This can only be done by querying for the lastLogonTimestamp attribute across
*all* DCs in your domain. In w2k this attribute's data is not replicated
between DCs, but in w2k3, this data is replicated and shared between all DCs
in the domain so is more readily available.
Thanks,
Neil
MVP (AD)
Thanks for the suggestions Al, I will admit that it really
makes me nervous to change replication on AD since (knock on wood) it is working
so well. I have done testing in the lab for a couple of weeks now and I
think I have it all worked out, I just want to feel comfortable knowing that I
Within our domain, roaming profiles are used. The roaming
profiles are limited to 10MB by means of a GPO. The user is also given a
networked drive (K:\) that gives them an additional 40MB which gives them a
grand total of 50MB of usable space when on their workstations. The 50MB
limit is
Title: AD - Authentication
How do I check which users (or computers) are getting authentication from a domain controller?
Let's say if I give the set command on the client side, then I can get
LOGONSERVER=\\CTSINPUNCFAA
If I want to know from CTSINPUNCFAA (Domain controller) how many/who
The first thing that comes to mind is disabling Windows
Installer for non-managed apps via GPO, considering you are already doing
something similar as you had mentioned that may be the most viable
solution.
Otherwise, I'm not sure if it's possible or how difficult it
would be to implement
What I have noticed, in the couple of tests
I have done, is that if the installer is a MSI package, it will immediately be
denied any further access. If it is a *.exe then there may be progress on
the installation and it is up to the *.exe on how to proceed. If a *.exe
is used, the system
I attempted to run adprep /forestprep in my test forest, only to have it
fail with a cryptic (and misleading, as it turns out) error recorded in
its log.
Googling the error text led me to a post by a MS support guy who has
written a script that will hash a schema update LDIF file against a
I could recover the drive that was corrupted...now I don't know if I should install AD
again. My situation is that I don't have another server to use as a backup DC, I just
have one.
Is there any way I can avoid a failure because of a power loss? I read in the
Microsoft documentation that
Software Restrictions via group policy may be an option for
you.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html
Hunter
From: Edwin [mailto:[EMAIL PROTECTED]
Sent:
As Eric mentioned in an earlier post, the database underlying Active
Directory normally doesn't have problems recovering from a dirty shutdown.
You should be able to grab an old workstation in a test lab, DC Promo it up
to a domain controller, and then later unplug it without corrupting the
For the sake of completeness can you give us the error that you're
getting?
That way we know what element is failing on import.
Thanks!
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, August 04, 2004 9:04 AM
To:
Title: Maximum password age
In the default domain policy when the Maximum password age is set to Not defined. What is the default value for the password age??
Thanks
Ok, now that I could recover the partition where the ntds.dit file was, I think I
might be able to use it again...what happens if I change the registry property from
WinNT back to LanmanNT?? Can I do that? Will that work?
Thanks
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Hello Devan,
I've seen slow authentication when clients authenticate over a firewall and not all
ports needed are available. If the W2k+ Client takes about 15 minutes then it's that
issue. The client tries to log on, receives a message from the DC which also tells him
that he's in a
The testing I have previously done on this failed to work, I got a license
error popup when trying it. However, I believe Dean said he tried it and he
didn't have an issue. I was working with an MSDN copy of Windows and he was
working with an OEM copy. You can definitely try to do it.
So it
No, that's why I said the error from adprep was misleading. The add of
the uid attribute silently failed, but then the add of the inetorgperson
person fails because OID 0.9.2342.19200300.100.1.1 isn't in the schema.
A little cruising in adsiedit shows a delete option for
Cute
Do you have MSDN Universal access and have you looked in
the Beta SDK's?
I will send something to MS about it but don't expect a
quick fix.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 04, 2004 11:52 AM
To: [EMAIL
Great, you have to love that! ~Eric have them fix their sheet!
Here is a little article about defuncting attribs/classes so you can learn
about it
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/disabling_existing_classes_and_attributes.asp
Unfortunately, defuncting is
Title: AD - Authentication
You would need to have auditing enabled and scrape the
event log.
A sort of so so way to see who has a connection RIGHT NOW
to the DC but not necessarily everyone who is currently logged on the network
somewhere who was authenticated by that DC is to check the
lastLogonTimeStamp is a K3 attribute, in 2K you have to use lastLogon. And
yes, you would have to query every DC in the domain for its lastLogon value
and determine which is the most recent.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston,
Active Directory is doing a whole ton more than what
Exchange directory had to do. Being an Exchange directory is but one function.
However that being said, you can export/import many of the attributes, you just
have to know which ones can't be directly reimported such as GUIDs, SIDs,
Note by default this will do computer objects, you just need to adjust the
filter to do users and it does all of the work based on pwdLastSet.
