Thanks Guido (and others)
It looks like the UPN and/or domain\userid approach with user education is
going to be the way forward. It would be nice to collapse ForestB to a
single domain infrastructure, but it won't happen any time soon. :-)
Tony
-Original Message-
From: [EMAIL
For some reason, win SP2 and now our new win2003 SP1 w/ Citrix 4 servers
are changing all (not confirmed could just be most users) to
c:\windows\internet temp files
How can a script or GPO set them back to the standard c:\document and
settings\username\local settings\temp internet files
The problem with XP clients mapping
to the base of a share instead of the users folder can be solved by enabling
Computer Configuration\Administrative Templates\System\Scripts\Run logon
scripts synchronously. Depending on your environment you might also need
to enable Computer
Andrew, do you know of any documents that address this or
support your resolution? Where do you get your information
from?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 18, 2006 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re:
Title: root admin account able to be locked out?
Hi AD Gurus!
We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a
What is the adfind syntax that will extract all users in a
domain to a text file and contains the following field?
LastName, FirstName isDisabled
-Devon
---
This
MS KB 304970 addresses the need for
Always wait for the network at computer startup
and logon in conjunction with
Run logon scripts synchronously, and using
Run logon scripts synchronously comes from a forum post I read on the
mapping problem.
Bahta, Nathaniel
V CTR USAF NASIC/SCNA [EMAIL
Well, I've seen in our AD when it was W2K, the administrator account
was showing as locked in dsa.msc if you try too many incorrect auth
attempts. But I was still able to logon with it as expected. I didn't
check to see if any events were logged to indicate that it was.
I cannot repro your setup
Hey,
There's no isDisabled attribute that
I know of. You could run the adfind command below and use the userAccountControl
attribute to determine if the account is disabled or not.
adfind -b dc=yourdomain,dc=com -nodn -f
"(&(objectCategory=person)(objectClass=user))" givenName SN
My experience with this is
the default ADMINISTRATOR can be locked out (wait before shouting!)
what I mean is that if you have a lockout threshold of let's say 5, the
lockoutTime attribute will show the lockout date and time the account was
locked. In ADUC (using another custom admin
Cool. Wouldn't he need to run the bitwise query for every possible value
to make sure he gets all the accounts in the domain? Like account
disabled and password set to never expire?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent:
No that is what bitwise filters are all about, so you can focus in on just
the disabled bit which happens to be bit 1 which is value 2. So to find all
disabled users in a domain you do something like
adfind -default -bit -f
"(&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2))" -dn
Feature request: give me a way, in the attribute list, to specify
arbitrary text for output. E.g., in this case for disabled:
adfind -default -bit -f
"(&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2))"
-csv -nodn givenname sn text:disabled
-Original Message-
From: [EMAIL
Hello all,
I am at the point where I now have a smooth running Windows 2003 forest and
domain with the one exception of the UID attribute which I bypassed thanks to
the hidden ADPREP switch Steve informed me of.
So I am now attempting to go back and defunct this UID attribute so I can
Unless something else has extended the schema you should be able
to look at the definition in MSDN and find the classes it is used in: http://msdn.microsoft.com/library/default.asp?url=
in your case you only care about the 2003 classes since that is the version of
the schema that you
Also note you could use the schema documentation tool found
here: http://msdn.microsoft.com/library/default.asp?url=
if you feel that you may have a schema extension referring to this attribute as
well. Simply look at the containedIn field for UID.
Thanks,
-Steve
From: Steve
adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.
(&(objectcategory=classschema)(maycontain=uid))
The above tries to do a search for classes where the maycontain
attribute contains uid.
HTH
M@
On 7/19/06, WATSON, BEN
Ah, excellent. Thank you for a couple different search queries as an example.
That really helps me to have a better understanding of developing effective
search queries for the future.
From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Tue
Thank you Steve, those links are extremely helpful. Especially when trying to
find where an attribute is used at the various domain levels.
Thanks again,
~Ben
From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Tue 7/18/2006 8:37 PM
To:
19 matches