Hi Oliver,
First of all the receptionist needs to be delegated the rights to reset
users' passwords, as well as being made aware of the consequences (local
credential cache of the users f.e.).
To reset the password you can use commands like net user username password
/domain or you can use
I do not have first hand experience with it but have been speaking to some
very trusted friends who have been trying to implement it and pretty much
anything they say I would take as if I saw it myself. From what I hear there
are some odd ACEs added to the ACLs (I believe at the NC Head level)
Net user command only works if you have full admin rights. I've google'd
till 2am this morning, haven't found any free script that doesn't use
the DN.
Can't use ADUC as I'm afraid that, if they see what info they *could*
change, that it will snowball and they will want to change it all. The
whole
Title: RE: [ActiveDir] Extending the schema
...what joe said, but also test the app thoroughly and
document its issues so that you can then perform a CYA job back to those asking
for the product and to your own boss :)
This is par for the course in the world of IT - we are
often forced to
Delegate the ability to reset password to your helpdesk lady.
Then grab http://www.rlmueller.net/Programs/ResetPassword.txt
Clean that up, put it behind an asp page that requires authentication. Give
your helpdesk lady access to the page and show her how to use it.
Sincerely,
Or you can apply a WMI Filter to the User GPO such that it runs if the
device does not have a particular service, chassis type, etc.
Many thanks,
Simon Clayton | Principal Consultant
Technology Infrastructure Practice
Avanade UK Ltd | Leeds Office
2nd Floor, 1 City Square, Leeds, LS1 2ES
Tel: +44
Hmmm interesting. It certainly does what it says on the tin.
Don't suppose you know how to create an 8 character alphanumeric random
string of characters do you ?
Thanks
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April
How about using lockoutstatus.exe? It's no script tool but is sure easy to use.
M@
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Google is a wonderful thing :)
http://www.dotnetjunkies.com/Tutorial/1A07BA3D-72EC-41E8-9713-557B9189F820.dcik
neil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: 12 April 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: RE:
Thanks, but I have absolutely no idea how to apply that to the asp
script I have here :S
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 April 2006 10:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing a users
Dear all, needing to seek further assistance on OU delegations.
We have applied a delegation using the custom delegation wizard;
Create / Delete computer object
this works fine and dandy in the context of creating and deleting computer
objects
in the container and its sub-containers.
however
Title: AD replication compression algorithms
Scenario:
Lots of poorly connected branch offices (as low as 64kbps)
Requirement:
Deploy a global AD replication topology which minimises WAN bandwidth usage
Suggestion:
Deploy a standard DC build (hardware and OS)
Revert to w2k legacy
We no longer have any servers in the default-first-site-name site; should I
delete that site? I hadn't really thought it mattered until I was looking at
the latency figures with repadmin (shown below for one server). Does it matter
that no replication has taken place to a site without servers?
Title: AD replication compression algorithms
I've
never thoroughly tested it having not encountered perf. issues with the now
legacy MSZIP algorithm nor have I seen any published stats. from MS outlining
tangible differences on shrink-wrapped hardware. I'd suggest running
through a few
Title: AD replication compression algorithms
Thanks Dean.
In fact technet article http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx does
offer some "stats", which led me to wonder why this change was made and what
experiences other
Title: AD replication compression algorithms
Thanks
for the URL ...
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 9:49 AM
To:
Thanks; that's what I expected but I wanted to check before I deleted something
crucial :-)
Steve
From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Wed 12/04/2006 14:27
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting default-first-site-name
Any ideas?
NTFS compression isn't turned on. Maybe an impending drive failure?
Internal event: Active Directory could not update the following object
with changes received from the following source domain controller. This
is because an error occurred during the application of the changes to
OK here is a question that will show my lack of AD knowledge:
If you promote a new domain controller and no subnet association exists,
doesn't that domain controller default to the default-first-site?
I know it makes sense to create a new site, assign a subnet to that site
but
..
If that
No, IIRC it defaults to the site of the DC from which the directory was
sourced.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Daniel Gilbert
Sent: Wednesday,
Why not just create a custom MMC in author mode that only allows ADUC to set
password, nothing else. It is possible to do. - Marc
_-_-_-_-_-_-_-_-_-
-During times of universal deceit, telling the truth becomes a
revolutionary act. - George Orwell, 1984
_-_-_-_-_-_-_-_-_-
Marc A. Mapplebeck,
Function generatePassword( allowNumbers )
NUMLOWER= 48 ' 48 = 0
NUMUPPER= 57 ' 57 = 9
LOWERBOUND = 65 ' 65 = A
UPPERBOUND = 90 ' 90 = Z
LOWERBOUND1 = 97 ' 97 = a
UPPERBOUND1 = 122 ' 122 = z
PASSWORD_LENGTH = 10
' initialize the random number generator
Randomize()
UserPass
Title: RE: [ActiveDir] Extending the schema
A lot of the complexity comes from having
multiple domains. If you have a simple forest with a single domain, then it's
doable but ugly. As you scale up the complexity of your forest, if you insist
on having users from each domain, then you have
Hi all
We had removed an old DC using metadata cleanup. However, I still see errors
referring to the removed DC in the event logs of the current DCs. Digging
through ADSI Edit, I found the old DC in CN=System, CN=File Replication Service,
CN=Domain System Volume (SYSvol share). I believe
My friends, I need a little help
How can I grant a user, rights to join computers
in my domain?
