By: Jeff Schertz | Posted: December 17, 2008 at 8:59 AM
I feel a little silly just finding out this little tip recently as I can’t count how many times I’ve had to manually re-join a Windows workstation or member server to a domain in my life.  This is a pretty common procedure as various issues can sometimes cause problems with the secure channel communications between workstations and domain controllers in an Active Directory domain.  Rejoining the domain reestablishes the trusted partnership and in most cases resolves the issue. The tried-and-true ... [more]
By: David Greve | Posted: September 22, 2008 at 10:59 PM
After recently deploying PerformancePoint Scorecards within SharePoint, we’ve noticed some client computers (end-users) could not connect to these scorecards.  As an example, we have had a filter on the scorecard that would produce an error of: “No Selections available. Contact your system administrator for assistance.  Contact the administrator for more details.”   The scorecard also continued to say “Updating…”, after seeing this error on the filter. While continuing to diagnose this issue, ... [more]
By: Jeff Schertz | Posted: June 25, 2008 at 1:09 PM
I've run across a couple situations where enabling users for OCS via the Management Console proved to be a bit cumbersome, typically when wanting to only select a certain subset of accounts among a list of thousands.  So I set off to figure out how to easily perform the same action by manipulating the AD object attributes directly with scripts and freeware tools. The first step was to observe exactly what changes were applied to an account when enabled via the console. I took a snapshot of the p ... [more]
By: Jeff Schertz | Posted: May 20, 2008 at 3:16 PM
I recently needed to create a few thousand mail-enabled users in Active Directory for a project in which the original plan was to use a third-party mail migration product to later mailbox-enable and then migrate data in from another directory.  But as plans changed I found that we were going to need to manually convert a good number of these objects into mailbox-enabled accounts.  At the time I thought, "No problem, I'll just filter out the specific users and select the Exchange Task to Cre ... [more]
By: Jeff Schertz | Posted: April 25, 2008 at 3:39 PM
On a recent project I ran into a unique problem regarding replication of public folder information in an Exchange 2003 organization.  The problem was recently discovered after the migration of an acquisition into the existing organization when users noticed that Free/Busy information for mailboxes was not displaying between mailboxes in the existing offices and the new office.  After an exhaustive search and a few dead-ends I was able to finally resolve the issue, but the lack of information I f ... [more]
By: Travis Nielsen | Posted: March 31, 2008 at 10:58 PM
I'm pleased to announce my third PointCast in the Windows 2008 Server series. It covers Rights Management Services and provides a demonstration of its integration with SharePoint Portal Server 2007. I'm a big fan of RMS and I encourage anyone who needs persistent document protection to take a close look at it. There is a lot to talk about here, but I did my best to keep it short. The duration is a little over 20 minutes. [ web / iPOD (coming soon) @ 29,533KB ] Modern security problems requ ... [more]
By: Jeff Schertz | Posted: March 12, 2008 at 1:02 PM
There are a handful of tools and scripted solutions floating around for resolving SIDs to user accounts and the reverse, but here's a handy way to do this by simply using Active Directory Users and Computers. The first time you perform this for a domain it will be necessary to identify the RID and GUID portions of the domain's SID, so that you can create an LDAP Query, and then any future lookups will only require some quick match to convert the GUID portion into a format suitable for searching ... [more]
By: Travis Nielsen | Posted: March 6, 2008 at 2:37 PM
When you install Certificate Services on Windows 2003 and Windows 2008, you have the option to add Web Enrollment Pages. These pages are needed if you need a higher level of assurance for your certificates than Auto Enrollment provides. In other words, they facilitate a process by which: A user submits a request for a certificate, which is stored in a queue on a Windows Certificate Authority. The request is independently authenticated by a 3rd party entity. The approved digitally signed ... [more]
By: Travis Nielsen | Posted: February 5, 2008 at 11:33 AM
I recently posted a PointCast discussing Active Directory snapshots in Windows Server 2008. In it, I point out that one of the limitations of using snapshots is the fact that they can't be used to recover deleted user objects. Fortunately, with PowerShell and a little bit of scripting knowledge you can create a convenient way to restore deleted user objects from the proverbial digital grave. Once this is accomplished, you can use a snapshot to recover other important attributes (group member ... [more]
