Hello experts,
How can I issue a shutdown (restart)
to all the client machines on my domain.
Regards,
Shutdown /i and add the machines to the list of machines to reboot\shutdown
-Original Message-
From: Sharif Naser [EMAIL PROTECTED]
Date: Wed, 23 Mar 2005 12:19:17
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] shutdown of all clients machines remotely
Hello experts,
How can
http://www.ultratech-llc.com/KB/?File=Shutdown.TXT
Why, btw?
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On Wed, 23 Mar 2005 12:19:17 +0300, Sharif Naser [EMAIL PROTECTED] wrote:
Hello experts,
How can I issue a shutdown (restart) to all the client
If you have a text file called wkstn.txt with all of the machine names, put
this in a batch file.
FOR /F %%i in (wkstn.txt) do shutdown -r -m \\%%i
It requires the Shutdown executable to be installed (WinXP and Win2000 have
it installed with the OS I believe - NT and 9X may not)
You can
Thanks for your comments! As I said, much appreciated!
Joe
Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324 Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
Hi Joe/Eric,
I was able to use that script to convert to csv format. Another thing I did
ahead of time was use CSVDE and export the entire OU in question. I
exported the cn, whenCreated, whenChanged attributes and discovered more
clues. This is NOT an AD problem as expected but the script is
Does anyone know if this setting is enabled at the default domain policy, are my users going to
get prompted to change their passwords immediately if their current password
does not meet the complexity requirements? Or will they be forced to use a
complex password when they change their
Your users will not be immediately prompted to change their password to
meet the complexity requirements. They will be forced to use a complex
password the next time a password change is required.
Greg
Hi,
Password complexity is by default enabled on W2K3 domains and by default disabled on W2K domains. I don't
know the exact configuration by head for each domain, but I think you need to specify
which occasion.
When password complexity is enabled:
* If you create a user account you need to
Which LDAP traffic are you thinking of?
Typically LDAP traffic is passed by an application/client for the purpose of
either white pages type lookup or for identification and authentication.
LDAP authentication, by its nature, is insecure. It passes credentials in
the clear on the wire.
Did
Hi All
Just to add to that.
When you change your DDP GPO to specify a stronger password, the stronger
password (complexity, password length of 42, whatever you choose) will
take effect at the next password change, but will not affect those
passwords already in the system. People with passwords
Deferring on the tombstone lifetime question, but yes you will have to
do the offline defrag of the database on each DC separately, at least
for those where you want to reclaim database space.
Hunter
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
You can also use the Sample 5.16 - QueryAndReboot.wsf of my WMI book,
Volume 1 at http://www.lissware.net.
This script accepts an LDAP filter to query AD, and based on the results, it
reboots all computers listed in the query result.
For instance:
C:\QueryAndReboot
On Wed, 23 Mar 2005 14:49:51 +0100, Jorge de Almeida Pinto
[EMAIL PROTECTED] wrote:
When password complexity is enabled:
* If you migrate a user from a source domain to the domain with password
complexity (length, complex, etc.) enabled the password does not need to
meet the password policy in
We are currently trying to migrate all of our child domains into one
single domain. There are 3 child domains, 2 of which are Windows 2000
native and 1 is Windows 2000 Mixed. The target domain is Windows 2003
Native. We plan to use ADMT v2 for the planned migrations.
There were
Our experience with ADMT v2 (beta) matched what Jorge said...source
passwords did not have to meet the target requirements when migrated,
but the next time the migrated user changed passwords the new ones did
have to meet the target requirements. I'm not sure if this has changed
in later versions
On Wed, 23 Mar 2005 08:01:45 -0700, Coleman, Hunter [EMAIL PROTECTED] wrote:
Our experience with ADMT v2 (beta) matched what Jorge said...source
passwords did not have to meet the target requirements when migrated,
but the next time the migrated user changed passwords the new ones did
have to
Are they all in the same forest? You mentioned child domains so I
assume they are, but I just wanted to check. Do the accounts follow
the same naming standard across all the domains? You mention the
target domain is Windows 2003 Native, I assume this means Windows 2003
in Win2k Native mode?
Phil
Hi Phil
I believe the current Quest tool is the old Aelita tool. In the version
before they were purchased by Quest, passwords that were migrated completely
ignored the password policy of the target domain, even allowing blank
passwords to be migrated.
Regards;
James R. Day
Active Directory
As Jorge stated, these 3rd party tools copy the pw hash and not the password
itself (for obvious reasons). The receiving DC is unable to determine if this
hash conforms to the pw policy or not and so the hash is always permitted
(even if corresponding to a blank pw).
I have used the Quest/Aelita
FWIW, there was a long conversation
covering RPC over HTTP on the security basics mailing list. You can look
at the archives to see if there was anything worth gleaning from the
conversation
Diane
http://www.securityfocus.com/archive/105/389606/2005-02-04/2005-02-10/1
From: [EMAIL
I am mainly thinking about communications with Exchange. Other than
that, I am not really sure what applications or other communications are
actually using LDAP. For instance, when someone logs onto a machine,
what is happening? I have thought that everything was taken care of by
Kerberos, but not
On Wed, 23 Mar 2005 15:31:23 -, Ruston, Neil [EMAIL PROTECTED] wrote:
As Jorge stated, these 3rd party tools copy the pw hash and not the password
itself (for obvious reasons). The receiving DC is unable to determine if this
hash conforms to the pw policy or not and so the hash is always
There are a few things to know here:
LDAP data will be passed in plain text on the network unless the channel is
encrypted.
LDAP supports a concept called a SASL bind that allows your authentication to
not pass plain text credentials, even if the
Yes, all of these domains are in the same forest. We have an empty root
domain, MSROOT.domain and one tree in the forest, DOMAIN.com and 3 child
domains, FM.domain.com, MI.domain.com and RA.domain.com. The forest
functional level is Windows 2000 while the domain functional level of
Good read thanks for the link!
Joe
And when you say duplicates names, are they representing different users or
the same users from different forests?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 23, 2005 11:23 AM
To:
These are the same users in the same forest, but in different domains.
Mulnick, Al
[EMAIL PROTECTED]
Windows logins do not use LDAP. Essentially, that stuff is all done
using Kerberos or NTLM if there is some kind of failover. All of the
Kerberos ticket creation and group membership expansion for Windows
security tokens is done through different APIs and protocols.
LDAP is mainly used by
Hi Tom.
Float up the issues you had with your DR testing. If the testing is for real
and not just a "so we can say we did", the management will be looking for
information out of the DR Testing summary to determine if they are safe or
not. It is possibly quite likely the exercise is simply that, an
I had a user that was moved from one child domain to
another. The user was deleted and added. Is there any way to
recover the group membership of that user in the old domain?
-Devon
I wanted to thank you for the replies. I was nervous about getting a
netmon trace and trying to read it. As it turns out, when I looked at
the netmon trace, I discovered these two machines were looking for an
SMS distribution point that used to be on this machine. I pushed a
new SMS client out
Thanks for your help.
I am documenting everything.
This is the 2nd DR test that is screwed up that I've been involved with in this
company.
My company merged with another company(we are on equal footing). however, the
company we merged with was already on AD and we were Win NT. So they
So merge is the correct term then?
It's been a while, but I was thinking that ADMT could handle that. Have you
checked the help files for merging source to target?
al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent:
I have checked the help files in the ADMT and it appears that it will only
replace the account in the target domain with the account in the source
domain. As a result, the users will be removed from the groups in the
target domain and they will lose access to their applications. I want to
Can ADMT merge between two domains in the same forest? Since
intraforest migrations are a move and not a copy I was under the
impression that you couldn't merge accounts while doing that. When
doing an intraforest migration with NetIQ the option to merge
conflicting accounts is not available.
Re-read what that helpfile entry says:
However, the wizard does not remove the user from groups in the
target domain that no longer exist in the source domain.
That implies that it will update the account in the target domain with
group membership from the source domain, but it will
If the user was deleted from the old domain and recreated in the new
one then I would say no.
Why was this process followed and not a Move or a Migration?
Phil
On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
[EMAIL PROTECTED] wrote:
I had a user that was moved from one child domain to
Can you log onto the root DC with the Enterprise Admin ID and the
newly changed password?
Phil
On Wed, 23 Mar 2005 13:25:14 -0500, Kern, Tom [EMAIL PROTECTED] wrote:
Thanks for your help.
I am documenting everything.
List info : http://www.activedir.org/List.aspx
List FAQ:
Do any of you run the windows firewall on your Domain Controllers?
If so where would I find what ports need to be open for Active Directory
DNS?
