RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Aramide Adebanjo
Hi guys, I have resolved the issue.. it could have been worse however but the group deleted was a distribution group. The painful fact was that it was one that had 700 member users and I did not know how I could repopulate that fast. However I had done a csvde export just the day before and I ran ique

RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Ruston, Neil
Have you considered a 3rd party tool which offers object level restores? There is no rule that states that MS must provide all the functionality that we require, after all :) Have you considered delayed replication sites, which only receive changes on an infrequent basis? DCs in these sites can th

RE: [ActiveDir] Few quick ones on password polices

2005-02-17 Thread Tim Sutton
cheers for the answers, boys and girls. strictly speaking, I didn't need to deny the users the ability to change their password but did it anyway. mostly so they wouldn't complain that they'd just changed their password during the implementation p

[ActiveDir] DC or not DC

2005-02-17 Thread Alberto Boczar
However MS does support DCs on Virtual Server if the guidelines in this whitepaper are strictly followed: http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en Alberto Boczar [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTE

[ActiveDir] Updating ADM files - best practices

2005-02-17 Thread Ruston, Neil
Scenario: W2k DCs and multiple w2k domains I plan to implement and enable the GPO setting 'turn off automatic update of ADMs' in the default domain GPO as part of the upgrade from w2k DCs and domains to w2k3 DCs and domains. [For obvious reasons, I ho

RE: [ActiveDir] OT: Exchange 2003 Forestprep

2005-02-17 Thread Burkes, Jeremy [Contractor]
Are you running the forestprep directly on the server that holds the schema master role? Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst Sent: Wednesday, February 16, 2005 11:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange 200

RE: [ActiveDir] Help!!! - Urgent Issue...

2005-02-17 Thread deji
Dunno if this response is urgent enough, but a good place to look at is TCP/IP properties and see if the client is configured to use lmhosts. Uncheck that option and try again. HTH Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT

RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Ryan A. Conrad
I agree with Neil. I've seen good results with ERDisk from Aelita, which is now called Recovery Manager for AD from Quest. -Ryan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Thursday, February 17, 2005 10:17 AM To: 'ActiveDir@mail.ac

[ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Marie-Therese Fahmy
I need a script to search for userID for users and give me their full name. We have Active Directory 2003. Thanks, Marie List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Tomasz Onyszko
Marie-Therese Fahmy wrote: I need a script to search for userID for users and give me their full name. We have Active Directory 2003. What You mean as userID? Take a look at this examples: http://www.rallenhome.com/books/adcookbook/code.html and scriptomatic tool: http://www.microsoft.com/technet/

RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread joe
They do have an undelete option... It is in Windows Server 2003 AD. Don't expect it to be back ported to Windows 2000 AD as that OS is now over 5 years old and the newer version is a couple of years old. You can actually use admod as well as other tools to undelete things in Windows Server 20

RE: [ActiveDir] DC or not DC

2005-02-17 Thread Ramsay, Steve
The Snapshot feature is also really useful, especially in a development/test environment. Being able to quickly roll back the machine without requiring a restore can save hours! If you have ESX on a SAN, Vmotion can provide some interesting DR/BCP options for server apps that are not cluster awar

RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread James_Day
We have been using that here as well, and outside of the somewhat less than intuitive interface it has worked very well for us. It will not solve the problem today of recovering a deleted group (unless you have an offline DC that still has it) but it will for future issues. We have used it to rec

RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Mulnick, Al
I'm curious though. You want to convert their userid from what it is now and change it to first name last name ?? Is this just to make the MMC tools look better or is there some other reason? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marie-The

RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Ruston, Neil
Very true, joe, but then that's precisely why I'd advocate the use of the 3rd party tools, since they offer a far more robust solution. The thought of re-animating an object only to find most of its attributes are missing (e.g. SIDHistory) is pretty useless, albeit by design.

[ActiveDir] DC or not DC

2005-02-17 Thread nelson yong
Return Receipt Your document: [ActiveDir] DC or not DC was received by: nelson yong/IT/KSL at: 17/02/2005 10:14:13 PM

RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Creamer, Mark
I'm assuming by "convert" you mean associate? (i.e. given a user ID, show me the Full Name? You could use adfind (www.joeware.net) >adfind -b dc=mydomain,dc=com -gc -f "objectCategory=person" sAMAccountName Name That returns something like: dn:CN=Robert Smith,CN=Users,DC=mydomain,DC= >name:

[ActiveDir] Account policies and groups

2005-02-17 Thread Tim Sutton
If a user is in an OU which has the block inheritance selected but is a member of a group that's in a different OU and doesn’t have block inheritance applied, will the password policy for example still apply to that user? Just curious really For Troup Byw

RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Gil Kirkpatrick
No, group membership does not determine what policies get applied. If they did, they would be called "OU policies", wouldn't they? :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton Sent: Thursday, February 17, 2005 7:27

