RE: [ActiveDir] Startup Scripts?

2005-02-22 Thread James_Day
How about if you put the command into a batch file and just run it that way - does that work? The GPO itself is linked to the OU that contains the computers where you want this to apply right? Does the RSOP wizard in GPMC show the script is being applied on one of the computers? Regards; James

RE: [ActiveDir] win32 time service in domain controllers

2005-02-22 Thread joe
If you don't have the root PDC pointing at an external source such as time.windows.com or tick or tock or something else, the time of your entire forest is dependent on the variability of the clock on your PDC. As much as it drifts, so will the time of your entire forest. Again, if

RE: [ActiveDir] win32 time service in domain controllers

2005-02-22 Thread steve
Here are some time references I used when configuring w32time for AD. How to configure an authoritative time server in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;816042 http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deploy

RE: [ActiveDir] W32Time and *nix (OT)

2005-02-22 Thread Roger Seielstad
True. But, the specific reference I used was for Dr. Who's companion, which makes somewhat more sense in the context of discussions concerning time, as time (travel, specifically) was Dr. Who's thing. Roger Seielstad E-mail Geek MS-MVP -Original Message- From: [EMAIL

RE: [ActiveDir] W32Time and *nix

2005-02-22 Thread Roger Seielstad
It gets around the domain membership requirement for your non-domain boxes. Of course, with the W32Time piece working correctly, there's no need to go to a third party app. Roger Seielstad E-mail Geek MS-MVP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

[ActiveDir] AD integrated DNS, DHCP, Static addresses, and record ownership

2005-02-22 Thread James Cate
I am looking for detailed documentation that would shed some light on how dynamic dns works. The initial registration works fine for us but if the ip address changes the dns entry is not updated. The DHCP servers are configured to register the workstations ip address. I don't know if this is a

[ActiveDir] delegating group management

2005-02-22 Thread Creamer, Mark
Hi guys, I'm fairly sure I can do this. But thanks to recent security changes, I can no longer just fire up the delegation of authority wizard to make sure...can I grant the ability to manage membership of groups to a given group of user admins, without giving them the ability to change other

RE: [ActiveDir] delegating group management

2005-02-22 Thread joe
Yep, you need to delegate WP to the member attribute. I seem to recall the wizard doing something with the special permission add/remove self as member but it seems misleading as that permission allows the person who has it to modify the membership in its entirety, it is not a validated

[ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread Francis Ouellet
Hi folks, I need to apply a GPO to the Computers container in our domain. We're running Windows 2003 Functional level. I know this can be done as I have seen it myself in the past but I don't recall the required steps/magic. Any idea? Thanks! Francis Ouellet MS MVP

Re: [ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread Paul Wilkinson
You can apply a new policy to the domain level or by editing the default domain policy. If you want the policy to only apply to computers container, you'd have to use a WMI filter on the policy. Paul Wilkinson 865-974-0649 2422 Dunford Hall OIT Lab Services University of TN, Knoxville Francis

Re: [ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread Jason B
Is there a reason that you don't just create a new OU and move the computers there? - Original Message - From: Francis Ouellet To: ActiveDir@mail.activedir.org Sent: Tuesday, February 22, 2005 11:36 AM Subject: [ActiveDir] Change the Computer container in a

RE: [ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread Francis Ouellet
Hi, I just figured out how to do this according to KB324949. I created a new OU and used redircmp.exe to point to a temp OU. I then had to delete the old Computers container and voilà. Thanks, Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread joe
Actually it can't from what I understand. GPOs do not apply to containers, that is why there is a big rush for people to jump out of using the default containers and instead use OU structures. Possibly you saw someone redirect their default landing zone for computers to an OU that had a GPO

RE: [ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread Francis Ouellet
No, unfortunately I am not the "power that be" around here and have to abide to someone else's one track mind. ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B Sent: 22 February 2005 13:56 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Change the Computer

[ActiveDir] Get username from AD using ASP

2005-02-22 Thread Craig Gauss
I currently have some Intranet sites setup that grab the username of the person logged in: UsrString = Request.ServerVariables("LOGON_USER") 'Parse the domain\username format into domain and username UsrName =

RE: [ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread David Cliffe
Hi, I think you would like to apply policy to the Computers container? As you may know, this is a container, not an OU, and cannot be assigned policy. However, in 2003 it is possible to redirect that container to an OU, etc... Please see KB 324949 for more info. that

RE: [ActiveDir] Change the Computer container in a real OU

2005-02-22 Thread Francis Ouellet
Hi David, Thanks for the followup. I replied pretty much the same thing you said in your reply in a followup e-mail to my own thread. I did the trick by using redircmp.exe. Thanks, Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Gil Kirkpatrick
Can't be done. Domain admins own the domain (and can own the forest if they're persistent about it). You can make it perhaps a little inconvenient for them to add users, but you can prevent them from doing it. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] AD integrated DNS, DHCP, Static addresses, and record ownership

2005-02-22 Thread Jorge de Almeida Pinto
Hi, This is an ownership issue as you're talking about multiple DHCP servers. By default, when DHCP servers register an IP address on behalf of a client then the DHCP server (the computer account of the DHCP server) becomes the owner of the registered record. If another DHCP server wants to

