Re: [ActiveDir] Filter out a certain group of users from the GAL

[Kamlesh Parmar]

I think, it might due to placement of your specific filter, if you are
placing it among OR filters, some other filter might come true and return
the users. Instead put your specific filter  out of OR and along with AND.

So you might want to try it like this..

your current one is : & (X) (| (Y) (Z) (W))) so here if your specific
condition is say W then it won't help as, users you want to filter, may be
included in Y or Z.

You may want to convert it to   : & (X) (W) (| (Y) (Z))


--
Kamlesh
~
You teach best what you most need to learn.
~

On 12/21/06, Victor W. <[EMAIL PROTECTED]> wrote:


Thanks, this got me closer to the correct query. It sure saved me a lot of
tries, trying to get the query right using "(!attr=val)", instead of using
(!(attr=val). I however did not get to managed to get it working
completely.
Even with the (!(attr=val) The query outputs exactly the same.

The query below does perhaps look more complex than it in fact is. It is
in
fact the Default GAL from Exchange as it comes out of the box. I have been
trying to filter out a certain group from appearing in this GAL.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 19, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

I didn't look it over completely to see what you are doing but noticed the
(!attr=val) and wanted to comment on that specific piece...

When making AL filters, Exchange is picky and if you put in a ! you need
to
do use long form of (!(attr=val)) and not (!attr=val). While AD will not
have a problem with the filter, AD isn't interpreting that filter,
Exchange
is pulling everything from AD and doing the filtering itself. That is why
ESM will show you one result and what you really get could be something
completely different. I once got a crap answer from a Alliance Exchange
PSS
that someone made up about the RFC standards etc but that "reason" was, as
I
said, crap. It is just something you have to be aware of when working with
those filters.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Filter out a certain group of users from the GAL

I have been trying to filter out a certain group of users from the GAL,
these users should not appear in the GAL.

I have used the "!" sign but it looks simpler than it infact is.

This is the Default GAL:

(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!
(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)
(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&
(objectCategory=person)(objectClass=contact))(objectCategory=group)
(objectCategory=publicFolder)
(objectCategory=msExchDynamicDistributionList) ))

I want to exclude people who are a member of a group called "XYZ Users"
and thought about doing it with:

(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)

The complete query is now:

(& (mailnickname=*) (| (&(objectCategory=person)(!memberOf=CN=XYZ
Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)(objectClass=user)(!
(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)
(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&
(objectCategory=person)(objectClass=contact))(objectCategory=group)
(objectCategory=publicFolder)
(objectCategory=msExchDynamicDistributionList) ))

The above query outputs exactly the same objects as the first query,
the one of the Default GAL. So somehow the group is not being filtered
out.

Probably just me overlooking something.

Cheers,


Victor
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] Automatic user disable based on criteria

[Kamlesh Parmar]

Thats what I am using right now... :-)
but that doesn't take care of scenario, I described.

Let me give an example,

UserA created on Day1 with "Change Password on next logon"
UserA logs in on Day3 and changes password.
UserA forgets the password on Day7 and asks help desk to reset password
Help desk resets the password and sets "Change Password on next logon"

Now, around this time, before user logs in again, If scheduled script runs,
it will pickup this user as never logged on and disable it, as it fulfills
both criteria of filter.

Now this could be very small number of users, but when you have 500 accounts
created daily, even if 25 are affected and help desk can't help them, as
help desk don't have rights to enable/disable. User have to go through quite
a few hoops to get it enabled again. So Idea was just save those guys
unnecessary hassle, if it can be handled at script level.

--
Kamlesh

On 12/18/06, Brian Desmond <[EMAIL PROTECTED]> wrote:


 *If whenCreated > 7 days and pwdLastSet = 0 then they haven't logged in
yet…*

* *

*Thanks,*

*Brian Desmond*

[EMAIL PROTECTED]

* *

*c - 312.731.3132*

* *

*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar
*Sent:* Monday, December 18, 2006 12:19 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Automatic user disable based on criteria



Hi All,



DFL & FFL : Win2k-Native

DCs : Win2k3-SP1



User accounts are automatically provisioned as enabled with "Change
Password at Next logon". And management wants to disable new accounts which
have not logged into domain within next 7 days of creation. And they want it
to happen automatically.



I have problem at hand as I can't use LastLogonTimeStamp as DFL is not
supportive. I can't connect to each DC and search for lastlogon as number of
DCs are too large, can't go by "whenchanged", as that is generic attribute,
which could get changed for any other attribute also.



Any other attribute would help me?



Currently LDAP filter checks for account created on specific day (say
current day - 7) and whose "Change Password at next logon" is still ticked
i.e. pwdlastset=0



But this doesn't take care of scenario, where users are created on that
same day (current - 7) and logged into network, changed their password,
but around the time of running script, had forgotten password and helpdesk
had resetted their password and set "Change Password at next logon"



I hope I am not confusing you all. :-)



I know, simple solution would be to change criteria to say 15 days, raise
DFL and use LLTS, but I am taking this as a scripting challenge at
Win2k-native DFL.



Hey joe, is there a way to see replication meta data using adfind? ;-)

If yes, I could take a peek at originating date/time for attributes.


--

Kamlesh
~
You teach best what you most need to learn.
~





--
~
You teach best what you most need to learn.
~

[ActiveDir] Automatic user disable based on criteria

[Kamlesh Parmar]

Hi All,

DFL & FFL : Win2k-Native
DCs : Win2k3-SP1

User accounts are automatically provisioned as enabled with "Change Password
at Next logon". And management wants to disable new accounts which have not
logged into domain within next 7 days of creation. And they want it to
happen automatically.

I have problem at hand as I can't use LastLogonTimeStamp as DFL is not
supportive. I can't connect to each DC and search for lastlogon as number of
DCs are too large, can't go by "whenchanged", as that is generic attribute,
which could get changed for any other attribute also.

Any other attribute would help me?

Currently LDAP filter checks for account created on specific day (say
current day - 7) and whose "Change Password at next logon" is still ticked
i.e. pwdlastset=0

But this doesn't take care of scenario, where users are created on that same
day (current - 7) and logged into network, changed their password,
but around the time of running script, had forgotten password and helpdesk
had resetted their password and set "Change Password at next logon"

I hope I am not confusing you all. :-)

I know, simple solution would be to change criteria to say 15 days, raise
DFL and use LLTS, but I am taking this as a scripting challenge at
Win2k-native DFL.

Hey joe, is there a way to see replication meta data using adfind? ;-)
If yes, I could take a peek at originating date/time for attributes.

--
Kamlesh
~
You teach best what you most need to learn.
~

[ActiveDir] Can't validate trust

[Kamlesh Parmar]

In a small R & D setup of one group, having two domains and two way trust
between them.
xyz (win2k3) and abc.com (win2k)

While verifying a trust from xyz PDC, we got error that, domain controller
can't make a RPC call to PDC of domain abc.com.
And in network trace of it, it gives a SMB errors as
"STATUS_CANNOT_IMPERSONATE"

Has anyone seen this error?

We verified that,
1) DNS is working for both domains.
2) SMB signing parameters are matching.
3) Lmcompatibilitylevel registry key is matching.
4) restrictanonymous is set to 0 (just as a precaution)

--
Kamlesh
~
You teach best what you most need to learn.
~

Re: [ActiveDir] Join a Domain

[Kamlesh Parmar]

From Google search's top 10 result.. :-)


How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/kb/241515

SRV Records Missing After Implementing Active Directory and Domain Name
System
http://support.microsoft.com/kb/241505

What DNS entries (SRV Records) does Windows 2000/2003 add when you create a
domain?
http://www.petri.co.il/active_directory_srv_records.htm

To verify the DNS resource records needed to join an Active Directory domain
using nslookup
http://technet2.microsoft.com/WindowsServer/en/library/70919369-262d-491d-89d9-c45d7654b32c1033.mspx?mfr=true

--
Kamlesh

On 12/12/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


Based on that, you *should* have other issues going on with your domain
controllers.

That SRV record is a way for the client (your workstation you're trying to
join) to find the domain controllers in it's site. But it's not finding them
as expected, and therefore is unable to contact the domain.

You'll want to check your DNS server and a) make sure you're using the
proper one and b) ensure that the domain controllers are registering their
records properly.

Al

On 12/11/06, John <[EMAIL PROTECTED]> wrote:
>
>  There was an error in my one client machine to join a domain. Below
> are:
>
> "An error occurred when DNS was queried for the service location (SRV)
> resource record used to locate a domain controller for domain
> server-2.blackstallions.com.sa.
> The error was: "No records found for given DNS query."
> (error code 0x251D DNS_INFO_NO_RECORDS)
> The query was for the SRV record for _ldap._tcp.dc._msdcs.server-
> 2.blackstallions.com.sa"
>
> What does this SRV record means? There is something I need to
> re-configure in the server?
>
> Let me know expert.
> Thanks.
> John
>
> --
> Everyone is raving about the all-new Yahoo! Mail beta.
> 

>





--
~
You teach best what you most need to learn.
~

Re: [ActiveDir] OT: Possible Security Hole in RDP?

[Kamlesh Parmar]

If server and clients are in domain, you can disable the feature using group
policies.

Computer configuration > Administrative Templates > Windows Components >
Terminal Services > Client / Server data redirection > "Do not allow drive
redirection"

--
Kamlesh

On 10/10/06, Dan DeStefano <[EMAIL PROTECTED]> wrote:


 I should have mentioned that my RDP connection to the TS was as a normal
user as well.



Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
  --

*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Peter Johnson
*Sent:* Tuesday, October 10, 2006 8:40 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Possible Security Hole in RDP?



If the RDP session is being created to the target server with Admin
privileges and that account also has admin privileges on your machine then I
would suspect that this is what happening here. I.E. the connection is
back to your PC from the server, under the credentials you logged in with,
and not from your PC to the server under your local credentials.



Anyone else got any ideas??



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Dan DeStefano
*Sent:* 10 October 2006 14:10
*To:* ActiveDir@mail.activedir.org
*Cc:* [EMAIL PROTECTED]
*Subject:* [ActiveDir] OT: Possible Security Hole in RDP?



I have noticed something with Terminal Services and RDP that is
concerning.



I am using a notebook on which I am just a normal user (I do not log on as
administrator unless absolutely necessary).

I create an RDP connection to a WS2k3 terminal server and choose to make
the notebook's local disks available on the terminal server.

I can then browse through my notebook's hard drive with impunity. I can
access all files and folders to which I should not have any access at all,
including the administrator profile. However, it does take very long to open
these files/folders.



I am sure this is a known issue, I just haven't read about it anywhere.

Does anyone know if there is a way to mitigate this other than setting
group policy to not allow local disks to connect to the terminal server?









Dan DeStefano
*Info-lution Corporation*
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender,
disregard any content  and remove it from your possession.





*Disclaimer:* The Development Bank of Southern Africa exercises no control
over information contained in any e-mail message originating from within the
organisation. The Bank makes no representation relating to the completeness
or accuracy and accepts no responsibility for any loss, damage or liability
that is incurred by reliance on the content hereof by the recipient or any
other party. Each page attached hereto must also be read in conjunction with
any disclaimer, which forms part of it.

*Confidentiality:* The e-mail is privileged and confidential and for use
of the addressee only. Should you have received this e-mail in error, please
return it to [EMAIL PROTECTED]<[EMAIL PROTECTED]>.
 Dissemination, disclosure, copying or any similar actions of the content of
this e-mail is strictly prohibited.


Dan DeStefano
*Info-lution Corporation*
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender,
disregard any content  and remove it from your possession.







--
~
You teach best what you most need to learn.
~

Re: [ActiveDir] Renaming sites

[Kamlesh Parmar]

We just did it,

In transition period, we saw clients wandering over WAN links, and not
connecting to DC in same renamed site, after restarting the DC, clients
returned back to renamed site DC.[1]

Procedure:
1. Rename the site
2. Verify it is replicated to all DCs in that site
3. Restart DCs one by one,
4) After restart verify that DC is publishing the SRV records under new
sitename, and has changed its sitename, (DynamicSiteName value in registry),
or nltest /dsgetsite
5. And if needed restart all the machines in that site.

--
Kamlesh

[1] No this is not the issue, for which I have a open question in the list.

On 12/5/06, Huber, Rob (HNI Corp) <[EMAIL PROTECTED]> wrote:


 Does anyone know of any issue with renaming sites?  For example, if we
change the site call Chicago to ChicagoIL, what issues could arise?  I
expect that since the GUID is not changes that there will not be a problem.
How about if we use SMS??





--
~
You teach best what you most need to learn.
~

Re: [ActiveDir] Bulk of client going to PDC

[Kamlesh Parmar]

Yes checked the correct subnets are attached to correct sites.
All clients are connected via Ethernet 100/Full Duplex.

Its like mass exodus of swarm of computers,  going to PDCe, and in turn
choking the WAN links.
It happened like once a day.. and everyday it would be random site.

Have asked different site people to install netmon on some PCs and keep it
running..on Monday..hoping that one of those sites.. and in them.. one of
those PCs misbehaves.

Anything else, I should look at?

--
Kamlesh

On 12/2/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


Site definitions - are your site definitions up to date?

How are your clients connected - Are they ethernet, 802.11x, tokenring, ??




On 12/2/06, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
>
> Am sorry, I didn't follow what you are asking.. could you be more
> specific.
>
> On 12/2/06, Al Mulnick <[EMAIL PROTECTED] > wrote:
> >
> > How are your clients connected? Site definitions?
> >
> > On 12/1/06, Kamlesh Parmar <[EMAIL PROTECTED] > wrote:
> > >
> > > Appreciate the efforts taken.
> > >
> > > AFAIK, this would be more of a DFS issue then authentication, as
> > > clients are pulling policies and files from PDCe.
> > >
> > > When I look into details of DFS link targets for sysvol or netlogon,
> > > PDCe is listed as distance 9th in the list of servers which clients should
> > > contact in case there primary link target failed.
> > >
> > > And this happens so randomly, from clients that I am not able to
> > > setup a network trace also.
> > >
> > >
> > > --
> > > Kamlesh
> > >
> > >  On 12/1/06, Thomas Michael Heß <[EMAIL PROTECTED] > wrote:
> > > >
> > > >  Hi Kamlesh,
> > > >
> > > >
> > > >
> > > > first of all, iwould enable the logging of the Netlogon Service.
> > > >
> > > > I ve found an article in the WindowsITPro
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > *The Netlogon service is one of the key Local Security Authority
> > > > (LSA) processes that run on every Windows domain controller. When you
> > > > troubleshoot authentication problems, analyzing the Netlogon service log
> > > > files can be useful. How do I turn Netlogon service logging on and off, 
and
> > > > how do I analyze the content of the Netlogon log files? *
> > > >
> > > > To turn on Netlogon service logging, type the following Nltest
> > > > command at the command line:
> > > >
> > > > *nltest /dbflag:2080*
> > > >
> > > > Enabling Netlogon service logging requires that you restart the
> > > > Netlogon service. To do so, use the Net Stop Netlogon and Net Start 
Netlogon
> > > > commands. To disable netlogon service logging, type:
> > > >
> > > > *nltest /dbflag:0*
> > > >
> > > > Then, restart the Netlogon service again. The Netlogon service
> > > > stores log data in a special log file called netlogon.log, in the
> > > > %Windir%\debug folder.
> > > >
> > > > Two utilities are useful in querying the Netlogon log files:
> > > > Nlparse.exe and Findstr.exe. Nlparse.exe is a GUI tool that comes
> > > > with Microsoft Account Lockout tools. You can download Account Lockout 
tools
> > > > for free from the Microsoft Web site as part of the "Account Lockout and
> > > > Management Tools" ALTools.exe file at
> > > > 
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en.
 Figure
> > > > 1 <http://www.winnetmag.com/Files/42850/Figure_01.gif> shows the
> > > > Nlparse GUI, which contains the most common Netlogon error codes and 
their
> > > > meaning. Nlparse stores the output of its queries in two files in the
> > > > %Windir%\debug folder: netlogon.log-out.scv and
> > > > netlogon.log-summaryout.txt. *. . .*
> > > >
> > > > HtH
> > > >
> > > > Thomas
> > > >
> > > >
> > > >  --
> > > >
> > > > *Von:* [EMAIL PROTECTED] [mailto:
> > > > [EMAIL PROTECTED] * Im Auftrag von *Kamlesh
> > > > Parmar
> > > > *Gesendet:* Donnerstag, 30. November 2006 20:51
> > > > *An:* ActiveDir@mail.activedir.org
> > > > *Betreff

Re: [ActiveDir] Bulk of client going to PDC

[Kamlesh Parmar]

Am sorry, I didn't follow what you are asking.. could you be more specific.

On 12/2/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


How are your clients connected? Site definitions?

On 12/1/06, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
>
> Appreciate the efforts taken.
>
> AFAIK, this would be more of a DFS issue then authentication, as clients
> are pulling policies and files from PDCe.
>
> When I look into details of DFS link targets for sysvol or netlogon,
> PDCe is listed as distance 9th in the list of servers which clients should
> contact in case there primary link target failed.
>
> And this happens so randomly, from clients that I am not able to setup a
> network trace also.
>
>
> --
> Kamlesh
>
>  On 12/1/06, Thomas Michael Heß <[EMAIL PROTECTED] > wrote:
> >
> >  Hi Kamlesh,
> >
> >
> >
> > first of all, iwould enable the logging of the Netlogon Service.
> >
> > I ve found an article in the WindowsITPro
> >
> >
> >
> >
> >
> > *The Netlogon service is one of the key Local Security Authority (LSA)
> > processes that run on every Windows domain controller. When you troubleshoot
> > authentication problems, analyzing the Netlogon service log files can be
> > useful. How do I turn Netlogon service logging on and off, and how do I
> > analyze the content of the Netlogon log files? *
> >
> > To turn on Netlogon service logging, type the following Nltest command
> > at the command line:
> >
> > *nltest /dbflag:2080*
> >
> > Enabling Netlogon service logging requires that you restart the
> > Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon
> > commands. To disable netlogon service logging, type:
> >
> > *nltest /dbflag:0*
> >
> > Then, restart the Netlogon service again. The Netlogon service stores
> > log data in a special log file called netlogon.log, in the
> > %Windir%\debug folder.
> >
> > Two utilities are useful in querying the Netlogon log files:
> > Nlparse.exe and Findstr.exe. Nlparse.exe is a GUI tool that comes with
> > Microsoft Account Lockout tools. You can download Account Lockout tools for
> > free from the Microsoft Web site as part of the "Account Lockout and
> > Management Tools" ALTools.exe file at
> > 
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en.
 Figure
> > 1 <http://www.winnetmag.com/Files/42850/Figure_01.gif> shows the
> > Nlparse GUI, which contains the most common Netlogon error codes and their
> > meaning. Nlparse stores the output of its queries in two files in the
> > %Windir%\debug folder: netlogon.log-out.scv and
> > netlogon.log-summaryout.txt. *. . .*
> >
> > HtH
> >
> > Thomas
> >
> >
> >  --
> >
> > *Von:* [EMAIL PROTECTED] [mailto:
> > [EMAIL PROTECTED] * Im Auftrag von *Kamlesh Parmar
> > *Gesendet:* Donnerstag, 30. November 2006 20:51
> > *An:* ActiveDir@mail.activedir.org
> > *Betreff:* [ActiveDir] Bulk of client going to PDC
> >
> >
> >
> > Hi Guys,
> >
> > We are facing some strange issue, randomly clients from some sites are
> > going to PDCe for group policy refresh,along with screensaver and wallpaper
> > stored in netlogon.
> >
> > Clients are ignoring their nearest DC, and approaching PDCe.
> >
> > All DCs : Win2k3 SP1
> > All Clients: XP SP2
> >
> > I verified,
> > 1) DNS entries for site DC are correct.
> > 2) Netlogon and Sysvol folder of site DC are accessible.
> > 3) Verified the clients are authenticating with site DC by :
> > nltest.exe  /sc_query:DOMAIN
> > 4) Verified DFS info for netlogon and sysvol on clients is correct :
> > dfsutil.exe  /pktinfo
> >
> > I am clueless where else, should I look?
> >
> > --
> > Kamlesh
> > ~
> > You teach best what you most need to learn.
> > ~
> >
>
>
>
> --
> ~
> You teach best what you most need to learn.
> ~
>





--
~
You teach best what you most need to learn.
~

Re: [ActiveDir] Bulk of client going to PDC

[Kamlesh Parmar]

:-), I forgot to mention, the  desktops on which  I checked, site  DC is
always listed as first  choice in DFS. So I have to guess  "feature" is
already enabled.

Also, that KB says, it is applicable to Windows 2003  gold , and we have SP1
on all servers.
That also would mean that "feature" is already included in SP1 and is
enabled.
--
Kamlesh

On 12/2/06, David Cliffe <[EMAIL PROTECTED]> wrote:


 Understood :-)   But what about the "feature" that can be used with the
more recent versions?  It's described at the bottom of the article (you'd
have to modify the registry on each applicable DC).  I wonder if that would
help in your case?

-DaveC

 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar
*Sent:* Friday, December 01, 2006 12:29 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Bulk of client going to PDC

 I checked the file version of dfssvc.exe and dfs.sys on my site DCs, they
are higher than the one mentioned in the KB article. So point in looking at
that fix.


--
Kamlesh


On 12/1/06, David Cliffe <[EMAIL PROTECTED]> wrote:
>
>  Hi Kamlesh,
>
> I'm not necessarily recommending this as a fix, but wondering if
> you've seen it yet and if would apply?
>
> http://support.microsoft.com/kb/831201/en-us
>
> -DaveC
>
>  ------
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar
> *Sent:* Thursday, November 30, 2006 2:51 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Bulk of client going to PDC
>
>  Hi Guys,
>
> We are facing some strange issue, randomly clients from some sites are
> going to PDCe for group policy refresh,along with screensaver and wallpaper
> stored in netlogon.
>
> Clients are ignoring their nearest DC, and approaching PDCe.
>
> All DCs : Win2k3 SP1
> All Clients: XP SP2
>
> I verified,
> 1) DNS entries for site DC are correct.
> 2) Netlogon and Sysvol folder of site DC are accessible.
> 3) Verified the clients are authenticating with site DC by : nltest.exe
> /sc_query:DOMAIN
> 4) Verified DFS info for netlogon and sysvol on clients is correct :
> dfsutil.exe  /pktinfo
>
> I am clueless where else, should I look?
>
> --
> Kamlesh
> ~
> You teach best what you most need to learn.
> ~
>
>
>
> This email was sent to you by Reuters, the global news and information
> company.
> To find out more about Reuters visit www.about.reuters.com
>
> Any views expressed in this message are those of the individual sender,
> except where the sender specifically states them to be the views of Reuters
> Ltd.
>



--
~
You teach best what you most need to learn.
~



This email was sent to you by Reuters, the global news and information
company.
To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of Reuters
Ltd.





--
~
You teach best what you most need to learn.
~

Re: [ActiveDir] Bulk of client going to PDC

[Kamlesh Parmar]

Appreciate the efforts taken.

AFAIK, this would be more of a DFS issue then authentication, as clients are
pulling policies and files from PDCe.

When I look into details of DFS link targets for sysvol or netlogon, PDCe is
listed as distance 9th in the list of servers which clients should contact
in case there primary link target failed.

And this happens so randomly, from clients that I am not able to setup a
network trace also.


--
Kamlesh

On 12/1/06, Thomas Michael Heß <[EMAIL PROTECTED]> wrote:


 Hi Kamlesh,



first of all, iwould enable the logging of the Netlogon Service.

I ve found an article in the WindowsITPro





*The Netlogon service is one of the key Local Security Authority (LSA)
processes that run on every Windows domain controller. When you troubleshoot
authentication problems, analyzing the Netlogon service log files can be
useful. How do I turn Netlogon service logging on and off, and how do I
analyze the content of the Netlogon log files?*

To turn on Netlogon service logging, type the following Nltest command at
the command line:

*nltest /dbflag:2080*

Enabling Netlogon service logging requires that you restart the Netlogon
service. To do so, use the Net Stop Netlogon and Net Start Netlogon
commands. To disable netlogon service logging, type:

*nltest /dbflag:0*

Then, restart the Netlogon service again. The Netlogon service stores log
data in a special log file called netlogon.log, in the %Windir%\debug
folder.

Two utilities are useful in querying the Netlogon log files: Nlparse.exeand
Findstr.exe. Nlparse.exe is a GUI tool that comes with Microsoft Account
Lockout tools. You can download Account Lockout tools for free from the
Microsoft Web site as part of the "Account Lockout and Management Tools"
ALTools.exe file at
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en.
Figure 1 <http://www.winnetmag.com/Files/42850/Figure_01.gif> shows the
Nlparse GUI, which contains the most common Netlogon error codes and their
meaning. Nlparse stores the output of its queries in two files in the
%Windir%\debug folder: netlogon.log-out.scv and
netlogon.log-summaryout.txt. *. . .*

HtH

Thomas


 --

*Von:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *Im Auftrag von *Kamlesh Parmar
*Gesendet:* Donnerstag, 30. November 2006 20:51
*An:* ActiveDir@mail.activedir.org
*Betreff:* [ActiveDir] Bulk of client going to PDC



Hi Guys,

We are facing some strange issue, randomly clients from some sites are
going to PDCe for group policy refresh,along with screensaver and wallpaper
stored in netlogon.

Clients are ignoring their nearest DC, and approaching PDCe.

All DCs : Win2k3 SP1
All Clients: XP SP2

I verified,
1) DNS entries for site DC are correct.
2) Netlogon and Sysvol folder of site DC are accessible.
3) Verified the clients are authenticating with site DC by : nltest.exe
/sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on clients is correct :
dfsutil.exe  /pktinfo

I am clueless where else, should I look?

--
Kamlesh
~
You teach best what you most need to learn.
~





--
~
You teach best what you most need to learn.
~

Re: [ActiveDir] Bulk of client going to PDC

[Kamlesh Parmar]

I checked the file version of dfssvc.exe and dfs.sys on my site DCs, they
are higher than the one mentioned in the KB article. So point in looking at
that fix.


--
Kamlesh


On 12/1/06, David Cliffe <[EMAIL PROTECTED]> wrote:


 Hi Kamlesh,

I'm not necessarily recommending this as a fix, but wondering if
you've seen it yet and if would apply?

http://support.microsoft.com/kb/831201/en-us

-DaveC

 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar
*Sent:* Thursday, November 30, 2006 2:51 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Bulk of client going to PDC

 Hi Guys,

We are facing some strange issue, randomly clients from some sites are
going to PDCe for group policy refresh,along with screensaver and wallpaper
stored in netlogon.

Clients are ignoring their nearest DC, and approaching PDCe.