RE: [ActiveDir] OT:IIS 5.0

2005-02-17 Thread Mulnick, Al
When you get that error, do you get the same error when connecting to the root of the webserver? I.e. http://webserver/default.htm ? Is that what you're saying? If so, then you don't have the web site permissions correct. If you don't have those correct, you won't be able to get to the rest of t

RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Cace, Andrew
dsquery can also find the information also. The syntax is: dsquery * -filter (samAccountName=name) -attr displayName I would use the Joeware tool, because I'm frustrated with some of the limitations of dsquery. I just haven't had the need yet to learn to use the Joeware tool. -Andrew -O

RE: [ActiveDir] OT: Exchange 2003 Forestprep

2005-02-17 Thread 'Jacqui Hurst'
Yes the forestprep was run on the schema master. The actual forestprep process works fine the issue occurs when I try to join the Exchange 5.5 organisation. The organisation object is created in the AD and a number of sub containers eg Addressing it begins to fail when creating the coun

OT::RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Mulnick, Al
I think Joe should put that quote on the website as a testimonial :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew Sent: Thursday, February 17, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] script to convert userID

RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Passo, Larry
But group membership can determine which GPOs get applied if you are using GPO filtering. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Thursday, February 17, 2005 6:42 AM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Darren Mar-Elia
The key here is that policy is only processed by user and computer objects, but its effect can be filtered by security groups (and WMI queries). So, in this scenario, putting block inheritance on the OU where the user object resides would prevent the user from receiving upstream GPOs, even thoug

[ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Charlie Kaiser
I have a W2K3 AD domain. Gets its time synch from our Cisco switch, which gets time from outside. Usually works OK; hiccups once in a while; no big deal. I've run into an interesting problem, though. We have Cisco VoIP phones, which display the time on the screen. A user complained because the time

[ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
Folks, I'd like to throw this back out for comments if I can. A while back I asked about using our current W32Time server, the forest root AD box, as the authoritative time server for the non-Windows clients on our network. I haven't had any luck getting this to work. If I remember correctly, W3

RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Creamer, Mark
Interesting...Charlie's message just popped up in my inbox as well. Looks like time sync is a current hot topic. Eagerly awaiting thoughts from the group. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, February 17, 2005 1

RE: [ActiveDir] DC or not DC

2005-02-17 Thread Lucia Washaya
Return Receipt Your RE: [ActiveDir] DC or not DC document:

[ActiveDir] DC or not DC

2005-02-17 Thread Lucia Washaya
Return Receipt Your [ActiveDir] DC or not DC document:

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Charlie Kaiser
Maybe try what we did; set the AD time source to be a router or switch that can act as a time server. That router or switch then connects to an external time source. Different flavors of time synch can then connect to that router or switch and get time... That way, you also don't have to have a con

RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Al Garrett
Seems to me, if the Cisco servers can talk to the DC's via TCP/IP, then you should be able to do a simple NET TIME \\ /SET /YES NET TIME \\ . Make a batch file or run an AT job, anything that syncs them periodically. -Original Message- From: Creamer, Mark [mailto:[EMAIL PROTECTED

RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Charlie Kaiser
Doesn't work. "System error 5 has occurred. Access is denied." The Cisco servers are not in the domain, and the DCs won't allow communications from outside. If I do a runas with domain credentials, I can make it work, but I was hoping for a more elegant solution. I don't like doing runas with domai

Re: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Bob Free
When you run Net Time \\somemachine /set you are using the old LanMan NetTOD api to locate an authoritative time source which doesn't work because you aren't in the domain and you have already told the box to use SNTP with the /setsntp arg. You want to use w32tm to test the SNTP function. Stop W32

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Mulnick, Al
It can work, what problems are you having? What kinds of errors and what are you using? W2K3 is supposed to answer for both IIRC, but that was in the archives. There are still some nuances that might be getting in your way. You know, the nuances about how an RFC is interpreted when it says thin

[ActiveDir] Exchange 5.5

2005-02-17 Thread Philadelphia, Lynden - Revios Toronto
Has anyone come across an article on how to take control of public folders if the home server is gone?

RE: [ActiveDir] Exchange 5.5

2005-02-17 Thread Adams, Kenneth W \(Ken\)
IIRC, IF the folders have been replicated to another Exchange 5.5 server, you can specify the home server on that other server. I had that happen to me years ago, so I'm not positive about the procedure. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[E

RE: [ActiveDir] Exchange 5.5

2005-02-17 Thread Philadelphia, Lynden - Revios Toronto
Do you have a white paper on the procedure? Lynden From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED] Sent: Thursday, February 17, 2005 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 IIRC, IF the folders have b

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Free, Bob
>W2K3 is supposed to answer for both IIRC, It will in my experience. It will answer *NTP queries as "NTP Version 3, Mode 4" Windows Time Service Technical Reference - Networking Services: Windows Server 2003: http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
The ubiquitous "No Server Suitable for Synchronization Found". I've found lots of questions about this in my googling, but no definitive answers. If I understand right, SNTP is the client implementation of the NTP protocol? If that's true, how could it serve time updates to anything? What's your

RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Charlie Kaiser
Ah. There we go. The w32tm -once showed a sync. Now the next question is: will the standalone server automatically sync with the listed time source or will I have to perform manual/scripted syncs? I know it's automatic within an AD structure, but what I've been reading doesn't address non-domain sc

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
Ah...maybe it's the difference between Win2000 and Win2003 then. My domains are still 2000. Thanks Bob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, February 17, 2005 4:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [Act

[ActiveDir] Startup Scripts?

