Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Do you have users whose passwords are expiring and who are constantly calling you? Well, I sure did and needed a way to put an end to this. We have a lot of remote users who would not be notified that their passwords were expiring since they were not connected to the domain. This can become a real problem for Administrators when they are wasting valuable time resetting passwords. Let me first tell you, I'm not a developer, so I'm sure there are better/other ways to do this, but hopefully this will help some of you get started.

Below is a script to email Active Directory users that their password is going to expire in X days. It will also send a password expiration report to the Administrator which includes the name of each user whose password is expiring and when their password will expire. I have this script set up as a scheduled task to run daily on my server.

Here's some instruction to get this to work:
1. Install the Quest cmdlets and add the snap-in to PowerShell. http://www.quest.com/powershell/activeroles-server.aspx
2. Modify netadmin@email.com to the Administrator's email address that should be contacted.
3. Change 192.168.x.x to the address of your SMTP server.
4. Set $DaysToExpire = X (X=10 will email all users whose passwords expire within the next 10 days).
5. Modify the script/body of the email to fit your environment (You could modify the body of the message to include instructions on …

Expert Comment

by: Suliman Abu Kharroub
Thanks...

Expert Comment

by: Shreedhar Ette
Hello Jake,

Does this script have any operating system requirements?

Have you ever used this in a production environment?

Companies that have implemented Microsoft's Active Directory need to ensure that Active Directory is configured and operating properly. If issues are found and not resolved, components eventually fail or stop working, causing problems across the Windows networking environment. Download Microsoft's Support Tool Kit and install the Support Tools on the server.

Now, before we move on to the health monitoring tools, it is always a good idea to make a list of all the Domain Controllers in your organization along with their IP addresses and trust relationships, if any. Assuming that you have completed this step, let's move on to using the tools.

Since many of these tests generate logs, let's start by creating a log folder to store the diagnostic information. I'm going to use C:\AD-Health-Logs on my server.

Let's start by verifying the health of the Domain. For this we are going to use NSLOOKUP, which is a command line tool for testing and troubleshooting DNS. We all know that DNS is the heart of Active Directory, so that's the first thing we will check.

For replication to happen seamlessly between multiple Domain Controllers, name resolution must work correctly. Each DC should be able to resolve the _msdcs record of every other DC. Open the DNS MMC and look for the _msdcs record.
ad-health-01.jpg
Once you have the _msdcs record for the DC object, we can use NSLOOKUP to check the name resolution. Open Command Prompt and type:



Expert Comment

by: Premkumar Yogeswaran
Good Article

Cheers,
Prem

Expert Comment

by: renilchalode
Very good article..

I know every systems administrator at some time or another has had to create a script to copy a file from a server share to a desktop. Well, now there is an easy way to do this in Group Policy. Using Group Policy Preferences is not hard. The first thing you will need to make sure of is that you have a Windows 2003 or higher domain and a Windows 7 computer running RSAT. If you have a Windows 7 computer but are not using RSAT, you can download it at the following link.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

Please remember that if you are using a Windows XP computer you need to have the Client Side Extensions installed.
To get started you need to create a policy or use an existing one. But first, let's open the Group Policy console. pic1

Then let's edit the policy you want to use. You will want to navigate to User Configuration\Preferences\Windows Settings\Files. pic2

At this point you will want to right click on Files and select New \ Files. It will open a box for you to start entering your information.

You will notice that at this point you have a drop down box that gives you four options: Update, Replace, Create and Delete. Update will update the file if anything changes in your policy; Replace replaces the file every time the user logs in; Create does what it says and just creates the file if it's not there; and Delete will delete a file if you need to.

For …

Expert Comment

by: Ricardo Martínez
I got a problem using those policies. They work perfectly on Windows 7, but on Windows XP it's a headache... With a restricted-rights user I can't copy a file to C:\Windows, although I can create a folder in there using the Folder policy, but I can't create a file in that new folder either. Can you help me with that?

Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available.

Let's explore our Sysvol for a second. Open an Explorer window and navigate to \\DOMAINNAME\sysvol\. Open subfolders until you are inside the Policies folder. We are now looking at the GUID of every Group Policy Object (GPO) in our domain. The picture below is from our domain.

Open up any policy and you should see a few subfolders. The most common are: ADM, Machine, and User.

By default, your ADM folder will have five ADM files. Each client will also have a copy of these files. Each policy you create will automatically include this ADM folder. Our domain has four domain controllers and 767 group policy objects. Each policy would have a 3.46 MB ADM folder in it. That means that our domain uses 10.4 GB of space to store ADM files! That is a lot of files to replicate!

You have probably already asked: why does every policy need a copy of the ADM files? The clients do not need them because they are located on each client machine. Microsoft gave us a better solution with the Group Policy Central Store.

The Group Policy Central Store allows you to store one copy of ADMX files in your Sysvol and to have any Group Policy Management Console automatically pull its …
As network administrators, we know how hard it is to track users' login/logout using the security event log (by the way, it is harder now in Windows 2008 because the user name is always "N/A" in the grid), and most of us either get 3rd party tools or just make our own log.

This simple approach can be used to create a log entry whenever a user logs in or logs out on any network computer, using GPO logon/logout scripts and the logging provided by IIS.

This tip focuses on using the IIS log instead of writing your own log file, which involves complications like using shares, locking, user rights, etc.

In brief, what you need to do is the following:
1- Make a simple website and host it on any computer (you can use any DC); only one blank .htm page is needed in that site
2- Enable logging for that site
3- Make a logon/logout script that makes a request to that site
4- Attach and deploy those scripts to the GPO

I will not discuss in detail how to do steps 1, 2 and 4 (maybe in another article if I get the requests), but I will include the script file used, assuming that the dummy site is on 192.168.0.15 port 8595 and the dummy page name is default.htm.

The parameter passed to the script can be "LoggedOn" when the script is used as a logon script and the word "LoggedOut" when it is used for logout. The query string is built in a way that lets you treat the log file as comma delimited when importing it into Excel, for example.

Sample log output:

2011-02-27 12:36:17
I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more!

With Windows Server 2008 – or, more specifically, the Group Policy Management Console for Vista / Server 2008 – Microsoft introduced Group Policy Preferences.  The server-side configuration can be done in the GPMC in Windows Vista / Server 2008 and above, meaning you don't need Server 2008 to use GP Preferences.  On the client side, the extensions are included natively in Vista and above, and can be installed as an add-on to Windows XP (available here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e60b5c8f-d7dc-4b27-a261-247ce3f6c4f8&displaylang=en).

There's one big difference between standard Group Policy and Group Policy Preferences.  With standard Group Policy, an administrator defines a set of policies that apply to a user or workstation, and they cannot be modified on the client.  An example would be turning on the Windows Firewall.  If this is set by Policy, the ability to turn this off is disabled for users.  On the other hand, Preferences can be modified by the user.  An example of this would be setting the default IE home page.  We can set it to http://www.company.com for all our users, but if they want to change it, they are not prevented from doing so.

To get started, install the Group Policy Management Console,…

Expert Comment

by: brtl1000s
Wattstek: In order for this to work with XP, you have to install the optional client side extension

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3628

run gpupdate and reboot.

Expert Comment

by: Ricardo Martínez
First of all, your article was really helpful. I have a question: do you know how I can create a file through Active Directory policies in a folder with write permission blocked? I can create folders anywhere, but I can't create a file inside them (for example C:\Windows\Myfolder\myfile.txt). The problem is under Windows XP clients. Thanks.

This is my first article on EE and English is not my mother tongue, so if you have any comments or any corrections you would like to make, please feel free to speak up :)

For those of you working with AD, you are already very familiar with the classic MMC snap-in which makes your everyday tasks possible, ADUC (Active Directory Users & Computers). Unfortunately, ADUC still lacks features, especially prior to 2008. I have noticed recently that few System Administrators are familiar with LDP, despite it being as useful as ADSIEdit. Both offer additional access to data that is difficult to see in ADUC.

As Microsoft describes: "Ldp.exe is a Windows 2000 Support Tools utility you can use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria. This also allows administrators to query data that would otherwise not be visible through the Administrative tools included in the product. All data that is returned in LDP queries, however, is subject to security permissions."

So basically you can use this to search for specific attributes and specify search criteria in order to find out what you need regarding certain objects. LDP.exe doesn't take much time to learn and it will help you analyze AD issues. I use it a lot during migrations to locate AD objects. You can also use LDP.exe to view other LDAP directories that are not Active Directory.

As I mentioned, I use this in migrations and in …
The saying goes that a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they're probably not going to become an all star. However, for the system admin who is willing to spend a little bit of time and do some learning, these tools can make your life much easier and ease your stress as an Active Directory admin.

In my everyday work I spend a large amount of time working with Active Directory services. This article is written with the Active Directory admin in mind. This is by no means a definitive list of Active Directory tools, merely the ones that I find myself using on an almost daily basis and recommending to others in solutions on this board. For the most part these tools are available for free download. If you feel that I missed an important tool, please feel free to add a post and let everyone know.

The DS series of tools
These tools for Active Directory are probably my favorites. This is a set of 6 command line executables that allow you to query, modify, and delete Active Directory objects via the command line.

These tools come bundled with many others, available free from Microsoft at the following locations depending on your OS.

Windows XP, 2k3 - http://www.microsoft.com/downloads/en/details.aspx?FamilyId=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en
Windows Vista - …

Expert Comment

by: mrah
Great resource. Some I've used/been using and a couple of new ones to add to the artillery!

Expert Comment

by: Mike Kline
Nice article; some additional tools that can also come in handy:

Wireshark (or Netmon works too)
SysProSoft's Policy Reporter - Great for reading userenv and other log files
PortQry - great scanner to help troubleshoot port issues; telnet is another nice tool in this space
Active Directory Utilities on CodePlex - ReplDiag being a nice one in that set, written by a Microsoft PFE
PAL Tool - Another nice tool written by a Microsoft PFE, helps diagnose performance logs

My last post dealt with using Group Policy Preferences to set file associations, a very handy use for a GPP. Today I am going to share another cool GPP trick. This may be a specific scenario, but I run into these situations frequently in my activities.

Currently I am employed by a construction company; at any given time we can have between 30-40 small jobsites running. These are usually small field offices of 4-5 users connected either by a site-to-site VPN or an MPLS T1. For the duration of a construction job they work out of this field office and they expect to be able to perform their job duties the same as if they were sitting in the main office.

In the past, one of the annoying problems we ran into was how to properly deploy and manage printers at these jobsites. We basically had two choices:

1. Install and share the jobsite printer on our print server at headquarters. This allowed for easy printer installation by the user, but slow printing over the WAN connection and no ability to print if that connection ever went down.
2. Configure the printer locally and have users print via TCP/IP. This method allows much faster printing since all the data remains in the LAN, and it is also unaffected by a down WAN link. The downside is that installation requires administrator rights and must be completed individually per user and printer. A site with 2 printers and 5 users would require 10 printer installations to be completed by a technician.

Using group policy …

Expert Comment

by: Glen Knight
If you have a room with 30 computers in it and you want to apply the printer to all those computers regardless of who logs in, this is a much more efficient way of doing it.

Expert Comment

by: Tech_Services
So to deploy a printer using its IP address in group policy, you first must set up a print server and add the printer.

If this is "only used for the initial printer installation after all print jobs will route directly to the TCP/IP printer" as quoted above, if I then disable the print server or it lost its connection, would the PC's connection to the printer still work as it was set up using the IP address and not a UNC?

Thanks,

Andy

There are two modes of restricted groups GPOs.

1. Replacing mode

2. Additive mode

How do they work?
Replacing mode: Everything (users, groups, computers) that is a member of the local Administrators group will be cleared out. After that, the policy is evaluated and applied. This means: the accounts or groups that are specified in the GPO ("Members of this group") will be added to the local Administrators group of that particular client. The local Administrator account always stays in the local Administrators group, even if you don't specify it. The same applies to Domain Admins.

Additive mode: Every account that is a member of the local Administrators group will stay a member of the group. The group defined in the policy ("Group Name") will be added to the local Administrators group of the particular client that applies the GPO.

How do they work exactly?
Replacing mode: changes the file

\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

at the position

*S-1-5-32-522__Members = ...

on the domain controller.

This has the following effect: when the group policy is applied, every account or group that isn't specified will be erased from the local Administrators group.
When you have a multilingual setup, the local Administrators group can be …

Expert Comment

by: Premkumar Yogeswaran
I haven't seen a concept of "additive restricted group"..

Could you share a link for that?

Expert Comment

by: Glen Knight
Premglitz,

It's a fairly basic concept. You either replace or update.

When you look at the properties of the restricted group, you either specify the members of the group you enter or specify the group it is a member of.

The "members of the group" option specifies the members of the group; anything not listed will be removed.

Specifying that the group listed is a member of "another group" will add the group to a group that already exists without modifying the contents of the group.

Which bit are you not clear with?

At some point in your work you may run into a need to globally assign a specific file type to open using a specific program. I was recently tasked with completing this objective. In my case it was setting the TSV file association to open with Excel. Below are the steps to follow if you need to do a similar file extension modification using GPP.

I had originally been hesitant to use GPPs because I thought they required a 2008 domain controller. This is not the case. These GPPs can be easily used assuming you meet the prerequisites below.

1. You will need to create the GPP on a Vista, 7, or Server 2008 machine with the Group Policy Management Console available.
2. Your clients will need to have the Group Policy Preferences client side extensions installed on them. These come installed by default on Vista and 7. For XP you will need to download them here. This update can also be pushed to your clients via WSUS.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e60b5c8f-d7dc-4b27-a261-247ce3f6c4f8&DisplayLang=en
3. Microsoft recommends installing XMLLite on the machine as well. http://www.microsoft.com/downloads/en/results.aspx?pocId=&freetext=XMLLite&DisplayLang=en
I did not have to install this for the GPP to work on my XP machine.

Once you have the 3 prerequisites above covered, simply open up the GPMC. Right click the Group Policy Objects container and select New, or open an existing group policy.

In the new policy you created navigate to …

Expert Comment

by: HelpDeskGeiger
This was EPIC! I've been trying to get .tif files associated with MODI on a Server 2008 R2 box and I just couldn't find any good information till I checked here. Your guide was exactly what I needed. THANKS!

Expert Comment

by: Josh Libby
Did you have Office installed on the DC where you edited your policy in order to have the associated class available in your drop down?

At least once a month I see a question in one of the Windows Server related Zones asking about Best Practices for GPO Security. I have been in IT for 20 years, and a Sys Admin for over 15. I know this will sound cliché, but this is mostly a preference question. I mean, technically, if you want to be secure, you should lock the machine down to the point that it would only be good for a boat anchor. I am sure that some DoD security specialist would still think it needs to be coated in concrete after all the cables into it are severed.

I currently work in a division of the DoD. I will tell you that we are HIGHLY secure in our standards. No users have administrative rights on their machines. Technicians who need admin rights have separate accounts which are audited frequently. In the past I have worked in the Health Care industry as well as the Financial industry. Each has specific needs. So, how do you come up with a Best Practice?

First, decide: What are your business' legal needs?

There are many industries that have specific laws applied to them. The Healthcare industry has to deal with HIPAA. Publicly traded companies have to deal with SOX. Government entities have to deal with DISA. If you do not work in a field with sensitive, regulated data (financial, health, government, etc.), you have more leverage, but as a System Administrator you need to make it your business to know your business. That means you need to know the applicable laws which regulate it.


Expert Comment

by: Awinish
Very good article..I like the way of explanation..coz there is no best practices for GPO, it depends how we use it for maximum effect with minimum GPO...Thumbs up for the article.

Author Comment

by: Justin Owens
Thank you, Awinish. Your kind words are appreciated.

I came across this issue when setting up a two-way forest level trust, so here's the scenario:

A company, Wildcards, acquired another company, Bizworks (both fictitious).

Wildcards: Windows 2003 domain & forest functional levels - AD domain name: wildcards.com
Exchange Server 2007 - Mail domain: wildcards.com

Bizworks: Windows 2000 domain & forest functional levels - AD domain: bizworks.local
Linux-based mail server - Mail domain: bizworks.com

Both have MX records on the service provider's DNS. Both domains are connected over VPN / MPLS / PTP or any other form.

Since one of the domains was Windows 2000, we decided to create a two-way forest trust, and for DNS resolution we created secondary zones, although with 2003 we could have used conditional forwarders. When this happened, all the emails from Bizworks to Wildcards started getting queued up.

The reason we found was: since Bizworks has the same AD and mail domains, and since we had enabled secondary zones and enabled zone transfers, the secondary zone for wildcards.com on the Bizworks DNS was acting as an authoritative zone and none of the queries were going to the external MX. Now, Exchange does not need an MX on the internal DNS for its own domain; it relies on host records and Active Directory.

Since we cannot create records on the secondary zones, we created an MX record on the primary. Now this gets interesting: we pointed this MX to the public IP. If we create an MX pointing to the internal IP of the Exchange server, …

Expert Comment

by: Dhaval Pandya
As I understand it, you want to make a dual entry pointing to the same server through different IPs for link failover.

In such a case I guess you have to set 2 MX records with different priorities, i.e. for the direct connectivity IP you can set a high priority and for the internet link IP you can set a very low priority.

I hope this will help.

Author Comment

by: Kini pradeep
That would be a good strategy if you have multiple (public) IPs. What happens if your DNS server does not query the public DNS at all, as it finds an authoritative zone on the internal DNS server?

One of the major disadvantages of still running XP in production is its lack of Internet Explorer Favourites directory redirection. If your users frequently roam between computers, the usual workaround is to enable Roaming Profiles so the favourites roam with them. This usually works, until Windows Vista or 7 is introduced into the environment.

The newer Microsoft operating systems from Vista onwards do not support the old, legacy format of the XP profile. Instead, users logging on to a modern OS for the first time will be given a new roaming profile with ".V2" appended to their username in the roaming profile share. This is the version 2 profile, used by Vista and later and totally isolated from the XP profile, including total isolation of the data it contains. In a phased roll-out of the newer Microsoft operating systems, you must follow best practice by using folder redirection to redirect user data on all systems to a common network location. This removes the data from the profiles, maintains consistency and ensures the user experience is the same on all network stations, without concerns over which OS is installed and therefore which profile and data the user will have access to. Plus, roaming profiles are just too slow for storing lots of user data anyway.

Unfortunately, Windows XP does not support redirection of the Favourites directory; this support was added in Windows Vista. One workaround I have seen is the built-in Vista redirection configured to …

Expert Comment

by: Awinish
Very Informative..

Author Comment

by: tigermatt
Thanks, Awinish. I appreciate your feedback.

Matt

If you've spent any time administering Active Directory, you've probably come across the concept of Flexible Single Master Operations (FSMO) roles. Their introduction is arguably one of the most important but misunderstood changes to Active Directory in the last ten years.

Take a trip down memory lane

In the days of Windows NT, one may recall the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) concept. The directory was structured such that every DC, whether a PDC or a BDC, had a copy of the directory database, but only the PDC could make changes to that database. The model was inefficient, negatively impacted growth and desperately needed improving if the product had any chance of surviving.

Enter Windows 2000. The Directory Service went through one of its largest scale rebuilds to date. Replication and management was significantly improved and the concept of having a multi-master directory was introduced. Although this design has been tweaked over the years, fundamentally, it has remained the same through the versions - because it works. Any DC anywhere in the domain can execute virtually any update to the directory. This scales beautifully, even on large, geographically dispersed networks with many thousands of users.

However, notice I said virtually any change. Since a change can take effect at any DC, there is the possibility that a conflicting change will be made in two locations …

Expert Comment

by: MidnightOne
The best discussion I've heard on FSMO seizures:

Him: You're the president, I'm the vice president.
Me: Okay.
Him: You have all the stuff you can do (the FSMO roles) that I can't.
Me: Right.
Him: BANG! You're dead, and I get to take over.
Me: Close - what allows the vice-president to take over?
Him: He gets sworn in
Me: Correct - and that's what seizing the roles does - it swears in another domain controller as the FSMO role holder.
Him: So, Nixon leaving office was a role transfer?
Me: And Kennedy being killed was a role seizure.

I have to hand it to him - it's brilliant.

Expert Comment

by: Life1430
Wow, great article

Have you ever wondered why the Administrator account is allowed to do certain things and other accounts aren't? Probably not, unless you're an insomniac like me, but the reason is actually pretty simple, and mastering the ability to assign User Rights, Windows' method of determining which users can do what, can grant system administrators a great deal of control over their environment.

This article will delve deep into the dark reaches of User Rights to give you a good enough understanding of this simple system of user management that you'll be able to build a more secure, stable, and efficient Active Directory environment with little effort at all.

The Place

To control the rights that any user has, you'll need to find the right place to take control of them. The User Rights Assignment section of Windows Policy is where you manage this.

To see for yourself, open the Default Domain Controllers Group Policy Object (GPO) or run gpedit.msc. With the policy management window open, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. This part of Windows Policy is where you determine which accounts can do what and which ones can't. Each right listed permits a specific type of operation to any account that is granted that right. When you first look at this section, you'll notice that "Administrators" is listed in almost every line. This is why Administrators can do everything they can do.

The What

Expert Comment

by: Joseph Moody
I really enjoyed reading this! Setting up a proper service account is cool!

Managing Your Accounts the Right Way

One of the most important roles a Systems Administrator has is user management. Depending on the size of your network, it can be really simple or horribly daunting.  Luckily, there are strategies for handling permissions to accounts, so you don't have to spend your entire life applying permissions to each user.  This is the purpose of Security groups, and there are some best practices associated with handling them.

The Best Practice

Somewhere along the line, back in the age of NT, Microsoft developed a group and account management strategy called AGDLP.  The underlying purpose for this strategy was to handle account access between domains.

Accounts were added to Global groups, and the global groups were added to Domain Local groups.

The Domain Local groups were given permissions to files, processes, and anything else that needed access.  The whole purpose of this strategy was to prevent administrators from having to assign permissions to individual users in each domain (which can take forever in large environments).  With Windows 2000, Microsoft also added the Universal group and AGDLP became AGUDLP.
 
The strategy continues today, in the world of Windows 2008 (if you've gotten there yet).  So let me explain what each of these group types do.

The Skinny on the Group Types

We'll start from the bottom of the list and work our way up in defining the group types

Local Groups Local groups …

Expert Comment

by: FunkyBrown
Spells it out pretty solid - the clarification on universal groups is very useful. An easy mnemonic or memory trick for AGUDLP is to think of Sgt. Pepper's Lonely Hearts Club Band - that was A GUD (good) LP.

Expert Comment

by: DanRollins
Nice! ... but what about "Houses of the Holy" and "Are you Experienced?" Those were also GUD :-)

Hi guys,
I'm going to talk today about ADMT 3.1 and the complete process of migrating user accounts and passwords, illustrated with screenshots. Active Directory Migration Tool "ADMT 3.1" is the latest version that can be run on Windows 2008.

This article will demonstrate, with screenshots, the process of setting up ADMT, configuring user migrations, setting up the Password Export Server on the source domain, and migrating users' passwords and SID history.

First step: installing ADMT 3.1 on a Windows 2008 Domain Controller

[Figure 1: installation]

Installing ADMT

The ADMT installation file can be downloaded from here:
    Active Directory Migration Tool version 3.1

During installation, the wizard asks which database ADMT should use. It can use an existing SQL Server 2005 instance or install a new SQL Server 2005 Express instance; in our case we chose to install a new SQL Server 2005 Express instance.

[Figure 2: SQL setup]

Then the wizard asks whether to import data from a previous ADMT database. Since this is a new installation, we chose not to import any data.

[Figure 3: importing previous ADMT data]

The installation wizard then completes successfully.

[Figure 4: finish installation]

Second Step: Installing the Password Export Server

In order to be able to export the users' passwords, we need to install the …
LVL 3

Expert Comment

by:TechGoddess82
Precise documentation! Thanks!
LVL 6

Expert Comment

by:Paul Wagner
The ADMT manual says that you have to migrate service accounts and global groups first. Does this article infer that those steps were already done?
Here is my process for pre-populating a domain profile on a desktop computer WITHOUT having the user log in. This works well for those summer replacements when all the teachers are off.

Change ServerName, DomainName and DC=Domain,DC=Domain to the values (or OU) appropriate to your environment. When the user logs in they will have the same desktop folders and data as well as their bookmarks. Windows will still go through the initial configuration of Internet Explorer, etc., but the saved data will be there.

The user's home directory is on the server, but sometimes folks save things to the desktop. Prior to reimaging the machine, I copy Desktop and Favorites from the user's profile.

After the script below is run, the Desktop and Favorites folders are copied into the user's profile folder. To create the profile folders and grant rights to the user's AD account I run the following script:
'* Stage Profile written by Scott D 3-31-10
'* Usage: After a machine has been migrated or imaged,
'* this script creates a local profile to which saved data can be copied
'* without the user having to log in first.
'* The script creates the registry entries under
'* HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileGuid
'* and HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
'* keyed by the user's AD GUID and SID respectively.
'* The script also creates the user folder under Documents and Settings.
'* The script copies SubInAcl.exe to the machine and uses it 

LVL 5

Author Comment

by:sgdought
Everything that is preceded by a '* is a comment. I thought the comments at the top explained it very well. Feel free to delete it. I just thought that someone searching for how to pre-stage a profile might find it useful. I found numerous people looking for an answer, but never actually found one, so I thought I would post it here. With all the code comments, it is assumed a VBScripter would be able to customize it.
Expert Comment

by:NewbieTechi
Hi
I tried your script but did not have any luck. I got "...no domain available...." message after running your script and when I tried to logon.
I am providing user's logon name as input to the script. The script finds the user account in AD, creates the profile folder and all the registry values properly except HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-x-xx-yyyyyyyyy-zzzzzzzzzz-xxxxxxxxxx-zzzzz\Guid. The HexToDecStr function is not properly converting the GUID value. So instead of {xxxxxxxx-zzzzz-yyyy-xxxx-zzzzzzzzzzzz} format I am seeing {xxxxxxxxzzzzzyyyyxxxxzzzzzzzzzzzz} and the left side of xx & zz string set are not correct, and the reason why I am saying that is because I did a GUID comparison for the same domain user on two different PCs, one where I ran this script and the other where I actually logged on using that same domain user account.
Any ideas on how to fix this?
thanks    
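The GUID mismatch reported in the comment above is a classic byte-order problem: objectGUID is stored as 16 raw bytes, and the first three fields of a GUID are little-endian, so concatenating the bytes as hex in array order produces the wrong text on the left-hand side. The following added example (not the article's VBScript, and not the commenter's code) resolves a user's SID and objectGUID with the ActiveDirectory module, shows the naive and the correct conversion side by side, and then checks whether the local ProfileList and ProfileGuid entries for that user agree with AD. The account name jdoe is an assumption.

```powershell
# Added example (not from the original article). Assumed account: jdoe.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'jdoe' -Properties ObjectGUID
$sid  = $user.SID.Value                       # e.g. S-1-5-21-...-1105

# objectGUID arrives as a [guid]; take the raw 16 bytes as a VBScript would see them
$bytes = $user.ObjectGUID.ToByteArray()

# Wrong: hex of the bytes in storage order. The first three fields come out byte-swapped.
$naive = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Right: let the runtime apply the little-endian layout, then format with braces ('B')
$guid  = (New-Object System.Guid -ArgumentList (,$bytes)).ToString('B')

"Naive hex : $naive"
"Correct   : $guid"

# Compare with what the profile service wrote (or what a staging script wrote)
$base    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$listKey = "$base\ProfileList\$sid"
$guidKey = "$base\ProfileGuid\$guid"

if (Test-Path $listKey) {
    $p = Get-ItemProperty -Path $listKey
    [pscustomobject]@{
        Sid              = $sid
        ProfileImagePath = $p.ProfileImagePath
        RegistryGuid     = $p.Guid
        AdGuid           = $guid
        GuidMatches      = ($p.Guid -eq $guid)             # -eq is case-insensitive
        ProfileGuidKey   = (Test-Path $guidKey)
        SidStringMatches = (Test-Path $guidKey) -and
                           ((Get-ItemProperty -Path $guidKey).SidString -eq $sid)
    }
} else {
    "No ProfileList entry for $sid on this machine"
}
```

A GuidMatches of False with a RegistryGuid that has no hyphens or has its first fields scrambled is the symptom described in the comment; the fix in any staging script is to build the GUID from the byte array rather than from its hex digits.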
Looking at the Forums, I noticed a significant number of people complaining about slow logon speeds.  This can be irritating at the best of times.  However, I always have the feeling that home time is a more valuable time given our crazy pace of life.

So, if you are struggling with slow logons from home, consider the following:
Is your laptop in a domain?
Does it have wireless?
Does your home network IP addressing scheme overlap with your corporation's IP addressing scheme (e.g. the RFC 1918 ranges 10.x.y.z, 172.16.y.z - 172.31.y.z and 192.168.y.z)?

If the answers are yes, yes and yes, then try disabling the wireless card on your laptop while you are booting it up and logging on from home. Only turn the wireless on once you are logged on.

After a successful domain logon, information is cached; this means that later a user can log on to the computer with the domain account even if the domain controller that authenticated the user is not available. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, if a mobile user logs on to a portable computer that is a domain member with a domain account and then takes the portable computer to a location where the domain is unavailable, Windows will attempt to use the cached credentials from the last successful logon with a domain account to locally log on the user and allocate access to local computer resources.
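The three questions above, and the cached-logon behaviour, can be checked from the laptop itself. This is an added example, not part of the original post: $corpRanges is an assumption standing in for your corporation's real address space, and the Get-NetAdapter / Get-NetIPAddress cmdlets it uses exist on Windows 8 / Server 2012 and later only.

```powershell
# Added example (not from the original post). $corpRanges is an assumption;
# replace it with the ranges your corporate network actually uses.
$corpRanges = '10.0.0.0/8', '172.16.0.0/12'

function ConvertTo-IPv4Int {
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    [uint32]($b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    # /n mask as an unsigned value; PowerShell hex literals are signed, so compute it
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

# Question 1: domain member?
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# Question 2: an 802.11 adapter that is currently up?
$wifi = Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -like '*802.11*' -and $_.Status -eq 'Up' }

# Question 3: does any local address fall inside the corporate ranges?
$addrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' }
$overlaps = foreach ($a in $addrs) {
    foreach ($r in $corpRanges) {
        if (Test-IPv4InCidr -Address $a.IPAddress -Cidr $r) {
            "$($a.IPAddress) on $($a.InterfaceAlias) is inside corporate range $r"
        }
    }
}

# Cached logons: Winlogon\CachedLogonsCount (REG_SZ) is how many distinct domain
# accounts may log on with no DC reachable; absent means the default of 10.
$cached = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
            -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

[pscustomobject]@{
    DomainJoined      = $domainJoined
    WirelessUp        = [bool]$wifi
    SubnetOverlap     = ($overlaps -join '; ')
    CachedLogonsCount = $(if ($null -eq $cached) { 'default (10)' } else { $cached })
}

# Yes, yes and yes: the workaround from the post applies
if ($domainJoined -and $wifi -and $overlaps) {
    Write-Warning ("Keep '{0}' disabled through boot and logon: Disable-NetAdapter -Name '{0}' -Confirm:`$false, " +
                   "then Enable-NetAdapter -Name '{0}' once logged on") -f $wifi[0].Name
}
```

The overlap check is the interesting one: with an overlapping home subnet the laptop may try to reach a DC at an address that resolves to a neighbour's printer, and it has to time out before falling back to the cached logon. A CachedLogonsCount of 0 means there is no fallback at all, and a domain logon away from the office will simply fail.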
Where did all of these domains come from?  Why do we need so many domains?  What is the cost of administering each of our domains?  Is there a way around this?

So, first things first. Forget about everything you have at the moment. What would the ideal architecture look like? The ideal goal is "Single Forest, Single Domain". Any decision to deviate from this ideal goal should be thoroughly questioned, as the costs and technical complexity of a multi-forest or multi-domain environment are significant and generally lead to technical catastrophes without a rock-solid operations framework. Another way of stating Single Forest, Single Domain might be the following: "Provide a secure, fault tolerant, high performance IT infrastructure to all geographic areas of the organization for as little cost as possible." Strong statement? It's the truth…

What do you really need?  Here are some ideas which include cognisance of your branch offices:

Base Services
•Directory services
•DHCP services
•Name resolution services
•File services
•Print services
•Base client services
•Base management services
Extended Services
•Application services
•Web caching
•Messaging services
•Collaboration services
•Extended management services
•Extended monitoring services
•Branch network access services
Don’t confuse the Physical Architecture with the Logical Architecture.  The Physical Architecture is merely where you place your servers, while the Logical Architecture is “what will …
LVL 2

Expert Comment

by:zsaurabh
unable to find part2
There existed a problem in Windows 2000 and Windows Server 2003 prior to Service Pack 1 where the NTDS Settings container was not removed after successful demotion of a domain controller until after 14 days.  This would prevent a domain controller of the same name being introduced into Active Directory.

This problem can also be seen in newer versions of Active Directory Services if the replTopologyStayOfExecution setting has been set, so all domain administrators may benefit from this article.


Cause

Active Directory objects that are deleted are normally moved to the 'Deleted Objects' container.  Attributes that are not required for replication are removed.

The Active Directory object representing domain controllers (nTDSDSA object), however, is not moved to the 'Deleted Objects' container until after 14 days and retains all attributes fully populated.

As the object in Active Directory that represents the domain controller (the nTDSDSA object) is not moved to the 'Deleted Objects' container but remains in its default location, Configuration container > Sites > sitename > Servers > {servername}, marked as isDeleted=TRUE (and thereby invisible in the user interface), the name of a demoted or deleted domain controller must not be re-used until the nTDSDSA object has been moved to the 'Deleted Objects' container and replication to all domain controllers has completed.


Resolution

It is possible to change the default value of the time …
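Before changing the stay-of-execution value it is worth seeing what it currently is and which demoted DCs are still lingering. The following is an added example and not the article's own procedure: it reads replTopologyStayOfExecution from the Directory Service object in the Configuration partition (in seconds; unset means the default of 1209600 seconds, i.e. the 14 days the article mentions), lists nTDSDSA objects still marked isDeleted under the Sites container, and shows the change with -WhatIf so nothing is modified until you remove it. The one-day value is an illustration, not a recommendation.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and rights to read the Configuration partition.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# The attribute lives on CN=Directory Service,CN=Windows NT,CN=Services,<config NC>
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties replTopologyStayOfExecution
$default  = 1209600                                # 14 days in seconds
$stay     = if ($dsObject.replTopologyStayOfExecution) {
                [int]$dsObject.replTopologyStayOfExecution
            } else { $default }
"replTopologyStayOfExecution: $stay seconds ($([math]::Round($stay / 86400, 1)) days)" +
    $(if ($stay -eq $default) { ' [default]' } else { '' })

# Demoted DCs whose nTDSDSA object is still present under Sites and marked
# isDeleted=TRUE. Their server names must not be reused until these are gone.
$lingering = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(&(objectClass=nTDSDSA)(isDeleted=TRUE))' `
    -IncludeDeletedObjects -Properties isDeleted, whenChanged

if ($lingering) {
    $lingering | ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            DeletedAround     = $_.whenChanged       # last write = the demotion
            EligibleAfter     = $_.whenChanged.AddSeconds($stay)
        }
    } | Format-List
} else {
    'No lingering nTDSDSA objects found in this configuration partition'
}

# The resolution the article describes: shorten the stay of execution.
# 86400 (one day) is an illustrative value. -WhatIf previews; drop it to apply.
Set-ADObject -Identity $dsObject.DistinguishedName `
             -Replace @{ replTopologyStayOfExecution = 86400 } -WhatIf
```

The whenChanged timestamp is a good approximation of when the demotion happened, because marking the object deleted is the last write it receives. After changing the value, wait for replication to every DC before reintroducing a server with the old name; a single DC that still holds the stale nTDSDSA object is enough to reproduce the original problem.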
LVL 24

Expert Comment

by:Awinish
Your article solved the problem of one of the users. I knew the answer, but didn't have a document, so I pointed to your article and it worked.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26614850.html

Brilliant..:)
LVL 8

Author Comment

by:ms-pro
Super :)
I recently ran into a question where someone wanted to deploy SCOM in two different domains.  The problem was that the two sites they used were two domains, and while they trusted each other, they were not in the same forest.   The person asking the question wanted to install the remote agent at his other site, but the installation was failing.

The solution to the question was to deploy a gateway server at the remote site as described in this Technet Article:

http://technet.microsoft.com/en-us/library/bb432149.aspx

The procedural overview as laid out in that article is to:

1. Request certificates for every computer in the agent, gateway server, management server chain.
2. Import those certificates into the target computers by using the Operations Manager 2007 MOMCertImport.exe tool.
3. Distribute the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management server.
4. Run the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool to initiate communication between the management server and the gateway.
5. Install the gateway server.

The detailed directions for each step are laid out there in a simple to understand fashion.
This is actually a very good solution for conditions which require Cross Forest SCOM deployments.  While my personal preference would be to bring both domains into a single forest, there are many reasons (mostly legal or political) to not do so.  In the…
A Little on Standard Group policy Processing
Before we look at how loopback processing works it may be beneficial to have a quick refresh on how standard group policy processing works.

Group Policy Objects (GPO) are a collection of configurable policy settings that are organised as a single object and contain Computer Configuration policies which are applied to computers during Startup and User Configuration policies which are applied to users during logon.


All about Scope
The term in scope is used to refer to any GPO that applies to an object (computer account or user account).

Group policies can be applied at four separate points within a domain structure (Local, Site, Domain and Organisational Unit (OU)) and are applied one after the other in precedence order for each step.

So the in scope GPOs for an account consist of all Local policy GPOs, all of the Site GPOs, all of the Domain GPOs and all GPOs linked to each OU in the path of the account object. At each stage a new GPO applies it will overwrite any conflicting settings with its own settings; the final set of policies applied is known as the Resultant Set of Policies (RSoP) and can be viewed on a client device via the RSoP.msc console.

Any GPO for which the account has been denied the Apply Group Policy right, or which has been filtered out via WMI filtering, is considered to be out of scope.
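A small model of the precedence rules just described, as an added example that is not part of the article. The GPO names, settings and filters are constructed for illustration; the function takes the in-scope GPOs in link order, drops the ones that are out of scope (Apply right denied or WMI filter not matched), and applies them Local, Site, Domain, OU so that a later GPO overwrites any conflicting setting from an earlier one, recording which GPO won each setting, which is exactly what RSoP reports.

```powershell
# Added example (not from the original article). All GPOs and settings below are
# constructed for illustration and do not correspond to any real policy.
$gpos = @(
    @{ Name = 'Local Policy';       Level = 'Local';  Settings = @{ ScreenSaverTimeout = 600; DisableCmd = $false } }
    @{ Name = 'Site-HQ';            Level = 'Site';   Settings = @{ ScreenSaverTimeout = 900 } }
    @{ Name = 'Default Domain';     Level = 'Domain'; Settings = @{ PasswordHistory = 24; DisableCmd = $true } }
    @{ Name = 'OU-Corp';            Level = 'OU';     Settings = @{ ScreenSaverTimeout = 300 } }
    # Apply Group Policy denied for this account: out of scope
    @{ Name = 'OU-Corp-Laptops';    Level = 'OU';     Settings = @{ DisableCmd = $false }; Denied = $true }
    # WMI filter evaluated to false on this machine: out of scope
    @{ Name = 'OU-Corp-Laptops-HW'; Level = 'OU';     Settings = @{ ScreenSaverTimeout = 120 }; WmiMatch = $false }
)

function Get-ResultantSet {
    param([object[]]$InScope)   # GPOs in link order: OUs listed parent first

    $rank = @{ Local = 0; Site = 1; Domain = 2; OU = 3 }
    # Sort by level, keeping link order within a level (index breaks ties)
    $i = 0
    $ordered = $InScope |
        ForEach-Object { [pscustomobject]@{ Key = $rank[$_.Level] * 1000 + $i++; Gpo = $_ } } |
        Sort-Object Key | ForEach-Object { $_.Gpo }

    $rsop = @{}; $winner = @{}
    foreach ($g in $ordered) {
        if ($g.Denied -or $g.WmiMatch -eq $false) { continue }     # out of scope
        foreach ($k in $g.Settings.Keys) {                          # later GPO wins conflicts
            $rsop[$k]   = $g.Settings[$k]
            $winner[$k] = $g.Name
        }
    }
    foreach ($k in ($rsop.Keys | Sort-Object)) {
        [pscustomobject]@{ Setting = $k; Value = $rsop[$k]; WinningGPO = $winner[$k] }
    }
}

Get-ResultantSet -InScope $gpos | Format-Table -AutoSize
```

With the constructed data this yields DisableCmd = True from Default Domain (the OU-level override was denied), PasswordHistory = 24 from Default Domain, and ScreenSaverTimeout = 300 from OU-Corp (the 120-second GPO was filtered out by WMI). On a real client the same question is answered by gpresult /r, or by Get-GPResultantSetOfPolicy -ReportType Html -Path rsop.html from the GroupPolicy module, both of which list the denied and filtered GPOs separately from the applied ones.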


Why Loopback
The User Group Policy loopback processing mode option available within the computer configuration node …
LVL 19

Expert Comment

by:Raheman M. Abdul
Good article
LVL 27

Expert Comment

by:yo_bee
I think I am going to flag this and promote your article.
How to manage Active Directory partitions

This article will show you how to create, delete, set replication for and modify partitions with ease. I will also give you some background to better understand application partitions. Here are some quick facts about Active Directory application partitions:

Application partitions have their own namespace. For example, if you have a single domain called iris.internal and you create an application partition named app, its namespace would be app.iris.internal.

You may also create one at the same level as the forest root, such as app.com.

You may create child partitions, and the namespace follows suit. Continuing the example above, an application partition called child1 created within app would be child1.app.iris.internal.

Note: Windows 2000 does not support application partitions; they were introduced with Windows Server 2003.


Creating an application partition within Active Directory

There are a few ways of creating an application partition: an LDAP tool (LDP or an LDIF import), NTDSUTIL or ADSIEDIT. We will be using NTDSUTIL, as it is a capable and easy tool. Now let's break it down.
 
On the server, open a command prompt and type
NTDSUTIL

Then type
domain management
(On Windows Server 2008 and later the same menu is named partition management.)

Connect to the server on which you wish to create the application partition by typing
connections
connect to server DC1.domainname.com
q

To create a partition, give its distinguished name followed by the DC that should host it:
create nc DC=Application,DC=domainname,DC=com DC1.domainname.com
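Once a partition exists, the quickest check is to list every application partition in the forest together with the DCs that hold a replica. The following is an added example, not the article's own steps: it reads the crossRef objects in CN=Partitions of the Configuration partition, keeps those whose systemFlags mark a naming context that is not a domain, and resolves msDS-NC-Replica-Locations to server names. Only the domain name iris.internal is taken from the article; nothing else is assumed.

```powershell
# Added example (not from the original article). Run from any domain-joined
# machine with the ActiveDirectory module; no server name is assumed.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Quick view: the forest object already lists application partition DNs
(Get-ADForest).ApplicationPartitions

# Detailed view from the crossRef objects that define every naming context.
# systemFlags on a crossRef: bit 1 = NC hosted by AD DS, bit 2 = domain NC.
# An application partition has bit 1 set and bit 2 clear; the DNS zone
# partitions (DomainDnsZones, ForestDnsZones) show up here too.
Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter '(objectClass=crossRef)' `
             -Properties nCName, dnsRoot, systemFlags, msDS-NC-Replica-Locations |
    Where-Object { ($_.systemFlags -band 1) -and -not ($_.systemFlags -band 2) } |
    ForEach-Object {
        # msDS-NC-Replica-Locations holds the DN of each replica's NTDS Settings
        # object, e.g. CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,CN=Sites,...
        $replicas = $_.'msDS-NC-Replica-Locations' |
            ForEach-Object { (($_ -split ',')[1]) -replace '^CN=' }
        [pscustomobject]@{
            Partition = $_.nCName           # e.g. DC=app,DC=iris,DC=internal
            DnsRoot   = $_.dnsRoot          # e.g. app.iris.internal
            Replicas  = ($replicas -join ', ')
        }
    } | Format-Table -AutoSize
```

A partition whose Replicas column is empty has been defined but has no DC hosting it yet, which is the state you see immediately after create nc if the named DC has not finished replicating; ntdsutil's list nc replicas command under the same menu shows the same information for a single partition.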