All DCs : Win2k3 SP1
All Clients: XP SP2

I verified,
1) DNS entries for site DC are correct.
2) Netlogon and Sysvol folder of site DC are accessible.
3) Verified the clients are authenticating with site DC by : nltest.exe
/sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on clients is correct :
dfsutil.exe  /pktinfo

I am clueless where else, should I look?

--
Kamlesh
~
You teach best what you most need to learn.
~



This email was sent to you by Reuters, the global news and information
company.
To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of Reuters
Ltd.





--
~
You teach best what you most need to learn.
~

Re: [ActiveDir] Bulk of client going to PDC

[Kamlesh Parmar]

on PDCe I am looking at sessions and open files in fsmgmt.msc, which
lists down the client machines with IP, then I am verifying the site
of each connecting IP using ATSN.exe from joeware.

Also, our network team had complained that network link is getting
choked, and as a proof gave list of source and destination IPs with
ports. This list contains the remote site client IPs and PDCe IP
communicating to each other.

~~
Kamlesh

On 12/1/06, David Adner <[EMAIL PROTECTED]> wrote:

How are you determining the clients are utilizing the PDCE for these
activities?  A network trace from the client may prove useful.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Thursday, November 30, 2006 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk of client going to PDC



Hi Guys,

We are facing some strange issue, randomly clients from some sites are going
to PDCe for group policy refresh,along with screensaver and wallpaper stored
in netlogon.

Clients are ignoring their nearest DC, and approaching PDCe.

All DCs : Win2k3 SP1
All Clients: XP SP2

I verified,
1) DNS entries for site DC are correct.
2) Netlogon and Sysvol folder of site DC are accessible.
3) Verified the clients are authenticating with site DC by : nltest.exe
/sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on clients is correct :
dfsutil.exe  /pktinfo

I am clueless where else, should I look?

--
Kamlesh
~
You teach best what you most need to learn.
~






--
~
You teach best what you most need to learn.
~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

[ActiveDir] Bulk of client going to PDC

[Kamlesh Parmar]

Hi Guys,

We are facing some strange issue, randomly clients from some sites are going
to PDCe for group policy refresh,along with screensaver and wallpaper stored
in netlogon.

Clients are ignoring their nearest DC, and approaching PDCe.

All DCs : Win2k3 SP1
All Clients: XP SP2

I verified,
1) DNS entries for site DC are correct.
2) Netlogon and Sysvol folder of site DC are accessible.
3) Verified the clients are authenticating with site DC by : nltest.exe
/sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on clients is correct :
dfsutil.exe  /pktinfo

I am clueless where else, should I look?

--
Kamlesh
~
You teach best what you most need to learn.
~

Re: [ActiveDir] splitting a domain into two

[Kamlesh Parmar]

Thanks, I have already been suggested that option in a private mail... and I think, it might be way more feasible than earlier adventurous idea. :-)Just in case, someone needs it, here is the link, for AD replication over VPN
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx
--KamleshOn 9/18/06, Rich Milburn <[EMAIL PROTECTED]> wrote:














You said both sites
have Internet connectivity, can you not configure replication through a VPN
between the sites?  A lot of implementations have replication across firewalls
in that manner.  And if not, what about dial-up between them?  700 users to
what, maybe 2000 objects – that's not a lot of replication traffic to keep the
DCs in the two sites in sync.  I'd surely think that would be easier to work
out than breaking up your domain and dealing with the aftermath…

 

Rich

 









From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Saturday, September 16, 2006
8:34 PM
To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] splitting
a domain into two



 



Yeah.  See the problem with that "policy" concept is
that in your environment you've already noticed that good ideas are seldom
given a chance to live long enough to make it to your level :)





 





That said, I would think it's extremely dangerous to try and break it
like that.  Although, it could work, the risk is pretty high that your
networks will be connected long before you have a chance to decommission the
domains leaving you with a potentially difficult name resolution issue to
resolve. There would likely be much wailing and gnashing of teeth as well. 





 





I think in this case, option 3 would be preferred: 





3) Leave the domains alone and allow the break of network to occur.
When the WAN links are created to the central hub, migrate as fast as your legs
will carry you.  Remember that at that time, your replication will likely
resume.  Try to keep a change freeze as long as you can if the networks
will be able to see each other. 





 





It might not be a bad idea to check on the tombstone time and raise
that if you can.  WAN links are known to take longer to bring up than any
planning might assume. Put another way, network folks tend to be overly
optimistic when it comes to timing of WAN link configurations. 





 





Be sure to communicate as much as possible about the risks and
tradeoffs.  That way you can stick your tongue out later and sing, "I
told ya so!" at the top of your lungs (likely after work and out of
earshot of those that might take offense, but you can at least do so with a
clear conscience.) 






 





 





My $0.04 (USD) anyway. 





 





Al
 





On 9/16/06, Kamlesh
Parmar <[EMAIL PROTECTED]>
wrote: 





Well :-)





I suppose, you are looking at tiny figure of 300 users and why not
choosing option 1 straight away.





If only every IT manager was as forceful and articulate about danger of
short term decisions as you are.
 





About migrating to corporate domain, that is achievable as both sites
are not going to get links simultaneously





so who ever gets link first, it gets migrated first with security
translation as preferred method, and we basically have a policy to remove
sidhistory along with demotion of old domain. And here it will be
serialized migration one after another rather than simultaneous. 





 





Assumption here being, once the trust with one domain is established,
machines migrated, trust broken. 





I suppose creating trust again with same domain name at different site should
not be a issue.





 





--









Kamlesh
 









On 9/16/06, joe
<[EMAIL PROTECTED]>
wrote: 





First impression: Yuck.

 

The main thing that caught my attention is
the "migrate into a corporate domain at a later time". I assume you
mean both of these "separated" domains would be migrated? If so, how
do you plan to do the migration? You won't be able to have name res for the
trusts, even if you could you would most likely run into SID issues if you
maintained SID History. 



 



--

O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 

 



 



 







From: 
[EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On
Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006
4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] splitting a
domain into two

 





Dear All,

Scenario : 
Single regional domain , two sites , both sites having separate links to
Internet and direct WAN connectivity with each other.
AD Integrated DNS
site1: 300 users
site2: 400 users 

Now, due to restructuring, they have decided to get rid of WAN link joining the
two sites immediately, as both sites will have separate individual WAN
connectivity with some corporate hub site. And this domain will be migrated to
corporate domain i

Re: [ActiveDir] splitting a domain into two

[Kamlesh Parmar]

Well :-)
I suppose, you are looking at tiny figure of 300 users and why not choosing option 1 straight away.
If only every IT manager was as forceful and articulate about danger of short term decisions as you are. 
About migrating to corporate domain, that is achievable as both sites are not going to get links simultaneously
so who ever gets link first, it gets migrated first with security translation as preferred method, and we basically have a policy to remove sidhistory along with demotion of old domain. And here it will be serialized migration one after another rather than simultaneous.

 
Assumption here being, once the trust with one domain is established, machines migrated, trust broken. 
I suppose creating trust again with same domain name at different site should not be a issue.
 
--
Kamlesh 
On 9/16/06, joe <[EMAIL PROTECTED]> wrote:



First impression: Yuck.
 
The main thing that caught my attention is the "migrate into a corporate domain at a later time". I assume you mean both of these "separated" domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts, even if you could you would most likely run into SID issues if you maintained SID History. 

 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Friday, September 15, 2006 4:57 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] splitting a domain into two 

Dear All,Scenario : Single regional domain , two sites , both sites having separate links to Internet and direct WAN connectivity with each other.AD Integrated DNSsite1: 300 userssite2: 400 users
Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to corporate domain in due course. 
Problem here is the WAN connectivity to hub site will be commissioned at different times (one month apart) and they want to get rid of WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' Internet link. 
Now issue is, what to do about AD Domain? as DCs will lose the direct network connectivity.Solution we are looking at is 1) Migrate one of the locations into separate domain, and thus break the dependence of both sites on single domain. 
2) Just break the network link as requested and here comes the crummy part :)    instead of migrating one of the site to new domain, you just split the domain into two isolated networks, where each site DC will  think it is the only DC handling all the stuff for that domain. 
Basically, 1) break the link 2) Point DC to themselves for DNS 3) seize all the roles 4) do meta data & DNS cleanup of other DCnet result : each DC believes they own the domain. Just make sure they don't talk to each other directly ever. 
Now, Any foreseeable issues with 2nd approach.Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.-- Kamlesh~ 
Short-term actions X time = long-term accomplishments.~ 
-- ~Short-term actions X time = long-term accomplishments.~ 

Re: [ActiveDir] Block Inheritance on DC OU

[Kamlesh Parmar]

Agreed, And I don't believe somehow policies become easier to troubleshoot with exclusions, specially in a very large environment with high level of delegation coupled with varying level of skill sets.
 
In fact the way "Enforced" or "Block Policy" are visually marked in GPMC console, I wish there was 
something to visually point at particular policy with explicit exclusions. or it would have been easier if they had
given another Area on Scope tab between "security filtering" and "WMI Filtering" stating the explicit exclusions.
 
--
Kamlesh
 
On 9/16/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:



Yes, but there are times when you want to affect all machines or users in a domain and its a pain to have to link those policies to every OU. Domain-linked GPOs are useful but you do have to be explicitly aware of what you're targeting. That's why I like using explicit security group filtering rather than implicit blocking or enforcing. Its easier to troubleshoot (esp. on Win2K without RSOP). 

 
Darren
 


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Derek HarrisSent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU 


It seems to me that a better solution is to only put the password policy into the default domain GPO, and create a separate GPO for any other settings to apply to the OUs. 



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Friday, September 15, 2006 2:38 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Block Inheritance on DC OU 
Well at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings.So they didn't wanted many of those GPOs to be applied to domain controllers. 
Above that, they have "block inheritance" enabled at various sub-OU levels.So only thing we could come up with to achieve what we wanted was to.1) Block policy at DC OU2) Create Password Policy at Domain level and enforce it. 
This helped for keeping a consistent password policy across all OUs and Domain.And also "saving" DCs from domain level general purpose GPOs.Long term, soln is to rethink the OU structure.
Kamlesh
On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]
> wrote: 



Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful. 

 
Darren


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of WATSON, BENSent: Wednesday, September 13, 2006 9:37 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Block Inheritance on DC OU 



The company I am currently working for has "block inheritance" enabled for the Domain Controller's OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

 
Although I am curious, what sort of ramifications does enabling "block inheritance" on the Domain Controller's OU pose?  And what reason would you have to enable this setting on the Domain Controller's OU?  With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

 
Thanks as always for your input,
~Ben
-- ~Short-term actions X time = long-term accomplishments.~ 
-- ~Short-term actions X time = long-term accomplishments.~ 

[ActiveDir] splitting a domain into two

[Kamlesh Parmar]

Dear All,Scenario : Single regional domain , two sites , both sites having separate links to Internet and direct WAN connectivity with each other.AD Integrated DNSsite1: 300 userssite2: 400 users
Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to corporate domain in due course.
Problem here is the WAN connectivity to hub site will be commissioned at different times (one month apart) and they want to get rid of WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' Internet link.
Now issue is, what to do about AD Domain? as DCs will lose the direct network connectivity.Solution we are looking at is 1) Migrate one of the locations into separate domain, and thus break the dependence of both sites on single domain.
2) Just break the network link as requested and here comes the crummy part :)    instead of migrating one of the site to new domain, you just split the domain into two isolated networks, where each site DC will  think it is the only DC handling all the stuff for that domain.
Basically, 1) break the link 2) Point DC to themselves for DNS 3) seize all the roles 4) do meta data & DNS cleanup of other DCnet result : each DC believes they own the domain. Just make sure they don't talk to each other directly ever.
Now, Any foreseeable issues with 2nd approach.Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.-- Kamlesh~
Short-term actions X time = long-term accomplishments.~

Re: [ActiveDir] Block Inheritance on DC OU

[Kamlesh Parmar]

Well at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings.So they didn't wanted many of those GPOs to be applied to domain controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.So only thing we could come up with to achieve what we wanted was to.1) Block policy at DC OU2) Create Password Policy at Domain level and enforce it.
This helped for keeping a consistent password policy across all OUs and Domain.And also "saving" DCs from domain level general purpose GPOs.Long term, soln is to rethink the OU structure.
KamleshOn 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:







Well, the obvious effect is that it prevents domain-linked 
policies from being delivered correctly, including password policy. This is 
probably not desirable. I can't think of a good scenario where this would be 
useful. 
 
Darren


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, 
BENSent: Wednesday, September 13, 2006 9:37 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Block Inheritance on 
DC OU


The company I am currently working for has "block 
inheritance" enabled for the Domain Controller's OU and apparently whoever 
enabled this setting is no longer with the company (or they won't fess up to why 
they did this).
 
Although I am curious, what sort of ramifications does 
enabling "block inheritance" on the Domain Controller's OU pose?  And what 
reason would you have to enable this setting on the Domain Controller's 
OU?  With any other OU, it would be fairly obvious, but being that these 
are the Domain Controllers it would seem to be a unique 
situation.
 
Thanks as always for your input,
~Ben

-- ~Short-term actions X time = long-term accomplishments.~

Re: [ActiveDir] Migration without domain admin rights possible?

[Kamlesh Parmar]

Thanks Guido,
 
Really appreciate the time you have taken to write that systematic plan. :-) 
-- 
Kamlesh~"Never confuse movement with action."~  
On 7/28/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:




If the unit is this strongly separated from the rest of your forest and you have little dependencies on apps, this should be a fairly easy / straight forward migration. You should be able to achieve all steps with ADMT:

 
The re-ACLing (= security translation) is actually a very straight forward process – this is how I would go at it:
1.    Create some test accounts in source domain that you put into group used by the users to be migrated

a.    Log on to a few test clients in source domain so as to create user source domain profiles (make some changes so that you can differentiate the profile from a default profile)

2.    Migrate the units groups and users, but leave the users in the target domain disabled (except for some of the test-users)

a.    Users still logon to source domain

3.    With the trusts between source and target still in place, migrate the resources (servers)

a.    Users still logon to source domain and access resources across trust, using SIDs from source domain

4.    Perform 1st security translation on all resources (servers)

a.    Choose to ADD permissions
b.    Users still logon to source domain and access resources across trust, using SIDs from source domain

c.    Logon to a test computer in target domain with some of your test-accounts and check they also have access to servers (now using SIDs from target domain)

d.    If everything works, you are ready for activation of the target user accounts – ideally the next two steps would be coordinated that you only enable the users whose workstations you are migrating at the time (but often difficult to match user to workstation…)

5.    Perform security translation AND profile updates on all workstations in unit – again, use ADD permissions

a.    I personally prefer to do this prior to enabling the users and prior to migrating the computers – this way this step can be performed in the "background" without any direct impact on the users

b.    This also allows you (or them) to monitor how well they can reach their clients, check access issues etc.

c.    Ensure that the computer updates – especially profile updates – have worked by using some of your test accounts on clients in the source domain: let them logon with the target domain's account => they should at this point get the same user profile as before AND have access to the target servers

6.    Once a critical mass of computers has been updated, you are ready to enable your users in the target domain

7.    Now migrate the computers to target domain (those, where security translation has already been performed successfully)

a.    At this time there will be an impact to the users, since machines need to be rebooted – which is why you should communicate these activities to your users prior to performing this step

b.    After the computer migration, ADMT will have changed the default logon domain to the target domain 

c.    Users will now logon to the target domain and access resources with the new SIDs

d.    Add extra time for troubleshooting and fixing access issues…

8.    After all computers have been migrated, and all users of the unit logon to the target domain, you are ready to do the cleanup steps

a.    Cut the trusts between the domains (if this is what you want to achieve)

b.    Perform another security translation on all resources (servers and workstations) in the target domain => this time choose the REPLACE option

9.    Done – enjoy some champagne…
 
/Guido
 

From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent:
 Thursday, July 27, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migration without domain admin rights possible? 


 

Appreciate the quick response,

 

I was able to migrate groups, users without sIDhistory to target.

I also tried using clonepr.vbs, it also asks for admin rights on source.

And reading further, it made it clear that, can't populate sIDhistory through legitimate APIs without having admin rights on source domain.


 

So, now my hopes are based on security translation at each and every to be migrated resource.

 

I will read up about PES service, so that if possible passwords also can be migrated without admin rights.

 

In this case, no AD dependant app like exchange comes into picture. :-)

this is more of completely independent unit with their own groups, users and computers contained within one OU. So group membership related stuff won't be problematic. (at least it seems on initial inspection)


 

Anyway to make 2nd approach you mentioned more systematic and less painless?

subinacl? ADMT security translation wizard? 

 

Thanks once again for your response,

 

-- 

Kamlesh~~~

Re: [ActiveDir] Migration without domain admin rights possible?

[Kamlesh Parmar]

Appreciate the quick response,
 
I was able to migrate groups, users without sIDhistory to target.
I also tried using clonepr.vbs, it also asks for admin rights on source.
And reading further, it made it clear that, can't populate sIDhistory through legitimate APIs without having admin rights on source domain.

 
So, now my hopes are based on security translation at each and every to be migrated resource.
 
I will read up about PES service, so that if possible passwords also can be migrated without admin rights.
 
In this case, no AD dependant app like exchange comes into picture. :-)
this is more of completely independent unit with their own groups, users and computers contained within one OU. So group membership related stuff won't be problematic. (at least it seems on initial inspection)

 
Anyway to make 2nd approach you mentioned more systematic and less painless?
subinacl? ADMT security translation wizard? 
 
Thanks once again for your response,
 
-- 
Kamlesh~"Never confuse movement with action."~  
On 7/27/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:



you can migrate most objects from the source even without admin rights to them - the default auth. user already has plenty of permissions to read most attributes you would care to migrate.

 
You could still setup passwords migration without giving them domain admin privs to your source domain - you would install the PES server for them instead on one of your DCs (you'd need to exchange the PES key ofcourse).  

 
Migrating SID history on the other hand, requires admin privs on the source domain => while you can delegate SIDhistory migration to the target, I've always complained that you can't delegate it on the source.  Full control on the respective Users OU in your source domain is not enough.

 
But if they do their part right (i.e. reacl all their resources in a two step approach 1st add new acls prior to "activating" the target accounts, 2nd remove old acls after all users use the new accounts), they don't really need SIDhistory and can spare themselves from having to clean it up later.  

 
You'll still have the same challenges with apps as you always do and if you also use exchange, then migrating their mailboxes is a totally different story.  Another special challenge in your scenario is group migration => depending on how your security model is setup, they may very likel need to migrate groups that don't "belong" to them, but that they need to have access to their resources (and allowing to re-acl them). This doesn't mean that they need to migrate the members that don't belong to "their" unit, but they do need read permissions on most of your groups (which most users have by default anyways...).

 
/Guido


From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
] On Behalf Of Kamlesh ParmarSent: Thursday, July 27, 2006 9:27 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Migration without domain admin rights possible? 


Hi Guys,
 
We have a peculiar requirement, that one of the small group of around 300 users will be parting from corporate AD and will be setting up there own forest.
 
We will be using ADMT 3.0 for migration. 
source DFL & FFL : windows 2000 native
Target DFL & FFL : Windows 2003
Two way trust between domains.
 
We would be giving FULL control rights over those 300 users and their computers account to new admins of new forest.
also, they are added to local admins of those computers to be migrated. They have domain admins rights in Target domain.
 
We don't want to add them into administrators group on source domains (i.e. corporate AD)
 
Is it possible to migrate, users,groups and computers?
What will break, in migration?
I can think of, we will not be installing PES as a result so, NO password migration. anything else?
 
Thanking you in advance,-- 
Kamlesh~"Never confuse movement with action."~ 

Re: [ActiveDir] Migration without domain admin rights possible?

[Kamlesh Parmar]

Main point of migration is they don't want to lose their current workstation profile settings, and network share permission.
 
I have setup a test network, and without giving admin rights on source, I am able to migrate 
groups, users without sidHistory.I checked clonepr.vbs and stuff, but that also demands admin rights on source domain.
 
Without sidHistory, I am not sure, during transition, they will be able to access non-migrated server resources like file shares.
 
Yes, trust, and sidHistory will not be there after migration.
-- 
Kamlesh~"Never confuse movement with action."~ 
 
 
On 7/27/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


Just curious, but what was the point of migration? Why not create new in the target and have them adhere to your new company standards? 
 
As for what would break.  Hmm not sure you'd be able to read the information needed to perform the migration.  At a minimum you would want to grant them the full rights to the user account OU but without testing, I couldn't say for sure what would or would not break.  I don't think that's something I would even recommend given a similar situation.  I mean, what would they need sidHistory for anyway? The trust is going to likely go away, so they would access....?? 


 
Al 

On 7/27/06, Kamlesh Parmar <
[EMAIL PROTECTED]> wrote: 


Hi Guys,
 
We have a peculiar requirement, that one of the small group of around 300 users will be parting from corporate AD and will be setting up there own forest.
 
We will be using ADMT 3.0 for migration. 
source DFL & FFL : windows 2000 native
Target DFL & FFL : Windows 2003
Two way trust between domains.
 
We would be giving FULL control rights over those 300 users and their computers account to new admins of new forest.
also, they are added to local admins of those computers to be migrated. They have domain admins rights in Target domain.
 
We don't want to add them into administrators group on source domains (i.e. corporate AD)
 
Is it possible to migrate, users,groups and computers?
What will break, in migration?
I can think of, we will not be installing PES as a result so, NO password migration. anything else?
 
Thanking you in advance,-- 
Kamlesh~"Never confuse movement with action."~ 

[ActiveDir] Migration without domain admin rights possible?

[Kamlesh Parmar]

Hi Guys,
 
We have a peculiar requirement, that one of the small group of around 300 users will be parting from corporate AD and will be setting up there own forest.
 
We will be using ADMT 3.0 for migration. 
source DFL & FFL : windows 2000 native
Target DFL & FFL : Windows 2003
Two way trust between domains.
 
We would be giving FULL control rights over those 300 users and their computers account to new admins of new forest.
also, they are added to local admins of those computers to be migrated. They have domain admins rights in Target domain.
 
We don't want to add them into administrators group on source domains (i.e. corporate AD)
 
Is it possible to migrate, users,groups and computers?
What will break, in migration?
I can think of, we will not be installing PES as a result so, NO password migration. anything else?
 
Thanking you in advance,-- 
Kamlesh~"Never confuse movement with action."~ 

Re: [ActiveDir] Object Auditing

[Kamlesh Parmar]

You will find this blog entry by ericfitz helpful.http://blogs.msdn.com/ericfitz/archive/2006/03/07/545726.aspx
On 7/14/06, Matt Hargraves <[EMAIL PROTECTED]> wrote:
Well, you could always ACL your AD better and make it where only a small number (2 or 3 accounts) of users can make AD organizational changes.  Moving, creating and deleting OUs isn't necessary that often to where it's really all that necessary of a right for most admins.  I think that in our environment (with a very large number of OUs), I have only had maybe 1 or 2 occasions to ever move an OU, if that.
That being said... mistakes happen and these things are going to occur.  Hopefully very, very infrequently.There are tools out there to monitor AD for changes like this, I guess the question is whether it's worth the money or not.  It's possible that you might want to get them just so you can start monitoring and auditing your environment (which many organizations don't do).
On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] <
[EMAIL PROTECTED]> wrote:














You best bet to learn how to audit changes
is to standup a Virtual AD turn on Directory auditing, and Make the changes you
would like to track to see what event ID and messages are generated.  Then
you can use Microsofts Eventcombmt tool to search your DC's for the
information.

 

We use the Quest Intrust product here for
Monitoring and Auditing… At the parent level they used Netpro for AD
monitoring and Intrust for auditing, I think they want to switch to using the
NETPRO product for auditing though.  Both companies offer very good
solutions.  It is pretty hard to make a bad decision here.  There are
some advantages with regards to cross platform support with Intrust, but that
has nothing to do with AD.  The shop I am in now uses several platforms,
so that is what drove our decision.  

 

Todd

 









From: Grillenmeier,
Guido [mailto:[EMAIL PROTECTED]
] 
Sent: Thursday, July 13, 2006 3:23
PM
To: 
ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Object
Auditing



 

I'd have to check out myself if an OU
move is possible to audit with the built-in auditing events - I'm pretty sure
though it is possbile with AD specific auditing software such as NetPro's
ChangeAuditor AD and Quest's Intrust for AD.

 

you may also want to disable drag &
drop in your forest, simply by configuring the following (works for Win2003 SP1
- a pre-SP1 fix should be available as well):

o   
use
ADSIEDIT, LDP or equivalent tool

o   
locate
"flags" attribute of DisplaySpecifiers container in config. NC

·


set
bit 0 to 1

o   
drag
and drop now disabled

/Guido

 







From:


[EMAIL PROTECTED]
 [mailto:
[EMAIL PROTECTED]
] 
On Behalf Of Clay, Justin (ITS)
Sent: Donnerstag, 13. Juli 2006
20:25
To: 
ActiveDir@mail.activedir.org

Subject: [ActiveDir] Object
Auditing

Is it possible to audit the creation/deletion and more
importantly, the movement of OUs? One of our admins dragged and dropped an
entire OU into another OU that had a desktop lockdown GPO linked to it, thereby
locking down the PCs of a bunch of important people, and making them very
upset.

 

I have Account Management and Object Access auditing on, but
I don't see anything on any of our DCs that show anything about the OU or
any of its objects moving. Is there something else I need to enable to audit
these types of events? Is it even possible?

 

Thanks,

 

Justin
Clay
ITS Enterprise Services

 
Metropolitan Government
of Nashville and Davidson County 
 Howard School Building 
Phone: (615) 880-2573

 


 
  
  
  
  ITS ENTERPRISE SERVICES EMAIL NOTICE
  
  The information contained in this email and any attachments is confidential
  and may be subject to copyright or other intellectual property protection. If
  you are not the intended recipient, you are not authorized to use or disclose
  this information, and we request that you notify us by reply mail or
  telephone and delete the original message from your mail system.
  