By: Travis Nielsen | Posted: January 27, 2008 at 11:12 PM
I have posted my first PointCast, which discusses a new feature in Windows Server 2008: Active Directory Snapshots. This is the first in a series I'm creating that takes a look at some of the new technologies to look forward to in the upcoming release of Windows Server. It clocks in at just under 10 minutes. [ web / iPod (11,760KB) ] DISCLAIMER: All demonstrations are taken from Windows Server 2008 Release Candidate 1. Features may change by the time the product is released to manufacture. ... [more]
By: Jeff Schertz | Posted: September 6, 2007 at 6:01 PM
After completing multiple cross-organization migration projects with differing co-existence periods, I've found myself having to go back to the books for a refresher course on intra-forest migrations. Among the many differences on how to approach and implement a migration intra-forest versus inter-forest, one of the most important is how Active Directory objects are migrated between domains. When working with separate forests there will typically be duplicate instances of all objects consider ... [more]
By: Jeff Schertz | Posted: February 21, 2007 at 12:21 AM
  Background   Relatively new to Windows Server (starting with 2003 SP1) is a feature called Access-based Enumeration (ABE) which recursively hides files and folders in a share from user accounts that are not granted any permissions to those objects.  Simply put, if a user doesn't have at least Read access to it, they can't even see it.  If you've ever worked in a Novell NetWare environment you have probably seen this in action, as users will only see the data they have permissions to acc ... [more]
By: Aaron Steele | Posted: September 30, 2006 at 10:15 AM
Let's say you're consolidating your Active Directory domains or merging with another company's AD environment and you want to know if it's possible to keep their same login IDs, etc. Sometimes it's useful to know ahead of time whether or not this is possible. Some migration tools have mechanisms included to test for this, but if you cannot afford such tools and have to use cheaper (free) means the following script might help. The input file is a spreadsheet with the desired information of t ... [more]
By: Aaron Steele | Posted: September 30, 2006 at 10:14 AM
Suppose you are done with a migration and want to clean up user accounts and remove some security holes like having SIDHistory on the accounts. There are tools that some commercial products provide to automate this process, but there is also a published script from Microsoft that could be modified to do the same thing. http://support.microsoft.com/default.aspx?scid=kb;en-us;295758   'cscript.exe ClearSidHistory.vbs -n=<name> [-o=<objectCategory>] [-c=<objectClass>]''-n=< ... [more]
By: Aaron Steele | Posted: September 30, 2006 at 10:14 AM
Let's say as part of a migration you are changing login IDs for everyone but you want to continue to use the %USERNAME% variable to map their home drives, etc. Here's an easy way to rename the existing home directories without losing rights assigned to them. The input file is a CSV file with the old and new sAMAccountNames. Change the server and login info below. This is assuming you're connecting from a different domain and want to use a Domain Admin account that has rights to the file serve ... [more]
By: Aaron Steele | Posted: July 14, 2006 at 2:35 PM
In case you've noticed that the sIDHistory attribute isn't very user friendly when viewing it with ADSI Edit, here's a way to reverse-engineer the value to compare it with how we are normally used to seeing it displayed:   Find the SID for the source domain user or group by using the getsid.exe command:   Command Usage: getsid \\<source_dc> “<Source User/Group Name>” \\<target_dc> “<Target User/Group Name>”   Example: getsid \\DA_PDC “Developers” \\CORPCU1DC00 ... [more]
By: Aaron Steele | Posted: June 27, 2006 at 10:13 AM
Here is a useful script I found on the web when trying to find a way to report on SIDs for a number of user objects. There is the free "getsid.exe" from the Microsoft Support Tools add-on located on the Windows XP/2000/2003 install CD and that is useful for performing a quick comparison of two objects. I was looking for something on a larger scale. I came across this VBScript code which will print out the various SID formats for a given user object: Option Explicit Dim objUser, s ... [more]
By: Aaron Steele | Posted: June 27, 2006 at 10:12 AM
Summary: A company has an AD forest with a parent domain with four child domains. One of the child domain DNS zones was properly delegated and the other three were not resulting in a DNS configuration error. The zones have been configured as Active Directory-Integrated and are configured to replicate to the entire forest. Running the dcdiag tool reports the errors in DNS zone delegation. Even though the zone delegations have been configured incorrectly the service and host records have been ... [more]