RE: [ActiveDir] schema updates

2004-01-30 Thread Bernard, Aric
Joe makes a good point about PAS here. Changes to the partial attribute set are what generally force the reset status on GCs not the schema change itself. If your custom extensions have not been configured for inclusion in the GC, there should not be a

RE: [ActiveDir] Contents of GC

2004-01-30 Thread joe
I finally remembered!!! Lingering Objects! Once I had that I found the KB article quickly enough. Thank Google... http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314282 joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent:

RE: [ActiveDir] Contents of GC

2004-01-30 Thread Tony Murray
Ouch, that looks nasty. What's funny is that the KB article shows a method for many objects, which relies on you having the object GUIDs in a text file. The example it gives for obtaining the object GUIDs is to use LDP. For 10,000 objects? I think not. CSVDE or script would be the better

RE: [ActiveDir] Contents of GC

2004-01-30 Thread joe
Nod. Highly recommend a solution of equal parts perl and adfind. Adfind to well, find, and perl to control flow and delete. Note script will take an hour or so to write depending how fancy someone wants to get and flexible and how much protection. Then log in with an admin id for a minute or two

RE: [ActiveDir] Contents of GC

2004-01-30 Thread Eljin B. Brown
Tony, An alternative is to do the unGC but the garbage collection only removes 5000 objects per garbage collection cycle unless you use a fast demote vbs script. From the sound of it, it would be best to do the ungc and regc method. NOTE: don't reGC until all gc objects are removed or life will

RE: [ActiveDir] Contents of GC

2004-01-30 Thread Tony Murray
Eljin A quicker option would be to make a minor change to the PAS and wait for the GC full sync to put everything right. And watch your available network bandwidth plummet! I have been thinking about whether the unGC/reGC (as you put it) method would work. I think you would have to look very

RE: [ActiveDir] schema updates

2004-01-30 Thread Roger Seielstad
To me it depends if you're stacking like or unlike schema updates. For instance, with Exchange 2000 there are 2 sets of updates - the ADC and the Exchange proper ones. I'd stack those any day. Now - if you're talking custom schema stuff, or extensions

RE: [ActiveDir] schema updates

2004-01-30 Thread joe
I will debate this one... :op First no one should put in anything they don't completely trust. I allowed that to happen once and now I have a bunch of attributes/objects out there that have nothing to do with anything and almost certainly won't be used

RE: [ActiveDir] schema updates

2004-01-30 Thread Tony Murray
I completely agree with you Joe. I've been hassling vendors left, right and centre to provide LDIF files for schema extensions. Unfortunately, no one appears to listen. The most recent extensions I've tested have been from MS (SMS 2003) and HP (Managed Objects), both of which fail to provide

[ActiveDir] permissions requests

2004-01-30 Thread Rich Milburn
I have to mention this up front the solution to this can't be a $25,000 admin tool :) We've got an issue I've mentioned in passing before regarding permissions. We tend to assign global groups NTFS permissions to files on our servers, and leave Everyone

RE: [ActiveDir] schema updates

2004-01-30 Thread joe
Darn Vendors!!! Of course we could always crutch this by creating a Schema diff file, snap the schema, update the schema, diff it, generate the ldif ourselves. Not recommending that to anyone but is something I have been thinking about. While we are on the topic of schema updates, one other

RE: [ActiveDir] schema updates

2004-01-30 Thread Joe Baguley
ActiveRoles from Quest has always come with an update utility and an LDIF file is available on request for exactly the reasons you describe... Joe. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: 30 January 2004 14:47 To: [EMAIL

RE: [ActiveDir] permissions requests

2004-01-30 Thread Willem Kasdorp
Tough situation. Looks like the permissions issue got completely out of hand. A consistent policy is the only way I know of solving this. Either a user has permissions on a subtree, or he does not. Meddling with in-between permissions is the road to

RE: [ActiveDir] schema updates

2004-01-30 Thread Tony Murray
Of course we could always crutch this by creating a Schema diff file I did this with the RightFax schema extensions.[1] Seemed to work ok, but I was never 100% sure I'd got it right. You don't want to end up testing things that might not actually be the thing you want to test (if you see what