Thanks,
--
Matt Brown
[ SELECT * FROM LDAP_Servers WHERE AD OpenLDAP ]
Information Technology System Specialist
Eastern Washington University
I think during an intraforest migration it is a copy, as the source user
accounts are left intact and the users can continue to use them. This makes
for an easy roll back if something goes wrong. I have not yet looked at
using other tools as they, of course, will cost money and this tool is
Hmm... Doesn't sound like a good idea to me. I would suggest a Cisco PIX
firewall as the Windows model is kinda insecure. My 2 cents
David A. Marquis
Computer Systems Administrator
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent:
If you can avoid it, don't put your DCs behind a firewall at all.
Take a look at this link for how to enable AD communication through a firewall:
http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
Phil
On Wed, 23 Mar 2005 13:38:57 -0600, Dave A. Marquis
[EMAIL PROTECTED] wrote:
Though not exactly what you are asking for, this article has a lot of
applicable info:
Active Directory Replication over Firewalls
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
hth,
john
LDAP: 389
GC: 3268
DNS: 53
There's secured ports for LDAP and GC ... I think it's 636 and 3269...
marcus c. oh
.\core technologies\cox communications, inc.
.\mvp\windows server systems\management
[v] 404.847.6117 [c] 404.391.7097
-Original Message-
From: [EMAIL PROTECTED]
Matt,
This might help:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, March 23, 2005 1:25 PM
To:
Nope. I reset the pw and it says changed successfully but I still get a bad
pw/username error.
The DC takes about 30-40 to get to a logon prompt and then after logging on it
takes another 30-40min to give you an error.
-Original Message-
From: Phil Renouf
Quest's Domain Migration Wizard has options to handle
duplicate accounts.
[EMAIL PROTECTED] 3/23/2005 11:44:44 AM
That's not correct for an intraforest migration.
Intraforest migrations are definitely a move and not a copy. Have you
copied a user account from a domain in ForestA to another
They will be required to meet complexity when their current password expires
after the new requirements take effect. If you want it to happen faster, expire
the passwords with a script.
-rtk
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Felzer
Sent:
As does ADMT and NetIQ, but does that apply for Intraforest migrations as well?
Phil
On Wed, 23 Mar 2005 12:59:48 -0800, Nathan Casey
[EMAIL PROTECTED] wrote:
Quest's Domain Migration Wizard has options to handle
duplicate accounts.
According to the docs they do work for intraforest as well. It's just been
so long since I've used it I can't remember exactly which path you want in
this situation.
ADMT is a valid tool for domain consolidation (which is essentially what
you're doing). The naming conflicts settings are
Yeah I went looking for some ADMT documentation and anything I saw
that talked about Intraforest migrations didn't also include account
merging information.
Phil
On Wed, 23 Mar 2005 16:51:05 -0500, Mulnick, Al [EMAIL PROTECTED] wrote:
According to the docs they do work for intraforest as well.
Assuming your DCs are all replicating fine within the TSL you are proposing
you should be fine. The idea behind the TSL is that the tombstoned objects
get replicated to every DC in your forest so AD knows that an object has
been deleted. If you, for instance, set the value to low, a tombstone
Now are the duplicate accounts all for the same physical principals or is
there say a root\joe, child1\joe, child2\joe and all three are different
people or processes?
If the former, you should be able to merge in the SID Histories though it
would be cleaner to clean up the ACLs.
If the
Ack sorry, for some reason this message thread didn't chain properly in
Outlook for me and now I see the thread already went this way. Good show
chaps!
;oP
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 5:10
Yeah, I would have to say your root admins don't know what is going on if
they said they do things the way they do them for security. Too bad they
aren't on this list. In the same position I would be highly tempted to take
Enterprise Admin away from them and tell them I did it for security reasons
Nope. Nothing native that is. This is a good reason to take
dumps occasionally of groups you have or sync the membership to another store
like SQL or AD/AM.
I have been thinking about making a tool to do something
like this. How much would people pay for that functionality?
joe
From:
See there. No reason to be afraid of a network trace. :o)
It's all good in the hood.
Very seriously, the more you play with network traces and looking at them,
the more you can identify as weird, strange, unusual, not correct, etc. It
really is a very good skill to work on and keep. There are so
AD and DNS are relatively easy, it is the RPC that is going to kill you. If
you want to have terrible fun supporting AD, I highly recommend firewalling
DCs from each other and from clients.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
I'll give you a t-shirt, a backpack, and some overpriced
wifi. When can I download the tool?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 3:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership
Nope.