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread joe
Well, I thought *I* was behind in my email. :o) joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Tuesday, February 22, 2005 2:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible ? deny domain admins create

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Hutchins, Mike
lol From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 22, 2005 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new user permission Well, I thought *I* was behind in my email. :o) joe From: [EMAIL

RE: [ActiveDir] Get username from AD using ASP

2005-02-22 Thread Mulnick, Al
Can't think why it wouldn't, although I'd prefer to use the LDAP provider vs. the WINNT provider. If nothing else, it would work better for multi-domain environments. Are you having trouble with it? al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Gil Kirkpatrick
Yikes! How'd that happen? Must be one of those complicated computer things... -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike Sent: Tuesday, February 22, 2005 1:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible ?

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Gil Kirkpatrick
My next post will be regarding the Windows Server 2003 Beta... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 22, 2005 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new

[ActiveDir] Disabling Inactive Users

2005-02-22 Thread Rogers, James
Is there a GPO setting (or some other path) to disable inactive users after a specified period of time? In other words, I'd like to automatically disable Joe User if he has not logged on in more than 90 days. Thanks, James R. Rogers

RE: [ActiveDir] Disabling Inactive Users

2005-02-22 Thread Jorge de Almeida Pinto
Hi, Try the following: http://www.joeware.net/win/free/tools/oldcmp.htm. I think it's not possible to use a GPO to do this. You could however create a batch file using OLDCMP and schedule it to run each day/week or whenever you want it Jorge -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] Disabling Inactive Users

2005-02-22 Thread Mulnick, Al
Personally I haven't seen a GPO for this but I'd like to hear of one if available. On my site I/we wrote an administrative script to handle this task that basically scours the directory and spits out the accounts that haven't been used on any DC in more than X days. Because of our system

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Mulnick, Al
Aren't you skipping ahead a little? What about that new Active Directory thing that everyone is talking about? G -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Tuesday, February 22, 2005 3:54 PM To: ActiveDir@mail.activedir.org

[ActiveDir] Logon Scripts

2005-02-22 Thread Charlie Saliba
Is there anyway to tell without clicking into each user's properties to tell which logon script they use?

RE: [ActiveDir] Disabling Inactive Users

2005-02-22 Thread Rod Simmons
I would be careful about using has not logged on in X number of days. Some users may only authenticate against AD thus they would never log on. Try tracking against last password change. I assume you have policy in place that requires user must

RE: [ActiveDir] Get username from AD using ASP

2005-02-22 Thread Craig Gauss
Not yet but I am planning on taking out our last NT 4 domain controller and wanted to make sure it would still work. Wasn't sure if it would change with the integration of AD. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday,

RE: [ActiveDir] Logon Scripts

2005-02-22 Thread Creamer, Mark
This would give you the results for everyone in the Users container, SAM ID and login script, with a | in between. Run from cscript or you'll get to click OK on each user! :-) Dim OU, oUser, UserObj Set OU = GetObject("LDAP://CN=Users,DC=my,DC=domain,DC=COM") For Each UserObj in OU WScript.Echo

Re: [ActiveDir] Logon Scripts

2005-02-22 Thread John Singler
you can try (watch wrap): adfind.exe -b dc=domain,dc=edu -f (objectcategory=person)(samaccountname=*) -tdc scriptPath userPrincipalName c:\scriptPath.log check joeware.net for adfind Charlie Saliba wrote: Is there anyway to tell without clicking into each user's properties to tell which logon

RE: [ActiveDir] Disabling Inactive Users

2005-02-22 Thread Gil Kirkpatrick
AFAIK there's no GPO setting to do this. Most people run a script periodically or use a 3rd party tool like Javelina. -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James Sent: Tuesday, February 22, 2005 1:56 PM To:

Re: [ActiveDir] Disabling Inactive Users

2005-02-22 Thread John Singler
AFAIK oldcmp will give you the lastLogonTimestamp (if you are w2k3 functional) but you can't query directly on that. the -age switch looks at pwdLastSet (it's possible that a user has not changed their password in +90 days but they login everyday - therefore they are not inactive). a manual

[ActiveDir] Updates without SUS/WUS

2005-02-22 Thread Noah Eiger
Hi - We have a test environment that is not connected to the Internet. I would like to update these servers but do not have WUS/SUS. One of our admins downloaded the individual files. Is there a way to easily run these all at once? I have seen KB 296861 but frankly populating the script seems

RE: [ActiveDir] Logon Scripts

2005-02-22 Thread Jorge de Almeida Pinto
Hi, You could create a script to retrieve the scriptpath attribute from all users in a textfile or excelsheet using the following code: On Error Resume Next Set objUser = GetObject _ ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com") objUser.GetInfo strScriptPath =

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Jorge de Almeida Pinto
Maybe you could configure auditing to see who is creating user accounts or convert all domain admins into normal users ;-) Preventing what you want is not possible as domain admins in a forest/domain have the ability to do everything they want Jorge _ From: [EMAIL PROTECTED]

[ActiveDir] Anyone use Server Performance Analyzer?

