [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 10, 2002 8:30 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Outlook XP makes me want to throw it out the window! Get your attention with the subject? :) I have been battling a problem with one of my user's machines for the past week. She is running Windows XP Pro, Office XP Pro SP1. Whenever she starts up her Outlook, she gets prompter for the username, password and server. I put the information in exactly as it should be (and have verified with my AD on the server) and I get the following message: Your login information was incorrect. Check your username and domain, then type in your password again. If your account is new or if your administrator requested a password change you need to click Change Password then logon with your new password. I re-check the info in the AD on the server via VNC so I am right there at her terminal doing double checks. I re-enter the password, and get the message again. 
I change the password on the AD, then enter the new password on her Outlook (usually use 1 as the password so I know I type it correct) and still get the above error. I need to get this resolved for her as she is in charge of accounting and has made my life hell in the past because since I am the IT Manager I should be all knowing, all powerful (a common misconception by those users that know no better) So, please if anyone knows what I can do to resolve this, please let me know. I'm at my wits end!

Thanks, Chris

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING
UserAdmin.pl from the resource kit... export from one, delete, create and import to the other?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 2:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING

Is there any other way to do it?

-Original Message-
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING

Movetree from your support tools directory can be scripted.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tue 12/10/2002 3:09 PM
To: ActiveDir (E-mail)
Cc:
Subject: [ActiveDir] Moving users between domains within same forest VIA SCRIPTING

Does anyone know how to move users between domains via script so that we can incorporate it into our Intranet for user based administration? Thanks

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Script for publishing printers?
Thanks Glenn! I appreciate the pointers. I'm going to keep looking for the "List in directory" scriptability solution, since there are political factors that prevent the GPO solution in my current environment (ie, GPO changes must go up the flagpole, be saluted and passed back down, if approved). I tried setting that as a local machine policy on the servers themselves, but that did not appear to work... probably being over-ridden by domain level policies. *shrug*

-JB

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 20, 2002 3:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Script for publishing printers?

John, there are a couple of ways to do this. From VB/VBScript, you can set the Location and Description of the printers (code below). Obviously this is just an example :)

    Dim P
    Dim PQcontainer As IADsContainer
    Dim pq As IADsPrintQueue

    ' Bind to the computer object
    Set PQcontainer = GetObject("WinNT://ServerName,computer")  ' set ServerName equal to your print server
    PQcontainer.Filter = Array("PrintQueue")                    ' filter for print queues only

    For Each P In PQcontainer
        Set pq = GetObject(P.ADsPath)
        ' Only set this if you are not using Printer location Tracking (which is great BTW)
        pq.Location = "Test"                ' set the information
        ' Set the description
        pq.Description = "On First Floor"   ' set the information
        pq.SetInfo                          ' update the printer
        MsgBox pq.Name & " is a " & pq.Model
    Next P

Unfortunately haven't figured out how to set the "Publish in AD" setting from script so on to next bit :) You can also use a group policy setting on the print server to force publishing of printers in AD: http://support.microsoft.com/default.aspx?scid=kb;EN-US;234270

HTH
Glenn

- Original Message -
From: Bjelke John A Contr AFRL/VSIO
To: '[EMAIL PROTECTED]'
Sent: Wednesday, November 20, 2002 2:26 AM
Subject: [ActiveDir] Script for publishing printers?

Hey folks!
quick question, and one I hope there is a relatively easy answer to: Print servers migrated to AD via Aelita tools. Need to publish all of the printers on the server. Is there a way to script this, or do I need to manually go through hundreds of printers and check "List in directory" and enter a location? Suggestions, criticisms, verbal abuse, etc. welcome :^) John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] The wise man learns more from his enemies than a fool does from his friends. - Chinese Proverb
RE: [ActiveDir] Script for publishing printers?
Tony, I actually have tried the pubprn script... However, this will not publish printers on a 2k server, only NT4. Error: Pubprn cannot publish printers from \\server-name because it is running windows 2000, or later.

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 8:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Script for publishing printers?

You can use the pubprn.vbs script provided in the System32 folder. Instructions on how to use it (plus examples) are provided in the script.

Tony

-- Original Message --
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 19 Nov 2002 15:26:31 -

Hey folks! quick question, and one I hope there is a relatively easy answer to: Print servers migrated to AD via Aelita tools. Need to publish all of the printers on the server. Is there a way to script this, or do I need to manually go through hundreds of printers and check List in directory and enter a location? Suggestions, criticisms, verbal abuse, etc. welcome :^)

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
The wise man learns more from his enemies than a fool does from his friends. - Chinese Proverb

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP Display Name for User logged into computer
Last logon is kept in the registry on the local machine, unless your policies prevent that being kept, as DefaultUserName. Take a look @ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName. You could write it to a log as part of the login script, along with current time and computer name, or you could poll it via script @ intervals using a txt file with the names of the systems you want to monitor. Hope this helps! John A. Bjelke UNISYS Systems administrator Supporting AFRL Kirtland AFB 505.853.6774 [EMAIL PROTECTED] The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email. -Original Message- From: Roger Seielstad [mailto:roger.seielstad;inovis.com] Sent: Friday, November 08, 2002 5:09 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP Display Name for User logged into computer You can't do that, per se. AD doesn't track who logged in where. You'd have to turn on logon auditing and scrape the DC logs to pull that off. Alternately, there *might* be something you can poll per machine via WMI, but I don't think so. -- Roger D. Seielstad - MCSE Sr. 
Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA

-Original Message-
From: Jones, Rick J.(Desktop Engineering) [mailto:rick.j.jones;attws.com]
Sent: Thursday, November 07, 2002 6:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP Display Name for User logged into computer

What is the LDAP display name on a computer account for the user that logged into the system from that computer? What I am trying to do is poll active directory with a vbscript I have to find out the UserID of the user that last logged into the domain from that computer. Any thoughts?

Rick
RE: [ActiveDir] LDAP Display Name for User logged into computer
BTW, you can also pull the last domain name logged into from the DefaultDomainName under that same reg key. You might need to do this, judging from your description of what you're trying to do. Otherwise, you may drive yourself nuts trying to match local account logins with nonexistent DC records :^)

-JB

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad;inovis.com]
Sent: Friday, November 08, 2002 5:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP Display Name for User logged into computer

You can't do that, per se. AD doesn't track who logged in where. You'd have to turn on logon auditing and scrape the DC logs to pull that off. Alternately, there *might* be something you can poll per machine via WMI, but I don't think so.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Jones, Rick J.(Desktop Engineering) [mailto:rick.j.jones;attws.com]
Sent: Thursday, November 07, 2002 6:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP Display Name for User logged into computer

What is the LDAP display name on a computer account for the user that logged into the system from that computer? What I am trying to do is poll active directory with a vbscript I have to find out the UserID of the user that last logged into the domain from that computer. Any thoughts?

Rick
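The polling approach suggested in the two replies above, as an added example that is not part of the original posts: a WSH script that reads DefaultUserName and DefaultDomainName from the Winlogon key on each computer named in a text file and appends the result to a log. The file names hosts.txt and lastlogon.log and the function name ReadLastLogon are assumptions.

```vbscript
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const WINLOGON_KEY = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Const HOST_LIST = "hosts.txt"       ' assumed input: one computer name per line
Const LOG_FILE = "lastlogon.log"    ' assumed output: tab-separated log
Const ForReading = 1, ForAppending = 8

' Returns "DOMAIN\user" for the last interactive logon recorded on sHost,
' tagged when the domain part is the machine itself (a local account),
' or an error marker when the machine or the value cannot be read.
Function ReadLastLogon(sHost)
    Dim oReg, sUser, sDomain, rc, sResult

    ' Binding to a remote machine raises a run-time error if it is down
    ' or access is denied, so trap it instead of aborting the whole run.
    On Error Resume Next
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & sHost & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        ReadLastLogon = "UNREACHABLE 0x" & Hex(Err.Number)
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, WINLOGON_KEY, _
        "DefaultUserName", sUser)
    If rc <> 0 Or IsNull(sUser) Then
        ' Value missing, e.g. policy stops the last user name being kept.
        ReadLastLogon = "NO VALUE (rc=" & rc & ")"
        Exit Function
    End If

    rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, WINLOGON_KEY, _
        "DefaultDomainName", sDomain)
    If rc <> 0 Or IsNull(sDomain) Then sDomain = "?"

    sResult = sDomain & "\" & sUser
    ' A domain name equal to the computer name means a local account,
    ' which will have no matching record on any domain controller.
    If UCase(sDomain) = UCase(sHost) Then sResult = sResult & " [local account]"
    ReadLastLogon = sResult
End Function

Dim oFSO, oHosts, oLog, sHost
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oHosts = oFSO.OpenTextFile(HOST_LIST, ForReading)
Set oLog = oFSO.OpenTextFile(LOG_FILE, ForAppending, True)

Do Until oHosts.AtEndOfStream
    sHost = Trim(oHosts.ReadLine)
    If sHost <> "" Then
        oLog.WriteLine Now & vbTab & sHost & vbTab & ReadLastLogon(sHost)
    End If
Loop

oHosts.Close
oLog.Close
```

Run it with cscript under an account that has administrative rights on the target machines, since remote registry access through WMI requires them by default.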
[ActiveDir] OT(sort of): Aelita questions
Can one of the resident Aelita gurus please contact me off list? I have some questions resulting from a few test migrations in our production environments that we would like to ask before the go-live date, which is almost upon us. Thanks! John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. That's relativity. - Albert Einstein
RE: [ActiveDir] OT: Scripting question
Thanks for the suggestions Stefano, but I think you have missed what I was looking to do... I have a script that will repoint the clients,but the problem is that I want to be able to retain specific settings, such as paper orientation, duplexing options, etc. The method I am using to do this is to use wsh to read certain registry keys, copy out the settings to variables, plug in the new server name and create new reg entries while deleting the old ones, which does not preserve the settings. Thus, I was looking for a way to just rename the keys and not delete them. I can write in a new value for the server name multi_sz beneath the key, but need to be able to rename the key so that it reflects the proper server assignment in other areas. The changes would then cascade correctly with no change to user print preferences... I hesitate to use the term, as it is often a bit of a Jonah, but it woould be transparent to the users if I could simply rename the key programatically. -Original Message- From: stefano tufillaro [mailto:stufillaro;hotmail.com] Sent: Wednesday, October 30, 2002 2:09 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Ok if you must change the name of the print server (example srvprinternew against srvprinterold) i 'll make this: 1) use PM to have the same queues in the srvprinternew 2) now migrate the client by a sample script that you can launch from a GP (you are in AD) if they are Win2k or by policy domain if they are NT / Win98. Alternatively you can use a sample login scripts but this required a logon (automatically or simulate but logon) But you can use a photo difference in a machine-test so to generate an alias installing packet (.MSI) that is the mechanism used by SMS, TNG, SYmantec, packet to run on every machine. If you need of a creator of MSI look at your Win2k CD in support and search for winstle product. Is very easier to use. 
Good Luke From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Date: Tue, 29 Oct 2002 21:31:46 - Nod.. yes, if I were to rename the new server the same as the existing print server, this would work. We are migrating between an NT4 domain and a AD domain, and the new print server has to conform to a certain naming convention in the AD domain, ergo no rename. -Original Message- From: stefano tufillaro [mailto:stufillaro;hotmail.com] Sent: Tuesday, October 29, 2002 1:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Hello John I don't know you specifi situation i can tell you my experience. I needed a backup printer server. Two hundred client was using it (Windows 98, NT , 2000). I gave another name to the new server (SRVPRINTER02) The old was SRVPRINTER01. I created the same queues of SRVPRINTER01 by PrintMigrator3 on SRVPRINTER02. After the SRVPRINTER01 is off-line. When the server SRVPRINTER01 crashes I 1) rename SRVPRINTER02 in SRVPRINTER01 2) give the same IP address of SRVPRINTER01 in SRVPRINTER02 3) make on-line the new SRVPRINTER01 and in the same Domain-situation of the old SRVPRINTER01 For all the client that is absolutely transparent so I need to change anything because the client use NETBIOS resolution (ES: \\srvprinter01\HPLASERJ3) or IP / Netbios resolution (ES: \\172.16.16.1\HPLASERJ3) I hope that is useful From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Date: Mon, 28 Oct 2002 23:07:35 - Stefano, PrintMig3 is what I have used to copy the print queues to the new server, but I fail to see how it will assist me in repointing 2000 client systems is there something I am missing? 
-Original Message- From: stefano tufillaro [mailto:stufillaro;hotmail.com] Sent: Monday, October 28, 2002 2:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Print Migrator 3 Microsoft no cost From: Roger Seielstad [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Date: Thu, 24 Oct 2002 11:06:10 -0400 WSH as the ability to do that - shouldn't be that hard. I don't have the book handy, but I think either Tim Hill's or Thomas Eck's books covers that in detail. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:John.Bjelke;kirtland.af.mil] Sent: Thursday, October 24, 2002 9:37 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Scripting question Hey folks... I need to automate repointing print
RE: [ActiveDir] OT: Scripting question
Nod.. yes, if I were to rename the new server the same as the existing print server, this would work. We are migrating between an NT4 domain and a AD domain, and the new print server has to conform to a certain naming convention in the AD domain, ergo no rename. -Original Message- From: stefano tufillaro [mailto:stufillaro;hotmail.com] Sent: Tuesday, October 29, 2002 1:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Hello John I don't know you specifi situation i can tell you my experience. I needed a backup printer server. Two hundred client was using it (Windows 98, NT , 2000). I gave another name to the new server (SRVPRINTER02) The old was SRVPRINTER01. I created the same queues of SRVPRINTER01 by PrintMigrator3 on SRVPRINTER02. After the SRVPRINTER01 is off-line. When the server SRVPRINTER01 crashes I 1) rename SRVPRINTER02 in SRVPRINTER01 2) give the same IP address of SRVPRINTER01 in SRVPRINTER02 3) make on-line the new SRVPRINTER01 and in the same Domain-situation of the old SRVPRINTER01 For all the client that is absolutely transparent so I need to change anything because the client use NETBIOS resolution (ES: \\srvprinter01\HPLASERJ3) or IP / Netbios resolution (ES: \\172.16.16.1\HPLASERJ3) I hope that is useful From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Scripting question Date: Mon, 28 Oct 2002 23:07:35 - Stefano, PrintMig3 is what I have used to copy the print queues to the new server, but I fail to see how it will assist me in repointing 2000 client systems is there something I am missing? 
-Original Message-
From: stefano tufillaro [mailto:stufillaro;hotmail.com]
Sent: Monday, October 28, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question

Print Migrator 3 Microsoft no cost

From: Roger Seielstad [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question
Date: Thu, 24 Oct 2002 11:06:10 -0400

WSH has the ability to do that - shouldn't be that hard. I don't have the book handy, but I think either Tim Hill's or Thomas Eck's books covers that in detail.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:John.Bjelke;kirtland.af.mil]
Sent: Thursday, October 24, 2002 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Scripting question

Hey folks... I need to automate repointing print queues on ~2000 clients to a different print server and retain user settings on each queue... does anyone know how to RENAME a registry key, either in VB, Perl, C++, or WSH? I can pull the value and create a new key to the same printer name on the new server, but that doesn't retain the settings. Any suggestions are appreciated. Thanks!

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
A conclusion is simply the place where you got tired of thinking.
RE: [ActiveDir] OT: Scripting question
Stefano, PrintMig3 is what I have used to copy the print queues to the new server, but I fail to see how it will assist me in repointing 2000 client systems is there something I am missing?

-Original Message-
From: stefano tufillaro [mailto:stufillaro;hotmail.com]
Sent: Monday, October 28, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question

Print Migrator 3 Microsoft no cost

From: Roger Seielstad [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question
Date: Thu, 24 Oct 2002 11:06:10 -0400

WSH has the ability to do that - shouldn't be that hard. I don't have the book handy, but I think either Tim Hill's or Thomas Eck's books covers that in detail.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:John.Bjelke;kirtland.af.mil]
Sent: Thursday, October 24, 2002 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Scripting question

Hey folks... I need to automate repointing print queues on ~2000 clients to a different print server and retain user settings on each queue... does anyone know how to RENAME a registry key, either in VB, Perl, C++, or WSH? I can pull the value and create a new key to the same printer name on the new server, but that doesn't retain the settings. Any suggestions are appreciated. Thanks!

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
A conclusion is simply the place where you got tired of thinking.
RE: [ActiveDir] Remote Folder appear local
I believe she is looking to have it appear on their local machines from the network, but not require them to map a connection to the server. Sounds to me like just what DFS was made for! Set up the server as a DFS root and the shared folder on the server can be added as a file system folder on their machines. You will still need to share the folder containing the files in question, but I believe you can make it a hidden share on the server and still have it work. John A. Bjelke UNISYS Systems administrator Supporting AFRL Kirtland AFB 505.853.6774 [EMAIL PROTECTED] The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or it's subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email. -Original Message- From: Sullivan, Kevin [mailto:KSullivan;aelita.com] Sent: Friday, October 25, 2002 7:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Folder appear local I am not totally sure what your goal is here. But some things to think about... 1. Off Line files (of course occasionally they will need access to the network. 2. Write a script that does a file copy and call it from a logon script. 3. Create a .msi file with SMS Installer or WISE or WinInstall LE that does a file copy and push the .msi via group policy. (Of course they will need access to the network) How are you expecting to do this without access to the network? SneakerNet may work G... 
Kevin

-Original Message-
From: marija efnuseva [mailto:efmar;freemail.com.mk]
Sent: Friday, October 25, 2002 4:36 AM
To: ActiveDirLista
Subject: [ActiveDir] Remote Folder appear local

I am interested if anyone can tell me how can I put the same files on all client computers (some users) from my server. Is it possible? If not can I make a shared folder on the server visible as a local one to all my client computer. I mean that they would not have to connect to my server through the network. I do not want them to have access to the local network (should not be able to browse it)

thanks
marija

P.S. Can anyone tell me how can I make backup of my server Windows 2000 Server
RE: [ActiveDir] Profile question
Chris, you could run a script before the migration to read the value of the ProfileImagePath entry in the registry and export that to a tab delineated file... then add a few lines to the logon script in the new AD domain to parse their username against said tab separated file and do a wsh.RegWrite to the same key with the old value.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\appropriate RID\ProfileImagePath is the registry key, and %SystemDrive%\Documents and Settings\appropriate user name is the data format. Data type is REG_EXPAND_SZ.

It's a really good idea to dimension a constant or two to avoid typing the key names over and over.. something like

    Const HKEY_LOCAL_MACHINE = &H80000002
    Const PROFILE_SUBKEY = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

Here's a code snippet from a script we have for our helpdesk to repoint profiles follows:

    ' The Sub header and the StdRegProv binding were not in the posted snippet;
    ' the name RepointProfile and its parameters are assumed.
    Sub RepointProfile(sComputer, sSID, sNewPath)
        Dim oRegistry, nRC, sProfilePath
        Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
            & sComputer & "\root\default:StdRegProv")
        '
        ' Get the specified user's ProfileImagePath on the specified machine
        '
        nRC = oRegistry.GetExpandedStringValue(HKEY_LOCAL_MACHINE, PROFILE_SUBKEY & "\" & sSID, "ProfileImagePath", sProfilePath)
        If nRC <> 0 Then
            Wscript.Echo "Error " & Hex(nRC) & " reading registry"
            Wscript.Quit(1)
        End If
        Wscript.Echo "Profile path: " & sProfilePath
        Wscript.Echo
        Wscript.Echo "OS Default Profile Path"
        Wscript.Echo ""
        Wscript.Echo "Windows NT %SystemRoot%\Profiles\username"
        Wscript.Echo "Windows 2000 %SystemDrive%\Documents and Settings\username"
        Wscript.Echo
        Wscript.Echo "You can use environment variables when specifying the path"
        Wscript.Echo
        '
        ' Set the ProfileImagePath directory
        '
        nRC = oRegistry.SetExpandedStringValue(HKEY_LOCAL_MACHINE, PROFILE_SUBKEY & "\" & sSID, "ProfileImagePath", sNewPath)
        If nRC <> 0 Then
            Wscript.Echo "Error " & Hex(nRC) & " writing registry"
            Wscript.Quit(1)
        Else
            Wscript.Echo "Modified profile path"
        End If
    End Sub

Hope this helps!

John A. Bjelke UNISYS Systems administrator Supporting AFRL Kirtland AFB 505.853.6774 [EMAIL PROTECTED]
The contents of this Email communication are confidential to the addressee. If you are not the intended recipient you may not disclose or distribute this communication in any form but should immediately contact the Sender. The information, images, documents and views expressed in this Email are personal to the Sender and do not expressly or implicitly represent official positions and policies of Unisys Federal Systems or its subsidiaries and no authority exists on behalf of Unisys to make any agreements, representations or other binding commitment by means of Email.

-Original Message-
From: cflesher [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 25, 2002 1:52 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Profile question

First time postee, long time fan.. We are currently in the process of migrating users from NT4 domains to 2000. While most of the nodes are NT4 workstation, some are running 2000 workstation. My question is, once a user goes from connecting to an NT4 domain to a 2000 domain from a 2000 workstation, is there a scripting method to have the user use their old profile for their new logon. Obviously, one can copy profiles by hand. I'm looking for a way to automate this. Just looking for a few hints. Thanks.

Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477
[ActiveDir] OT: Scripting question
Hey folks... I need to automate repointing print queues on ~2000 clients to a different print server and retain user settings on each queue... does anyone know how to RENAME a registry key, either in VB, Perl, C++, or WSH? I can pull the value and create a new key to the same printer name on the new server, but that doesn't retain the settings. Any suggestions are appreciated. Thanks! John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] A conclusion is simply the place where you got tired of thinking.
RE: [ActiveDir] OT: Scripting question
Does anyone know the wsh call to rename a key though? I have been unable to find it. Unfortunately, I do not have either of the texts you reference, but I have put them on the wish list!

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad;inovis.com]
Sent: Thursday, October 24, 2002 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting question

WSH has the ability to do that - shouldn't be that hard. I don't have the book handy, but I think either Tim Hill's or Thomas Eck's books covers that in detail.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:John.Bjelke;kirtland.af.mil]
Sent: Thursday, October 24, 2002 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Scripting question

Hey folks... I need to automate repointing print queues on ~2000 clients to a different print server and retain user settings on each queue... does anyone know how to RENAME a registry key, either in VB, Perl, C++, or WSH? I can pull the value and create a new key to the same printer name on the new server, but that doesn't retain the settings. Any suggestions are appreciated. Thanks!

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
A conclusion is simply the place where you got tired of thinking.
RE: [ActiveDir] OT: Scripting question
grumble That's what I was afraid of. It doesn't make sense to me that you can rename from the console but not programmatically! /grumble Oh, well.

-Original Message-
From: Carey, Greg [mailto:Greg.Carey;haledorr.com]
Sent: Thursday, October 24, 2002 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting question

I don't think there is a rename. You would just read the old, write the new with that info and then delete the old.

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:John.Bjelke;kirtland.af.mil]
Sent: Thursday, October 24, 2002 11:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting question

Does anyone know the wsh call to rename a key though? I have been unable to find it. Unfortunately, I do not have either of the texts you reference, but I have put them on the wish list!

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad;inovis.com]
Sent: Thursday, October 24, 2002 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting question

WSH has the ability to do that - shouldn't be that hard. I don't have the book handy, but I think either Tim Hill's or Thomas Eck's books covers that in detail.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:John.Bjelke;kirtland.af.mil]
Sent: Thursday, October 24, 2002 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Scripting question

Hey folks... I need to automate repointing print queues on ~2000 clients to a different print server and retain user settings on each queue... does anyone know how to RENAME a registry key, either in VB, Perl, C++, or WSH? I can pull the value and create a new key to the same printer name on the new server, but that doesn't retain the settings. Any suggestions are appreciated. Thanks!

John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED]
A conclusion is simply the place where you got tired of thinking.
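The read, write, then delete approach Greg Carey describes above, as an added example that is not part of the original posts: a WSH script that copies a key with all its values and subkeys through WMI's StdRegProv and deletes the old key only after the copy has fully succeeded. The function names, the status constants and the scratch key Software\RenameKeyDemo are hypothetical; the actual printer keys are not given in the thread.

```vbscript
Option Explicit

Const HKEY_CURRENT_USER = &H80000001
Const REG_SZ = 1, REG_EXPAND_SZ = 2, REG_BINARY = 3, REG_DWORD = 4, REG_MULTI_SZ = 7
Const RC_UNSUPPORTED = -1   ' constructed status codes for this example,
Const RC_EXISTS = -2        ' not values returned by WMI

Dim oReg
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Copy one named value from sSrc to sDst, keeping its registry type.
Function CopyValue(hive, sSrc, sDst, sName, nType)
    Dim v, rc
    Select Case nType
        Case REG_SZ
            rc = oReg.GetStringValue(hive, sSrc, sName, v)
            If rc = 0 Then rc = oReg.SetStringValue(hive, sDst, sName, v)
        Case REG_EXPAND_SZ
            ' WMI returns the data with environment variables already
            ' expanded, so the copy stores the expanded text.
            rc = oReg.GetExpandedStringValue(hive, sSrc, sName, v)
            If rc = 0 Then rc = oReg.SetExpandedStringValue(hive, sDst, sName, v)
        Case REG_BINARY
            rc = oReg.GetBinaryValue(hive, sSrc, sName, v)
            If rc = 0 Then rc = oReg.SetBinaryValue(hive, sDst, sName, v)
        Case REG_DWORD
            rc = oReg.GetDWORDValue(hive, sSrc, sName, v)
            If rc = 0 Then rc = oReg.SetDWORDValue(hive, sDst, sName, v)
        Case REG_MULTI_SZ
            rc = oReg.GetMultiStringValue(hive, sSrc, sName, v)
            If rc = 0 Then rc = oReg.SetMultiStringValue(hive, sDst, sName, v)
        Case Else
            ' Fail rather than silently drop a value of a type not handled here.
            rc = RC_UNSUPPORTED
    End Select
    CopyValue = rc
End Function

' Recursively copy sSrc to sDst. Returns 0 only if everything was copied.
Function CopyTree(hive, sSrc, sDst)
    Dim rc, aNames, aTypes, aSubKeys, i
    rc = oReg.CreateKey(hive, sDst)
    If rc = 0 Then rc = oReg.EnumValues(hive, sSrc, aNames, aTypes)
    If rc = 0 And IsArray(aNames) Then
        For i = 0 To UBound(aNames)
            rc = CopyValue(hive, sSrc, sDst, aNames(i), aTypes(i))
            If rc <> 0 Then Exit For
        Next
    End If
    If rc = 0 Then rc = oReg.EnumKey(hive, sSrc, aSubKeys)
    If rc = 0 And IsArray(aSubKeys) Then
        For i = 0 To UBound(aSubKeys)
            rc = CopyTree(hive, sSrc & "\" & aSubKeys(i), sDst & "\" & aSubKeys(i))
            If rc <> 0 Then Exit For
        Next
    End If
    CopyTree = rc
End Function

' StdRegProv.DeleteKey refuses a key that still has subkeys, so go depth-first.
Function DeleteTree(hive, sKey)
    Dim rc, aSubKeys, i
    rc = oReg.EnumKey(hive, sKey, aSubKeys)
    If rc = 0 And IsArray(aSubKeys) Then
        For i = 0 To UBound(aSubKeys)
            rc = DeleteTree(hive, sKey & "\" & aSubKeys(i))
            If rc <> 0 Then Exit For
        Next
    End If
    If rc = 0 Then rc = oReg.DeleteKey(hive, sKey)
    DeleteTree = rc
End Function

' "Rename" = copy, verify the copy completed, then delete the original.
Function RenameKey(hive, sOld, sNew)
    Dim rc, aProbe
    ' Refuse to merge into a key that already exists.
    If oReg.EnumKey(hive, sNew, aProbe) = 0 Then
        RenameKey = RC_EXISTS
        Exit Function
    End If
    rc = CopyTree(hive, sOld, sNew)
    If rc = 0 Then
        rc = DeleteTree(hive, sOld)
    Else
        DeleteTree hive, sNew     ' roll back the partial copy; old key untouched
    End If
    RenameKey = rc
End Function

' Constructed demo data under a scratch key (hypothetical path, not a printer key).
Const DEMO = "Software\RenameKeyDemo"
oReg.CreateKey HKEY_CURRENT_USER, DEMO & "\OldServer\Sub"
oReg.SetStringValue HKEY_CURRENT_USER, DEMO & "\OldServer", "Orientation", "Landscape"
oReg.SetDWORDValue HKEY_CURRENT_USER, DEMO & "\OldServer\Sub", "Duplex", 1
WScript.Echo "RenameKey returned " & _
    RenameKey(HKEY_CURRENT_USER, DEMO & "\OldServer", DEMO & "\NewServer")
DeleteTree HKEY_CURRENT_USER, DEMO   ' clean up the scratch key
```

Because the copy goes value by value, binary per-user settings are carried over byte for byte, which is what re-creating the key from scratch loses.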
RE: [ActiveDir] OT/ cannot share resources
Michael, a little more info would be helpful, but let me ask a few things: 1)Have you enabled and print sharing on the 98 box in question? 2)Are the subnet masks the same on all machines in the workgroup? 3)Is the workgroup name the same on all boxen? 4)Can you ping and/or tracert to the troublesome 9X from other boxen on lan? Assuming these are in order, I would suggest the following: 1)Check layer one. 2)Remove file and print sharing and re-add with a reboot in between. 3)Remove Microsoft Windows Networking, reboot, and re-add the provider and protocols and reconfigure network settings. 4)Delete and recreate the shares that you are trying to access. 5)Check layer one again. In my experience, despite the iffy nature of networking in Win9X, the problems are often physical in nature. 6)Scrap 9X and use a real network OS... (not helpful, I know, but definatively earnest) Good luck! John A. Bjelke Unisys 505.853.6774 [EMAIL PROTECTED] The more corrupt the state, the more numerous the laws. - Cornelius Tacitus This email may contain information which must be protected IAW AFI 33-332 and DoD Regulation 5400.11; Privacy Act of 1974 as Amended Applies, and it is For Official Use Only (FOUO). -Original Message- From: Michael Tock [mailto:mptock;peoplepc.com] Sent: Thursday, October 24, 2002 9:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT/ cannot share resources Ok you network people, I cannot share my files on just one of my computers, it is just a small peer to peer workgroup. I can see the computer in the network neighborhood. The computer I am having problems with has win 98. So what is causing the problem, and how do I fix it. 
RE: [ActiveDir] Disable IE via GPO
Heh. I like it. And of course, thumbcuffs would work wonders to prevent inappropriate surfing... :^)

-Original Message-
From: Puckett, Richard [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 4:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disable IE via GPO

If you were really evil, you could toss in a wscript.echo statement after the objLatestProcess.TargetInstance.Terminate line that says stop downloading viruses already! (or a more sensible usage warning). :-)

Richard

-Original Message-
From: Puckett, Richard
Sent: Tuesday, October 15, 2002 5:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disable IE via GPO

James, There are a couple of different ways you could approach this. One quick thought would be a custom logon script that targets this user specifically at logon and runs a wscript (not cscript) call against the below code (converted from the MS Script Repository). This creates a temporary event consumer that continually watches for instances of IEXPLORE.EXE and kills them (good for a practical joke too :-)). Using wscript ensures that no command window is created and the script is only recognizable by the wscript.exe process active in task manager. Of course this doesn't preclude him renaming IEXPLORE.EXE to something else, or logging on locally to avoid the logon script, but it's at least one option.

Put wscript.exe %LOGONSERVER%\netlogon\killie.vbs in the logon script field (to suppress any display of a command prompt). Then stick the following into a .VBS file and copy it into the netlogon share.

    'KillIE.VBS
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' Temporary event consumer: poll once a second for newly created processes
    Set colMonitoredProcesses = objWMIService. _
        ExecNotificationQuery("select * from __instancecreationevent " _
            & "within 1 where TargetInstance isa 'Win32_Process'")
    i = 0
    Do While i = 0
        ' NextEvent blocks until the next process creation event arrives
        Set objLatestProcess = colMonitoredProcesses.NextEvent
        If objLatestProcess.TargetInstance.Name = "IEXPLORE.EXE" Then
            objLatestProcess.TargetInstance.Terminate
        End If
    Loop

Hope this helps,
Richard

-Original Message-
From: James Liddil [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 3:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disable IE via GPO

W2K/Exchange2K Environment. We have a visiting scientist who I was asked to give an account to. Turns out he has been reading his web mail and it is highly infected based on the number of alerts I got. The one machine he uses I have pulled off the internet. But I now find he went to another machine and did some web mail (virus alert again). So at this point my hands are tied by the management's lack of policies. So I need a way to prevent him from using IE regardless of the machine. It seems in GPO I can lock it down but not totally disable it. Or is there a way?

Jim Liddil
RE: [ActiveDir] Disable IE via GPO
Well, you *could* write code into his login script that sets the IE security preferences for the Restricted Zones, and then undoes it in the standard login script so that others are not affected... That would probably be a good script to hang onto for future offenders as well. Add his web-mail site to the restricted zones on a test pc, then export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains to a REG file. In his logon script, copy this reg file to a temp on the system and run it. For the clean up in the normal script, find the specific entry and delete it, maybe?

I would also suggest drafting an acceptable use policy to run by the powers that be, maybe through your IT boss... the worst they can do is say "We're not concerned." At best, you might gain some leverage on stopping things like this. Good luck!

-JB

-----Original Message-----
From: James Liddil [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disable IE via GPO

We don't have a policy in place that prevents folks from reading yahoo, hotmail etc. So if I have our firewall configured to block this I'm sure I'd immediately be blacklisted by end users. I could just as easily use McAfee EPO and add these various webmail URLs and block them. Until management decides this is a business critical issue I won't go there. But I certainly have considered the idea along with blocking IM traffic.

Jim Liddil

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 4:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disable IE via GPO

Why not block his web-mail site @ the firewall? He might have legitimate project related need for web access, but if you can point to virus infections from his web-based email you should be able to justify blocking the site for everyone.

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on... - Winston Churchill

-----Original Message-----
From: James Liddil [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 1:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disable IE via GPO

W2K/Exchange2K Environment. We have a visiting scientist who I was asked to give an account to. Turns out he has been reading his web mail and it is highly infected based on the number of alerts I got. The one machine he uses I have pulled off the internet. But I now find he went to another machine and did some web mail (virus alert again). So at this point my hands are tied by the management's lack of policies. So I need a way to prevent him from using IE regardless of the machine. It seems in GPO I can lock it down but not totally disable it. Or is there a way?

Jim Liddil
RE: [ActiveDir] Sort of OT: other Protocols
What about using hosts files as a fail over for DNS? Seems like less work to me.

John A. Bjelke
UNISYS Systems administrator
505.846.5894
[EMAIL PROTECTED]

-----Original Message-----
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 8:45 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Sort of OT: other Protocols

I have an Isolated environment that runs SQL 2000 and Windows 2000 Servers. This environment experienced problems the other day because of a lack of name resolution between the Servers. I was asked by management to look at netbeui as a backup in case standard TCPIP name Resolution failed... Here is what I have set up... On each machine I have 2 NICs, 1 NIC on each machine is dedicated to IP and 1 NIC is dedicated to NetBeui. Does anyone see any issues with this?

Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info
The greatest glory is not in never failing, but in rising up every time we fall. -- Confucius
RE: [ActiveDir] Why Active Directory?
David, the way to best reduce total cost of ownership on any network (and the amount of work you have to put in on it) is to go to a standardized desktop environment where possible. The fewer hardware and software configurations an organization has, the easier, theoretically at least, it will be to manage the infrastructure. So, were I in your shoes, I would work on getting a standard approved for workstations on the network and begin implementing it before I tackled selling them AD. Win 2K Pro or XP Pro would be my choice for the standardized OS.

The easiest way to sell this to the bean counters would be to highlight the insecure and unstable nature of all Win9x boxen and the subsequent TCO. Keep track of the hours spent troubleshooting, rebooting, cursing, etc. 9x boxen as compared to 2K/XP boxen on your network. Present them with articles discussing the lack of security in win9x (including Me). Basically, build a well documented case for standardization with an OS designed for corporate environments. Include the benefits of centralized administration from a domain, such as security, remote administration, automated back-ups, the potential to add email services, and the like. But I would seriously look at establishing some kind of base-line for workstations... it will really make your job easier in the short and long terms. Good luck!

John A. Bjelke
UNISYS
[EMAIL PROTECTED]

-----Original Message-----
From: David Bradford [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 7:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Why Active Directory?

Hi all;

For the last 2 months I've been given the additional job of part time network admin for my company's network. It's currently 80 workstations, 2 windows 2000 servers and about 10 HP printers. The workstations run either Win98/WinMe/Win2k Professional or WinXP Home/Pro. It's all running in workgroup mode and it's a pain in the butt to maintain user accounts/passwords etc etc.

10 New users joined us today and they needed access to both win2k servers and various printers connected to various workstations, so off I went adding the same 10 users to all the different machines. Additionally, Winme and XP home sometimes can, sometimes can't see the network. A reboot almost always cures the problem. Very annoying. Of course, keeping track of service packs/patches - even deploying normal apps is a monumental task. I can see why the previous network admin left! Basically, the network is becoming unmanageable.

I'm familiar with AD and it's obvious to me that a proper directory service will do wonders for the network but management seem to think everything is running OK at present so why would they want to buy 2 more servers to act as domain controllers and upgrade everyone to either win2k or WinXP pro? The existing win2k servers are used as our fileservers and are pretty busy so upgrading them to DC's wouldn't be desirable.

Basically, I need some reasons that I can present to management why AD will be such a great thing for us, I've suggested user management/deploying apps as advantages but they don't seem impressed. What else can I add?

Thanks;
David Bradford
RE: [ActiveDir] Password Changes Issues
Don,

Check for policy changes. The "you are not authorized to change your password" error message appears to be the default error message. Our users see this error all the time if they are not meeting the length and complexity requirements. Hope this helps!

John A. Bjelke
AFRL\VSIO Business Support Analyst
UNISYS
You will never find a more wretched hive of scum and villainy.

-----Original Message-----
From: Don L. Hollingshead [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 7:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Changes Issues

Hey,

We have been operating normally with periodic user password changes. Today anyone that is required to change their password gets a message stating that they are not authorized to change it. Any ideas would be appreciated.

Thanx
Don
RE: [ActiveDir] Simple Password reset utility
Do you use Outlook Web Access on Exchange? There is a password change applet built in there that should work for what you need.

-John

-----Original Message-----
From: Izzy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 12:46 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Simple Password reset utility

Does anyone have, or know of a site that has, a simple Win32 app to reset passwords. We have people at remote offices who I have given the ability to reset passwords of other users at the office but I really don't want them using ADUC. So they have the native ACLs set so they can reset the password but native tools are overkill for what they need. What I would like is a simple app that asks for a user's logon and then prompts for a new password, if the account should be unlocked, if the user must change their password at next logon, etc. I know this is something that could be whipped out pretty quickly using VB but if someone has already done it why re-invent the wheel.
RE: [ActiveDir] Simple Password reset utility
Ah, sorry.. I misunderstood what you were looking for.

-----Original Message-----
From: Izzy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 1:00 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simple Password reset utility

Yes but I need something so a local "IT" person can reset another user's password or unlock their account, assuming they forgot their password.

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 1:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simple Password reset utility

Do you use Outlook Web Access on Exchange? There is a password change applet built in there that should work for what you need.

-John

-----Original Message-----
From: Izzy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 17, 2002 12:46 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Simple Password reset utility

Does anyone have, or know of a site that has, a simple Win32 app to reset passwords. We have people at remote offices who I have given the ability to reset passwords of other users at the office but I really don't want them using ADUC. So they have the native ACLs set so they can reset the password but native tools are overkill for what they need. What I would like is a simple app that asks for a user's logon and then prompts for a new password, if the account should be unlocked, if the user must change their password at next logon, etc. I know this is something that could be whipped out pretty quickly using VB but if someone has already done it why re-invent the wheel.
RE: Antwort: [ActiveDir] Pwdlastset attribute
I always thought UTC in relation to computing was the number of non-leap seconds that have elapsed since 00:00:00 January 1, 1970. I find the choice of Jan 01, 1601 to be a little bizarre in this context. Was this a typo? Or is that how UTC is now measured in AD?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 04, 2002 6:00 AM
To: [EMAIL PROTECTED]
Subject: Antwort: [ActiveDir] Pwdlastset attribute

Tasneem,

the format of a UTC time is described in http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/time_0fzm.asp

It is the number of 100-nanosecond intervals since January 1, 1601. With the Win32-API-Function 'FileTimeToSystemTime' it can be converted to a readable format. This is a C++ example:

#include <windows.h>

FILETIME ftRawvalue;        // must already hold the raw attribute value
SYSTEMTIME stGMT, stLocal;
TCHAR lpszString[32];       // receives the formatted date and time

// Convert the raw time value to GMT Zone
FileTimeToSystemTime(&ftRawvalue, &stGMT);
// Convert the time from GMT zone to your local time zone
SystemTimeToTzSpecificLocalTime(NULL, &stGMT, &stLocal);
// Build a string showing the date and time.
wsprintf(lpszString, TEXT("%02d/%02d/%d %02d:%02d"),
         stLocal.wDay, stLocal.wMonth, stLocal.wYear,
         stLocal.wHour, stLocal.wMinute);

There should be a similar VB example, but I'm not a VB expert.

Rainer.

"Bhaijee, Tasneem" [EMAIL PROTECTED]@mail.activedir.org on 28.03.2002 18:10:31
Please reply to [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Pwdlastset attribute

Pwdlastset is an attribute in Active directory which stores the value in UTC (universal Coordinated Time) format. Value example: 126550226842430343. Data type for the attribute is an integer. How do I convert this value to local time?

Thanks.
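The conversion discussed in this thread, as an added example in Python (not code from any poster): it turns the 100-nanosecond count since January 1, 1601 into a date, and goes a step further by flagging old passwords and building the matching LDAP filter. The function names, the sample accounts and the 42-day limit are assumptions made for illustration; only the value 126550226842430343 comes from the thread.

```python
"""pwdLastSet-style values: convert, reverse, and flag old passwords."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # "never" sentinel used by e.g. accountExpires


def filetime_to_datetime(value):
    """Return an aware UTC datetime, or None for the 0 / 'never' sentinels."""
    value = int(value)  # LDAP libraries usually return the attribute as text
    if value < 0:
        raise ValueError("FILETIME values are non-negative")
    if value in (0, NEVER):
        return None
    # 100 ns ticks -> microseconds, integer maths only (no float rounding)
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, needed to put a cut-off date into an LDAP filter."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone first")
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def from_large_integer(high_part, low_part):
    """Join the HighPart/LowPart halves that ADSI exposes to script languages.

    LowPart is a signed 32-bit number there, so it can arrive negative;
    masking restores the unsigned bits.
    """
    return ((high_part & 0xFFFFFFFF) << 32) | (low_part & 0xFFFFFFFF)


def stale_passwords(accounts, max_age_days, now):
    """Return (name, age_in_days) for passwords older than max_age_days."""
    stale = []
    for name, raw in accounts:
        changed = filetime_to_datetime(raw)
        if changed is None:
            continue  # 0 means "must change password at next logon"
        age = (now - changed).days
        if age > max_age_days:
            stale.append((name, age))
    return stale


def stale_filter(max_age_days, now):
    """LDAP filter selecting the same accounts on the directory side."""
    cutoff = datetime_to_filetime(now - timedelta(days=max_age_days))
    return ("(&(objectCategory=person)(objectClass=user)"
            "(pwdLastSet>=1)(pwdLastSet<=%d))" % cutoff)


# Constructed sample data: only the first value appears in the thread.
PAGE_VALUE = 126550226842430343
SAMPLE_NOW = datetime(2002, 4, 4, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    ("alice", str(PAGE_VALUE)),
    ("bob", "0"),
    ("carol", str(datetime_to_filetime(
        datetime(2002, 3, 20, tzinfo=timezone.utc)))),
]

if __name__ == "__main__":
    utc = filetime_to_datetime(PAGE_VALUE)
    print("UTC:  ", utc.isoformat())
    print("Local:", utc.astimezone().isoformat())  # system time zone
    print(stale_passwords(SAMPLE_ACCOUNTS, 42, SAMPLE_NOW))
    print(stale_filter(42, SAMPLE_NOW))
```
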
RE: [ActiveDir] Registry setting
Scott,

I can only assume you are looking to programmatically change this setting in your environment. Here is a snippet of the vbs code we use to toggle this off. Best of luck!

John A. Bjelke
AFRL\VSIO Business Support Analyst
UNISYS
Supporting AFRL Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. Copula eam se non possit acceptare jocularum.

'--------------------------------------------------
' Disable Dynamic DNS registration
' g_oLocator and g_sMessage are globals set elsewhere in the full script;
' ConnectServer is an SWbemLocator method, so g_oLocator is presumably
' a WbemScripting.SWbemLocator object.
'--------------------------------------------------
Sub DisableDynamicDNS(sComputerName)
    On Error Resume Next
    Dim oServer, oAdapters, oAdapter, nRC
    Set oServer = g_oLocator.ConnectServer(sComputerName, "root\CIMV2")
    If Err.Number = 0 Then
        ' Only adapters that are bound to IP and have a MAC address
        Set oAdapters = oServer.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE " & _
            "IPEnabled = TRUE AND MACAddress <> ''")
        For Each oAdapter In oAdapters
            If oAdapter.IPAddress(0) <> "" Then
                If oAdapter.FullDNSRegistrationEnabled Then
                    ' Both arguments False: full and domain DNS registration off
                    nRC = oAdapter.SetDynamicDNSRegistration(False, False)
                    If nRC <> 0 Then
                        g_sMessage = g_sMessage & "SetDynamicDNSRegistration failed for network adapter with IP " & _
                            oAdapter.IPAddress(0) & vbCRLF
                    Else
                        g_sMessage = g_sMessage & "Disabled dynamic DNS registration for network adapter with IP " & _
                            oAdapter.IPAddress(0) & vbCRLF
                    End If
                Else
                    g_sMessage = g_sMessage & "Dynamic DNS registration already disabled for network adapter with IP " & _
                        oAdapter.IPAddress(0) & vbCRLF
                End If
            End If
        Next
    Else
        g_sMessage = g_sMessage & "DisableDynamicDNS: ConnectServer failed" & vbCRLF
    End If
End Sub

-----Original Message-----
From: Scott Krall [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 10:53 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Registry setting

Is there a registry setting for the setting 'register this connection's addresses in DNS' ???
RE: [ActiveDir] AD on XP
Well, the XP version of 2KAdvancedServer is .Net Server, which I don't believe has been fully released yet. XP workstations should integrate nicely in a 2K AD environment. Good luck!

-JB

John A. Bjelke
AFRL\VSIO Business Support Analyst
UNISYS
Supporting AFRL Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. Copula eam se non possit acceptare jocularum.

-----Original Message-----
From: Nah Idee [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 7:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD on XP

If I currently have a simple AD infrastructure with 10 Windows 2000 Advanced Servers, what are my options with respect to XP? I know about XP desktop and professional, but is there an XP equivalent to win2000 AS? I realize 2000 is NT5.0 and XP is NT5.1, but I wouldn't want to lose anything (especially AD-wise) by converting to an XP platform. Thanks for your comments.
RE: [ActiveDir] Rolling SRP1 into a RIS Install:
James,

The rough instructions are in Q296723, but the specific outline is something like this:

1. Copy the Windows 2000 CD-ROM onto the HD
2. Slipstream SP2 into it (update -s:path)
3. Extract the SRP1 files somewhere (sp2srp1 -x:path)

From this point, what you have to do is remove matching files from the i386 folder and subfolders, and replace them with the ones from the sp2srp1; e.g. if you have i386\kernel32.dl_, and the sp2srp1 has kernel32.dll, you have to remove the kernel32.dl_ and replace it with the kernel32.dll that's from the package. I did this by generating a list of files in the sp2srp1 and munged it using regular expressions in my text editor, added a del command to the beginning of each line, saved it as a batch file, etc. After you remove the files, you then copy the sp2srp1 versions in their place.

Then you edit the dosnet.inf and create a svcpack.inf file as specified in the Q article, create the svcpack subdirectory and put the sp3.cat file from the sp2srp1 package, etc. That's about it. Good luck!

John A. Bjelke
AFRL\VSIO Business Support Analyst
UNISYS
Supporting AFRL Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. Copula eam se non possit acceptare jocularum.

-----Original Message-----
From: Blair, James [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 7:09 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Rolling SRP1 into a RIS Install:

All,

Have any of you successfully rolled SRP1 into a RIS Image... if so how did you do it... by rolling SRP1 into the image I can avoid having to use QCHAIN, HFNETCHK and login scripts for a little while longer.

James
RE: [ActiveDir] Two Domains, One Subnet
DHCP is going to work on a first available basis.. i.e., the first DHCP server that a system can contact when it looks for a lease will issue an IP and register the connection in dynamic DNS. This could cause managing computer domain accounts to get ugly, unless you are willing to keep all computer accounts in one single domain by turning DHCP off on one of the domains. DNS shouldn't be a problem, as long as the two domains' DNS servers are replicating zones frequently and accurately between themselves.

-----Original Message-----
From: SALANDRA, JUSTIN [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 10:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Two Domains, One Subnet

But can two domains exist on the same subnet? If so how would DHCP and DNS work correctly?

-----Original Message-----
From: Butler, Simon (London) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 12:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Two Domains, One Subnet

Yes. You only need to consider sites... a site is a collection of 1 or more subnets... domains can span multiple sites... multiple domains can exist in the same site... etc etc

Simon Butler
Merrill Lynch HSBC

-----Original Message-----
From: SALANDRA, JUSTIN [mailto:[EMAIL PROTECTED]]
Sent: 21 February 2002 16:39
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Two Domains, One Subnet
Importance: High

Hello All,

I am trying to find out if it is possible to have two separate domains, in the same AD Tree in the same AD Site span the same subnet? If you know the answer, please e-mail me. Thanks

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]
RE: [ActiveDir] RIS and RipRep
Did you slip-stream the service pack and hot fixes prior to the ris, or after you have pushed the image to the system? I believe that if you apply SP2 AFTER the install through ris, the image will NOT match the install.

-----Original Message-----
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 24, 2002 8:08 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Cc: 'Morin, Jon'
Subject: [ActiveDir] RIS and RipRep

I have loaded a machine via RIS and have applied appropriate Service Packs and Hot fixes. However, when I go to run RipRep (from the server that the original image was loaded from) I get this message:

"The server to which you chose to replicate this system does not contain a CD-based image. The Version of the CD-Based image on the server must match the version of the system you are attempting to copy. Select a different server or add a CD-based image to this server"

any ideas?

Joshua Morgan
PROFITLAB
Network Engineer
[EMAIL PROTECTED]
One is glad to be of service --Robin Williams (Bicentennial Man)--
RE: [ActiveDir] Weird Domain Error
This is the only thing I can find on this issue. Q179483. Hope it helps!

Error Msg: No More Connections Can Be Made At This Time

The information in this article applies to:
Microsoft Windows 2000, Professional
Microsoft Windows 2000, Server
Microsoft Windows 2000, Advanced Server
Microsoft Windows 2000, Datacenter Server
Microsoft Windows NT Workstation versions 3.51, 4.0
Microsoft Windows NT Server versions 3.51, 4.0
Microsoft Windows 95

SYMPTOMS
If you are using a computer that is running Windows NT or later, you may receive the following error message: "No more connections can be made at this remote computer at this time because there are already as many connections as the computer can accept." If you are using a computer that is running Windows 95, you may receive the following error message: "This request is not accepted by the network. Try again later."

CAUSE
You may be attempting to connect to a share that is configured to allow a specific number of connections, and that number of connections has been reached. Check the properties on the share on the server.

RESOLUTION
If the specified number of connections has been reached, increase the user limit or set the value to maximum allowed.

MORE INFORMATION
There are several other parameters that you can check when troubleshooting a problem with limited connections to the computer.

Verify that the computer is running a retail version of Windows NT or later. To verify this, check the Licensing tool in Control Panel and make sure that the following message does not appear: "Not available in NFR (Not for Resale)/MSDN Edition of Windows NT Server."

The server may be configured with Per Server licensing and the number of licenses may be exhausted. A quick check to see if this is the problem would be to turn off the License Logging Service on the computer.

Check to see if the server was configured by upgrading a computer running Windows NT Workstation to Windows NT Server. If it was, the following registry parameter may need to be increased from a hex value of 0xa (10) to 0x: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\Users

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 24, 2002 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird Domain Error

Anyone know if maybe there is a hotfix to get around this problem?

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thornley, Dave H
Sent: Thursday, January 24, 2002 12:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Weird Domain Error

Hi,

We had a similar problem some time ago, I can't remember the cause (I'm sure it wasn't licensing), but we fixed it by moving the master browser role to another server. The master browser role had been taken by an Exchange server, we moved it to a domain controller and that fixed the problem. You can check what computers are holding browser roles with BROWMON from the resource kit.

HTH
dave

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: 23 January 2002 22:03
To: ActiveDir
Subject: [ActiveDir] Weird Domain Error

I'm having a pretty weird error that I can't seem to figure out. Whenever I have a user go to network neighborhood and then view the entire contents of the network and then they click on the domain they get the message "AAII is not accessible - No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept". I can do a search for the domain controller and connect to it that way but not the other. Now I thought it was a license problem but it appears that I have the required amount of licenses. Anyone know what's wrong?

Thanks
Chris Hummert
Network Administrator - Albany Agency of Insurance
Webmaster for Noghri.net http://www.noghri.net
MS Beta tester ID #: 388366
Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us. - from Calvin and Hobbes
RE: [ActiveDir] OT: Data Recovery
Lost & Found is a pretty good recovery tool from PowerQuest software. The time frame doesn't matter, what matters is subsequent drive activity since the deletion. If those sectors have been written to, write off the data as a loss.

John A. Bjelke
AFRL\VSIO Business Support Analyst
UNISYS
Supporting AFRL Kirtland AFB, NM
505.853.6087
[EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam. Copula eam se non possit acceptare jocularum.

-----Original Message-----
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2002 8:06 AM
To: Exchange Discussions; '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Data Recovery

Does anyone know of any Data Recovery tools? To find Data that was deleted off a hard drive less than 24 hours ago?

Joshua Morgan
PROFITLAB
Network Engineer
PH: (864) 250-1350 Ext 133
[EMAIL PROTECTED]
"One is glad to be of service" --Robin Williams (Bicentennial Man)--
RE: [ActiveDir] OT: Data Recovery
You mean made by Execusoft, who also makes Diskeeper :^)

-Original Message-
From: Tom Meunier [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 22, 2002 8:27 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Data Recovery
sorry, I said Diskeeper; I meant Undelete(tm) which is made by Diskeeper. Need more coffee. http://www.diskeeper.com/undelete/undelete.asp -tom

-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 22, 2002 9:06 AM To: Exchange Discussions; '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Subject: [ActiveDir] OT: Data Recovery
Does anyone know of any Data Recovery tools? To find Data that was deleted off a hard drive less than 24 hours ago?
Joshua Morgan PROFITLAB Network Engineer PH: (864) 250-1350 Ext 133 [EMAIL PROTECTED] One is glad to be of service --Robin Williams (Bicentennial Man)--
RE: [ActiveDir] OT: Application monitor/Internet tracking?
There are a number of internet tracking applications out there that will track the amount of time connected to a given URL. I believe some proxies can be configured to do this as well. Have fun parsing those logs... I wouldn't want to do it. Sessionwall from SSi will do this and much much more... Sessionwall will even capture packet traffic and re-assemble it so that you can see everything someone does on your network. And I do mean everything. But it IS cost heavy. Then again, presenting said managers with a quote for Sessionwall might make them realize that this is something they don't want to do :^)
To absent friends, lost loves, old gods, and the season of mists. And may each and every one of us always give the Devil his due. -Gaiman
John A. Bjelke AFRL\VSIO Business Support Analyst UNISYS Supporting AFRL Kirtland AFB, NM 505.853.6087 [EMAIL PROTECTED]

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]] Sent: Friday, January 18, 2002 2:00 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Application monitor/Internet tracking?
We have a few users whose managers 'think' they are spending a lot of time surfing the web. They want to be able to see the amount of time the users are using IE. Since our proxy only tells them what pages they go to it doesn't say how long they spent reading that page. You're right, but the managers are asking for it. jb

-Original Message-
From: Benjamin Winzenz [mailto:[EMAIL PROTECTED]] Sent: Friday, January 18, 2002 3:54 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Application monitor/Internet tracking?
What are you hoping to accomplish with this? Find out which people are being unproductive? Find out how much company time is being wasted? Just curious. I think you are going to find that what you are wanting to do is really something that you don't want to do. If you know what I mean.
Ben Winzenz, MCSE Network/Systems Administrator Peregrine Systems

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]] Sent: Friday, January 18, 2002 3:29 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Application monitor/Internet tracking?
I'm looking for a way to monitor how long IE is open. Software that could monitor how long a program is the active window would work. We are trying to track how much time a user spends using the internet. We have a proxy setup but that only tells how much data was downloaded and which pages the user visited. It doesn't tell us how long they spent reading the page. My idea was to find a tool to record how long IE is the active window, this would give a better idea of internet usage. If anyone has any ideas, I would be very grateful. Thanks, jb
Jason Benway [EMAIL PROTECTED] 1250 S.Beechtree Grand Haven, MI 49417 616-847-8474 Fax: 616-850-1208
RE: [ActiveDir] AD Policy Logon Error
I have seen incorrect path statements in the environment settings cause vbs login scripts to bomb out. Compare the path statements on the ones that work to the ones that don't. This would especially be indicative if it is an "it used to work and now it doesn't" situation. Software installs often adjust the path statement without so much as a by your leave.
John A. Bjelke AFRL Business Support Analyst Unisys Supporting AFRL Kirtland AFB, NM 505.853.6087 [EMAIL PROTECTED] ==

-Original Message-
From: Mike Tonazzi [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 06, 2002 11:17 PM To: [EMAIL PROTECTED] Subject: AW: [ActiveDir] AD Policy Logon Error
We are using DHCP. I checked the DNS entries and they are correct. mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacqui Hurst Sent: Saturday, 5 January 2002 12:05 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Policy Logon Error
Have you checked that the DNS settings on these workstations are correct? We had a similar problem when workstations were added without the correct DNS suffix. Jacqui

-Original Message-
From: Mike Tonazzi [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Tonazzi Sent: 04 January 2002 07:38 To: ActiveDir Mailinglist (E-Mail) Subject: AD Policy Logon Error
Hi Guys Hope you started your 2002 well. I have the following problem: I have created several group policies related to OU's. In the group policy I have configured to execute a vb logon script when users log on. So far so good. Everything worked fine for at least nine months. But since two weeks or so, some workstations don't execute the logon script any more. If I try to logon with the same user on another workstation it works fine! Any Idea?
Best Regards, Mike
RE: [ActiveDir] Software Deployment:
James, unfortunately, the bulk of our experience has been in using SMS to push patches and updates. I really don't think building a new .msi file is the way you want to go. Slip-streaming the patches into the original installs has worked very well for us, and has allowed us to keep an updated version of office 2K, for example, up on a network share. Installing from this directory has eliminated the need for users to keep putting their cd's into the drive every time we patched office for the latest vulnerability, which was a real pain in the gluteus. Slip-streaming is discussed in depth at http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q271791, and I imagine one could use RIS to deploy it from a 2K server. You should also be able to set up a policy to force the local machines to run the windows critical updates on a schedule. As for the restart issues, I would send out notice to all the department heads saying "This installation is mandatory. Non-compliance will be reported to upper management" or some such garbage, and instruct them to leave all systems turned on and connected at a specific time. Depending on how you push the updates, you should be able to force a reboot at that time. You should also be able to give users a warning dialogue box telling them to save all work with a count down to reboot. If anything is incorrect here, please feel free to shoot me down! Hope this helps. -John

-Original Message-
From: Blair, James [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 11, 2001 5:13 AM To: 'ActiveDir ([EMAIL PROTECTED])' Subject: [ActiveDir] Software Deployment:
All, I am looking at rolling out security updates and patches etc. for Windows 2000, Office 2000 etc. I was hoping to utilise Intellimirror to do this but for the life of me can't figure out how to do it correctly. I initially tried an IE 6 rollout to a testbed using WInInstaller LE to create the *.msi file, after failing I then tried out SP2 for the OS, also with no luck.
Please could someone out there advise on the best way to do this as third party products seem to be the go but are generally not cheap. Microsoft says that it is trying to lower the total cost of ownership but having to keep investing in third party products is proving quite costly. Also, with the security updates etc. how the hell do you get *.msi's, *.mst's or *.msp's of these? The only way to get these seems to be through using the Critical Update Notification...we cannot expect users to do this themselves...One last issue...is there any way to cut down on the shut down and restarts? If I roll out IE 6 it will take a reboot, also SP2 for W2k requires a reboot, then SR1a for office will as well, most likely so will SP2 for Office. It would take at least a week of logins...and if someone is not in on the deployment day I know this is probably basic but if anyone can shed light on this please advise, I do not at this stage wish to use SMS 2.0. James
RE: [ActiveDir] Account Lockouts in mixed mode
Actually, we have seen similar issues in our mixed mode domain. Sometimes, it seems that there is a sync problem between pdc and bdc's. Other times, we have no clue why it is occurring to an individual over and over again. We have even gone so far as to delete and recreate accounts in AD for users experiencing repeated lock-outs. The only common thread seems to have been their accessing exchange through outlook. Users could log in after their account was unlocked, but later in the day they would be locked out again. Passwords were not being cached at all, and it was almost always a Win2kPro box that the user was logging on through. I am uncertain as to the exact cause(s), but recreating the user object has resolved the issues for users experiencing this.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 17, 2001 9:09 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Account Lockouts in mixed mode
We have a mixed mode AD (Single forest/single tree/single domain), with about 20 DCs and 35 BDCs. Accounts are administered centrally by a very small group, and they typically connect to the DC that holds the PDC FSMO to do all administrative tasks. Our account lockout policy locks accounts after three bad attempts. Over the past several months, we've seen a couple strange issues with account lockouts:

1. Once in a while, a user will be locked out again and again for no apparent reason. For example, they arrive at work, attempt to login, and are locked out. The admins unlock the account and the user logs in, but if you check the account later it is locked out again. If the user then logs out, they are unable to login because of the lock. We've seen this happen to a given user several times over a few days, then mysteriously disappear. Some users have a great deal of trouble with this; most never see it.
2. When an account is locked out, the admin will typically unlock it by going to the account tab on the user's object in Active Directory Users and Computers. In some cases, however, even after doing so the user is unable to logon. Since these folks are old-time NT admins, they will then often open User Manager for Domains and try unlocking the account from there. Strangely, they sometimes need to perform the unlock from BOTH tools before the user is able to logon. At first, I thought this was just a timing issue, or that they were looking at the account info on different servers, but I have seen with my own eyes cases where ADUC connected to the PDC emulator shows one lockout status, and User Manager for Domains shows another. I'm trying to get the admins away from User Manager for Domains altogether, but they don't trust 'Users and Computers' in this case. I've tried to explain that the NT Domain and the Active Directory Domain are the SAME THING, but they're not buying it when they see a different view in the two tools.

My questions:

1. Is anybody else having similar lockout problems? The Q articles on the subject don't seem to apply to this scenario.
2. When an admin uses User Manager for Domains, it obviously can make changes only at the (emulated) PDC. Does this mean that the lockout status it displays is the one stored on that server, or is it possible that it's displaying status read from a BDC?
3. Has anyone else seen a case where they had to unlock an account using both tools before the user could login?
4. Is there any other reason why attributes that are displayable in User Manager for Domains should NOT be IDENTICAL to the same attributes as displayed in Active Directory Users and Computers? In other words, does the PDC emulator store this data in a separate SAM that can somehow be temporarily out of sync with the AD, or is the PDC emulator a real-time conduit into the AD store?

Thanks for any ideas...
Dave Fugleberg
RE: [ActiveDir] Time Clock
ntp2.usno.navy.mil at 192.5.41.209
tock.usno.navy.mil at 192.5.41.41
John A. Bjelke AFRL\VSIO Business Support Analyst UNISYS Supporting AFRL Kirtland AFB, NM 505.853.6087 [EMAIL PROTECTED] === "Oh, you hate your job? Why didn't you say so? There's a support group for that. It's called EVERYBODY, and they meet at the bar." - Drew Carey

-Original Message-
From: Joe Baird [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 15, 2001 9:05 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Time Clock
Could someone give me the address of a sntp time server. I cannot remember the address to the navy clock I used to use. Thx
RE: [ActiveDir] Time Clock
Here is a page with a pretty up to date list of public primary NTP servers: http://www.eecis.udel.edu/~mills/ntp/clock1.htm

-Original Message-
From: Joe Baird [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 15, 2001 9:05 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Time Clock
Could someone give me the address of a sntp time server. I cannot remember the address to the navy clock I used to use. Thx
RE: [ActiveDir] Domain Controller with GC sizing?
Cindy, here's the link to the sizer tool. http://www.microsoft.com/windows2000/downloads/tools/sizer/default.asp
John A. Bjelke AFRL\VSIO Business Support Analyst UNISYS Supporting AFRL Kirtland AFB, NM 505.853.6087 [EMAIL PROTECTED]

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 24, 2001 10:08 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Domain Controller with GC sizing?
Please tell me where I can obtain this DC sizer? It sounds like it would be quite useful.

-Original Message-
From: Lori Demkovich [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 24, 2001 11:57 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Domain Controller with GC sizing?
Howard, it sounds like you asked for a one box solution. Did you sketch your domain and DC topology before using the tool? Your user counts will be spread across multiple DC/GCs - due to multiple sites. I haven't yet run the tool for your users as shown below but if I did, I would not be surprised at the calculation for one server servicing 4000 accounts.
Lori Demkovich MCSE, MCP Exchange 5.5 MCP Exchange 2000 Enterprise Architect Info Systems, Inc.

-Original Message-
From: Sockrider, Howard L. [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 24, 2001 11:18 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Domain Controller with GC sizing?
We have about 3500 PCs and use NT 4 and Exchange 5.5 today. There are about 4000 accounts with a good number of distribution lists. The DC sizer tool from MS indicates I need a quad CPU box with two arrays. Really?!? That could get very expensive depending on the domain model chosen and level of fault tolerance employed. What are the real world hardware guidelines for DCs and GC servers in a 3000-4000 user domain with several sites and Exchange 2k?
- Howard Sockrider Methodist Health Care System Manager - Email, Database, and Access Control