I don't want any other right just that.
what is the best way to do that?
I tried to delegate right on computers object
create object.
is that right?
adriao ramos
Go ahead and delete it. Delete it in Sites and Services as well as in the
Domain Controllers OU if it's still there. Then look for traces of it in your
DNS zone and nuke any reference to it.
Sincerely,
If you look at the
Microsoft document on Metadata cleanup it states this as a step:
Use ADSIEdit to delete the FRS member object. To do this,
follow these steps:
a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
b.
Thank you very much. Right after I sent this - I
reread the document. I guess this was a "DUH" moment!
Thanks
Russ
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Wednesday, April 12, 2006 4:31 PM
To:
Hello,
I got a discussion with a consultant who was hired to deploy a new corporate domain (Win2003) structure.
We have right now a domain running on Windows 2000 (Active Directory 2000), I created a logical OU structure in the domain controller according to all the departments we have in the
The consultant may have been referring to the number of GPOs that you are
attaching to the OUs. The more GPOs that have to be processed, the longer the
login time.
OU design is really a matter of preferences, IMO.
Sincerely,
The OU
structure and depth does not directly influence logon time (AD hierarchy is in
fact something of a simulation). Hierarchy can influence login performance
only when nested sufficiently deeply and with a large number of linked GPOs at
each or most of the superior OUs, a choice made by
Smack myself every time I accidentally click the little expand
thing in their browser since it's a single threaded GUI. They have a
manually punch in the server name box.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Your consultant is smoking something. OU depth has nothing to do
with logon time (although I have seen recommendations to keep it like under 5
or 7 depth as a matter of design practice). The number of group policies the
client has to process will of course affect logon time (and if you
What? BE has a manual input box for the machine name? Trying to figure out why I'd want to use the browser in the first place then.
On 4/12/06, Brian Desmond [EMAIL PROTECTED] wrote:
Smack myself every time I accidentally click the little expand thing in their browser since it's a single
Because it caters largely to the smaller operations crowd where
it's useful for those folks I think.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 12, 2006 7:32
Return Receipt
Your document: [ActiveDir] Domain System Volume
was received by: Justin Leney/US/DCI
at: 04/12/2006 07:56:53 PM
This
You could do what Bryan mentioned by adjusting the ACL of the required
folder under the security tab.
-Shariff
On 4/11/06 4:12 PM, Brian Desmond [EMAIL PROTECTED] wrote:
Yes. Give them the right to Create Files/Write Data but not modify or
delete.
Thanks,
Brian Desmond
[EMAIL
That is incorrect. I have chased this code path a couple of
times in the Windows source and from other obvious logical reasons the hierarchy
will not impact auth timings - read the book in the signature for more info on
that as I specifically call this fallacy out.
The issue is with the
Title: RE: [ActiveDir] Extending the schema
I have found coughing politely and bumping a hardcopy of
the document/email/memo their direction has the best "told you so" effect...
:o)
Several years ago I wrote up a quick document about
EMC Celerras and the problems we were going to hit based
http://www.activedir.org/article.aspx?aid=84
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 12, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject:
To find a user
adfind -sc u:X -dn
Where X is the user's SAM name or cn.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Tuesday,
Full admin or Account Operator is what the NET API requires. Doesn't work
with delegated rights.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
That has got to be one of the longest signature blocks of all time...
Hopefully that is only stamped on mail going outside of the org, hate to
have all of that bunched up in my Exchange DBs for all daily mail... ;)
--
O'Reilly Active Directory Third Edition -
HAHAHAHAHA ha ha ha ah Yeah. Smack.
I concur with Dean, this will be fine from an AD perspective, certainly
nothing special about it. Some people rename it, some people delete it. The
only time it is special is when it is the only one. :)
--
O'Reilly Active Directory Third Edition -
I would certainly be a trifle concerned about disk...
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, April 12, 2006 11:46 AM
To:
http://blog.joeware.net/2005/07/17/48/
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, April 12, 2006 5:42 AM
To:
How did that work out for you?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, April 05, 2006 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Title: RE: [ActiveDir] Deleting "default-first-site-name" site
just curious, if this is deleted - where would a new dc
with no subnet mapping be dropped to
Thank you and have a splendid
day!
Kind Regards,
Freddy Hartono
Group Support
Engineer
InternationalSOS Pte Ltd
mail:
[EMAIL
Title: RE: [ActiveDir] Deleting "default-first-site-name" site
I
think you must have missed the answer in the follow-up reply ... that response
contained -
paste
No, IIRC it defaults to the site of the DC from which the
directory was sourced.
/paste
...
let me know if that doesn't cover
Mike-
Did you ever get any resolution on this or more info?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 20, 2006 7:14 PM
To: