A much more simple option is to use the IADsTools interface (from the
Support Tools). It has a TranslateNT4ToDN function. In general, if there
is a DS API you want to use from Perl or VBScript, there is a good chance a
wrapper for it exists in IADsTools (there are a few exceptions).
Here is a
Wow, I am impressed. I still can't read that code. Would rather get my
old Latin text books out and do some light reading there.
Good job.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A
Contr AFRL/VSIO
Sent: Tuesday, August 05, 2003 1:39
I use the old NT 4.0 server manager to determine what shares are in use. That
gives you some visibility.
Dave
-Original Message-
From: Agung Kuswanto NCS [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 6:40 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Who's online
There is no change log maintained however you can look at the
replication metadata for an object (assuming you have appropriate
permissions) that will give you date and time stamps of originating
changes. Take a look at repadmin /showmeta. Also if you are nice Robbie
might post a code snippet
Joe, never forget: Coppula eam se non posit acceptera joccularum
(spelling is probably off, but you should get the gist :^) )
John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday,
I'm seeking some
feedback regarding the use of the new 2003 admin. tools against a Windows 2000
only directory. I implemented these tools many moons ago on an internal,
production 2000 forest on both XP and Server 2003 clients and have experienced
no significant (insurmountable) issues.
The rule of thumb I've always heard is RAM×1.5, so 1.5 GB.
Ray at work
-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
So you have a Gig of ram on a DC, what do you all set the
pagefile size to?
Memory +11 MB?
Like to hear your feedback.
Title: How to delegate the extended right to migrate sIDHistory
In order to allow test migrations from our NT4 world to 2003 AD, we currently have many regional and departmental admins as Domain Admins in our test 2003 AD so we can migrate and utilise sIDHistory. I would prefer it if we could
Just as an aside here - MS of course displayed their VM server at tech ed -
one nice idea was DR for Exchange 2003 - you would basically generate a new
email server in minutes on a VM - users are then back online and you then
begin to backfill their email from tape.
List info :
We got this issue resolved late last night. The simplest solution for
us, was to enable a trust relationship with the NT4.0 domain. Then we
simply made the necessary changes via NT4.0. It worked surprisingly well.
Thanks for all of the information everyone. This issue can now be
closed.
Erick
Title: Message
I enabled the logging, and am currently looking at the file. I don't
see anything glaring out as an error, or showing that something was skipped
Any suggestions as to where I should look in this log for the problem??
Thanks.
Charles
-Original Message-
From:
Title: Message
Yuck (technical term). Dr. Watson isn't a good thing. Loading a Win2K .adm should not
cause a Dr. Watson on the MMC. Not sure why you're getting a SQLServerAgent
error--that's pretty unrelated to policy. If it's possible, you may want to
delete this GPO and start from scratch.
David,
We use similar methodology for our DR tests, by keeping a laptop running as a
DC on our live network, then transferring FSMO roles at the DR site. This has worked
flawlessly for us. We are now looking to be able to restore our AD environment to a
totally different server. Problem
Title: Message
Schema Extensions aren't bad, if they are documented correctly and properly replicated
throughout the forest. Rob, didn't you say that you found a way to clean
up old schema extensions that Microsoft "fixed" in SP3.
Dean,
Why is it necessary for you to extend the native tool
Title: Message
IE Maintenance has two modes--preference and mandatory. Preference says, "hand down
IE policy but then let the user change it" whereas mandatory says, "reinforce it
all the time". You can see this by right clicking the IE Maintenance node and
choosing either Preference mode
The name is going to depend on the antivirus vendor.
But...this is not an antivirus vendor issue...this is a patch issue. The
patch has been available for a couple weeks. Grab
MS03-026.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, August
maybe a wayward browse master?
Mike Thommes
-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 12:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Max Connections?
I'm using a Windows 2000 Server computer as a File Server but sometimes
It's different on different computers but a starting point would be Network
Neighborhood\Properties, identify your NIC then right click to
\Properties\Configure\, then look at media type. We have a public network
performance tester at:
http://miranda.ctd.anl.gov:7123/
that
I must say I am using this and I find it more reliable than Insight
Manager. It emails my phone and my regular email whenever a server is
not pingable (or if a certain service is not running). The check
interval is 2 minutes on mine, which catches most things quickly enough
for my needs. I
Yes
(ADS Library reference if you use COM interface)
(library active directory VS 2002 VS 2003)
Bye
Title: RE: [ActiveDir] Anonymous Logon
Then again you know Rick Kingslan has wonderful AD knowledge !!!
Carlos Magalhaes ADSI MVP
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 06, 2003 3:02 PM
To: ActiveDir
Subject: Re: [ActiveDir]
Title: Message
I know that "echo %LOGONSERVER%"
from the command prompt will give you the DC that you used but the only way I know
how to force the use of a particular DC is to put garbage information for the
DC you do not want to use in the Hosts/LMHosts file on
the client.