RE: [ActiveDir] Contents of GC

2004-01-30 Thread Dean Wells
As already pointed out, Jorge is suffering from a read-only lingering object issue. Deletion of such objects in 2000 remains a painful process but is now feasible (earlier versions of 2000 AD provided no on-the-fly means of removing these kind of errant objects short of fully de-GCing and

RE: [ActiveDir] 5,000 direct member limit

2004-01-30 Thread Dean Wells
I'm not sure what further information I can provide. As has already been stated, the limitation is imposed by ESE and is, IMO, two fold - 1. ESE's inability to append to existing attribute values 2. An ESE buffer known as the version store. The buffer is of a finite yet DC to DC variable size

RE: [ActiveDir] permissions requests

2004-01-30 Thread Burns, Clyde
The easy question... "I'm also interested in how people deal with local groups when a server needs to be migrated." I use an excellent product from www.smallwonders.com called secure copy. It does global groups, local groups, ntfs perms, and shares. Has a

RE: [ActiveDir] Contents of GC (straying slightly OT)

2004-01-30 Thread Tony Murray
Thanks for the correction Deano - I can live with being wrong :-) So the GC full sync is not really a synchronization as such (at least from my understanding of the word). I still don't understand why the GC would behave in this way during a full sync. I mean, why would the GC want to hang onto

RE: [ActiveDir] Contents of GC (straying slightly OT)

2004-01-30 Thread Dean Wells
I'm not aware of the motivation behind this decision. It may simply be that they didn't want to empty the partition content (a time consuming process as we know) in addition to the already significant impact of a PAS addition or that they simply didn't even think about it. Deano -- Dean Wells

[ActiveDir]

2004-01-30 Thread Stuart, Cory G.
Have any of you had success joining a Windows NT 4 Workstation (SP6a) to a Windows 2003 Domain in 2003 Mode? Thanks, Cory --- Cory G. Stuart Network Administrator Nuclear Engineering Division Argonne National Laboratory

[ActiveDir] XP and 2003 ADM templates and GPO's

2004-01-30 Thread Myrick, Todd (NIH/CIT)
Greetings all, I am looking for the best way to update the default ADM templates to support XP and 2003 servers. According to all the documentation I can find and some of my own testing, I have been able to update existing GPO's to use the newer XP ADM templates without a problem. I am concern

RE: [ActiveDir]

2004-01-30 Thread Myrick, Todd (NIH/CIT)
Does the NT4 machine have the DS Client installed? Todd -Original Message- From: Stuart, Cory G. [mailto:[EMAIL PROTECTED] Sent: Friday, January 30, 2004 2:44 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Have any of you had success joining a Windows NT 4

Re: [ActiveDir]

2004-01-30 Thread Doug Hampshire
Yes, didn't do anything special. Are you having a specific problem? - Original Message - From: Stuart, Cory G. To: [EMAIL PROTECTED] Sent: Friday, January 30, 2004 11:43 AM Subject: [ActiveDir] Have any of you had success joining a

RE: [ActiveDir] nt4 in 2003 domain

2004-01-30 Thread Stuart, Cory G.
Yes and I also made sure that SMB signing was enabled. Cory --- Cory G. Stuart Network Administrator Nuclear Engineering Division Argonne National Laboratory --- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL

[ActiveDir] Password expiry text

2004-01-30 Thread Rimmerman, Russ
Is there any way to change the wording that pops up when a user's password expires so instead of saying it must be changed, it explains that it must contain uppercase/lowercase/numbers/symbols (complex) so the users know what passwords they should pick?