The switch to use would be
-f (objectcategory=person)(objectclass=user)
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Honestly you shouldn't install Exchange or any back office
products on domain controllers.
Other than that I am kind of confused by your post... You
demoted a machine that I take was also running Exchange and then you rebuilt it
from the beginning? What does that mean, did you reload the
I just checked the Beta K3 SP1 SDK and it isn't
there...
Possibly you can sweet talk ~Eric into giving you the
values.
I have notified the MSDN folks and told them where to find
the constants so they don't have to look too hard but who knows what the time
frame will be.
joe
From:
Ted-
I just saw this post: http://blogs.msdn.com/exchange/archive/2004/08/04/208045.aspx
I haven't played with either version of ADModify, so I
can't comment on whether it's easier than LDIFDE or script to do bulk mods.
Maybe you can check it out in all of your spare time and report back
Is this in the source tree available for MVPs? I need to
sign up for that...
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 1:45 PM
To: [EMAIL PROTECTED]
Cc: 'Eric Fleischman'
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting
Title: Maximum password age
I believe it is 42 days.
-Original Message-
From: Cary, Mark
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 8:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Maximum password age
In the default domain
policy when the Maximum password
Title: Maximum password age
If truly undefined there should be no password max age.
However, if someone just undefined an existing policy it should be whatever the
last policy set it as. So if I set the
policy to 0, then applied that policy, then undefined the policy, it would be
0.
The
Is this in
the source tree available for MVPs?
I can neither confirm nor
deny that statement.
I need to sign up for
that...
That is a good idea I think,
you just have to be careful about what you say about it once you are in it.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Hmmm. Interesting point.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting
Is this in
the source tree available for MVPs?
I can neither confirm
Anyone have the impact that would have on SAP application by chance?
Just curious really. Don't have SAP handy.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:51 PM
To: [EMAIL PROTECTED]
Cc: 'Eric Fleischman'
I would expect it would really dork it up pretty well...
However there are two compensating things.
1. SAP shouldn't have done this. Ok so that isn't really a compensating
factor but they really shouldn't have!
2. He already said that they aren't using it so breaking SAP doesn't matter.
Now for
Seems that's not so easy as to find an easy vbscript for it. Found some c++
for it but that doesn't sound like what you want :) How many OU's do you
have?
Also, what POS backup system are you deploying? I'd like stay as far away
from that company as I possibly can. And since you have the
At least they threw you a bone
Keeping with the Windows 2003 initiative
that everything that can be done in the GUI should be available via command
line, a command line version of the tool that contains all of the same
features is included as well.
From: joe
Thanks Joe, I saw that (rare for me lately). Just curious if SAP and Active
Directory could play well together or not.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE:
There are two parts to the backup solution. The first only requires
backup operator rights and does normal system level backups/restores
and non AD level file recovery. No issues there.
The additional rights come from their method of dealing with AD and
restoring individual objects in AD.
Well side by side we see:
MS UID
dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued:
What was the name of that product?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: Wednesday, August 04, 2004 3:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Changing permissions in AD
There are two parts to the backup solution. The
I will assume you have a K3 Domain...
It is going to need administrator level rights (not domain admin) just to
look into the deleted items container unless the ACL's have been relaxed
like Tony was asking about the other day here on the list. However this
should be handled in such a way that
I'm not sure I understand the question.
Which enum are you looking for? That page specifies the values for the ins.
What am I not seeing that you're looking for?
From: joe
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 12:45 PM
To: [EMAIL PROTECTED]
Cc: Eric
So long as it works (IE the dsa lets you do it w/o any magical tricks) I
see no problem with this approach. If you have a test lab, that's a
great place to try it first. :) But at first glance it looks like it
should work.
~Eric
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Thanks Joe Eric! Worked like a charm. Adprep ran to completion for
forestprep and domainprep.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, August 04, 2004 4:24 PM
To: joe; [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Uh, not at least on the public page.
SecureSecondaries
[in]
Specifies the security to be applied and must be one of the following:
ZONE_SECSECURE_NO_SECURITY
ZONE_SECSECURE_NS_ONLY
ZONE_SECSECURE_LIST_ONLY
ZONE_SECSECURE_NO_XFR
What are the numeric values of
I am really good at guessing... :oP
Glad it worked out for you.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, August 04, 2004 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has
Ken:
Do you recall which version of the SAP portal it was that made the
schema changes? I'm asking since we are testing the SAP portal against
AD in our lab with our SAP folks. I know that the initial version that
they came to us with required a schema change (version 5?) and before we
got it
This is a learning question. Nothing is broken but I want to know
where some information is located.
How can I tell and where do I go to find out what information is
replicated in Active Directory at the DNS zone level itself. For
example, if you create a new zone in AD, all the contents of the