 


 









-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Slow Links Not Recognized for Offline Files

[Kamlesh Parmar]

I think you can create a static sitename binding for those laptops usingcreate the registry entry "SiteName" under 
HKLM\system\current control set\services\netlogon\parametersand setting that value to be laptop's home site.On 6/22/06, 
Noah Eiger <[EMAIL PROTECTED]> wrote:Thanks to all. I was under the (apparently mistaken) impression that the
slow link for processing GPOs used the ping to the auth DC but that the slowlink for offline files would (imagine that) ping the server that was markedoffline. With an offline folder of any size, this constraint makes OLF
almost unusable in remote sites.I have seen batch files that use some logic to force the folder offline, butthis seems kludgey.Another thought: could I somehow peg the laptops to authenticate at their
home DCs? The auth would be less traffic than the redirected files.And, Darren two things: one, how do disable idle sync? And two, are thoserodents available as a Hotfix?Thanks.-- nme
P.S. Brian's email was blank for me too.-Original Message-From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]Sent: Thursday, June 22, 2006 8:19 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Slow Links Not Recognized for Offline FilesI've had the same problem with configuring slow link for offline files. Veryannoying when I'm at home, connected over VPN, and the damn thing insists on
synchronizing. Anyway, I've only had spotty success configuring that GPsetting below. I too set it very high and it still inconsistently wouldoccasionally try to sync. In the end I just disabled idle sync completely,
which seemed to solve the problem.In terms of the slow link detection process, the process (or at least thedetermination) is different for GP, user profiles and offline files. GPcurrently uses a lame-o mechanism with pings and yes, Neil is right that
Vista replaces this with the mysterious Network Location Awareness processthat is not well defined but apparently uses small rodents who run up thenetwork cable and ask secret questions of domain controllers to determine
how quickly they will respond. I suspect but I have not confirmed that userprofiles and offline files use a similar ping sequence but they do itagainst the user profile server or the offline file sync share. AFAIK there
is no way to see whether you have detected a slow link for offline files ornot. Gpresult only shows GP's slow link status.DarrenDarren Mar-EliaFor comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO tips, tools and whitepapers. Alsocheck out the Windows Group Policy Guide, a soup-to-nuts resource for GroupPolicy information.-Original Message-
From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]Sent: Thursday, June 22, 2006 6:26 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Slow Links Not Recognized for Offline Files
... Although this all changes in Vista.NLA is used instead, AFAIK.-Original Message-From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Brian DesmondSent: 22 June 2006 03:44To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow Links Not Recognized for Offline FilesNo AFAIK the slow link detection is measured by the ICMP latency pinging theDC.Thanks,Brian Desmond
[EMAIL PROTECTED]c - 312.731.3132> -Original Message-> From: [EMAIL PROTECTED] [mailto:
ActiveDir-> [EMAIL PROTECTED]] On Behalf Of Mark Parris> Sent: Wednesday, June 21, 2006 6:05 PM> To: ActiveDir.org> Subject: Re: [ActiveDir] Slow Links Not Recognized for Offline Files
>> If I recall the link speed is the network speed attached to the PC not> the WAN speed - so if it's a 100MB lan - that's the speed.>> I may be wrong, - but there is a world cup on and I have been drinking
> all evening, I have a dutch wife so currently I have two drink streams> and I am finding it hard to stay sober. Hic hic>>> -Original Message-
> From: "Noah Eiger" <[EMAIL PROTECTED]>> Date: Wed, 21 Jun 2006 15:26:15> To:> Subject: [ActiveDir] Slow Links Not Recognized for Offline Files>> Hi – First, this is sort of a follow up on a cold thread from last year. I> am having problems implementing the suggestions from last year..
 I have offline files / folder redirection enabled for My Documents.> The server files are stored at each user's "home" Site. When laptop> users go to a site different from their home, their redirected folders
> see the home server and access it directly – that is they do not go> offline. The laptops authenticate locally at the new site. I have tried adjusting slow links for Offline Files (Computer>Admin
> Templates>Network>Offline Files>Configure Slow link speed). I have set> this limit very high (15 which should be around 15Mb) and made the> reg mods described in KB 811525. The link is still not seen as slow.
> Gpresult /v says it is not a slow link, but I think that might be to> the authenticating DC. Am I understanding thi

Re: [ActiveDir] OT: Changing OEM to VLK productID - really really impossible?

[Kamlesh Parmar]

I Have info for XP Try this...http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328874
http://www.microsoft.com/genuine/purchase/UpdateInstructions.aspxOr try this 3rd party stuffhttp://www.magicaljellybean.com/keyfinder.shtml
--KamleshOn 6/4/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:









Hi guys,


Just realised some of the DCs in my environment is built with OEM version and now am having problem upgrading them to R2 using vlk keys... is there any way at all to change it to vlk, unsupported way maybe?


Any help at all would be nice otherwise had to wiped out and rebuild 12 DCs because of this :(


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 




-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] view only rights on ADI DNS Zone

[Kamlesh Parmar]

:-) well... actually a debate is going about dynamic updates and scavenging and stuff...and what will happen to static records...etc.This is with junior admins, who are made administrators for particular site or OU.
Now, I don't have time to verify each and every important record (static or dynamic), so I wanted to give read permission on zone and let them verify it on their own.On 5/25/06, 
Al Mulnick <[EMAIL PROTECTED]> wrote:
That's a first for me: a user that needs that information. Admins I can understand and I can see forcing an admin to use a command line or to look for employment elsewhere. 
 
Unfortunately, much of that particular information used for reporting is stored as a blob, IIRC. 
 
Curious though, if they find this information what do they do with it?  
On 5/25/06, Kamlesh Parmar <[EMAIL PROTECTED]
> wrote:

well.. need to verify information like... Record time stamp and  "Delete this record when it becomes stale" check boxnslookup doesn't give me this information.Also,  users are weary of using command line... :-( 


On 5/24/06, Al Mulnick <[EMAIL PROTECTED] 
> wrote:



You'll need a description of the rights needed to open the tool in this case, as everyone has read access by default. IIRC, the Windows 2000 DNS white paper describes how to delegate rights etc. using tools such as ADSIEDIT or DSACLS.   

 
Curious though: why bother? Read access to a DNS zone? Has the user ever used NSLOOKUP or DIG? You can read the zone records using these tools quite easily and it'll tell you just about everything you want to know about the RR.  Is there a different requirement in this? 


 
Al 

On 5/24/06, Kamlesh Parmar <[EMAIL PROTECTED] 
> wrote: 


Is it possible to give normal domain account rights to view ADI DNS zone in console ?
 
I tried to give normal account a rights to READ thru ACL on zone, but it didn't help.
 
Only otherway, I know is to create a secondary for that zone, on that users machine. but thats overkilll :)-- 
Kamlesh~"Be the change you want to see in the World"~ 


-- 
~"Be the change you want to see in the World"~
-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] view only rights on ADI DNS Zone

[Kamlesh Parmar]

well.. need to verify information like... Record time stamp and  "Delete this record when it becomes stale" check boxnslookup doesn't give me this information.Also,  users are weary of using command line... :-(
On 5/24/06, Al Mulnick <[EMAIL PROTECTED]
> wrote:
You'll need a description of the rights needed to open the tool in this case, as everyone has read access by default. IIRC, the Windows 2000 DNS white paper describes how to delegate rights etc. using tools such as ADSIEDIT or DSACLS.   

 
Curious though: why bother? Read access to a DNS zone? Has the user ever used NSLOOKUP or DIG? You can read the zone records using these tools quite easily and it'll tell you just about everything you want to know about the RR.  Is there a different requirement in this? 

 
Al 
On 5/24/06, Kamlesh Parmar <[EMAIL PROTECTED]
> wrote:


Is it possible to give normal domain account rights to view ADI DNS zone in console ?
 
I tried to give normal account a rights to READ thru ACL on zone, but it didn't help.
 
Only otherway, I know is to create a secondary for that zone, on that users machine. but thats overkilll :)-- 
Kamlesh~"Be the change you want to see in the World"~ 
-- ~"Be the change you want to see in the World"~

[ActiveDir] view only rights on ADI DNS Zone

[Kamlesh Parmar]

Is it possible to give normal domain account rights to view ADI DNS zone in console ?
 
I tried to give normal account a rights to READ thru ACL on zone, but it didn't help.
 
Only otherway, I know is to create a secondary for that zone, on that users machine. but thats overkilll :)-- 
Kamlesh~"Be the change you want to see in the World"~ 

Re: [ActiveDir] Is there a way to force users to logon to domain?

[Kamlesh Parmar]

If you still want to set it via GPO...
 
set "allow logon locally" to Administrators , domain\domain users 
This will ensure that, local accounts doesn't get right to logon, unless they are member of "Administrators" group 
-- 
Kamlesh~"Be the change you want to see in the World"~ 
 
On 5/16/06, Joe Lagreca <[EMAIL PROTECTED]> wrote:
Sergio,That is the approach we are going to take.  Write a script to run atstart up to delete all local accounts, except administrator, which
only we should know the password for.Do you have any ideas on how to change local account passwords via GPOor remotely?  We would like to change the administrator passwordsinitially, and probably like to change it on a continual basis.
Thank you.JoeOn 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS<[EMAIL PROTECTED]> wrote:> Yeah, disregard what I said about just leaving Admins on the "allow logon
> locally" setting, that's my bad.  I guess best thing to do would be delete> all existing local user accounts.>> -Sergio> -Original Message-> From: Joe Lagreca [mailto:
[EMAIL PROTECTED]]> Sent: Monday, May 15, 2006 7:33 PM> To: ActiveDir@mail.activedir.org> Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
>> Al and others,>> We are retrofitting previously deployed workstations.  Some have local> logins, while others do not.  I was just wondering if there is a way,> via GPO, to force all users to log into the domain, instead of giving
> them the option to log into their local machine.>> I have been told that "In a GPO set the cached logon setting to "0"> and make sure "allow logon locally" is only set to Admins." will not
> work.  However I still need to test this myself.  I was told "allow> logon locally" will make it so all unlisted users will not be able to> login from that workstation, whether its locally or to the domain.
>> I realize their profiles wouldn't copy, and we can deal with that> afterwards.>> Thanks.>> Joe>>> On 5/15/06, Al Mulnick <
[EMAIL PROTECTED]> wrote:> > I think you've seen several ways of achieving something similar to> > what you've asked for.  But I'm curious as to what you really want to> > accomplish.  You've put something very specific, but what makes you
> > want to force the logon?  What's the backstory?> >> > Al> >> > On 5/15/06, Joe Lagreca <[EMAIL PROTECTED]> wrote:> > > Is there a way to force users to logon to domain, or to disable loging
> into> > > local computer accounts via GPO?> > >> > > Thanks.> > >> >> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>List info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Cleanup of AD accounts

[Kamlesh Parmar]

I suppose you can use  DN from that modified file and feed it to dsmod.exe or admod.exeOn 4/28/06, Rimmerman, Russ <
[EMAIL PROTECTED]> wrote:




Joe - I sent you an
e-mail, I figured maybe going to this list might get more input on this question
as well:
 


If I wanted to run an oldcmp -report 120 -users -sort cn -f
"(&(objectcategory=person)(objectclass=user))" -format csv -delim
,
 
and then send it out
to our remote administrators to 'remove any accounts you don't want
disabled'
 
and then take the
final list and disable all remaining accounts
that they didn't flag as still being used,
how would I accomplish that?
 
Is there a way
to have oldcmp use a modified file as an import file for the accounts to
disable?  Our problem is we don't want to disable any service accounts that
are actively being used, but we have a LOT of
cleanup to do.  How does everyone else handle
this?
 
Thanks a
bunch,
Russ

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~

-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] copy with permissions

[Kamlesh Parmar]

The best one i know is... robocopy.exe  I have done hundreds of desktop migrations using that.free tool from microsoft resource kit tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en-- Kamlesh~"Be the change you want to see in the World"
~
--On 4/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]
> wrote:
        Is
there a way to copy all my file server folders to another server with permissions?
I need to change the Hard disk, but dont want to graint all permissions
again.
Thanks
        
Adrião Ramos

Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

[Kamlesh Parmar]

Steve,Luckily all users, sharepoint servers are in same domain and i have only two DCs in that setup. And I have made sure that developers are looking at both DCs to find the latest lastlogon update. So I am not missing anything on that part.
Problem is i dont have access to servers directly, I have to relay the information I find to them and wait for them to provide test results. In earlier article you mentioned, it was suggested that problem was with
NTLM and not kerberos, so I thought lets try with kerberos and see, that also didn't help.with little digging, I found that, windows integrated authentication uses "network logon", while basic authentication uses "interactive login". 
Now I have asked them to enable "audit account logon events" and check for event 540 to verify that network logon is done.anything else I should check?--Kamlesh~
"Be the change you want to see in the World"~On 4/26/06, Steve Linehan <
[EMAIL PROTECTED]> wrote:




If you are running SharePoint and are not running Windows 
Server 2003 R2 with the latest version of WSS then the default behavior for 
SharePoint is to use NTLM, no matter what the client setting.  You can 
change this but that is another conversation.  That being said do you know 
what DC is actually authenticating the user?  Depending on where the 
account resides you would be using NTLM chaining through secure channels to get 
to a DC in the account domain so to build that chain you can use nltest 
/sc_query:  on the SharePoint server to see what DC in the 
domain in which the SharePoint server is located it has its secure channel 
with.  If the user account is in the same domain as the SharePoint server 
you are finished if not you need to go to that DC and then run nltest 
/sc_query: to find out who he has his secure channel setup to 
for that particular user domain.  You would then be able to query the 
lastlogon attribute on that DC, since that attribute is not replicated.  
You can also turn up netlogon logging on the SharePoint server to log where the 
requests are going.  The problem that you will have is if the Secure 
Channel changes then you would need to go to the new DC to get the lastlogin 
time.  As you can see this is not an easy problem to solve and even if you 
were at Windows Server 2003 FFL and had lastlogontimestamp it is loosely 
replicated so you are still not going to get the behavior you want.  
Kerberos makes this even more difficult as the client is talking to the KDC to 
get the ticket and that KDC could be any DC in its domain and not 
predictable.  As far as the types of logins that update that attribute I 
believe all of them do now though there may be a few that still do not I will 
try to work on getting a list.
 
Thanks,
 
-Steve


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
ParmarSent: Tuesday, April 25, 2006 2:58 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Does windows 
integrated authentication in IIS update lastlogon 
attribute?
Thanks Steve for you reply.Yes DCs are running Win2003 SP1, 
and webservers are win2003 sharepoint servers.If it helps : DFL is windows 
2000 mixed and FFL is Windows 2000so i guess, Lastlogontimestamp is not 
populated and thats why we are looking at lastlogon attribute. I also 
checked on clients that  "Enable Windows integrated authentication" is 
enabled, which would try to use kereberos first then NTLM. (as per KB problem is 
when NTLM is used)anything else i should check? Also, as deji 
requested, list of logon types which update this attribute will also be of great 
help.--Kamlesh~"Be the 
change you want to see in the 
World"~
On 4/24/06, Steve 
Linehan <[EMAIL PROTECTED]> 
wrote:

  
  Are you 
  running Windows Server 2003 SP1?  We fixed a number of scenarios where 
  this attribute was not updated for other logon types in SP1.  Here is 
  just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705 
  
   
  Thanks,
   
  -Steve
  
  
  From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of 
  Kamlesh ParmarSent: Monday, April 24, 2006 2:14 
  PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
  Does windows integrated authentication in IIS update lastlogon 
  attribute?
  
  Dear list members,My apologies if this sounds OT.We 
  have some win2k3 web servers which use windows integrated authentication, and 
  managers now want to display lastlogon time for all users, who use those web 
  servers. Problem is lastlogon attribute of users is not updated when user 
  login to those web servers, it is only updated when users do normal windows 
  interactive logon. does anyone know what kind of user login web 
  servers do for integrated authentication?And can it be changed such a way 
  that, it results in lastlogon time stamp getting updated?-- 
  Kamlesh~ "Be 

Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

[Kamlesh Parmar]

Thanks Steve for you reply.Yes DCs are running Win2003 SP1, and webservers are win2003 sharepoint servers.If it helps : DFL is windows 2000 mixed and FFL is Windows 2000so i guess, Lastlogontimestamp is not populated and thats why we are looking at lastlogon attribute.
I also checked on clients that  "Enable Windows integrated authentication" is enabled, which would try to use kereberos first then NTLM. (as per KB problem is when NTLM is used)anything else i should check?
Also, as deji requested, list of logon types which update this attribute will also be of great help.--Kamlesh~"Be the change you want to see in the World"
~On 4/24/06, Steve Linehan <[EMAIL PROTECTED]> wrote:





Are you running Windows Server 2003 SP1?  We fixed a 
number of scenarios where this attribute was not updated for other logon types 
in SP1.  Here is just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705

 
Thanks,
 
-Steve


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
ParmarSent: Monday, April 24, 2006 2:14 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Does windows 
integrated authentication in IIS update lastlogon 
attribute?
Dear list members,My apologies if this sounds OT.We 
have some win2k3 web servers which use windows integrated authentication, and 
managers now want to display lastlogon time for all users, who use those web 
servers. Problem is lastlogon attribute of users is not updated when user login 
to those web servers, it is only updated when users do normal windows 
interactive logon. does anyone know what kind of user login web servers 
do for integrated authentication?And can it be changed such a way that, it 
results in lastlogon time stamp getting updated?-- 
Kamlesh~ "Be the change you want to 
see in the World"~

-- 

[ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

[Kamlesh Parmar]

Dear list members,My apologies if this sounds OT.We have some win2k3 web servers which use windows integrated authentication, and managers now want to display lastlogon time for all users, who use those web servers. Problem is lastlogon attribute of users is not updated when user login to those web servers, it is only updated when users do normal windows interactive logon. 
does anyone know what kind of user login web servers do for integrated authentication?And can it be changed such a way that, it results in lastlogon time stamp getting updated?-- Kamlesh~
"Be the change you want to see in the World"~

Re: [ActiveDir] Service Account Logging/Tracking

[Kamlesh Parmar]

I will add something... logparser...amazing utility...(if you know little bit of scripting)http://www.logparser.comlogparser can be scripted... morover you can use parse the description field and extract the exact detail..and if you know how to use the template option of it..it could create nice html report too. and ofcourse once file is ready it can be picked up and sent to admins thru mail.
-Kamlesh~"Be the change you want to see in the World"~On 4/22/06, 
Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only. M@
On 4/22/06, mike kline <


[EMAIL PROTECTED]> wrote:You have to turn on auditing in order to track logon events.   Once you turn auditing on you can then search your security event logs for that logon event.  

 
When you go to set auditing you will see two settings. Audit account logon events and audit logon events.  There is a good blog entry about the differences between the two settings and what they mean.
http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx
 
We set both for success, failure (per NSA guidelines).  We save our logs daily on the servers and on our workstations we overwrite older events so that disk space doesn't become a huge issue. 
 
Once you have the events in the log you can search through them using a tool like Eventcomb
 
http://www.microsoft.com/downloads/details.aspx?FamilyId=9989D151-5C55-4BD3-A9D2-B95A15C73E92&displaylang=en
Eventcomb can be found within this download. 
 
You can search for EventID 528 and specify the service account to narrow the search.
 
When you say an account with elevated privileges what kind of privileges are you talking about?  Hopefully not a domain admin account.  
 
Thanks
Mike 
On 4/21/06, Clay, Justin (ITS) <[EMAIL PROTECTED]
> wrote:



What's the recommended method for tracking service account logins? We keep a pretty tight reign on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges.

 
Thanks,
 
Justin Clay



ITS Enterprise Services



 Metropolitan Government of Nashville and Davidson County
 Howard School Building



 Phone: (615) 880-2573
 



ITS ENTERPRISE SERVICES EMAIL NOTICEThe information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.





-- 

Re: [ActiveDir] how to report on scheduled jobs?

[Kamlesh Parmar]

If your remote machines are XP onwards...try  schtasks.exe /query /S remotePCNameI am assuming current logged in user has rights to manage remotePCfor more details 
schtasks.exe /query /?--KamleshOn 4/18/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
Is there a script to output scheduled job information?  Maybe somethingI could call in a "for" loop driven by a list of servers.  Ideally, I
would like to see the job and who's credentials it is running under,with maybe the schedule.Mike ThommesList info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Daylight savings query

[Kamlesh Parmar]

For the purpose of binary settings, one can either use .REG file or usefree PolicyMaker registry CSE from desktopstandards.com
http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx--Kamlesh~"Be the change you want to see in the World"~
On 4/4/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi Susan,If you try using an ADM template to add the key you may have a problem since
it includes binary settings that can't be set via ADM Templates. Alan Cuthbertson Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtmlADM Template Editor:-http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml- Original Message -
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"<[EMAIL PROTECTED]>To: Sent: Tuesday, April 04, 2006 11:56 AMSubject: Re: [ActiveDir] Daylight savings query> Yeah in hindsight I think I can achieve bon bon status but just putting> the stupid key in group policy.
> Dean Wells wrote:>>>I don't query the existing setting, I simply set it ... via site linked>>policies or script or whatever's your preference -->>>
>>Control.exe TIMEDATE.CPL,,/Z (GMT-08:00) Pacific Time (US & Canada);>>Tijuanaalternatively:RUNDLL32.EXE SHELL32.DLL,Control_RunDLL TIMEDATE.CPL,,/Z (GMT-08:00)
>>Pacific>>Time (US & Canada); Tijuana... where '(GMT-08:00) Pacific Time (US & Canada); Tijuana' is the>>timezone>>being>>set.>>
>>The supplied value behind /Z is from the Display value under the registry>>key ->>'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones'You can also use the Std value in those registry keys as well, this is
>>equivalent>>to "(GMT-08:00) Pacific Time (US & Canada); Tijuana":Control.exe TIMEDATE.CPL,,/Z Pacific Standard Time-->>Dean Wells
>>MSEtechnology>>* Email: [EMAIL PROTECTED]>>http://msetechnology.com>>
>>>-Original Message->>>From: [EMAIL PROTECTED]>>>[mailto:
[EMAIL PROTECTED]] On Behalf Of Susan Bradley,>>>CPA aka Ebitz - SBS Rocks [MVP]>>>Sent: Monday, April 03, 2006 9:20 PM>>>To: 
ActiveDir@mail.activedir.org>>>Cc: Send - AD mailing list>>>Subject: Re: [ActiveDir] Daylight savings query>>Without walking around to every stupid new desktop every year and getting
>>>mad at Dell that they aren't picking up the right timezones I want to>>>set at my desktop eating bon bons and scan them and see if they've>>>screwed up and the Secretaries will be booking appointments in the wrong
>>>time zones and the bosses will be getting mad>>(Bosses get the new computers.. Secretaries get the old ones that already>>>have the time zone problem resolved)
>>Basically I'm asking... what do you guys do in big server land to ensure>>>that every stupid Outlook is booking appointments in the proper zone?>>Dean Wells wrote:
>>It's late so that could well be it ... but I'm afraid I'm>>>uncertain asto what it is you've not already ascertained for yourself?
--Dean WellsMSEtechnology* Email: [EMAIL PROTECTED]
http://msetechnology.com>-Original Message->From: 
[EMAIL PROTECTED]>[mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley,>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Monday, April 03, 2006 8:33 PM>To: ActiveDir@mail.activedir.org>Subject: [ActiveDir] Daylight savings query
>>(someone go pick Joe up off the floor after I post this..>>>I'm actually>asking about scripting)>>
>Is there a script that can be run to determine what a>>>computers time>zone status is?  Some WMI status in AD or something?  It seems like>everytime I get new computers in the office...the OEM image that we
>don't nuke and pake means that they do not grab the "autotmatically>adjust" setting, even though it's checked, so they end up>>>staying on>standard time rather than flipping to daylight savings and thus causing
>appointments to be off an hour.>>Okay so the setting is under>>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneIn
>formation>But the values under there are not jumping out at me as to>>>which one>the machine is broadcasting?>>Is it "Daylight Bias" RegDword ffc4"  ...as if I flip
>>>the gui on>and off.. that value goes down to 0>>...wonder if I can group policy that reg key valuehmm>
>>How to configure daylight saving time dates for Brazil:>http://support.microsoft.com/?kbid=317211
>>"Use a script to delete "DisableAutoDaylightTimeSet" from the registry.>When deleted 'Automatically adjust clock for daylight>>>savings changes'
in Windows will be checked.>>The registry key is:>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneIn
>formation ">>>

Re: [ActiveDir] Script not working thru GPO

[Kamlesh Parmar]

You can trim the line you read from file and also either make them lower or upper case, it helps great while comparing.
   If ucase(trim(line)) = ucase(trim(strComputerName)) Then

    found = true

    End Ifmy 0.02$--Kamlesh
On 3/29/06, Brian Desmond <[EMAIL PROTECTED]> wrote:















Is there any reason you're not just expanding the %ComputerName% environment
variable in your script?

 

As far as searching the file:

 

Dim line

Dim found

found = false

While Not objServerList.EOF

    Line = objServerList.ReadLine

    If line = strComputerName Then

    found = true

    End If

Wend

 

If found then

    ' Do stuff

Else

    ' Do other stuff

End If

 



Thanks,

Brian Desmond


[EMAIL PROTECTED]

 

c -
312.731.3132

 

 













From: 
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On
Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Wednesday, March 29, 2006
11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script
not working thru GPO



 

Foudn that problem and the other which was with objShell

 

Here is the working script. Now to find a way to have
it check if the server name is already in the serverlist.txt file and if so
skip to the end.  

 

Dim regComputerName
Dim strComputerName
Dim Serverlist
Dim objShell
Dim objServerlist
DIM objFSO
DIM strCurrenLine
DIM intIsComment
Const ForAppending = 8



 



Serverlist = "\\fileserver\serverlist.txt"
regComputerName = "HKLM\SYSTEM\CurrentControlSet\Control" &
"\ComputerName\ComputerName\ComputerName"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objServerlist = objFSO.OpenTextFile(Serverlist, ForAppending)



 



Set objShell = CreateObject("WScript.Shell")
strComputerName = objShell.RegRead(regComputerName)
objServerlist.WriteLine (strComputerName)



 



objShell.RegWrite"HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles",
1, "REG_DWORD"
objShell.RegWrite"HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles",
1, "REG_DWORD"
objShell.RegWrite"HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles",
1, "REG_DWORD"



 



 

 







From:

[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]

Sent: Wednesday, March 29, 2006
9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script
not working thru GPO



What's objFile being set to?

 

Set WshShell
= WScript.CreateObject("WScript.Shell")
ComputerName = objShell.RegRead(regComputerName)
objfile.Write "ComputerName" 

 

Hmm maybe I'm missing something entirely because I
don't see where objShell is being set to anything either… ?

 

 









































































:m:dsm:cci:mvp | 
marcusoh.blogspot.com









































































 









From: 
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On
Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Wednesday, March 29, 2006
8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script
not working thru GPO



 

Thank you

 

   
That fixed that line.. Now to another line.  As I mentioned before
this script works fine outside of GPO.

   
Do you see anything wrong with ComputerName =  

 







From:
 [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, March 28, 2006
12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script
not working thru GPO

Good catch Kamlesh. Jeff, check out:

 


http://msdn.microsoft.com/library/default.asp?url=""> 

 

for an example of this.

 







From:
 [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On
Behalf Of Kamlesh Parmar
Sent: Tuesday, March 28, 2006 8:59
AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Script
not working thru GPO



If this is the
exact script then





Where have you
defined value of "ForAppending" ??