RE: [ActiveDir] nt4 in 2003 domain

2004-01-30 Thread Myrick, Todd (NIH/CIT)
Any chance a firewall might be blocking ports... specifically 135, 137, 138, 139? Todd -Original Message- From: Stuart, Cory G. [mailto:[EMAIL PROTECTED] Sent: Friday, January 30, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] nt4 in 2003 domain

RE: [ActiveDir] nt4 in 2003 domain

2004-01-30 Thread Willem Kasdorp
Unless you have a single subnet you need to install and configure WINS, and make sure that all DCs and especially the PDC emulator register with it. You may want to add Everyone to the group Pre-Windows 2000 Compatible Access if you've built the domain without it. --

RE: [ActiveDir] Password expiry text

2004-01-30 Thread Lou Vega
Not sure of a way off hand to do this, however I do have a small Windows application that I'm finishing up for just such an issue. The program will generate random, semi-pronounceable passwords with at least 1 uppercase char, 2 numbers and 1 symbol in

RE: [ActiveDir] XP and 2003 ADM templates and GPO's

2004-01-30 Thread Darren Mar-Elia
Todd- Congrats on your MVP! #1 below is correct. #2 is also correct. As far as losing settings that have been retrograded, my experience is that you don't. That is, if you take an XP-created GPO, make some changes to it and then downgrade it by editing it with a Win2K box, when you then go back

RE: [ActiveDir] schema updates

2004-01-30 Thread Fugleberg, David A
Joe - care to elaborate on the error that didn't become obvious until it replicated ? I'm just curious what to watch for - maybe I'll add some steps to my schema change testing process... Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent:

RE: [ActiveDir] schema updates

2004-01-30 Thread marcus
Same goes. This is a relatively new topic for me. To answer a few questions, the configuration is an empty root domain and three child domains. The extensions we are looking at are for Windows 2003, Exchange 2003, and SMS 2003. :) Now Joe you mentioned something regarding taking a snapshot of

RE: [ActiveDir] schema updates

2004-01-30 Thread joe
Nod... The issue could be that the executable is checking for something and if it doesn't see it it adds something additional to the schema or doesn't put something in or maybe doesn't allow the update at all. Test and production environments are generally disjoint no matter how hard people try to

RE: [ActiveDir] Contents of GC

2004-01-30 Thread joe
DEAN! You rock dude, I love your posts. I like the little /kcc thing below... I had no idea. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, January 30, 2004 1:06 PM To: AD mailing list (Send) Subject: RE:

RE: [ActiveDir] Contents of GC (straying slightly OT)

2004-01-30 Thread joe
I doubt they thought about it. I would almost bet they index off the source DC and since the source DC doesn't have the lingering stuff it would never get touched. Otherwise you would have to 1. Wipe the partition which I agree they probably didn't want to do maybe for frag reasons, etc. 2. Do

RE: [ActiveDir] Password expiry text

2004-01-30 Thread joe
Nope. That is one of the big complaints and reasons that people aren't more aggressive on complexity filters. Some companies have gone out and implemented their own client/server software for this though. Alternatively you can disable the ability for the

RE: [ActiveDir] schema updates

2004-01-30 Thread joe
Damn, I knew someone would ask for details and this is one I wasn't heavily involved in. We were putting in W2K3 schema and some of our company specific stuff. There was something that collided with the E2K stuff - I want to say inetorgperson though it was like many months ago and Exchange has

RE: [ActiveDir] XP and 2003 ADM templates and GPO's

2004-01-30 Thread Myrick, Todd (NIH/CIT)
Thanks Darren... I found a pretty good White Paper on the NSA site about XP as well. I just want to make sure I fully understood all aspects of the XP GPO stuff since there was a lot of information out there. Todd -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]

Re: [ActiveDir] Password expiry text

2004-01-30 Thread David Adner
Not exactly what you're asking for, but I noticed this article the other day in some forum. Makes the message they get if they don't type in a complex password slightly more user friendly so the users know what constitutes complexity.

RE: [ActiveDir] Logon/Logoff scripts and Services

2004-01-30 Thread joe
Only interactive workstation/server logons execute logon scripts. Services and runas and process starts don't do it. I could be wrong but I believe it is the GINA that actually fires the logon script. joe From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] permissions requests

2004-01-30 Thread joe
Rich my friend. (That sounds better as my Rich friend...) You need a good group story. I will give you A story, not necessarily a good one. I will tell you my story or more likely our story with our being the company I do the contract work for - names