2005-02-17 Thread Harding, Devon
I can’t seem to get a startup script to create a local account on all domain computers.  I’ve created an OU, dragged the user account into that OU applied a GPO for that OU to have a startup script which contain the following:   echo Adding local Consulting account net user consulting te

[ActiveDir] Backups...

2005-02-17 Thread Jason B
Slightly OT for an AD forum, but since I've seen so much great advice flow through this list, and we're populated with Sys Admins (who are frequently in charge of backups) I figured I'd throw it out there.    We have two Dell Tape autoloaders that have 8 slots (7 DLT IV + 1 cleaning tape). 

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
Sheesh, now someone with Win2K that does work!! :-) My domain is Win2000 also Mike. Now I'm just confused again. W32Time wizard Nathan - are you still monitoring this list? -Original Message- From: Michael Wallendahl [mailto:[EMAIL PROTECTED] Sent: Thursday, February 17, 2005 5:02 PM T

RE: [ActiveDir] Startup Scripts?

2005-02-17 Thread David Cliffe
"user account" and "startup script" ?   Try the computer account in the OU.  Startup scripts apply to computers  :-)   -DaveC Reuters America From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, DevonSent: Thursday, February 17, 2005 5:02 PMTo: ActiveDir@mail.activedir.

RE: [ActiveDir] Startup Scripts?

2005-02-17 Thread Harding, Devon
That worked!   Thanks,   -Devon   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe Sent: Thursday, February 17, 2005 5:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Startup Scripts?   "user account" and "startup script" ?   Tr

Re: [ActiveDir] Startup Scripts?

2005-02-17 Thread Jason B
net localgroup Users /add "consulting temp1234" - Original Message - From: Harding, Devon To: ActiveDir@mail.activedir.org Sent: Thursday, February 17, 2005 3:02 PM Subject: [ActiveDir] Startup Scripts? I can’t seem to get a startup script to create

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Free, Bob
>If I understand right, SNTP is the client implementation of the NTP protocol? SNTP can actually be a client or a server, it is "unreliable" (my word) compared to NTP and some devices simply won't accept time from it. RFC 1769 "The model for a SNTP server operating with either a NTP or SNTP clien

RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Free, Bob
W32time will synch as long as you leave the service running. It will peer up to the source and then synch periodically, 3x a day at the default IIRC. You can turn on logging and it will log to the event log if you want to keep an eye on it. For W2K- Add the following values and bounce the service

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Nathan Muggli
I'm still here :) Regarding: " If you are running Windows Server 2003, it *may* not allow non-domain members to sync with it out of the box. " NTP is not a secure protocol. You can sync non-domain joined servers with a DC. SNTP and NTP are exactly the same network packet. The only differe

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Free, Bob
Yep, the 2000 boxes wouldn't talk back to many of the *NIX utilities because they only did SNTP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Thursday, February 17, 2005 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir

RE: [ActiveDir] DC or not DC

2005-02-17 Thread Roger Seielstad
Keep in mind you can run a DC for even a moderately sized org on a typical desktop machine. Since DC's (except the FSMO role holders) are scale-out redundant, there's no reason not to add additional capacity by using desktop class machines. Roger Seielstad E-mail Geek & MS-MVP > -

RE: [ActiveDir] DC or not DC

2005-02-17 Thread Roger Seielstad
It's logical separation vs. physical separation. Mainframes have had LPAR's (logical partitions) for ever, which do the same basic thing. Logically separating the platforms does protect from most of the issues caused by putting a crapload of services on one box. However, I'd never use a virtualizi

Re: [ActiveDir] Updating ADM files - best practices

2005-02-17 Thread support
Neil, Not sure if it is best practice, but what I do is:- 1. Leave on the Auto upgrade of ADM files. We assume that Microsoft always adds to ADM files, never changes existing keys. 2. Always use a different ADM file for your modifications. Nev

RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Roger Seielstad
Yes, the password policy will still apply to that user - it applies to every object in the domain, regardless of block inheritance settings. Roger Seielstad E-mail Geek & MS-MVP From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Beh

[ActiveDir] Email plug

2005-02-17 Thread joe
FYI. If anyone posted anything specifically aimed at me, I just want to let you know I haven't seen it yet and I apologize. My provider GLOBAT got plugged for inbound SMTP sometime around Thu 3AM (Last post I saw was the HELP!!! Undelete required post from Aramide. Most of my email seems to be fl