Hm, I know it isn't anything with AD...
But I don't know where to look... Hoping you could answer...
I have a computer that connects to a domain.
The only problem is, the work on the local computer can not be modified...
The owner of the local files and folders are the local account..
But now we use
Fooling around with ntdsutil and metadata cleanup or ADSIedit should
give you some hints about the name of the DC(s) that's (are) missing. If
it's missing on purpose, you need to do the metadata cleanup for the
server to get rid of it completely
good morning all,
I've got 2 WINS servers (called WINS1 and WINS2) on a Windows 2000 AD
domain called AME.LOCAL. These are configured as pull-push partners of
each other and will replicate correctly.
Now, I need to add 2 more Wins servers and configure them as P-P partners
with the above.
Does that work in windows 2000?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Monday, August 29, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permissions for a user to add users to a group
A
Ok looking thru the search function I cannot find any specific thing to
look for groups. I see the find people but that is looking for contact
information not a particular group. Perhaps I am missing something.
Jeff
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Unsure what the data is going to be used for. I just got the question of
how many users logged into the network in the last 60 days. If I can
have this in an automated way where they can pull up the information
easily it would be great. I think they are wanting it for metrics.
Jeff
MOM would be a great tool to investigate for information collection and
trending reports based on that information.
You could automate it by counting the users in the same manner I described, and
then iterating through what's left discounting the service accounts if you
wanted.
You could
How about joe's oldcmp tool (http://www.joeware.net/win/free/tools/oldcmp.htm)?
The tool will work with a Windows 2000 AD as well as a Windows 2003 AD. It can
key off the pwdLastSet attribute or in a Windows 2003 Domain Functional Domain
on lastLogonTimestamp. This means you are going after
I know that Microsoft states that there can only be one password policy per domain. Earlier this month Joe started a thread about AD Gripes and several people mentioned the password issue.
We are dealing with the same thing. I would like to have a more restrictive policy on our admin accounts
Strictly speaking, no there isn't a query that will return this. You would
need to script it as it will be a process to follow. You can't filter by OU
in a query unless you have another field populated in the objects that has
that OU specified so you can specify it in the filter or alternatively
I have not worked with that tool and know very little about it.
One thing to watch out for are tools that place themselves between the client
and the directory. By that I mean that they extend the directory and its
functionality in such a way that if you were to remove the product later
I go into the Computers container weekly
and clean up the strays with a script, moving them to the right OU.
Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
Just an update here (FYI) -
A Microsoft tech. on the forums pointed out to me that
the IE Cumulative Update 896727 from bulletin MS05-038 supersedes the hotfix
903235 in MS05-037. Once the cumulative update is applied, MBSA v2 no
longer reports on the former. Forty lashes to me for not
We use multiple approaches to this problem,
1) Sysprep.inf :
You can provide the OU in which the newly deployed computer account should
be created. We have developed our custom OS deployment solution, which
allows us to change the sysprep.inf file on the go, so no need to
rebuild the sysprepped image
Windows 2003 no Service Pack but updated security patches is what the
member server is.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 30, 2005 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rename User
On 8/30/05, Al Mulnick [EMAIL PROTECTED] wrote:
What is it you need to accomplish then? If they're already separate,
what's to separate other than name resolution and DHCP/network services?
From an Active Directory point of view, the AD trust will need to be
broken, but I would like to know
MS Audit Collection Services, which should be out of beta soon, is also
great for this sort of thing.
Thanks,
Brian Desmond
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent:
Sorry. should have been more specific. If you do a search for 'people',
but type a group name in there, it'll find it. Not very intuitive, I
know, but it works. If you type a partial group name you'll get all the
groups that start with that string. This can be handy if your group
naming
DSACLS, but it would be nice for the whole tree.
Mark
-Original Message-
From: Al Mulnick [EMAIL PROTECTED]
Date: Tue, 30 Aug 2005 20:19:03
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions
What are you using now for that single OU?
-Original
Have worked with this tool and it works well. You
have to make a few changes to the domain password policy during the
implementation of this program but it was rather painless. I do believe
you can get an eval copy for a test environment to see how it is configured
etc..
Jeff
From:
when you run it, use a command file.
dsacls ou1
dsacls ou2
dsacls ou3
That of course would not get the sub OU's, but if they are relatively static,
it would be fast to put together and it would keep your output fairly constant
with what you have now.
If not, you could root
Finding the root. I believe it was Dean who posted this a little while back.
... another thought, to determine your forest root in order to validate
the dn you're supplying, the following single-line command line syntax
will help -
portqry -n <domain name> -e 389 | find "root"
Run that on both
My preference is a tool that does it for me - but I will put together a
script now that I know there is not a tool to do it.
Many thanks.
Mark
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 31 August 2005 17:58
To:
Dan.
I seem to remember from a security course
that I did that you had to write an ADM to prevent this happening in certain
circumstances it was to do with NetBIOS.
This is the snippet of my custom ADM and
was meant to be configured on internet facing machines only.
POLICY
I am trying to write a script to set a user password and the script must be run
from a machine that is not a domain member.
Background:
We are migrating to Exchange from Groupwise in 12 days. We still have a ton of
machines that are not part of AD, still in NDS. Users all have accounts and
How does the non-domain member find strNetBIOSDomain ?
On line 61, how about having it echo to the user what the strNetBIOSDomain and
strUserName1 variables result in?
Does it match what you think it should be? Is it possible to find that
information from the workstation it's running on?
