RE: [ActiveDir] Interesting Scripting Task.....
Last I checked, it's not a bad practice to use commas. It's a bit more work to use the names if you have to escape the commas, but it's not a best practice. In fact, in a displayname, I do want to use commas, but I think you meant in the CN you wouldn't want a comma. I frequently do want them, but mostly because I've always worked with Exchange and the upgrade from 5.5 will often cause that. It's valid, it's not against any best practices, but it can be a pain to work with. You found a workaround, but I wonder if there's another way to handle the special characters? Just curious mostly. From: Smith, Brad [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Date: Thu, 20 Oct 2005 15:16:59 +0100 All, Just thought a quick update might save a bit of pain for those of you that ever want to use the CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf scripts from GPMC. I found a snag where CreateEnvironmentFromXML.wsf can't import user accounts where the name contains a comma (and probably othe special characters). I know it is bad practice to use these in display names, but it is supported by dsa.msc and so inevitably has been used. There are a few ways around this, I got past it by changing line 596 from szName = User.Get(name); To szName = User.Get(samAccountName); This could be done a lot smarter I know, but for a quick fix this works and is all I need for now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: 12 October 2005 13:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-) Thanks again for the heads up Darren. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 10 October 2005 17:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts: CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf That do pretty much everything that you've described below. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Interesting Scripting Task.....
There is bound to be a way round, possibly to escape the character in question, in this case, the evil comma. I say it is bad practise but really I mean it isn't something I would want as opposed to the problems it can create (like this one). It comes down to a trade off between the bit more work and how beneficial/satisfying having a comma there is. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 21 October 2005 14:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Last I checked, it's not a bad practice to use commas. It's a bit more work to use the names if you have to escape the commas, but it's not a best practice. In fact, in a displayname, I do want to use commas, but I think you meant in the CN you wouldn't want a comma. I frequently do want them, but mostly because I've always worked with Exchange and the upgrade from 5.5 will often cause that. It's valid, it's not against any best practices, but it can be a pain to work with. You found a workaround, but I wonder if there's another way to handle the special characters? Just curious mostly. From: Smith, Brad [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Date: Thu, 20 Oct 2005 15:16:59 +0100 All, Just thought a quick update might save a bit of pain for those of you that ever want to use the CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf scripts from GPMC. I found a snag where CreateEnvironmentFromXML.wsf can't import user accounts where the name contains a comma (and probably othe special characters). I know it is bad practice to use these in display names, but it is supported by dsa.msc and so inevitably has been used. There are a few ways around this, I got past it by changing line 596 from szName = User.Get(name); To szName = User.Get(samAccountName); This could be done a lot smarter I know, but for a quick fix this works and is all I need for now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: 12 October 2005 13:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-) Thanks again for the heads up Darren. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 10 October 2005 17:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts: CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf That do pretty much everything that you've described below. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http
RE: [ActiveDir] Interesting Scripting Task.....
I am against commas and spaces and other special characters in any attributes that get used for RDNs. It shouldn't require quotes and escaping to be able to use a DN in my opinion. Since those names are seen by admins, they don't necessarily have to be nice. If you make an application and you build a container/OU structure in your app. Allow people to specify a different structure that doesn't have spaces, commas, and other crap in it cough Exchange cough. Folks who tend to like that putting that stuff in DNs (and folder and file names as well) have normally, from what I have seen, spent most if not all of their time in the GUI. I completely agree that displayname is fine and quite normal with commas. I much prefer see names in the GAL as last, first than first last. The 5.5 issue is with the ADC. You can disable the ADC from changing the CNs like that. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Friday, October 21, 2005 9:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Last I checked, it's not a bad practice to use commas. It's a bit more work to use the names if you have to escape the commas, but it's not a best practice. In fact, in a displayname, I do want to use commas, but I think you meant in the CN you wouldn't want a comma. I frequently do want them, but mostly because I've always worked with Exchange and the upgrade from 5.5 will often cause that. It's valid, it's not against any best practices, but it can be a pain to work with. You found a workaround, but I wonder if there's another way to handle the special characters? Just curious mostly. From: Smith, Brad [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Date: Thu, 20 Oct 2005 15:16:59 +0100 All, Just thought a quick update might save a bit of pain for those of you that ever want to use the CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf scripts from GPMC. I found a snag where CreateEnvironmentFromXML.wsf can't import user accounts where the name contains a comma (and probably othe special characters). I know it is bad practice to use these in display names, but it is supported by dsa.msc and so inevitably has been used. There are a few ways around this, I got past it by changing line 596 from szName = User.Get(name); To szName = User.Get(samAccountName); This could be done a lot smarter I know, but for a quick fix this works and is all I need for now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: 12 October 2005 13:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-) Thanks again for the heads up Darren. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 10 October 2005 17:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts: CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf That do pretty much everything that you've described below. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info
RE: [ActiveDir] Interesting Scripting Task.....
I'm sure you're not indicating that you believe I am a GUI junky, but I'll leave that conversation for another time :) I disagree joe. There will always be a reason to use special characters in those fields. While I *can* change that, and often should find something that is unique across all OU's regardless of the immediate need (think about a worldwide deployment that has more than one jsmith; they should have a guaranteed unique logon name at the minimum because you never know when they plan to use UPN or plan to move to another location that breaks your OU structure. I know there are other ways to modify this behavior..but a logon id should be globally unique wherever possible; that would be a best practice in my mind.) I may as well just bite the bullet and realize that I'll often need special characters and that it could show up in my DN. May as well code for that eventuality and be done with it. Worrying about special characters in a DN is well and good, but I don't see that as a best practice or a requirement. Just a nice to have if you feel like programmatically handling admin and get to a point where you want to be extra efficient (or lazy) with the number of keystrokes. Should displayname and CN be the same? Depends on the person being asked. It's a LDAP thing. And ldap based directories face the same issue. 5.5 and ADC are things that can be modified. Done that many times. Also had to go back and modify the DN's many times for many customers, but that's not as a best practice. That was because they didn't have international needs and because they had efficient programmers. -ajm From: joe [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Date: Fri, 21 Oct 2005 10:06:54 -0400 I am against commas and spaces and other special characters in any attributes that get used for RDNs. It shouldn't require quotes and escaping to be able to use a DN in my opinion. Since those names are seen by admins, they don't necessarily have to be nice. If you make an application and you build a container/OU structure in your app. Allow people to specify a different structure that doesn't have spaces, commas, and other crap in it cough Exchange cough. Folks who tend to like that putting that stuff in DNs (and folder and file names as well) have normally, from what I have seen, spent most if not all of their time in the GUI. I completely agree that displayname is fine and quite normal with commas. I much prefer see names in the GAL as last, first than first last. The 5.5 issue is with the ADC. You can disable the ADC from changing the CNs like that. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Friday, October 21, 2005 9:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Last I checked, it's not a bad practice to use commas. It's a bit more work to use the names if you have to escape the commas, but it's not a best practice. In fact, in a displayname, I do want to use commas, but I think you meant in the CN you wouldn't want a comma. I frequently do want them, but mostly because I've always worked with Exchange and the upgrade from 5.5 will often cause that. It's valid, it's not against any best practices, but it can be a pain to work with. You found a workaround, but I wonder if there's another way to handle the special characters? Just curious mostly. From: Smith, Brad [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Date: Thu, 20 Oct 2005 15:16:59 +0100 All, Just thought a quick update might save a bit of pain for those of you that ever want to use the CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf scripts from GPMC. I found a snag where CreateEnvironmentFromXML.wsf can't import user accounts where the name contains a comma (and probably othe special characters). I know it is bad practice to use these in display names, but it is supported by dsa.msc and so inevitably has been used. There are a few ways around this, I got past it by changing line 596 from szName = User.Get(name); To szName = User.Get(samAccountName); This could be done a lot smarter I know, but for a quick fix this works and is all I need for now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: 12 October 2005 13:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-) Thanks again for the heads up Darren. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 10 October 2005 17:40 To: ActiveDir
RE: [ActiveDir] Interesting Scripting Task.....
to escape the slash? I have fought with this in my own tools. Cover for people who have no clue or piss off people who do have a clue and handle the situation themselves? For instance... Is there a problem with this pseudo-code _VldapserverV_=someservername _VbaseV_=some branch in namespace _VscopeV_=subtree _VservernameV_=get servername from user _VqueryV_=((objectcategory=person)(objectclass=user)(homeDirectory=\\_Vser vernameV_\*)) Submit_Query [_VldapserverV_,_VbaseV_,_VscopeV_,_VqueryV_] Does it work for all name values that could be submitted, say all valid servers are in a dropdown and the user can't type their own names. Given all the possible valid servernames would this code have a possible issue? Yes. If the server name starts with the characters A-F or 0-9 (Hex character set). Correct way to write that filter is ((objectcategory=person)(objectclass=user)(homeDirectory=\5c\5c_Vservername V_\5c*))[3] I have seen that one in the wild a ton of times. What is the general solution I have seen? Why to forget about the slashes and simply wildcard the first part of the query like ((objectcategory=person)(objectclass=user)(homeDirectory=*_VservernameV_\*) ) Yeah that is efficient[4]. I would be willing to bet lunch that there is some professionally written code somewhere in this world that does exactly that. Why? Because I have seen it multiple times in non-pro code and people like to cut and paste. In many cases the difference in professional code and other code is that you pay for one and not the other. So how do you handle it generically? Was the double slash to escape the second slash or was double slash intended so it should be escaped to \5c\5c? Or was it supposed to be slash and then an escaped hex A through F? Since you know specifically what this field is for above you can add extra logic to protect against bad things, that doesn't work in the generic case though say where someone is constructing the LDAP query or some portion of it. I know, this doesn't apply to DNs... But doesn't it? You can query on DNs and you can query on the various RDN values, they have to be handled in different ways. It can be confusing for people who do understand what is going on let alone those that are simply trying to make someone else's c#, perl, or vbscript code work. Quoting generally isn't too confusing as long as you are aware that if you have special characters at the command line or spaces, you need to quote the params. However, I get at least literally 800-1000 emails a year from people who say one of the tools isn't working and it is simply due to the fact that they have no idea that you need to quote params with spaces or characters such as pipe or ampersand, etc. It especially makes me laugh when they talk about what an expert they are and how they can do anything so there is something obviously wrong with my program because if they can't get it to work, it just must be wrong. ;o) joe [1] It's a word now, deal with it. ;o) [2] I certainly don't believe you have to be formally trained to become a entry level or even great programmer. But someone who has learned on their own is often not in a position to have learned programming fundamentals as that probably wasn't on their goal sheet. If they are really bright and have been doing it for some time they probably will have developed a sense of what those fundamentals are or may be though through trial and error or looking at issues they kept hitting in an objective scientific manner. [3] If anyone just said huh, go here http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/s earch_filter_syntax.asp [4] http://www.google.com/search?nq=define%3A+sarcasm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Friday, October 21, 2005 11:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. I'm sure you're not indicating that you believe I am a GUI junky, but I'll leave that conversation for another time :) I disagree joe. There will always be a reason to use special characters in those fields. While I *can* change that, and often should find something that is unique across all OU's regardless of the immediate need (think about a worldwide deployment that has more than one jsmith; they should have a guaranteed unique logon name at the minimum because you never know when they plan to use UPN or plan to move to another location that breaks your OU structure. I know there are other ways to modify this behavior..but a logon id should be globally unique wherever possible; that would be a best practice in my mind.) I may as well just bite the bullet and realize that I'll often need special characters and that it could show up in my DN. May as well code for that eventuality and be done with it. Worrying about special characters in a DN is well and good, but I don't see that as a best practice or a requirement. Just
RE: [ActiveDir] Interesting Scripting Task.....