The machine
Hi,
For 2000 and later you can use wmi to sort this out:
' List the caption and version of each operating system instance via WMI
For Each os In GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")
    WScript.Echo "Version: ", os.Caption, os.Version
Next
Regards
Volker
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday,
Non-disabled user accounts (excluding system security principals such as
trust accounts) -
(&(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl=2080)))
Disabled user accounts (excluding system security principals such as trust
accounts) -
Title: Message
These are all 2000 machines
Under the GPO, I have Apply Group Policy Asynchronously for Users
enabled.
Charles
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 13:47
To:
i know this one has probably been done about 500 times already, but was
hoping to sound the mailing list out on techniques of differentiating
between Windows 2000 / NT4 from login script, given that both Windows 2000
and NT4 return Windows NT from a query of the OS Version environment
variable
GT
Thanks Dean - from your answer and that of Mr. Welch, it was a quick trip to Google to
find MS KB article 269181 that explains this in detail (in case anybody else is
interested). The part about there being two controls available (bitwise AND and
bitwise OR) will be helpful for other things I
Title: Message
We are rolling our W2k network out, and have successfully migrated from NT4.0. Previously we had
set our user account's password to expire at the end of the year. However, going
through and enabling each individual account is not an option, as of yet I have
not found a way in
All,
I've been scrambling around the Internet looking for information about the ISA-Front End
server combination. There are not too many informative sites out
there. I've been trying to design a load balancing solution from the
connection from my ISA server to my multiple front end servers. NLB
Title: Message
You can not set password expiration for a group of users. Password expiration is a
global domain policy. Now if you are looking to simply unexpire a group of users
you could write (or most likely at this point) find a script that will take a
CSV file and either reset the
I think the standard formulas work well as a starting point, but over the years I've
gotten stingy on pagefile size, since you can get defragmentation in the pagefile and
really big ones can get correspondingly more fragmented if they start to get up to a
fair percentage of total disk space. In
Title: Message
You can use set logonserver to get the OS to tell you what it used for an
interactive logon. You can use nltest /dsgetdc:domainname to see what its
preferred ldap server is. You can use nltest /sc_query to see where the secure
channel is.
To force a specific DC to be used
Dennis,
He's not looking to set this through policy, methinks.
Erick, try this link for how to do this through script:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi
/winnt_account_expiration.asp
Watch the word wrap, and good luck!
John
Title: Message
What you're looking for is any log items from the IE Maintenance extension as it
tries to process the policy during user logon. Look for messages as to whether
it skipped processing for some reason or couldn't process the policy.
-Original Message-
From: Charles
How I can create one attribute and add to the
class using visual basic???
For example create the attribute
"socialNumber" and adding to "user" class in optional attributes.
At this moment I manage all objects, only need
extend the schema, I have the program oidgen.exe (Microsoft Resources Kit)
NETDOM and NLTEST works on Win2000. with NETDOM i can also see trusts to NT4-Domains.
but what can i do, to see trusts from NT4-Servers. i need a way to find it out
with a (selfprogrammed) program/script.
in Win2000 the script
Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504
-Original Message-
From: EN [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 11:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to force
I'm searching the knowledgebase, but I thought maybe someone had
something
I could use here as well.
Well, one of my DCs just died, hard drive failed completely. Fine.
I have another DC, but now I can't change the RID role. I could change the
GC, PDC and infrastructure,
but the RID master
Charles-
Have you checked out this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;306915? It's not exactly the
same but could be your problem.
Darren
-Original Message-
From: Charles Campbell [mailto:[EMAIL PROTECTED]
Sent: Mon 8/11/2003 6:10
Thanks,
I have a question though. I want to still use this server. I got a
completely new
HD in there now, and I want to use the same name. Bad idea? What should
I really do, this is the first time this has happened and I haven't read of
what
should be done when something like this occurs.
I've been getting hammered on this one myself... My firewall logs are packed
with hits to ports 135 and 445.
Charles
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 19:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT]
LOL :^) Ok, it's VERY rough.
John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephant's rump, then the
approach needs to be reevaluated.
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Do you have the exact virus name?
CM
Title: Message
For normal day to day things like resetting passwords, unlocking accounts, the normal tools are
just fine.
This entirely depends on the size of the organization in relation to the size of the
help desk staff and I guess coupled with SLA's (i.e. is it ok to wait 3 days for
Thanks for all enlighten!!!
Can this command be called from machine other than the server itself?
Best regards,
Agung
-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 8:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Who's
Just write it clearly... Use whitespace and good variables and DOCUMENT
your regexs...
Also perl is easy to read (and possible to write) in notepad...
Perl can be a write only language, but then so can just about any
language if you don't try to make it readable.
-Original Message-
I made those changes and I found an article about scripting home
folders. I can not find the article here, but I have it bookmarked at
home. The article said something about making sure the folders exist
before attempting to set the home folder. So I changed the code to
below.