2005-02-22 Thread Gil Kirkpatrick
Has anyone on the list used SPA to evaluate DC performance? If so, what were your impressions? Was the data useful? Was the product easy to figure out? -gil Gil Kirkpatrick CTO, NetPro "To fly, flip away backhanded. Flat flip flies straight. Tilted flip

RE: [ActiveDir] Anyone use Server Performance Analyzer?

2005-02-22 Thread Gilbert, Daniel L Mr ANOSC/FCBS
To fly, flip away backhanded. Flat flip flies straight. Tilted flip curves. Experiment! Frisbee? -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 22, 2005 3:20 PM To: ActiveDir@mail.activedir.org

[ActiveDir] Quick way

2005-02-22 Thread Rodriguez, Daniel [EPM/SRM]
We have some Groups that were created locally on some of our servers. Is there a way to migrate each group to Active Directory as a Group? Or do we have to manually create the group in AD, and add the names that are in the local group on the server to the AD Group? Daniel E. Rodriguez

RE: [ActiveDir] Quick way

2005-02-22 Thread Paul van Geldrop
You might want to consider doing some scripting. The DSADD command is your friend in this case. Regards, Paul. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodriguez, Daniel [EPM/SRM] Sent: Tuesday, February 22, 2005 11:28 PM To:

[ActiveDir] (Similar topic) Add Computer to Domain

2005-02-22 Thread David Cliffe
Hi all, On 9 Feb. there was a discussion about adding computers to a domain during which Jorge mentioned the user right "Add workstations to domain" (authenticated users being granted this right by default), and Justin mentioned KB 251335. A few questions about that right for anyone that is

RE: [ActiveDir] Disabling Inactive Users

2005-02-22 Thread joe
What do you mean you can't query on lastLogonTimeStamp in oldcmp? If you use the -llts option (I'll let you guess what that stands for) it uses lastLogonTimeStamp for the aging instead of pwdLastSet. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

RE: [ActiveDir] Logon Scripts

2005-02-22 Thread joe
With this query, you don't actually need -tdc. It won't add any value because you aren't requesting any time attributes. Also you can slim it down to only show users who have a script set by using the following adfind.exe -b dc=domain,dc=edu -f

RE: [ActiveDir] Quick way

2005-02-22 Thread Grillenmeier, Guido
the usability of the new groups in AD sort of depends what you've used the groups for - if you've acled the files on the servers or configured other apps to leverage the groups, you'll need to reconfigure all of this too to make the new AD groups do anything for the users who are then

RE: [ActiveDir] (Similar topic) Add Computer to Domain

2005-02-22 Thread Grillenmeier, Guido
"concurrently" in this context means how many computer objects the user "owns" at any given time in AD. If the number of computer objects he owns is higher than the ms-DS-MachineAccountQuota value, then he won't be able to add any new machines to the domain. So by setting the threshold to 0

RE: [ActiveDir] Updates without SUS/WUS

2005-02-22 Thread Rick Kingslan
Noah, Your options are pretty limited if you don't have access to WU, WUS or SUS. The options really do come down to applying each patch, potentially rebooting between each of the patches. If you don't reboot, you run into a potential issue in which the bits from patch A are over-written by

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Rick Kingslan
Hmmm. OK, I'm inclined to agree, but aren't DA's and EA's governed by the same set of ACLs and ACEs applied at specific levels of AD as any other user? IOW, can't I remove the Allow from DA to Create / Delete User Object? Right. AdminSDHolder is going to change it back on its rounds. And

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread joe
adminSDHolder shouldn't come into play here. That controls permissions ON the admin user objects, not on the OUs that admins would want to control. The thing is, admins can always take ownership of the OU where you are stripping their rights. This is why you can't remove their ability to do

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2005-02-22 Thread Rick Kingslan
adminSDHolder shouldn't come into play here. That controls permissions ON the admin user objects, not on the OUs that admins would want to control. Yeah, I guess I'll have to concede that... ;o) As to the DA being able to grab ownership and, in effect, re-grant everything that you've taken

RE: [ActiveDir] (Similar topic) Add Computer to Domain

2005-02-22 Thread David Cliffe
Thanks Guido...understood about the 0 threshold and the quotas. Specifically, I was more interested in the "behind the scenes" manner in which a DC enforces the MachineAccountQuota, and I see now (after reading more carefully!) that the "ms-ds-creatorsid" on a machine object must be used for

[ActiveDir] OT: Reboot necessary

2005-02-22 Thread Douglas M. Long
This is a stupid question, but wasn't a big improvement in server 2003 supposed to be reduced reboots when patching? It seems that every month's patches require a reboot, and boy is it a pain in the butt. What is the real reason that the OS needs to be rebooted for the patch installs to be

RE: [ActiveDir] OT: Reboot necessary

2005-02-22 Thread Rick Kingslan
Douglas, Reduced reboots are always a goal, and the real fix to this issue - as I understand it - is a level of consistency between what the OS needs to implement new code, new registry, and the manner in which it is applied. Installer 3.0 is much better at this, but there are some real