As for there being a good reason for having funky characters and spaces in RDNs I would always question the reason it was said it was needed. I haven't seen a good reason yet for a comma or a space in an RDN other than to make it pretty. Again, these are admin level constructs, they don't need to be pretty. That is why you have a displayName attribute in the first place. Ok I can be persuaded, but I'm taking issue with the idea that it's a best practice. I'm not convinced it's a best practice. As evidence, I'd say there would be no other need for special character escaping in that construct. I don't have a great reason unless the characters are in need of being escaped. Spaces don't belong period. Your uniqueness argument confuses me. If you have multiple jsmith IDs around the world, you already have a uniqueness issue. The solution is to not have multiple jsmith IDs. You have jsmith, jsmith1, jsmith2 or some other mechanism for creating unique IDs. Are you suggesting we use special characters instead? Obviously I have some level of Enterprise experience, using display names as the CN doesn't get you uniqueness, heck when I was at MSU there were two of us on campus with EXACTLY the same first, middle, and last names. Heck of a coincidence. The only people who had an issue with it was the postal folks since the primary uniqueness key outside of address was display name. So something addressed to my name at MSU actually had two possible delivery locations. It had to have more info like building or room and building to definitely get a unique hit (and even then they often screwed up the delivery). In rereading it, sometimes it confuses me :) My point was that CN's should be unique globally and should NOT match the displayname attribute as they tend to do if you follow the GUI wizard as many will. Personally, I figure the right tool for the job. If you have few administrative issues you'll tend to use the native and easier tools. If you have more tasks, automation becomes a big deal. Size matters as well, since you'll want to automate more if you have more targets. In both scenarios, you'd want to automate if you disliked the options presented by the native tools. Interesting joe; not sure I'm convinced yet though. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 21, 2005 6:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Not picking on you Al. However, Exchange people in general are GUI junkies. That is how they were born and bred by MS, it is not entirely the fault of the admin. And if they were command line junkies in a life prior to Exchange, MS thoroughly beat it out of them with the dearth of any serious command line tools for Exchange. Heck the more I deal with Exchange the more I find myself in LDP wandering around versus command line because of the horrible layout in the config container. I will probably end up writing a GUI version of adfind just because of Exchange and my level of irkedness[1]. Anyway, I will let you answer if you are a GUI junkie or not, I have never seen you work so I don't know if the command prompt windows out-number your GUI windows or if you have a problem with a user if you first go to aduc or the command line. Not trying to insult you or anyone else, if someone likes the GUI, they like the GUI. I don't think admin work is generally as efficient if always done with the GUI but that is for each admin to figure out on their own. If you have two admins side by side who are both just as good at solving problems but admin 2 takes 30 seconds to add some 50 new OUs and admin 1 spends more time trying to get ADUC open to the right location you can see where that is going to go long term. I am glad that Microsoft as a whole realized prior to Windows Server 2003 that the command line was important. It seems the Exchange team has made that discovery now for E12 though I still question some of what I have been seeing as they still seem to be dragging the GUI fat for info retrieval with them with some of the MONAD stuff, only there is no GUI to require it. As for there being a good reason for having funky characters and spaces in RDNs I would always question the reason it was said it was needed. I haven't seen a good reason yet for a comma or a space in an RDN other than to make it pretty. Again, these are admin level constructs, they don't need to be pretty. That is why you have a displayName attribute in the first place. Your uniqueness argument confuses me. If you have multiple jsmith IDs around the world, you already have a uniqueness issue. The solution is to not have multiple jsmith IDs. You have jsmith, jsmith1, jsmith2 or some other mechanism for creating unique IDs. Are you suggesting we use special characters instead? Obviously I have some level of Enterprise experience, using display names as the CN doesn't get you uniqueness
RE: [ActiveDir] Interesting Scripting Task.....
