Hello experts,
We need to upgrade our existing 2000 environment to Windows
2003 environment. How can I do that smoothly without
any hassle?
At this moment, I'm in the process of taking one extra
domain controller (has no role) from the existing Active Directory structure
isolate it in a
Title: Retiring user accounts
Just out of interest, how do people go about retiring users' accounts when someone leaves? Has anyone got a set procedure or is it just a case of back up their PC / home drives, delete their account and redirect their emails to someone else?
For Troup
Title: Users leaving
Hey all!
Over the next few weeks we've got quite a few users leaving but as we're only a small office we don't have a set procedure for what happens to their account, PCs and mail etc. I think I've just volunteered myself to write one! Has anyone got any good
Title: Re: [ActiveDir] WINS
Did you just remove WINS or did you also
disable NetBIOS on your network? Isn't it the case that as long as NetBIOS
is enabled and being used on your network that you should also be using WINS as
this will greatly reduce broadcasts and improve name-resolution,
Why are you changing the password for the account and then later deleting
it? Isn't that redundant?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Monday, March 07, 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]
Not if it's a user assigned one. I'm changing them to a password I know
and it also means that any of his / her friends won't be tempted to use
that account for things.
For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024
Title: Re: [ActiveDir] WINS
We just removed WINS, about a year ago. We are in the
process of testing the disabling of NETBIOS from our switches and have found a
few hitches with that, not related to Exchange. I found this KB article
WINS will always be needed as long as Microsoft Products still utilize
NetBIOS Names like Outlook and Network Printers.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Tock
Sent: Sunday, March 06, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
To be fair, Exchange setup requires WINS. Without it, setup fails.
Outside of that, Exchange requires shortname resolution, but the only answer
to verify that you have shortname resolution is to use WINS/Netbios
resolution.
Can you run without it? Yep. Is it supported? Not currently.
Just curious. Seems that you're changing the password and then deleting the
account. If you need to access that information using that account, I can
understand. Just figured I'd check.
Other than that, it seems like when you're done, you'll have an archive of
the users mail and desktop
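The steps discussed above (reset the password to one the leaver's friends don't know, then disable rather than delete, then archive) as one script. This is an added example, not code from anyone on the list: it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, so newer than the 2000/2003 systems in the thread) and a pre-existing holding OU named "OU=Disabled Users,DC=example,DC=com"; both are assumptions. Mail forwarding is an Exchange task and is left out.

```powershell
# Added example; not code from the thread. Assumes the ActiveDirectory module
# and an existing OU "OU=Disabled Users,DC=example,DC=com" (both assumptions).
#Requires -Modules ActiveDirectory

function Retire-ADUserAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOU = 'OU=Disabled Users,DC=example,DC=com',
        [string] $Reference  = 'no ticket'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Retire account')) { return }

    # 1. Replace the user-chosen password with 32 random bytes nobody knows.
    #    Anyone who later needs the mailbox or home drive resets it again
    #    through the normal, audited path instead of sharing one password.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $random = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $random

    # 2. Disable instead of delete. The SID, mailbox link and ACL entries
    #    survive until the retention period ends; recreating a user with the
    #    same name later would not bring the old SID back.
    Disable-ADAccount -Identity $user

    # 3. Strip group memberships so the parked account grants nothing if it
    #    is ever re-enabled; keep the old list in the description for audit.
    $groupNames = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).Name }
    foreach ($dn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    Set-ADUser -Identity $user -Description "Retired $stamp ($Reference); was in: $($groupNames -join ', ')"

    # 4. Park it in an OU with no GPO links and no delegated rights, so
    #    help-desk delegation on the live OUs no longer reaches it.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
}

# Dry run first, then for real:
# Retire-ADUserAccount -SamAccountName jdoe -Reference 'HR-1234' -WhatIf
# Retire-ADUserAccount -SamAccountName jdoe -Reference 'HR-1234'
```

The account is deleted only after the retention period, by a separate job that looks for the "Retired" description stamp, so the SID stays resolvable in file-server ACLs and audit logs while the data is still being kept.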
Is there a way to
query Active Directory and return all OU's?
perhaps a SQL
query?
I can use "dsquery
ou" I suppose, but I'm writing a .net that can be a front end for our help desk
in easing simple user management tasks.
I have a hard coded
version, but I'd like to have a query that will
We have KCC and ISTG configured to automatically create site link connection
objects.
I am looking for information to explain the following situation:
The server in our hub site that has most of the Inter-site replication objects
defined to it goes down. At what point in time will the KCC /
I haven't done it lately, but I would assume you can bind to the root and
iterate the children looking for OU objects. You could also create a query
that searches the domain for objectClass of organizationalUnit and then add
each of the ones you find to the application nodes.
An example ldap
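The search joe describes (subtree search for objectClass=organizationalUnit, then build the tree nodes from the results) written against the same .NET System.DirectoryServices classes a help-desk front end would call. This is an added example, not code from the thread; it binds to the current domain, assumes the caller is a domain member with read access to the domain partition, and turns the flat result set into a parent/child tree rather than a hard-coded list.

```powershell
# Added example; not code from the thread. Assumes a domain-joined caller
# with read access to the domain naming context.
Add-Type -AssemblyName System.DirectoryServices

function Get-OUTree {
    param([string] $SearchBase)   # e.g. 'LDAP://DC=example,DC=com'; default is the current domain

    if (-not $SearchBase) {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
        $SearchBase = 'LDAP://' + $rootDse.Properties['defaultNamingContext'].Value
    }
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectClass=organizationalUnit)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500   # paged results; otherwise a big domain stops at MaxPageSize (1000)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('name')

    $byDn = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        $byDn[$dn] = [pscustomobject]@{
            Name     = [string]$result.Properties['name'][0]
            DN       = $dn
            Children = @()
        }
    }

    # Link each OU to its parent by stripping the first RDN. The pattern
    # tolerates escaped commas in an OU name such as "OU=Sales\, EMEA,...".
    $roots = @()
    foreach ($ou in $byDn.Values) {
        $parentDn = $ou.DN -replace '^OU=(?:[^,\\]|\\.)+,', ''
        if ($byDn.ContainsKey($parentDn)) {
            $byDn[$parentDn].Children += $ou
        } else {
            $roots += $ou   # parent is the domain head or a plain container
        }
    }
    return $roots
}

function Show-OUTree {
    param([object[]] $Nodes, [int] $Depth = 0)
    foreach ($n in $Nodes | Sort-Object Name) {
        ('  ' * $Depth) + $n.Name + '   (' + $n.DN + ')'
        Show-OUTree -Nodes $n.Children -Depth ($Depth + 1)
    }
}

Show-OUTree -Nodes (Get-OUTree)
```

For the front end, the node objects map directly onto tree-view items; the help desk then only ever sees OUs the searching account can read, which is the right place to enforce delegation.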
The KCC runs by default every 15 minutes, but there is another parameter
that controls how long a DC has to be unavailable to be dropped from the
topology.
For intersite topology, the partner has to be non-responsive for 1
attempt and two hours.
For intrasite topology, the partner has to be
Thanks Gil
One more question:
We are planning on upgrading (actually dcpromo-ing to demote and then
reloading) the DC with most of the inter-site connection objects. I understand
demoting the server will remove it from the AD configuration. Will KCC at this
point pick a new DC and create new
Personally? I like to think of AD as a GUI to Microsoft's implementation of
LDAP. That simplifies a lot of things for me. However, there is more to it
than that and the books you ordered should help in clarifying that.
You don't need to know LDAP to make AD work, but it helps. It's a great
O'Reilly's Active Directory book is a good primer. That is the first AD book
I read (it was first edition back then though). Once you have the basics
down I would recommend moving into Active Directory Cookbook also by
O'Reilly and Inside Active Directory, 2e from Addison-Wesley; both excellent
To get a basic understanding of what AD is and how it relates to LDAP,
see
But briefly, Active Directory is a multi-master directory service that
is tightly integrated with the Windows security system. LDAP is a
standardized protocol that defines how programs on a network can
communicate with a
Hey now... Don't forget about Alistair. He did that first edition himself
and did it well. :)
The Cat Book rocks. Actually I should get royalties for that one too, I have
made a bunch of people buy it and have bought and given away multiple copies
myself. I still have my first copy though it is
Didn't forget, just haven't heard of it. I will remember now though :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP
Hey
The dcpromo'd DC will recreate its view of the topology five minutes (by
default) after it starts. AFAIK, the other DCs will still wait until the
next scheduled time (up to 15 minutes) before re-evaluating the
topology, but they will immediately take into account the fact that the
first DC was
I assume you're talking about this?
http://support.microsoft.com/?kbid=248793
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: Monday, March 07, 2005 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming Accounts
Aww, man... How come my book isn't up there?
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP
Hey now... Don't forget
Ahh, thank you very much (both of you).
Strange. Ad.org's site seems to not be responding.
Here's the story.
As a personal hobby I run a few domains.
I used the Gentoo Virtual Hosts setup. I'm currently writing my own but
that's besides the point.
It uses MySQL as a database.
I get curious and
The one that's out of print?
http://www.amazon.com/gp/product/product-description/0672315874/103-8355416-0173405?_encoding=UTF8n=283155
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 12:19 PM
To:
Guys, just wondering if anyone else has seen this
before whereby, when a user logs into a 2K box, the home folder maps without
issue, but when logging into a 2K3 box it generates the following
error:
2K3 domain, 2K mixed mode, all DCs
2K3.
Only happens for a few select users, and I am
Sorry, all three of you :-)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP
Ahh, thank you very much (both of you).
Great way to do it.
For what it's worth, anytime you're trying to decide between SQL-type DB's
and LDAP, the usual differentiator is how you intend to use it. LDAP is
highly-optimized for read access. SQL db's typically are more read/write
(compared) optimized since you inject data into them
joe wrote:
O'Reilly's Active Directory book is a good primer. That is the first
AD book I read (it was first edition back then though). Once you have
the basics down I would recommend moving into Active Directory
Cookbook also by O'Reilly and Inside Active Directory, 2e from
Addison-Wesley;
Yeah, well there's that...
But that doesn't mean it isn't *good* :)
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and
I recommend your book a lot as well, in fact there is at least one list
member that has been trying to buy the darn thing based on my recommendation
but can't find it anywhere I have pointed at a couple of resources, it
was actually ordered from one resource (ebay) and the member got a note
Simple to think out
You doing mostly reads of string data, go LDAP.
You doing mostly writes go SQL.
You want fast complicated adhoc queries, business rules, triggers, searching
of binary data, etc, go SQL.
To play with AD, you don't need to spin up a domain controller, go grab
AD/AM and play
Certainly didn't want to imply...
Maybe it's time for the next book?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and
Potatoe/Potato sort of thing.
It is LDAP and it is an upgrade path from legacy systems such as WINNT.
How you use it plays a part. If you use it as a LDAP directory, then it
*is* a LDAP directory right? If you use it as a WINNT 5.x domain, then it
*is* a WINNT 5.x domain.
To say it's a
Stella has been scrounging the dusty antiquarian bookshops in New York
and London and has managed to snag a few copies. We'll have a handful of
my books available at DEC. For some reason Pearson never wanted to do a
2nd edition. What a bunch of poopy-heads (according to my 4 year old).
Yeah, it
One sorta word for you Gil...
PDF
Toddler
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Monday, March 07, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP
Stella has been scrounging the dusty antiquarian
This works with Outlook 2003 and Exchange 2003. The article discusses
Exchange 5.5 and older versions of Outlook.
Thanks.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 12:18 PM
To: ActiveDir@mail.activedir.org
that reflects my findings from other DC replacements as well, which is
why I tend to move the connection objects to another DC (i.e. in a
hub-site with multiple DCs) during the replacement of the first DC.
The reason to do so is simply due to FRS and its requirements to do a
full VV-join when
I'll probably want programmer side later, when I understand what I'm
doing.
BTW, someone posted this link:
http://www.microsoft.com/windowsserver2003/adam/default.mspx
Here is Microsoft's definition:
Windows Server 2003 Active Directory Application Mode
For organizations that require flexible
Hello:
Can someone point me to a doc detailing the GPO settings for locked down
computer that might be in a lab or other public access location?
Thanks.
Running AD 2000,
I'm creating templates for user creation for the help desk. However, when
they copy the template it does not copy all the field information like
address. It copies city and state, but not street address.
Does anyone know why it will copy some fields, but not all?
-Christine
If it's out of print, Gil should just make the PDF available free to
list members online... :-)
Unless of course, he's planning to actually DO those reprints and make
some money off of them...
G
**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595
This doc is a good starting point:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx
It provides a set of settings for a variety of lockdown
scenarios.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent:
Not all attributes are flagged in the schema for copy when ADUC dupes an
account.
See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_systemflags.asp
Not sure why this flag is in searchFlags instead of systemFlags but there
you go...
It would follow that
Thanks!
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, March 07, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ad users and Computers
Not all attributes are flagged in the schema for copy when ADUC dupes an
account.
See
Hmm... Although based on the same technology, don't confuse ADAM with AD.
ADAM is the lightweight version of AD technology. I.E. it's an LDAP server
vs. an identification, authentication, and authorization infrastructure (aka
special sauce ingredients).
Al
-Original Message-
From:
Ah, thank you for pointing that out.
I did confuse them.
Kenny
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP
Hmm...
AD/AM is primarily just the LDAP directory part of AD. It doesn't do
kerberos nor the NSPI stuff. So if you want to play say with Exchange you
have to go to AD. If you want to kerberize authentications, you need AD.
If you are simply playing with adding/removing/reading/querying data for
users
Probably depends on his agreement with the publisher on whether he can do it
or not. Gil may not own the rights to the book to do this even if he wants
to. Personally I think he should update it and sell it. The first time
around it was pretty early in the AD world without a huge number of
Yeah, I don't own the rights img desc=Picture of Satan on my shoulder
cackling with glee/, but I might be able to get them. I'll have to
look into it.
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 2:22 PM
To:
Is it possible to change the text for the security setting Interactive
logon: Prompt user to change password before expiration
The reason we're looking to do this is that we have a
3rd party password management application, and we still want to use
the windows notification for password
Wouldn't it make more sense to just turn that off and send them a
notification via the third-party app? What's their recommendation?
al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Monday, March 07, 2005 4:30 PM
To:
What I'm told (InfoSec is checking on this) is that the application does
not handle notification. I was thinking about just writing a script to
check when the user's passwords will expire and then shoot them over an
email but figured I'd try to see if there's any easy way to change the
text
Not really for the normal admin. If you want to write code
you could probably work on the GINA and pull it off, again not very realistic, I
personally wouldn't consider making GINA mods for that. The usual solution
is to email people prior to their password expiring and having the directions
You might take a look at the platform SDK and see if there is anything in
there about it. Be aware that if you have multiple desktops, there may be
multiple places to make changes. I'd be more of a fan of writing a script
to notify users of password expiration than I would of re-writing,
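The script both replies point to (check when each user's password will expire, then email them before it does) as an added example; it is not code from anyone in the thread. It assumes the ActiveDirectory PowerShell module and DCs running Windows Server 2008 or later, because it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed (which already accounts for fine-grained password policies), and it assumes an SMTP relay at smtp.example.com and a sender address helpdesk@example.com; all of those are assumptions, not facts from the thread.

```powershell
# Added example; not code from the thread. Assumes the ActiveDirectory module,
# 2008+ DCs, and the SMTP relay / sender address below (all assumptions).
#Requires -Modules ActiveDirectory

function Get-ExpiringPasswords {
    param([int] $WithinDays = 14, [string] $SearchBase)
    $now = Get-Date
    $params = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'msDS-UserPasswordExpiryTimeComputed', 'mail', 'DisplayName'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 means "must change at next logon"; Int64.MaxValue means the
        # password never expires under the effective policy. Skip both.
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
        $expires = [DateTime]::FromFileTime($raw)
        $days = ($expires - $now).TotalDays
        if ($days -le $WithinDays) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                DisplayName    = $_.DisplayName
                Mail           = $_.mail
                Expires        = $expires
                DaysLeft       = [math]::Floor($days)   # negative = already expired
            }
        }
    }
}

function Send-PasswordExpiryNotice {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $User,
        [string] $SmtpServer = 'smtp.example.com',      # assumption
        [string] $From       = 'helpdesk@example.com'   # assumption
    )
    process {
        if (-not $User.Mail) { Write-Warning "$($User.SamAccountName) has no mail attribute"; return }
        $subject = "Your password expires in $($User.DaysLeft) day(s)"
        $body = @"
Hello $($User.DisplayName),

Your Windows password expires on $($User.Expires.ToString('yyyy-MM-dd HH:mm')).
Press Ctrl+Alt+Del and choose "Change a password" before then.
"@
        if ($PSCmdlet.ShouldProcess($User.Mail, "send '$subject'")) {
            Send-MailMessage -SmtpServer $SmtpServer -From $From -To $User.Mail -Subject $subject -Body $body
        }
    }
}

# Run as a daily scheduled task; drop -WhatIf once the output looks right.
Get-ExpiringPasswords -WithinDays 14 | Where-Object DaysLeft -ge 0 | Send-PasswordExpiryNotice -WhatIf
```

Already-expired accounts (negative DaysLeft) are filtered out here so the job does not spam people who cannot log on anyway; list those separately for the help desk. Keep the mail body free of links to a "change your password" page, since a notice like this is exactly what a phishing mail imitates.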
Scenario:
Windows 2000 clustered server. Mail on
one node. File share and printer share on the other node.
-
Need the
ability for the Desktop Technicians that install the physical printers to
install them onto the server.
-
Printers
are setup using static IPs and added to the
Doesn't the ability to install a printer mean they have the
rights to install a device driver? I think that means they have to have local
administrator rights.
And if they have the ability to install a driver, they own
the server anyway :)
-gil
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Hi Christine,
My guess is that Microsoft accidentally flagged a wrong attribute to be copied
when a user is copied. The Street attribute you see in ADUC is stored in the
streetAddress attribute (which is an LDAP name), and that attribute is not
copied. However, another attribute with an LDAP
If you use the schema management snap-in instead to do this, there's a checkbox
to copy the attribute. Perhaps a bit less dangerous than tinkering in adsiedit:
Start > Run > regsvr32 schmmgmt.dll
Start > Run > schmmgmt.msc
Browse down to the streetAddress attribute, there's a checkbox on the bottom of
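The searchFlags bit both replies refer to is 0x10 (decimal 16), "copy this attribute when a user is duplicated". The following added example (not code from the thread) reads that bit for any attribute so you can compare, say, streetAddress with the city and state attributes (l and st) before touching the schema, and flips it on request. It assumes the ActiveDirectory PowerShell module and membership in Schema Admins for the write, both assumptions. Schema changes are forest-wide and replicate to every DC, so run the read first and the write with -WhatIf before doing it for real.

```powershell
# Added example; not code from the thread. Assumes the ActiveDirectory module
# and Schema Admins rights for Set-SchemaAttributeCopyFlag (assumptions).
#Requires -Modules ActiveDirectory

$ATT_COPY = 0x10   # searchFlags bit: copy the attribute when duplicating a user

function Get-SchemaAttributeCopyFlag {
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Properties searchFlags `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "No attributeSchema object with lDAPDisplayName '$LdapDisplayName'" }
    [pscustomobject]@{
        Attribute   = $LdapDisplayName
        SearchFlags = [int]$attr.searchFlags
        CopyOnDup   = [bool]([int]$attr.searchFlags -band $ATT_COPY)
        DN          = $attr.DistinguishedName
    }
}

function Set-SchemaAttributeCopyFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $LdapDisplayName, [switch] $Enable)
    $info = Get-SchemaAttributeCopyFlag $LdapDisplayName
    $new = if ($Enable) { $info.SearchFlags -bor $ATT_COPY } else { $info.SearchFlags -band (-bnot $ATT_COPY) }
    if ($new -eq $info.SearchFlags) { return $info }   # already in the wanted state

    # Schema writes must go to the Schema Master; they replicate forest-wide.
    $schemaMaster = (Get-ADForest).SchemaMaster
    if ($PSCmdlet.ShouldProcess("$($info.DN) on $schemaMaster", "set searchFlags $($info.SearchFlags) -> $new")) {
        Set-ADObject -Identity $info.DN -Replace @{ searchFlags = $new } -Server $schemaMaster
    }
    Get-SchemaAttributeCopyFlag $LdapDisplayName
}

# Compare the address-tab attributes the thread talks about.
'l', 'st', 'streetAddress', 'street' | ForEach-Object { Get-SchemaAttributeCopyFlag $_ } | Format-Table

# Then, if wanted:
# Set-SchemaAttributeCopyFlag -LdapDisplayName streetAddress -Enable -WhatIf
```

Only the other bits of searchFlags (indexing, ANR, confidentiality, and so on) are preserved by the -band/-bor arithmetic; never write a bare 16 into the attribute, which would silently clear them.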
You can use GP to differentiate who has rights to install a printer driver vs
any other driver w/ 2003 at least (and maybe XP).
But no way to create printers without admin on the server.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f -
The Cat Book rocks. Actually I should get royalties for that one too, I
have made a bunch of people buy it
Here we go again
-rtk
P.S :p
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 11:11 AM
To:
It's the best Nuts and bolts book on programming to AD that I've got on the
shelf.
Active Directory Programming by Gil Kirkpatrick
-rtk
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 11:19 AM
To:
Oh, and mine's signed! Thanks again, Gil!
:)
-rtk
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, March 07, 2005 9:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP
It's the best Nuts
Oh Kenny, something I intended to mention but forgot to...
You mention your hobby of spinning up new domains, etc. By domain do you
mean a new Windows NT Authentication Realm or Kerberos Realm or just a new
LDAP Hierarchy?
If the latter, AD/AM can be quite useful here as well since you can have
What can I say... I didn't win the Lotto. :)
It seems more and more like I am going to have to actually earn my first
million.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, March 07, 2005 10:14 PM
To:
Ahh, my ego has been assuaged... :)
You're welcome!
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Mon 3/7/2005 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP
Oh, and mine's signed! Thanks again, Gil!
I'm glad to hear that it's finally dawned on you that you're more like the
rest of us than you want to admit
Actually have to EARN your first million Yeah. I suspect you're closer
than I am.
Yur killin' me, joe.
;o)
-rtk
-Original Message-
From: [EMAIL PROTECTED]
Yes that should work on O2K3. I don't believe the profile processes have
changed much.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: Monday, March 07, 2005 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Hi all
Anyone ever have to choose between Simple Sync and Imanami Directory
Transformation Manager ?
I'm talking to a mainframe via LDAP going to AD and on paper Imanami looks
the better choice.
Anyone have any recommendations either way?
I've seen simple sync mentioned at least once on this list