AdFind.exe -sddc++ -b DC=example,DC=com -resolvesids -f "|(objectcategory=container)(objectcategory=organizationalUnit)" > OU_ACL.txt
Thanks,
Andrew Fidel
Casey Robertson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/23/2007 05:41 PM
Please respond to
ActiveDir@mail.activedir.org
To
Domain Users is the Primary Group only by default, it can be changed. I
have been known to change it when I want to give an outside vendor access
to specific resources, but not to everything that Domain Users has rights
to. There might be some reason to change primary group, but still have a
XCACLS PATH /T > permissions.txt
Thanks,
Andrew Fidel
Tech QnA [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/02/2007 04:18 PM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
cc
Subject
[ActiveDir] how to list permissions applied to a directory tree
Nope, we haven't delegated the rights to anyone else. We are a single
forest farm that hasn't done a schema update with the current staff so I
doubt they even know what the groups are for. They saw that Administrator
was a member of those groups, didn't know what they were for, and said to
I would be careful about that:
Account Operators ...Members of this group can log on locally to domain
controllers in the domain and shut them down...
http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true
Andrew Fidel
Michael Miller
Very cool but you'd have to have one heck of a printer (plotter or
similar) to equal the one that came with the dead tree version =)
Thanks,
Andrew Fidel
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/19/2006 08:32 PM
Please respond to
I would say you do server things on the server with your admin ID and do
user stuff on your workstation with your workstation ID, so doing GP
editing on the workstation isn't best practice, but that's my point of
view =)
Thanks,
Andrew Fidel
Tim Vander Kooi [EMAIL PROTECTED]
Sent by:
If it's so well baked then how do you support multiple remote offices with
slow VPN links, or none at all? How do you support field users without a
VPN client, or using an SSL based VPN? Making us use two different images
(one for each key type) isn't a solution since it doubles our support
As per normal it's probably wrong. Intuit's developers AND support folks
are clueless when it comes to permissions. Their answer when I escalated a
case about Quickbooks 2006 Enterprise users needing Power User rights was
that they really just needed Full Control over HKCR! (The audacity of
Just for future reference the easiest way to identify where an object is
if you have a SID is to use adfind with the -binenc option:
adfind -binenc -b dc=FOO,dc=BAR -f objectSID=S-1-5-9
You'll find the full path to the object under objectCategory:
While the binenc option isn't strictly needed
VBScript is one of the available providers
for WSH, which is a scripting framework. JScript and VBScript are the two
languages supported out of the box by WSH, but Perl and other scripting languages
can plug into the framework. My number one resource for VBScript is the
Script Center
Start Diskpart
Select the disk and partition in question
Issue the Inactive command to clear the boot flag
Thanks,
Andrew Fidel
Albert Duro
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/06/2006 09:55 PM
Please respond to
ActiveDir@mail.activedir.org
To
You could always put NTLDR and associated files on
the drive and point it
at the primary HDD in boot.ini. Alternatively you could try removing the
bootable flag from the USB drive. This will simply save you from yourself
if you forget to remove the drive before rebooting remotely =)
http://www.joeware.net/win/free/tools/memberof.htm
I don't believe there's any built-in tool that will provide this information.
Thanks,
Andrew Fidel
Michael B Allen [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/25/2006 12:46 PM
Please respond to
ActiveDir@mail.activedir.org
To
Printmigrator 3.1 can move both user
and kernel mode drivers. If migrating to 2003 you can not install the kernel
mode drivers by default and will need to override a setting which printmigrator
will point you to. I strongly recommend NOT doing this as kernel mode drivers
are very likely to cause
I love standards, there's so many to pick from.
Andrew Fidel
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/17/2006 10:16 AM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
cc
Subject
RE: [ActiveDir] Separating Database and logs on separate
Susan,
I too have seen the situation where
a shutdown command issued through an RDP session fails to actually reboot
the computer.
One recent example has these two event
log entries:
The process Explorer.EXE has initiated
the restart of computer SERVER on behalf of user Domain\Local Admin UserID
Joe's OldCmp with the -onlydisabled
command line switch.
http://www.joeware.net/win/free/tools/oldcmp.htm
Thanks,
Andrew Fidel
Condra, Jerry W Mr
HP [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/16/2006 01:50 PM
Please respond to
ActiveDir@mail.activedir.org
To
This sounds a LOT like the XP problem
with asynchronous login script processing causing user home drives to map
to the root of the share rather than the users folder. Does this only happen
on XP clients or all clients?
Thanks,
Andrew Fidel
Mark Parris
[EMAIL PROTECTED]
Sent by: [EMAIL
Have you tried giving a test user traverse
folder or other benign rights at the level where Outlook gets stuck?
Andrew Fidel
Dan DeStefano
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/04/2006 09:01 PM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
build
a white box because anyone else uses crud parts era.
All hardware sucks, all software sucks,
all support sucks =)
That said, at least with the name brand
boys you have something resembling support and they generally have tools
that you can hobble your own support out of. Personally I
Hyena from Systemtools Software would
be my recommendation.
http://www.systemtools.com/hyena/
Thanks,
Andrew Fidel
Larry Wahlers [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2006 09:34 AM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
cc
Does the GUID used for a DC change when
the server is brought up through dcpromo, or does it remain the same as
the base OS install? That is, can I take the current GUID and use it to
prefill my static BIND records, or do I need to do the dcpromo and then
create the records?