 





As error
 message contains "invalid argument"





 





--





Kamlesh

 





On 3/28/06, Cothern, Jeffrey D Mr CTR
USSOCOM HQ <[EMAIL PROTECTED]>
wrote: 



I have a
script i created in vbs.  This script works when run on the machines
locally but when i set it up as a machine startup script it gets this error




 





script: 





path and
name of script





 





Line:13





Char: 1





Error:
Invalid Procedure call or argument





Code:
800A0005





Source: 
Microsoft _vbscript_ runtime error





 





As I said
this runs correctly when run on the machine localy but not thru GPO.  I am
assuming that I cannot do a objFSO.OpenTestFile thru the GPO.  Is there
some other way I can accomplish the write to the test file? 





 





Jeff





 





 

Re: [ActiveDir] Script not working thru GPO

[Kamlesh Parmar]

If this is the exact script then
Where have you defined value of "ForAppending" ??
 
As error  message contains "invalid argument"
 
--
Kamlesh 
On 3/28/06, Cothern, Jeffrey D Mr CTR USSOCOM HQ <[EMAIL PROTECTED]> wrote:


I have a script i created in vbs.  This script works when run on the machines locally but when i set it up as a machine startup script it gets this error

 
script: 
path and name of script
 
Line:13
Char: 1
Error: Invalid Procedure call or argument
Code: 800A0005
Source:  Microsoft _vbscript_ runtime error
 
As I said this runs correctly when run on the machine localy but not thru GPO.  I am assuming that I cannot do a objFSO.OpenTestFile thru the GPO.  Is there some other way I can accomplish the write to the test file?

 
Jeff
 
 
 
   Here is the Script Code:
 
Dim WshShell, bKeyDim regComputerNameDim ComputerNameDim ServerlistDim objServerlistDIM objFSODIM strCurrenLineDIM intIsComment
 
Serverlist = "\\fileserver\serverlist.txt"regComputerName = "HKLM\SYSTEM\CurrentControlSet\Control" & "ComputerName\ComputerName\ComputerName"
Set objFSO = CreateObject("Scripting.FileSystemObject")Set objServerlist = objFSO.OpenTextFile(serverlist, ForAppending)
 
Set WshShell = WScript.CreateObject("WScript.Shell")ComputerName = objShell.RegRead(regComputerName)objfile.Write "ComputerName" 
 
WshShell. RegWrite"HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles", 1, "REG_DWORD"WshShell. RegWrite"HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles", 1, "REG_DWORD"
WshShell. RegWrite"HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles", 1, "REG_DWORD"
 
bKey = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles")bKey = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles")
bKey = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles")
 
WScript.Echo WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles")WScript.Echo WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles")
WScript.Echo WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles") 
 -- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Active Directory

[Kamlesh Parmar]

Wouldn't it be, Default Domain Policy??
 
As that will apply to normal workstations.
 
--
Kamlesh 
On 3/21/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
Check the Default Domain Controllers policyComputer ConfigurationWindows SettingsSecurity Settings
Local PoliciesSecurity optionsInteractive Logon: Prompt user to change password before expiration: 14 daysMet vriendelijke groeten / Kind regards,Ing. Jorge de Almeida PintoSenior Infrastructure Consultant
MVP Windows Server - Directory ServicesLogicaCMG Nederland B.V. (BU RTINC Eindhoven)(   Tel : +31-(0)40-29.57.777(   Mobile : +31-(0)6-26.26.62.80*   E-mail : 
From: [EMAIL PROTECTED] on behalf of Christine AllenSent: Tue 2006-03-21 13:31To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Active DirectorySorry for the dumb question, but I can't find any information regardingthis. =20We are running a windows 2000 domain.  We have set up a password policy.
Users have to change their passwords every 120 days.  When will they beprompted to change it?  One week before?  Two weeks before?  Thanks.-ChristineChristine N. AllenSystems EngineerBMC HealthNet Plan
2 Copley PlaceBoston, MA 02116617-748-6034617-293-4407[EMAIL PROTECTED]List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Mass AD Full Name & Display Name Changes - Last name, first name

[Kamlesh Parmar]

Currently, I am not near a DC, to test out the exact commands... but here goes the general process..* use adfind.exe or csvde.exe to create a delimited list of current users with required attributes.* Import this file into excel
* create excel formula with displayname column as input and put the desired output into another column.* Verify that the resulting displayname is what you want.* export these changed displayname along with DN to text file
* use dsmod.exe or admod.exe to run through this text file and update the required attribute.This approach will allow you to verify each change before they are made. Instead of relying on logic built into script to take care of conversion.
Because you never know, when you stumble across exceptional case of value in attribute you are trying to change. e.g. what if someone's current fullname contains THREE words with TWO separating spaces because it also includes their middle name.
You get the drift.-- Kamlesh~"Be the change you want to see in the World"~
On 3/2/06, Danny <[EMAIL PROTECTED]> wrote:
My goal is to automate a process to change Full Name and Display Namefrom John Doe to Doe, John.  I am not yet familiar with VB et alscripting, so assistance would be greatly appreciated if you propose ascripting solution.
Thank you!...DList info   : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Link single GPO to multiple OUs using script or something

[Kamlesh Parmar]

Thanks I looked at the _vbscript_ code, what it does is, takes the current links into variable and appends our new link at the end and reattaches the whole new bunch to OU again.I thought since admod has a feature of append (+,++ operators), I might not have to do the read current links + append-new + reattach. just appending might work.
but it turns out gplink is single-value-attribute so have to follow the same route.I have gone ahead with _vbscript_ and modified to my requirement.At the same time I have the adfind+admod script also ready ( just to learn 
admod.exe better)-- Kamlesh~"Be the change you want to see in the World"~
On 3/1/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:





Should be working - just create a example OU with the 
specific settings, adfind gPLink and gPOptions into variables (actually 
gPOptions: read it once and set it statically without reading in a variable) and 
use admod to write the gPLink and gPOptions-attributes of the other 
OUs.
 
Ulf
 

  
  
  From: 
[EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
  ParmarSent: Wednesday, March 01, 2006 8:55 AM
To: 
  ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Link single 
  GPO to multiple OUs using script or something
  Thanx, I will test it out  :-)moreover, I will see if I 
  can create a combination of adfind and admod to achieve this.-- 
  Kamlesh~"Be the change you want to 
  see in the World" ~
  On 2/28/06, Ulf B. 
  Simon-Weidner <[EMAIL PROTECTED]> wrote: 
  
  
You can 
do this with a simple VBS, LDIF-File or whatever is convenient for 
you to change AD since you only need to modify the gPLink- and 
gPOptions-Attributes. Look at the following example from the Technet 
Scriptcenter:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die 
Expertentipps": http://tinyurl.com/44zcz
  Weblog: 
http://msmvps.org/UlfBSimonWeidner
 
  Website: 
http://www.windowsserverfaq.org  Profile:   
 http://mvp.support.microsoft.com/profile="">   
 

  
  
  From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of 
  Kamlesh ParmarSent: Monday, February 27, 2006 11:12 
  PMTo: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] Link single GPO to multiple OUs using script or 
  something
  
  Basically, we have > 50 Location OUs each having different 
  sub OUs for servers, desktops, laptops.My problem is I want to apply 
  policy to all laptops, but I don't have all laptops with XP, some are 
  win2K.So can't use a WMI query to filter out dekstops and servers and 
  create single policy. So only option left is create a policy and 
  link it to so many OUs.Is it possible to link a single GPO to 
  multiple OUs using script or utility like admod.exeThanks in advance-- 
  Kamlesh~"Be the change you 
  want to see in the 
  World"~

Re: [ActiveDir] Link single GPO to multiple OUs using script or something

[Kamlesh Parmar]

Thanks for your suggestion.I wish it was that simple. :-) (not technically, but politically)Ours is very much delegated environment, spread across 50+ locations.So making sure that no single branch office admin has rights over any of the objects of other branch office is essential, thus initial design was to create separate OUs for each object type.
Also, many of the policies are very much branch location specific, linking policy at higher level may not be feasible always and enforcing higher level policy to make it effective is again digging the grave little more.
Creating group did occur to me, but, I can't create a single group and and give everyone rights to change membership. This will violate comfort level as people have power to remove or add members from other location, also as they will likely change
membership on different DCs and since LVR is not supported in 2K native
DFL, many of the membership changes will be lost.
At the same time, I can't keep membership management rights with central team as this will add one another mundane routine to their already stretched task list and shift focus from larger issue.Now, it would require that I create 50+ location specific groups then assimilate these groups into one single group to which I apply policy. This approach makes sure that no one else can add or remove member laptops for other location and branch admin can make sure that right policies are applied to laptops, without requiring central team's help in managing single group. 
So, when I have to choose between creating 50+ groups, explaining the change in operations to 50 different branch admins, asking them to add all their laptops to these new groups while laptop OU is still present 
AND linking a policy to 50+ OUs.so in short-term, I chose linking a policy to 50 OUs.I do agree, that mere thought of linking a single policy to 50 OUs, did rang alarm bells in my head. I can assure you, restructuring the OUs is sure put down as a agenda point for next quarterly review meeting.
I know, someone might say, pal, you have such a big environment then why don't you create provisioning website or app to take care of such delegation nightmares  and make it standard, automated and accountable. I will just say "Work In Progress"  :-)
--Kamlesh~"Be the change you want to see in the World"~On 3/1/06, 
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:





I may have missed earlier parts to this thread, but have 
you considered adding all laptops to a group and then applying a laptops GPO at 
some higher level in the OU hierarchy, filtered by the group just 
mentioned?
 
I would also re-assess the OU hierarchy and whether it is 
relevant and appropriate. If you encounter the need to link the same GPO in 50+ 
places, then perhaps the OU hierarchy needs to be revamped / 
re-designed.
 
neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. 
Simon-WeidnerSent: 01 March 2006 08:11To: 
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Link single GPO 
to multiple OUs using script or something

Should be working - just create a example OU with the 
specific settings, adfind gPLink and gPOptions into variables (actually 
gPOptions: read it once and set it statically without reading in a variable) and 
use admod to write the gPLink and gPOptions-attributes of the other 
OUs.
 
Ulf
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
  ParmarSent: Wednesday, March 01, 2006 8:55 AMTo: 
  ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Link single 
  GPO to multiple OUs using script or something
  Thanx, I will test it out  :-)moreover, I will see if I 
  can create a combination of adfind and admod to achieve this.-- 
  Kamlesh~"Be the change you want to 
  see in the World" ~
  On 2/28/06, Ulf B. 
  Simon-Weidner <[EMAIL PROTECTED]> wrote: 
  
  
You can 
do this with a simple VBS, LDIF-File or whatever is convenient for 
you to change AD since you only need to modify the gPLink- and 
gPOptions-Attributes. Look at the following example from the Technet 
Scriptcenter:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die 
Expertentipps": http://tinyurl.com/44zcz
  Weblog: 
http://msmvps.org/UlfBSimonWeidner
 
  Website: 
http://www.windowsserverfaq.org  Profile:   
 http://mvp.support.microsoft.com/profile="">   
 

  
  
  From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of 
  Kamlesh ParmarSent: Monday, February 27, 2006 11:12 
  PMTo: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] Link single GPO to multiple OUs using script or 
  something
  
  Basically, we have > 50 Location OUs each having different 
  sub OUs fo

Re: [ActiveDir] Link single GPO to multiple OUs using script or something

[Kamlesh Parmar]

Thanx, I will test it out  :-)moreover, I will see if I can create a combination of adfind and admod to achieve this.-- Kamlesh~"Be the change you want to see in the World"
~On 2/28/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:





You can do this with a simple VBS, LDIF-File or 
whatever is convenient for you to change AD since you only need 
to modify the gPLink- and gPOptions-Attributes. Look at the following example 
from the Technet Scriptcenter:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": 
http://tinyurl.com/44zcz  Weblog: 
http://msmvps.org/UlfBSimonWeidner
  Website: 
http://www.windowsserverfaq.org  Profile:   
http://mvp.support.microsoft.com/profile="">   
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
  ParmarSent: Monday, February 27, 2006 11:12 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Link single GPO to 
  multiple OUs using script or something
  Basically, we have > 50 Location OUs each having different sub 
  OUs for servers, desktops, laptops.My problem is I want to apply policy to 
  all laptops, but I don't have all laptops with XP, some are win2K.So can't 
  use a WMI query to filter out dekstops and servers and create single policy. 
  So only option left is create a policy and link it to so many 
  OUs.Is it possible to link a single GPO to multiple OUs using script 
  or utility like admod.exeThanks in advance-- 
  Kamlesh~"Be the change you want to 
  see in the 
World"~

Re: [ActiveDir] Each domain users to automatically be member of power users in their own computers

[Kamlesh Parmar]

use restricted groups and make "INTERACTIVE" group member of "power users"that will give you desired effect.Only *Interactively* logged on user will be power user on that particular computer.
Caveat: make sure you exclude domain controller from this policy. :-)--Kamlesh~"Be the change you want to see in the World"~
On 3/1/06, Irwan Hadi <[EMAIL PROTECTED]> wrote:
Is there a way to make so that whenever a user logon to a computer,s/he will automatically be a member of that particular computer powerusers (or even administrators) but nobody else?The reason for this is because we have some specific applications
which users will need to install in their own computer, and are notyet pushed thru group policy.I've looked at restricted group GPO, but it seems with RG GPO, eitherI will need to create individual GPO for each user, or I will need to
create a group of users and put this group as power users, which thenmeans everybody will have power users access to each other computer inan organizational unit.ThanksList info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/-- 

Re: [ActiveDir] Phantom Account Locks

[Kamlesh Parmar]

I would rather look at Event 644 and first make sure that account lockouts are happening from same machine, you are suspecting.Then I will take a look info from this page.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx#ENAA--KamleshOn 2/28/06, AdamT <
[EMAIL PROTECTED]> wrote:On 2/28/06, Susan Bradley <
[EMAIL PROTECTED]> wrote:> What's the security log say up on the server?>The security log has several of these:Event ID 529Source: Security
Category: Logon/LogoffType: FailureUser: NT AUTHORITY\SYSTEMComputer: SBS-DCReason: Unknown user name or bad passwordUsername: j.bloggsDomain: PC004Logon Type: 3Logon Process: NtLmSsp
Authentication Package: NTLMWorkstation Name: PC004And some of these:Event ID: 681Source: SecurityCategory: Account LogonType: FailureUser: NT AUTHORITY\SYSTEMComputer: SBS-DCThe logon to account 
j.bloggs by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: PC004 failed.The error code was: 3221225578(I looked that up, and the error code apparently means 'wrong password')And some of these:
Event ID: 539Source: SecurityCategory: Logon/LogoffType: FailureUser: NT AUTHORITY\SYSTEMComputer: SBS-DCReason: Account locked outUser Name: j.bloggsDomain: PC004Logon Type: 3
Logon Process: NtLmSspAuthentication Package: NTLMWorkstation Name: PC004Thanks for the mention of the lockout tools - will give them a go.Cheers,--AdamT'Thank-you for not requesting read receipts'
List info   : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~
"Be the change you want to see in the World"~

[ActiveDir] Link single GPO to multiple OUs using script or something

[Kamlesh Parmar]

Basically, we have > 50 Location OUs each having different sub OUs for servers, desktops, laptops.My problem is I want to apply policy to all laptops, but I don't have all laptops with XP, some are win2K.So can't use a WMI query to filter out dekstops and servers and create single policy.
So only option left is create a policy and link it to so many OUs.Is it possible to link a single GPO to multiple OUs using script or utility like admod.exeThanks in advance-- 
Kamlesh~"Be the change you want to see in the World"~

Re: [ActiveDir] Stupid Group Policy CSE behavior

[Kamlesh Parmar]

Thanx Darren for testing it out.Yes, I realize that setting deny for "authenticated users" stops everybody. and we want it that way, basically making hard for everyone including local administrator to play with that service.
i.e. just a crude way to stop USB mass storage devices for ignorant users.Yes, it is a device driver *service*, I would have to manually edit the .inf file in sysvol to make it appear in GP Editor, plus I thought it would not make any difference, as security SCE also acts similar when encountered with problem.
By the way, this is not the only setting which is changed, we try to
change lot of things around usbstor service, including giving a false
driver path, and since those are registry changes, it was decided to make the service config as registry change rather than putting it in "system service" settings.
Still, I will try that option, and see the behavior of CSEs.--Kamlesh~"Be the change you want 
  to see in the 
  World"~On 2/24/06, Darren Mar-Elia <[EMAIL PROTECTED]
> wrote:




Ok. I will test that but it would be good to understand the 
scenario a little better. You do realize that by setting a Deny ACE for Auth. 
Users on the device/service, you are effectively preventing any 
access to that service, which would seem problematic in and of itself. The 
second point or question is, why would you not use the service security policy 
rather than registry policy to control this? I'm assuming its because you're 
trying to control a device rather than a real service?
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
ParmarSent: Thursday, February 23, 2006 2:06 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Stupid Group 
Policy CSE behavior
My point was just that particular CSE stops processing further GPs 
related to it, and not entire GP processing.This gives very inconsistent 
application of policy. One fine day, you find that all policies are working 
fine, and when next day you introduce new policy, which has settings no way 
related to earlier policies and it goes on to break unrelated policy. I 
will give you something to test...parent OU policy contains : DENY 
'Authenticated Users' permission on one of the registry key(in my case 
USBSTOR service) & ADM template which tries to change a value inside that 
registry key (making value start = 4) Child OU policy : is simply any 
setting from existing administrative templates (in my case WSUS 
policy)You would expect processing of both polices by Registry CSE, but 
in this case child policy won't be processed as registry CSE will fail while 
changing value specified in parent OU policy, due to restrictive permission. 
In another case it was mis-spelled file name, configured for file system 
security.-- Kamlesh~"Be the 
change you want to see in the World"~ 

On 2/23/06, Darren 
Mar-Elia <[EMAIL PROTECTED]> 
wrote:

  Well, it 
  won't be the first time I've heard something about GP called "stupid" 
  :).
   
  I suspect 
  it depends upon how you think about this. Certain CSEs are more resilient 
  than others. I honestly haven't come across your scenario but in a lot of 
  cases, if a CSE fails to do something, GP processing will simply continue 
  along. I will try to take a deeper look at this and see if I can 
  understand why that is happening. 
   
  One thing 
  I usually recommend is to stay away from using registry and/or file security 
  policy to set perms. First of all, I find it kind of a klunky way to manage 
  permissions. Secondly, if you do a lot of it in policy, it can really 
  slow down processing. I think its just better to manage security permissions 
  on files and registry keys with a different, and more deterministic method. 
  
   
   
   
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of 
  Kamlesh ParmarSent: Wednesday, February 22, 2006 11:48 
  PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
  Stupid Group Policy CSE behavior
  
  
  I had high hopes for group policy, but now it has started waning...
   
  Simply stated, what happens is ... you have different policies applying 
  to machine.
  And say all policies contain different registry or security related 
  settings.
  Now, when at workstation registry or security CSE tries to process 
  these settings...
  It will just stop processing at first error 
  it encountered and never process settings from remaining policies.
   
  so if registry CSE found that it has 10 values in registry to set and if 
  it encountered error at 5th, it will never go ahead and process 6 to 
  10.
   
  here is my case:
   
  I had set deny permission on one registry key in one policy and I was 
  trying to change that setting from another policy.
  One would guess that, 2nd policy would simply fail and CSE would continue 
  processing other polices which are no w

Re: [ActiveDir] Stupid Group Policy CSE behavior

[Kamlesh Parmar]

My point was just that particular CSE stops processing further GPs related to it, and not entire GP processing.This gives very inconsistent application of policy. One fine day, you find that all policies are working fine, and when next day you introduce new policy, which has settings no way related to earlier policies and it goes on to break unrelated policy.
I will give you something to test...parent OU policy contains : DENY 'Authenticated Users' permission on one of the registry key(in my case USBSTOR service) & ADM template which tries to change a value inside that registry key (making value start = 4)
Child OU policy : is simply any setting from existing administrative templates (in my case WSUS policy)You would expect processing of both polices by Registry CSE, but in this case child policy won't be processed as registry CSE will fail while changing value specified in parent OU policy, due to restrictive permission.
In another case it was mis-spelled file name, configured for file system security.-- Kamlesh~"Be the change you want to see in the World"~
On 2/23/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:





Well, it won't be the first time I've heard something about 
GP called "stupid" :).
 
I suspect it depends upon how you think about 
this. Certain CSEs are more resilient than others. I honestly haven't come 
across your scenario but in a lot of cases, if a CSE fails to do something, 
GP processing will simply continue along. I will try to take a 
deeper look at this and see if I can understand why that is happening. 

 
One thing I usually recommend is to stay away from using 
registry and/or file security policy to set perms. First of all, I find it kind 
of a klunky way to manage permissions. Secondly, if you do a lot of it in 
policy, it can really slow down processing. I think its just better to 
manage security permissions on files and registry keys with a different, and 
more deterministic method. 
 
 
 
 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
ParmarSent: Wednesday, February 22, 2006 11:48 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Stupid Group Policy 
CSE behavior

I had high hopes for group policy, but now it has started waning...
 
Simply stated, what happens is ... you have different policies applying to 
machine.
And say all policies contain different registry or security related 
settings.
Now, when at workstation registry or security CSE tries to process 
these settings...
It will just stop processing at first error 
it encountered and never process settings from remaining policies.
 
so if registry CSE found that it has 10 values in registry to set and if it 
encountered error at 5th, it will never go ahead and process 6 to 10.
 
here is my case:
 
I had set deny permission on one registry key in one policy and I was 
trying to change that setting from another policy.
One would guess that, 2nd policy would simply fail and CSE would continue 
processing other polices which are no way related to this setting. But it 
doesn't.
 
I have seen this for Registry and Security CSE.
 
Thanks for listening :-)-- 
Kamlesh~"Be the change you want to 
see in the 
World"~ 

[ActiveDir] Stupid Group Policy CSE behavior

[Kamlesh Parmar]

I had high hopes for group policy, but now it has started waning...
 
Simply stated, what happens is ... you have different policies applying to machine.
And say all policies contain different registry or security related settings.
Now, when at workstation registry or security CSE tries to process these settings...
It will just stop processing at first error it encountered and never process settings from remaining policies.
 
so if registry CSE found that it has 10 values in registry to set and if it encountered error at 5th, it will never go ahead and process 6 to 10.
 
here is my case:
 
I had set deny permission on one registry key in one policy and I was trying to change that setting from another policy.
One would guess that, 2nd policy would simply fail and CSE would continue processing other polices which are no way related to this setting. But it doesn't.
 
I have seen this for Registry and Security CSE.
 
Thanks for listening :-)-- 
Kamlesh~"Be the change you want to see in the World"~ 

Re: [ActiveDir] Is the Directory Infected?

[Kamlesh Parmar]

I have seen that one,
 
I would guess, it came through Shared folder having everyone full access.
Blakemal virus, turn any file it finds in shared folder into EXE.
 
So, basically, if they had taken a output of some AD query and named file as full OU path.txt
virus just loaded itself into it and renamed it to EXE.
 
If Symantec definitions are up to date, they will most likely not find that file on server.
It must have been moved to quarantine.
 
So, either be paranoid and rebuild the DC or remove sharing of that folder and do a complete thorough scan of DC with latest def files.
 
--
Kamlesh 
On 2/21/06, joe <[EMAIL PROTECTED]> wrote:

The first thing I would do is find out if there actually is or was a file by that name on my DC.
 
If there was the second thing I would do is find out where it came from and who put it there so I could process their termination paperwork. :o)

 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Noah EigerSent: Monday, February 20, 2006 3:01 PM
To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Is the Directory Infected?
 



An associate emailed me yesterday and asked if he should be concerned about this which popped up on his DC console from Norton AV Corp Edition:

 
"Message from DC03 to DC01 on 2/19/2006.
 
Virus Found!Virus name: [EMAIL PROTECTED] in DC01 CN=Schema,CN=Configuration,DC=company,DC=com-DC03.exe"
 
 
I said "yes, looks like you have a virus on your DC." But what is actually infected here? Is the Directory infected? And why does it list that as an exe?

 
Thanks.
 
- nme
--No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.15.11/264 - Release Date: 2/17/2006
-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Authentication for kiosk machines - straw poll

[Kamlesh Parmar]

Using Autologon from http://www.sysinternals.com/Utilities/Autologon.htmlIt hides the password using some windows API--Kamlesh
On 2/16/06, Laura E. Hunter <[EMAIL PROTECTED]> wrote:
So for those of you that need to put Internet kiosks in placesomewhere in your organization, in a lobby or a dining hall orsomething, how do you handle the initial authentication when thatmachine boots up?  Hardcoding the account credentials in the Registry
under the ~\Winlogon key?  (Clear-text embedded password. Bleach.)  Ordo you use a third-party add-on to make that bit go?Just curious to see what other people are doing.-
Laura E. HunterMicrosoft MVP - Windows Server NetworkingAuthor: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)List info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Permissions are resetting

[Kamlesh Parmar]

Most common "cause"http://support.microsoft.com/?id=817433On 2/2/06, Aguilar, Louis
 <[EMAIL PROTECTED]> wrote:




Everyone,
I've 
come across a problem with permissions in Active Directory.  When 
I modify a permission on a user account or when I delegate control to a 
user group the permission reset to the original setting.  I've done some 
research, but have come up with nothing.  Any input is 
appreciated.
 
Please 
note that I'm running 2003 in Native Mode.
 
Thanks,
Louis
 
NOTICE OF CONFIDENTIALITY
This message, including attachments, is from Family Health Partners.  
This message contains information that may be confidential and protected by 
HIPAA Privacy Regulations.  If you are not the intended recipient, promptly 
delete this message and notify the sender of the delivery error by return e-mail 
or call the FHP Compliance Department at 816-234-3946.  You may not 
forward, print, copy, distribute or use the information in this message if you 
are not the intended recipient.




-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] OT: Cached credentials security

[Kamlesh Parmar]

Does anyone have faster way to clean cached logon credential other than changing the value in registry for counter to 0 and restarting... --KamleshOn 2/1/06, 
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Cached credentials security in Windows Server 2003, in Windows XP, andin Windows 2000:http://support.microsoft.com/?kbid=913485List info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Active Directory Cleanup...

[Kamlesh Parmar]

you can find all those server DNs in one shot using

dsquery server

and then remove the specific DN of your VS image and feed rest of them to ntdsutil.