Thanks for the reply Al.
strNetbiosdomain is a variable I set
script dies before line 61
A web front-end is where we were leaning.
Shawn
Al Mulnick [EMAIL PROTECTED] 08/31/05 03:19PM
How does the non-domain member find strNetBIOSDomain ?
On line 61, how about having it echo to the user
On 8/31/05, Al Mulnick [EMAIL PROTECTED] wrote:
Finding the root. I believe it was Dean who posted this a little while back.
... another thought, to determine your forest root in order to validate
the dn you're supplying, the following single-line command line syntax
will help -
portqry -n
Sorry, I'm having a brain hiccup. Does anyone know the command line utility that
tells you which DC authenticates you?
-Christine
Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216
617-748-6034
617-293-4407
[EMAIL PROTECTED]
I think the set command will give you that information. There might
be a better tool - I would be interested in that as well :)
I use this command - set | find LOGONSERVER - to parse out the rest
of the info.
HTH
Thank you for your time!
Jennifer
-Original Message-
From: [EMAIL
SET LOGONSERVER at the command line should be enough.
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Wednesday, August 31, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC authentication
I
How about...
set logonserver
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Wednesday, August 31, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC authentication
Sorry, I'm having a brain hiccup. Does anyone
Echo %logonserver%
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Wednesday, August 31, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC
echo %logonserver%
-Ryan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Wednesday, August 31, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC authentication
Sorry, I'm having a brain hiccup. Does anyone know
Hi Christine
This will show you the secure channel for given machine:
nltest /sc_query:<domain> /server:<server_name>
Tony
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Thursday, 1 September 2005 8:58 a.m.
To:
Set l will return your logon server.
Dan Cariglia
Systems Analyst
Concerto Software, Inc.
6 Technology Park Drive
Westford, MA 01886
(978)952-0618
Ext. 20618
email: [EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
I would wonder if the Name Translation is failing, does it have the security
context to do the lookup? I am not in a position to test it at the moment
but I would make sure it is working properly.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn
Setprfdc from NT4 allows you to specify a DC to use, but if you're
actually looking for what you're asking for, the other answers posted
are what you're looking for.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Wednesday, August
Yes.
Someone followed the MS book examples pretty explicitly. :o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, August 31, 2005 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Companies splitting - where to
I wonder if, in this case, it might not be easier to just use the
WINNT:// ADSI provider to reset the user's password? You might avoid
some of these issues.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 01, 2005 7:18 AM
Our TAM has been beating using nltest instead of set l into our heads for
almost two years now. The set command echoes a variable that is set at
startup and doesn't change when your authenticating server changes.
The only problem with using nltest with the /sc_query option is that it also
Title: Re: [ActiveDir] Active Directory Permissions
Hi Mark,
When writing our book (Inside Active Directory), I wrote a
script that dumps all the ACEs of a domain to an Excel
spreadsheet.
The script has some fixed names and it's not "production
quality" by any means, but if you want, I can
It might at that. :)
I ran this at home and it was the translation that was causing me issues.
I changed the code to be more like this:
Const ADS_SECURE_AUTHENTICATION = 1
strUserDN = "cn=Administrator,cn=Users,dc=Clusterdomain,dc=com"
strPassword = "Super_Secret_and_complex_Password"
Set
The time on my server is constantly increasing and is
clearly wrong. I do not want to sync with and external source!
Help appreciated!
Windows 2000 advance server
How about synch'ing it with an internal source that is stable? Remember that
it needs port UDP 123 open. I wonder why you wouldn't want to use an external
source, like http://tycho.usno.navy.mil/ntp.html?
Mike Thommes
From: [EMAIL PROTECTED] on behalf of
The only way I can visualize this happening is if someone
reset the computer account on Domain Controller A. Otherwise when the new
machine joined the domain, it couldn't "slide into" the machine account for the
existing domain controller A.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Then you better be resetting the clock manually until you
find what is wrong with the server. If it isn't syncing with anything, then its
internal clock is fubar.
How is tomorrow BTW, looks like you are sending this a good
4 hours before I am responding. :o)
joe
From: [EMAIL PROTECTED]
Yes, the recommendation is to use an internal hardware clock:
http://support.microsoft.com/default.aspx?scid=816042
Tony
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, 1 September 2005 12:28 p.m.
To:
The switch /sc_query only shows you your secure channel DC, it doesn't
necessarily tell you what DC you are using for LDAP ops currently. They are
usually the same but don't have to be.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Why don't you want to sync externally?
Your BIOS battery is probably going south.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On 9/1/05, Patrick Paul [EMAIL PROTECTED] wrote:
The time on my server is constantly increasing and is clearly wrong. I do
not
And please be sure to note the part of Michael's mail below where he said
stable. I once talked to a customer who was syncing DCs to an external
clock that rolled back ~20 years. I assure you that was not the best day
ever for this admin. :)
~Eric
-Original Message-
From: [EMAIL
I had already posted the recursive command for DSACLS to dump the full
structure...
Here it goes again.. Put it in a batch file
for /F "tokens=1* delims=*" %%A in ('dsquery ou -limit 0') do dsacls %%A > %%A.log
This will recursively go to each OU and dump its permissions in a logfile
named by the
I will take a copy of this script please and I will also utilise the other
script posted,
Markp
-Original Message-
From: Sakari Kouti [EMAIL PROTECTED]
Date: Thu, 1 Sep 2005 02:04:21
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions
Hi Mark,