Remote Control permissions prompt Options
Hi,
I have a terminal server user. See print screen below
http://www.box.net/shared/agdpk5n48s
in AD the Enable remote control is enabled and the require user's permission
is not checked (i.e disabled).
Yet, I get prompted for the user's password when I try to remote control a
user.
Is there another place that one needs to change the settings?
Thanks
Automatically Adding Domain Groups into Local Administrators group
By default when a computer is added to a domain the domain admin group is
added to the local computers administrators group. I would like to
automatically add my IT support group to the local computers administrators
group. Is there a way to do this before and/or after joining a computer to a
domain without having to manually touch each and every computer to do a
manual add??
It appears that in group policy restricted groups would be the place but I
can't figure out how to enter or designate the local administrators group so
then I could stick in the domain\group inside it.
Thanks Much,
Charles
Group Policy and Domain Type Problem
Hi everybody,
We're having a problem on our Active Directory, we can not edit GPOs which
have been defined previously including Default Domain Policy and Default
Domain Controllers Policy as well. When we try to edit it, it says;
"Failed to open the group policy object. You may not have appropriate rights."
Detail:
"The system can not find the path specified."
Then, we try to change the security settings of related GPO , we remove some
and add another, finally when we try to Apply or click Ok, then it says;
"Unable to save permission changes on {....-.....-......-......}"
"The system can not find the file specified."
We can create new GPOs and edit them successfully, there is nothing wrong
with the new created ones.
We're using administrator account to try all of them above..
Thanks in advance..
Server share login
I have added a W2003R2 domain controller to our network. A new share has
been created on the server. When I attempt to browse to the share, clicking
on the server asks for my user name and password (which will work OK). Any
of the other shares on the network do not require entering username/password.
So apparently, when you browse to a share it normally automatically
authenticates but for some reason it doesn't on this server. Does anyone have
any ideas of what I am missing here?
--
Regards
Thomas
2003 CA in a 2008 Mixed Mode Domain
Can a 2003 Enterprise Root CA exist in a 2008 Mixed Mode Domain? We
currently are running our Active Directory Domain in Windows 2003 Native
Mode and have 2003 CA's in place. We are looking to upgrade to introduce a
couple of Windows 2008 Domain Controllers into our existing domain. In the
2008 mixed mode can a 2003 Enterprise Root CA still function or does it need
to be migrated to 2008?
Tim Humphrey
DNS server issue
Hi
Site: Windows 2003 SP2 DC, DNS, DHCP
Client : Win XP SP2
I configured the DNS server on the DC and afterward, for some reason, I
changed the DC name (like from skb.com to sk.com). So I promoted the DC and it's
working fine with all components.
But I got a repeated error in the DNS server eventvwr:
"The DNS server was unable to open zone _msdcs.SKB.COM in the Active
Directory from the application directory partition ForestDnsZones.SKB.COM.
This DNS server is configured to obtain and use information from the
directory for this zone and is unable to load the zone without it. Check that
the Active Directory is functioning properly and reload the zone. The event
data is the error code."
I am not using the skb.com DNS server right now.
How can I solve this? The Event ID is: 4007
Rajaguru
DHCP Dynamic updates issue
Hi
my site: windows 2003 SP2 DC, DNS, DHCP
ip range: 192.168.1.1 - 192.168.1.250 / 255.255.255.0
ip exclusion : 192.168.1.1 to 192.168.1.25
my client machines are : windows XP SP3.
Suddenly I noticed the DNS records are not updated in the DNS server. The
DHCP server leased IP addresses to the clients. In DHCP the icons of the
computers have a pencil in them, which means "Active lease, DNS dynamic update
pending. This address is not available for lease by the DHCP server"
I have enabled "Always dynamically update DNS A and PTR records" in the DNS
tab of DHCP properties.
What does it mean? How to solve this?
Help me out.
Rajaguru
LDAP search on multiple forest
Hi
I have two forests and each has a single domain (a.com and b.com).
Both are trusted.
a.com has a user a@a.com.
b.com has a user b@b.com
When I connect using LDP tool to the GC of a.com, I can bind and
authenticate as a@a.com.
I can also bind and authenticate as b@b.com.
But I could get LDAP attributes only for a@a.com.
How can I get the LDAP attributes (say mail or proxyAddresses) for
b@b.com?
What should be the search query?
Thanks.
UNT,
Jag
windows server events
Hi all,
Can anyone tell me the name of any site where all the events generated in
Windows Server 2003 Event Viewer can be found with solutions (like event ID
and solution), so I can save my time and increase productivity?
A site that contains only events, causes and solutions.
group policy
Hi all,
We are using a Win 2003 SBS environment. I applied one group policy for the
whole domain to block USB access and CD/DVD read/write access, but my policy is
not working.
Steps to apply the USB block template:
Add the template in admin templates in user configuration, e.g. usb.adm, and
applied this as group policy.
Rpc in unavailable
Hi all,
We are using Server 2003 SBS. I have one DC and ADC. Last week I restored
the system state backup on the DC. The DC and ADC are running fine, but when I click on
replicate now on nts setting for replication, the action shows that the RPC server
is unavailable.
And one more thing: when I tried to raise the function level of my domain it also
shows an error that the RPC server is unavailable.
Add/Remove Self As Member Permission
Hello There...
I have a global group named "My Enterprise Admin" which is a member of
Domain Admin in AD.
I created another group named "Admin Manger Enterprise".
I added Admin Manger Enterprise in the security tab of the "My Enterprise
Admin" group and assigned the Add/Remove self as a member permission.
After an hour this group is removed from the permission.
And I found the following in the event log:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 641
Date: 6/16/2008
Time: 1:26:35 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: VBURDWDEVDC02
Description:
Security Enabled Global Group Changed:
Target Account Name: Admin Manger Enterprise
Target Domain: POWER
Target Account ID: POWER\Domain Admins
Caller User Name: DC0001$
Caller Domain: POWER
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Sid History: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
I tried again and same issue...
With investigation, I found that I am not able to assign any group
"add/remove self as a member" permission to a group which is a member
of Domain Admin or Enterprise Admin.
Can anyone help me find a solution for this?
Regards,
Avi
Active directory problem!!
Single windows 2003 active directory domain, two domain controllers. One
domain controller hosts network attached storage (NAS)and the other hosts
exchange 2007 . One of the disks of NAS has been damaged and the domain
controller had to be taken off the network. When this domain controller is
turned off, despite the presence of other domain controller, active
directory cannot be found. I have transferred RID,operations master, PDC,
infrastructure and schema roles to the one with the exchange 2007, but still
cannot see the active directory when the first one is turned off. It also
has the active directory integrated DNS installed and configured.
Can anyone help me with this one?
Active Directory woes... please help!
Well, I have just restored my PDC and BDC from Norton Ghost disk backup
made late last year (so more than 6 months ago).
Now, the DCs won't replicate.
repadmin /options [PDC_Host_Name]
Current DC Options: IS_GC
repadmin /options [BDC_Host_Name]
Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
When I run repadmin /options [BDC_Host_Name] -DISABLE_OUTBOUND_REPL
-DISABLE_INBOUND_REPL, replication fails and the BDC goes back to being
IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL.
I tried removing the BDC, but that fails because the DCs cannot
replicate.
Talk about an impasse!
What can I do to fix this?
Thanks
--
spectde
WAN to WAN
I currently have an active directory at my W2k3 LAN. I need to setup a 2nd
LAN, that all of my users will have access to with their current accounts. I
want to keep the active directories synchronized at all times, but these LANs
are separated by a few hundred miles. I suppose I can export the directory to
set the initial seed, but what best practice techniques are available to keep
the directories in sync? Is there an automated method to this? Will the data
on the wire be encrypted?
Thanks in advance.
Changing IP Subnet?
I've had problems over the past 6 years that were caused by the original
"consultants" who set up the primary subnet to be 192.168.1.nnn. An
obvious problem is connecting a user's personal computer (on a router)
to our network using a VPN. We have to get the user's router
reconfigured to a different subnet since most default to the same one.
I'm curious as to what it would take to change our internal IP subnet
to something different. Any thoughts as to what would be impacted would
be appreciated. I'm not likely to do it, but it might help explain why
we don't do it....
--
Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
Moving a DC
I have three functioning DCs in our domain. We have 2 locations (Hyde
Park & Kingston). Each has its own subnet (HP = 192.168.1.nnn & Kingston
= 192.168.100.nnn). The sites are connected via a point to point T1.
Each site has a router.
The DC I want to move (HOSPICEDC3) currently has an IP address of
192.168.1.113. I want to move it to the KGN subnet, changing the IP to
192.168.100.113.
I have a site defined as "Kingston" on the domain (currently W2K)
waiting for a DC. Everything is currently in the default (HP) site.
I'm interested in a step by step procedure for moving this server. A
link would be great. I have a pretty good idea what to do, but I'm anal
about understanding what needs to be done before I take step one.
Also, what (if anything) do I need to do to make HOSPICEDC3 the
preferred DC for users in Kingston?
As usual, TIA.....
--
Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
Best practice for disabling accounts after user left? (But returning)
Hi,
What is the best practice for:
When a user works at the company for 1 year or more. They then leave for a
year.
(Possible reasons include maternity leave, uni study for one year, etc etc).
They will then return as full time staff again.
What is best practice to do with their accounts?
Set to disabled for the year? Leave share permissions.
Set to disabled for a few months then delete account and all share
permissions.
Delete account straight away.
How does this work with the mailbox? Does setting the account to disabled
stop them from receiving all the e-mails? (Exchange 2003 here).
Obviously a year's worth of e-mails would be quite a lot and would not be
needed. Do you therefore stop this somehow?
Look forward to hearing what you do,
Thanks
How to upgrade windows 2000 domain controller to windows 2008?
We are running a simple domain controller on windows 2000 and have a
second server that is windows 2000 (backup domain controller) that
also runs our exchange server (very old version, 5.5).
For us, this is a "once in five year" upgrade. We only do it because
all of this technology is becoming end of life.
I have been instructed to upgrade our domain controllers to windows
2008 and install the latest exchange server and upgrade that.
So first things first, what I want to know is, what is the best path
for this? We have about 100 exchange users (so 100 users in active
directory).
Do I:
1. upgrade the domain controllers to windows 2008, have the exchange
server (running 5.5 and windows 2000) use this upgraded domain
OR
2. install a fresh domain and fresh exchange server and manually add
all the users
OR
3. is there a middle ground somewhere here?
my concerns:
If I upgrade to a 2008 domain and I make a mistake and can not attach
the windows2000/exchange5.5 server to the new domain, then I am in big
trouble because our mail servers will then be dead. has the domain
controller technology evolved that this can be an issue or will the
windows2000 server work just fine if i upgrade the domain?
What are the steps? I have googled for detailed instructions and can
not find any. Does someone have detailed instructions on how I will
do this? What happens to the servers that are pointing to the Windows
2000 DC, do they just continue to run and point to the new DC or do
they need to be rebooted or reconfigured? We still have a lot of
windows 2000 servers that are destined to be upgraded as well.
Thanks
I think I need URGENT HELP on trusting domains
Scenario is:
Local Win2k3 domain and WAN domain in different forest .Trusted
I made a mistake instead of migrating I created users and machines from
scratch on the WAN domain(Users should anyway be different from the local
domain)
I removed each machine from the local domain and joined to the wan domain.
I can logon to the WAN domain and I may even use shared resources from local
but when I logon I don't see the local domain as possibility as was at the
beginning of the trust.
What may happen (if the WAN link go down i.e )
TIA
Hiding the domain name from new company
We are due to merge with another company, and due to us having a
more complex AD structure we are bringing the new domain into our AD.
We want to try and hide our domain.com from the end users of the new
company and ours and show a newdom.com (its a bit sensitive as the CEO
does not want the users to feel that they now all belong to old
domain.com).
I have created a new Domain suffix newdom.com so new and migrated
users have this account, but on its own this is not enough.
Is there a way to alias the domain? I did hear about a DNAME in DNS,
but cannot find any real info or if it will hide or alias my existing
domain.
There are other complications in the form of an extensive DFS
namespace but i will post that in the relevant group, but i need
something that will also alias the DFS.
regards
Phil
effect of domain upgrade to certificate authority and RRAS
one of our domains is due to be upgraded to w2k3:
- the domain has two DCs both running windows 2000 SP4;
- one member server(windows 2000 SP4) running RRAS and certificate
authority, also used as VPN server.
question - can this member server continue to operate as RRAS if a third
w2k3 DC is added during the upgrade or should RRAS and certificate authority
be upgraded as well to w2k3?
Thanks in advance for your help
Reporting Hierarchy
I am trying to reproduce functionality that is available on our company's
intranet web site: To traverse the reporting hierarchy.
On our web site, a "manager" manages a single group at every level of the
tree. (i.e. each person has one and only 1 manager. each mgr manages
exactly one dept.).
Has anyone seen .NET code for displaying the *reporting* hierarchy using a
treeview display?
Perhaps the 1:1 rule above is not standard and this is the reason I can't
find code to do this. Usually codeproject.com has everything
Anyone see anything like this?
Key Management Servers
Is it recommended to install Key Management Server [KMS] for activating
Vista & Server 2008 on domain controllers? Typically, it's best to avoid
piggy-backing any services on domain controllers, so I was just curious.
Any help is appreciated.
Tim
domain controller can not be recognized as domain controller
Hi all,
The domain controller of the root domain has crashed. I do not know how
long it has been down. Finally, I rebooted the server and it came online. I
tried to add the second domain controller but cannot. Then I tried to join
the PC to this domain and cannot, with no domain controller found. I got
these events in the directory services: event id 1645 with source NTDS
replication, event id 1126 with source global catalog,.... I ran dcdiag and
the fsmo check failed.
Is there a way I can make this domain controller recognized by this domain
without wiping out everything? (windows 2003 R2 SP2)
Migrate ADAM instance to new domain and don't lose info
I have an issue that seems a little tricky. We are having to migrate
our servers to a new domain, and for this we are using the NetIQ DMA tool,
which works great. However, we also use the Passlogix SSO application, which
stores users' credentials in an ADAM instance. We are trying to make
this migration appear invisible to the desktop user, and for this to
happen, the old ADAM instance would have to have all its DACLs updated
to allow access for the user ID in the new domain (user IDs are not
changing, only domain membership), and we think we need to update the
ADAM schema of that instance to remove the old domain and insert the new
one.
Is this even realistically possible, or just wishful thinking?
Thanks
Patrick
--
dragon3085
machine authentications vs user authentication - NEWBIE
Hello, sorry if my English is bad spelled.
I am learning all about Windows server 2003. I am new to this but I am OK
at networking. I have set up a small network of 1 server 2003 (running AD,
DNS and DHCP on the same box). I also have two XP clients. Everything seems
to work OK but I am wondering why...??
I thought I would have to authenticate the XP machines first of all.
However, I have found that I do not need to. When one of the clients tries
to join the domain, I can type in any name as the system name and when the
login box pops up, as long as I enter admin credentials the machine is
welcomed to the network. Why? Why don't I have to set up the machine under
the active directory "computers" first? i.e. why is the machine itself not
authenticated?
I then log in as a user. This is all ok. However, when I first log in as
the user, would the machine have been authenticated first at boot up time?
Or is this where dot1x comes in?
Any user can log in from any machine right? Can this be tied down? So that
user dave can only log in from machine A but not machine B? I am a bit
confused...
Any walkthrough docs on this guys?
Thanks, Steve
Defragmenting Client PCs Windows 2003 server
We want to set up disk defragmentation of our client machines from active
directory for Windows 2003 server. Does microsoft have an add in to do this?
I don't want to spend the money for diskeeper if Microsoft already had an
adm or other way of doing this.
Thanks.
--
Valerie
SYSVOL not replicating
Hi there,
I have a problem with my domain controllers.
I have two, dep-s-dc(Win 2k3 Ent) and dep-s-004(Win 2k8 Ent)
dep-s-dc was our main server when the company started out and as such hosted
nearly everything, DNS, DHCP, Exchange, AD and DC
Over time we have got bigger and bought more servers. I installed dep-s-004
as a secondary domain controller. Recently we have had problems with dep-s-dc
and it was looking bad so I moved the FSMO roles to dep-s-004 making this the
primary. All roles were transferred without problems.
I have now noticed however that new clients when logging on take an age to
populate the domain list. Also group policy has stopped working. When you
click on a policy you get the following message "The network name cannot be
found". You get this message on dep-s-dc and dep-s-004. There are also errors
relating to NTfrs in the event logs on both machines.
I have done a lot of research and can't seem to pinpoint the error.
Replication does seem to be working. If I create an account on dep-s-004 and
check dep-s-dc it appears. ping and nslookup are ok between the two servers.
It just seems to be the sysvol and netlogon that are not being replicated.
they are on dep-s-dc but not on dep-s-004
How can I solve this?
AD Home Folder
We were having problems with performance for some Citrix users. After
removing the home folder settings on their AD account their performance
improved drastically.
Now I realize this may be a very basic question but I really can't seem to
find anything about this. What exactly does the home folder setting do, and
why would it impact user performance?
Thanks in advance!
Password Length
I have changed the password length from min 6 characters to 8 characters, but
somehow it is not working; I can set a password of 6 characters. Can someone
guide what needs to be checked and where to enforce this policy...
Domain Controller Reinstall
I have a domain controller which has Enterprise edition win2k3
installed. I need to reinstall it with win2k3 r2. It has WINS, DHCP, DNS
installed. Can anyone suggest a method wherein I can reinstall without
impacting the environment or users? A step by step method is what is required.
Help will be appreciated in this...
Property sheet not visible when using Find in ADUC
Hello,
I have made a property sheet extensions for ADUC, which shows some
data from MIIS.
Everything is fine and my property sheets are visible for Users and
Groups when using browser in ADUC,
but when I use Find from ADUC context menu and search for the same
Users or Groups to see their properties,
my property sheet is missing.
This is how it looks using ADUC browser (MIIS tab is visible)
http://img179.imageshack.us/img179/1627/usingbrowseree0.png
This is how it looks using ADUC Find (MIIS tab is not visible)
http://img340.imageshack.us/img340/3456/usingfindzu3.png
Do you have any ideas?
Regards
Slow authentication and GPO processing for remote site without DC
Need some advice, we are running a single forest, single domain on our Active
Directory.
Recently we noticed our workstation logins take a very long time at our site
that does not have a Domain controller.
From our investigation, the workstation seems to randomly select any
available DC for its login process including the GPO; this has become a
problem when the workstation tries to connect to a DC that is very far away.
I am trying to look for a solution on the net on how to force a particular
site to use a dedicated remote DC, with no luck in getting a solution. I would
appreciate it if someone could shed some light here ...
rgds,
Change a field-label in the GUI "Active Directory users and comput
I would like to change a field-label in the GUI "Active Directory users and
computers".
For example:
Changing the label "Pager:" to "Short-dial No.:". In Exchange you can modify
the address templates in the system manager. Is there something similar in AD?
Thank you in advance for any help,
Simmix
--
stephan.simmen -at- martiag.ch
Berne, Switzerland
Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization
Hello,
I'm playing around with my first 2008 server setup. So far the only role
I've added was AD. It is in a new domain (not a production environment)
and is the sole server. It automatically installs DNS during the process.
After the AD wizard ran it rebooted and I see this error along with a few
others in the server manager under the ad role.
The name of my local area domain is abc.lan
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 6/12/2008 4:00:54 PM
Event ID: 1463
Task Category: Internal Configuration
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: ABC-6700.abc.lan
Description:
Active Directory Domain Services has detected and deleted some possibly
corrupted indices as part of initialization.
These deleted indices will be rebuilt.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService"
Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General"
/>
<EventID Qualifiers="32768">1463</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2008-06-12T23:00:54.603Z" />
<EventRecordID>48</EventRecordID>
<Correlation />
<Execution ProcessID="696" ThreadID="6488" />
<Channel>Directory Service</Channel>
<Computer>ABC-6700.abc.lan</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
</EventData>
</Event>
The local domain controller could not connect with - 2008
Hello,
I'm playing around with my first 2008 server setup. So far the only role
I've added was AD. It is in a new domain (not a production environment)
and is the sole server. It automatically installs DNS during the process.
After the AD wizard ran it rebooted and I see this error along with a few
others in the server manager under the ad role.
The name of my local area domain is abc.lan
The local domain controller could not connect with the following domain
controller hosting the following directory partition to resolve
distinguished names.
Domain controller:
Directory partition:
abc.lan
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200d50
AD users export
I need to export the usernames of an AD server to put in a spreadsheet. I'm
having some difficulties using the command ldifde. How can I use this command
to export the whole list of users and groups to a file?
2003 Active Directory Services and 2008 Terminal Services
I currently have a Server 2003 Active Directory domain environment. I would
like to introduce Terminal Server 2008 into that environment.
Are there any incompatibility issues I should be concerned about between
TS2008 and AD2003?
Do I have to upgrade my 2003 AD domain controllers in order to run TS2008?
Any information you can provide is greatly appreciated.
--
Paul D. Oneill, CISSP, MCSA
No external time source for Windows Time Service
We're a multi-domain environment with one root domain and several child
domains.
The root domain's DC that's also a PDCE operations master is the
authoritative time server for the whole forest right?
-What happens if you don't set up the external time source on the root
domain's DC that's also a PDCE master? Does it just rely on itself then for
the time or does it use MS's NTP by default?
-If there are 2 DCs in the root domain, is it recommended to set up the
external time source on both of them even though one of them is not a PDCE
master in case the one with PDCE master goes down and seize the PDCE master
role when this happens?
Need script to list various groups and their users
Hello,
I was hoping to get a script that can scan AD for any groups that have
"admin" in the name, but then I also need it to list the members of the groups
it finds.
I was hoping to modify this script to do what I want:
' Errors are suppressed for the rest of the script
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
' Open an ADO connection through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' Page the results and search the whole subtree under the base DN
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
' Select every group whose name contains "admin"
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://DC=fabrikam,DC=com' WHERE objectCategory='group' " & _
    "AND Name='*admin*'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
' Print the name of each matching group
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop
Would it be very easy to add the user membership lookup to this script? If
so, how and if not, then what is a good script that will?
Thanks!
EFS
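Hello, MS engineer!
I saw a description of EFS on the Microsoft website: when a document encrypted with EFS is transferred to the local machine or to another server that does not use EFS, the document is automatically decrypted.
Does this mean that once the document leaves the folder where it was originally encrypted, it is no longer protected? Then what is the EFS system mainly used for?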
how to create a new AD tree or forest?
win2k3
At home here I have a little network consisting of a winXPpro machine and
another machine running win2k3 (evaluation). I've configured the win2k3
machine to be the domain controller in my AD. I'm doing this for the purpose
of learning AD. Now I want to create another tree or another forest in my
AD... when I run dcpromo on the win2k3 machine, the only option I got is to
remove the AD... And all the info I've come across on the Internet says I
should use dcpromo to create a new tree or forest.... I'm a bit confused
here....
any suggestions?
Prevent users from joining Computers to domain?
I am planning to rework how our users join PC's to our domain for
security/management purposes. I know that by default users can join up to 10
workstations to the domain without any special permissions required. I am
guessing that as a first step I would need to use ADSI Edit on the PDC and
change the "ms-DS-MachineAccountQuota" value to "0". This would then allow
only the Account Operators group (and higher) to join PC's to the domain.
Ultimately, we would like the process to be as follows:
1 - User requests to helpdesk to join a PC to the domain (user cannot join
the PC to the domain on their own).
2 - Helpdesk creates the Computer object with specified name in AD and
assigns domain join permissions to the specific user.
("the following user or group can join this computer to a domain").
3 - User then joins the Computer with the same name to the domain.
I would appreciate any feedback and/or sound advice on this. Thanks very
much.
specifying DC to use during a promo?
I have an issue with a remote site where it complains about a schema update
needed.. i'd like to force this machine when it promo's to use my FSMO dc
as its original replication point. I understand there's an /adv switch with
DCPROMO.. I ran it in my test environment but I didn't see a place where I
could specify which DC to replicate from. I saw that I could pick either
replication from a DC or from a file backup.. so I chose DC.. but was never
able to specify..
anyone have any idea?
GUI folders missing in \\sysvol\domain\policies
Long short story.
One domain - 1 DC
1 month ago created the 2nd DC -> 1 domain 2 DCs
One of the DC become hw unstable (the 1st dc in the domain - old machine)
and I had to demote it using /forcedemote switch. Cleaned up AD using
ntdsutil.
status: 1 domain - 1 DC
1 week ago promoted another DC -> 1 domain - 2 DCs
Immediately after I found out that sysvol folder was missing. I've recreated
the sysvol folder and subfolders using the D2 and D4 reg values.
Yesterday after I checked the sysvol folder and I noticed that under
\\sysvol\domain\policies there were no folders (GUI with brackets). I checked
the advanced tab in AD\users and computers\system\default domain policy also
nothing there but tons of event id :1030 source:usernv.
"Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this."
GPMC cannot find path in group policy objects for DC policy, domain policy
and sp users logon deny.
At this point I do have only a copy of the sysvol folder that was taken 1
month ago from the 1st DC that has been forcedemoted. The GUI folders all
three of them are there. They seem to be intact.
1. Is there any possibility to restore those policies having those folders
from backup?
2. If not what would be the consequences if I use dcgpofix?
Thank you very much in advance.
Andrei
Mass update of sapUsername attribute
Hi there,
I have a list of users (not all) in one of my OUs that I need to update
by adding the attribute sapUsername with the value specific for them.
e.g.
sAMAccountName is Test.User1 then sapUsername is TUSER1
sAMAccountName is Test.User2 then sapUsername is TUSER2
However, I have over 300 users to update and doing this manually is not
an ideal situation! Is there any way I can mass upload these?
Thanks,
Boul
--
sin.e.boul