Hi,
In an intraforest migration ADMT actually MOVES the user account by creating
a new account in the target domain (new SID, but SAME GUID as the
source account) with the SID of the source account in the sIDHistory of the
target account. This is a destructive operation as there is no (quick)
2 questions:
1. How do I restrict logon if the workstation can not find the default profile.
I have an account that is used for users to setup/activate their account info
that is completely locked down and only allows them to run one program, my
activate account application. But a
OK, I am now sending you a bill to clean the Coca-Cola off
my FP monitors. Also my nose is burning.
Kneebiter. :o)
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, March 23, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
Thanks
It makes me want to figure out how as a domain admin I can insert myself into
the Enterprise admin group just as a proof of concept to these guys to make
them rethink their strategy.
I'm getting tired of fighting them and worse, I'm getting tired of traveling to
Sunguard and spending
This was a Windows 2000 domain with Exchange 2000, and I don't think you
can move mailbox accounts across Admin Groups (which is what we have for
each domain). Correct me if I'm wrong, but wouldn't we have to upgrade
to Exchange 2003 to accomplish this?
-Devon
-Original Message-
From:
Authentication and Authorization are handled through kerberos between
Windows machines. There are some goofy linux folks out there using LDAP for
auth though[1].
LDAP is a communication protocol for information lookup and to update the
directory, it isn't an authentication protocol but that
This would be very useful as we have
people moving from different domains\admin groups quite often.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL
Using the Windows Firewall will be the same like putting some firewall
between the domain members and each DC and between each DC. I know for DC
replication (AD and FRS) you can configure fixed RPC ports on each DC. I'm
not sure if it is possible to configure a fixed RPC port(s) so domain
members
Has anyone ever actually tested if Exchange properly delivers emails to all
members of a large (many thousands of mail objects) Distribution List?
Specifically where the Exchange server has to expand a DL and use attribute
ranging to get all members.
joe
If you want it to happen faster, expire the passwords with a script.
Gee
Rick you missed a chance to prop joe?
:-0
http://www.joeware.net/win/free/tools/expire.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Wednesday, March 23, 2005 8:38
I'll let you in on a secret, Rick doesn't really like me very much.
He sat there in the keynote at DEC trying to get me arrested by the Canadian
Royal Mounted Policy by telling Stuart Kwan (of the Ottawa Kwan Clan) in front
of millions, ok hundreds, of people that I had death threats out
Can you explain one thing for me?
Why is it that Gil's hack worked on the root DC but wouldn't work if I ran it
on a child DC?
Does the local system account on a child DC not have as much power over DCs in
other domains?
I thought by being in the same AD group, all the local system accounts
I'm on several DLs that are thousands of users in size(some are multiple
times larger than MaxValRange), and it works just fine. (by thousands of
users in size, I'm talking about a single DL that is thousands of users,
not nested DLs, as that is of course an entirely different test scenario
that
How do you know it works just fine? What proactive checking is done to
verify it? Say 2 people didn't get the message and they didn't realize there
was a message to not get...
The question is being posed because I am working with some folks who had a
couple of people (that we know of) out of
I say it because some of the DLs I'm on, people would find out they
didn't get the message. Such as a required form that they would not fill
out.
Did I call all 4000 people on one of these lists? No I didn't.
Short of having a script that watches every mailbox, I suspect no one on
this list can
I should have added, are you looking for thoughts on troubleshooting? Or just
asking if anyone has seen this?
~Eric
From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Wed
Yes. :)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, March 23, 2005 8:58 PM
To: ActiveDir@mail.activedir.org;
This is just an FYI for anyone that may experience the same problem I was having.
Problem: XP clients are not receiving updates from SUS, and when trying a manual
Windows Update from the web, you get error 0x800A0046.
http://support.microsoft.com/?scid=kb;en-us;883821
I used
Seems like you're on the right track. With the message ID
and tracking logs, you can back out all of the mailboxes that got the message.
But you already knew that, and probably have let
Thanks Jorge, that is what I was thinking but I wasn't 100% positive
that was the case for ADMT.
Phil
Can you give us some insight in to the problem and what you know so far?
Versions of Exchange and AD are also of interest.
~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL
Also, is it a query based DL or not?
From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Thu 3/24/2005 12:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but still has an AD portion...