Thanks,
Andrew Fidel
You are almost assuredly running into
the default return limit of 1000 items. AD queries will only return that
many items per query by default. In order to retrieve more information
you need to use paging. I personally use SQL style syntax because I know
SQL and that is what the MS script center
This brings up a very good point, HOW
is it checking the password length? As we pointed out earlier once the
hash is created there should not be a way to easily check the password
length.
Andrew Fidel
Paul Williams
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/07/2006 07:35 AM
Please
I hope this will be configurable, if
not in the GUI then through a registry key which is published in the MSKB,
Andrew Fidel
Steve Linehan
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/23/2006 10:37 PM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
And as LM configuration #6 from http://www.antsight.com/zsl/rainbowcrack/
shows it's trivial to crack ANY reasonable Windows password with length
14 characters unless LM hashes are turned off! (LM hashes are not stored
for passwords longer than 14 characters). Unfortunately if you have to
support
By using a high ASCII character from
table 1 in http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/03osinstl.mspx
Andrew Fidel
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/09/2006 11:52 AM
Please respond to
ActiveDir@mail.activedir.org
To
Do you have roaming profiles?
Andrew Fidel
Rimmerman, Russ
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/09/2006 02:29 PM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
cc
Subject
[ActiveDir] Computer bootup speeds
Is there any easy
From Tim Mangan's
whitepaper on hyperthreading under 2003:
The results in this paper are
exclusively related to Windows Server 2003. We are currently running the
tests used in the development of this paper under Server
2000. We can verify reports of performance
and stability problems with
We had a similar issue here(much more
frequently) and tracked it down to the WhatsUp process running under their
credentials and logging into the servers to check process state. Changed
the whatsup process to run under alternate credentials (duh) and the problem
went away. My guess would be
Hyena from http://www.systemtools.com/
is a great tool for doing this, in fact it can do a lot more =)
We use it for compliance reporting,
we build up reports including folder ACL's, local group membership, and
AD group membership including nested group membership. It has some pretty
powerful
To disable cached credentials, simply alter the appropriate
GPOs so that every system in the environment has the Computer Configuration,
Windows Settings, Local Policies, Security Options control of Interactive
Logon: Number of previous logons to cache (in case domain controller is
not available) to
Personally I like to find a good
tool if it makes my life easier. In the area of user/group reporting one
such tool is Hyena from Systemtools.com. I'm not sure how (in)efficient
its LDAP queries are when it's asked for nested group membership but I've
never had to run it against an AD
For this and other reasons I like to
use the .ad or .ads TLD for my active directory.
Andrew Fidel
Almeida Pinto, Jorge
de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/21/2006 06:43 AM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
cc
Subject
The problem with XP clients mapping
to the base of a share instead of the users folder can be solved by enabling
Computer Configuration\Administrative Templates\System\Scripts\Run logon
scripts synchronously. Depending on your environment you might also need
to enable Computer
MS KB 304970 addresses the need for
Always wait for the network at computer startup
and logon in conjunction with
Run logon scripts synchronously, and using
Run logon scripts synchronously comes from a forum post I read on the
mapping problem.
Bahta, Nathaniel
V CTR USAF NASIC/SCNA [EMAIL
Yeah except the fact that thin clients
have about twice the useful life, are less prone to failure by virtue of
having no moving parts, and use a fraction of the power. There's still
a TCO argument to be made, but the initial outlay argument is gone.
Andrew Fidel
Matt Hargraves
[EMAIL
I think you'd be doing yourself a favor
to at least look into Quest Software's tools including Migration Manager
for Active Directory. While I haven't used that particular tool I have
used several of their other tools including their Domain Migration Wizard
to move from NT4 to 2000/2003 with much
I was hoping a quick google search of
MS's site would yield the answer from on high (as managers see it anyways)
and instead I got this :
Note: The
Physical Security item in the following graphic does not have
a corresponding section in this chapter recommending resources on the topic;
Microsoft
T-1 is fine speedwise, and unless you
have things locked down hardcore they can login to their local workstation
with cached credentials and access most shared resources (and what resources
would be available anyways if the line went down, doesn't sound like they
have a server currently).
Andrew
For services I use:
net view to enumerate all machines,
process with a little batch processing to clean out the description field
services.exe from http://wettberg.home.texas.net/services.htm
grep32, use unique to get a list of
computers using the account or don't to get every service using the
I'm trying to transform this:
' sADPath is assumed to hold the single-quoted LDAP base, e.g. 'LDAP://DC=example,DC=com'
objCommand.CommandText = "SELECT Name, ADsPath FROM " & sADPath & _
    " WHERE objectCategory='organizationalUnit' ORDER BY Name"
into this using the LDAP OR syntax from
MS's scripting site:
objCommand.CommandText = "SELECT Name, ADsPath FROM " & sADPath & _
Thanks for the input, I ended up finally
figuring it out. The correct format is
objCommand.CommandText = "SELECT Name, ADsPath FROM " & sADPath & _
    " WHERE objectCategory='organizationalUnit' OR objectCategory='container' AND Name='Users' ORDER BY Name"
The AND is evaluated before the OR
so
44 matches