Good point. Personally, I don't see a value for a comma or a space in this section. Some apps might though (they tend to be very old apps). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, October 21, 2005 9:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. There is bound to be a way round, possibly to escape the character in question, in this case, the evil comma. I say it is bad practise but really I mean it isn't something I would want as opposed to the problems it can create (like this one). It comes down to a trade off between the bit more work and how beneficial/satisfying having a comma there is. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 21 October 2005 14:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Last I checked, it's not a bad practice to use commas. It's a bit more work to use the names if you have to escape the commas, but it's not a best practice. In fact, in a displayname, I do want to use commas, but I think you meant in the CN you wouldn't want a comma. I frequently do want them, but mostly because I've always worked with Exchange and the upgrade from 5.5 will often cause that. It's valid, it's not against any best practices, but it can be a pain to work with. You found a workaround, but I wonder if there's another way to handle the special characters? Just curious mostly. From: Smith, Brad [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Date: Thu, 20 Oct 2005 15:16:59 +0100 All, Just thought a quick update might save a bit of pain for those of you that ever want to use the CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf scripts from GPMC. I found a snag where CreateEnvironmentFromXML.wsf can't import user accounts where the name contains a comma (and probably othe special characters). I know it is bad practice to use these in display names, but it is supported by dsa.msc and so inevitably has been used. There are a few ways around this, I got past it by changing line 596 from szName = User.Get(name); To szName = User.Get(samAccountName); This could be done a lot smarter I know, but for a quick fix this works and is all I need for now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: 12 October 2005 13:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-) Thanks again for the heads up Darren. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 10 October 2005 17:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts: CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf That do pretty much everything that you've described below. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List
RE: [ActiveDir] Interesting Scripting Task.....
All, Just thought a quick update might save a bit of pain for those of you that ever want to use the CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf scripts from GPMC. I found a snag where CreateEnvironmentFromXML.wsf can't import user accounts where the name contains a comma (and probably othe special characters). I know it is bad practice to use these in display names, but it is supported by dsa.msc and so inevitably has been used. There are a few ways around this, I got past it by changing line 596 from szName = User.Get(name); To szName = User.Get(samAccountName); This could be done a lot smarter I know, but for a quick fix this works and is all I need for now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: 12 October 2005 13:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-) Thanks again for the heads up Darren. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 10 October 2005 17:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts: CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf That do pretty much everything that you've described below. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Interesting Scripting Task.....
Did groups that have not been created that are a member of a group that has been created pose a problem? IE, if the LDf restores Group A, and group A has Groups B C as members, but Group C doesn't exist yet.how did that work ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 11 October 2005 16:29 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. To automate the import of the .ldf files you need to shell to a command prompt and run the ldif import commands appropriate for what you want to do. A batch file would work as well. If you wanted to automate it all, you could use the batch/.cmd file completely to do this. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jensen, Ken Sent: Tuesday, October 11, 2005 10:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. There must be a scriptable way of automating the import of .ldf files as well. We have had good success re-creating our production environment using server imaging and exports of our OU, groups and user fields. We did have a bit of trouble with users and groups but found it was the order in which we did it that mattered. As long as all the groups are done before users, we didn't have a lot of issues and could break, err , test things quite realistically. Regards, Ken Jensen Capistrano Unified School District San Juan Capistrano, California I tell ya, if that did it for me, I'd be the happiest man on earth... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Tuesday, October 11, 2005 1:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Thanks all for the replies Darren- I wil linvestigate the scripts you mention and see how I get on. Al/Ed- I need to run this on the same network as the production domain (W2K) and hence need to use a different domain name Kamlesh- The original post of that tool is what got me started thinking this is possible. I didn't have much louck using Xsync unfortunately, it seemed a bit lacking functionality as it didn't do GPO's at all and needed the logon/password credentials in each domain to be identical...weird but annoying. I will report back when I have looked into Darren's scripts -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: 10 October 2005 23:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This communication and any documents, files, or previous e-mail messages attached to it constitute an electronic communication within the scope of the Electronic Communication Privacy Act, 18 USCA 2510. This communication may contain
RE: [ActiveDir] Interesting Scripting Task.....