--
KamleshOn 1/25/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
you need to clean its metadata through NTDSUTILIf the DC in the test is a W2K3 SP1 DC you can do it like:
Ntdsutil "metadata cleanup" "remove selected server"ServerObjectWhen
using this command, specify the distinguished name (DN) path of the
server object (ServerObject) of the domain controller whose metadata
you want to remove. The server object is the parent of the NTDS
settings object in the configuration container. For example, for the
domain controller named DC1 located in the default-first-site-name of
the contoso.com forest, the DN path of the server object would be
cn=DC1,cn=servers,cn=default-first-site-name ,cn=configuration,dc=contoso,dc=com. If the DN path contains any spaces, enclose the entire DN path in quotes.cheers,jorge
From: [EMAIL PROTECTED] on behalf of Frank AbagnaleSent: Wed 2006-01-25 17:33To: ActiveSubject: [ActiveDir] Active Directory Cleanup...
Hi,I
am in the process of recreating my AD environment. I have copied my VS
image over to my test server, started it and and seized the
roles/installed DNS etc.When I look in the Event Viewer, I have a
lot of KCC error messages, when I go into AD Sites & Services I
have the 50 DC's in total in their own IP site.Because I will no
longer have these DC's in existance in my test environment, can I just
delete them, or would I need to go through ntdsutil and remove
them...if I have to do this does anyone have a script to acheive this?FrankDo you Yahoo!?With a free 1 GB, there's more in store with Yahoo! Mail. <
http://us.rd.yahoo.com/mail_us/taglines/mailstorage/*http://mail.yahoo.com/>This
e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] OT: Gauging AD experience

[Kamlesh Parmar]

Tell me about it !!
 
I faced a situation where, network team proactively blocked port 139/445 for the fear of virile without any communication, and AD team had not installed monitoring tools like sonar or ultrasound so they were clueless how come policies are not applying uniformly across locations. It took them some time to find out.

 
And then AD team started telnetting ports required for AD to make sure they are open, and installed ultrasound, scheduled propagation tests to make sure it is propagating fully.
 
But, network team was up to it, next time they rate limited 139/445 port, and gradually AD team could see propagation time becoming longer and longer.
 
So, when I see Brian mention rate-limit commands for cisco, I chuckle. :*)
 
(Brian nothing wrong with rate-limit, just a cross-reference in my mind)
 
--
Kamlesh 
On 1/21/06, Myrick, Todd (NIH/CC/DNA) [E] <[EMAIL PROTECTED]> wrote:


In my experience, when good directories go bad, it is usually due to three things.
 

Firewalls 
Firewalls 
Did I list firewalls? 
 
Runner ups would be ADC for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, Clowns posing as Security experts, and no disaster recovery solution.

 
Todd Myrick
Brushing off the dust of my MVP status.  
 
 

Re: [ActiveDir] [List Owner] IE7 and ActiveDir

[Kamlesh Parmar]

I just installed IE7 beta on XP SP2, and guess where I went first...activedir.org, when opened in IE7, redirects me to 
error.aspx page,And that page also doesn't show up completely.But If I go and see the source of the page, I can see lots of code there. 
--
Kamlesh 
On 1/19/06, AdamT <[EMAIL PROTECTED]> wrote:

On 1/16/06, Rich Milburn <
[EMAIL PROTECTED]> wrote:>> Server Error in '/' Application.Might be totally unrelated, but there was something similar mentioned recently at:
http://discuss.jarretthousenorth.com/newsItems/departments/Microsoft--AdamT"Maidenhead is *not* in Kent" List info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] OT: Script Request - Restart Remote Service

[Kamlesh Parmar]

Yup,
 
SC \\remoteserver stop myservice
SC \\remoteserver start myservice
* Assumes user or app running SC has enought rights to manage service remotely.
Note: It doesn't handle auto management for dependent services, same as other posted scripts
 
I have _vbscript_ to handle dependent services as well (put somewhere, need to find)
 if you need it let me know
 
--
Kamlesh
 
On 1/20/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
Sc.exe is an easy command-line utility for managing local and remoteservices. Comes with the OS.
-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]
] On Behalf Of Mark ParrisSent: Friday, January 20, 2006 8:06 AMTo: ActiveDir.orgSubject: [ActiveDir] OT: Script Request - Restart Remote ServiceDoes anyone have a nice applet to enable the remote manual restart of a
service on a server? The service permissions have been delegated as theapp that uses it is not very good and needs to be restarted numeroustimes a day - it never hangs so the inbuilt stuff is no good.I have had a look but can find no examples to achieve my end goal.
Regards,MarkList info   : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:http://www.mail-archive.com/activedir%40mail.activedir.org/List info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] LDAPS SRV Records?

[Kamlesh Parmar]

joe,

Thanks for the link.

As you mentioned, adding DNS server option turned out to be quite
trickier, why not one server at a time. I know it makes sense to
add/delete same records on multiple servers, but who says they can't be
serialized. After all, it is not that time critical operation.

For CLEAR switch, I was trying to say that, someone can accidentally
delete ALL the records related to domain or site and make clients who
are primarily pointing at that DNS server suffer, for the time those
records are re registered/replicated back again.

For config file, my idea was that, if you provide a way to specify
server and read SRV operations from a file. (something like
ldifde.exe).  I could create a config file in which I could list
down all the operations/records I want to manage. of course, this can
be scripted and given to DNSSrvRec as command line options, but putting
all together in a file where each operation is separated on single
line, would give nice readability. (something like LDF file)
Also, like adfind.exe if we can define some defaults for port,weight
and ttl etc. in config file which are used for same RUN of the command.

Currently what I am doing is, preparing a excel sheet containing all
the sites in my forest and manually defining the priority order in
which clients in each site will get authenticated by DCs (like first
same site DCs, then nearest site DCs, basically making sure clients
never have to look for generic SRV records). Afterwards based on this
sheet, I will prepare a list of SRV records to create/delete on each
DNS server and push those SRV records to respective servers.


--
Kamlesh
On 1/16/06, joe <[EMAIL PROTECTED]> wrote:





Hi Kamlesh, you can get the initial version at 
http://www.joeware.net/win/free/tools/DNSSrvRec.htm. I 
posted it to the site last night and announced on my blog, there are over 50 
downloads already which surprises me a bit. 
 
The initial version does not let you specify the DNS Server 
to make the change in. I had started to add it and backed out as I wanted to 
think over the whole SOA portion of it plus if I want to handle sending to 
multiple servers at the same time and how to handle the errors coming back. This 
is all I have for specifying specific servers at the moment, a commented out 
insertion to validate the command.
 
//  
ValidOptions.push_back(L"dnssrv"); 
// Which DNS Server(s)
Not sure what you are hoping for out of the clear option in 
terms of forreal. The tool doesn't look records up first and then clear then one 
by one. It simply sends a single clear command for the DNS Name, that 
is an option for one of the functions. Having a forreal option would only 
basically echo what you sent in via the parameters. I might consider having it 
try to pull the record first and then display what would get wiped out. But that 
brings up even more questions on the specifying multiple DNS servers 
thoughts.
 
Like what kind of ops are you talking about taking from a 
config file? Like a script of records to add? This could be an interesting idea. 
A script of generic records that you specify the actual host name to resolve to 
on the command line with. Of course this could easily be wrapped in a script or 
batch file as well initially. 
 
Download it and any other thoughts about it send my 
way.
 
 
   joe
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
ParmarSent: Monday, January 16, 2006 1:59 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] LDAPS SRV 
Records?
joe, nice work !!In fact, I was playing with dnscmd.exe for 
same purpose not for LDAPS but other authentication records...(If you remember 
the thread about custom SRV priority per dc per site basis.)I was 
planning for creating a HTA wrapper around dnscmd.exe for CLI-challenged. But I 
am not happy with the error reporting of dnscmd.exe, so was thinking of testing 
WMI class for DNS RR management, and now you created the utility. :-)I 
would like to register as pre-beta tester. :-)Looking at the current 
usage screen you provided, I have some queries top of my head.* Can we 
specify DNS server to make change on? (stupid of me to even suggest this. Just 
trying to make a redundant entry in your to-do list :-))* Can we have switch 
-FORREAL specially for clear option. (I know, DCs will recreate records in next 
refresh cycle, still there will be a resolution issue for a small period)* 
Can we have SRV operations taken from config file, like we have it for latest 
adfind.exe ?Just trying to participate :-)--Kamlesh
On 1/15/06, joe 
<[EMAIL PROTECTED]> 
wrote:

  I couldn't 
  sleep this evening so I decided to test the API calls below. They work fine. 
  :o)
   
  I have a 
  new utility that will clear, replace, delete, and add SRV records called 
  DNSSrvRec. I need to test it a little more when I am more awake. 
  
   
   
  F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv 
  _ldaps._tcp.dc._msdcs.joe.comServer:  2k3dc01.

Re: [ActiveDir] WebAdmin Tool Setup

[Kamlesh Parmar]

I had a fleeting look at the main.asp page.

I suppose, you are trying to create a new user and getting the error.
Looking at the code it seems, it is trying to set some properties of user account, without setting the password first.

So, if you have password policy with non-zero password length, you might get that error.

I haven't tested it yet, but you will have to shuffle some code around there to make it work.

--
Kamlesh
On 1/16/06, Noah Eiger <[EMAIL PROTECTED]> wrote:















Hello:

 

I
have been playing around with the WebAdmin (Build 13) tool that was posted to
the list a few months ago. While I can get the basic site to work, I get some
errors when trying to actual make a change (or add, delete, etc) to an object
in the domain. I seem to be getting a lot of HTTP 500 errors which when I turn
off the friend errors in IE, say:

 

error
'8007001f' 

/webadmin/Lib/Main.asp, line 1434


My
Googles for that error do not turn up anything meaningful: lots of stuff about
Windows Media Player and Windows 95. 

 

Any
thoughts on what might be the problem?

 

Thanks.

 

--
nme








--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.18/230 - Release Date: 1/14/2006
 

-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] LDAPS SRV Records?

[Kamlesh Parmar]

joe, nice work !!

In fact, I was playing with dnscmd.exe for same purpose not for LDAPS
but other authentication records...(If you remember the thread about
custom SRV priority per dc per site basis.)

I was planning for creating a HTA wrapper around dnscmd.exe for
CLI-challenged. But I am not happy with the error reporting of
dnscmd.exe, so was thinking of testing WMI class for DNS RR management,
and now you created the utility. :-)

I would like to register as pre-beta tester. :-)

Looking at the current usage screen you provided, I have some queries top of my head.

* Can we specify DNS server to make change on? (stupid of me to even
suggest this. Just trying to make a redundant entry in your to-do list
:-))
* Can we have switch -FORREAL specially for clear option. (I know, DCs
will recreate records in next refresh cycle, still there will be a
resolution issue for a small period)
* Can we have SRV operations taken from config file, like we have it for latest adfind.exe ?

Just trying to participate :-)

--
Kamlesh
On 1/15/06, joe <[EMAIL PROTECTED]> wrote:





I couldn't sleep this evening so I decided to test the API 
calls below. They work fine. :o)
 
I have a new utility that will clear, replace, delete, and 
add SRV records called DNSSrvRec. I need to test it a little more when I am more 
awake. 
 
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv 
_ldaps._tcp.dc._msdcs.joe.comServer:  2k3dc01.joe.comAddress:  
192.168.0.10
 
*** 2k3dc01.joe.com can't find 
_ldaps._tcp.dc._msdcs.joe.com: Non-existent domain
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe 
/addrec 
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:
2k3dc01.joe.com
 
AddSrvRec V01.00.00cpp Joe Richards (
[EMAIL PROTECTED]) 
January 2006
 
Adding 
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.Adding 
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.
 
Results---Total Records To Update: 2Total 
Records Updated  : 2Total Updates Failed   : 
0
 
The command completed successfully.
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup 
-type=srv _ldaps._tcp.dc._msdcs.joe.comServer:  
2k3dc01.joe.comAddress:  
192.168.0.10
 
_ldaps._tcp.dc._msdcs.joe.com   SRV service 
location:  
priority   = 
0  
weight = 
100  
port   = 
636  svr 
hostname   = 
2k3dc02.joe.com_ldaps._tcp.dc._msdcs.joe.com   SRV service 
location:  
priority   = 
0  
weight = 
100  
port   = 
636  svr 
hostname   = 2k3dc01.joe.com
2k3dc01.joe.com internet address = 
192.168.0.10
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /delrec 
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:
2k3dc01.joe.com
 
AddSrvRec 
V01.00.00cpp Joe Richards ([EMAIL PROTECTED]
) January 2006
 
Deleting 
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.Deleting 
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.
 
Results---Total Records To Update: 2Total Records 
Updated  : 2Total Updates Failed   : 0
 
The command 
completed successfully.
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup 
-type=srv _ldaps._tcp.dc._msdcs.joe.comServer:  
2k3dc01.joe.comAddress:  
192.168.0.10
 
*** 
2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent 
domain
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>
 
 
Here is the current usage screen. I will relook at the API 
calls again tomorrow or Monday and decide if I want to add any more 
features.
 
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe 
/?
 
AddSrvRec V01.00.00cpp Joe Richards (
[EMAIL PROTECTED]) 
January 2006
 
Usage: DNSSrvRec [switches]
 
  Switches: (designated by - or /)
 
   -clear xx    Clear DNS SRV 
records with name xx Format 
xx 
- The format for xx 
is a semicolon delimited list of 
DNS names such as 
_ldaps._tcp.dom.com or 
_ldaps._tcp.dom.com;_ldaps._tcp.child.dom.com
 
   
-replace yy  Replace DNS SRV records with name yy   -delrec 
yy   Delete DNS SRV records with name yy   -addrec 
yy   Add DNS SRV records with name 
yy Format 
yy 
- The format for yy 
is a semicolon delimited list of 
DNS Records. Each DNS record 
has the 
format:    
aaa:bb:cc:dd:ee:fff   
aaa - DNS Name 
(_ldaps._tcp.dom.com)   
bb  - TTL Value 
(300)   
cc  - Priority 
(0)   
dd  - Weight 
(100)   
ee  - Port 
(636)   
fff - Host Name (somedc.dom.com)
 
   
-delim   Delimiter to separate values in DNS 
Record.   -mrdelim Delimiter to separate 
multiple DNS Records.
 
 
 
  
Notes:    You can have multiple actions 
(add/delete/clear/replace) in    a single command, they will 
be processed in the order clear, replace    delete, and 
add.
 
  
Ex1:    DNSSrvRec -addrec 

Re: [ActiveDir] Automagically move AD computers into new/appropriate OU

[Kamlesh Parmar]

If you know the admin password of all new computers, you can use netdom.exe to join machine
remotely, and at the same time put it in exact ou where you want to put it.
 
NETDOM JOIN comp1 /DOMAIN:WINDOM /UO:LocalAdmin /PO:LocalAdminPassword /UD:WinDom\DomAdmin /PD:DomAdminPassword /OU:"OU=MyComps,dc=dom,dc=com"
 
Where
comp1 = remote computer to join the domain
windom = domain to join
localadmin = local administrator of comp1 computer
localadminpassword = localadmin 's password
windom\domadmin = domain account with rights to join machine to domain
DomAdminPassword = windom\domadmin's password
 
--
Kamlesh
 
On 1/9/06, Danny <[EMAIL PROTECTED]> wrote:
This is all fantastic information; especially since there aredifferent ways of getting the same end result.  Thanks, everyone!
One more related question, if you have a dozen new PC's, what optionsare available for joining/adding computers to the domain -- besideslogging into the PC and changing the network identification to the AD
domain?Because I have only have experience in smaller environments, I havealways added computers to the domain by aforementioned method.Cheers,...DList info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] Windows 2003 Server

[Kamlesh Parmar]

I guess you will have to try the process explorer from www.sysinternals.com
In that you can search for handle of the file, and corresponding process which is holding that handle. Try not to give full name of pdf, just give initial few letters.
 
I have been to able to kill even the most critical services of windows with that, till now it has never disappointed.
 
Also have you checked the permission on that file.
 
--
Kamlesh 
On 1/6/06, Ellis, Debbie <[EMAIL PROTECTED]> wrote:
I had already tried that and received the same error message as I did inExplorer-Original Message-
From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:28 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerI have had this in Explorer and I have just fired up CMD and deleted them
that way - with no issue. I know it sounds simplistic but it worked.Mark-Original Message-From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rich MilburnSent: 05 January 2006 20:09To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 ServerI have seen this behavior too, but never got to the bottom of it.  Iended up being pretty certain that antivirus software was locking itthough.  I have also seen the OS itself lock files, when it's trying to
show a preview or for other unknown reasons.  Sometimes opening acommand prompt window to the file's parent folder, and then killingexplorer with task manager, enabled me to delete it.Good luckRich
---Rich MilburnMCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform DevelopmentApplebee's International, Inc.
4551 W. 107th StOverland Park, KS 66207913-967-2819--"I love the smell of red herrings in the morning" - anonymous-Original Message-
From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Ellis, Debbie
Sent: Thursday, January 05, 2006 1:14 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerI tried all and to no avail. The process could not be found. They are
allpdf files and I can make a copy of them and am able to delete themwithoutproblems. Looks like I will have to reboot-Original Message-From: 
[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Thursday, January 05, 2006 11:44 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerShoot over to sysinternals and look for their handle tool that will showyouwhat processes have handles open to files.
You may not have a choice but to reboot if you can't find what isholdingthe files.-Original Message-From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ellis, DebbieSent: Thursday, January 05, 2006 11:22 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerThanks for the info, but it did not work  The pdf files did not show upasbeing in use.-Original Message-From: 
[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Thursday, January 05, 2006 10:22 AM
To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Windows 2003 ServerYou can try this.On the file server run the commandNET FILE
Look for the files in question. Write down the IDThen when you have the IDsNET FILE  /CLOSEDEL FILEObviously replace  with the ID from the NET FILE enumeration.
From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]
] On Behalf Of Ellis, DebbieSent: Thursday, January 05, 2006 10:03 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Windows 2003 Server
There are a few pdf files that I can not delete on my file and printserver.I have domain admin permissions and the file is not read only.  It givesmethe error messages that the file is in use. I don't want to reboot the
server. Has anyone else had this problem and what was the solution?List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive:http://www.mail-archive.com/activedir%40mail.activedir.org/List info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive:http://www.mail-archive.com/activedir%40mail.activedir.org/---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED /CONFIDENTIAL INFORMATION may be contained in this message or anyattachments.This information is strictly confidential and may be subject toattorney-clientprivilege. This message is intended only for the use of the named addressee.
Ifyou are not the intended recipient of this message, unauthorized forwarding,printing, copying, distribution, or using such information is strictlyprohibited and may be unlawful. If

Re: [ActiveDir] Enable Windows Integrated Authentication through GPO

[Kamlesh Parmar]

I was testing the integrated authentication with IIS, and even though
site was is local intranet, IE prompted for username and password on
some machines and on some it didn't.

I checked in "Local Intranet" security zone for user authentication option and sure it was enabled for intranet sites.

And on investigation, on all the machine where it didn't work, I found
that the same "Windows integrated authentication" was not ticked in
Advanced option.
I ticked it and it worked.

So just putting it in "local intranet" might not work for this case.

My Config : Desktops are XP SP2, IE 6 & IIS 6 on Win2k3 SP1

On 1/4/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:














The IIS site must be set up to allow windows integrated authentication
and not to allow anonymous access. By default the IE Security Zone "Local
Intranet" is enabled to allow Integrated Authentication (while Trusted
Sites does not), if you haven't changed that you can configure the
systems in question to be within the local intranet zone.

 

I don't know if you are able to change IEs settings per GPO,
propably only if you created an ADM yourself, but you may be able to change it
with IEAK. But that shouldn't be necessary if you use the correct
security zones, and I'd recommend not enabling it for "Trusted
Sites" or other Zones which are outside your DMZ.

 



Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book
"Windows XP - Die Expertentipps": 
http://tinyurl.com/44zcz
  Weblog: 
http://msmvps.org/UlfBSimonWeidner
  Website: 
http://www.windowsserverfaq.org
  Profile:   
http://mvp.support.microsoft.com/profile="">   











From: 
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, January 03, 2006 8:26 PM
To: [EMAIL PROTECTED]; 
ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enable Windows Integrated Authentication through
GPO



 

How does someone enable Windows Integrated Authentication  through a Group
Policy.  You will find this on the Advanced tab of Internet Options.




 

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]


 







-- ~"Be the change you want to see in the World"~

[ActiveDir] OT: Windows Server 2003 Security guide Ver 2.0

[Kamlesh Parmar]

Microsoft released a updated version of Win2k3 sec guide last week,
 
This update adds post SP1 hardening recommendations, including usage of SCW for creating role based templates etc.
 
Windows Server 2003 Security guide Ver 2.0http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en

 
And its companion guide
 
 Threats and Countermeasures guide Ver 2.0
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx
 
 
-- 
Kamlesh~"Be the change you want to see in the World"~ 

Re: [ActiveDir] DNS SRV records

[Kamlesh Parmar]

Thanks Jorge for so nicely putting it all together...
 
This is what I was thinking as the simplest possible optimized configuration.
 
So, thought lets put it across masters to know all possibilities...
 
--
Kamlesh
 
On 1/1/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
what you could do is:* make sure only the main central hub registers domain wide and site wide DC locator records
* make sure regional hubs only register site wide DC locator records and NOT domain wide DC locator records* make sure remote offices only register site wide DC locator records and NOT domain wide DC locator records
* Leave the priority of the central hub DCs as is* Configure a higher priority value for regional hub DCs* Leave the priority of the remote site DCs as is* Configure regional hub DCs to additionally cover the corresponding lower remote sites
This way:* If regional hub DCs fail clients/servers go to the main central hub when these query for DCs in the domain* If remote site DCs fail clients/servers will first go to the corresponding upper regional hub as these also cover the remote site and second these will go to the main central hub when these query for DCs in the domain
This configuration could be realized using GPOs with group filtering or SUB OUs below to the Domain Controllers OU (one OU with DCs, all remote sites, that do not register domain wide DC locator records AND one OU per regional hub with DCs that do not register domain wide DC locator records, have a highher priority for the SRV RR and additionally cover the lower remote site) or site GPOs using WMI filtering or a combination of the what is mentioned
Cheers,JorgeFrom: [EMAIL PROTECTED] on behalf of Kamlesh ParmarSent: Sat 2005-12-31 13:57
To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DNS SRV records1)AFAIK, Site is a active directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. These services are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP,DC,GC,Kerberos,Kpassword)
so I was curious what applications would actually just read sitename from AD and look for a service not offered by DC in that site? AD based distributed applications (other than exchange) ?2)DNS priorities, I know by default, its only possible per DC basis thru registry.
I was hoping it was more customizable, even if it was not officially documented.Basically we do have hub and spoke stuff. We have central hub and then at its spokes regional hubs and at their spoke individual remote sites. (This is highly simplified, as there are load balancing links across regions, away from central hub, so I would say its a mash between center and regional sites and than hub and spokes at region and remote sites)
Now, in case of DC failure at remote site, clients would go to any regional or Central hub DC, and not necessarily its nearest regional hub DC.With priority only per DC basis, I would have to create mess of priorities to achieve what I want. And it would be complex.
One solution I thought was to publish regional hub DCs in their spoke DCs with lower priorityThis would surely give me some control, on where remote sites go for authentication. But this would not help cover DC failure at region level.
Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred.  So, per DC per Site priority setting would have been ideal.I am open to other possible solutions.
--KamleshOn 12/31/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:   "_sites.dc._msdcs.DNSDomainName" is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site
   "_sites.DnsDomainName" is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain site   for more info on service resource records see:   
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url="">   DNS priorities are on a per DC basis, and not on a per DC per site basis.
   It is not possible to configure a different priority for the same DC covering another site.   Why do you want to do that?   if clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName
   the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainName   If you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain wide DC locator records and only let HUB DCs register those records
   Jorge   ____   From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar   Sent: Fri 2005-12-30 22:42
   To: ActiveDir@mail.activedir.org   Subject: [ActiveDir] DNS SRV records   >From my limited knowledge of how AD uses SRV records, I have two queries.
   1)

Re: [ActiveDir] DNS SRV records

[Kamlesh Parmar]

1)
Okie.. so I can mark that part of DNS as *** Reserved for future use ***    :-)
 
In fact I also use ATSN.exe to find the IP-->siteinfo and move computer accounts from "Default Computer " container to OUs allocated for sites or even specific subnets. 
 
2) 
I was hoping for registry or netlogon.dns entries, If scripts is what left, then,
 
I have found a sample _vbscript_ script for registering records in DNS at Robbie Allen's site...
http://rallenhome.com/books/dnsonw2k3/src/14-rr_create.vbs.txt
OR
I think support tool dnscmd.exe will also help,
Dnscmd server_name /RecordAdd zone_name computer_name A IP_address 
 
--
Kamlesh 
On 1/1/06, joe <[EMAIL PROTECTED]> wrote:

1. There might be 0, 10, or 1000 apps out there doing this now. The structure is there for them to register records and look things up. I don't think the site based mentality has taken off as completely as it can yet though. I do expect that to change though because it makes a ton of sense. Mostly it is probably just done with DCs at the moment because MS offers a nice wasy API for finding DCs in that structure. If they offered an API to find any service where you plug in the prefix you are looking for coupled with easy registration of those records, it would probably be start being used more. A lot of MS based programmers are lazy. They look for the easiest way to code the stuff versus the best way to code the stuff. This is no surprise since a vast majority of Windows programmers came from the VB world. VB didn't train you to do things well, it trained you to do find the easiest way. If people weren't looking for the easiest way, it is doubtful they would have gone to VB in the first place.

 
As an aside, I know of folks who have used the site/subnet objects in AD to map out Web Site usage. The IPs were mapped via the IP to site via my ATSN tool which calls an MS API for the translation. That was the hardest part. The rest is simple perl scanning of web service logs (not blogs) and scooping out the pages and the IP accessing the site. That isn't using DNS directly, but is leveraging the AD site info for the purposes of good.

 
2. Nope, unfortunately not more customizable directly. However, these simply DNS entries. There is nothing stopping you from taking a script and registering your own records as you see fit. Just go find a copy of nsupdate and script it with perl and register whatever the heck you want to register either based on a list you generate or some logic that perl can follow. You could set up just about anything you would like to set up.

 


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Saturday, December 31, 2005 7:57 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DNS SRV records 


1)
AFAIK, Site is a active directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. These services are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP,DC,GC,Kerberos,Kpassword) 

 
so I was curious what applications would actually just read sitename from AD and look for a service not offered by DC in that site? AD based distributed applications (other than exchange) ?
 
2)DNS priorities, I know by default, its only possible per DC basis thru registry.
I was hoping it was more customizable, even if it was not officially documented.
 
Basically we do have hub and spoke stuff. We have central hub and then at its spokes regional hubs and at their spoke individual remote sites. (This is highly simplified, as there are load balancing links across regions, away from central hub, so I would say its a mash between center and regional sites and than hub and spokes at region and remote sites) 

 
Now, in case of DC failure at remote site, clients would go to any regional or Central hub DC, and not necessarily its nearest regional hub DC.
 
With priority only per DC basis, I would have to create mess of priorities to achieve what I want. And it would be complex.
 
One solution I thought was to publish regional hub DCs in their spoke DCs with lower priority
This would surely give me some control, on where remote sites go for authentication. But this would not help cover DC failure at region level.
 
Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred.  So, per DC per Site priority setting would have been ideal.
 
I am open to other possible solutions.
 
--
Kamlesh
 
On 12/31/05, Almeida Pinto, Jorge de <
[EMAIL PROTECTED]> wrote: 
"_sites.dc._msdcs.DNSDomainName" is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site 
"_sites.DnsDomainName" is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain sitefor more info on service resource records see:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url="">DNS priorities are on a per DC

Re: [ActiveDir] DNS SRV records

[Kamlesh Parmar]

Yes !
Not only for remote site DCs but also for regional hub DCs too... 
--
Kamlesh 
On 12/31/05, Al Mulnick <[EMAIL PROTECTED]> wrote:

 
 
If I understand you correctly, you can already control between local site and regional/central site authentication hierarchy through publication of records (as in branch office scenario) but you want to further control which DC does authentication by controlling, in the event of failure in the local site, which hub it goes to?  Is that correct? 

 
Al

 
 
On 12/31/05, Kamlesh Parmar <[EMAIL PROTECTED]
> wrote: 

1)
AFAIK, Site is a active directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. These services are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP,DC,GC,Kerberos,Kpassword) 

 
so I was curious what applications would actually just read sitename from AD and look for a service not offered by DC in that site? AD based distributed applications (other than exchange) ?
 
2)DNS priorities, I know by default, its only possible per DC basis thru registry.
I was hoping it was more customizable, even if it was not officially documented.
 
Basically we do have hub and spoke stuff. We have central hub and then at its spokes regional hubs and at their spoke individual remote sites. (This is highly simplified, as there are load balancing links across regions, away from central hub, so I would say its a mash between center and regional sites and than hub and spokes at region and remote sites) 

 
Now, in case of DC failure at remote site, clients would go to any regional or Central hub DC, and not necessarily its nearest regional hub DC.
 
With priority only per DC basis, I would have to create mess of priorities to achieve what I want. And it would be complex.
 
One solution I thought was to publish regional hub DCs in their spoke DCs with lower priority
This would surely give me some control, on where remote sites go for authentication. But this would not help cover DC failure at region level.
 
Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred.  So, per DC per Site priority setting would have been ideal.
 
I am open to other possible solutions.
 
--
Kamlesh

 
On 12/31/05, Almeida Pinto, Jorge de <
 [EMAIL PROTECTED]> wrote: 
"_sites.dc._msdcs.DNSDomainName" is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site 
"_sites.DnsDomainName" is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain sitefor more info on service resource records see:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url="">DNS priorities are on a per DC basis, and not on a per DC per site basis. 
It is not possible to configure a different priority for the same DC covering another site.Why do you want to do that?if clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName 
the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainNameIf you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain wide DC locator records and only let HUB DCs register those records 
JorgeFrom: [EMAIL PROTECTED] 
on behalf of Kamlesh ParmarSent: Fri 2005-12-30 22:42To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS SRV records>From my limited knowledge of how AD uses SRV records, I have two queries.1) Why we need separate _sites.DnsDomainName child domain when we have_sites.dc._msdcs.DNSDomainName child domain populated? 
And I guess that only later is used by clients to find the site specific DC for authentication. Which other applications would need site specific but generic SRV records (former ones) ??2)How to publish DC1 in site1 into remote site site2 with different priority than its own site site1? 
i.e.DC1  site1   priority=0DC1  site2   priority=10DC2  site1   priority=10DC2  site2   priority=0By the way,Happy New Year to you all.--Kamlesh~ 
"Be the change you want to see in the World"~This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. 
-- 
~"Be the change you want to see in the World"~
-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] WinXP activation problem

[Kamlesh Parmar]

Ya, exactly... and their gmail.com account will give them nice conversational look at what they are doing. :-) 
By the way, I think I have seen answer for this kind of questions at Microsoft public newsgroups at 
microsoft.com, look for setup and installation section in WinXP groups.
--
Kamlesh
 
On 12/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Aha! Amit did it! Perhaps you guys want to do this in private?Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]
] On Behalf Of Ravi DograSent: Friday, December 30, 2005 2:45 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] WinXP activation problemThanks Amit,
I remember it was You who created those images and used sysprep and all.thanks for revealing the usage of 30 day trial version installation.Hope, will get some more such expert comments from your side.
Thanks and RegardsRavi DograList info   : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] DNS SRV records

[Kamlesh Parmar]

1)
AFAIK, Site is a active directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. These services are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP,DC,GC,Kerberos,Kpassword)

 
so I was curious what applications would actually just read sitename from AD and look for a service not offered by DC in that site? AD based distributed applications (other than exchange) ?
 
2)DNS priorities, I know by default, its only possible per DC basis thru registry.
I was hoping it was more customizable, even if it was not officially documented.
 
Basically we do have hub and spoke stuff. We have central hub and then at its spokes regional hubs and at their spoke individual remote sites. (This is highly simplified, as there are load balancing links across regions, away from central hub, so I would say its a mash between center and regional sites and than hub and spokes at region and remote sites)

 
Now, in case of DC failure at remote site, clients would go to any regional or Central hub DC, and not necessarily its nearest regional hub DC.
 
With priority only per DC basis, I would have to create mess of priorities to achieve what I want. And it would be complex.
 
One solution I thought was to publish regional hub DCs in their spoke DCs with lower priority
This would surely give me some control, on where remote sites go for authentication. But this would not help cover DC failure at region level.
 
Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred.  So, per DC per Site priority setting would have been ideal.
 
I am open to other possible solutions.
 
--
Kamlesh
 
On 12/31/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
"_sites.dc._msdcs.DNSDomainName" is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site
"_sites.DnsDomainName" is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain sitefor more info on service resource records see:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url="">DNS priorities are on a per DC basis, and not on a per DC per site basis.
It is not possible to configure a different priority for the same DC covering another site.Why do you want to do that?if clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName
the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainNameIf you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain wide DC locator records and only let HUB DCs register those records
JorgeFrom: [EMAIL PROTECTED] on behalf of Kamlesh ParmarSent: Fri 2005-12-30 22:42To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] DNS SRV records>From my limited knowledge of how AD uses SRV records, I have two queries.1)
Why we need separate _sites.DnsDomainName child domain when we have_sites.dc._msdcs.DNSDomainName child domain populated?And I guess that only later is used by clients to find the site specific DC for authentication.
Which other applications would need site specific but generic SRV records (former ones) ??2)How to publish DC1 in site1 into remote site site2 with different priority than its own site site1?i.e.
DC1  site1   priority=0DC1  site2   priority=10DC2  site1   priority=10DC2  site2   priority=0By the way,Happy New Year to you all.--Kamlesh~
"Be the change you want to see in the World"~This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
-- ~"Be the change you want to see in the World"~

[ActiveDir] DNS SRV records

[Kamlesh Parmar]

From my limited knowledge of how AD uses SRV records, I have two queries.
 
1)Why we need separate _sites.DnsDomainName child domain when we have _sites.dc._msdcs.DNSDomainName child domain populated? 
And I guess that only later is used by clients to find the site specific DC for authentication. Which other applications would need site specific but generic SRV records (former ones) ??
 2)How to publish DC1 in site1 into remote site site2 with different priority than its own site site1? i.e. 
DC1  site1   priority=0 DC1  site2   priority=10 DC2  site1   priority=10 DC2  site2   priority=0
  
By the way,
 
Happy New Year to you all.-- 
Kamlesh~"Be the change you want to see in the World"~ 

Re: [ActiveDir] Display Specifier + Command Variables

[Kamlesh Parmar]

If the batch file you provided is what you are using then it might not work...
As ADUC will give DN of the object as command line argument to the script
and iisftp.vbs requires username (samaccountname) of the user to work.
 
so, VBS will be better in this case...
 
' *** Start Code


Dim oUser1 
Set oUser1 = getobject(wscript.arguments(0))oUser1.FTPDir = oUser1.samaccountnameoUser1.FTPRoot = "\\hermes\Z Drives"

oUser1.SetInfo Set oUser1 = NothingSet ouserFTP = Nothing
' *** End Code 
--
Kamlesh 
On 12/24/05, Marc A. Mapplebeck <[EMAIL PROTECTED]> wrote:

I need to propogate the FTPRoot and FTPDir fields in the user objects, they are not available through ADUC, only by using iisftp or a vbs. I am using FTP via IIS in AD Isolation Mode. 



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Al MulnickSent: December 23, 2005 12:17 
To: ActiveDir@mail.activedir.orgSubject:
 Re: [ActiveDir] Display Specifier + Command Variables 


I'm still not clear on whether you want to do this for the homedrive attribute or if you are trying to do something else. 
 
Might just be a little dense (that sometimes happens around this time of year).  
 
You want to add a _vbscript_ to your ADU&C so you can right click and enable some function that currently is not available, vs. using a script to enable it in bulk.  Is that correct? 
 
I believe you want something similar to this, right? http://www.2000trainers.com/article.aspx?articleID=317&page=2
 
On 12/23/05, Marc A. Mapplebeck <[EMAIL PROTECTED]
> wrote: 

Sure, I was just using a batch file that called iisftp
the context was "iisftp username"
all Z drives are the homedir of the user stored on our hermes server in the share Z Drives, the purpose of this was to give users access to their homedir remotely. 

however, now that I want to use it from within AD Users & Computers, I think I will have to rewrite it to set the variables using vbs.
 
 
setftp.bat
-
IIsFtp /SetADProp %1 FTPDir %1IIsFtp /SetADProp %1 FTPRoot "\\hermes\Z
 Drives"-
end 
I will probably end up using a .vbs that looks similar to this: 
 
setftp.vbs
-
Dim ouserFTPDir
Dim ouserFTPDRootDim oUser1 Set oUserFTPDir = GetObject(ouser1(0)) 
Set oUserFTPRoot = "\\hermes\Z Drives"
oUser1.SetInfo Set oUser1 = NothingSet ouserFTP = NothingWScript.Quit
-
end
 
I'm actually teaching a class right now(yes, one of my students showed up for class the day before the holiday break starts, so I gave him a nice subnetting lab, I'm soo sadistic), so I do not have access to any of my reference/test servers, so this script will prolly crash on line 1. But, the general idea is there. 

 


From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]] On Behalf Of Al MulnickSent: December 23, 2005 11:23To: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Display Specifier + Command Variables 


Marc, can you post the code you're using?  Cleaned up for internet consumption of course. 
 
Al 
On 12/23/05, Marc A. Mapplebeck <[EMAIL PROTECTED] 
> wrote: 
Hi all, I am working on setting up FTP in AD Isolation mode. I have writtena batch file that I run to enable a user on the FTP server, I would like to 
change this so that I can just right click on a user in AD Users & Computersto do this, I have made the modification to the display specifier to callthe batch file, however, it is not passing what I want, does anybody know 
if/what the variable is for the CN of the user, or would it be just as easyto script this with VB instead? If so, does anybody already have a script ora model that can be used for this? Thanks - Marc
List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 
-- ~"Be the change you want to see in the World"
~

Re: [ActiveDir] computer domain join process

[Kamlesh Parmar]

Any better method available then using netdom ?

meanwhile, I will talk to my TAM.
--
KamleshOn 12/20/05, joe <[EMAIL PROTECTED]> wrote:







SIte location is actually done in an unauthenticated 
manner with CLDAP calls. The UDP LDAP is connectionless with no TCP 
session and doesn't allow for a bind so the information has to be 
returned to anonymous callers (assuming they know the right query to submit 
and the right attributes to ask for and how to decode the binary data returned 
in the attribute). 
 
The sad thing is that it should be working with site 
affinity already as it has the needed info. The client from what I have seen in 
the traces actually does a UDP ping and gets back the site info quite early in 
the join process (like the 5th packet in the trace I looked at). 

 
I have submitted a "wish" to have that change put in. 
Anyone who also would like this I would recommend submitting DCRs through your 
various channels that are available to you.
 
   joe
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Tony 
MurraySent: Monday, December 19, 2005 7:10 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] computer domain 
join process


My guess is that it has 
to do with security.  Until the machine is a member of the domain you don't 
want a DC to provide site and subnet information to it.
 
Tony
 



From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
ParmarSent: Tuesday, 20 December 2005 11:22 a.m.To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] computer domain join 
process
 
As we know that, when a new machine tries to join the win2k/3 
domain,it will first try a SRV query for  
_ldap._tcp.dc._msdcs.DnsDomainNameand which ever DC is first in the list, it 
will connect to that DC and create account there and proceed for domain 
joining.This order of DCs in query result is not uniform, it changes every 
time you query.Now, If you have geographically dispersed DCs with long 
enough replication delay.This approach leads into trouble, as machine might 
have created account on remote DCand on next reboot it will try to find its 
account into local site DC, where it might not be present.This is also 
more troublesome in the case, I want to refresh the machine using Ghost, I will 
delete its account in local DC and after Ghost restore it will try to join the 
domain by connecting to any random DC, and in this case, remote DC might/might 
not have account depending on replication reached it in time. So one of 
the solution,is to use netdom.exe to join machines to domain, where at the 
command line we can target specific DC for joining process. This is the 
command we use, where, DOM = Domain to join DOMDC1 = nearest DC for that 
computer DOM\siteadmin = account with rights to join computer to domain 
netdom.exe join %computername% /domain:DOM\DOMDC1 /UD:DOM\siteadmin 
/PD:* /OU:%OU-2-CREATE-ACCOUNT-IN% /RebootNow, my question, is why can't 
machine itself find the nearest DC to join, based on query to configuration NC 
for subnet/site mapping and then DNS query for DC in that particular site. (like 
normal domain client would do to find its nearest DC)After all we are 
providing a privileged account while domain joining, which computer can use to 
get the pertinent info.Also, is there better way to target joining 
computer towards its local DC.-- 
Kamlesh~"Be the change you want to 
see in the World"~
This communication, including any attachments, is confidential. If you are 
not the intended recipient, you should not read it - please contact me 
immediately, destroy it, and do not copy or use any part of this communication 
or disclose anything about it. Thank you. Please note that this communication 
does not designate an information system for the purposes of the Electronic 
Transactions Act 2002.

-- ~"Be the change you want to see in the World"~

[ActiveDir] computer domain join process

[Kamlesh Parmar]

As we know that, when a new machine tries to join the win2k/3 domain,
it will first try a SRV query for  _ldap._tcp.dc._msdcs.DnsDomainName
and which ever DC is first in the list, it will connect to that DC and create account there and proceed for domain joining.
This order of DCs in query result is not uniform, it changes every time you query.

Now, If you have geographically dispersed DCs with long enough replication delay.
This approach leads into trouble, as machine might have created account on remote DC
and on next reboot it will try to find its account into local site DC, where it might not be present.

This is also more troublesome in the case, I want to refresh the
machine using Ghost, I will delete its account in local DC and after
Ghost restore it will try to join the domain by connecting to any
random DC, and in this case, remote DC might/might not have account
depending on replication reached it in time.


So one of the solution,is to use netdom.exe to join machines to
domain, where at the command line we can target specific DC for joining
process.

This is the command we use,
where,

DOM = Domain to join

DOMDC1 = nearest DC for that computer

DOM\siteadmin = account with rights to join computer to domain



netdom.exe join %computername% /domain:DOM\DOMDC1 /UD:DOM\siteadmin /PD:* /OU:%OU-2-CREATE-ACCOUNT-IN% /Reboot

Now, my question, is why can't machine itself find the nearest DC to
join, based on query to configuration NC for subnet/site mapping and
then DNS query for DC in that particular site. (like normal domain
client would do to find its nearest DC)

After all we are providing a privileged account while domain joining, which computer can use to get the pertinent info.

Also, is there better way to target joining computer towards its local DC.

-- 
Kamlesh~"Be the change you want to see in the World"~

Re: [ActiveDir] Win32Shutdown Method & Win2003

[Kamlesh Parmar]

YUP,  you should add 4, Here is some code

Const LOGOFF = 0Const SHUTDOWN = 1Const REBOOT = 2Const FORCE = 4Const POWEROFF = 8For Each objPC In GetObject("winmgmts:{(shutdown)}").ExecQuery("Select * from Win32_OperatingSystem")
objPC.Win32Shutdown LOGOFF + FORCENext
On 12/15/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:







Devon-
Are you getting an actual error or just that it doesn't 
work? I ran your script on my test W2003 box and it worked just fine. I ran it 
as administrator at the server's console. How are you running this script? At 
the console or in a TS session? The latter may be problematic. Also, you might 
want to try:
 
 objSystem.Win32Shutdown 4

 
which I think is forced logoff. That would get around 
issues where some process is preventing the normal logoff.
 
Darren


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Harding, 
DevonSent: Wednesday, December 14, 2005 9:52 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown 
Method & Win2003


Same 
error
 




From:
 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] 
On Behalf Of Alain 
LissoirSent: Wednesday, 
December 14, 2005 11:26 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown 
Method & Win2003
 

On 2003? 
Or 2000?

Hmmm ... 
can you try with this :)  

 

objWMILocator.Security_.Privileges.AddAsString 
"SeRemoteShutdownPrivilege", True
 



From:
 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] 
On Behalf Of Harding, DevonSent: Wednesday, December 14, 2005 7:39 
AMTo: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown 
Method & Win2003
I still 
get the same error running on a server:
 
Generic 
Error
 
It seem to 
be giving an error right at this point: objSystem.Win32Shutdown 
0
 
Here is 
the whole script:
Set 
objWMILocator = CreateObject ("WbemScripting.SWbemLocator") 

objWMILocator.Security_.Privileges.AddAsString 
"SeShutdownPrivilege", True 
Set 
objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, 
strUserID, strPassword)
 
Set 
objSystemSet = 
GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
 
For Each 
objSystem In objSystemSet
    
objSystem.Win32Shutdown 0
Next
 





From:
 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] 
On Behalf Of Alain 
LissoirSent: Wednesday, 
December 14, 2005 9:38 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown 
Method & Win2003
 

Have you 
tried your script as a plain admin on server? I wonder if it is not a question 
of privileges ...

 

Try to add 
to your script the following before connecting to the Root\CIMv2 namespace. Then 
retry ...

 

    Set 
objWMILocator=CreateObject 
("WbemScripting.SWbemLocator")

    
objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", 
True

    Set 
objWMIServices = objWMILocator.ConnectServer(strComputerName, 
cWMINameSpace, strUserID, strPassword)
 




From:
 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] 
On Behalf Of Harding, DevonSent: Wednesday, December 14, 2005 5:23 
AMTo: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown 
Method & Win2003
This 
script is part of a another script that upon logon, checks certain registry 
values, then if the values are not set, the script then sets the value and 
logoff the current user.  Like I said before, it works on Windows XP but 
not servers.  Why?
 






From:
 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] 
On Behalf Of Steve 
ShaffSent: Tuesday, December 
13, 2005 7:38 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Win32Shutdown 
Method & Win2003
 
The 
shutdown command works.  Give that a shot.
S
 






From:
 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] 
On Behalf Of Harding, DevonSent: Tuesday, December 13, 2005 2:34 
PMTo: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win32Shutdown Method 
& Win2003
 
I'm using the following script to 
logoff a workstation.  It works fine on XP workstations but does not seem 
to work on Windows 2000/2003 servers.  Any 
Ideas?
 
Set objSystemSet = 
GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
 
For Each objSystem In 
objSystemSet
    
objSystem.Win32Shutdown 0
Next
 
Devon
 
Harding
Windows 
Systems Engineer
Southern Wine 
& Spirits - BSG
954-602-2469
 





__
This 
message and any attachments are solely for the intended 
recipientand may 
contain confidential or privileged information. If you are 
notthe intended 
recipient, any disclosure, copying, use or distribution 
ofthe 
information included in the message and any attachments 
isprohibited. If 
you have received this communication in error, 
pleasenotify us 
by reply e-mail and immediately and permanently delete 
thismessage and 
any attachments. Thank You. 


-- ~"Be the change you want to see in the World"~

Fwd: [ActiveDir] csv to ldf converter

[Kamlesh Parmar]

If you have already seen the attached mail, my apologies for duping.

It seems, lately, gmail is creating problem, and not sending some of my replies.I have to go to, list archive and verify that, mail is sent to others, as well.

--
Kamlesh
-- Forwarded message --From: Kamlesh Parmar <[EMAIL PROTECTED]>Date: Dec 14, 2005 3:04 AM
Subject: Re: [ActiveDir] csv to ldf converterTo: ActiveDir@mail.activedir.org
 I use similar approach,

Put samid and other user fields in columns, then generate other columns
as needed from existing column. like Displayname from FN and LN using
formula =CONCATENATE(B2," ",C2)

then at the end concatenate everything into single column using * as separator
formula : =CONCATENATE(A2,"*",B2,"*",C2,"*",D2)




 
 
 
 
  SamID
  FN
  LN
  DisplayName
  TextToCopy
 
 
  user1
  User
  1
  User 1
  user1*User*1*User
  1
 
 
  user2
  User
  2
  User 2
  user2*User*2*User
  2
 
 
  user3
  User
  3
  User 3
  user3*User*3*User
  3
 
 
  user4
  User
  4
  User 4
  user4*User*4*User
  4
 
 
  user5
  User
  5
  User 5
  user5*User*5*User
  5
 


Then once ready with data, copy the content of last column into text file.(texttocopy.txt)
and run batch file something like

for /F "Tokens=1-4 Delims=*" %%A in (TexttoCopy.txt) do (
dsquery user -samid %%A | dsmod user -fn "%%B" -ln "%%C" -Display "%%D"
)

I hope this helps

--
Kamlesh

~
"Be the change you want to see in the World"
~
On 12/14/05, Phil Renouf <[EMAIL PROTECTED]
> wrote:
Gotcha, too bad because doing this sort of thing with admodify is great.
 
What I've done in the past is use some excel formulas to build a
dsmod command, then just put that in a batch file to update each user.
Not pretty, but it works.
 
Phil 
On 12/13/05, CHIANESE, DAVID <[EMAIL PROTECTED]
> wrote:

They are all caps and I want them proper case.  Or actually management wants them that way.  :)
 
We have this:
On 12/13/05, CHIANESE, DAVID <


[EMAIL PROTECTED]> wrote: 
 
We want this:
On 12/13/05, Chianese, David <


[EMAIL PROTECTED]> wrote: 


From: [EMAIL PROTECTED] [mailto:


[EMAIL PROTECTED]] On Behalf Of Phil RenoufSent: Tuesday, December 13, 2005 2:02 PMTo: 


ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] csv to ldf converter 


How are your Display names formatted? Are they say: Firstname
Lastname, or Lastname, Firstname? Are the first name and last name
fields in the users populated and do they have the correct case?
If so then AD Modify should fix that as you can tell it to build the Display Name from the Firstname and Lastname fields.
 
If not then this won't help and I'll go back to what I was doing...actually either way I'll go back to what I was doing ;)
 
Phil 
On 12/13/05, CHIANESE, DAVID <[EMAIL PROTECTED]
> wrote: 

I just found that admodify.net cannot do what I want either.  Basically if you look at my display name in e-mail here, it is all caps.. so...  
In a csvde
directory export of all users and using a well known excel function
(=proper(A1)) I am able to give proper case to each field I want to
change.  So I have that part done, all DN, SN, CN and
other capitalized fields have been reworked to proper case
fields.  The trouble I am having is converting the .csv file to
.ldf so I can then modify these attributes in the directory using
ldifde. 
 
If
anyone would like to look at my current spreadsheet that does this
conversion (well it used to anyway), I would be happy to send a copy
off list.  Scripting in Excel/VB is not my forte. 
 
 
Regards,

 
Dave


From: [EMAIL PROTECTED] [mailto:


 [EMAIL PROTECTED]] On Behalf Of Brian DesmondSent: Tuesday, December 13, 2005 1:10 PMTo: 


ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] csv to ldf converter 


You could just use csvde to do the import/export if that's what you're trying to do….


 
 

Thanks,


 Brian Desmond



[EMAIL PROTECTED]
 
c - 312.731.3132
 
 




From: 


[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 


On Behalf Of CHIANESE, DAVIDSent: Tuesday, December 13, 2005 1:05 PMTo: 


ActiveDir@mail.activedir.orgSubject: [ActiveDir] csv to ldf converter
 
Would
anybody have a handy csv to ldif macro for excel 2003?  The one I
have no longer functions.  Even a .csv file to .ldf file
conversion tool would help.  TIA! 
 
Regards, 
Dave 
-- 
-- ~"Be the change you want to see in the World"~

Re: [ActiveDir] csv to ldf converter

[Kamlesh Parmar]

 I use similar approach,

Put samid and other user fields in columns, then generate other columns
as needed from existing column. like Displayname from FN and LN using
formula =CONCATENATE(B2," ",C2)

then at the end concatenate everything into single column using * as separator
formula : =CONCATENATE(A2,"*",B2,"*",C2,"*",D2)




 
 
 
 
  SamID
  FN
  LN
  DisplayName
  TextToCopy
 
 
  user1
  User
  1
  User 1
  user1*User*1*User
  1
 
 
  user2
  User
  2
  User 2
  user2*User*2*User
  2
 
 
  user3
  User
  3
  User 3
  user3*User*3*User
  3
 
 
  user4
  User
  4
  User 4
  user4*User*4*User
  4
 
 
  user5
  User
  5
  User 5
  user5*User*5*User
  5
 


Then once ready with data, copy the content of last column into text file.(texttocopy.txt)
and run batch file something like

for /F "Tokens=1-4 Delims=*" %%A in (TexttoCopy.txt) do (
dsquery user -samid %%A | dsmod user -fn "%%B" -ln "%%C" -Display "%%D"
)

I hope this helps

--
Kamlesh

~
"Be the change you want to see in the World"
~
On 12/14/05, Phil Renouf <[EMAIL PROTECTED]> wrote:
Gotcha, too bad because doing this sort of thing with admodify is great.
 
What I've done in the past is use some excel formulas to build a
dsmod command, then just put that in a batch file to update each user.
Not pretty, but it works.
 
Phil 
On 12/13/05, CHIANESE, DAVID <[EMAIL PROTECTED]
> wrote:

They are all caps and I want them proper case.  Or actually management wants them that way.  :)
 
We have this:
On 12/13/05, CHIANESE, DAVID <

[EMAIL PROTECTED]> wrote: 
 
We want this:
On 12/13/05, Chianese, David <

[EMAIL PROTECTED]> wrote: 


From: [EMAIL PROTECTED] [mailto:

[EMAIL PROTECTED]] On Behalf Of Phil RenoufSent: Tuesday, December 13, 2005 2:02 PMTo: 

ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] csv to ldf converter 


How are your Display names formatted? Are they say: Firstname
Lastname, or Lastname, Firstname? Are the first name and last name
fields in the users populated and do they have the correct case?
If so then AD Modify should fix that as you can tell it to build the Display Name from the Firstname and Lastname fields.
 
