RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

2006-02-03 Thread Victor W.
Thanks Michael and Tony, I will try it and will let you know the outcome. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: vrijdag 3 februari 2006 2:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and

RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

2006-02-03 Thread TIROA YANN
Hi Victor, I just had this issue last week! The All Address Lists has disappeared from ESM!!! In fact "someone" (saw in security event log of my DC) who has the full exchange admin on the organisation has made an error and deleted the "All Address Lists", then he tried to recreate it

Re: [ActiveDir] Need Script.

2006-02-03 Thread Jitendra Kalyankar
If at all if you write a special invoice please make sure to give me some percentage in that! ;-) I have been marketing them whole heartedly! Sincerely, J On 2/3/06, joe [EMAIL PROTECTED] wrote: What I really need to do is start kicking out tools I charge for. :o) I wouldn't mind getting to a

[ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Frank Abagnale
Hi all, I have a question regarding Roaming Profiles. Our environment currently has 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines. I like the concept of roaming profiles,

RE: [ActiveDir] Need Script.

2006-02-03 Thread neil.ruston
LOL. I'd be a rich man if that ploy worked and MS et al gave me a cut each time I recommended their solutions. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar Sent: 03 February 2006 09:18 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Need

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Bahta, Nathaniel V Contractor NASIC/SCNA
Frank, Holy cow! Are you serious? 1GB profiles? Are you sure you don't mean Home Directories? Q) If you have a 265mb link and a 1GB profile and a 100 Mbps connection, how long does it take to download a profile during peak usage (i.e. first thing in the morning)? (I am in a Math 102 class

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Krenceski, William
I personally avoid roaming and mandatory roaming like the plague. One thing you can do is create a DFS Root for the profiles of the users that move around replicate to all of the sites that they visit. I would not recommend doing it for everyone else. I would actually stop using roaming for

RE: [ActiveDir] DNS vs NETBIOS name? Or something else?

2006-02-03 Thread Douglas M. Long
The Winlogon offers localmachine, DOMINT, and DOMAIN. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, February 02, 2006 2:51 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS vs NETBIOS name? Or something

[ActiveDir] My Docs Redirection

2006-02-03 Thread George Arezina
Hi all, Has anyone run into a similar problem with folder redirection? Let me explain the scenario. I have configured the domain policy to redirect my docs into the users' home folder, it works well and it's great because we perform nightly backups of the users' home folder and in this way

RE: [ActiveDir] distributing large service pack files

2006-02-03 Thread Rich Milburn
I'm not certain, but SQL 2005 Express (a.k.a. MSDE 2005), seems to be running faster than I'm used to MSDE running, for my test WSUS server. But I don't have a lot of clients on it, in fact I only have 4... but I don't see a performance hit on it at all. I heard it was faster... setting it up and

Re: [ActiveDir] My Docs Redirection

2006-02-03 Thread Mark Parris
If you have customised the IE browser you sometimes need a hotfix to get this working. Not able to give KB number at moment but the man from the Parks usually follows up with it. :-) Mark -Original Message- From: George Arezina [EMAIL PROTECTED] Date: Fri, 3 Feb 2006 14:55:33

[ActiveDir] DNS memory leak?

2006-02-03 Thread Rich Milburn
I'll preface this by saying this is on a lab server, not production, and I almost never do anything to it or with it, and it has been up and running (no reboots) for 7118156 or so seconds there is no urgency here W2K3, SP1, all available Hotfixes, AD (SFSD, 1 DC), DNS, SQLE2005, WSUS, 1

RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread Dean Wells
Is replication functioning? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of V Lakshmi Sent: Friday, February 03, 2006 12:44 AM To: [EMAIL PROTECTED];

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Molkentin, Steve
I too am a fan of local profile, but I do not think that directly addresses Frank's issues... A couple of jobs ago at a school we used roaming profiles exclusively - made sense in our scenario. There was still at least 3-4 staff on a bad day that needed their profile reconfig-ed (all

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Thommes, Michael M.
As just another piece of this, users sometimes just throw stuff on their desktop since they don't know any better or because that might be the first location that shows up during a save operation. The desktop is obviously included as part of the profile, leading to bloated sizes. Mike

RE: [ActiveDir] User Account Lifecyle -- Best Practices

2006-02-03 Thread Tim Sutton
I think, to become a proof you have to publish so many papers and be invited into the position by a university. Well, that's what a friend of mine who's a Doc in geology said anyway :) For Troup Bywaters + Anders Tim Sutton T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024

[ActiveDir] Script to determine a machine's site

2006-02-03 Thread neil.ruston
Does anyone have a script which can: - Interrogate the local machine for its IP address and mask - Determine the subnet which the machine resides in - Determine the site that corresponds to that subnet And all this must be possible on a

