RE: [ActiveDir] AD computer accounts being removed
> who would even think of ghosting a Server

Heh. Quite a few people actually. :)

> I have yet to hear anything worth while on why I should be running sysprep on a workstation in a Domain Environment

The main one in my mind is simply a support thing with MS. I agree with how bad the info is out there on why people think it needs to be done. It is easier to do it as you go than to actually really hit a real problem that does impact you that has you running around your environment doing it for all machines. So while I myself have mixed feelings on how much it is needed you will NEVER hear me tell a customer or anyone else they shouldn't do it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Friday, January 20, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

I was referring to workstations not Servers, who would even think of ghosting a Server? And here is the bottom line I have been ghosting workstations for several years now at this site without using Sysprep or anything like it, and it has caused me no problems, I have yet to hear anything worth while on why I should be running sysprep on a workstation in a Domain Environment where local login is not prohibited other than some BS stuff from Wininternals or some other mag like that. So put your rolled up newspapers away (unless of course you're going to be using it on yourself) and give me something worth while or concrete as to why I should be running Sysprep in the mentioned environment other than NO NO NO NO BAD BAD BAD BAD you must run sysprep.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn’t get sysprep’ed. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can’t trust more than one domain with the same sid…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednes
RE: [ActiveDir] AD computer accounts being removed
Hey Wook - though I agree it's a bad idea to do this, I've always thought DCPROMOing a server to a new domain created a NEW domain SID, which is totally unrelated to the server's SID. Or was it the other way around (un-promoting a DC creates a new SID for the server...). Hmm probably the latter from what you write.

Would be good if you can find the error-message (saves me time in testing this :-)

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, 20 January 2006 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't
RE: [ActiveDir] AD computer accounts being removed
Sorry, Sorry, Sorry it is Friday and I have had enough, next time I will try to think before I hit Send

(Disregard last post on this topic)

Aaron Visser

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn’t get sysprep’ed. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can’t trust more than one domain with the same sid…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: R
RE: [ActiveDir] AD computer accounts being removed
I was referring to workstations not Servers, who would even think of ghosting a Server? And here is the bottom line I have been ghosting workstations for several years now at this site without using Sysprep or anything like it, and it has caused me no problems, I have yet to hear anything worth while on why I should be running sysprep on a workstation in a Domain Environment where local login is not prohibited other than some BS stuff from Wininternals or some other mag like that. So put your rolled up newspapers away (unless of course you're going to be using it on yourself) and give me something worth while or concrete as to why I should be running Sysprep in the mentioned environment other than NO NO NO NO BAD BAD BAD BAD you must run sysprep.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn’t get sysprep’ed. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can’t trust more than one domain with the same sid…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, make
RE: [ActiveDir] AD computer accounts being removed
Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn’t get sysprep’ed. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can’t trust more than one domain with the same sid…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't see
RE: [ActiveDir] AD computer accounts being removed
You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again.

Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.
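
The SID relationships argued over in this thread, as an added example that is not part of any poster's message: local account SIDs are the machine SID plus a RID, so clones share them, and the conflict Wook describes appears when a clone's machine SID equals the domain SID. The inventory, host names, domain name and SID values are constructed, and the rule that a new domain takes the SID of the server promoted to create it is an assumption of this sketch.

```python
"""Added illustration: SID collisions in an inventory of cloned Windows machines."""
from collections import defaultdict

# Constructed sample data: host names, domain name and SIDs are hypothetical.
CLONE_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # two ghosted lab PCs
VENDOR_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # two cloned servers
UNIQUE_SID = "S-1-5-21-7777777777-8888888888-9999999999"  # a sysprep'ed PC

INVENTORY = [
    {"name": "LAB-01", "machine_sid": CLONE_SID, "role": "workgroup", "domain": None,
     "local_accounts": {"Administrator": 500, "teacher": 1001}},
    {"name": "LAB-02", "machine_sid": CLONE_SID, "role": "workgroup", "domain": None,
     "local_accounts": {"Administrator": 500, "student": 1001}},
    {"name": "SRV-A", "machine_sid": VENDOR_SID, "role": "dc", "domain": "SITEA",
     "local_accounts": {}},
    {"name": "SRV-B", "machine_sid": VENDOR_SID, "role": "member", "domain": "SITEA",
     "local_accounts": {"Administrator": 500}},
    {"name": "WS-07", "machine_sid": UNIQUE_SID, "role": "member", "domain": "SITEA",
     "local_accounts": {"Administrator": 500}},
]


def account_sid(issuer_sid, rid):
    """Build an account SID: the issuing machine or domain SID plus a relative ID."""
    if not issuer_sid.startswith("S-1-5-21-") or len(issuer_sid.split("-")) != 7:
        raise ValueError(f"not a machine or domain SID: {issuer_sid!r}")
    return f"{issuer_sid}-{rid}"


def duplicate_machine_sids(inventory):
    """Map each machine SID held by more than one host to the hosts that share it."""
    by_sid = defaultdict(list)
    for machine in inventory:
        by_sid[machine["machine_sid"]].append(machine["name"])
    return {sid: sorted(names) for sid, names in by_sid.items() if len(names) > 1}


def local_account_collisions(inventory):
    """Map each local account SID that exists on several hosts to HOST\\account names.

    This is the workgroup case quoted from the NewSID page: identical SIDs mean
    an ACL entry written for one account also matches the other.
    """
    by_sid = defaultdict(list)
    for machine in inventory:
        for account, rid in machine["local_accounts"].items():
            sid = account_sid(machine["machine_sid"], rid)
            by_sid[sid].append(machine["name"] + "\\" + account)
    return {sid: sorted(who) for sid, who in by_sid.items() if len(who) > 1}


def domain_sids(inventory):
    """Assumption: a domain's SID is the machine SID of the server promoted to create it."""
    sids = {}
    for machine in inventory:
        if machine["role"] == "dc":
            sids.setdefault(machine["domain"], machine["machine_sid"])
    return sids


def member_domain_conflicts(inventory):
    """List (host, domain) pairs where a member's machine SID equals the domain SID."""
    domains = domain_sids(inventory)
    return [(m["name"], m["domain"]) for m in inventory
            if m["role"] == "member" and domains.get(m["domain"]) == m["machine_sid"]]


if __name__ == "__main__":
    for sid, hosts in duplicate_machine_sids(INVENTORY).items():
        print("shared machine SID", sid, "->", ", ".join(hosts))
    for sid, who in local_account_collisions(INVENTORY).items():
        print("same local account SID", sid, "->", ", ".join(who))
    for host, domain in member_domain_conflicts(INVENTORY):
        print("member", host, "has the same SID as domain", domain)
```
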
RE: [ActiveDir] AD computer accounts being removed
FYI. I submitted a request to have this article reviewed and corrected as deemed necessary.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well, XP is kind of obscure, esp when you include Server 2003 SP1 in an imaging article England and do not catch such things :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
”I love the smell of red herrings in the morning” - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Most likely oversight. I submit quite a few requests to get articles like this updated that are missing specific OS versions or App versions. At one point I asked that they have an additional field of "doesn't apply to" for OSes so you at least knew they weren't forgetting it. I was told to piss off.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Any idea why XP is omitted in this article, but 2k and 2k3 are included?

http://support.microsoft.com/?id=162001 "Do Not Disk Duplicate Installed Versions of Windows NT"

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
”I love the smell of red herrings in the morning” - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL P
RE: [ActiveDir] AD computer accounts being removed
I can relate. I frequently do the 60 hr week thing, and as the senior of the two IT people for our company, I do all the design/planning/decision-making, as well as fix all the hard stuff the other guy can't fix. I have found that automating my repetitive tasks has helped a lot. I did a few things to help my ability to work smarter rather than harder. I set aside an hour a day for a while (at home, at work after hours, wherever) and played with new tools; reskit, joeware, scripting, whatever it took. That got me some confidence in using the advanced tools. I spent a bunch of time on this forum and the sys admin forum (sunbelt). Lurking mostly, and contributing when time and skill allowed, but frequently looking at a problem, making an estimate of the fix, and then comparing my fix to the "experts". I developed monitoring for all my production using What's Up Gold and Dumpevt/grep. That allowed me to find most failures well before they developed. I'd say better than 95% of the server problems I deal with are things I find before the end-users know about them, which is how it should be, IMO. I've also trained my junior admin and handed off all the stuff I can to him. It's hard to let go of some of it, but once I do and see that it's getting handled, I relax. :-) I think the bottom line is that until I took the steps necessary to work smarter, I just kept working harder. Spending a bunch of time to improve my skills and efficiency paid off tremendously. I don't do the 100 hour weeks anymore. Spending 8 hours to develop workable group policies saved me at least that much time per week with desktop configuration issues. If you can get your boss to buy into allowing you some no-contact time each week, you can use that to improve your skills/efficiency. You can make the case to him/her that using a bit of your time will pay dividends quickly. Do whatever it takes to move as far from reactive mode as you can. I've felt your pain; it's no fun... 
** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold > Sent: Thursday, January 19, 2006 7:39 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > Charlie, > > Thanks for taking the time to explain. I'm in a position > where I'm making > the big decisions, doing the big work and also doing all the > little details > (I'm it) including daily problems. Zero training/learning time, zero > anything except get to the next fire. I need spend some time > learning and > using tools like sysprep and GP to get back some of that time. > > Gary > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Charlie Kaiser > Sent: Thursday, January 19, 2006 10:07 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > Sysprep is pretty simple; there's a lot of documentation > available on it. As > Rich mentioned, you need to set up your customizations under > one profile and > copy that to the default user profile. Some irksome things > change, however. > One of my pet peeves is that when you sysprep a PC, the next > time it boots, > the select OS timeout goes from whatever you have set it to > (5 sec in our > case) back to the default of 30 sec. > > I have found that using group policy to make most of the > settings changes is > better than doing it on the workstation. We start with a > sysprepped image > that runs the mini-setup when first booted. We then the > workstation and > place it in the domain, where the GPOs apply to make all the required > settings. > > I was able to go from a boot floppy, ghost, and ghostwalker > to a boot CD, > sysprep, and ghost (our new laptops don't have floppy drives) > in about 4 > days of testing and fine-tuning. 
I took a couple of laptops > and a BartPE CD > (with ghost added to it) into a spare conference room, didn't > answer my > phone, and worked it all out. A few days of work and the result is > significantly simpler deployment of new images. > > ** > Charlie Kaiser > W2K3 MCSA/MCSE/Security, CCNA > Systems Engineer > Essex Credit / Brickwalk > 510 595 5083 > ** > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold > > Sent: Thursday, January 19, 2006 5:01 AM > > To: ActiveDir@mail.activedir.org > > Subject: RE: [ActiveDir] AD computer accounts bei
RE: [ActiveDir] AD computer accounts being removed
Title: Message Well, XP is kind of obscure, esp when you include Server 2003 SP1 in an imaging article England and do not catch such things J> --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- ”I love the smell of red herrings in the morning” - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, January 19, 2006 12:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Most likely oversight. I submit quite a few requests to get articles like this updated that are missing specific OS versions or App versions. At one point I asked that they have an additional field of "doesn't apply to" for OSes so you at least knew they weren't forgetting it. I was told to piss off. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Thursday, January 19, 2006 8:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Any idea why XP is omitted in this article, but 2k and 2k3 are included? http://support.microsoft.com/?id=162001 "Do Not Disk Duplicate Installed Versions of Windows NT" --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- ”I love the smell of red herrings in the morning” - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 6:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem. 
Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well. Aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 3:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? 
And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer J but with that comes more work L From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me
RE: [ActiveDir] AD computer accounts being removed
Title: Message Most likely oversight. I submit quite a few requests to get articles like this updated that are missing specific OS versions or App versions. At one point I asked that they have an additional field of "doesn't apply to" for OSes so you at least knew they weren't forgetting it. I was told to piss off. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich MilburnSent: Thursday, January 19, 2006 8:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Any idea why XP is omitted in this article, but 2k and 2k3 are included? http://support.microsoft.com/?id=162001 "Do Not Disk Duplicate Installed Versions of Windows NT" ---Rich MilburnMCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform DevelopmentApplebee's International, Inc.4551 W. 107th StOverland Park, KS 66207913-967-2819--”I love the smell of red herrings in the morning” - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron VisserSent: Wednesday, January 18, 2006 6:27 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem. Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well. 
Aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 3:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron VisserSent: Wednesday, January 18, 2006 5:44 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer J but with that comes more work L From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 12:38 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images? 
Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GarypholdSent: Wednesday, January 18, 2006 3:04 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda CaseySent: Wednesday, January 18, 2006 2:24 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is ac
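The two things argued over in this message, the SID behaviour quoted from the NewSID page and the same-name join Gary describes, can both be checked from an inventory. The Python below is an added example, not part of the thread: the records, asset tags, SIDs, the `SCHOOL` domain and every function name are constructed for illustration. It assumes a local account SID is the machine SID plus a RID (500 for the built-in Administrator) and a domain account SID is the domain SID plus a RID.

```python
import re
from collections import defaultdict

# S-1-5-21-<three sub-authorities>-<RID>: the form used by machine- and
# domain-issued account SIDs.
SID_RE = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")

# Constructed domain SID (assumption for this example).
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"

# Constructed inventory: (asset tag, hostname, account, account SID).
RECORDS = [
    ("A001", "LAB-PC01", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("A002", "LAB-PC02", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("A002", "LAB-PC02", "labuser", "S-1-5-21-1004336348-1177238915-682003330-1003"),
    ("A003", "LAB-PC03", "Administrator", "S-1-5-21-2052111302-484763869-725345543-500"),
    ("A004", "lab-pc03", "Administrator", "S-1-5-21-1844237615-436374069-1708537768-500"),
    ("A001", "LAB-PC01", "SCHOOL\\jsmith", DOMAIN_SID + "-1105"),
    ("A003", "LAB-PC03", "SCHOOL\\jsmith", DOMAIN_SID + "-1105"),
    ("A003", "LAB-PC03", "BUILTIN\\Administrators", "S-1-5-32-544"),
]


def split_sid(sid):
    """Return (issuer SID, RID) for an S-1-5-21-... account SID, else None."""
    m = SID_RE.match(sid)
    if not m:
        # Well-known SIDs such as S-1-5-32-544 carry no per-machine part.
        return None
    return "S-1-5-21-" + m.group(1), int(m.group(2))


def machine_sids(records, domain_sid=DOMAIN_SID):
    """Map asset tag -> machine SIDs seen in its local (non-domain) accounts."""
    out = defaultdict(set)
    for asset, _host, _acct, sid in records:
        parsed = split_sid(sid)
        if parsed and parsed[0] != domain_sid:
            out[asset].add(parsed[0])
    return dict(out)


def cloned_groups(records, domain_sid=DOMAIN_SID):
    """Groups of assets sharing one machine SID (imaged without a SID reset)."""
    by_sid = defaultdict(set)
    for asset, sids in machine_sids(records, domain_sid).items():
        for sid in sids:
            by_sid[sid].add(asset)
    return sorted(sorted(assets) for assets in by_sid.values() if len(assets) > 1)


def colliding_local_accounts(records, domain_sid=DOMAIN_SID):
    """Local account SIDs that exist, bit for bit, on more than one asset."""
    seen = defaultdict(set)
    for asset, _host, acct, sid in records:
        parsed = split_sid(sid)
        # Domain accounts share the domain SID by design, so they are skipped.
        if parsed and parsed[0] != domain_sid:
            seen[sid].add((asset, acct))
    return {sid: sorted(v) for sid, v in seen.items()
            if len({asset for asset, _ in v}) > 1}


def duplicate_hostnames(records):
    """Hostnames (compared case-insensitively) claimed by more than one asset."""
    hosts = defaultdict(set)
    for asset, host, _acct, _sid in records:
        hosts[host.upper()].add(asset)
    return {h: sorted(a) for h, a in hosts.items() if len(a) > 1}


if __name__ == "__main__":
    print("Assets sharing a machine SID:", cloned_groups(RECORDS))
    print("Identical local account SIDs:", colliding_local_accounts(RECORDS))
    print("Hostnames used by several assets:", duplicate_hostnames(RECORDS))
```
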
RE: [ActiveDir] AD computer accounts being removed
LOL. I talk to myself (a lot) and write a lot of stuff that I later erase prior to sending. Through that mechanism, mostly anyone outside of me will see the good 50% but some of the bad can slip through. :o) I have a strong desire to not look like a complete dunderhead in public. I have been known to say some stunningly stupid things though. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Thursday, January 19, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed "And further, I am not trying to say I am always right. Quite the contrary, fully 50% of what I say is flat out incorrect, made up, or complete opinion. Your job is to try to figure out what is and isn't in that 50%." joe, I will not be signing my emails to you anymore with "YMYMYM" Unless of course, your recant. RH ___ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: Wednesday, January 18, 2006 9:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed And further, I am not trying to say I am always right. Quite the contrary, fully 50% of what I say is flat out incorrect, made up, or complete opinion. Your job is to try to figure out what is and isn't in that 50%. Preferably prior to changing your environment based on something I said. :o) Or to put it another simpler way, mileage varies. What works very well for me may not be in your best interest. I would like to hear the technical details behind the SID issues from that article though. Maybe I will follow the link. Though I doubt what I want is there. Very little serious deep tech in that mag anymore. The tech stuff I previously wrote for them they stopped putting in the mag and started putting in their over the top highly overpriced "professional newsletters" that were $100+ for 12 tiny little issues that looked like a small school newspaper. 
joe -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 9:14 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] AD computer accounts being removed Don't get me wrong though... Sysprep/newsid, follow the process. I am absolutely not telling people to image machines and deploy them without cleaning them up. If you have odd things happening and are not following the recommended processes, it is all on you and you get to take responsibility for what you do. :) -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 9:01 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] AD computer accounts being removed I would like to see the details of what the issues are. Windows IT Pro mag is a nice mag and all, but there is no real technical review of the articles, you can say about anything you want to and I have seen several examples. Ditto for Redmond Mag and SearchWindows*, etc. I don't think the people actually test the stuff they say in a lot of those articles though they try to state it authoritatively. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Wednesday, January 18, 2006 8:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD computer accounts being removed On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote: > > Taken from > http://www.sysinternals.com/Utilities/NewSid.html under the SID > Duplication Problem > > > snip Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not user the local workstation SID for security. 
It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations. -- AdamT "Maidenhead is *not* in Kent" List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD computer accounts being removed
I'm in the position of jack-of-all-trades as well. I barely get a chance to visit the restroom on some days, never mind breaks or lunch. Here's some advice I can impart:
1) Learn to say no and/or wait to the powers that be at your company. You can't do everything at once. Make certain that this is a realization which upper management has. Going hand in hand with this, be certain that you take some time for proactive monitoring during the week. Check logs for your devices and servers. Don't wait for a system to go down before you realize the logs had been throwing errors for days beforehand.
2) Train the employees to take off some of the burden. I taught all of my users about the mysterious help file. :) I also created walkthroughs of recurring chores that a standard user could perform themselves and put them into a FAQ on our intranet site.
3) Google is your biggest friend. You will have a very hard time finding a professionals forum where you will get an exact answer to a specific question every time first try. The expectation is that you do some research on an issue before even asking in a forum. On a simple problem somebody asks, the most frequent reply is a google search link.
4) Some good resources are experts-exchange and myitforum. I would also highly recommend the NTSysAdmin group hosted by Sunbelt-Software. It definitely doesn't hurt to pick up a book or two on various subjects which may apply.
5) The biggest and best time saver I can think of is to learn scripting. This is one where it's do as I say not as I do. I really want to learn and have made some inroads, but there is never enough time. My ability now is at the level of taking scripts others have generously posted and modifying them to my purposes. Tons of great sites for scripts including the Technet scripting center, scriptinganswers.com, and http://cwashington.netreach.net.
6) Stick with it here as well, if only as a lurker. Learn and absorb as much as you can.
It will make you a better admin in the long run. 7) In doing all of these things, I pared down my workweek here from 80+ hours when I began 1.5 years ago to a normal 40 hour work week. I've even gotten back to doing external consulting work on the weekends again. Hope some of this helps. Scott Klassen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Thursday, January 19, 2006 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Larry, I know I'm not the only one in this position. But membership in that club doesn't dissolve any of the stress. Are there other online forums that deal with the people who have to do it all in the smaller operations? Time-saving tips, direct answers and help on specific issues? Etc? Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't been able to reach that level of knowledge yet. But it's still an invaluable source. Are there any more out there like it, at a lower tier of knowledge with slightly different focus, for the tied-to-the-whipping-post average "network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy /database-admin/software-specialist/new-technology-wizard/programmer-analyst /security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th at-messy-office/no-raises-this-year" multifaceted IT meatball surgeon? I'm getting further behind every day. It would be great to see how others are handling it. Gary -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Thursday, January 19, 2006 11:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary wrote: > I'm in a position > where I'm making > the big decisions, doing the big work and also doing all the > little details > (I'm it) including daily problems. Zero training/learning time, zero > anything except get to the next fire. 
Boy, does that sound familiar... -- Larry
Re: [ActiveDir] AD computer accounts being removed
You forgot emptying the trash. I can tell you where the SMB outside consultants hang out... but I'll agree with you... the SMB or just "M" admin crowdnot sure if I've found a venue spot on yet. hmmm... ActiveDirGUI division? :-) I know that Microsoft is gathering resources for this 'medium' business space as well. I'll ask around. Garyphold wrote: Larry, I know I'm not the only one in this position. But membership in that club doesn't dissolve any of the stress. Are there other online forums that deal with the people who have to do it all in the smaller operations? Time-saving tips, direct answers and help on specific issues? Etc? Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't been able to reach that level of knowledge yet. But it's still an invaluable source. Are there any more out there like it, at a lower tier of knowledge with slightly different focus, for the tied-to-the-whipping-post average "network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy /database-admin/software-specialist/new-technology-wizard/programmer-analyst /security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th at-messy-office/no-raises-this-year" multifaceted IT meatball surgeon? I'm getting further behind every day. It would be great to see how others are handling it. Gary -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Thursday, January 19, 2006 11:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary wrote: I'm in a position where I'm making the big decisions, doing the big work and also doing all the little details (I'm it) including daily problems. Zero training/learning time, zero anything except get to the next fire. Boy, does that sound familiar... -- Letting your vendors set your risk analysis these days? 
http://www.threatcode.com
RE: [ActiveDir] AD computer accounts being removed
Larry, I know I'm not the only one in this position. But membership in that club doesn't dissolve any of the stress. Are there other online forums that deal with the people who have to do it all in the smaller operations? Time-saving tips, direct answers and help on specific issues? Etc? Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't been able to reach that level of knowledge yet. But it's still an invaluable source. Are there any more out there like it, at a lower tier of knowledge with slightly different focus, for the tied-to-the-whipping-post average "network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy/database-admin/software-specialist/new-technology-wizard/programmer-analyst/security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-that-messy-office/no-raises-this-year" multifaceted IT meatball surgeon? I'm getting further behind every day. It would be great to see how others are handling it. Gary
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Thursday, January 19, 2006 11:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed
Gary wrote:
> I'm in a position where I'm making the big decisions, doing the big work and also doing all the little details (I'm it) including daily problems. Zero training/learning time, zero anything except get to the next fire.
Boy, does that sound familiar... -- Larry
RE: [ActiveDir] AD computer accounts being removed
There’s really nothing to learn. You extract deploy.cab to a folder, run setupmgr to create the sysprep.inf, then you open it up and change ComputerName to = * and copy it all to a folder called c:\sysprep. Run sysprep.exe. It will shut down your PC, boot it back up with the ghost disk in and dump your image.
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Thursday, January 19, 2006 8:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed
Not implying - I don't. I've been unable to find time to experiment. Yeah, I know - if I used that, I'd have much more time. Can Sysprep be much trouble to learn to use? I guess I have writer's block when it comes to that. Irrational fear of Sysprep. Gary
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 3:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed
Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed
Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.
Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
Gary wrote: > I'm in a position > where I'm making > the big decisions, doing the big work and also doing all the > little details > (I'm it) including daily problems. Zero training/learning time, zero > anything except get to the next fire. Boy, does that sound familiar... -- Larry
RE: [ActiveDir] AD computer accounts being removed
Charlie, Thanks for taking the time to explain. I'm in a position where I'm making the big decisions, doing the big work and also doing all the little details (I'm it) including daily problems. Zero training/learning time, zero anything except get to the next fire. I need spend some time learning and using tools like sysprep and GP to get back some of that time. Gary -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, January 19, 2006 10:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Sysprep is pretty simple; there's a lot of documentation available on it. As Rich mentioned, you need to set up your customizations under one profile and copy that to the default user profile. Some irksome things change, however. One of my pet peeves is that when you sysprep a PC, the next time it boots, the select OS timeout goes from whatever you have set it to (5 sec in our case) back to the default of 30 sec. I have found that using group policy to make most of the settings changes is better than doing it on the workstation. We start with a sysprepped image that runs the mini-setup when first booted. We then the workstation and place it in the domain, where the GPOs apply to make all the required settings. I was able to go from a boot floppy, ghost, and ghostwalker to a boot CD, sysprep, and ghost (our new laptops don't have floppy drives) in about 4 days of testing and fine-tuning. I took a couple of laptops and a BartPE CD (with ghost added to it) into a spare conference room, didn't answer my phone, and worked it all out. A few days of work and the result is significantly simpler deployment of new images. 
** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold > Sent: Thursday, January 19, 2006 5:01 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > Thanks for the link Nav. > > I use Symantec (PowerQuest) V2i Desktop (DriveImage). > Haven't used Ghost (Ghostwalker) or Sysprep. Been wanting to > experiment with Sysprep but haven't had the time. I was > thinking about that this morning though. Is there a big > learning curve with Sysprep? > > I use V2i for cloning, because I'm already using that for > backups of all the workstations and all the servers. Hard > drive backups instead of tape. Without sysprep, I'm stuck > being able to only clone like machines. > > I really need to learn to use Sysprep. Too many fires > burning right now. > > Gary > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Navroz Shariff > Sent: Wednesday, January 18, 2006 3:29 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > Hi Gary, > > Try looking at this article from MS regarding 'Resetting > computer accounts in Windows 2000 and Windows XP'. > http://support.microsoft.com/kb/216393/EN-US/ > > Also, you join the computer to the domain and then change its name? > Do you reset the SIDs of the cloned workstation using > GhostWalker or Sysprep? > > -Nav > > > ________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold > Sent: Wednesday, January 18, 2006 3:04 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > Brenda, > > FWIW: It happens to me when I clone a workstation then try > to join that workstation to the domain in order to change the > computer name. 
AD sees 2 machines with the same name, gives > me a notification and lets the 2nd one in. Then when the > original machine with that name logs in next time, it isn't > seen on the network. Then I have to do the same thing you > did - with the original machine. Then all is well again. > Don't know if that will help, but it might narrow down the > problem some. > > Gary > > Gary Polvinale > Denton ATD > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey > Sent: Wednesday, January 18, 2006 2:24 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > Yes, their computer account in AD is actually gone. > > Thanks, > Brenda > > Brenda Casey > Network Manager > Billings Public Schools > [EMAIL
RE: [ActiveDir] AD computer accounts being removed
Sysprep is pretty simple; there's a lot of documentation available on it. As Rich mentioned, you need to set up your customizations under one profile and copy that to the default user profile. Some irksome things change, however. One of my pet peeves is that when you sysprep a PC, the next time it boots, the select OS timeout goes from whatever you have set it to (5 sec in our case) back to the default of 30 sec. I have found that using group policy to make most of the settings changes is better than doing it on the workstation. We start with a sysprepped image that runs the mini-setup when first booted. We then the workstation and place it in the domain, where the GPOs apply to make all the required settings. I was able to go from a boot floppy, ghost, and ghostwalker to a boot CD, sysprep, and ghost (our new laptops don't have floppy drives) in about 4 days of testing and fine-tuning. I took a couple of laptops and a BartPE CD (with ghost added to it) into a spare conference room, didn't answer my phone, and worked it all out. A few days of work and the result is significantly simpler deployment of new images. ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold > Sent: Thursday, January 19, 2006 5:01 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > Thanks for the link Nav. > > I use Symantec (PowerQuest) V2i Desktop (DriveImage). > Haven't used Ghost (Ghostwalker) or Sysprep. Been wanting to > experiment with Sysprep but haven't had the time. I was > thinking about that this morning though. Is there a big > learning curve with Sysprep? > > I use V2i for cloning, because I'm already using that for > backups of all the workstations and all the servers. Hard > drive backups instead of tape. Without sysprep, I'm stuck > being able to only clone like machines. 
> > I really need to learn to use Sysprep. Too many fires > burning right now. > > Gary > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Navroz Shariff > Sent: Wednesday, January 18, 2006 3:29 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > Hi Gary, > > Try looking at this article from MS regarding 'Resetting > computer accounts in Windows 2000 and Windows XP'. > http://support.microsoft.com/kb/216393/EN-US/ > > Also, you join the computer to the domain and then change its name? > Do you reset the SIDs of the cloned workstation using > GhostWalker or Sysprep? > > -Nav > > > ________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold > Sent: Wednesday, January 18, 2006 3:04 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > Brenda, > > FWIW: It happens to me when I clone a workstation then try > to join that workstation to the domain in order to change the > computer name. AD sees 2 machines with the same name, gives > me a notification and lets the 2nd one in. Then when the > original machine with that name logs in next time, it isn't > seen on the network. Then I have to do the same thing you > did - with the original machine. Then all is well again. > Don't know if that will help, but it might narrow down the > problem some. > > Gary > > Gary Polvinale > Denton ATD > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey > Sent: Wednesday, January 18, 2006 2:24 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > Yes, their computer account in AD is actually gone. 
> > Thanks, > Brenda > > Brenda Casey > Network Manager > Billings Public Schools > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > 406-247-3792 > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Gil > Kirkpatrick > Sent: Wednesday, January 18, 2006 11:14 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD computer accounts being removed > > > When you say "lose their account", do you mean the computer > object in AD disappears? Or something else? > > -g > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PRO
RE: [ActiveDir] AD computer accounts being removed
Title: Message > Is there a big learning curve with Sysprep? Well, there can be. It depends on what you do to your master before you image it. If you do a lot of profile customization, then yes, because sysprep cleans out the profiles, and you’ll need to figure out how to apply settings to the default profile, or figure out how to script them. Since you are using AD you don’t have the lack of GPO issue I did. For example, on our workgroup systems, we create a certain account and set up that profile, lock it down etc. If I sysprep it, that profile gets removed and a new one is created when that user logs into the sysprepped computer – without any of the customizations. There are ways around this, but I couldn’t solve all of them so for now on our newer XP systems we use a silent install with scripted profile configuration and lockdowns. It takes 38 minutes from DVD incl. Office 2003 install, so it’s not too bad – sysprep using an ximage image took 25 minutes on the same box, most of that was DVD to HDD copy time though. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- ”I love the smell of red herrings in the morning” - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Thursday, January 19, 2006 7:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Thanks for the link Nav. I use Symantec (PowerQuest) V2i Desktop (DriveImage). Haven't used Ghost (Ghostwalker) or Sysprep. Been wanting to experiment with Sysprep but haven't had the time. I was thinking about that this morning though. Is there a big learning curve with Sysprep? I use V2i for cloning, because I'm already using that for backups of all the workstations and all the servers. Hard drive backups instead of tape. Without sysprep, I'm stuck being able to only clone like machines. 
I really need to learn to use Sysprep. Too many fires burning right now. Gary -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff Sent: Wednesday, January 18, 2006 3:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Hi Gary, Try looking at this article from MS regarding 'Resetting computer accounts in Windows 2000 and Windows XP'. http://support.microsoft.com/kb/216393/EN-US/ Also, you join the computer to the domain and then change its name? Do you reset the SIDs of the cloned workstation using GhostWalker or Sysprep? -Nav From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. 
Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on
RE: [ActiveDir] AD computer accounts being removed
"And further, I am not trying to say I am always right. Quite the contrary, fully 50% of what I say is flat out incorrect, made up, or complete opinion. Your job is to try to figure out what is and isn't in that 50%."

joe, I will not be signing my emails to you anymore with "YMYMYM" Unless of course, you recant.

RH
___

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, January 18, 2006 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

And further, I am not trying to say I am always right. Quite the contrary, fully 50% of what I say is flat out incorrect, made up, or complete opinion. Your job is to try to figure out what is and isn't in that 50%. Preferably prior to changing your environment based on something I said. :o)

Or to put it another simpler way, mileage varies. What works very well for me may not be in your best interest.

I would like to hear the technical details behind the SID issues from that article though. Maybe I will follow the link. Though I doubt what I want is there. Very little serious deep tech in that mag anymore. The tech stuff I previously wrote for them they stopped putting in the mag and started putting in their over the top highly overpriced "professional newsletters" that were $100+ for 12 tiny little issues that looked like a small school newspaper.

joe

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:14 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

Don't get me wrong though... Sysprep/newsid, follow the process. I am absolutely not telling people to image machines and deploy them without cleaning them up. If you have odd things happening and are not following the recommended processes, it is all on you and you get to take responsibility for what you do.
:) -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 9:01 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] AD computer accounts being removed I would like to see the details of what the issues are. Windows IT Pro mag is a nice mag and all, but there is no real technical review of the articles, you can say about anything you want to and I have seen several examples. Ditto for Redmond Mag and SearchWindows*, etc. I don't think the people actually test the stuff they say in a lot of those articles though they try to state it authoritatively. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Wednesday, January 18, 2006 8:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD computer accounts being removed On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote: > > Taken from > http://www.sysinternals.com/Utilities/NewSid.html under the SID > Duplication Problem > > > snip Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not user the local workstation SID for security. It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations. 
-- AdamT "Maidenhead is *not* in Kent"
RE: [ActiveDir] AD computer accounts being removed
Title: Message Any idea why XP is omitted in this article, but 2k and 2k3 are included? http://support.microsoft.com/?id=162001 "Do Not Disk Duplicate Installed Versions of Windows NT" --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- ”I love the smell of red herrings in the morning” - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 6:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem. Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well. Aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 3:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer J but with that comes more work L From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. 
Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or
RE: [ActiveDir] AD computer accounts being removed
>>> It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

Huh.. I'm having a small headache and I'm not smoking anything weird here, but... what is this?

Shouldn't this be:

Duplicate SIDs for objects in the domain are bad and a problem in NT4 and AD.
It is not possible to copy an object and dupe the SID.
Screwing around with the RID FSMO (AD) could result in duped SIDs.
If duped SIDs are detected the detecting DC has a mechanism to clean those
Although a bad practice, cloned machines which have the same local SID can be in an NT4 domain and AD.
The local computer SID will only be used if a user (domain base or not) is a member of a local group on that computer as the group SID on that computer consists of the computer SID and a RID

IMHO opinion the writer is mixing the object SID in the domain with the local computer SID...

Jorge

From: [EMAIL PROTECTED] on behalf of AdamT
Sent: Thu 2006-01-19 02:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
> Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem

snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not use the local workstation SID for security.
It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

-- AdamT "Maidenhead is *not* in Kent"
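The distinction drawn in the message above, between the local machine SID and the SIDs the domain issues, as an added example that is not part of the original thread. It encodes and decodes the binary SID layout and shows where an unsysprepped clone collides (local accounts) and where it does not (domain computer accounts); every SID, host name and function name here is constructed for illustration.

```python
import struct
from collections import defaultdict

# Constructed values for illustration; none of them come from the thread.
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
IMAGE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # machine SID baked into the master image
FRESH_SID = "S-1-5-21-2000000001-2000000002-2000000003"  # machine SID from a clean install

INVENTORY = [
    {"host": "WS01", "machine_sid": IMAGE_SID, "computer_account": DOMAIN_SID + "-1105"},
    {"host": "WS02", "machine_sid": IMAGE_SID, "computer_account": DOMAIN_SID + "-1106"},
    {"host": "WS03", "machine_sid": FRESH_SID, "computer_account": DOMAIN_SID + "-1107"},
]


def sid_to_bytes(sid):
    """Encode an 'S-1-5-21-...' string into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    # 1 byte revision, 1 byte sub-authority count, 48-bit big-endian
    # identifier authority, then little-endian 32-bit sub-authorities.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(raw):
    """Decode a binary SID, rejecting truncated or oversized input."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_issuer(sid):
    """Split an account SID into (issuing machine or domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not an S-1-5-21-x-y-z-RID account SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def local_sid(machine_sid, rid):
    """SID of a local account or locally created group: machine SID plus RID."""
    return "%s-%d" % (machine_sid, rid)


def same_principal(sid_a, sid_b):
    """An access check compares SID bytes only; host names play no part."""
    return sid_to_bytes(sid_a) == sid_to_bytes(sid_b)


def cloned_machine_sids(inventory):
    """Machine SIDs that appear on more than one host."""
    by_sid = defaultdict(list)
    for rec in inventory:
        by_sid[rec["machine_sid"]].append(rec["host"])
    return {sid: hosts for sid, hosts in by_sid.items() if len(hosts) > 1}


def summarize(inventory):
    """Report collisions at the local layer and at the domain layer."""
    # RID 500 is the built-in local Administrator on every machine.
    admins = {r["host"]: local_sid(r["machine_sid"], 500) for r in inventory}
    hosts = sorted(admins)
    collisions = [(a, b) for i, a in enumerate(hosts) for b in hosts[i + 1:]
                  if same_principal(admins[a], admins[b])]
    issued = [split_issuer(r["computer_account"]) for r in inventory]
    return {
        "cloned_machine_sids": cloned_machine_sids(inventory),
        "local_admin_collisions": collisions,
        "domain_issuers": {issuer for issuer, _ in issued},
        "domain_rids_unique": len({rid for _, rid in issued}) == len(issued),
    }


if __name__ == "__main__":
    for key, value in summarize(INVENTORY).items():
        print(key, "=", value)
```

The two clones share a local Administrator SID, which is the workgroup case quoted from Q162001 elsewhere in the thread, while all three computer accounts carry the domain's SID with distinct RIDs.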
RE: [ActiveDir] AD computer accounts being removed
Not implying - I don't. I've been unable to find time to experiment. Yeah, I know - if I used that, I'd have much more time. Can Sysprep be much trouble to learn to use? I guess I have writer's block when it comes to that. Irrational fear of Sysprep.

Gary

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary- Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda
RE: [ActiveDir] AD computer accounts being removed
Title: Message Thanks for the link Nav. I use Symantec (PowerQuest) V2i Desktop (DriveImage). Haven't used Ghost (Ghostwalker) or Sysprep. Been wanting to experiment with Sysprep but haven't had the time. I was thinking about that this morning though. Is there a big learning curve with Sysprep? I use V2i for cloning, because I'm already using that for backups of all the workstations and all the servers. Hard drive backups instead of tape. Without sysprep, I'm stuck being able to only clone like machines. I really need to learn to use Sysprep. Too many fires burning right now. Gary -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz ShariffSent: Wednesday, January 18, 2006 3:29 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Hi Gary, Try looking at this article from MS regarding 'Resetting computer accounts in Windows 2000 and Windows XP'. http://support.microsoft.com/kb/216393/EN-US/ Also, you join the computer to the domain and then change its name? Do you reset the SIDs of the cloned workstation using GhostWalker or Sysprep? -Nav From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GarypholdSent: Wednesday, January 18, 2006 3:04 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. 
Gary Gary Polvinale Denton ATD -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda CaseySent: Wednesday, January 18, 2006 2:24 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda CaseyNetwork Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil KirkpatrickSent: Wednesday, January 18, 2006 11:14 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda CaseySent: Wednesday, January 18, 2006 10:42 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
We have roughly 650 unique nightmare LANs here. I’ve seen some interesting things. Have a folder full of screenshots and JPEGs from site visits to prove it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NetBEUI? Ouch.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 7:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Sysprep also removes other information which identifies the computer. For example, I once had the pleasure of repairing a network where they had used NewSID to do this and also had bound NetBEUI to every NIC in the LAN. I had 500 computers all claiming the same NetBEUI name. Sysprep takes care of things like this. Highly recommended over any other tool.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users.
All resources, including files and Registry keys, that one user has access to, the other will as well. Aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 3:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer J but with that comes more work L From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images? 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveD
RE: [ActiveDir] AD computer accounts being removed
Title: Message Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 8:39 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Dozen other reasons to run it. Not running sysprep is just a bad idea. Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Wednesday, January 18, 2006 8:11 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though. If the accounts are disappearing it is one of two things 1. Someone is deleting it. 2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 6:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again.
Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda CaseySent: Wednesday, January 18, 2006 2:24 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda CaseyNetwork Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil KirkpatrickSent: Wednesday, January 18, 2006 11:14 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda CaseySent: Wednesday, January 18, 2006 10:42 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Acti
RE: [ActiveDir] AD computer accounts being removed
And further, I am not trying to say I am always right. Quite the contrary, fully 50% of what I say is flat out incorrect, made up, or complete opinion. Your job is to try to figure out what is and isn't in that 50%. Preferably prior to changing your environment based on something I said. :o) Or to put it another simpler way, mileage varies. What works very well for me may not be in your best interest. I would like to hear the technical details behind the SID issues from that article though. Maybe I will follow the link. Though I doubt what I want is there. Very little serious deep tech in that mag anymore. The tech stuff I previously wrote for them they stopped putting in the mag and started putting in their over the top highly overpriced "professional newsletters" that were $100+ for 12 tiny little issues that looked like a small school newspaper. joe -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 9:14 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] AD computer accounts being removed Don't get me wrong though... Sysprep/newsid, follow the process. I am absolutely not telling people to image machines and deploy them without cleaning them up. If you have odd things happening and are not following the recommended processes, it is all on you and you get to take responsibility for what you do. :) -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 9:01 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] AD computer accounts being removed I would like to see the details of what the issues are. Windows IT Pro mag is a nice mag and all, but there is no real technical review of the articles, you can say about anything you want to and I have seen several examples. Ditto for Redmond Mag and SearchWindows*, etc. I don't think the people actually test the stuff they say in a lot of those articles though they try to state it authoritatively. 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
>
>
> snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not use the local workstation SID for security. It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

--
AdamT
"Maidenhead is *not* in Kent"

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD computer accounts being removed
Don't get me wrong though... Sysprep/newsid, follow the process. I am absolutely not telling people to image machines and deploy them without cleaning them up. If you have odd things happening and are not following the recommended processes, it is all on you and you get to take responsibility for what you do. :)

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD computer accounts being removed

I would like to see the details of what the issues are. Windows IT Pro mag is a nice mag and all, but there is no real technical review of the articles, you can say about anything you want to and I have seen several examples. Ditto for Redmond Mag and SearchWindows*, etc. I don't think the people actually test the stuff they say in a lot of those articles though they try to state it authoritatively.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
>
>
> snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not use the local workstation SID for security. It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

--
AdamT
"Maidenhead is *not* in Kent"
RE: [ActiveDir] AD computer accounts being removed
I would like to see the details of what the issues are. Windows IT Pro mag is a nice mag and all, but there is no real technical review of the articles, you can say about anything you want to and I have seen several examples. Ditto for Redmond Mag and SearchWindows*, etc. I don't think the people actually test the stuff they say in a lot of those articles though they try to state it authoritatively.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
>
>
> snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not use the local workstation SID for security. It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

--
AdamT
"Maidenhead is *not* in Kent"
RE: [ActiveDir] AD computer accounts being removed
Title: Message Dozen other reasons to run it. Not running sysprep is just a bad idea. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 8:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though. If the accounts are disappearing it is one of two things 1. Someone is deleting it. 2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 6:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? 
And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.
Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy th
Re: [ActiveDir] AD computer accounts being removed
On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the
> SID Duplication Problem
>
>
> snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not use the local workstation SID for security. It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

--
AdamT
"Maidenhead is *not* in Kent"
RE: [ActiveDir] AD computer accounts being removed
Title: Message NetBEUI? Ouch. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 7:59 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Sysprep also removes other information which identifies the computer. For example, I once had the pleasure of repairing a network where they had used NewSID to do this and also had bound NetBEUI to every NIC in the LAN. I had 500 computers all claiming the same NetBEUI name. Sysprep takes care of things like this. Highly recommended over any other tool. Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron VisserSent: Wednesday, January 18, 2006 7:27 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem. Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well. Aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 3:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again.
Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda CaseySent: Wednesday, January 18, 2006 2:24 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda CaseyNetwork Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil KirkpatrickSent: Wednesday, January 18, 2006 11:14 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g
RE: [ActiveDir] AD computer accounts being removed
Title: Message Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though. If the accounts are disappearing it is one of two things 1. Someone is deleting it. 2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 6:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron VisserSent: Wednesday, January 18, 2006 5:44 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? 
And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.
Thanks, Brenda Brenda CaseyNetwork Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil KirkpatrickSent: Wednesday, January 18, 2006 11:14 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda CaseySent: Wednesday, January 18, 2006 10:42 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
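The SID layout that the messages above argue about, as an added example that is not part of the original thread: a local account SID is the machine SID plus a RID, while a domain account SID (including the computer account created at join time) is the domain SID plus a RID. The check below shows which identifiers two clones of one image share and which they do not; every SID, host name and RID in it is constructed, and how the inventory is collected is an assumption.

```python
import struct
from collections import defaultdict

# Constructed sample values, not taken from the thread.
IMAGE_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_SID = "S-1-5-21-4000000001-4000000002-4000000003"

# Hypothetical inventory: host name -> machine SID read from that host.
MACHINE_SIDS = {
    "LAB-01": IMAGE_MACHINE_SID,      # cloned from the image
    "LAB-02": IMAGE_MACHINE_SID,      # cloned from the same image, no Sysprep/NewSID
    "OFFICE-01": "S-1-5-21-1234567890-987654321-555555555",  # installed normally
}

# Hypothetical computer-account SIDs the domain assigned when each host joined.
DOMAIN_COMPUTER_SIDS = {
    "LAB-01": f"{DOMAIN_SID}-1105",
    "LAB-02": f"{DOMAIN_SID}-1106",
    "OFFICE-01": f"{DOMAIN_SID}-1107",
}


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-...' string into the binary SID layout:
    revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian),
    sub-authorities (4 bytes each, little-endian)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID, rejecting truncated or padded buffers."""
    if len(raw) < 8:
        raise ValueError("buffer too short for a SID header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_account_sid(sid: str):
    """Split S-1-5-21-a-b-c-RID into (issuing machine or domain SID, RID)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError(f"not an NT account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])


def local_account_sid(machine_sid: str, rid: int) -> str:
    """Local accounts hang off the machine SID; RID 500 is Administrator."""
    return f"{machine_sid}-{rid}"


def find_shared_machine_sids(machine_sids):
    """Return {machine SID: [hosts]} for every SID reported by more than one host."""
    by_sid = defaultdict(list)
    for host, sid in machine_sids.items():
        by_sid[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}


def analyse(machine_sids, domain_computer_sids):
    """Compare what clones share locally with what the domain issued them."""
    shared = find_shared_machine_sids(machine_sids)
    colliding_admins = {local_account_sid(sid, 500): hosts
                        for sid, hosts in shared.items()}
    issued = list(domain_computer_sids.values())
    return {
        "shared_machine_sids": shared,
        "colliding_local_admin_sids": colliding_admins,
        "domain_sids_unique": len(set(issued)) == len(issued),
        "domain_issuers": {split_account_sid(s)[0] for s in issued},
    }


if __name__ == "__main__":
    for key, value in analyse(MACHINE_SIDS, DOMAIN_COMPUTER_SIDS).items():
        print(f"{key}: {value}")
```
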
RE: [ActiveDir] AD computer accounts being removed
Title: Message Sysprep also removes other information which identifies the computer. For example, I once had the pleasure of repairing a network where they had used NewSID to do this and also had bound NetBEUI to every NIC in the LAN. I had 500 computers all claiming the same NetBEUI name. Sysprep takes care of things like this. Highly recommended over any other tool. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 7:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem. Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well. Aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 3:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again.
Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM
RE: [ActiveDir] AD computer accounts being removed
Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem. Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well. Aaron From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 3:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?
And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :( From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone.
Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
No it is not possible to delete that account. (As far as I know) but there are times when the account has been disabled thru a Policy (that is how I disable it) and that program has not worked, I know it doesn't make a lot of sense because why is the policy being enforced if it will not connect to the domain but guess what sometimes it is like that, and if everything always worked the way it was supposed to well then we wouldn't be needed now would we? Aaron Visser -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Wednesday, January 18, 2006 3:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD computer accounts being removed On 1/18/06, Aaron Visser <[EMAIL PROTECTED]> wrote: snip > I have had to actually ghost computers in order to rejoin the > domain because I do not have any local accounts active on my computers in > the school, makes it a little safer :) but with that comes more work :( > Surely it's not possible to delete the administrator account? You might be able to disable it, but IIRC, you can reset the password and unlock/re-enable to account using the infamous bootdisk at: http://home.eunet.no/~pnordahl/ntpasswd/ Shouldn't need to re-image. -- AdamT "Maidenhead is *not* in Kent" List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD computer accounts being removed
Let me find my rolled up newspaper... :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 4:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :( From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images?
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
NO NO NO NO NO BAD BAD BAD You have to use sysprep. You’re getting duplicate SIDs here – bad. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Wednesday, January 18, 2006 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :( From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
Re: [ActiveDir] AD computer accounts being removed
On 1/18/06, Doug Ferguson <[EMAIL PROTECTED]> wrote: > I would use NETDOM JOIN. Type NETDOM JOIN /? To see the syntax. > Thanks, I'll look in to that. Would save me lots of time talking engineers through the process of joining a domain when they turn up to install new PCs. I'm also somewhat unhappy with reading out account passwords over the phone to engineers I've never met. Netdom and psexec ought to take care of this for me ;-) -- AdamT "Maidenhead is *not* in Kent" List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] AD computer accounts being removed
On 1/18/06, Aaron Visser <[EMAIL PROTECTED]> wrote: snip > I have had to actually ghost computers in order to rejoin the > domain because I do not have any local accounts active on my computers in > the school, makes it a little safer :) but with that comes more work :( > Surely it's not possible to delete the administrator account? You might be able to disable it, but IIRC, you can reset the password and unlock/re-enable to account using the infamous bootdisk at: http://home.eunet.no/~pnordahl/ntpasswd/ Shouldn't need to re-image. -- AdamT "Maidenhead is *not* in Kent" List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD computer accounts being removed
Gary, Brian, I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep? And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :( From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.
Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
I would use NETDOM JOIN. Type NETDOM JOIN /? To see the syntax. -;) Doug Ferguson Windows Systems Administrator Hynix Semiconductor Manufacturing America, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Wednesday, January 18, 2006 2:03 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD computer accounts being removed On 1/18/06, Crawford, Scott <[EMAIL PROTECTED]> wrote: > For example, if the > domain box shows MICROSOFT, change it to Microsoft.com or vice-versa. This > seems to trigger a domain rejoin without having to join the workgroup. > > snip On a side-note - is there a command line utility which will allow a workstation to be renamed/joined to a domain? I'm aware of a way of creating a computer account using the NET command, but this has to be done from the server, and ideally, I'm hoping there's a way of joining from the NT4/2kpro/XP workstations. -- AdamT "Maidenhead is *not* in Kent" List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD computer accounts being removed
Look at netdom.exe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Wednesday, January 18, 2006 3:03 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD computer accounts being removed On 1/18/06, Crawford, Scott <[EMAIL PROTECTED]> wrote: > For example, if the > domain box shows MICROSOFT, change it to Microsoft.com or vice-versa. > This seems to trigger a domain rejoin without having to join the workgroup. > > snip On a side-note - is there a command line utility which will allow a workstation to be renamed/joined to a domain? I'm aware of a way of creating a computer account using the NET command, but this has to be done from the server, and ideally, I'm hoping there's a way of joining from the NT4/2kpro/XP workstations. -- AdamT "Maidenhead is *not* in Kent" List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] AD computer accounts being removed
On 1/18/06, Crawford, Scott <[EMAIL PROTECTED]> wrote: > For example, if the > domain box shows MICROSOFT, change it to Microsoft.com or vice-versa. This > seems to trigger a domain rejoin without having to join the workgroup. > > snip On a side-note - is there a command line utility which will allow a workstation to be renamed/joined to a domain? I'm aware of a way of creating a computer account using the NET command, but this has to be done from the server, and ideally, I'm hoping there's a way of joining from the NT4/2kpro/XP workstations. -- AdamT "Maidenhead is *not* in Kent" List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD computer accounts being removed
We have seen the same thing in our organization, and I am investigating whether our technician that does the images for our desktop deployments has been using the wrong version of Sysprep. I read on the MS site that there are versions of Sysprep for different OS levels (or service packs). Just a thought. -;) Doug Ferguson Windows Systems Administrator Hynix Semiconductor Manufacturing America, Inc. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 9:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
You might enable auditing on the appropriate OU to find out who is doing the deleting. You need to enable AD auditing in the Domain Controllers group policy, and then add auditing entries on the security descriptor of the appropriate OU, e.g. CN=Computers to track creation and deletion of Computer objects. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 12:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
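The auditing suggestion in the message above, followed through as an added example (not code from the thread): a triage script over computer-account creation and deletion events that answers who deleted which account and which names were never recreated. It assumes the account-management events 4741 (computer account created) and 4743 (computer account deleted) logged by Windows Server 2008 and later, rather than per-OU audit entries, and assumes they were exported as event XML; every host, account and timestamp in the sample is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}
# Security-log event IDs on Windows Server 2008 and later (assumption: the
# thread itself names no event IDs): computer account created / deleted.
CREATED, DELETED = 4741, 4743


def _sample_event(event_id, when, actor, target):
    """Build one constructed event in the Windows event XML layout."""
    return (
        f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/>'
        "<Computer>dc01.example.test</Computer></System><EventData>"
        f'<Data Name="TargetUserName">{target}</Data>'
        '<Data Name="TargetDomainName">EXAMPLE</Data>'
        f'<Data Name="SubjectUserName">{actor}</Data>'
        '<Data Name="SubjectDomainName">EXAMPLE</Data>'
        "</EventData></Event>"
    )


# Constructed sample data: hosts, accounts and times are made up.
SAMPLE_XML = "<Events>" + "".join([
    _sample_event(4741, "2024-03-04T08:00:00.000000000Z", "imaging-svc", "LAB-PC-07$"),
    _sample_event(4624, "2024-03-04T08:30:00.000000000Z", "jtech", "jtech"),
    _sample_event(4743, "2024-03-04T09:15:00.000000000Z", "cleanup-svc", "LAB-PC-07$"),
    _sample_event(4741, "2024-03-04T09:40:00.000000000Z", "jtech", "lab-pc-07$"),
    _sample_event(4743, "2024-03-05T02:00:00.000000000Z", "cleanup-svc", "LIB-PC-02$"),
    _sample_event(4743, "2024-03-05T02:00:05.000000000Z", "cleanup-svc", "LIB-PC-03$"),
]) + "</Events>"


def parse_events(xml_text):
    """Return computer-account create/delete records, oldest first."""
    records = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS_URI}}}Event"):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        if event_id not in (CREATED, DELETED):
            continue  # ignore logons and everything else in the export
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            # UTC timestamps in one fixed format sort correctly as strings.
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "action": "deleted" if event_id == DELETED else "created",
            # Computer accounts are stored as NAME$; normalise for matching.
            "computer": data.get("TargetUserName", "").rstrip("$").upper(),
            "actor": data.get("SubjectDomainName", "") + "\\"
                     + data.get("SubjectUserName", ""),
        })
    return sorted(records, key=lambda r: r["time"])


def deletions_by_actor(records):
    """Map each deleting account to the computer accounts it removed."""
    out = defaultdict(list)
    for r in records:
        if r["action"] == "deleted":
            out[r["actor"]].append(r["computer"])
    return dict(out)


def still_missing(records):
    """Names whose most recent event is a deletion (never recreated)."""
    last = {}
    for r in records:  # records are already oldest-first
        last[r["computer"]] = r
    return sorted(n for n, r in last.items() if r["action"] == "deleted")


if __name__ == "__main__":
    recs = parse_events(SAMPLE_XML)
    for actor, names in deletions_by_actor(recs).items():
        print(f"{actor} deleted: {', '.join(names)}")
    print("deleted and not recreated:", ", ".join(still_missing(recs)))
```

Machines listed by `still_missing` are the ones that would show the symptom reported in this thread: domain logon fails until the workstation is rejoined.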
RE: [ActiveDir] AD computer accounts being removed
Gary- Are you implying you don’t sysprep your images? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years.
The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
Hi Gary, Try looking at this article from MS regarding 'Resetting computer accounts in Windows 2000 and Windows XP'. http://support.microsoft.com/kb/216393/EN-US/ Also, you join the computer to the domain and then change its name? Do you reset the SIDs of the cloned workstation using GhostWalker or Sysprep? -Nav From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold Sent: Wednesday, January 18, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else?
-g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
I don’t have any suggestions for why it’s happening or how to prevent it, but I do have a tip for speeding up the rejoin process. I’ve never had a problem ignoring the reboot prompt after you remove it from the domain. So basically, I just add it to a workgroup, ignore the reboot prompt, add to the domain, then reboot. This saves you a reboot which is really what makes this so time consuming. Also, Dan Holme suggested just changing the name of the domain from its DNS name to its NetBIOS name. For example, if the domain box shows MICROSOFT, change it to Microsoft.com or vice-versa. This seems to trigger a domain rejoin without having to join the workgroup. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 11:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
Brenda, FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some. Gary Gary Polvinale Denton ATD -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.
Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
Yes, their computer account in AD is actually gone. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
No, there is not any lockdown type of software on these machines. Thanks, Brenda Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 18, 2006 11:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed Brenda- I see the k12 email address (I run AD for Chicago Public Schools), first question I have to ask is do you have any lockdown software on these computers? DeepFreeze, Fortress, or similar? This will screw with and hose up computer password sync. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 12:42 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD computer accounts being removed
Brenda- I see the k12 email address (I run AD for Chicago Public Schools), first question I have to ask is do you have any lockdown software on these computers? DeepFreeze, Fortress, or similar? This will screw with and hose up computer password sync. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 12:42 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
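The replies above turn on one diagnostic question: is the computer object really gone from AD, or is it still there with a password the workstation no longer matches (the clone and lockdown-software cases)? The following is an added example, not part of any message in the thread, that separates those cases from an admin workstation. It assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to read deleted objects; the function name, the computer name and the 7-day window are hypothetical.

```powershell
# Added example; Get-ComputerAccountState is a hypothetical helper, not from the thread.
# Assumes the ActiveDirectory module (RSAT) and a domain account that can read deleted objects.
Import-Module ActiveDirectory

function Get-ComputerAccountState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # e.g. 'LAB-PC-017' (constructed name)
        [int]$RecentDays = 7                          # window treated as "recent" (assumption)
    )
    $sam    = "$ComputerName`$"   # computer accounts end in '$' in sAMAccountName
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)

    # -IncludeDeletedObjects returns tombstones as well as live objects.
    $found = @(Get-ADObject -Filter "sAMAccountName -eq '$sam'" -IncludeDeletedObjects `
        -Properties isDeleted, whenCreated, whenChanged, pwdLastSet, lastKnownParent)

    if ($found.Count -eq 0) {
        return [pscustomobject]@{
            Computer = $ComputerName; State = 'NotFound'
            Detail   = 'No live object and no tombstone for this name.'
        }
    }
    foreach ($o in $found) {
        if ($o.isDeleted) {
            # The object really was deleted: the case Brenda confirms in her reply.
            $state  = 'Deleted'
            $detail = "Tombstone last changed $($o.whenChanged); was under $($o.lastKnownParent)."
        }
        elseif ($o.whenCreated.ToUniversalTime() -gt $cutoff) {
            $state  = 'RecentlyCreated'
            $detail = "Object created $($o.whenCreated); the name was joined or rejoined recently."
        }
        else {
            $pwdSet = [datetime]::FromFileTimeUtc([long]$o.pwdLastSet)
            if ($pwdSet -gt $cutoff) {
                # Could be routine rotation, or another machine joining under the same name.
                $state  = 'PasswordChangedRecently'
                $detail = "Password set $pwdSet UTC; compare with when the workstation stopped working."
            } else {
                $state  = 'Present'
                $detail = "Object exists, password set $pwdSet UTC; check the workstation's secure channel."
            }
        }
        [pscustomobject]@{ Computer = $ComputerName; State = $state; Detail = $detail; DN = $o.DistinguishedName }
    }
}

Get-ComputerAccountState -ComputerName 'LAB-PC-017'
```

On the affected workstation itself, `Test-ComputerSecureChannel` run from a local administrator session reports whether the machine's stored password still matches the domain's copy.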
[ActiveDir] AD computer accounts being removed
Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda