[ActiveDir] 2003AD - 2000AD Trust with LMHOST?
Haven't been able to find many answers via googling unfortunately :-(

I know 2000/2003 - NT4 trust creation can be done via LMHOSTS/WINS, but can 2003 AD - 2000 AD trust creation be done via resolution provided by LMHOSTS only? Reason being DNS is really out of my control (handled by another team), so conditional forwarding/stub zones are out of the way.

Thanks lots!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 2003AD - 2000AD Trust with LMHOST?
Thanks Rick! Yeah, last week's post was about the usefulness of NetBIOS in trusts; this time it is really the other way round - the usefulness of DNS in trusts :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 29, 2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003AD - 2000AD Trust with LMHOST?

Are you talking about external trusts? If so, then yes. You would follow the same procedures as you would for a Win2x to NT 4.0. You'll need to specify the #DOM and #PRE entries to get the 1B and 1C records loaded.

As we discussed a few weeks ago, this is the rather archaic method to do it, but if you don't have access to WINS or DNS you don't have many other options left to choose from.

Rick
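Rick's LMHOSTS approach written out as an added example (my script, not from the thread): #PRE preloads an entry into the NetBIOS name cache, #DOM:<domain> makes the DC a member of the <domain>[1C] group, and the quoted, space-padded name ending in \0x1b supplies the [1B] record for the domain's PDC emulator. The domain, host names and addresses are constructed placeholders, and it assumes an elevated Windows PowerShell prompt on a machine whose adapter has LMHOSTS lookup enabled.

```powershell
# Added example, not from the thread: push LMHOSTS entries for the other
# domain's DCs, reload the NetBIOS name cache and show what got preloaded.
# All names and addresses below are constructed placeholders.
$lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'

# #PRE  = preload into the name cache; #DOM:CORP2000 = member of CORP2000[1C].
# The last line is the [1B] (domain master browser / PDC emulator) record:
# the name must be padded with spaces to exactly 15 characters before \0x1b.
$block = @'
192.0.2.10      CORP2000DC1             #PRE    #DOM:CORP2000
192.0.2.11      CORP2000DC2             #PRE    #DOM:CORP2000
192.0.2.10      "CORP2000       \0x1b"  #PRE
'@
$entries = $block -split "`r?`n"

# Keep a backup and append only lines that are not already there, so the
# script can be re-run safely on every DC that has to reach CORP2000.
if (Test-Path $lmhosts) { Copy-Item $lmhosts "$lmhosts.bak" -Force }
$existing = if (Test-Path $lmhosts) { @(Get-Content $lmhosts) } else { @() }
$new = $entries | Where-Object { $_ -and ($existing -notcontains $_) }
if ($new) { Add-Content -Path $lmhosts -Value $new -Encoding Ascii }

# -R purges the cache and reloads the #PRE entries; -c lists the cache so you
# can confirm CORP2000 <1B> and <1C> are present before attempting the trust.
nbtstat -R | Out-Null
nbtstat -c
```

The same entries have to exist on every DC (and admin workstation) that must locate the other domain, since LMHOSTS is per machine and nothing replicates it.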
RE: [ActiveDir] GPO on XP 2000 Pro
You can always make conflicting GPOs and get those to work (but with a limitation).

Example WMI Filter: OS=XP and OS=NON XP

         WMI Filter     Settings                  Result        Result
  GPO 1  OS=XP          Hide Recycle Bin = no     2000 show     XP hide
  GPO 2  OS=NON-XP      Hide Recycle Bin = yes    2000 hide     not processed

Final result = Win2000 Hide Recycle Bin = Yes, WinXP Hide Recycle Bin = No

Limitation = you can't set conflicting settings for something that you want to be set as NOT DEFINED.

Hope that helps.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

From: Robert Bobel [mailto:[EMAIL PROTECTED] On Behalf Of Robert Bobel
Sent: Thursday, August 25, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP 2000 Pro

I'm pretty much with Darren on this one. Keeping it organized over the long term may end up being a lot of trouble, especially if the environment is of a fairly large size.

From: [EMAIL PROTECTED] on behalf of RM
Sent: Wed 8/24/2005 6:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP 2000 Pro

On Wed, 24 Aug 2005 15:47:10 -0700, Darren Mar-Elia [EMAIL PROTECTED] said:
I suppose it's just me, but in general I'm opposed to modifying an AD structure strictly to meet a single need such as this. If there are overwhelming business reasons to have those machines there in the first place, then moving them around to accommodate a particular GP problem is probably not a good idea, because, as we all know, there will be a new problem that will come along that will have a different set of requirements.

I can think of plenty of reasons to have a different OU for servers and no good reasons to not have this OU. If I were tasked with the job of admin for this environment, creating and populating a servers OU would be one of my first tasks. The second would be installing GPMC on my PC.

:-)
RM
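The WQL behind the OS=XP / OS=NON-XP filters from the first post, evaluated locally, as an added example (my code, not from the thread); the filter names are Freddy's, the queries and the Test-WmiFilter helper are my reconstruction and assume Windows PowerShell with Get-WmiObject available.

```powershell
# Added example, not from the thread: the WQL behind the two WMI filters in
# the post, run locally so you can see which of the conflicting GPOs a given
# machine would accept. XP reports Win32_OperatingSystem.Version 5.1.x;
# Windows 2000 reports 5.0.x and Server 2003 reports 5.2.x.
$filters = [ordered]@{
    'OS=XP'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%"'
    'OS=NON-XP' = 'SELECT * FROM Win32_OperatingSystem WHERE NOT Version LIKE "5.1%"'
}

function Test-WmiFilter([string]$Query, [string]$ComputerName = '.') {
    # A WMI filter passes when the query returns at least one instance,
    # which is exactly how the Group Policy client engine evaluates it.
    $hits = @(Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
    return $hits.Count -gt 0
}

foreach ($name in $filters.Keys) {
    $applies = Test-WmiFilter -Query $filters[$name]
    '{0,-10} {1}' -f $name, $(if ($applies) { 'GPO applies' } else { 'filtered out' })
}
```

Windows 2000 clients do not evaluate WMI filters at all and apply a filtered GPO unconditionally, so on a Win2000 box both GPOs above land and link order decides the Recycle Bin setting; the filter pair only behaves as described on XP and later.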
[ActiveDir] Differentiating between NT4 Workstation and Server in AD?
Hi guys,

Just thinking of a better way to search for NT4 workstations within AD. The filter below will return both WS and server:

  (&(objectclass=computer)(objectcategory=computer)(operatingsystem=Windows NT))

The hard way would be to integrate this with something like srvinfo to grep the Product Info, but those remote systems will eat up time :-( Anything else I can use to query them? WMI components may not be installed on the NT4 workstations, so WMIC/Systeminfo and stuff may not be usable..

So far 3rd-party non-relevant utilities such as Quest Domain Migration Wizard are able to separate out WS and SRV when I'm importing the files, but the above criteria will be used in scripts unfortunately... Ideas pls..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
RE: [ActiveDir] Differentiating between NT4 Workstation and Server in AD?
Genius joe, just what I needed!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 23, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Differentiating between NT4 Workstation and Server in AD?

You can't get any further info from AD, you need to ask the machine. Probably the best bet is a reg query of:

  Key:   HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
  Value: ProductType
         WinNT     = Workstation
         ServerNT  = Server
         LanmanNT  = Server (Domain Controller)
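An added example (my code, not from the thread) that combines the LDAP filter from the question with joe's ProductType check: it enumerates the Windows NT computer objects and reads ProductType from each one over Remote Registry instead of running srvinfo against every box by hand. The CSV path is an assumption, and it needs admin rights plus a reachable Remote Registry service on the targets.

```powershell
# Added example, not from the thread: take every "Windows NT" computer object
# the LDAP filter returns and ask each box for its ProductType, as joe
# suggests. Needs admin rights on the target and its Remote Registry service
# reachable; the CSV path is an assumption.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=computer)(operatingSystem=Windows NT*))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
[void]$searcher.PropertiesToLoad.Add('name')

# ProductType values under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
$roleMap = @{ 'WinNT' = 'Workstation'; 'ServerNT' = 'Server'; 'LanmanNT' = 'Domain Controller' }

function Get-NtProductType([string]$Computer) {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\ProductOptions')
        return [string]$key.GetValue('ProductType')
    } finally {
        $base.Close()
    }
}

$results = foreach ($entry in $searcher.FindAll()) {
    $props  = $entry.Properties
    $target = if ($props['dnshostname'].Count) { $props['dnshostname'][0] } else { $props['name'][0] }
    $type   = ''
    try {
        $type = Get-NtProductType $target
        $role = if ($roleMap.ContainsKey($type)) { $roleMap[$type] } else { "Unknown ($type)" }
    } catch {
        # Offline box, Remote Registry not running, or no admin rights there.
        $role = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $target; ProductType = $type; Role = $role }
}

$results | Export-Csv -NoTypeInformation -Path .\nt4-roles.csv
# The list the question is after: NT4 workstations only.
$results | Where-Object { $_.Role -eq 'Workstation' } | ForEach-Object { $_.Computer }
```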
RE: [ActiveDir] Delprof.exe en mass
Use delprof /C:

  For /F %i IN (servernames.txt) do delprof /C:\\%i /D:30 /Q /I

Put the PC names (FQDN, or plain names if you trust your WINS resolution) into servernames.txt.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: Friday, August 19, 2005 6:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delprof.exe en mass

I am in the process of creating new profiles for a few thousand users. In order to make a clean switch, I will need to delete the local cached copy of several user profiles. delprof.exe can do this on an individual basis. Has anyone had experience using it for thousands of machines, maybe writing a script to have it run domain wide?

fred
RE: [ActiveDir] RDP
I guess it works with any other port; if you don't need it, close it. Well, all of the servers that I'm handling are not local, so this is needed for me. You can use the 128-bit encryption built into 2003 if you like, and you can even implement those settings via GPO.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, August 17, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RDP

A port scanner will find the port, but I do agree it provides some security. However, I still use a VPN and term. service is allowed only from certain IPs.

Ravi Dogra wrote:
I don't think anybody will be against it. But the thing is that you can make such connections more secure by modifying the Registry and configuring it to work on some other port. Using the default port is an open invitation for bad guys. Well, I am taking all benefits out of it. Rest is up to you.

On 8/16/05, Tom Kern [EMAIL PROTECTED] wrote:
Does anyone know of any articles from MS that advise for or against having term services kept on a win2k3 DC? Does anyone on this list turn it off on DCs? Should I leave it on?
thanks
RE: [ActiveDir] csvde issue
No wonder I could never get the -nolabel option on my servers (1.25.01)... argh, now I need to push out ver 1.26 on all the DCs.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 15, 2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] csvde issue

  adfind -b dc=domain,dc=com -f "(&(objectCategory=computer)(operatingSystem=Windows 2000 server))" cn -nodn -nolabel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, August 15, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] csvde issue

Thanks a lot. My other request is, I'd like to filter the full DN. I just want the cn of the computer object. When I use the -l cn, I still get the dn in quotes and then the cn. Is there any way to get rid of the full dn from csvde? All I really want is just the comp name. No dn or samAccountName with the $ appended, just the name based on my filter.
thanks

On 8/15/05, Cace, Andrew [EMAIL PROTECTED] wrote:
Tom,
You're missing a closing parenthesis ')' at the end.
-Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, August 15, 2005 9:01 AM
To: activedirectory
Subject: [ActiveDir] csvde issue

I'm having a hard time exporting computer objects based on the operating system attribute using csvde. This is what I use:

  C:\>csvde -f servers.txt -r "(&(objectCategory=computer)(operatingSystem=Windows 2000 server)"

This is the error I get:

  Search Failed
  An error has occurred in the program

Thanks
RE: [ActiveDir] Task scheduler
Stupid question: is the Task Scheduler service started? Else:

  net start "Task Scheduler"

Schtasks to create via cmd line.. But I'm sure you are already aware of that.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Sunday, August 14, 2005 3:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Task scheduler

The log shows up and the entries for when the service started and exited. Nothing else is in the log.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Friday, August 12, 2005 9:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Task scheduler

In the Scheduled Tasks UI - go to Advanced and view log. What shows up?
steve

----- Original Message -----
From: Cothern Jeff D. Team EITC [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 12, 2005 3:30 PM
Subject: RE: [ActiveDir] Task scheduler

Nothing is showing up in the eventlog at all.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, August 12, 2005 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Task scheduler

What of the EventLog? Have you tried to create it from the CLI?
http://www.ultratech-llc.com/KB/?File=TaskSched.TXT

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 8/12/05, Cothern Jeff D. Team EITC [EMAIL PROTECTED] wrote:
Windows 2000 stand-alone machines. Task scheduler service is running. But when I try to create a new task nothing comes up. I looked in the local policy and I don't see any settings for the task scheduler. Anyone have any idea what could be causing this.
Jeff
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Okay, just a quick scenario.. If the deletion has been replicated (I'm fat, running to the nearest DC would be a pain :) would adrestore.exe do the job of restoring all these objects? Although as far as I know, when an object is deleted and still within the tombstone period, lots of attributes are not stored and cannot be retrieved back - but.. will it work?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, August 12, 2005 7:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Please don't forget to insert these steps:
2.5 reboot the DC back to normal mode
2.7 give a chance for the auth restore to replicate out (not necessary, just a good idea)

I'm so glad Guido wrote up the below, I had something 1/2 written up, but I couldn't remember any of the details ...

Cheers,
Brett

On Fri, 12 Aug 2005, Grillenmeier, Guido wrote:
Hopefully you have another Win2003 DC with SP1 = a non-SP1 2003 DC would require you to perform more manual steps during the restore. As you're still in mixed mode, none of your links are LVR (which means they won't be revived on a non-SP1 DC and of course not on a Win2000 DC).

1. so boot another SP1 DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object = with SP1, this step will create an LDIF file that will allow you to restore the groups etc. It will be called ar_date-time_links_fully.qualified.domain.name.ldf (e.g. ar_20050725-145850_links_child1.root.net.ldf) and contain something similar to this:

  dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
  changetype: modify
  delete: member
  member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
  -

  dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
  changetype: modify
  add: member
  member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
  -

  dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
  changetype: modify
  delete: manager
  manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
  -

  dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
  changetype: modify
  add: manager
  manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
  -

If you have multiple domains, you may get more than one file (depends on the group memberships of the user and on whether you are doing the auth restore on a DC or a GC - you should choose a GC if you have more than one domain).

All you need to do after reboot is take that file and execute an LDIF import command (on a DC that corresponds to the file's domain):

  Ldifde -i -k -f ar_date-time_links_fully.qualified.domain.name.ldf

e.g.

  Ldifde -i -k -f ar_20050725-145850_links_child1.root.net.ldf

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
Sent: Friday, 12 August 2005 01:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

OK. This is what I was looking for. This site didn't actually have a chance to repl out the delete, so I just push back the 'good' state? So, if I understand, I am supposed to:
1. reboot a good DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object.
3. use ldifde to restore the links (not sure about this step... any more info?)

Bring my mistake DC back online, it tries to replicate, hits the Auth Restore, and the delete gets tossed, my mistake is rectified, and no one is the wiser... Yes?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

I agree completely - that is the attraction of the lag sites - I have something in which I can push a change back out from a time-delayed replica to where the object still exists. And I agree as well - if there is a DC that has the object required - by all means, repl it back out authoritatively.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Hmmm, maybe I misunderstood ... I understood he has a user deleted on some DCs, but not on others. He doesn't want the user deleted. He can then just take a DC with the user, auth restore the user, let that replicate out. Yes, the delete change will try to replicate out, but when it hits the auth restore the delete
RE: [ActiveDir] 2 quick favors
Hi Tom,

For my system it shows like this below:

  C:\Documents and Settings\fhartono>psexec \\xx net user

  PsExec v1.57 - Execute processes remotely
  Copyright (C) 2001-2005 Mark Russinovich
  Sysinternals - www.sysinternals.com

  User accounts for \\
  ---
  locadmin        RenamedGuest        TsInternetUser
  The command completed with one or more errors.
  net exited on xx with error code 1.

Permission issue?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 2:55 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 2 quick favors

I think I'm screwing up the syntax. This is a sample output in logfile.txt:

  workstationpc psexec \\workstationpc net user

That's all.
thanks
RE: [ActiveDir] 2 quick favors
Hi Tom,

A big whoops I guess - a & was missing :)

  For /F %i IN (computerlist.txt) do echo %i >> logfile.txt & psexec \\%i net user >> logfile.txt

Try that and see if it works. I'm using rcmd.exe (Windows Resource Kit) instead of psexec (works faster).

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 2 quick favors

I'm running as EA, so I don't think so. The command just echoes everything after 'echo' for some reason. I'm running it from a WinXP SP2 box. It doesn't seem like perms, but I'm screwing up the syntax. Turn echo off? As it is now, it just echoes the psexec invoking net user with no output to the stdout and the logfile. Very strange. I don't know where to begin to figure this out.
thanks
RE: [ActiveDir] query service
The DHCP service needs to be authorized in the domain - so open any dhcpmgmt.msc and see the authorization list.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 10:11 AM
To: activedirectory
Subject: [ActiveDir] query service

Is it possible to write a script to query every member server/DC in your domain to search if a specific service is running, like DHCP or DNS, and spit that out to a text file or HTML?
thanks
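An added example (my code, not from the thread) for Tom's question, with Freddy's authorization point folded in: it polls the DHCP Server and DNS Server services on every server-class computer in the domain and compares the DHCP results with the dHCPClass objects under CN=NetServices in the Configuration NC, which is the list dhcpmgmt.msc displays. The dhcpServers attribute format and the output path are assumptions, and it assumes Windows PowerShell run as a domain admin.

```powershell
# Added example, not from the thread: ask every DC / member server in the
# domain whether the DHCP Server and DNS Server services are running, then
# compare the DHCP answers with the authorization list kept in the
# Configuration NC. Output path is an assumption; hosts that don't answer a
# ping show as Unreachable (NT4 boxes won't answer Get-Service anyway).
$root  = [adsi]'LDAP://RootDSE'
$cfgNC = [string]$root.configurationNamingContext

# Authorized DHCP servers live as dHCPClass objects under CN=NetServices;
# the dhcpServers attribute is assumed to contain the server's FQDN.
$dhcpSearch = New-Object System.DirectoryServices.DirectorySearcher
$dhcpSearch.SearchRoot = [adsi]"LDAP://CN=NetServices,CN=Services,$cfgNC"
$dhcpSearch.Filter = '(objectClass=dHCPClass)'
[void]$dhcpSearch.PropertiesToLoad.Add('dhcpServers')
$authorized = @(foreach ($d in $dhcpSearch.FindAll()) { $d.Properties['dhcpservers'] })

function Get-ServiceState([string]$Computer, [string]$Service) {
    $svc = Get-Service -ComputerName $Computer -Name $Service -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Not installed' }
    return [string]$svc.Status
}

$srvSearch = New-Object System.DirectoryServices.DirectorySearcher
$srvSearch.Filter   = '(&(objectCategory=computer)(operatingSystem=*Server*))'
$srvSearch.PageSize = 1000
[void]$srvSearch.PropertiesToLoad.Add('dNSHostName')

$report = foreach ($r in $srvSearch.FindAll()) {
    if ($r.Properties['dnshostname'].Count -eq 0) { continue }
    $name   = $r.Properties['dnshostname'][0]
    $online = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $name
        DHCPServer     = $(if ($online) { Get-ServiceState $name 'DHCPServer' } else { 'Unreachable' })
        DNS            = $(if ($online) { Get-ServiceState $name 'DNS' } else { 'Unreachable' })
        DHCPAuthorized = [bool]($authorized | Where-Object { $_ -like "*$name*" })
    }
}

$report | Export-Csv -NoTypeInformation -Path .\service-report.csv
# A running DHCP service that is not in the authorization list (or an
# authorized server that is not running it) is the thing to chase.
$report | Where-Object { ($_.DHCPServer -eq 'Running') -ne $_.DHCPAuthorized }
```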
RE: [ActiveDir] 2 quick favors
For part 2:

Download psexec.exe (sysinternals). Create a computerlist.txt with all the PC names (FQDN if you don't trust your WINS). From the command line (replace %i with %%i if using a batch file), using your DA/EA credentials, for example:

    For /F %i IN (computerlist.txt) do echo %i >> logfile.txt & psexec \\%i net user >> logfile.txt

Note: the above will query remotely regardless of whether the computer is online or offline (slow if offline) - you can modify it to include a ping test if you want.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 10, 2005 11:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 2 quick favors

I get errors with this script: "the active directory property cannot be found in the cache". I'm running a win2k native mode domain.
thanks. sorry to bother.

On 8/10/05, Alain Lissoir [EMAIL PROTECTED] wrote:
For 1/, try this one below. For 2/ I don't have one close but I'm sure some folks here can feed you ... The script doesn't dump in a text file, but that's an easy addition. HTH

' FindGPOLinks v1.04.vbs - Version 1.04 - Alain Lissoir
'
' WSH Script browsing the 'DefaultNamingContext' and the 'configurationNamingContext'
' to retrieve the Group Policies linked to AD objects.
' This should facilitate the search of created policies in the Active Directory.
'
' The script is using a basic LDAP access in the current user context,
' so, you should have enough rights to access AD objects.
'
' Change in version 1.04
'
' - Add an error Handler in the ShowMemberInfo Private Sub
'
' Change in version 1.02
'
' - Query the schema to get the property list associated to the 'groupPolicyContainer' class.
' - Display only the defined properties for that class.
' - For the defined properties, the script shows the syntax to be used by the property.
' - Take into account the fact that more than one policy can be defined at the container level.
'
' Change in version 1.01
'
' - Add some code to bind to the GPLink LDAP Pointer to extract some properties.
'
' Any comments or questions: EMail: [EMAIL PROTECTED]

Option Explicit

Dim ObjRoot
Dim Object
Dim ObjMember

' ---
WScript.Echo
WScript.Echo "Looking inside 'configurationNamingContext'"
Set objRoot = GetObject("LDAP://RootDSE")
Object = objRoot.Get("configurationNamingContext")
Call LookInsideObject (Object)
Set Object = Nothing
Set objRoot = Nothing

' ---
WScript.Echo
WScript.Echo "Looking inside 'DefaultNamingContext'"
Set objRoot = GetObject("LDAP://RootDSE")
Object = objRoot.Get("DefaultNamingContext")
Call LookInsideObject (Object)
Set Object = Nothing
Set objRoot = Nothing

WScript.Quit (0)

' ---
' Walks a container and recurses into every child that can carry a GPLink.
Private Sub LookInsideObject (Object)
    Dim objMember
    Dim Member

    Set objMember = GetObject ("LDAP://" & Object)

    If objMember.Class <> "sitesContainer" And _
       objMember.Class <> "container" And _
       objMember.Class <> "configuration" _
       Then Call ShowMemberInfo (objMember)

    For Each Member in objMember
        If Member.Class = "domainDNS" Or _
           Member.Class = "organizationalUnit" Or _
           Member.Class = "sitesContainer" Or _
           Member.Class = "site" Or _
           Member.Class = "container" _
           Then Call LookInsideObject (Member.Name & "," & Object)
    Next

    Set objMember = Nothing
End Sub

' ---
' Prints the policies linked to one object by splitting its GPLink
' attribute ("[LDAP://cn={GUID},...;0][LDAP://...;0]") into LDAP pointers.
Private Sub ShowMemberInfo (Object)
    Dim longStartPolicyPath
    Dim longEndPolicyPath
    Dim strPolicyPathSource
    Dim strPolicyPath
    Dim objPolicy
    Dim objPolicyClassDef
    Dim objPolicyProperty
    Dim strPropertyName

    Object.GetInfo

    If Object.GPLink = "" Then
        WScript.Echo Object.Name & " (" & Object.Class & ")"
        WScript.Echo "(No Group Policy Defined)"
        WScript.Echo
    End If

    strPolicyPathSource = Object.GPLink

    While (strPolicyPathSource <> "")
        WScript.Echo Object.Name & " (" & Object.Class & ")"

        ' Extract each LDAP pointer from the GPLink.
        longStartPolicyPath = InStr(1, strPolicyPathSource, "[", vbTextCompare)
        longEndPolicyPath = InStr(1, strPolicyPathSource, "]", vbTextCompare)
        strPolicyPath = Mid(strPolicyPathSource, longStartPolicyPath + 1, longEndPolicyPath - 4)
        strPolicyPathSource = Mid(strPolicyPathSource, longEndPolicyPath + 1)

        Set objPolicy = GetObject(strPolicyPath)
        objPolicy.GetInfo
        WScript.Echo "Found an existing
        ' (the posted script is cut off here in the list archive)
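As an added example (not code from the list or from any poster), the PowerShell equivalent of the psexec loop above, which also covers Tom Kern's earlier "query service" question: it pings each host in computerlist.txt, reports the state of the named services, lists the local accounts on the machine, and writes a text and an HTML report. Assumed: WinRM is enabled on the targets, the caller is an administrator on each of them, and the file names and default service names are constructed placeholders.

```powershell
# Added example: audit a list of machines for service state and local accounts.
# Assumptions: computerlist.txt holds one host name per line, the caller is an admin
# on every host, and WinRM (Invoke-Command) is enabled on the targets.
param(
    [string]$ComputerList = '.\computerlist.txt',         # constructed default path
    [string[]]$ServiceNames = @('DHCPServer', 'DNS'),     # service names, not display names
    [string]$LogFile = '.\audit.txt'
)

$report = foreach ($computer in (Get-Content $ComputerList | Where-Object { $_.Trim() })) {
    # Ping first so that offline hosts do not stall the run on a long RPC timeout.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $computer; Online = $false; Services = ''; LocalUsers = '' }
        continue
    }
    try {
        $result = Invoke-Command -ComputerName $computer -ArgumentList (,$ServiceNames) -ScriptBlock {
            param([string[]]$names)
            # State of each requested service ("-" when the service is not installed).
            $svc = foreach ($n in $names) {
                $s = Get-Service -Name $n -ErrorAction SilentlyContinue
                if ($s) { "$n=$($s.Status)" } else { "$n=-" }
            }
            # Local accounts only; the LocalAccount filter excludes domain accounts.
            $users = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
                     Select-Object -ExpandProperty Name
            [pscustomobject]@{ Services = ($svc -join ';'); LocalUsers = ($users -join ';') }
        }
        [pscustomobject]@{ Computer = $computer; Online = $true; Services = $result.Services; LocalUsers = $result.LocalUsers }
    } catch {
        [pscustomobject]@{ Computer = $computer; Online = $true; Services = "ERROR: $($_.Exception.Message)"; LocalUsers = '' }
    }
}

# Plain text for the log file; the same objects feed ConvertTo-Html for the HTML version.
$report | Format-Table -AutoSize | Out-String -Width 200 | Set-Content $LogFile
$report | ConvertTo-Html -Title 'Service and local account audit' | Set-Content ($LogFile -replace '\.txt$', '.html')
```

Save it as a .ps1 and run it with the DA/EA account; an unexpected local account on a member server, or a DHCP service running on a box that is not in the authorization list, shows up as a row to follow up on.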
RE: [ActiveDir] user dump
Repadmin ..uhmm really? :)

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] user dump

And repadmin.
BrettSh

On Wed, 10 Aug 2005, Phil Renouf wrote:
dsquery/dsget will do the trick as well.
Phil

On 8/10/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
ADFind: http://www.joeware.net/win/free/tools/adfind.htm
Example 6 from the command line help (adfind.exe /?) should be a good starting point for you.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: Wednesday, August 10, 2005 8:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user dump

How can I dump a list of all of my AD users?
RE: [ActiveDir] Replicating AD
Createxmlfromenvironment.wsf. Didn't know that existed..thanks!

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Wednesday, October 05, 2005 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Replicating AD

Ha! Nice response... On another note - GPMC has built-in APIs for this and there is a script included with it that will export your OUs, groups and users, as well as GPOs of course, to an XML file, and then you can use that to reimport. I can't recall the name of it right now.. something about an *environment*.vbs
my .02
steve

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 03, 2005 5:44 PM
Subject: RE: [ActiveDir] Replicating AD

I just typed ldifde at the command line and it didn't sync my environment, what's wrong with it Guido? :o)
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, August 02, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replicating AD

the ldifde command can do the job for you
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, 2 August 2005 18:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD

I'm trying to set up a test AD that's identical to the production AD, with the same OU structure and user accounts. I'd like to avoid having to create them manually by hopefully finding a tool that would import all those objects. Does anyone know of such a tool?
Antonio
RE: [ActiveDir] User to computer
If you didn't clear the lastlogon username security setting - I guess this may help to query which machine belongs to which user. (Not the other way, unfortunately.)

    reg query "\\server\HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultusername
    reg query "\\server\HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultusername

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Friday, July 29, 2005 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User to computer

Kern, Tom wrote:
Is there any way via VBScript (or another way) to find out on a large scale which user is logged on to which desktop?

You can try to use psloggedon.exe - http://www.sysinternals.com/Utilities/PsLoggedOn.html
Another solution is to deploy LimitLogon: http://bink.nu/Article3619.bink
And yes, you can use VBScript with some calls to scan machines but ... the logon script which will report a username to the database (approach similar to the one used in LimitLogin) will give you good results.

The company I'm working at right now put all their computer objects in the Computers folder and I want to move some users' (about 40) PCs to an OU so I can push out an MSI via computer GPO. However, I know which users should get the MSI but not which PC they use. I don't want the MSI to follow them around if they move PCs, so I'd rather this be a computer-based install.
P.S. - on a side note, does anyone know how the Symantec Console gets its info in Symantec Corporate AV?

There is a client deployed on the machines and the client can report it back to the server.

--
Tomasz Onyszko
http://www.w2k.pl
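As an added example (not code from the thread or from any of the tools named in it), one way to build the user-to-computer list the original poster needs: for each machine it reads the interactively logged-on user from Win32_ComputerSystem and, as a fallback for machines with nobody at the console, the last logged-on name cached in Winlogon\DefaultUserName, which is the same value the reg query above reads. As the reply notes, that registry value is empty when the "do not display last user name" setting is in force. Assumed: computerlist.txt is a constructed file with one host per line, the caller is a local administrator on every host, and WinRM and the Remote Registry service are reachable.

```powershell
# Added example: report who is logged on to (or last logged on to) each machine in a list.
# Assumptions: computerlist.txt has one host per line; the caller is a local admin on each host;
# WinRM (Get-CimInstance) and the Remote Registry service are reachable on the targets.
param([string]$ComputerList = '.\computerlist.txt')   # constructed default path

function Get-LoggedOnUser {
    param([string]$Computer)
    $row = [pscustomobject]@{ Computer = $Computer; LoggedOn = $null; LastLogonName = $null; Note = '' }
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        $row.Note = 'offline'; return $row
    }
    try {
        # UserName is DOMAIN\user of the console session, or empty when nobody is logged on.
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Computer -ErrorAction Stop
        $row.LoggedOn = $cs.UserName
    } catch { $row.Note = "cim: $($_.Exception.Message)" }

    try {
        # Same values as "reg query \\server\HKLM\...\Winlogon /v DefaultUserName" in the reply.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
        $row.LastLogonName = $key.GetValue('DefaultUserName')
        if (-not $row.LastLogonName) { $row.LastLogonName = $key.GetValue('AltDefaultUserName') }
        $key.Close(); $hklm.Close()
    } catch { $row.Note += " reg: $($_.Exception.Message)" }
    return $row
}

$rows = Get-Content $ComputerList | Where-Object { $_.Trim() } | ForEach-Object { Get-LoggedOnUser -Computer $_ }
$rows | Export-Csv -Path '.\user-to-computer.csv' -NoTypeInformation   # constructed output path

# Invert the mapping for the 40-user case in the thread: which machines does each user sit at?
$rows | Where-Object { $_.LoggedOn } | Group-Object LoggedOn |
    ForEach-Object { '{0}: {1}' -f $_.Name, (($_.Group.Computer) -join ', ') }
```

The inverted list is what you feed into the OU move; a user that shows up on several machines is the case the poster wanted to avoid with a user-based install, so those rows deserve a look before the computer objects are moved.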
[ActiveDir] Domain Controller HP Virus Throttle?
Hi,

Is anyone using this on a production DC yet? Just like to get some comments first.. :-)

--start snip snip--
HP today unveiled newly developed software which it claims can quickly control the spread of viruses across corporate networks, and reduce the damage caused during an attack.
--end of sniplets--

HP Virus Throttle packet driver (not free though, and requires a ProLiant Essentials Intelligent Networking License):
http://h18023.www1.hp.com/support/files/networking/us/revision/8664.html

Some info on what it does:
http://www.vnunet.com/vnunet/news/2126740/hp-claims-throttle-viruses

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] Demoted DC Lives On
For the license logging issue, open Sites and Services, choose the SITE, and under the Licensing Site Settings point the licensing computer to the new DC. That should do it.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Your Name
Sent: Thursday, July 28, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Demoted DC Lives On

Hello:

A few weeks ago, I demoted a DC at one of our sites. The demotion appeared to work correctly, and the server no longer appears as a DC under the ADUC. Also, while there is an A record for the server, it has been removed from the _msdcs, _sites, etc. The server was then completely shut down and is awaiting a good scrubbing. All that is good.

However, the DC's ghost lingers on in at least three places:
- When opening replmon, the server shows up as a DC in the site.
- If I use ADSI Edit to poke around in the Configuration Container, its CN still shows up under the site.
- The current DC is logging an Event 213 complaining about not being able to see the LicenseService on the old DC.

I thought a metadata cleanup using ntdsutil would fix it. However, the server does NOT show up when queried with "list servers in site". So the question is how can I get rid of this beast? Should I simply remove it using ADSI Edit?

TIA.
--
nme
RE: [ActiveDir] RILOE AD Integration
Hi Brian,

You'll need to get a certificate for the domain controllers to enable LDAP/SSL (port 636). Easily done if you are using a Windows CA (not 3rd party), as the domain controllers will auto-enrol with the CA.

HP provides a rollout tool to mass-configure the RILO AD Integration portion, so this can be done easily and remotely (if you have configured IP settings, hostnames and WINS/DNS correctly, that is).

In terms of functionality, you can disable the local RILO logins and use domain username logins instead. Also, instead of pointing to a single domain controller for authentication and not having any redundancy, I'm using forestdnszones.domain.com as the hostname :)

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 06, 2005 8:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RILOE AD Integration

Anybody done the schema extensions to support HPQ iLO/RiLOE II integration with AD? I'm thinking about it. We're pushing out 50 380s with RiLOE II boards in the next four weeks to all over kingdom come. If you have, how's it work from the iLO standpoint? ADUC extensions work ok?
--brian
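As an added example (not HP's rollout tool and not code from the post), a check to run before pointing the iLO/RILOE boards at LDAPS: connect to port 636 on the name the iLO will use and on each DC it resolves to, and show the certificate subject, subject alternative names, expiry and whether the name matches. A round-robin name such as forestdnszones.domain.com gives the redundancy the reply describes, but an auto-enrolled DC certificate carries the DC's own FQDN, so a client that validates the server name against that round-robin name will reject the certificate; the NameMatches column makes that visible up front. Assumed: the host name is a constructed placeholder, port 636 is reachable, and the trust check uses the machine's own certificate store.

```powershell
# Added example: inspect the LDAPS certificate each DC presents and compare it with the name
# the iLO will connect to. $HostName is a placeholder; replace it with your own name.
param([string]$HostName = 'forestdnszones.example.com')

function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake so that it can be inspected;
        # the verdict is computed below from the certificate itself.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the subjectAltName extension; Format() renders it as "DNS Name=..., DNS Name=...".
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
        [pscustomobject]@{
            Server      = $Server
            Subject     = $cert.Subject
            SAN         = $san
            NotAfter    = $cert.NotAfter
            NameMatches = ($cert.Subject -match [regex]::Escape("CN=$Server")) -or ($san -match [regex]::Escape("DNS Name=$Server"))
            ChainValid  = $cert.Verify()    # chains to a CA trusted by this machine (e.g. the Windows CA)
        }
    } finally { $tcp.Close() }
}

# Test the round-robin name itself and every DC it currently resolves to.
$targets = @($HostName) + @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object {
    $ip = $_
    try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $ip.IPAddressToString }
})
$targets | ForEach-Object { Test-LdapsCertificate -Server $_ } | Format-Table -AutoSize
```

Expect NameMatches to be true for the individual DC names and false for the round-robin name; if the iLO firmware enforces server-name validation, the redundancy trick needs a certificate whose SAN also lists the shared name, otherwise the LDAPS session is encrypted but the DC is not authenticated to the iLO.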
RE: [ActiveDir] Stop a DC from authenticating?
Hi Matt,

Creating a site without any subnets will not prevent users from logging on there - those machines without a subnet defined in AD will find the fastest responding DC, which could mean that DC.

Stopping netlogon like Jose mentioned (or unplugging :) Or remove the DNS SRV records, the DC CNAME and its glue records (now we are finding ways to screw up DCs instead of fixing them, hey?)

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, June 03, 2005 2:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Stop a DC from authenticating?

Hi Matt,

Easy one... unplug its network connection... Just kidding!! But seriously, that would work. The other option is to turn off the netlogon service and stop the sysvol share by turning off the server service.

Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Brown
Sent: Thursday, June 02, 2005 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Stop a DC from authenticating?

How can I stop a DC from processing authentication? If I build another site that is not hooked to any of the subnets, will the computers stop authenticating to the DC? I just want to stop it temporarily but don't want to turn the DC off.

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] Selective moving/migration of users
As Jorge mentioned earlier, Quest DMW has an option to find out the groups that a user is a member of and migrate those as well (nice checkbox)...not sure about ADMT though..

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 30, 2005 7:56 PM
To: '[EMAIL PROTECTED] '; ''Lucia Washaya ' '; '''ActiveDir@mail.activedir.org' ' '
Subject: RE: [ActiveDir] Selective moving/migration of users

Almost forgot: think about closed sets (meaning: if I migrate these objects, what other objects should be migrated also). What about the groups the NT users you want to migrate are members of? Don't you need to migrate those as well?

cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: 'Lucia Washaya '; '[EMAIL PROTECTED] '; ''ActiveDir@mail.activedir.org' '
Sent: 5/30/2005 1:42 PM
Subject: RE: [ActiveDir] Selective moving/migration of users

Hi,

You can always select the users and/or groups you want to migrate. It all depends on the requirements and situation, but it is not necessary to migrate the domain at once. There are a lot of tools available that help you with your object migration (users, groups, computers) and resource updating (re-ACL, etc.). One of the free tools available is ADMTv2 (ADMTv3 is in beta at the moment), which can migrate objects and do standard Windows resource updating (incl. Exchange). If you however need to update resources on SQL or SMS you will likely need to use a third-party tool like Quest DMW.

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; 'ActiveDir@mail.activedir.org'
Sent: 5/30/2005 12:52 PM
Subject: [ActiveDir] Selective moving/migration of users

Colleagues,

Is there a way to selectively move or migrate users between NT and Windows 2000 domains? I have two domains, one on NT and another on Windows 2000. I want to move some of the users from NT to 2000. Is there a way to do it?

Thank you in advance for your assistance.

Regards,
Lucia Washaya
UNAMSIL
Tel Ext.: 5497 or Local Tel.: 022-295-526
Int'l Tel.: Via Italy +(39) 083123-5497 Via USA +1(212) 963-9915 (after audio response dial 174-5497)
== The cobra will bite whether you call it Cobra or Dear Mr. Cobra. ===
RE: [ActiveDir] lastlogontimestamp
Hi Andrew,

Where can I get the acctinfo2.dll? Would be nice to have :)

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gould, Andrew D.
Sent: Saturday, May 28, 2005 2:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp

I have seen the same discrepancy. There is a newer dll (acctinfo2.dll) available now. I don't know if it rectifies this particular issue, but it does allow the Additional Account Info tab to appear in a user's properties that was returned as a result of a query.

Andrew Gould

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Robin
Sent: Friday, May 27, 2005 2:31 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] lastlogontimestamp

Hi. Our domain is at the Windows 2003 server functional level. I have registered acctinfo.dll from the 2003 resource kit and have the Additional Account Info tab in ADUC. I am finding a big discrepancy between the lastlogontimestamp date on the Additional Account Info tab and the actual lastlogontimestamp date. For example, John Doe shows a lastlogontimestamp of 11/23/04 in ADUC. However, if I execute the following script:

    Set objUser = GetObject("LDAP://cn=John Doe, ou=MOET (g14), ou=Field Users, ou=LWD Accounts, dc=njdol, dc=ad, dc=dol")
    Set objLastLogon = objUser.Get("lastLogonTimestamp")
    ' Integer8: count of 100-nanosecond intervals since 1 Jan 1601, split into two 32-bit halves
    intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
    intLastLogonTime = intLastLogonTime / (60 * 10000000)   ' 100 ns intervals to minutes
    intLastLogonTime = intLastLogonTime / 1440              ' minutes to days
    Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#

(code was taken from here: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx)

I get a much more current date (5-25-05). This is happening with more than one user. Any explanation for why this happens? I've done a lot of reading this week and I understand that the lastlogontimestamp field could be off by 7-10 days, but this is several months.

Thanks,
Robin
NJDOL
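As an added example (not code from this thread, from the "user dump" thread above, or from the Microsoft script Robin quotes), a PowerShell version that serves both: it dumps every user in the domain through ADSI with a paged search, so the result is not cut off at the server's default MaxPageSize of 1000 objects, and it converts lastLogonTimestamp from its Integer8 (FILETIME) form. ConvertFrom-Integer8 repeats the HighPart/LowPart arithmetic of the quoted VBScript and cross-checks it against .NET's own conversion, so a wrong divisor in the hand-rolled version shows up as an error instead of a wrong date. Assumed: it runs as a domain user on a domain-joined host, and the CSV path is a constructed default.

```powershell
# Added example: paged dump of all domain users with lastLogonTimestamp converted to a date.
# Assumptions: domain-joined host, caller can read the domain; output path is constructed.

function ConvertFrom-Integer8 {
    # $Ticks: 64-bit count of 100 ns intervals since 1601-01-01 00:00 UTC (0 = never logged on).
    param([int64]$Ticks)
    if ($Ticks -le 0) { return $null }
    # Split into the two 32-bit halves that ADSI hands to VBScript as HighPart/LowPart ...
    $high = [int64][math]::Floor($Ticks / 4294967296)
    $low  = $Ticks - $high * 4294967296
    # ... and rebuild the date the way the script does: 100 ns -> minutes -> days, added to 1 Jan 1601.
    $rebuilt = $high * 4294967296 + $low
    $days    = ($rebuilt / (60 * 10000000)) / 1440
    $epoch   = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $manual  = $epoch.AddDays($days)
    $dotnet  = [DateTime]::FromFileTimeUtc($Ticks)
    if ([math]::Abs(($manual - $dotnet).TotalSeconds) -gt 1) { throw "conversion mismatch for $Ticks" }
    return $dotnet
}

function Get-DomainUsers {
    param([string]$OutFile = '.\users.csv')
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize   = 1000   # enables paged results; without it the server stops at 1000 objects
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'userAccountControl', 'lastLogonTimestamp'))

    $rows = foreach ($r in $searcher.FindAll()) {
        $p  = $r.Properties
        $ll = if ($p['lastlogontimestamp'].Count -gt 0) { ConvertFrom-Integer8 -Ticks ([int64]$p['lastlogontimestamp'][0]) } else { $null }
        [pscustomobject]@{
            SamAccountName     = [string]$p['samaccountname'][0]
            DistinguishedName  = [string]$p['distinguishedname'][0]
            Disabled           = (([int]$p['useraccountcontrol'][0]) -band 2) -ne 0   # ACCOUNTDISABLE bit
            # Replicated to every DC, but only rewritten when the stored value is older than
            # msDS-LogonTimeSyncInterval (14 days by default), so it lags real logons by up to two weeks.
            LastLogonTimestamp = $ll
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    return $rows
}

Get-DomainUsers | Sort-Object LastLogonTimestamp | Format-Table -AutoSize
```

Because lastLogonTimestamp is deliberately coarse, a stale-account report built on it can only say "not used in the last two weeks or more"; for an exact last logon you have to read the non-replicated lastLogon attribute from every DC and take the newest value.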
RE: [ActiveDir] DC's not replicating
/Forceremoval?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, May 26, 2005 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC's not replicating

Getting a continuous flow of these errors on one of our remote DCs. Can't even log into it as my own domain admin account (says invalid user/pass), so I have to log in as administrator. Won't let me demote it even, says directory service invalid. Any ideas?

Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination domain controller: b2293e9b-4f9c-4bd7-9b63-ab8c3ab002b8._msdcs.ourdomain.com
SPN: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b2293e9b-4f9c-4bd7-9b63-ab8c3ab002b8/[EMAIL PROTECTED]
User Action
Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller's computer account data to replicate to the KDC before this computer can be authenticated.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
RE: [ActiveDir] Replication failures - lingering objects
Try with repadmin /removelingeringobjects

Or disable the strict replication key on all domain controllers and re-enable it once the objects have been replicated (you can delete them later on if you want to). Mod the below /d value for enable/disable of the strictrepl key:

    FOR /F "skip=1 usebackq delims==" %i IN (`netdom query dc`) DO reg add "\\%i\HKLM\System\CurrentControlSet\Services\NTDS\Parameters" /v "Strict Replication Consistency" /t REG_DWORD /d 1 /f

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Wednesday, May 18, 2005 4:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time sync problems before I got here. Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is: the first event I can see showing replication problems with this DC is on April 8th, which should mean that I'm not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3.

Any thoughts?
TIA
-Alex
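As an added example (not code from the reply), the same change done from PowerShell with a read-back, so you can see the before/after value on every DC rather than trusting a loop of reg add commands that ran blind. The DC list comes from the .NET DirectoryServices API instead of parsing "netdom query dc" output, and a -ReadOnly switch reports the current state without touching anything. Assumed: the caller is a domain admin and the Remote Registry service is running on the DCs.

```powershell
# Added example: read or set "Strict Replication Consistency" on every DC in the current domain.
# Assumptions: domain admin rights; Remote Registry service reachable on each DC.
param(
    [ValidateSet(0, 1)] [int]$Value = 1,   # 1 = strict (the default on DCs promoted into a new 2003 forest), 0 = loose
    [switch]$ReadOnly                       # report the current values without changing anything
)

$subKey = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name   = 'Strict Replication Consistency'

function Set-StrictReplication {
    param([string]$Dc, [int]$Desired, [bool]$WhatIfOnly)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    try {
        $key    = $hklm.OpenSubKey($subKey, -not $WhatIfOnly)   # writable unless read-only
        $before = $key.GetValue($name)                           # $null when the value does not exist
        if (-not $WhatIfOnly -and $before -ne $Desired) {
            $key.SetValue($name, $Desired, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $after = $key.GetValue($name)
        $key.Close()
        [pscustomobject]@{ DC = $Dc; Before = $before; After = $after; Changed = ($before -ne $after) }
    } finally { $hklm.Close() }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domain.DomainControllers |
    ForEach-Object { Set-StrictReplication -Dc $_.Name -Desired $Value -WhatIfOnly:$ReadOnly.IsPresent } |
    Format-Table -AutoSize

# With the value at 0 a DC accepts updates for objects it has already garbage-collected,
# which is exactly how lingering objects get reintroduced: set it back to 1 as soon as the
# cleanup (repadmin /removelingeringobjects) is done, and keep the read-only report as evidence.
```

Run it first with -ReadOnly to capture the starting state; a DC that still reports Before = (blank) is one where the value was never set and is running with the OS default.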
RE: [ActiveDir] Accounts Locked
Check out your DC logs for invalid logon attempts - also modify your lockout policy if it's causing you to lock out for too long. Lockoutstatus.exe and eventcombmt.exe should be quite helpful.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Tuesday, May 17, 2005 7:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accounts Locked

I faced a big problem last night: all my user accounts, including the administrator account, were locked out and nothing was happening. But after some time everything was working fine. What could be the possible reason for this? Suggest.
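As an added example (not LockoutStatus.exe or EventCombMT, and not code from the reply), a scripted version of the search the reply recommends: it pulls the lockout events from the PDC emulator, which is where every lockout in the domain is reported, and groups them by the source computer so that one misbehaving host or service stands out from genuine user mistakes. Assumed: the DCs write the Windows Server 2008-and-later event ID 4740 (on Windows Server 2003 the equivalent lockout event is 644, with 529/675 for the bad-password attempts), and the Security log is readable remotely with Get-WinEvent.

```powershell
# Added example: list account lockouts recorded on the PDC emulator and group them by source.
# Assumptions: event ID 4740 (Server 2008+); remote Security log access for the caller.
param([int]$Hours = 24)

$pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$since = (Get-Date).AddHours(-$Hours)

# 4740 = "A user account was locked out". Properties[0] is the account name,
# Properties[1] the caller computer name (the machine the bad passwords came from).
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Source  = $_.Properties[1].Value
            DC      = $_.MachineName
        }
    }

$lockouts | Sort-Object Time | Format-Table -AutoSize

# Many accounts locked from a single source in a short window points at one host
# (a service with a stale password, a mapped drive, a scanner) rather than at users.
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
```

The bad-password attempts that preceded each lockout (4771 for Kerberos pre-authentication failures, 4776 for NTLM validation) live on whichever DC handled them, so once a source host is identified, the same query with those IDs against that DC shows the timeline; that is the part of the job EventCombMT does across all DCs at once.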
RE: [ActiveDir] joining domain is not easy ?
Tom,

Now that's pretty strange..the view that I have is as below:
[EMAIL PROTECTED]; on behalf of; [EMAIL PROTECTED]
And that's my corp's SMTP relay, a spam indeed?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Windows Administrator (ADSM/NT Security), Spherion Technology Group, Singapore For Agilent Technologies, E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, May 16, 2005 6:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] joining domain is not easy ?

I think this is a good reason to use SPF on mailing lists. Charmer.com is my corp's domain. I don't know why this individual is spoofing his return address. I know there's been a spate of German right-wing spam lately on a lot of mailing lists. I don't know if this has anything to do with it...
thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 15, 2005 4:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] joining domain is not easy ?

greetings,

This is always my nightmare: every time I connect a new computer to the network to join the domain, either I get this message, THE NETWORK PATH WAS NOT FOUND, or CANNOT JOIN THE DOMAIN. I've checked the IP and did a ping on it and everything looks fine; when I set the workstation to hook up to our LAN internet it responded well, but when I need to join the domain it is very annoying, it just cannot join the domain. I even configured it as a workgroup and then configured it to join the domain, still won't join. BUT if I remove the IP address and join the old server first, then put back the IP address and do the join to the new server domain, IT WORKS. Why and how I don't have any idea. If needed for me to detail my problem by phone, tell me.

rgds
cyrus
RE: [ActiveDir] joining domain is not easy ?
Postfix it is :) Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Monday, May 16, 2005 8:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] joining domain is not easy ? Nope, it's a fair bet that neither Outlook 2003 nor Exchange 2003 do that - because that is what I'm running. His postings just show as cyrus here. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Sunday, May 15, 2005 8:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] joining domain is not easy ? my MUA is Outlook. I'm pretty sure, Outlook doesn't do that.. Could be my mta. I use Postfix, but as i recall you have to specifically create a lookup table for that and i never did. and Exchange 2k never does that AFAIK. oh, well. i'll take a look. thanks -Original Message- From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Sunday, May 15, 2005 8:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] joining domain is not easy ? The address is actually coming in as a local address (i.e., just cyrus) with no domain-part. He probably has a misconfigured Outlook Express or Eudora. Your local MTA or your MUA is adding the domain-part. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Sunday, May 15, 2005 8:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] joining domain is not easy ? this is what i see( i cut out my part of the headers. 
you'll see [EMAIL PROTECTED] I don't rewrite sender addresses incoming so i don't know why it would end up like this)- Received: from mail.activedir.org (ftp.activedir.org [12.168.66.190]) by mta1.charmer.com (Postfix) with ESMTP id F1D7C284077 for [EMAIL PROTECTED]; Sun, 15 May 2005 17:54:41 -0400 (EDT) Received: from ams007.ftl.affinity.com [216.219.253.155] by mail.activedir.org with ESMTP (SMTPD32-8.11) id ACD581CB006C; Sun, 15 May 2005 18:27:33 -0400 Received: by ams007.ftl.affinity.com id 359462-28812; Sun, 15 May 2005 04:10:32 -0400 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Subject: [ActiveDir] joining domain is not easy ? Date: Sun, 15 May 2005 04:10:31 -0400 Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Message-Id: [EMAIL PROTECTED] Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org X-Virus-Scanned: by amavisd-new at charmer.com Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 15 May 2005 22:29:13.0104 (UTC) FILETIME=[854C6100:01C5599D] thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sunday, May 15, 2005 7:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] joining domain is not easy ? Tom, Now that pretty strange..the view that I have is as below: [EMAIL PROTECTED]; on behalf of; [EMAIL PROTECTED] And that's my corp's smtp relay, a spam indeed? Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Monday, May 16, 2005 6:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] joining domain is not easy ? I think this is a good reason to use SPF on mailing lists. Charmer.com is my corps domain. 
I don't know why this individual is spoofing his return address. I know there's been a spate of German right wing spam lately on a lot of mailing lists. I don't know if this has anything to do with it... thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sunday, May 15, 2005 4:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] joining domain is not easy ? greetings, this is always my nightmare: every time I connect a new computer to the network to join the domain, I get either the message THE NETWORK PATH WAS NOT FOUND or CANNOT JOIN THE DOMAIN. I've checked the IP and did a ping on it and everything looks fine; when I set the workstation to hook up to our LAN internet it responded well, but when I need to join the domain it is very annoying, it just can not join the domain. I even configured it as a workgroup then configured it as joining a domain, and it still won't join. BUT if I remove the IP address and join to the old server first, then put back the IP address and do the joining to the new server domain, IT WORKS. Why and how I don't have any idea. If needed for me to detail my problem by phone, tell me. rgds cyrus
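An added example, not part of the original thread: the posters worked out by hand that the From header arrived with no domain part and that the local MTA appended its own domain. The script below does that inspection mechanically, walking the Received chain oldest-first and flagging a domainless From, an envelope/header sender mismatch and non-monotonic hop timestamps. SAMPLE_MESSAGE is constructed after the header block quoted above; the addresses in it are placeholders, not the posters' real ones.

```python
"""Added example, not part of the original thread: walk a message's Received
chain and flag what the posters noticed, a From header with no domain part
(so the receiving MTA/MUA appends its own) and an envelope sender that does
not match the header From. SAMPLE_MESSAGE is constructed after the header
block quoted above; the addresses are placeholders, not the posters' real ones."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_MESSAGE = """\
Return-Path: <activedir-bounces@example.org>
Received: from mail.activedir.org (ftp.activedir.org [12.168.66.190])
 by mta1.charmer.com (Postfix) with ESMTP id F1D7C284077
 for <tom@charmer.com>; Sun, 15 May 2005 17:54:41 -0400 (EDT)
Received: from ams007.ftl.affinity.com [216.219.253.155]
 by mail.activedir.org with ESMTP (SMTPD32-8.11) id ACD581CB006C;
 Sun, 15 May 2005 18:27:33 -0400
Received: by ams007.ftl.affinity.com id 359462-28812;
 Sun, 15 May 2005 04:10:32 -0400
From: cyrus
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] joining domain is not easy ?
Sender: activedir-bounces@example.org
Reply-To: ActiveDir@mail.activedir.org

(body omitted)
"""

_FROM_RE = re.compile(r"\bfrom\s+(\S+)")
_BY_RE = re.compile(r"\bby\s+(\S+)")


def received_hops(msg):
    """Hops oldest-first as (claimed sending host, receiving host, timestamp).
    Each MTA prepends its own Received line, so the last header is the origin."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())               # unfold the header
        clause, _, date = text.rpartition(";")     # the date follows the last ';'
        m_from, m_by = _FROM_RE.search(clause), _BY_RE.search(clause)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None,
                     parsedate_to_datetime(date.strip()) if date.strip() else None))
    return list(reversed(hops))


def domain_of(addr):
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def analyze(raw_message):
    """Return the sender identities plus a list of findings worth a look."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    hops = received_hops(msg)
    findings = []
    if not domain_of(header_from):
        findings.append("header From has no domain part; the local MTA or MUA "
                        "will append its own domain, which looks like spoofing")
    elif domain_of(envelope_from) and domain_of(envelope_from) != domain_of(header_from):
        findings.append("envelope sender domain differs from header From domain "
                        "(normal for a list, suspicious for direct mail)")
    stamps = [t for _, _, t in hops if t is not None]
    if any(later < earlier for earlier, later in zip(stamps, stamps[1:])):
        findings.append("Received timestamps go backwards across hops "
                        "(clock skew or a forged Received header)")
    return {"header_from": header_from, "envelope_from": envelope_from,
            "origin_host": hops[0][1] if hops else None,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

On the sample this reports the origin as ams007.ftl.affinity.com, a bare "cyrus" as header From, and hop timestamps that run backwards between the list server and the receiving MTA (already visible in the quoted headers). A bare local part is completed by whichever MTA or MUA sees it next (Postfix does this through append_at_myorigin, which is on by default), so the "charmer.com" sender Tom saw was added on his own side, exactly as Michael described. SPF would not have caught this case: it checks the envelope sender (the list's bounce address), not the From header.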
RE: [ActiveDir] OT:DNS SRV resource Kit
Try that redirection service (too many to list down) I don't think DNS is able to do port redirection for web. Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, May 13, 2005 11:44 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] OT:DNS SRV resource Kit Why not simply add an alias for www.xcompany.com and include the port number. e.g. host: www.xcompany.com alias: ww2.xcompany.com:456 This is how some ppl have configured DNS and web servers to work correctly when ISPs block port 80. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: 13 May 2005 09:40 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT:DNS SRV resource Kit Hi All Does anyone know whether IE supports SRV Resource records in DNS. I'd like to create a DNS entry that includes the port number of the Website on one of my internap IIS boxes. I know I can do this with host headers within IIS but I was wondering whether I could do it so that www.xcompany.com would be redirected to http://server/website:456 for example. Thanks in advance Peter Johnson
RE: [ActiveDir] Group ManageBy 'feature' in SP1 does not work?
Hi Joe Thanks again for confirming, for some reason it wasn't working the other day when I was doing a demo (for whatever reason) and just re-tested and it works fine.. Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, May 10, 2005 12:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group ManageBy 'feature' in SP1 does not work? I just tested this and yes it did indeed work for me. I would fully expect it to. It isn't anything magical about ADUC, that is AD Delegation functionality at work there and normal ACLs. I even used the Self well known security principal as the managing group. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, May 09, 2005 1:40 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group ManageBy 'feature' in SP1 does not work? Hi Someone here (sorry can't remember who) posted that in 2003 SP1, we are able to put a Group to manage a group and update membership. I've been testing that and I'm kinda stuck - after assigning a group and ticking Manager can update membership list - the user in that group is unable to manage the other group. Groupname to be managed: group1 Groupname to manage: group2 (username1 is a member of group2) Under Managed By tab of group1 - I assign a group group2 and ticked Manager can update membership list Login as username1 and I am UNABLE to add or modify any members (if I assign directly to a user account it works) Even though it doesn't work - dsacls shows that group2 is assigned the correct rights which is SPECIAL ACCESS for Add/Remove self as member (defined as WP;member) Anyone has tested this functionality and got this to work yet?
I'm trying to achieve group to self managed its member - meaning any member of the group can add/remove/modify membership list (group1 to be managed by group1). Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
[ActiveDir] OT: Removing Orphaned SIDs from User Rights Assignment?
Hi all Rather off topic I know, but just wondering if there is anyone that knows or has done cleanup before. Basically found some deleted users/sids that are still showing up on the server User Rights Assignment section of some of the servers. Is there any command line mode of doing this type of cleanup? Tried subinacl.exe without any luck as well as ntrights.exe Thanks in advance! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
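An added example, not from the original post, showing one way to do this cleanup from the command line: export the user rights with secedit, strip the SIDs that no longer resolve, and apply the cleaned file back. The secedit switches in the docstring are real; the INF text and the set of still-resolvable SIDs are constructed for the example (on a real server you would build that set by attempting LookupAccountSid on each SID in the export).

```python
"""Added example, not from the original post: remove orphaned (unresolvable)
SIDs from the [Privilege Rights] section of a secedit export so the cleaned
file can be applied back. Assumed workflow on the affected server, using the
real secedit switches:
    secedit /export /cfg rights.inf /areas USER_RIGHTS
    (clean rights.inf with clean_privilege_rights)
    secedit /configure /db rights.sdb /cfg rights.inf /areas USER_RIGHTS
SAMPLE_INF and RESOLVABLE are constructed; in practice build RESOLVABLE by
trying LookupAccountSid on every SID in the export (secedit writes the file
as UTF-16, so open it with encoding="utf-16")."""
import re

# secedit prefixes raw SIDs with '*'; account names appear without it.
SID_RE = re.compile(r"^\*?(S-1-\d+(?:-\d+)+)$")

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-20
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1001,*S-1-5-21-1111111111-2222222222-3333333333-1002
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed: the only domain SID in the sample that still resolves.
RESOLVABLE = {"S-1-5-21-1111111111-2222222222-3333333333-1105"}


def can_orphan(sid):
    """Only domain and local account SIDs (S-1-5-21-...) can be orphaned;
    built-in (S-1-5-32-*) and NT AUTHORITY (S-1-5-<n>) SIDs never are."""
    return sid.startswith("S-1-5-21-")


def clean_privilege_rights(inf_text, resolvable):
    """Return (cleaned INF text, {privilege: [SIDs removed]})."""
    out, removed, in_rights = [], {}, False
    for line in inf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):                       # section header
            in_rights = stripped.lower() == "[privilege rights]"
            out.append(line)
            continue
        if not in_rights or "=" not in line:
            out.append(line)
            continue
        priv, _, value = line.partition("=")
        priv = priv.strip()
        kept = []
        for entry in (e.strip() for e in value.split(",") if e.strip()):
            m = SID_RE.match(entry)
            if m and can_orphan(m.group(1)) and m.group(1) not in resolvable:
                removed.setdefault(priv, []).append(m.group(1))
            else:
                kept.append(entry)
        # Caution: if every holder of a privilege was orphaned the line becomes
        # "SePriv = " and applying it revokes the right from everyone. Review
        # the removed dict before running secedit /configure.
        out.append(f"{priv} = {','.join(kept)}")
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    text, gone = clean_privilege_rights(SAMPLE_INF, RESOLVABLE)
    print(text)
    for priv, sids in gone.items():
        print(f"removed from {priv}: {', '.join(sids)}")
```

Applying the cleaned INF with /areas USER_RIGHTS replaces each listed privilege's holders with exactly the accounts in the file, which is why the orphans disappear; privileges not present in the file are left untouched. Keep the original export so the change can be reverted.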
[ActiveDir] Group ManageBy 'feature' in SP1 does not work?
Hi Someone here (sorry can't remember who) posted that in 2003 SP1, we are able to put a Group to manage a group and update membership. I've been testing that and I'm kinda stuck - after assigning a group and ticking Manager can update membership list - the user in that group is unable to manage the other group. Groupname to be managed: group1 Groupname to manage: group2 (username1 is a member of group2) Under Managed By tab of group1 - I assign a group group2 and ticked Manager can update membership list Login as username1 and I am UNABLE to add or modify any members (if I assign directly to a user account it works) Even though it doesn't work - dsacls shows that group2 is assigned the correct rights which is SPECIAL ACCESS for Add/Remove self as member (defined as WP;member) Anyone has tested this functionality and got this to work yet? I'm trying to achieve group to self managed its member - meaning any member of the group can add/remove/modify membership list (group1 to be managed by group1). Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] GPO Item: Accounts: Rename administrator account
Modify CharlieAdmin GPO settings to newadminusername and re-link it? Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Saliba Sent: Tuesday, May 03, 2005 7:32 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO Item: Accounts: Rename administrator account Greetings I recently created and linked a GPO where the only setting was Accounts: Rename the administrator account to (for illustrative purposes) CharlieAdmin I linked it to the domain. It was under my impression that this would only rename the local administrator accounts... was i wrong. I've already disabled this GPO and unlinked it from the domain. The kicker is my domain administrator userid is still CharlieAdmin and it will not revert to what it was. I have done gpupdate and that hasn't worked.. i checked gpresult and it does not show anything about the gpo that i created. Does anyone have a clue where I could go next? Thanks! Charlie Saliba [EMAIL PROTECTED]
RE: [ActiveDir] Silly question(way OT)
For most raid cards, say HP/Compaq ones, if disk 0 1 2 3 are part of raid 5 - just recreate the raid config in the new raid card (of course without reinitializing) Some cards will bootup with NVRAM mismatch (config in ram doesn't match those in drive) and then you can choose which one to load from - in this case the drives. For extending the raid5 - sure most raid card nowadays allows you to extend the raid card - say you have 36x3 - and you add in another 36gig. Windows will not extend those that you have already allocated - so in diskmgmt.msc you will see an unassigned freespace. Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Friday, April 29, 2005 4:54 AM To: ActiveDir (E-mail) Subject: [ActiveDir] Silly question(way OT) This is a hardware question that has nothing to do with AD. be warned. Many apologies in advance. i'm not really a hardware guy. Still, I can't believe I don't know this, but if anyone can help me, that would be great. If i have a hardware raid 5 array and swap out the raid controller with a new one, what happens to the data on the disks? Is everything lost or can the new controller just do raid 5 for the existing data? also, as a final question, can I add a extra drive to extend the current raid partition? meaning, if a have a 70gig hardware raid array(not counting the parity data), can i just add another 35gig drive to make Windows see a 105gig paratition now or do I have to create an extended paration? thanks. I know this is way OT. 
sorry
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Hi Joe Is there any reason why we need to grant the right to include the child objects? /I:T I've removed /I:T and it seems to work fine as well, thanks for the member attribute I think that does the things I wanted :D dsacls GROUP_DN /G domain\secprin:WP;member Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, April 28, 2005 6:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Ah try this... dsacls GROUP_DN /I:T /G domain\secprin:WP;member However, make note that when dsacls outputs it though it will show Add/Remove self as member, not member. It has been a while since I did this and determined the command from looking at the existing ACL. I had to go back to my notes, there are a couple of property sets that display weird in dsacls. The Add/Remove self as member and Validated Write to dnsHostName are two that I have previously hit and had issues with. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 27, 2005 1:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Hi Joe For some reason the below, doesn't give me access to update member list - am running in 2003 sp1 test domain. dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member Is it different with sp1? Thank you and have a splendid day! 
Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, April 27, 2005 12:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Hey Freddy, I put this in the original post I responded in: dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 26, 2005 8:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Hi Joe Thanks for the quick one. Seems like when I was testing this - the permission that is needed is only Write Property The closest I got to is the below - however this will allow the user to write ALL PROPERTIES - this includes changing group name, description etc. While the standard gui method will not allow this.. any ideas what type of WP should I restrict this too.. dsacls GRPDN /G domain\user:WP Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, April 27, 2005 7:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? The managedBy attribute doesn't bestow any rights upon the owner, it just is an attribute that links the user and group together for easy querying. Later versions of ADUC added functionality by letting you specify that ADUC should add an ACE for the principal specified for managedBy but that is two separate operations. 
That being said, that tab will not let you specify a group, it only looks at users and contacts and will only allow you to specify one. However all of that being said, you can easily add an ACE to the group for any other groups or users directly to the group itself, you want to add (and yes I know this makes no sense) the Add/Remove self as member permission. Sort of like dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member Or through a script. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 26, 2005 7:16 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] More than 1 user having 'managed by' for a group? Hi all, Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups? Thanks in advance! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
[ActiveDir] More than 1 user having 'managed by' for a group?
Hi all, Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups? Thanks in advance! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Does that tickbox and user listed there - actually translate to 'Write Permission' on This object only ACL?? Stupid question - I'll try this myself soon enough.. Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 27, 2005 7:16 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] More than 1 user having 'managed by' for a group? Hi all, Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups? Thanks in advance! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Hi Joe For some reason the below, doesn't give me access to update member list - am running in 2003 sp1 test domain. dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member Is it different with sp1? Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, April 27, 2005 12:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Hey Freddy, I put this in the original post I responded in: dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 26, 2005 8:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Hi Joe Thanks for the quick one. Seems like when I was testing this - the permission that is needed is only Write Property The closest I got to is the below - however this will allow the user to write ALL PROPERTIES - this includes changing group name, description etc. While the standard gui method will not allow this.. any ideas what type of WP should I restrict this too.. dsacls GRPDN /G domain\user:WP Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, April 27, 2005 7:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? The managedBy attribute doesn't bestow any rights upon the owner, it just is an attribute that links the user and group together for easy querying. 
Later versions of ADUC added functionality by letting you specify that ADUC should add an ACE for the principal specified for managedBy but that is two separate operations. That being said, that tab will not let you specify a group, it only looks at users and contacts and will only allow you to specify one. However all of that being said, you can easily add an ACE to the group for any other groups or users directly to the group itself, you want to add (and yes I know this makes no sense) the Add/Remove self as member permission. Sort of like dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member Or through a script. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 26, 2005 7:16 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] More than 1 user having 'managed by' for a group? Hi all, Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups? Thanks in advance! Thank you and have a splendid day! 
Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
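An added example, not from the thread, that models how a DC evaluates object-specific ACEs so the three dsacls variants discussed in this thread and in the "Group ManageBy 'feature' in SP1" thread above can be compared offline: joe's WS;"Add/Remove self as member" (a validated write), the WP;member that the thread settled on, and Freddy's first attempt of a bare WP. The SIDs and SDDL strings are constructed; the attribute and validated-write GUIDs are the real schema values, and their coincidence is what makes dsacls print WP;member as "Add/Remove self as member". Real evaluation also handles inheritance flags, property sets and the SELF (S-1-5-10) substitution, which this model leaves out.

```python
"""Added example, not from the thread: model how a DC evaluates object-specific
ACEs so the three dsacls variants discussed above (WS;member, WP;member and a
bare WP) can be compared offline. The SIDs and SDDL strings are constructed;
the attribute and validated-write GUIDs are the real schema values. Real
evaluation also handles inheritance flags, property sets and the SELF
(S-1-5-10) substitution, which this model leaves out."""
import re
from typing import List, NamedTuple, Optional

# Directory-service access-mask bits with their SDDL two-letter codes.
# dsacls prints the validated-write bit as "WS"; in SDDL it is spelled "SW".
SDDL_RIGHTS = {
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
DS_SELF, DS_WRITE_PROP = SDDL_RIGHTS["SW"], SDDL_RIGHTS["WP"]

# Real schema GUIDs. The "member" attribute and the "Self-Membership"
# validated write share one GUID, which is why dsacls labels an ACE on
# WP;member as "Add/Remove self as member".
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
SELF_MEMBERSHIP_GUID = MEMBER_GUID
DESCRIPTION_GUID = "bf967950-0de6-11d0-a285-00aa003049e2"


class Ace(NamedTuple):
    allow: bool
    mask: int
    object_guid: Optional[str]   # None: the ACE covers every attribute/right
    sid: str


_ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_rights(field: str) -> int:
    """The rights field is either a hex mask or a run of two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    aces = []
    for ace_type, _flags, rights, obj_guid, _inh_guid, sid in _ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA", "D", "OD"):
            raise ValueError(f"unsupported ACE type: {ace_type}")
        aces.append(Ace(ace_type in ("A", "OA"), parse_rights(rights),
                        obj_guid.lower() or None, sid.upper()))
    return aces


def _first_match(aces, token_sids, wanted, guid):
    """Canonical DACL order, first applicable ACE wins; no match means deny."""
    for ace in aces:
        if ace.sid not in token_sids or not ace.mask & wanted:
            continue
        if ace.object_guid is not None and ace.object_guid != guid.lower():
            continue
        return ace.allow
    return False


def can_write_attribute(sddl, token_sids, attr_guid):
    token = {s.upper() for s in token_sids}
    return _first_match(parse_dacl(sddl), token, DS_WRITE_PROP, attr_guid)


def can_add_self(sddl, token_sids):
    """The validated write lets the caller add or remove only its own account;
    full write on 'member' implies it."""
    token = {s.upper() for s in token_sids}
    return (_first_match(parse_dacl(sddl), token, DS_SELF, SELF_MEMBERSHIP_GUID)
            or can_write_attribute(sddl, token, MEMBER_GUID))


# Constructed SIDs: domain\group2 plus the rest of username1's token.
GROUP2 = "S-1-5-21-1111111111-2222222222-3333333333-1105"
TOKEN = {GROUP2, "S-1-5-21-1111111111-2222222222-3333333333-1107", "S-1-1-0", "S-1-5-11"}

VARIANTS = {
    # dsacls GROUP_DN /G domain\group2:WS;"Add/Remove self as member"
    "WS;member": f"D:(OA;;SW;{MEMBER_GUID};;{GROUP2})",
    # dsacls GROUP_DN /G domain\group2:WP;member   (what the thread settled on)
    "WP;member": f"D:(OA;;WP;{MEMBER_GUID};;{GROUP2})",
    # dsacls GROUP_DN /G domain\group2:WP          (every attribute, over-broad)
    "WP": f"D:(A;;WP;;;{GROUP2})",
}


def compare(variants=VARIANTS, token=TOKEN):
    return {name: {"edit member": can_write_attribute(sddl, token, MEMBER_GUID),
                   "edit description": can_write_attribute(sddl, token, DESCRIPTION_GUID),
                   "add self": can_add_self(sddl, token)}
            for name, sddl in variants.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10} {result}")
```

The comparison makes the thread's outcome concrete: WS on the member GUID only lets group2's members add or remove themselves, WP;member lets them edit the whole membership and nothing else, and a bare WP lets them rewrite description, name and every other attribute too. Because ACEs are evaluated in order, a preceding object-specific deny on member overrides a later blanket allow. On the /I:T question: it only sets inheritance flags for child objects, and a group has none, so leaving it off changes nothing for the group itself.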
RE: [ActiveDir] 2003 Native - gpresult shows domain = 2000?
Thanks for confirming Jorge, thought I did something wrong somewhere... :) Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Sent: Monday, April 25, 2005 4:08 PM To: '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] 2003 Native - gpresult shows domain = 2000? Hi, This is expected behavior. It should either be changed to the exact domain type or it should state something like Windows 200x or Windows 200x based Cheers, #JORGE# -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 4/25/2005 1:34 AM Subject: [ActiveDir] 2003 Native - gpresult shows domain = 2000? Gpresult shows Domain Type: Windows 2000 Ldp shows these 1 domainFunctionality: 2; 1 forestFunctionality: 2; 1 domainControllerFunctionality: 2; Is this expected? Or should I be getting a different output? Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] How to verify successful installation of additional DC
Replcheck - hm I don't seem to have it... Do you by any chance means repadmin /showreps? Check that clients are authenticating to it after your dcdiag shows fine - check out the security logs (assuming auditing is enabled) or net session Dnslint or manually to check dns records (but dcdiag are already doing dnscheck also :) Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp Sent: Sunday, April 24, 2005 6:00 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to verify successful installation of additional DC Also look at replcheck. If I recall, replcheck /showrepl will verify that replication is occuring properly. Also look at Active Directory sites and verify all the proper connections have been created. Dennis On 4/23/05, Danny [EMAIL PROTECTED] wrote: On 4/23/05, Gil Kirkpatrick [EMAIL PROTECTED] wrote: Running DCDIAG on both DCs would be a good start. That would be a good start. :) So I did at dcdiag /f:output.txt On the original DC: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\MAIL1 Starting test: Connectivity . MAIL1 passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\MAIL1 Starting test: Replications . MAIL1 passed test Replications Starting test: NCSecDesc . MAIL1 passed test NCSecDesc Starting test: NetLogons . MAIL1 passed test NetLogons Starting test: Advertising . MAIL1 passed test Advertising Starting test: KnowsOfRoleHolders . MAIL1 passed test KnowsOfRoleHolders Starting test: RidManager . MAIL1 passed test RidManager Starting test: MachineAccount . MAIL1 passed test MachineAccount Starting test: Services . MAIL1 passed test Services Starting test: ObjectsReplicated . 
MAIL1 passed test ObjectsReplicated Starting test: frssysvol . MAIL1 passed test frssysvol Starting test: frsevent . MAIL1 passed test frsevent Starting test: kccevent . MAIL1 passed test kccevent Starting test: systemlog . MAIL1 passed test systemlog Starting test: VerifyReferences . MAIL1 passed test VerifyReferences Running partition tests on : ForestDnsZones Starting test: CrossRefValidation . ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom . ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation . DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom . DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation . Schema passed test CrossRefValidation Starting test: CheckSDRefDom . Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation . Configuration passed test CrossRefValidation Starting test: CheckSDRefDom . Configuration passed test CheckSDRefDom Running partition tests on : DOMAIN Starting test: CrossRefValidation . DOMAIN passed test CrossRefValidation Starting test: CheckSDRefDom . DOMAIN passed test CheckSDRefDom Running enterprise tests on : DOMAIN.LOCAL Starting test: Intersite . DOMAIN.LOCAL passed test Intersite Starting test: FsmoCheck . DOMAIN.LOCAL passed test FsmoCheck And on the new DC: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\MAIL2 Starting test: Connectivity . MAIL2 passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\MAIL2 Starting test: Replications
RE: [ActiveDir] AD question
Net time /setsntp:ntpserver Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tvanden Sent: Sunday, April 24, 2005 11:51 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD question Hi, Sorry for my English, I'm not English :) So, I have one domain named worldwide.com with multiple DCs (London, Washington, Dallas, Moscow, ...), how do I configure the time service, and replication between DCs through countries? Thanks.
[ActiveDir] 2003 Native - gpresult shows domain = 2000?
Gpresult shows Domain Type: Windows 2000 Ldp shows these 1 domainFunctionality: 2; 1 forestFunctionality: 2; 1 domainControllerFunctionality: 2; Is this expected? Or should I be getting a different output? Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] How to verify successful installation of additional DC
KB http://support.microsoft.com/default.aspx?scid=kb;en-us;298143 Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, April 25, 2005 7:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to verify successful installation of additional DC Replcheck - hm I don't seem to have it... Do you by any chance means repadmin /showreps? Check that clients are authenticating to it after your dcdiag shows fine - check out the security logs (assuming auditing is enabled) or net session Dnslint or manually to check dns records (but dcdiag are already doing dnscheck also :) Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp Sent: Sunday, April 24, 2005 6:00 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to verify successful installation of additional DC Also look at replcheck. If I recall, replcheck /showrepl will verify that replication is occuring properly. Also look at Active Directory sites and verify all the proper connections have been created. Dennis On 4/23/05, Danny [EMAIL PROTECTED] wrote: On 4/23/05, Gil Kirkpatrick [EMAIL PROTECTED] wrote: Running DCDIAG on both DCs would be a good start. That would be a good start. :) So I did at dcdiag /f:output.txt On the original DC: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\MAIL1 Starting test: Connectivity . 
MAIL1 passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\MAIL1 Starting test: Replications . MAIL1 passed test Replications Starting test: NCSecDesc . MAIL1 passed test NCSecDesc Starting test: NetLogons . MAIL1 passed test NetLogons Starting test: Advertising . MAIL1 passed test Advertising Starting test: KnowsOfRoleHolders . MAIL1 passed test KnowsOfRoleHolders Starting test: RidManager . MAIL1 passed test RidManager Starting test: MachineAccount . MAIL1 passed test MachineAccount Starting test: Services . MAIL1 passed test Services Starting test: ObjectsReplicated . MAIL1 passed test ObjectsReplicated Starting test: frssysvol . MAIL1 passed test frssysvol Starting test: frsevent . MAIL1 passed test frsevent Starting test: kccevent . MAIL1 passed test kccevent Starting test: systemlog . MAIL1 passed test systemlog Starting test: VerifyReferences . MAIL1 passed test VerifyReferences Running partition tests on : ForestDnsZones Starting test: CrossRefValidation . ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom . ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation . DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom . DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation . Schema passed test CrossRefValidation Starting test: CheckSDRefDom . Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation . Configuration passed test CrossRefValidation Starting test: CheckSDRefDom . Configuration passed test CheckSDRefDom Running partition tests on : DOMAIN Starting test: CrossRefValidation . DOMAIN passed test CrossRefValidation Starting test: CheckSDRefDom . DOMAIN passed test CheckSDRefDom Running enterprise tests on : DOMAIN.LOCAL Starting test: Intersite . DOMAIN.LOCAL passed test Intersite
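An added example, not from the thread: the replies above rely on reading dcdiag output by eye. This parser turns the "X passed test Y" / "X failed test Y" lines into results so the post-promotion check (and the re-check after the KB article's steps) can be scripted. SAMPLE_DCDIAG is constructed from the output quoted above with one test flipped to a failure; real dcdiag pads each result line with dots, which the parser ignores.

```python
"""Added example, not from the thread: parse dcdiag output into pass/fail
results so the post-promotion check can be scripted instead of eyeballed.
SAMPLE_DCDIAG is constructed from the output quoted above with one test
flipped to a failure."""
import re

# "......................... MAIL2 passed test Connectivity"
DCDIAG_RE = re.compile(r"^\s*\.*\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$",
                       re.IGNORECASE)

SAMPLE_DCDIAG = """\
Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\\MAIL2
      Starting test: Connectivity
         ......................... MAIL2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\\MAIL2
      Starting test: Replications
         [Replications Check,MAIL2] A recent replication attempt failed:
         ......................... MAIL2 failed test Replications
      Starting test: NetLogons
         ......................... MAIL2 passed test NetLogons
      Starting test: Advertising
         ......................... MAIL2 passed test Advertising
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   Running enterprise tests on : DOMAIN.LOCAL
      Starting test: FsmoCheck
         ......................... DOMAIN.LOCAL passed test FsmoCheck
"""


def parse_dcdiag(text):
    """Map (subject, test name) -> True for passed, False for failed."""
    results = {}
    for line in text.splitlines():
        m = DCDIAG_RE.match(line)
        if m:
            results[(m.group(1), m.group(3))] = m.group(2).lower() == "passed"
    return results


def failed_tests(text):
    """Sorted 'subject: test' strings for every failed result."""
    return sorted(f"{subject}: {test}"
                  for (subject, test), ok in parse_dcdiag(text).items() if not ok)


def healthy(text, required=("Connectivity", "Replications", "NetLogons",
                            "Advertising", "FsmoCheck")):
    """Only call the DC good when every required test ran and nothing failed;
    a run that never reached a test (e.g. output cut short) is not a pass."""
    seen = {test for _, test in parse_dcdiag(text)}
    return all(test in seen for test in required) and not failed_tests(text)


if __name__ == "__main__":
    print("failed:", failed_tests(SAMPLE_DCDIAG) or "none")
    print("healthy:", healthy(SAMPLE_DCDIAG))
```

Run dcdiag with /f:output.txt as in the thread and feed the file to healthy(); a missing test counts as a failure, so a run that stops early (like the truncated MAIL2 output above) is not mistaken for a clean one.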
RE: [ActiveDir] Script Blocking
Run logon script synchronously should take care of this setting, as it will load startup scripts first before the Explorer shell. Check out the settings under Computer Configuration\Administrative Templates\System\Scripts\.

But if it's considered as a virus, try creating a batch file which calls this VBS script and see if it works as a workaround..

Kind Regards, Freddy Hartono

From: [EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Script Blocking

Hi Freddy,

I have deployed LimitLogin, which depends on a Visual Basic Script on logon and logoff. I don't think it could be considered a virus, but certainly some of the users view it in this way! Some versions of Norton Antivirus block scripts by default (or ask the user), as do most personal firewalls.

Regards
Peter Jessop
RE: [ActiveDir] Policies: ALL ADMINS SHOULD READ THIS...
Did uninstallation work as a workaround?

Kind Regards, Freddy Hartono

From: [EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, April 21, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies: ALL ADMINS SHOULD READ THIS...
Importance: High

After a night of just about no sleep and spending the day on this problem. I did not let on, but it was slightly more complicated in that our Exchange servers were unable to send mail between sites. After placing a call with HP and then getting forwarded to Microsoft Canada we still had no joy. This morning we found that the following patch was applied last Friday, our SUS roll-out day: http://support.microsoft.com/kb/893066

This patch caused the following:
Exchange servers unable to talk between sites.
Workstations only able to access shares on local subnets.
Unable to access corporate intranet (separate subnet).

If any of you have or have had the same problem I wouldn't mind an e-mail, as I need as much ammunition as possible for the seemingly large report I am going to have to put together.

James

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 20 April 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:

Assuming that there are no static(s), ACL, NAT or PAT issues with a firewall or router IOS keeping IP traffic from flowing over what I am guessing to be port 80 traffic. ICMP (ping) means little in the way of connectivity. It just means that a form of traffic can reach the destination host. Have you done a TRACERT to check the timing? Also, what port or mixture of ports seem to be blocked?

Understand that ICMP is getting through to the host, but if this involves long distances it may be a propagation issue or a combination of issues. Let's whittle some of these unknowns out one at a time till we find a solution.

Brent Eads
[ActiveDir] DLTpurge.vbs Strict Replication Consistency
Hi,

I have 550,000 objects under the FileLinks container (rubbish caused by DLT), and was trying to clean them up using the KB below: http://support.microsoft.com/?id=312403

While running the script in the background (10,000 objects every 2 hours) some of my domain controllers stopped replicating due to lingering objects (Event 1988) and are showing a different object count under the FileLinks container (thanks to joe's adfind). One of the domain controllers is reporting only 440,000 objects, while the other one is still reporting 500,000+.

Domain is native 2003, strict replication key enabled on all DCs. Repadmin /removelingeringobjects came up with 0 objects, and replication was still stuck.

So temporarily I've stopped DLTpurge.vbs and disabled Strict Replication Consistency, and have verified that all DCs now have the same object count for the FileLinks CN and replication is as per normal. (Phew)

Any idea what is causing this (too many deletions at the same time)? Should I be running DLTPurge with StrictReplicationConsistency disabled? Inputs please :-)

Kind Regards, Freddy Hartono
RE: [ActiveDir] AdminSDHolder and Default button
Thanks Guido/Jorge,

As far as I know I should be fine with doing that, as there shouldn't be any custom permissions set (I hope). But in any case, is that the recommended way of 'UNDO-ing' the AdminSDHolder restriction? Or is there a better way?...

Kind Regards, Freddy Hartono

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, April 20, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder and Default button

I can confirm what Jorge expects below - yes, all explicit permissions are removed and then the default from whatever is defined in the schema is set. You can script the resetting of permissions back to the default using the DSACLS.exe or ACLDiag.exe tools (I can't remember if only one of them or both have the /reset permission option).

/Guido

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, 19 April 2005 10:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder and Default button

(1) I expect the default permissions to REPLACE all existing permissions, because otherwise the DEFAULT button would be meaningless.

(2) The DEFAULT button reads the security descriptor in the schema for that particular object and places that onto the object, and it enables the "allow inherit from parent" flag.

Have checked Microsoft Scriptcenter. For a script to reset ADMINCOUNT = 1 to ADMINCOUNT = 0 see MS-KBQ817433 "Delegated permissions are not available and inheritance is automatically disabled".

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 19 April 2005 3:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AdminSDHolder and Default button

Hi all,

If a user used to be a member of the Account Operators group (affected by AdminSDHolder permissions) and has left that group, it is found that the permissions are not set back to default. Hence this user will have very restrictive settings on itself, and other members of Account Operators will not have rights over this username (even though it is no longer a member of that group).

In Win2003 there's a button "Default" - user properties - security - advanced - DEFAULT. Description is set to "replace all permission entries with the default setting". I've enabled this on a couple of accounts and it seems to work as expected.

Question:
1) Does Default remove any explicitly defined ACL on the user accounts? (I sure hope not).
2) How do I script this Default function? Is this an attribute or something within the object itself? I have quite a few users that need their permissions to be 'resetted'.

Thanks!

Kind Regards, Freddy Hartono
RE: [ActiveDir] Script Blocking
Hi Peter,

Haven't really heard that antivirus is blocking login scripts. What's inside the login script anyway? Is it considered as a virus?

Kind Regards, Freddy Hartono

From: [EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script Blocking

Here is the scenario. An AD domain of about 1000 users and computers distributed among over 60 offices. Some users are in the local Administrators group of their workstations. The reasons are varied but include:
a) Some program didn't function without elevated privileges.
b) The user wanted to install something and no one had time to do it for them.
c) The user is a boss and insists.

On various occasions I have reversed this situation using Restricted Groups. This always causes lots of calls to the help desk and does nothing to increase my popularity. Even Microsoft Office sometimes doesn't work properly (probably because it wasn't installed correctly) unless the user's privileges are restored. Well, there you have the reasons (all bad, but...).

Here is the problem: some users have installed programs which block login scripts that I distribute through Group Policy. You all know these programs: antivirus, antispyware and personal firewalls. Do any of you good people have the same problem, and what methods are you adopting to solve it?

Regards
Peter Jessop
[ActiveDir] AdminSDHolder and Default button
Hi all,

If a user used to be a member of the Account Operators group (affected by AdminSDHolder permissions) and has left that group, it is found that the permissions are not set back to default. Hence this user will have very restrictive settings on itself, and other members of Account Operators will not have rights over this username (even though it is no longer a member of that group).

In Win2003 there's a button "Default" - user properties - security - advanced - DEFAULT. Description is set to "replace all permission entries with the default setting". I've enabled this on a couple of accounts and it seems to work as expected.

Question:
1) Does Default remove any explicitly defined ACL on the user accounts? (I sure hope not).
2) How do I script this Default function? Is this an attribute or something within the object itself? I have quite a few users that need their permissions to be 'resetted'.

Thanks!

Kind Regards, Freddy Hartono
RE: [ActiveDir] 2003 SP1 on VMware ESX - reboot issue
Ah well, luckily it's just my test DC :) There's another person in this list though, who just emailed me having the same problem with ESX. Since I'm not on the VMware team (sadly) I just have to live with 2.1 temporarily...

Yeah, could be a selling point for VPC against VMware... but even VPC is having problems (ha! No surprise there)..

Kind Regards, Freddy Hartono

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 17, 2005 9:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 on VMware ESX - reboot issue

I can't speak to your error on ESX (I would guess the answer is "get a newer version") but Virtual Server certainly isn't the solution at the moment. Running SP1 on a guest in VS can result in extremely slow perf. Aric had mentioned it here previously and I wasn't seeing it on my machines until I installed SP1 on my virtual Exchange server and bam, I saw the perf issue in spades. I have since heard that if you install the VS SP1 Beta 1 guest bits or the VPC SP1 guest bits onto the guest the issues will clear up, though you can well understand that isn't supported by MS.

As a general statement though, this kind of thing makes you want to smack MS. It is just like the issue with coming out with XP but no admin pack for XP to admin AD, only this one is far worse. Say a company has collapsed their physicals and uses VS. MS puts out an SP and it is pretty critical for you to install, but as soon as you do, your perf dies across the board. I can see there being issues between say VMware and MS in this regard, but it shouldn't be occurring amongst MS products like that. How many people have to hold off upgrading their servers to SP1 because they are running them on VS and can't afford the perf hit?

joe

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 7:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 on VMware ESX - reboot issue

Heya all!

Been having this annoying problem since the start of SP1 RC: basically when I reboot the VMware guest domain controller (SP1) it goes to reboot properly, then while starting up Win2003 it shuts down instead.

Host is ESX Server 2.1.0 build 7728 (yeah, it's rather old).
VM events: "VMware ESX Server internal monitor error - Not implemented at 2182 (7728)"

I have 5 of my guest test DCs and so far I can confirm all are having this problem. Anyone else has anything like this happening? Before SP1 all went well.. Perhaps this should be a selling point of Virtual Server? :-)

Kind Regards, Freddy Hartono
RE: [ActiveDir] changing password
Hi Cyrus,

Looks like we are on the same domain, but apparently yours is spoofed. Try nltest /dsgetdc:domainname.com to see if you can find it. (Need Support Tools installed.)

Kind Regards, Freddy Hartono

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 17, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] changing password

Greetings,

Workstation users are having problems changing their password. Error message: "The domain name not available". Temp solution: I'm doing it through the server.

Thanks,
cyrus
RE: [ActiveDir] Recover AD from database files
Try running dcpromo /adv, since you said you have a system state backup of the previous one. Is that the only domain controller though (none left standing)? If so, uh-oh from me..

Kind Regards, Freddy Hartono

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Daniel Kolvik
Sent: Thursday, April 14, 2005 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover AD from database files

Hi,

I just did a restore as the KB told. Now I can't even boot. I get this message: "Windows could not start because of an error in the software. Please report this problem as: load needed DLLs for kernel. Please contact your support person to report this problem." I can't even start in safe mode.. Any idea?

/Daniel

From: Tomasz Onyszko [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover AD from database files
Date: Thu, 14 Apr 2005 00:14:22 +0200

Daniel Kolvik wrote:
I've also a backup, made with MS Backup... But when I want to do a restore and choose System State I'm not able to just choose Active Directory in detail view. I don't want the other stuff because I think some shit in that caused the crash.

There is no such thing as AD in System State. Check this KB, I hope it will be useful for you: http://support.microsoft.com/default.aspx?scid=kb;en-us;263532

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
OT: [ActiveDir] Password complexity requirements
What? Another door scenario? :) Good one though.

Kind Regards, Freddy Hartono

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Wednesday, April 13, 2005 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

I think you might have misinterpreted the example. It was a bit of a stretch, but use your imagination... :)

The resource in the example is the server room. If the server room has more than one door, you would expect them all to abide by the same rules. Thus, regardless of which door you use to get in to that resource, you still have to meet the same criteria.

You are talking about domain accounts. It does not matter which machine you are logging into; if you are using a domain account, the policy is the same. Thus, if your super-secret researcher goes to a secretary's computer, he will still log into his own domain, and be bound by the same rules.

A domain only allows one set of password policies. That is it. If you want different policies, create another domain. It sucks, but as mentioned, get in line if you want to complain...

You can set *workstation* password policies all over the place, but they only apply to accounts created on the local workstation.

Tyson.
--
Tyson Leslie
Senior Network Analyst
Colt Engineering Corporation
(403) 258-8153
[EMAIL PROTECTED]
--

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Kurt Hill
Sent: Tuesday, April 12, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

You can link a GPO to an OU with a different set of password requirements than the domain policy -- you can block the OU from inheriting the Default Domain Policy as well, so AFAIK you can have many OUs, each with different password complexity requirements (or more generally, each OU with its own computer/user GPO settings).

The statement about "you certainly don't want policies attached to 2000 users" also makes no sense -- the GPO is created once, and attaches itself to the user or computer as appropriate for the OU...

And finally -- let me suggest that were I running Los Alamos, I would want my super-gee-whiz nuclear weapons researchers to have complex passwords. I WOULD NOT WANT THEM GOING TO A SECRETARY'S COMPUTER AND CHANGING THEIR PASSWORD TO "foo". Passwords are properties of a user, not a computer. Think about this another way -- it is the user that has rights to resources on the network. Those resources may be sensitive, so it really should not matter what computer the user is at when changing their password. That particular user's password should always be complex.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 11, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

If I have a rule that says "Kurt Hill must know the lock code to the server room", where should I put the lock and set the code? On Kurt Hill, or on the server room door? If I put the lock (with the code) on Kurt, and Kurt goes to the server room, who will validate and enforce the rule? I know that analogies are bad, but... think about that.

The password requirement has to be enforced somewhere. If it's a domain-wide requirement and you have 2000 users, you certainly don't want the policies attached to the users - and created 2000 times - and have each user check themselves for compliance. You know, that may not be a bad idea. We can then require that the users zap themselves each time they create non-compliant passwords :)

If your beef is the fact that there is only one possible domain-wide or computer-specific password policy, then I say welcome to the club, pick a number :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Kurt Hill
Sent: Mon 4/11/2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password complexity requirements

Can anyone explain why password complexity requirements are a computer, and not a user, setting? The scenario I envision for using password complexity requirements is for network admins (Users!!) who I want to force more complex passwords on, but general users (students) do not need this setting. From what I can see, the way MS set it up, I would set password policy on student computers, and
RE: [ActiveDir] 1000 groups
More info on tokensz and the MaxTokenSize regkey and its problem, as described by Dean earlier:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/3872f0d7-e4b3-49ed-9a4b-1fefbf0d4547.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;327825

Kind Regards, Freddy Hartono

From: [EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 13, 2005 1:39 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated.

Regarding token bloat: the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what we can administratively affect. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included). In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable.

A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure). This article alludes to the problem - http://support.microsoft.com/kb/313661/

Real-time token size can be calculated using the following tool - http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1000 groups

Hi All:

Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true?

Thanks,
--Brian

Brian Fischer
Microsoft Systems Consultant
Quest Software
4320 Winfield Rd Suite 500
Warrenville, IL 60555
[EMAIL PROTECTED]
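Dean's two limits are different things: a hard ceiling on the number of SIDs in the token (1024, of which 9 well-known SIDs are always present, hence his 1015) and a byte ceiling set by MaxTokenSize, which is usually reached first because groups from other domains and domain-local groups are stored as full 40-byte SIDs while same-domain global groups are compressed to 8-byte RIDs. The following is an added example, not from Dean's post and not the tokensz tool he links, that applies the estimate from KB 327825 (TokenSize = 1200 + 40d + 8s) to a proposed membership and reports which limit it would hit. The 12000-byte default for MaxTokenSize on the 2000/2003 DCs under discussion is an assumption stated in the code; the group counts in the scenarios are constructed.

```python
"""Estimate a user's access-token size and SID count before adding groups.

Added example, not part of the mailing-list thread and not Microsoft's tokensz.
Formula from KB 327825: TokenSize = 1200 + 40*d + 8*s, where d counts groups
whose SID is stored in full (domain local groups, universal groups from other
domains, sIDHistory entries) and s counts groups stored as a RID only (global
groups and universal groups in the account domain). The 1024-SID cap and the
9 always-present well-known SIDs are from Dean's message. The 12000-byte
default MaxTokenSize is an assumption for 2000/2003-era DCs; check the
registry value on your own DCs.
"""

SID_LIMIT = 1024              # hard cap on SIDs in a token
WELL_KNOWN_SIDS = 9           # always present, so 1015 left for groups
DEFAULT_MAX_TOKEN_SIZE = 12000  # assumed default; confirm via registry
TOKEN_OVERHEAD = 1200         # fixed part of the KB 327825 estimate


def estimate_token_size(full_sid_groups, rid_only_groups):
    """KB 327825 estimate in bytes: full SIDs cost 40 bytes, RID-only 8 bytes."""
    return TOKEN_OVERHEAD + 40 * full_sid_groups + 8 * rid_only_groups


def check_membership(full_sid_groups, rid_only_groups,
                     max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """Return (sid_count, token_bytes, problems) for a proposed membership.

    problems is an empty list when neither the SID count nor the byte size
    limit is exceeded; otherwise it names each limit that was hit.
    """
    sid_count = WELL_KNOWN_SIDS + full_sid_groups + rid_only_groups
    token_bytes = estimate_token_size(full_sid_groups, rid_only_groups)
    problems = []
    if sid_count > SID_LIMIT:
        problems.append(f"{sid_count} SIDs exceeds the {SID_LIMIT}-SID token limit")
    if token_bytes > max_token_size:
        problems.append(
            f"estimated {token_bytes} bytes exceeds MaxTokenSize {max_token_size}")
    return sid_count, token_bytes, problems


def max_full_sid_groups(max_token_size=DEFAULT_MAX_TOKEN_SIZE, rid_only_groups=0):
    """How many full-SID groups fit under the byte limit (ignoring the SID cap)."""
    return (max_token_size - TOKEN_OVERHEAD - 8 * rid_only_groups) // 40


if __name__ == "__main__":
    # Constructed scenarios: an ordinary user and a 'group collector'.
    for label, d, s in [("typical user", 5, 30), ("1000-group user", 600, 400)]:
        count, size, problems = check_membership(d, s)
        print(f"{label}: {count} SIDs, ~{size} bytes, {problems or 'OK'}")
    print("full-SID groups that fit in the default MaxTokenSize:",
          max_full_sid_groups())
```

The second scenario is the point of Dean's reply: 1009 SIDs is under his 1015 figure, yet the estimated token is well over the default byte limit, so the user breaks long before the "1000 groups" folklore predicts. Raising MaxTokenSize moves that line but, as he notes, at the cost of slower SID comparisons and application timeouts.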
RE: [ActiveDir] Netdom to Join
Noah,

When you create a computer under ADUC, there's a field "The following user or group can join this computer to a domain". Make sure you assign that permission correctly, or in my env setting it to Domain Users would be just fine.

From David's explanation below, try getting a value by checking if the computer object exists; if so do a reset for the computer account password (try dsquery and dsmod reset if found).

Kind Regards, Freddy Hartono

From: [EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Saturday, April 09, 2005 11:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Noah,

Freddy is correct. You mentioned the computer objects were pre-created; check the permissions on the object and OU to ensure a-domainuser has an appropriate level of authority.

Also, when a computer object is created it is not attached to anything (a blank slate, as it were). When a machine joins, it looks to see if there is a free object with its name on it and attaches itself to that object, imprinting its specific information (e.g. GUID) on that object. Trying to join another computer with the same name will fail (different GUIDs). Without more information, what it looks like is you've joined a different computer to the object once before, then tried to join this computer to the same object. If this is the case, try resetting the computer object before you join a computer to it. (SEE: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbi_add_qqne.asp)

David Aragon

From: [EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Thanks for the responses. I spoke too soon.

Here is what I want to do: script a means for a generic domain user (created only for this purpose) to join workgroup machines to a domain when logged onto those machines as a local non-admin user.

Here's what I have done:
- created a user called a-domainjoiner. Put this in the Users and DomainJoiners groups.
- Created a test computer account in OU=test,DC=domain,DC=com
- As per David's suggestion, allowed DomainJoiners in Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain
- ran the following netdom batch from the workstation:

net use \\server1\public password /USER:domain\a-domainjoiner
netdom \\server1\public\netdom join /d:domain.com %computername% /OU:OU=test,DC=domain,DC=com /ud:domain\domainjoiner /pd:password /reboot /Verbose

When I run this as a workstation User, I get the error: "The computer account rename failed with error 5. The account already exists". When I run it as a workstation admin, I get the same thing but error 2224.

What am I missing here? TIA

P.S. What do you mean, Freddy?

From: [EMAIL PROTECTED]
Sent: Friday, April 08, 2005 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Also check out computer account permissions when you create them.

Kind Regards, Freddy Hartono

From: [EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Saturday, April 09, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Thanks David. That's what I was looking for.

From: David Aragon [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Noah,

That depends on what you have Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain set to allow. We are a medium-sized university and have authorized a group, comprised of specified users from each of the 13 colleges and major divisions on our campus, to do this. They do not have administrative authority except within their own OU, and even that is limited to adding computers and creating/editing GPOs within that OU. Several units Ghost their machines and use Netdom without issue to join them to the domain.

David Aragon

From: [EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Netdom to Join

Hi,

What are the minimum credentials that a user needs to join a computer to the domain when the computer account is already created? I am trying to script
RE: [ActiveDir] Retrieving computer accounts
Dave,
Netdom query workstation or server would be a good start for the domain. Or dsquery computer (also for the domain).

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Friday, April 08, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Retrieving computer accounts

Hello All,
Does anyone know a script that will gather all computer accounts in a forest? I want to build a list of computer names so I can make a script to send the Win SP2 package to the file system, but not install it.
Dave
RE: [ActiveDir] GUID resolution
Tom,
Not sure how many DCs you have (I'm assuming it's not a 3-digit number). If I'm understanding the problem correctly, you are suspecting you have a stale record somewhere in NTDS. Why not work it out the other way round: grab a list of your current DCs, resolve those GUIDs, and find out which DC GUID is not there (something like that)... If it's autogenerated, perhaps a manual KCC trigger should take care of the deleted DSA?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, April 08, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

I'm replying to my own post. I think this means this GUID can't be found in AD? However, my DC keeps logging errors that it can't replicate with it. This has been going on for days. My DC must be getting the GUID from somewhere, but where? Any help would be great.
Thanks

Kern, Tom wrote:
Even with the brackets and guid=, I get this error now:
ldap_search_s(ld, <guid=c47ca389-0832-41bc-8030-3e0c7fd13674>, 1, (objectclass=*), NULL, 1, msg)
Error: Search: Referral. 10
Result 10: 202B: RefErr: DSID-03100698, data 0, 2 access points ref 1: 'gc.ms-dcs.CSG-IT.NET:3268' ref 2: 'gc._msdcs.CSG-IT.NET:3268'
Matched DNs: Getting 0 entries:
Any idea what this means? Thanks

[EMAIL PROTECTED] wrote:
You are missing the closing >. Regarding the question on GUID binding syntax, 2K supports both octet string and COM GUID style with dashes. Just don't get them mixed up. The octet string is NOT the same as the COM GUID with no dashes. bcd3e267-50ff-4780-afd6-d1bb3785ada5 and 67E2D3BCFF508047AFD6D1BB3785ADA5 are equivalent. Note the change of byte order on the first DWORD and the first 2 WORDs.
Also, you can search by GUID and use them in LDIF files (generally for creating schema with fixed schemaIDGUID):
(objectGUID=\67\E2\D3\BC\FF\50\80\47\AF\D6\D1\BB\37\85\AD\A5)
and
Z+LTvP9QgEev1tG7N4WtpQ==
for the Base64 that LDIF requires. With SID binding, 2003 supports SDDL format and octet string, but 2K supports octet string only.
HTH,
Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, April 07, 2005 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

I'm running Win2K SP4 in mixed mode. Here's the result I get from prepending GUID=:
ldap_search_s(ld, GUID=c47ca389-0832-41bc-8030-3e0c7fd13674, 1, (objectclass=*), attrList, 0, msg)
Error: Search: Invalid DN Syntax. 34
Result 34: 208F: NameErr: DSID-031001AA, problem 2006 (BAD_NAME), data 8350, best match of: 'GUID=c47ca389-0832-41bc-8030-3e0c7fd13674'
Matched DNs: Getting 0 entries:
Thanks

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 5:54 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

I'm guessing you mean octet string ... if so and if I understand what you're asking, not really ... GUID= and SID= are little more than hard-coded bits of server-side intelligence ... am I even answering your question?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, April 07, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Seems you can also use that syntax GUID= as the argument to -b in ADFIND, which makes sense, and is nice to know. Is this because that attribute's syntax is an Octal string? I'm just curious ... not knowing too much about the way these things are stored! Thanks!
-DaveC
Reuters CIO Infrastructure

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

Noticed you said you're using 2K ... dashes are of no concern, at least to 2K3 ... don't have a 2K directory handy to test right now. Either way, can't even remember if the <GUID=blah> base is supported on 2K ... assuming it is, you missed the GUID= from the beginning of the entry.

Dean Wells wrote:
1. Run LDP
2. Connect and BIND
3. Select Search
4. Enter Base DN of <GUID=[whatever the GUID is]> ... include the angled brackets
5. Populate other dialogs accordingly, enter and run

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
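The byte-order swap and the three encodings Joe K. lists (octet string, backslash-escaped filter, LDIF Base64), plus the <GUID=...> base Dean describes, worked through in Python. This is an added example, not code from anyone in the thread; it uses Joe K.'s sample GUID as input, and its treatment of bare 32-hex input as an octet string (never a de-dashed COM GUID) is my own assumption.

```python
import base64
import re
import uuid

# Joe K.'s sample GUID from the thread, used as the worked input.
SAMPLE_GUID = "bcd3e267-50ff-4780-afd6-d1bb3785ada5"


def guid_to_octet_string(guid_text: str) -> str:
    """Dashed COM-style GUID -> the hex octet string AD stores in objectGUID.
    uuid.bytes_le writes the first DWORD and the next two WORDs little-endian,
    which is the byte-order change noted in the thread; the last 8 bytes stay."""
    return uuid.UUID(guid_text).bytes_le.hex().upper()


def octet_string_to_guid(octet_hex: str) -> str:
    """Reverse: 32 hex chars of the objectGUID octet string -> dashed GUID."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(octet_hex)))


def guid_to_ldap_filter(guid_text: str) -> str:
    """(objectGUID=\\xx\\xx...) filter: each octet backslash-escaped as in RFC 4515."""
    raw = uuid.UUID(guid_text).bytes_le
    return "(objectGUID=" + "".join(f"\\{b:02X}" for b in raw) + ")"


def guid_to_ldif_base64(guid_text: str) -> str:
    """Base64 of the octet string, the form LDIF needs (e.g. a fixed schemaIDGUID)."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def guid_to_bind_dn(guid_text: str) -> str:
    """The <GUID=...> base DN accepted by LDP and adfind -b, angle brackets included."""
    return f"<GUID={uuid.UUID(guid_text)}>"


_DASHED = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def normalize_guid(text: str) -> str:
    """Return the dashed GUID for any representation used in the thread:
    <GUID=...>, dashed text, (objectGUID=\\..) filter, LDIF base64, or 32 bare
    hex chars. Assumption (mine, not stated in the thread): bare hex is an AD
    octet string, never a COM GUID with its dashes stripped."""
    t = text.strip()
    if t.startswith("<GUID=") and t.endswith(">"):
        t = t[len("<GUID="):-1]
    if _DASHED.fullmatch(t):
        return str(uuid.UUID(t))
    if t.startswith("(objectGUID=") and t.endswith(")"):
        return octet_string_to_guid(t[len("(objectGUID="):-1].replace("\\", ""))
    if re.fullmatch(r"[0-9a-fA-F]{32}", t):
        return octet_string_to_guid(t)
    if re.fullmatch(r"[A-Za-z0-9+/]{22}==", t):
        return str(uuid.UUID(bytes_le=base64.b64decode(t)))
    raise ValueError(f"unrecognised GUID representation: {text!r}")


def is_mixed_up(dashed_guid: str, bare_hex: str) -> bool:
    """True when bare_hex is the dashed GUID with its dashes removed rather than
    the real octet string: the mix-up the thread warns against."""
    stripped = dashed_guid.replace("-", "").upper()
    return bare_hex.upper() == stripped and stripped != guid_to_octet_string(dashed_guid)


if __name__ == "__main__":
    for fn in (guid_to_octet_string, guid_to_ldap_filter,
               guid_to_ldif_base64, guid_to_bind_dn):
        print(f"{fn.__name__:>20}: {fn(SAMPLE_GUID)}")
    print("dashes stripped is the octet string?",
          not is_mixed_up(SAMPLE_GUID, SAMPLE_GUID.replace("-", "")))
```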
RE: [ActiveDir] Netdom to Join
Also check out computer account permissions when you create them.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Saturday, April 09, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Thanks David. That's what I was looking for.

From: David Aragon [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Noah,
That depends on what you have Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to Domain set to allow. We are a medium sized University and have authorized a group, comprised of specified users from each of the 13 colleges and major divisions on our campus, to do this. They do not have Administrative authority except within their own OU, and even that is limited to adding computers and creating/editing GPOs within that OU. Several units Ghost their machines and use Netdom without issue to join them to the Domain.
David Aragon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Netdom to Join

Hi
What are the minimum credentials that a user needs to join a computer to the domain when the computer account is already created? I am trying to script netdom to do this and getting denied if the user has less than administrative access. Thanks.
-- nme
RE: [ActiveDir] alias not working
Had a customer encounter that before after a fileserver hardware swap. Take a look at this regkey, perhaps it's applicable to you too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;281308

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, April 09, 2005 5:10 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] alias not working

Hi Jeff
This is because when I access a server it verifies that the server that I am requesting matches the NetBIOS name on the server itself. Aliases, A records and WINS / LMHosts will not fix this in any configuration we have tried. The access denied is server name does not match.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: Cothern Jeff D. Team EITC [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 04/08/2005 04:33 PM AST
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] alias not working

Ok, for some reason 2003 and XP machines that are locked down with policies are not working with an alias that was created within DNS for a server. To shorten the length of a server name for share purposes we created an alias, i.e. Fileserver1 alias FS1. If you go onto the machine and type in \\fs1 you get an access denied message. If you type \\Fileserver1 it takes you right into the server. Anyone have a clue on which policies may be affecting this?
Jeff
[ActiveDir] 2003 SP1 on VMware ESX - reboot issue
Heya all!
Been having this annoying problem since the start of SP1 RC: basically when I reboot the VMware guest domain controller (SP1) it goes to reboot properly, then while starting up Win2003 it shuts down instead.
Host is ESX Server 2.1.0 build 7728 (yeah, it's rather old).
VM events: Vmware ESX Server internal monitor error - Not implemented at 2182 (7728)
I have 5 of my guest test DCs and so far I can confirm all are having this problem. Anyone else have anything like this happening? Before SP1 all goes well.. Perhaps this should be a selling point of Virtual Server? :-)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] Error
Any luck with userenv.log or a manual gpupdate /force? Check out GPMC events (gpresult for that computer) to check if the GPO is actually applying. There's a KB on gigabit cards and GPO, not sure if this is the same events you are getting:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326152
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, April 08, 2005 5:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Error

I have heard that error connected to a corrupt computer account on the network, with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error

I keep getting this on a computer. Windows XP SP2:
Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.
Any ideas? I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Assigning permissions for domain user -- post Server 2003 sp1 upgrade
Ports that you need:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen G. Maczko
Sent: Thursday, April 07, 2005 5:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Assigning permissions for domain user -- post Server 2003 sp1 upgrade

I'm no longer able to assign permissions on a client to a domain user. When I open a directory properties sheet, security tab and then press the Add btn, it takes a long time for the Users, computers, groups box to show. Then when I select a user, the thing hangs. One other symptom, possibly related: it takes a looong time to pop up the runas box now from anywhere on the client. I've not used the security wizard, because you can't use it on a DC, so I activated the firewall and manually opened a set of ports. The following is my partial list of ports opened, those relevant to AD, etc.:
53 DNS (TCP/UDP)
88 Kerberos (TCP/UDP)
123 NTP (UDP) (??)
464 Kerberos password change (TCP/UDP)
I also have all the appropriate ports for file-sharing; working well for the shares where permissions are already set up. The network is really very basic; I have one server/one client. It's actually a development environment; I need AD to mimic one of my clients. I also have ASP.NET and SQL Server on the server; they are working well, including ASP.NET debugging. Thanks for any suggestions!
Steve
RE: [ActiveDir] Script to add a group to the local administrator's group?
Would be kinda handy if you have rcmd installed on all servers and put them in the text list - without having to wait for startup scripts.

FOR /F "skip=1 usebackq delims==" %%i IN (filename) DO rcmd \\%%i net localgroup administrators blabla /add

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, April 06, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to add a group to the local administrator's group?

Sounds easy enough, now how can I have this run and update 500 servers without having to logon to each one or add it as a logon script? Thanks in advance for your help!

Jose Medeiros
Senior System Engineer
ADP National Accounts, ProBusiness Division

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 05, 2005 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Script to add a group to the local administrator's group?

Hi Jose
net localgroup administrators grupnametoadd /add
Only 11 words!

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: Medeiros, Jose [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 04/05/2005 04:28 PM MST
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Script to add a group to the local administrator's group?

Greetings, I am new to the list, so please forgive me if this has been posted in the past. Does anyone have a script to add a domain group to the local administrator's group on member servers or workstations?

Sincerely,
Jose Medeiros
408-449-6621 Cell
RE: [ActiveDir] startup scripts not running
How about doing a workaround as in copying the exe to local %windir% or some other variable? Perhaps an "if not exist" statement copy:
if not exist %windir%\test.exe copy %logonserver%\share\test.exe %windir%\test.exe
Since computer startup is run as SYSTEM, which should have full access to your machine, this should overcome it if it is by any chance a permission issue.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, March 29, 2005 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

I would say that the computer's account doesn't have access to the .exe. Where is the .exe located? If it's in the GPO's script folder, it should have inherited the Authenticated Users permission by default.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn't is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript. If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I'm using the Exec method of the wscript object, such as:
Ws.Exec("myexecutable.exe")
Does that make sense? Thanks again, Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Is it a vbs? If yes, have you tried calling it from a bat file? Does it work if you do that? What you can do depends on the outcome of that test.
Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running

I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem. I'm having trouble figuring out why the script won't launch on its own. The only thing I've found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that's the issue?
Thanks, Mark
RE: [ActiveDir] OWA issue after Exchange 2003 migration.
Does this have something to do with IIS Lockdown tools or enabling compression in IIS? (I used to have the same issue previously.) Or even the application permissions on the folder.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Monday, March 21, 2005 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA issue after Exchange 2003 migration.

Hi,
This issue got solved. This was not an issue on the client side. We have done some changes on the server related to IIS 6. If anyone in future has the same issue then please contact me.
Regards,
Dinesh Tashildar

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Monday, March 21, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OWA issue after Exchange 2003 migration.

Hi,
Which IE version are you using? Also check your IE advanced settings because this is not a server end problem.
Thanks
Manjeet

Tashildar, Dinesh (Cognizant) [EMAIL PROTECTED] wrote:
We have migrated our front end exchange server from exchange 2003 (as well OS to Windows 2003). After migration OWA stopped displaying. Please check attached view of OWA: web.doc. I am not able to find anything on MS site. Any help would be appreciated.
Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-4062600 Extn : 3119 Vnet : 23119