If not then this won't help and I'll go back to what I was doing...actually either way I'll go back to what I was doing ;)
 
Phil 
On 12/13/05, CHIANESE, DAVID <[EMAIL PROTECTED]
> wrote: 

I just found that admodify.net cannot do what I want either.  Basically if you look at my display name in e-mail here, it is all caps.. so...  
In a csvde
directory export of all users and using a well known excel function
(=proper(A1)) I am able to give proper case to each field I want to
change.  So I have that part done, all DN, SN, CN and
other capitalized fields have been reworked to proper case
fields.  The trouble I am having is converting the .csv file to
.ldf so I can then modify these attributes in the directory using
ldifde. 
 
If
anyone would like to look at my current spreadsheet that does this
conversion (well it used to anyway), I would be happy to send a copy
off list.  Scripting in Excel/VB is not my forte. 
 
 
Regards,

 
Dave


From: [EMAIL PROTECTED] [mailto:

 [EMAIL PROTECTED]] On Behalf Of Brian DesmondSent: Tuesday, December 13, 2005 1:10 PMTo: 

ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] csv to ldf converter 


You could just use csvde to do the import/export if that's what you're trying to do….

 
 

Thanks,

 Brian Desmond


[EMAIL PROTECTED]
 
c - 312.731.3132
 
 




From: 

[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 

On Behalf Of CHIANESE, DAVIDSent: Tuesday, December 13, 2005 1:05 PMTo: 

ActiveDir@mail.activedir.orgSubject: [ActiveDir] csv to ldf converter
 
Would
anybody have a handy csv to ldif macro for excel 2003?  The one I
have no longer functions.  Even a .csv file to .ldf file
conversion tool would help.  TIA! 
 
Regards, 
Dave 
-- 

Re: [ActiveDir] VBScript help(OT)

[Kamlesh Parmar]

instead of creating random, what I had done was

create a for loop, say  1..1 (fairly high number to get the unique name)

and append that number if file exists in target, 
if not exists go ahead and append that number to filename for destination and exit the loop
otherwise continue to next number

You will have to cut the filename into name and extension, so that u can append the number to name and keep extension.

something like

 
if FSO.FileExists(file) then

for iSuff = 1 to 1
'cut filename into name and extn (can use revinstr function to find position of . searching from right)

if not FSO.fileexists (name & iSuff & "." & extn) then
   newname = name & iSuff & "." & extn
   exit for

end if 

next


   
    
   
end if On 12/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
Thanks alot!!
 
 
Unfortuantely it only seems to work when i ran it the first time.
 
if i kill it and run it again and it encounters a duplicate
file  in the source dir it throws an error-"file already exisits".
 
will  it only work in one shot?
 
thanks 
On 12/8/05, Rich Milburn <[EMAIL PROTECTED]
> wrote:


Replace your last sub:
sub filelist(grp)
 for each file in grp.files
  if targ.files.count>=999 then full=true:exit for
   if lcase(fso.getextensionname(file)) = "eml" then 
   set objFile = fso.getfile(file)
   arrFileName = Split(objfile.Name,".")
    oldname = arrFileName(0)
    ext = arrFileName(1)
    if fso.FileExists(target & objFile.Name) then
    
  newfile=oldname & cstr(int(Rnd * 1000)) & "." & ext 
    Else 
  newfile=objFile.Name
    end if
    wscript.echo newfile
   fso.MoveFile file,target & newfile  
 end if
  next
End sub
 

---


Rich Milburn

MCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform Development
Applebee's International, Inc.

4551 W. 107th St

Overland Park, KS 66207

913-967-2819

--



"I love the smell of red herrings in the morning" - anonymous




From: 

[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 

On Behalf Of Tom KernSent: Thursday, December 08, 2005 9:24 AM 
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _vbscript_ help(OT)


 

Thanks alot!!

 

 

 

 

I still can't get the rename to work.

 

the
script copies a bunch of eml files from a bunch of source sub folders.
in those sub folders the files have duplicate names but because they
are in sub folders, it doesn't matter until they are being copied to
the single target folder. 

So i want to rename the file(keeping the ext) when it encounters the same file in the target.

 

Here is what i have so far-

source="c:\fso"target="c:\tom\"
Set fso = CreateObject("Scripting.FileSystemObject")set root=fso.getFolder(source)set targ=fso.getFolder(target)

dim full
do if targ.files.count=0 then full=false if full=false then call folderlist(root) wscript.sleep 1000loop
sub folderlist(grp) call filelist(grp) if full then exit sub for each fldr in grp.subFolders  set nf=fso.GetFolder(fldr.path)  call folderlist(nf)
  set nf=nothing nextend sub
 sub filelist(grp) for each file in grp.files  if targ.files.count>=999 then full=true:exit for   if lcase(fso.getextensionname(file)) = "eml" then 

    if targ.FileExists(file) then
  file=file + cstr(int(Rnd * 1000))       end  if    
   file.move target end if  nextEnd sub
 
I always get the error-  Object doesn't support this property or method:'targ.FileExists'
 
I'm kinda at a loss here.
 
thanks

 

On 12/8/05, Rich Milburn <

[EMAIL PROTECTED]> wrote: 

Tom, 
if lcase(fso.getextensionname(file)) = "eml" then file.move target

 
 

---

 
Rich Milburn 


MCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform Development 
Applebee's International, Inc.

4551 W. 107th St

Overland Park, KS 66207

 913-967-2819

 -- 


"I love the smell of red herrings in the morning" - anonymous




From: 

[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 

On Behalf Of Tom KernSent: Thursday, December 08, 2005 6:33 AM 

To: 

ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _vbscript_ help(OT)

 

isn't there a way to do it without passing the full path?

i thought in my statement its implied that whatever "file" should be, it should look for an .eml ext.

thanks 

On 12/8/05, Ken Schaefer <

 [EMAIL PROTECTED]> wrote: 

getExtensionName() requires you to pass it a filespec (a filename, or path to a file)
 
If FSO.getExtensionName("c:\windows\clock.avi") = "avi" Then
    ' do foo
Else
    ' do bar
End If
 
CheersKen
 



From: 

[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 

On Behalf Of Tom KernSent: Thursday, 8 December 2005 1:48 PM 

To: 

ActiveDir@mail.activedir.org

Re: [ActiveDir] VBScript help(OT)

[Kamlesh Parmar]

fileexists is a method for FSO object

and you are attaching it to a folder object.

Try  fso.fileexistsOn 12/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
Thanks alot!!
 
 
 
 
I still can't get the rename to work.
 
the script copies a bunch of eml files from a bunch of source sub
folders. in those sub folders the files have duplicate names but
because they are in sub folders, it doesn't matter until they are being
copied to the single target folder.

So i want to rename the file(keeping the ext) when it encounters the same file in the target.
 
Here is what i have so far-

source="c:\fso"target="c:\tom\"
Set fso = CreateObject("Scripting.FileSystemObject")set root=fso.getFolder(source)set targ=fso.getFolder(target)
dim full
do if targ.files.count=0 then full=false if full=false then call folderlist(root) wscript.sleep 1000loop
sub folderlist(grp) call filelist(grp) if full then exit sub for each fldr in grp.subFolders  set nf=fso.GetFolder(fldr.path)  call folderlist(nf)  set nf=nothing nextend sub
 sub filelist(grp) for each file in grp.files  if targ.files.count>=999 then full=true:exit for   if lcase(fso.getextensionname(file)) = "eml" then 
    if targ.FileExists(file) then
  file=file + cstr(int(Rnd * 1000))       end  if    
   file.move target end if  nextEnd sub
 
I always get the error-  Object doesn't support this property or method:'targ.FileExists'
 
I'm kinda at a loss here.
 
thanks
 
On 12/8/05, Rich Milburn <[EMAIL PROTECTED]
> wrote:


Tom, 
if lcase(fso.getextensionname(file)) = "eml" then file.move target


 

---

Rich Milburn


MCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform Development
Applebee's International, Inc.

4551 W. 107th St

Overland Park, KS 66207

913-967-2819

--



"I love the smell of red herrings in the morning" - anonymous




From: 

[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 

On Behalf Of Tom KernSent: Thursday, December 08, 2005 6:33 AM 
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _vbscript_ help(OT)


 

isn't there a way to do it without passing the full path?

i thought in my statement its implied that whatever "file" should be, it should look for an .eml ext.

thanks 

On 12/8/05, Ken Schaefer <

[EMAIL PROTECTED]> wrote: 

getExtensionName() requires you to pass it a filespec (a filename, or path to a file)
 
If FSO.getExtensionName("c:\windows\clock.avi") = "avi" Then
    ' do foo
Else
    ' do bar
End If
 
CheersKen
 



From: 

[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 

On Behalf Of Tom KernSent: Thursday, 8 December 2005 1:48 PM 

To: 

ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] _vbscript_ help(OT)

 

Oops, I guess i didn't check my code.

 

before i made any changes, i get "Wrong number of arguments or invalid propery assignment:'fso.getextensionname'.

 

sorry.

I wonder why that is? 

On 12/7/05, Ken Schaefer <

[EMAIL PROTECTED]> wrote: 
At the moment you have this line which does the copy:if lcase(fso.getextensionname) = "eml" then file.move targetSo, instead of doing the copy, check to see if the file exists at the target,
and if not do the copy. If it does exist, rename the file at the source, thendo the copy.If LCase(FSO.getExtensionName ) = "eml" Then   If objTarg.FileExists(strSourceFileName) Then

   ' Rename Source File   End If   ' Now do the copyEnd IfCheersKenFrom: 

[EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Tom Kern 
Sent: Thursday, 8 December 2005 12:00 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] _vbscript_ help(OT) 
Thanks.My real problem is, I'm not sure where to put that in my exisiting scriptwithout screwing things upShould that be a seperate sub?Thanks againOn 12/7/05, Brian Desmond < 
[EMAIL PROTECTED]> wrote:I don't see the need for a select case, but File.Exists would help.

What I would do is something like thisDim moveNamemoveName = CurrentNameOfFileWhile TargetFolder.FileExists (currentNameofFile)currentNameOfFile = currentNameofFile + Cstr(Int(Rnd * 1))

Wend'moveTheFile()Rnd*1000 will get you some random # 0 - 1000 int makes it an integer and cstrmakes it a string. Thanks,Brian Desmond

[EMAIL PROTECTED]c - 312.731.3132From: 

[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern 
Sent: Wednesday, December 07, 2005 7:01 PMTo: activedirectory Subject: [ActiveDir] _vbscript_ help(OT)I have this _vbscript_ i wrote/stole tomove all files with an .eml extensionfrom many subdirs into a folder only if the folder is empty and only to move 
999 at a time. it works great except when it sees files with duplicate names it bombs outwhile moving them.i'd like it to rename the dup(maybe add some random #'s or characters to

Re: [ActiveDir] AD related? not really...

[Kamlesh Parmar]

Yes it encrypts the password !

I didn't see the password I entered into registry key mentioned in KB.

--
KamleshOn 12/2/05, Mitch Reid <[EMAIL PROTECTED]> wrote:
It claims it does although I have not verified it.
 
I suppose you could check the registry referenced in:
http://support.microsoft.com/?kbid=315231 

On 12/1/05, AD <[EMAIL PROTECTED]> wrote:


Thanks Mitch,
 
Very interesting. The source
code is different then the actual executable. I sending an email to the
developer. Hopefully he will reply.
 
You wouldn't know if it encrypts the password would you?
 
Yves


From: Mitch ReidSent: Thu 01/12/2005 10:57 AMTo: 

ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] AD related? not really... 


Sysinternals has a free utility that will automate the process:
 
http://www.sysinternals.com/Utilities/Autologon.html 
On 12/1/05, AD <[EMAIL PROTECTED]> wrote: 

 We
have workstation that are not added to the domain and are
configured to autologin. The username and password are duplicated on
our domain which allows the local account to use network
resources. 
We would like to join the workstation to the domain (to many
advantages to explain why) and eliminate the local account and modify
the autologin to use a domain username and password. This causes a
problem as the username and password is stored in the registry as plain
text. 
As anyone ever had to deal with this scenario? I have
found the following articles (below) that describe that the Autologon
password can either be plain text in the registry (Winlogon key) OR
encrypted into a Local Security Authority (LSA) secret. 
Does anyone know to use these functions to encrypt the username and password in the registry?
http://www.microsoft.com/technet/security/tools/mbsa1/wp.mspx 

(Autologon section)


http://msdn.microsoft.com/library/default.asp?url=""> 
  

-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] FSMO role transfer

[Kamlesh Parmar]

Actually, I wanted to ask, how messy it can become in a scenario where

 admin didn't transfer the roles, and went about maintenance,
found it didn't work out and time is running out, so let me seize the
role, (its only trivial command).
And meanwhile, the first role holder is back into network and declaring the ownership.
And this ownership war went unnoticed by admin for a day or two.

What kind of trouble we can expect? 
anything role specific?
on replication ? 
on authentication ? 
on overall health of AD?

I think, asking & answering questions along the same line, would surely put the decision into more perspective.

-
Kamlesh

~~~
"Fortune and Love befriend the bold"
~~~On 12/1/05, joe <[EMAIL PROTECTED]> wrote:
I am not completely on board with a seize being trivial.Sure it is trivial in the act of doing it, but do you fully understand whatis going on under the covers? With a FSMO transfer you are going from aknown state to a known state in a controlled fashion. The new roleholder can
talk to the old roleholder and understand EXACTLY what is going on so have aseamless move. A seize is going from an unknown state to a known state. Fora role that doesn't have a state to worry about which is most of them, that
is fine. But the RID master definitely has state and to a lesser extent sodoes the PDC master. Seizing a role isn't just a simple matter of popping ina value into an attribute and saying "Done!". Well it could be, but you
could get burned if that is all you do.I agree that it will be tough to convince one group to do something theother way. I do hope though that people think about what has been writtenand don't think seizing a role is trivial because the command to do it is
easy to run. I am glad it is easy, the last thing you want is for a hardprocess to be required to rescue your system when you have issues.On the comment that transferring roles isn't a normal operating procedure.
Maybe not in some places but it is a perfectly normal operating procedure,certainly more standard or normal than a seize. Transferring the PDC role inNT could be a bit painful at times but it is easy as pie in AD. I recall
having a couple of occasions in the very beginning (first half 2000) where Igot a trifle nervous at first from previous NT issues but quickly got overit. I don't think twice about moving roles. Heck we didn't even have to
submit change control for that, we would just move the roles and send anemail to the change list saying it had been done. It was considered SOP formaintaining domain operations.Finally and the last I will say about it... for the longest time and maybe
even still I haven't looked lately MS said that the seize was the course oflast resort, use it when the transfer fails. I realize MS warns about a lotof things but usually they have some basis for doing so. And if that isn't
enough... if seizing roles was such a non-item, why wouldn't you just have aseize operation? Why have a transfer and a seize and cause this confusion?If they were the same, wouldn't you just have a single move the role button
and no other mechanism whatsoever?-Original Message-From: [EMAIL PROTECTED][mailto:
[EMAIL PROTECTED]] On Behalf Of Figueroa, JohnnySent: Wednesday, November 30, 2005 4:53 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transfer
I think what was meant about the "trivial" part is around the seizing of theroles not the transfer. I would love to have much of the ntdsutilfunctionality built into the UI, even if at some point it requires you to
reboot/restore, whatever.I don't think either camp is going to convince the other that you should orshouldn't transfer roles prior to some maintenance. It is almost apersonality thing. I prefer not to transfer the role and deal with the
possibility that I may need to seize it, on the rare case that somethinggoes drastically wrong that I can not recover from before the role isactually needed. You architected the roles on specific DCs for a reason, if
I forget to move it back I may end up with a DC hosting a role for a longtime that I never meant to. Also, I don't consider transferring roles aroundpart of the normal operating procedures.But that's just me.
Thanks-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]
] On Behalf Of Cace, AndrewSent: Wednesday, November 30, 2005 2:26 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transferIt is available in the AD snap-ins.  In AD Domains & Trusts, you can
transfer the Domain Naming master by right-clicking the name of the snap-inin tree-view and choosing Operations Master.  In ADUC, right-click the nameof the domain and choose Operations Master to transfer the RID, PDC, and
Infrastructure masters.  In the Schema Management snapin, you can transferthe Schema master by right-clicking Active Directory Schema and choosingOperations Master.Next question...Why isn't there a single place to click all 

Re: [ActiveDir] GC list

[Kamlesh Parmar]

Since no one has mentioned, I will put extra one...

I am a fan of DS* commands...so

To find all DCs in forest
dsquery server -forest -o rdn

To find all GC in forest
dsquery server -forest -isgc -o rdn

--
Kamlesh
On 11/30/05, Tomasz Onyszko <[EMAIL PROTECTED]> wrote:
Harding, Devon wrote:> What's the easiest way to get a list of ALL my DC's and GC's in my> forest along with IP address?Quickest way will be to use nslookup:nslookup -q=SRV _ldap._tcp.dc._msdcs. - for DCs
nslookup -q=SRV _ldap._tcp.gc._msdcs. - for GCs--Tomasz Onyszkohttp://www.w2k.plList info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
-- ~~~"Fortune and Love befriend the bold"~~~

[ActiveDir] Find originating DC for password change

[Kamlesh Parmar]

How do I find out, on which DC password for a particular user was changed or reset.

I know, if account management auditing is enabled, I will get a event 627 or 628.
But what if I have large number of DCs? and I don't have monitoring app like MOM ?

Last I checked, I was not able to see any metadata info for password using repadmin
Which is the first command I run for finding the originating DC for any change.

I use following command
repadmin /showobjmeta  DCNAME   UserDN-- 
Kamlesh~~~"Be the change you want to see in the World"~~~

Re: [ActiveDir] Removing foreign accounts

[Kamlesh Parmar]

just curious, How do we know, where that FSP is used in AD.

If FSP is member of any group we can find them using memberof attribure of FSP.

But, If that is not populated, it might be the case that, someone directly and stupidly gave that FSP some right somewhere.

How do we find that?On 11/23/05, joe <[EMAIL PROTECTED]> wrote:





Go into the ForeignSecurityPrincipals container and delete 
all of the FSPs that exist from the old NT4 domain.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Ahmed 
Al-AwahSent: Tuesday, November 22, 2005 5:30 PMTo: 
'ActiveDir@mail.activedir.org'Subject: [ActiveDir] Removing foreign 
accounts


Hello all,
Until recently we had two domains, a W2K domain and a 
WinNT4 domain. I've managed to finally shut down the Windows NT4 domain. 
However, given our previous setup and the trust relationships that existed 
between both domains I'm left with several users from the old domain in AD 
groups on our primary Windows 2K Domain. 
I was wondering if anyone had a script that would 
remove users from a particular domain from another domain's groups 
(removing all NT4 accounts from the W2K domain groups)? The reason I'd like to 
do this is because everytime we attempt to access a group in AD with members 
from the previous domain we recieve an error stating that some of the names 
cannot be shown in user-friendly form which is primarily due to the fact that 
the previous domain has been shutdown. I've searched the MS Script Repository to 
no avail.
Any help is appreciated.
Cheers,Ahmed

-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] Internet Explorer Home Page Question

[Kamlesh Parmar]

Nice to know, that it worked out for you.
 
>I also tried using the /delete to delete the group but if the person isnt in that group the script just  hangs.I am just curious, Why would u delete the group? also why you require password in the script ?

 
If you just give "add/remove self as member" access it doesn't work thru GUI. You have to specifically go to propery level permission and assign WRITE access on members attribute, then members will be able to manage their membership of group. Give that right to SELF security principal. ( I just tested that again)

 
Also, one caveat, If you have an AD2000 forest or an AD2003 forest running on the Windows 2000 functional level, you should take into account the following warning: If you delegate group management to members, it might create problem if user update their membership on different DC. All members of a group are stored in one multivalued property. If that member list is modified on two domain controllers simultaneously (within replication latency), one of the two changes will be lost.

 
-
Kamlesh
 
On 11/22/05, Craig Gauss <[EMAIL PROTECTED]> wrote:

Been working on this one most of the day.have it sort of working.
 
Needed to use CPAU from joeware, but there is one problem.  The password is displayed in the batch which is pretty much unsecure and goes against any password policy.  Anyways, I have it adding the user to the correct group upon logon.  It takes a little while though for the user to show in the group.  I also tried using the /delete to delete the group but if the person isnt in that group the script just hangs.



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Micheal S. MandSent:
 Monday, November 21, 2005 11:46 AMTo: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question 


Craig,
 
Quoting what Kamlesh said before your email:
 
"To remove logged-in user, I would use something likeif new-users is Domain Local group then
net localgroup new-users  %username% /delete /domainif new-users is Domain Global group then 
net group new-users  %username% /delete /domain"
 
His email was sent 
11/19/2005 10:37 AM. If you didn't get it I can forward that to you.
 
Thanks,
 


Micheal
 
-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Craig GaussSent: Monday, November 21, 2005
 9:09 AM
To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Internet Explorer Home Page Question
 
How would you go about removing the user from the group in a login script?

 



From:
 [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of 
Kamlesh ParmarSent: Friday, November 18, 2005 12:11 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Internet Explorer Home Page Question
Building on what James said,You can make it automatic, create a group New-Users and assign the intranet homepage GPO to this group. and importantly, Allow members to remove themselves from group.
When you create a new user, just make her member of this group.Make a login script, in the same GPO, which will remove the logged in user from this group. When user logs in first, time, she is member of this New-Users group, so this GPO applies
and her homepage is set to intranet.At the same time, login script runs and removes user from that group. This makes sure that, this GPO is never applied again, as user no longer member of New-Users group. And intranet was set for first login only.
-Kamlesh

On 11/18/05, Blair, James <
[EMAIL PROTECTED]> wrote: 

Michael,
 
You could create a new user security group and a GPO for the homepage. Use security filtering so that group only gets the policy. Remove the new users from the group after x days.

 
James
 




From:
 [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]] On Behalf Of Brian DesmondSent: Friday, 18 November 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question

 
How about a logon script to take care of this? Check for a HKCU key/value. If it's not there, assume it's the first logon and set their homepage and then set the homepage.

 

Thanks,
 Brian Desmond

[EMAIL PROTECTED]
 
c - 312.731.3132
 
 




From:
 [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]] On Behalf Of Micheal S. MandSent: Thursday, November 17, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Internet Explorer Home Page Question
 
Hello,
 
I just joined the list, so forgive me if this has been answered already.

 
I've been put to the task of using AD to set the home page of all NEW users to our company intranet, but not override the current user's settings. We want this to happen automatically because we are usually creating new users with little notice, and very little time to make the account active. I've searched and searched all over existence for something related to this, and so far have only come up with some hacks to permanently set every user's home page the same. We want users to be abl

Re: [ActiveDir] VBS script to set/clear inheritance of AD objects

[Kamlesh Parmar]

Building on what Jorge provided,

I have created a small batch + vbsript combo, which takes care of setting inheritance
flag and  admincount=0 for all unprotected accounts.



My basic algorithm is,

* Find out all the nested members of
protected groups (protgrps.txt)

* Find out all the users and groups
account with admincount=1  (megalist.txt)

* Remove accounts which are protected
according to protgrps.txt from megalist.txt and put into needtochange.txt

* Feed this needtochange.txt to _vbscript_
which will set Inheritance flag and admincount=0


I have attached both the batch file and _vbscript_ as TXT files.
Feel free to test it and suggest improvements.

-
Kamlesh
On 11/17/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
As
2 forum members had questions how to script "enabling inheritance" on
AD objects,I have put info about it on my blog ->
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspxhave fun with it!Cheers,JorgeThis
e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
-- ~~~"Fortune and Love befriend the bold"~~~
@echo off
Title Reset Unprotected groups and users...

REM *** Put members of protected groups into protgrps.txt
Echo Collecting Protected Group membership ...
dsquery group -samid "administrators" | dsget group -members -expand > 
protgrps.txt
dsquery group -samid "Domain Admins" | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Enterprise Admins"  | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Schema Admins" | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Backup Operators" | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Server Operators" | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Account Operators" | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Print Operators" | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Cert Publishers" | dsget group -members -expand >> 
protgrps.txt
dsquery group -samid "Replicator" | dsget group -members -expand >> protgrps.txt


REM *** Put TOP level protected groups into protgrps.txt
REM *** user account krbtgt is also protected (KB : 817433)

dsquery user -samid krbtgt >> protgrps.txt
dsquery group -samid "administrators" >> protgrps.txt
dsquery group -samid "Domain Admins">> protgrps.txt
dsquery group -samid "Enterprise Admins" >> protgrps.txt
dsquery group -samid "Schema Admins" >> protgrps.txt
dsquery group -samid "Backup Operators">> protgrps.txt
dsquery group -samid "Server Operators">> protgrps.txt
dsquery group -samid "Account Operators">> protgrps.txt
dsquery group -samid "Print Operators">> protgrps.txt
dsquery group -samid "Cert Publishers">> protgrps.txt
dsquery group -samid "Domain Controllers">> protgrps.txt
dsquery group -samid "Replicator">> protgrps.txt

REM *** Now find the groups and users with attribute admincount=1 into 
megalist.txt

Echo Collecting groups and users with admincount=1 ...

dsquery * -filter 
"&(|(objectcategory=user)(objectcategory=group))(admincount=1)" -l -attr 
distinguishedname -limit 0 > Megalist.txt

REM *** Now search for each entry of megalist into protgrps.txt, 
REM *** If not found then we should reset that entry
REM *** so put it in separate file : needtochange.txt

Echo separating groups and users who need to be unprotected ...

del needtochange.txt /q /f

SETLOCAL ENABLEDELAYEDEXPANSION
for /F "Tokens=* skip=1" %%A in (megalist.txt) do (
find /i "%%A" protgrps.txt >nul
if !ERRORLEVEL! neq 0 echo %%A >> needtochange.txt
)

REM *** Now we will feed this needtochange.txt to our VBScript, 
REM *** which will set inheritance flag and admincount=0

Echo Setting inheritance flag and admincount=0 ...

cscript ResetUnprotected.vbs needtochange.txt

Echo Done
'
'*
'* File:   ResetUnprotected.vbs
'* Created:November 2005
'* Version:1.0
'*
'*  Main Function:  For all accounts specified in argument file 
'*  enables the inheritance flag and Resets admincount to 0 
'*
'

Const SE_DACL_PROTECTED = 4096

On Error Resume Next

'// Verify command line argument is provided

If WScript.Arguments.Count <> 1 Then
WScript.Echo "ERROR: No filename specified as command line argument"
WScript.Quit 1
Else
'// Read content o

Re: [ActiveDir] Internet Explorer Home Page Question

[Kamlesh Parmar]

Ya, it shouldn't matter, logon / logoff ?