I guess it could restore the groups first, then configure the memberships -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 11 October 2005 16:29 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. To automate the import of the .ldf files you need to shell to a command prompt and run the ldif import commands appropriate for what you want to do. A batch file would work as well. If you wanted to automate it all, you could use the batch/.cmd file completely to do this. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jensen, Ken Sent: Tuesday, October 11, 2005 10:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. There must be a scriptable way of automating the import of .ldf files as well. We have had good success re-creating our production environment using server imaging and exports of our OU, groups and user fields. We did have a bit of trouble with users and groups but found it was the order in which we did it that mattered. As long as all the groups are done before users, we didn't have a lot of issues and could break, err , test things quite realistically. Regards, Ken Jensen Capistrano Unified School District San Juan Capistrano, California I tell ya, if that did it for me, I'd be the happiest man on earth... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Tuesday, October 11, 2005 1:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Thanks all for the replies Darren- I wil linvestigate the scripts you mention and see how I get on. Al/Ed- I need to run this on the same network as the production domain (W2K) and hence need to use a different domain name Kamlesh- The original post of that tool is what got me started thinking this is possible. I didn't have much louck using Xsync unfortunately, it seemed a bit lacking functionality as it didn't do GPO's at all and needed the logon/password credentials in each domain to be identical...weird but annoying. I will report back when I have looked into Darren's scripts -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: 10 October 2005 23:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This communication and any documents, files, or previous e-mail messages attached to it constitute an electronic communication within the scope of the Electronic Communication Privacy Act, 18 USCA 2510. This communication may contain non-public, confidential, or legally privileged information intended for the sole use of the designated recipient(s). The unlawful interception, use
RE: [ActiveDir] Interesting Scripting Task.....
The script Darren pointed out seem to be working just fine, now I need to configure a decent migtable ;-) Thanks again for the heads up Darren. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 10 October 2005 17:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts: CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf That do pretty much everything that you've described below. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Interesting Scripting Task.....
Thanks all for the replies Darren- I wil linvestigate the scripts you mention and see how I get on. Al/Ed- I need to run this on the same network as the production domain (W2K) and hence need to use a different domain name Kamlesh- The original post of that tool is what got me started thinking this is possible. I didn't have much louck using Xsync unfortunately, it seemed a bit lacking functionality as it didn't do GPO's at all and needed the logon/password credentials in each domain to be identical...weird but annoying. I will report back when I have looked into Darren's scripts -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: 10 October 2005 23:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Interesting Scripting Task.....
Yep, if you need to have it on the same network and accessible via the same network for multiple machines (can't just remote to it) then you'll certainly want the scripting route. LDAP/ADSI (as Ed also mentioned) is pretty easy as long as you get the order correct, while the GPO's might take a little more work that that. If those scripts work out, you're pretty much home free after you do the transform. Another option would be to use something like MIIS to achieve these goals and keep things in sync. Scripts would be more useful for large scale changes (wipe and reload scenarios) while MIIS (or similar) would be much easier for incremental changes. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Tuesday, October 11, 2005 4:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Thanks all for the replies Darren- I wil linvestigate the scripts you mention and see how I get on. Al/Ed- I need to run this on the same network as the production domain (W2K) and hence need to use a different domain name Kamlesh- The original post of that tool is what got me started thinking this is possible. I didn't have much louck using Xsync unfortunately, it seemed a bit lacking functionality as it didn't do GPO's at all and needed the logon/password credentials in each domain to be identical...weird but annoying. I will report back when I have looked into Darren's scripts -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: 10 October 2005 23:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Interesting Scripting Task.....
There must be a scriptable way of automating the import of .ldf files as well. We have had good success re-creating our production environment using server imaging and exports of our OU, groups and user fields. We did have a bit of trouble with users and groups but found it was the order in which we did it that mattered. As long as all the groups are done before users, we didn't have a lot of issues and could break, err , test things quite realistically. Regards, Ken Jensen Capistrano Unified School District San Juan Capistrano, California I tell ya, if that did it for me, I'd be the happiest man on earth... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Tuesday, October 11, 2005 1:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Thanks all for the replies Darren- I wil linvestigate the scripts you mention and see how I get on. Al/Ed- I need to run this on the same network as the production domain (W2K) and hence need to use a different domain name Kamlesh- The original post of that tool is what got me started thinking this is possible. I didn't have much louck using Xsync unfortunately, it seemed a bit lacking functionality as it didn't do GPO's at all and needed the logon/password credentials in each domain to be identical...weird but annoying. I will report back when I have looked into Darren's scripts -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: 10 October 2005 23:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This communication and any documents, files, or previous e-mail messages attached to it constitute an electronic communication within the scope of the Electronic Communication Privacy Act, 18 USCA 2510. This communication may contain non-public, confidential, or legally privileged information intended for the sole use of the designated recipient(s). The unlawful interception, use or disclosure of such information is strictly prohibited under 18 USCA 2511 and any applicable laws. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Interesting Scripting Task.....