I still need to
Add myITforum.com to that list...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBscript Help
I keep a list of these sites - hope this helps
Many thanks for all the pointers. I better order some of the books :-) and read them,
QUICK!
Jacqui
from:Gil Kirkpatrick [EMAIL PROTECTED]
date:Thu, 07 Aug 2003 17:36:25
to: [EMAIL PROTECTED]
subject: RE: [ActiveDir] VBscript Help
Alain Lissoir's two books are great:
Title: Message
The only thing that comes to mind is using a GPO with block inheritance, but I
don't believe that works. Alternately, one could script an unlock tool
which periodically unlocks the account.
So, how far in the future will it be when the IIS SMTP event sink model is
Admin raises his beer mug to Robbie in acknowledgment
CHEER!
/...
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Tuesday, August 05, 2003 9:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String
Come on
Sounds like a good idea Mark.
Creation of a private VPN over the internet to form the larger Lab would
take care of the external security problems, but not the internal ones
(ie do you trust the other people).
the main issues I can see with doing this is exactly what people want to
test, and
Jacqui,
I feel your pain; I read your e-mail and thought I had written it :-).
I went to a book store and picked up Microsoft's Windows 2000 Scripting
Guide I have had really good luck with it, although everything I need
isn't in there, I have been able to find what else I need on the web or
by
In my real world there are only 3 people other than myself in the whole
world who have administrator level rights in AD and on DC's and have
interactive logon rights to DC's who can make core level changes. This
is for a global production forest comprising around 380 domain
controllers and some
Alain Lissoir's two books are great:
Understanding WMI Scripting
Leveraging WMI Scripting
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Dean,
thanks for the info.
As you said, the changes don't sound too extreme,
but yes, the SchemaVersion would be the major concern.
I would be interested to see what the MS guys have
to say.
G.
- Original Message -
From: Dean Wells
To: AD mailing list (send)
Title: Message
Machine account change frequency (default) NT is 7 days W2K is 30.
That's how we have always managed machine accounts. Just had to tweak the interval in
the PERL script when W2K showed up :-]
Over the threshold, whack the account
-Original Message-
From: Steve
Yes, you could have an OU for groups if you want. But the pros and cons all
depend on the way you want to administrate your AD. Can you give a bit more
info on your environment?
Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
CEO Principal
Could you please send it to [EMAIL PROTECTED] Thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy
We do. It is our way to display the GPO's in human readable
Title: Message
use a local SMTP engine (IIS SMTP ) and let DNS route the messages out for you.
Shawn
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 8:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:
If web services or ftp are running on those, both those services allow anon
to access the main page,
- Original Message -
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon
Rick,
The
Do you have your GPO set to apply the
changes even when the GPO hasn't changed? If not, it may be worth
enabling this option in your GPO:
Computer Configuration/Administrative
Templates/System/Group Policy/Internet Explorer Maintenance/Process even
if Group Policy Objects have not
Great post
--
Sent from my BlackBerry Wireless Handheld
- Original Message -
From: ActiveDir-owner
Sent: 08/05/2003 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon
Cindy,
If you're going to have to keep all audit entries, you're going
Gil, you should give one out for every Enterprise purchase of Netpro
Products.
Todd Myrick
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection
Title: Message
Hi Mike,
You can require "complex" passwords by setting the Domain Security Policy -
Account Policies - Password Policy - Password must meet complexity
requirements.
Here is more info:
http://www.microsoft.com/technet/treeview/default.asp?url=
After setting password
Dean -
given all that, why not just do the whole ADPrep /forestprep and /domainprep?
Even if the domain stays Win2K forever, would there be any harm in doing
so? From what I've seen, there isn't.
I guess the question is, why is it more acceptable (to your customer) to do a
subset of these
We do. It is our way to display the GPO's in human readable format.
Dan
-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Group Policy
Does anyone have a Group Policy Spreadsheet ?
Title: LDAP & LastLogin for Computers
Hunter,
Are you actually querying the workstation, or just
the user accounts? If you're finding out when a computer was last logged onto, I
would LOVE to have a copy of the script as well (so I can kick our desktop
support guys in the bum to clean up
Cindy,
If you're going to have to keep all audit entries, you're going to have a
tough time. I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication
Ryan,
My understanding is that the only way to do this is to hook into the
password filter DLL. This is a Win32 DLL that the DC calls whenever a user
or administrator initiates a password change, whose job is to verify the
quality of the new password.
The DLL is your own code, so it can do
It's in the "Domain Security Policy" mmc, under
Windows Settings/Security Settings/Account Policies/Password Policy
Passwords must meet complexity requirements = Enabled
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, August
Password complexity is enabled thru the Domain GPO. It is an on or
off function, not configurable. It curtails the success of dictionary
hacks by requiring 3 out of the following 4 in all user's passwords - Uppercase,
lowercase, numbers, special characters. It also will not allow the
password to
101 - 172 of 172 matches