To remove logged-in user, I would use something like

if new-users is Domain Local group then
net localgroup new-users  %username% /delete /domain

if new-users is Domain Global group then 
net group new-users  %username% /delete /domain

-
Kamlesh
On 11/19/05, Micheal S. Mand <[EMAIL PROTECTED]> wrote:














I have a question:

 

What if, instead of using a logon
script, you used a logoff script? Would that affect anything?

 

Also, does anyone know the correct
syntax to remove a user from an AD group in a logon/logoff script? I'm
not really a programming junkie unless it comes to the web.

 

Thanks again,

 





Micheal





-Original Message-
From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Micheal S. Mand
Sent: Friday, November 18, 2005
3:12 PM
To: 
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet
Explorer Home Page Question

 

Thanks
all. I'll try these then send you the results. One of them is bound to
work.

 





Micheal





-Original Message-
From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, November 18, 2005
11:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet
Explorer Home Page Question

 

Building
on what James said,

You can make it automatic, create a group New-Users and assign the intranet
homepage GPO to this group. and importantly, Allow members to remove themselves
from group.

When you create a new user, just make her member of this group.

Make a login script, in the same GPO, which will remove the logged in user from
this group. 

When user logs in first, time, she is member of this New-Users group, so this
GPO applies
and her homepage is set to intranet.
At the same time, login script runs and removes user from that group. 
This makes sure that, this GPO is never applied again, as user no longer member
of New-Users group. And intranet was set for first login only.

-
Kamlesh



On 11/18/05, Blair, James <
[EMAIL PROTECTED]>
wrote: 



Michael,

 

You could create a new
user security group and a GPO for the homepage. Use security filtering so that
group only gets the policy. Remove the new users from the group after x days.

 

James

 













From:
 [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On
Behalf Of Brian Desmond
Sent: Friday, 18 November 2005
12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet
Explorer Home Page Question





 

How about a logon script to take care of this? Check for a HKCU
key/value. If it's not there, assume it's the first logon and set their
homepage and then set the homepage.

 



Thanks,
 
Brian
Desmond


[EMAIL PROTECTED]

 

c - 312.731.3132

 

 















From:
 [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On
Behalf Of Micheal S. Mand
Sent: Thursday, November 17, 2005
6:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Internet
Explorer Home Page Question



 

Hello,

 

I just joined the list,
so forgive me if this has been answered already.

 

I've been put to the
task of using AD to set the home page of all NEW users to our company intranet,
but not override the current user's settings. We want this to happen
automatically because we are usually creating new users with little notice, and
very little time to make the account active. I've searched and searched all
over existence for something related to this, and so far have only come up with
some hacks to permanently set every user's home page the same. We want users to
be able to change this home page if they wish, without it resetting every time
they log in to their machine. If they log into a new machine, we could also set
the home page to the intranet, but this isn't as necessary.

 

Has anyone even heard
of doing anything like this? Is it even possible?

 

Thanks in advance,

Micheal S. Mand

Network Administrator
Applied Research Associates, Inc.
Email:  [EMAIL PROTECTED]
http://www.ara.com

 












-- 
~~~
"Fortune and Love befriend the bold"
~~~







-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] Internet Explorer Home Page Question

[Kamlesh Parmar]

Building on what James said,

You can make it automatic, create a group New-Users and assign the
intranet homepage GPO to this group. and importantly, Allow members to
remove themselves from group.

When you create a new user, just make her member of this group.

Make a login script, in the same GPO, which will remove the logged in user from this group. 

When user logs in first, time, she is member of this New-Users group, so this GPO applies
and her homepage is set to intranet.
At the same time, login script runs and removes user from that group. 
This makes sure that, this GPO is never applied again, as user no
longer member of New-Users group. And intranet was set for first login
only.

-
KamleshOn 11/18/05, Blair, James <[EMAIL PROTECTED]> wrote:















Michael,

 

You could create a new user security group
and a GPO for the homepage. Use security filtering so that group only gets the
policy. Remove the new users from the group after x days.

 

James

 









From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Friday, 18 November 2005
12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet
Explorer Home Page Question



 

How about a logon script to take care of this? Check for a HKCU
key/value. If it's not there, assume it's the first logon and set
their homepage and then set the homepage.

 



Thanks,

Brian
Desmond


[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Micheal S. Mand
Sent: Thursday, November 17, 2005
6:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Internet
Explorer Home Page Question



 

Hello,

 

I just joined the list, so forgive me if
this has been answered already.

 

I've been put to the task of using
AD to set the home page of all NEW users to our company intranet, but not
override the current user's settings. We want this to happen
automatically because we are usually creating new users with little notice, and
very little time to make the account active. I've searched and searched
all over existence for something related to this, and so far have only come up
with some hacks to permanently set every user's home page the same. We
want users to be able to change this home page if they wish, without it
resetting every time they log in to their machine. If they log into a new
machine, we could also set the home page to the intranet, but this isn't
as necessary.

 

Has anyone even heard of doing anything like
this? Is it even possible?

 

Thanks in advance,

Micheal S. Mand
Network Administrator
Applied Research Associates, Inc.
Email:  [EMAIL PROTECTED]
http://www.ara.com

 







-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder

[Kamlesh Parmar]

Got script or commands to handle that automatically ?  

basically, enable the inheritance and set the admincount = 0 

I searched for admincount=1 in mu domain and there are couple-o-thousand entires...
I guess, because we migrated large number of domains into single domain.

-
KamleshOn 11/16/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
To make a protected member of a protected group a NON-PROTECTED object you need to:
* remove his membership from the protected group* enable inheritance again on the object* set the admincount attribute to 0 or to What
is said is that by removing the member from a protected group,
inheritance will not be changed automatically and the admincount
attribute will also not be changed automatically. All must be changed
manually and when reverting the object back to a non-protected oject it
is best to do all three!So, yes I also agree with those recommendationsJorgeFrom: [EMAIL PROTECTED]
 on behalf of David CliffeSent: Tue 11/15/2005 9:56 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder
Jorge
--> "The group membership of a protected group is the criteria the
process looks at, not the attribute value of 1. The admincount
attribute is just an administrative measure for the process that says
"been here", nothing else."This implies
that if you later go back and remove a user from any protected groups,
you can then go set his ACL back to what you want, and not have to
worry about the admincount attribute still having a value of 1,
right?  Only reason I ask is because I could have sworn I've
seen recommendations on this list to set that attribute back to 0 after
removing all protected group memberships, so just double
checking.  Maybe there were other factors involved in those
previous recommendations which I didn't read close enough!Also, interesting approach to the original poster's question.  Thanks!-DaveCFrom: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 15, 2005 3:22 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Protecting objects not covered by AdminSDHolder
That
sounds logical. However the adminsdholder process only looks at users
and groups that are defined in AD as protected objects. As mentioned in
MS-KBQ817433 - "Delegated permissions are not available and inheritance
is automatically disabled" it is possible to include or exclude some of
the default admin groups (account operators, print operators ,etc.) The
process that checks object against the adminSDHolder object only looks
at that definition of protected objects and in case of groups it will
also look at its members. It resets the DACL to match the DACL of the
adminSDHolder object and sets the admincount attribute to 1. The group
membership of a protected group is the criteria the process looks at,
not the attribute value of 1. The admincount attribute is just an
administrative measure for the process that says "been here", nothing
else.So, to add
custom groups as protected groups in AD, MS should see if it is
interesting to implement in Longhorn.There
is a way however to implement your own protected groups. (I think it
will work)How to do that?* Take a protected group (weakest one possible)* Create a distribution group with a name like "Custom_Protected_Groups_Definition" and make that a member of the actual protected group
*
Put all custom users and groups directly into the distribution group
that need to be protected by adminSDHolderNow what will happen?The
adminSDHolder process sees the memberships (transitive included) and
protects them.When
a user logs on, he will be a member of the distribution group
"Custom_Protected_Groups_Definition" but the SID of the actual (security) protected group will not be in the access token of the user.If
a distribution group is a member of a security group, the members of
the distribution group will not be transitive security members of the
security protected group as the distribution group blocks the security
group membershipThere
is a catch however!  -> DO NOT EVER CONVERT THE
DISTRIBUTION GROUP TO A SECURITY GROUP! (doing this will lift the
security group membership block and the users/group will suddendly get
the SID of the protected security group in their access token!)I
agree with Al you should be very careful changing the configuration of
the DACL of the adminSDHolder object! Remember that object protects the
default (very strong) users and groups!Cheers,Jorge(cool: I think I just wrote something nice for my blog)From: 
[EMAIL PROTECTED] on behalf of Al MulnickSent: Tue 11/15/2005 7:04 PMTo: ActiveDir@mail.activedir.orgSubject:

Re: [ActiveDir] User accounts getting locked out..

[Kamlesh Parmar]

This article contains the on troubleshooting account lockout,
http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html

plus you can look at Best practices guide for account lockout.
http://www.microsoft.com/downloads/details.aspx?FamilyID=8c8e0d90-a13b-4977-a4fc-3e2b67e3748e&DisplayLang=en


--
KamleshOn 11/15/05, Sudhir Kaushal <[EMAIL PROTECTED]> wrote:

Hi All,

I am facing one strange issue. All of
sudden my user accounts are getting locked out in certain OU's. The event
logs says 

Event Id - 675, AUDIT FAILURE, Security,
Mon Nov 14 12:50:57 2005, NT AUTHORITY\SYSTEM, Pre-authentication failed:
  User Name: xyz    User ID:  %{xyz}    
Service Name: krbtgt/domain name     Pre-Authentication Type:
0x2     Failure Code: 0x18     Client Address: IP address.
    
Event Id - 644, AUDIT SUCCESS, Security, Mon Nov 14 12:50:56 2005,
NT AUTHORITY\SYSTEM, User Account Locked Out:     Target
Account Name: xyz     Target Account ID: %{xyz}    
Caller Machine Name: Name of the machine     Caller User Name:
Name of the DC    Caller Domain: Domain Name     Caller
Logon ID: (0x0,0x3E7)    

They also get clear after some time
automatically.  One reason which i figure out is that it could be
related to the system time of the client machine with the system time of
DC ( Related to failure of Kerberos ticket ) .  Any other pointers???
 

Thanks in Advance. 

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91
120 2582323 Ext. 2649
Denmark - + 45
70100024 Ext. 2649
 
"You never win Silver, You
lose Gold"



This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.


-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD

[Kamlesh Parmar]

its not a big secret,
 
you go to google and search for "reset domain admin password" and you will get that page... 
On 11/4/05, Brian Desmond <[EMAIL PROTECTED]> wrote:


He shouldn't have posted that.
 

Thanks,
Brian Desmond

[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

Re: [ActiveDir] GP version mismatch between DS & SYSVOL

[Kamlesh Parmar]

I don't think, there is a problem with processing precedence.
 
I have problem that, there is no easy way to revert to stage where that setting was not configured at all.
 
Did u enforce the domain policy and check the settings in "Internet Options" Problem is when you enforce it, domain policy will take precedence, and it assumes that in domain policy the proxy settings are disabled and it overrides settings in OU policy.
 
You don't see proxy settings in GP editor or in GPMC, but if you go to sysvol and open the install.ins file in USER\Microsoft\IEAK folder, you will see that Proxy_Enable=0
is set, and which creates the problem when domain level or any higher level policy is enforced.
 
 
Anyway, I have edited the policy in sysvol and up the version in gpt.ini and DS.
 
Just thought, it would be helpful to someone.
 
 
On 11/3/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

Ok, I tested this myself. I think what is happening is that RSOP is reporting incorrectly, rather than there being something broken in policy processing precedence. For example, I set up the scenario you described below and ran GP Results from GPMC on the user logging into my test client and it showed, as you indicated, that  the winning policy was the domain linked one. However, at the client, the user was receiving the OU policy as expected. Also, when I run 
rsop.msc from the client, it reports the correct winning GPO. So it looks like a RSOP bug.
 
In terms of directly editing SYSVOL, I don't typically recommend it, but if you do that, and modify the gpt.ini file, you also need to update the versionNumber attribute on the GPC object in AD to have the same version number. Note that as of XP and 2003, mismatched version numbers no longer prevent the GPO from being processed, as they did in Win2K.

 
 
 
 


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, November 02, 2005 12:14 PM
To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] GP version mismatch between DS & SYSVOL
 

Darren,Try this,create one GPO at domain level, and one at OU level,configure the proxy settings at both levels.now, according to GPO processing rules, OU level GPO should win.Now, go ahead remove the proxy settings from domain level GPO.
In this case also OU level GPO  should  win.But you will notice that domain level GPO is still mentioned as processed for proxy settings. (in the precedence tab)So, if I happen to enforce the GPO at domain level, even though I have removed proxy settings, it takes precedence and nullifies the proxy settings at OU level.
So, I want to reach that stage where it was never configured at domain level GPO, so that I can enforce GPO for other settings.I hope it is clear,So one way to achieve is, create new GPO and copy settings other than proxy from old GPO  and enforce this new GPO. Other is, edit at sysvol level and increment version in 
gpt.ini.I know, masters will recommend creating new GPO and copying settings[1], but I thought lets try something like this.[2][1]  Copying GPO using GPMC interface doesn't help as it creates the same settings, so can't revert back to stage where proxy settings were never configured.
[2] I have read a KB article in which if you happen to lock yourself out of DC, due to mis-configured security options in default DC policy or something, you can edit the security INF file in sysvol and increment the version in 
gpt.ini to get back to functional state.--Kamlesh
On 11/3/05, Darren Mar-Elia <[EMAIL PROTECTED]
> wrote: 

Kamlesh-
I'm not sure I understand what you're saying about "Not Configured". If I check "Automatically Detect configuration settings" in IE Maintenance policy, then that box is checked for all users that process the policy. If you uncheck that box, the box is unchecked for the user the next time they process the policy. What behavior are you trying to achieve?

 
Darren


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Wednesday, November 02, 2005 9:33 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] GP version mismatch between DS & SYSVOL 

You know, there are some settings like, "automatically detect configuration settings" under IE maintenance and  some certificate enrollment settings etc.Which once configured, can't be made "not - configured" as you can do with other settings.
This values are either disable or enable, there is no option like "not configured"I have two or three such policies, and I want to get rid of these settings, without recreating the GPO.so I thought I would go directly in SYSVOL folder of this policies and delete the appropriate settings and UP the version number in 
gpt.ini so that it replicates.But, since I have not used standard group policy editor, the version in Active Directory remains old.Now it gives error in monitoring tools saying version mismatch between DS & SYSVOL.
So, 1)  Is there better way to handle these sticky settings? other than recreating GPO.2)  

Re: [ActiveDir] GP version mismatch between DS & SYSVOL

[Kamlesh Parmar]

Darren,

Try this,

create one GPO at domain level, and one at OU level,
configure the proxy settings at both levels.
now, according to GPO processing rules, OU level GPO should win.

Now, go ahead remove the proxy settings from domain level GPO.
In this case also OU level GPO  should  win.
But you will notice that domain level GPO is still mentioned as processed for proxy settings. (in the precedence tab)

So, if I happen to enforce the GPO at domain level, even though I have
removed proxy settings, it takes precedence and nullifies the proxy
settings at OU level.

So, I want to reach that stage where it was never configured at domain level GPO, so that I can enforce GPO for other settings.

I hope it is clear,

So one way to achieve is, create new GPO and copy settings other than
proxy from old GPO  and enforce this new GPO. Other is, edit at
sysvol level and increment version in gpt.ini.

I know, masters will recommend creating new GPO and copying settings[1], but I thought lets try something like this.[2]


[1]  Copying GPO using GPMC interface doesn't help as it creates
the same settings, so can't revert back to stage where proxy settings
were never configured.

[2] I have read a KB article in which if you happen to lock yourself
out of DC, due to mis-configured security options in default DC policy
or something, you can edit the security INF file in sysvol and
increment the version in gpt.ini to get back to functional state.
--
Kamlesh


On 11/3/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:





Kamlesh-
I'm not sure I understand what you're saying about "Not 
Configured". If I check "Automatically Detect configuration settings" in IE 
Maintenance policy, then that box is checked for all users that process the 
policy. If you uncheck that box, the box is unchecked for the user the next time 
they process the policy. What behavior are you trying to 
achieve?
 
Darren


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh 
ParmarSent: Wednesday, November 02, 2005 9:33 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] GP version mismatch 
between DS & SYSVOL
You know, there are some settings like, "automatically detect 
configuration settings" under IE maintenance and  some certificate 
enrollment settings etc.Which once configured, can't be made "not - 
configured" as you can do with other settings.This values are either 
disable or enable, there is no option like "not configured"I have two or 
three such policies, and I want to get rid of these settings, without recreating 
the GPO.so I thought I would go directly in SYSVOL folder of this policies 
and delete the appropriate settings and UP the version number in gpt.ini so that 
it replicates.But, since I have not used standard group policy editor, 
the version in Active Directory remains old.Now it gives error in 
monitoring tools saying version mismatch between DS & SYSVOL.So, 
1)  Is there better way to handle these sticky settings? other than 
recreating GPO.2)  Can I change the version in DS using adsiedit.msc to 
reflect the same as SYSVOL? will it have any effect on GP 
application?-- 
Kamlesh~~~"Fortune and Love befriend the 
bold"~~~

-- ~~~"Fortune and Love befriend the bold"~~~

[ActiveDir] GP version mismatch between DS & SYSVOL

[Kamlesh Parmar]

You know, there are some settings like, "automatically detect
configuration settings" under IE maintenance and  some certificate
enrollment settings etc.

Which once configured, can't be made "not - configured" as you can do with other settings.

This values are either disable or enable, there is no option like "not configured"

I have two or three such policies, and I want to get rid of these settings, without recreating the GPO.
so I thought I would go directly in SYSVOL folder of this policies and
delete the appropriate settings and UP the version number in gpt.ini so
that it replicates.

But, since I have not used standard group policy editor, the version in Active Directory remains old.Now it gives error in monitoring tools saying version mismatch between DS & SYSVOL.

So, 
1)  Is there better way to handle these sticky settings? other than recreating GPO.
2)  Can I change the version in DS using adsiedit.msc to reflect
the same as SYSVOL? will it have any effect on GP application?

-- 
Kamlesh~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] Restricted Groups question

[Kamlesh Parmar]

I have done this for a small site, where different machine require
different user as administrator for a particular period. Say something
like  USER1 admin on WKS1 starting from Oct-10 to Oct-20

So, What I have done is capture this requirement in CSV file
wks1,user1,2005/10/10,2005/10/20

I have written a small _vbscript_ which runs as STARTUP script on each workstation,
which check this CSV file kept at network share, and finds the user who
should be member of admin group on this particular day according to the
CSV file, he is added, who should not be is removed.

And every week, we collect the members of administrators group on all
workstations to make sure that process is working as it should be.

This has many advantages, 
* I can give rights to particular user on particular machine for specific time period and not forever.
( which is ideally what you want, if you go and find out who really
needs local admin rights on their machine, you will find many misfits,
anyway, we have policy for review of admin rights every quarter)

* It acts as my authorized list of local admins
* I have good transaction log for this process, so I know, at what
period of time in past who was member of admin group on particular
workstation.
--
Kamlesh
On 10/30/05, Susan Bradley <[EMAIL PROTECTED]> wrote:
Oh, you mean only let that person be admin on 'that' particular machineand no other?  Oh sorry I wasn't getting the limitation he was wanting here.Well IMHO, if you are already thinking that 'hey we want to limit access
to just that machine' and thus already thinking of the consequences ofsecurity you might as well bite the bullet, and pull out theregmon/filemon and start yelling at your vendors.
[EMAIL PROTECTED] wrote:>The point is - he can't ensure that users are local admins on THEIR>computers. Whether he uses interactive or domain users or everyone or just>simply users, what he will get is "anyone who logs into this computer is an
>admin" which means he is making users local admins on ANY computer. The same>result is achieved using option #2. In effect, anybody can be an admin on any>computer.>>In short, there is no inexpensive, magical, native way to do what he is
>expecting to do. It may be not very expensive in SBS land (I mean .>c'mon, how tedious can adding users to groups on 75 computers - or however>much they let you guys have these days - be ?). But in non-SBS space,
>well do the math.>>So, again, the shortest (maybe most honest :)) answer (IMHO) to the question>is: You can't, at least not natively.>>>Sincerely,>>Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>Microsoft MVP - Directory Services>www.readymaids.com - we know IT>www.akomolafe.com>Do you now realize that Today is the Tomorrow you were worried about
>Yesterday?  -anon>>>>From: [EMAIL PROTECTED] on behalf of Susan Bradley>Sent: Sat 10/29/2005 7:39 PM
>To: ActiveDir@mail.activedir.org>Subject: Re: [ActiveDir] Restricted Groups questionNow keep in mind that SBS's connection wizard does this for us and my
>manual memory 'how to' is a bit rustybut I think the normal process>includes creating an AD security group called "Workstation Admin", and>add that group to the local admins group on each computer for existing
>machines.>> From the server... if you manage the computer & add it in the local>users & groups . Then you can simply add users to the AD group as needed.>>For existing deployed computers...this is our normal recommendation:
>>>1)On each PC, add the INTERACTIVE group to the Administrators group.>This will automatically give each user that logs in local Admin rights.>Downside is that if you ever want a user to not have local admin rights,
>you>won't be able to restrict them as long as you have this configuration.>>>2)Create a Security Group within AD (e.g. Local Admins).  On each>workstation, add the domain Local Admins group you created to the local
>Administrators group.  Then on your SBS, add your existing users to the>Local Admins group, and create a new user template that includes Local>Admins group membership.  When you create a new user, use the custom
>template and they'll be included in the Local Admins security group, which>will give them local admin rights on the machines where you added the Local>Admins group to the local Administrators group.
>>>3)Preferred solution:  Don't give users local admin rights.  Find your>problem apps that don't run as a restricted user and start nagging the>vendor.  Ask why they find exposing your business to undue risk as a
>justified business practice on their part.  Find what directories / reg>keys>those apps want access to and tweak the permissions accordingly to allow>restricted users to be able to access those locations (and thus run the
>problem apps).>[EMAIL PROTECTED] wrote:>I'm splitting hair here, but ...What you've recommended still doesn't achieve his stated goal - to make
>userslocal admin rights on THEIR PCs.>>Sincere

Re: [ActiveDir] LastLogon timestamp

[Kamlesh Parmar]

I am just curious, what was the issue for that "old attribute" i.e. lastlogon not replicated.

was it plain simple, "too-much-replication-for-a-single-attribute" ? or anything else?On 10/28/05, Almeida Pinto, Jorge de <
[EMAIL PROTECTED]> wrote:Hi Russ,For that you need to query all DCs as the "old attribute" is not
replicated between DCsThe new lastlogontimestamp attribute only is available in DFL W2K3 andis replicated between DCsIn both FLs you could use OLDCMP (with the users option) from
joeware.net (http://www.joeware.net/win/free/tools/oldcmp.htm)DumpSec from SomarSoft also provides the ability to scan/query all DCssearching for the true last logon time (
http://www.somarsoft.com/)Cheers,Jorge-Original Message-From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Friday, October 28, 2005 12:56To: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] LastLogon timestampWhat's the easiest way to find out the last logon time of a useraccount?  And if you have 50 domain controllers, would you have to query
each one for it, or is this replicated some how?  We're in a nativewin2k domain with mostly win2k3 DCs.Thanks~~This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may beconfidential or privileged.This e-mail should be read, copied, disseminated and/or used only by theaddressee. If you have received this message in error please delete it,
together with any attachments, from your system.~~List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive:http://www.mail-archive.com/activedir%40mail.activedir.org/
This
e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] Active Directory Computer management

[Kamlesh Parmar]

I would suggest scheduling excellent joeware utility oldcmp.exe[1]  for this task,

I follow this process, 

Find computers older than 60 days, move them to particular OU say - "oldComps"
disable them, and let different location admins know, if they have problem with computer account,
we move those comps to normal OU again. or special OUs which are excluded from this process.

otherwise after a week time delete all comps from that OU and repeat the process again next week.
Besides this oldcmp.exe has built-in safety that it NEVER touches domain controller accounts,
also, u can exclude OUs from this process, so if you have many
NAS,Linux,Unix boxes having computer account then u can put them in OU
and exclude them from removal process. As they normally don't change
their account password every 30 days.

[1] source : http://www.joeware.net/win/free/tools/oldcmp.htm
you will find basic example on the same page
--
Kamlesh
On 10/28/05, Abella Tarimo <[EMAIL PROTECTED]> wrote:













Hello everyone,

 

Does anyone know how I can implement a policy where a
computer which has not accessed the domain for more than X number of days is
automatically removed in the computer OU?

 

Basically I need to manage my Anti-virus (McAfee) reports
and currently I have set an auto-import from the AD which means the dormant machines
(e.g. consultants who were here for only a week a year ago) appear and these
machines would obviously never pick an agent and so my report to management
always shows some non-compliant machines.

 

Thanks in advance for all your responses.

 

Abella 







-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir]Group Policy Administrative Templates

[Kamlesh Parmar]

I found this free registry GP CSE 

at http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx

some of the feature it touts are
* Full control over tattooing  ( i.e. means each setting becomes a policy and not preference)
* Registry Wizard for settings import
* Per-setting filtering 
* integration with GPMC

I will be testing this extension, :)

--
Kamlesh
On 10/26/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:







There's a few free and for pay tools to do it. Check out 
the following:
 
RegtoADM: turns .reg files into ADMs. Free 
tool that is part of the NUTS utilities at http://yizhar.mvps.org/
 
ADM TEmplate Editor: This is a for pay 
tool found at http://www.sysprosoft.com/adm_summary.shtml

 
Policy Template Editor: a for pay tool at 
http://www.tools4ever.com/products/utilities/policytemplateeditor/

 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Sadovskiy Artem 
NikolaevichSent: Tuesday, October 25, 2005 7:28 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir]Group Policy 
Administrative Templates


Hi!
 
Are there any tools that can assist 
me to create .ADM (Group Policy Administrative Templates) 
files?
If anybody knows, please send me a 
link.
 
Regards.
 

-- ~~~"Fortune and Love befriend the bold"~~~

Re: [ActiveDir] OT: Robocopy command..

[Kamlesh Parmar]

does /M  help, it will behave like ntbackup with incremental backup type

i.e. if archive bit is set then only copy.
and as we know archive bit is set for new files and changed files.
On 10/25/05, Frank Abagnale <[EMAIL PROTECTED]> wrote:
 
Hi.
I have used robocopy to copy an entire folder content from oldserver1 to newserver1.
 
I want to keep this data on the newserver consistent however,
I only want it to copy file changes and additional files
that have been created, not the entire folder content.
 
I was thinking of using robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1 
 
does anyone have any thoughts about the parameters I've used? 
thanks
 
frank
		 
Yahoo! FareChase - Search multiple travel sites in one click.

 

 
-- ~~~"Fortune and Love befriend the bold"~~~