RE: [ActiveDir] My Docs Redirection

2006-02-03 Thread Shannon Coleman
User folder direction is a User Group Policy. Is it perhaps possible that your laptop users have a different policy from desktop users? Also laptops could be configured not to use offline files. Just a few things that come to mind. Shannon From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Presley, Steven
Have you looked at ATSN (http://www.joeware.net/win/free/tools/atsn.htm)? Not sure if it will work for a machine that is not a member of the domain though. But finding the local IP and then feeding it to ATSN should not be that big of a deal and

[ActiveDir] Transferring records from one ADAM server to a new ADAM server

2006-02-03 Thread Greg Nims
We are looking to transfer all of our records from one server to a new server. We took this time to clean up the schema to remove some dead attributes. What is a good way to transfer all the records? We used ldifde to create an LDIF file, but it includes a lot of attributes like PwdLastSet

RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread deji
Dean, I hope you don't mind me asking you this. If you do, please forgive me. I'll ask anyway :-p Considering that I work for a Microsoft Gold Partner (Unisys), what do I need to do to get into one of the internal trainings you do for MS folks? I know that MS was thinking about introducing an

[ActiveDir] Custom date/time attributes in AD/ADAM schema

2006-02-03 Thread Mr Oteece
Any recommendations out there for storing a custom timestamp in AD/ADAM? I created an attribute with the same syntax as the existing time formats (e.g. pwdLastSet), and I can recover the date/time easily enough in code. However, LDP doesn't show the new attribute as a date/time, just as the large

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells
Does this suffice - nltest /dsgetsite /server:domain FQDN Haven't tried anything of this kind myself under Wimpy so I'm uncertain of its suitability. -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From:

Re: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Danny
I agree... but what about OST files - Outlook cached mode. Is anyone excluding the OST from the roaming profile? If so, a new OST will need to be downloaded at each computer the user logs into. Most are 100-300MB. Which is the lesser evil. :) ...D On 2/3/06, Thommes, Michael M. [EMAIL

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Greene, Adam S
The function call DsAddressToSiteNames will take a dnsHostName and give you the site it belongs to. If you cannot implement that call, there are scripts out there that do a brute force query of AD for sites and subnets to get you the site name.

RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread Dean Wells
Hey Deji, Not at all. Hmmm ... I'm not certain how you, as a partner, would go about that. Were you an end-user with a TAM, I'd say simply start there. I thought you aware (but I'm guessing otherwise based on your question) that we're now able to deliver some of these classes externally

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Navroz Shariff
I would highly discourage against using cached mode for roaming profiles. Just imagine the network resources they would be hogging up when they log onto a different computer and not to mention HDD space. We definitely have disabled cached mode for roaming profiles. -Nav -Original

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Grillenmeier, Guido
hmm - this won't work with non-domain joined clients though... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Freitag, 3. Februar 2006 21:10 To: Send - AD mailing list Subject: RE: [ActiveDir] Script to determine a

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells
Indeed it does, that's what I ran it on ... -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, February 03, 2006 4:32

Re: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread Laura E. Hunter
Dean (actually one of his cohorts due to scheduling difficulties) taught one of said publicly-available courses for my office back in the fall. I highly (HIGHLY) recommend it. :-) - L On 2/3/06, Dean Wells [EMAIL PROTECTED] wrote: Hey Deji, Not at all. Hmmm ... I'm not certain how you,

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells
... to be clear, it does require that some level of credential first be established but, nonetheless, it functions. -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Grillenmeier, Guido
Dean, let me guess: the name + pw of the local administrator of your unjoined workstation and the target domain's local admin account + pw are the same, and you're logged on to the client as local admin... I get "DsGetSiteName failed: Status = 5

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Ulf B. Simon-Weidner
Hi Frank, with those large roaming profiles you need to 1. educate your users 2. question the use of roaming profiles In fact I've seen a lot of companies who tend to stick to local only profiles in the recent past. Roaming profiles are great - however I see them in infrastructures where

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells
Per my previous post, I'd forced some creds. down the target DCs throat prior to executing NLTEST ... and, no, my local creds. do not match those of the virtual domain in question ... 'cause that would be all kinds of just plain wrong :o) --Dean

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Grillenmeier, Guido
and pls. make use of redirecting your documents folder (and many other things as well, such as Desktop) to a server share. DFS is ok to use for many profile scenarios - but it won't be of much help if the profiles get too large (still needs to be loaded by the client, even if the source is now

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Frank Abagnale
Ulf everyone, thanks for your responses, roaming profiles are mandatory here, if we were to take this away, all hell would break loose. I guess educating them to store files elsewhere would be a good start. thanks Frank Ulf - you are not the first to mention Carl Hanratty, you won't

Re: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Just a friendly reminder to those supporting SBS servers... SBS servers do not get the benefit of the DFS upgrades in R2. Member servers can get the R2 bits but not the SBS/DC itself. (yeah yeah I know... we shouldn't be using as a file server in the first place...but ...hey) Grillenmeier,

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe
Yeah you could definitely get it to run but the /server switch is telling nltest to get the site for that machine specified, not for the machine running the command. So for instance, say I run that command against a couple of DCs in different sites

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe
Actually DsAddressToSiteNames will only take socket addresses (PSOCKET_ADDRESS, type AF_INET) to translate, the parameter that takes the dnshostname is the one to specify what DC you want to resolve the addresses to subnet/sites on. Actually the

RE: [ActiveDir] Custom date/time attributes in AD/ADAM schema

2006-02-03 Thread joe
FUN! The int8 attributes don't have anything to mark them as time stamps or time deltas, you have to hardcode the attribute names into the applications. That is how adfind does it for those and how LDP does it for those as well as GUIDs and other attributes[1]. In terms of working with

RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread joe
Yeah, that is the next question I would have asked. Sounds like the issues are bigger than that one thing. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Ulf B. Simon-Weidner
Sorry - wasn't sure if it's your real name. If I'd choose a fake name for a community yours is in the top10 ;-) Hope you don't mind. Ulf From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Friday, February 03, 2006 11:28 PM To:

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Bernard, Aric
Disabling the use of roaming profiles and instead requiring remote desktop is something I implemented at a customer. In their case, this satisfied the traveling user community given the alternatives they saw: a) waiting for the profile download and logon process to complete, b) buying

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells
Nod, have since learned that ... my apologies. I'm guessing there's a means of achieving that with nltest (or perhaps a few iterations and some output parsing). -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread deji
I don't have the script I wrote for this handy, but the logic I used is this: Get host's IP Address Split it into whatever subnet mask use in your subnet/site configurations. Do a CaseCase Else looking for a match. If you get a match, that computer is in that site. e.g. IP is

[ActiveDir] Getting better control over DHCP

2006-02-03 Thread Edwin
Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe
The difficulty with that is it only handles simple subnetting. If someone did something more complicated such as multi-sized subnet masks or supernetting and the logic would be very difficult to manage. Also obviously you would need to keep the script up to date with new subnet/site mods since it

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe
Yeah I have been looking at the parameters nltest has, I would expect it would be able to do this too but I am not seeing something to do it directly. As I sat here thinking of ways to do this in an unauth'ed manner I realized that a CLDAP ping

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Marc A. Mapplebeck
I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauth ppl will get a

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Edwin
Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said the network savvy person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed. If something like this is possible, I would like to have a more

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Marc A. Mapplebeck
Only other option would be to use managed switches and again, you would need MACs of all auth. machines as you would need to register each MAC for them to filter traffic. Unfortunately, other than that, not that easy. - Marc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Brian Desmond
You'd have to go with DHCP reservations for each Mac you want to authorize. Some of the NAC and NAP stuff that's starting to come out from MS and Cisco is also an option to consider. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED]

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread joe
There is nothing you can do around a DHCP server that will really help you as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in and turn on a sniffer and you start seeing enough traffic to figure out where to come up with a

Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Can't this be done with ...what is MS using? Is it Ipsec and smartcard authentication? You go to Redmond, stick in a rj45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet. joe wrote: There is nothing you can do around a DHCP server that will really

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread joe
Yeah that is the tunneling/vpn stuff I mentioned and pointed out wireless as an example. You can do that with your regular network stuff too. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Lucas, Bryan
Joe, From what I understand of MS NAP, it only helps if the machines belong to the domain, is that correct? It doesn't stop someone from plugging in and hard coding an IP. I get the impression it is designed to be used in conjunction with Cisco's CleanAccess product. Bryan Lucas

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Dean Wells
Microsoft uses 802.1x auth. I believe ... as do many. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, February

Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Actually I don't think it was as there's a security issue with 802.1x wired connections.. (wireless no, wired there's an issue that Slav and Steve Riley have discussed) Let me get a post Dean Wells wrote: Microsoft uses 802.1x auth. I believe ... as do many. -- Dean Wells

Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Yup not 802.1x for wired connections...wireless yes, but wired there's an issue. Mitigating the Threats of Rogue Machines—802.1X or IPsec? -- TechNet Column - Security Management - August 2005: http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx Article by the Blonde guy of

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Ken Schaefer
I was under the impression it was 802.1x. Your certificate is stored on the smartcard. Cheers Ken From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sat 2/4/2006 2:25 PM To:

Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Not that I was told.. not on a wired connection as there is a security issue (see the other post)...it's IPsec that I'm aware of. If the blue badges want to confirm or deny those links/info I'm sure one will chime in. I've also seen that when a blue badge goes to a different LAN (whatever

Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
IT's Showtime: http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=9 If I remember right in this webcast Steve Riley discusses the issues with a wired 802.1x implementation. Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Not that I was told.. not on a wired connection as

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Brian Puhl
At Microsoft we do not use 802.1x, so if you were to walk up to a port on our corporate network and plug in, you would get an IP and have access to some things. What we do instead is domain isolation via IPSec, which means that machines which are not joined to an MSIT managed domain (basically,