To automate the import of the .ldf files you need to shell to a command prompt and run the ldif import commands appropriate for what you want to do. A batch file would work as well. If you wanted to automate it all, you could use the batch/.cmd file completely to do this. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jensen, Ken Sent: Tuesday, October 11, 2005 10:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. There must be a scriptable way of automating the import of .ldf files as well. We have had good success re-creating our production environment using server imaging and exports of our OU, groups and user fields. We did have a bit of trouble with users and groups but found it was the order in which we did it that mattered. As long as all the groups are done before users, we didn't have a lot of issues and could break, err , test things quite realistically. Regards, Ken Jensen Capistrano Unified School District San Juan Capistrano, California I tell ya, if that did it for me, I'd be the happiest man on earth... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Tuesday, October 11, 2005 1:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. Thanks all for the replies Darren- I wil linvestigate the scripts you mention and see how I get on. Al/Ed- I need to run this on the same network as the production domain (W2K) and hence need to use a different domain name Kamlesh- The original post of that tool is what got me started thinking this is possible. I didn't have much louck using Xsync unfortunately, it seemed a bit lacking functionality as it didn't do GPO's at all and needed the logon/password credentials in each domain to be identical...weird but annoying. I will report back when I have looked into Darren's scripts -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: 10 October 2005 23:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Interesting Scripting Task. I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This communication and any documents, files, or previous e-mail messages attached to it constitute an electronic communication within the scope of the Electronic Communication Privacy Act, 18 USCA 2510. This communication may contain non-public, confidential, or legally privileged information intended for the sole use of the designated recipient(s). The unlawful interception, use or disclosure of such information is strictly prohibited under 18 USCA 2511 and any applicable laws. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http
[ActiveDir] Interesting Scripting Task.....
All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Interesting Scripting Task.....
Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts: CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf That do pretty much everything that you've described below. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Interesting Scripting Task.....
Exporting users, groups etc and then recreating them in a new environment is not terribly difficult. Getting the security settings and the GPO information recreated is a bit more difficult. This is not an export and copy, it's an export and create new that looks like the old situation if you do it that way. What do you have to work with? Is it too much to recreate the environments by overlaying the production, cleaning up the metadata and letting it loose? Or do you have workstations and servers in the environment to be concerned about? Al - Original Message - From: Smith, Brad [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, October 10, 2005 11:07 AM Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Interesting Scripting Task.....
I am copying the exact post from Tiro Yann, Hi Activedir List :) A new free tool is now available here http://www.yside.com/projects/tools.htm which name is XSync v0.2 It duplicates your real AD Domain in a test lab with no SID issues. Thanks a lot to Chris Wall ([EMAIL PROTECTED] ) who made the information available on the ExhcangeList with the same thread Duplicate your AD domain with this new (free) tool. Cheers, Yann On 10/10/05, Smith, Brad [EMAIL PROTECTED] wrote:All,I am pondering the possibility of automating the creation of development environments.The problem I am hoping to solve is that a lot of our testingneeds to be done in an environment where all our Ous, GPOs, Groups and soforth are present.Recreating this is a nightmare,so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Usersand GPO's (including security) and then restores them in a different targetdomain (different forest too).Has anyone attempted/achieved this before? BradThis email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- ~~~Fortune and Love befriend the bold~~~
RE: [ActiveDir] Interesting Scripting Task.....
I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, October 10, 2005 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interesting Scripting Task. All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our Ous, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OU's, Groups, Users and GPO's (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before? Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/