Email users when their password is about to expire


Category : microsoft

At work we have been getting more and more requests for accounts for users that are not “full employees” (my term). These are users that do not spend most of their business time in the office; they could be travelling sales, outside sales, or consultants. Some only use OWA, VPN, or a Citrix desktop or published app. But they all seem to have one thing in common: how do we let them know their password is going to expire, and how do we get them to change it?

I started looking at ways to address the first issue this afternoon and I’ve found a few scripts that would send the emails and a few paid solutions.

The two VBS scripts I found are a few years old:

http://theessentialexchange.com/blogs/michael/archive/2007/11/13/sending-an-e-mail-to-users-whose-password-is-about-to-expire.aspx

and

http://myitforum.com/cs2/blogs/rcrumbaker/archive/2008/08/15/email-users-when-password-is-about-to-expire.aspx

I also found an exe that you run via a scheduled task:

http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx

but I think I’m going to try the free solution from NetWrix, they also have a paid solution but I’ll start with the free version. Netwrix also has some AD change tracking I’m going to test but haven’t had time yet. They have some nice free tools with the option to go to the paid version with more features.

We haven’t totally collapsed our AD into a single domain yet, so I still have to deal with managing multiple AD domain name spaces in a single AD forest.

If you know of any other ways to notify users that their password will expire, or have tested NetWrix products, leave a comment.
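Whichever notifier you pick, it has to do the same calculation: work out each user's expiry date from the raw AD attributes pwdLastSet, maxPwdAge and userAccountControl and pick the ones inside the warning window. The Python below is an added example of that calculation (not one of the linked scripts and not NetWrix's code); the account data is constructed, and reading it from AD and sending the mail are left out.

```python
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit (decimal 65536)
NEVER_EXPIRES = (0, -0x8000000000000000)  # maxPwdAge values meaning "never"

def datetime_to_filetime(dt):
    """UTC datetime -> 100-ns ticks since 1601, the pwdLastSet encoding."""
    td = dt - _EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def filetime_to_datetime(ticks):
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """UTC expiry time, or None when the password never expires.

    AD stores maxPwdAge as a NEGATIVE tick interval, so subtracting it from
    pwdLastSet adds the policy age. pwdLastSet == 0 means "must change at
    next logon" and is reported as already expired (the 1601 epoch).
    """
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NEVER_EXPIRES:
        return None
    if pwd_last_set == 0:
        return _EPOCH_1601
    return filetime_to_datetime(pwd_last_set - max_pwd_age)

def users_to_notify(users, max_pwd_age, now, warn_days=14):
    """(sAMAccountName, whole days left) for passwords expiring within
    warn_days; a negative day count means it has already expired."""
    out = []
    for u in users:
        exp = password_expiry(u["pwdLastSet"], max_pwd_age, u["userAccountControl"])
        if exp is not None:
            days_left = (exp - now) // timedelta(days=1)
            if days_left <= warn_days:
                out.append((u["sAMAccountName"], days_left))
    return out

# Constructed sample data: a 42-day domain policy and three accounts.
NOW = datetime(2010, 3, 5, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_42D = -42 * 24 * 3600 * 10_000_000
SAMPLE_USERS = [
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,  # set 35 days ago
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=35))},
    {"sAMAccountName": "akhan", "userAccountControl": 0x200,  # set 10 days ago
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,  # never expires
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
]
```

On a 2008-level domain with fine-grained password policies the per-user policy, not the domain maxPwdAge, applies, so a notifier there should read the effective value instead of the domain attribute.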


Windows 7 – Do I need to change my Active Directory for new Group Policy features?

Category : microsoft, technology

At work we will start testing Windows 7 within the IS department in Q2 next year. Our current AD forest is still in mixed mode 2000!!! So I have some cleanup and upgrades to do on that before I start worrying about Windows 7 GPOs. I just need to retire the old 2000 DCs and move their roles. We are also retiring a few domains, merging into the forest root and utilizing OUs better. Below is good information about Windows 7 GPOs for once I get there next year.

Now that you’ve obviously purchased, installed, and started playing with your Windows 7 client, you’re probably fantasizing about all the great things that will happen to your environment when you upgrade all of the machines in your site / OU / domain / basement to Windows 7 as well. Let me tell you, it’s going to be great. Why? Because you’ll have GP Preferences client side extensions installed already in all of those Windows 7 clients! That means that you can map drives and push out shortcuts and add printers and configure power plans for all these Windows 7 machines from your own Windows 7 client (with RSAT) or with Windows Server 2008 R2.

To answer the question in the title, NO, you do not need to update your Active Directory (if it’s at least 2003) to take advantage of sweet new Group Policy features and settings. The exception is if the application that the setting is relevant to requires an AD upgrade, like BitLocker. This is a good article on configuring BitLocker in your AD, written by the guys on the Directory Services team: http://blogs.technet.com/askds/archive/2009/08/18/bitlocker-and-active-directory.aspx

Also – check out an overview plus good getting started tips on this website: Group Policy Management for IT Pros. If there was anything in the above paragraphs that you have questions on, read this article first. Seriously.

http://windows.microsoft.com/et-EE/windows7/Group-Policy-management-for-IT-pros

Have fun! Go Preferences!

LiliaG  (@superlilia)

Windows 7 – Do I need to change my Active Directory for new Group Policy features?
GPTeam
Tue, 27 Oct 2009 08:31:00 GMT


Slow logon? Look at these items


Category : microsoft, technology

The Directory Services Team at MS has written two very good blog posts about troubleshooting slow logons for workstations.

Here’s a clip from So you have a slow logon…? (Part 1)

  • Outdated drivers: Your network interface card (NIC) should have the latest drivers installed.
  • Outdated operating system (OS) patch level: Your operating system should have the latest service pack installed from Windows Update.
  • Roaming user profiles: Roaming profiles change the way group policy processing is performed. When roaming profiles are configured the processing is changed from “asynchronous” (background processing or multiple at a time) to “synchronous” (foreground processing or one at a time). This disables “Fast logon Optimization” which will delay the user getting the desktop by waiting for the network to initialize first.

Note: This is really important to understand that when roaming profiles are implemented, group policy software installations and folder redirection requires that the user is NOT logged on before the network is initialized and processes policy synchronously- ONE AT A TIME. This is the default behavior and changing it could cause inconsistencies with your logon.

  • Home folders: This could impact your logon times because instead of looking at a local location for system DLLs, the client machine will look for them in the home folder instead. If that mapped network share is across a wide area network (WAN) link that is slow, you can bet that your logon time is going to suffer even more.

Note: If home folders are needed with roaming profiles there is a registry key tweak (SafeDllSearchMode) that can be added that will change the behavior. If you’re not sure that this is an issue in your environment, take a network trace at logon and see if DLLs are being queried across the network to the home folder. There is also another tweak on the same page (StartRunNoHOMEPATH) that will assist with applications doing this behavior.

  • Start up applications: Applications that are configured to automatically run during startup will slow the logon down.
  • Profile scanning: There are many antivirus software applications that will scan profiles at login and at their home location if they are roaming. This is not limited to just antivirus software but other applications will as well. (In the troubleshooting section we will review how to discover if this is happening)
  • Excessive group policies: Having a ton of group policies that perform extensive tasks or configurations (like software restrictions) will increase your logon time. A few policies that accomplish everything are better than many policies that do a handful of things each. If possible consolidate your group policies.
  • Excessive startup/logon scripts: Scripts that run at logon or start up can delay the process significantly if they perform a lot of tasks or use inefficient code.
  • Excessive WMI filters: Having excessive WMI filters can slow group policy processing.
  • No local domain controllers: Not having local domain controllers (users authenticating across a wide area network, WAN) will cause a logon delay.


How to tell what version of AD you have.


Category : microsoft, technology


There are quite a few ways to tell. Here are a few I found.

The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is 5.2.3790.2075.
You can verify the operating system support level of the schema by looking at the value of the Schema Version registry subkey on a domain controller. You can find this subkey in the following location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

You can also verify the operating system support level of the schema by using the Adsiedit.exe utility or the Ldp.exe utility to view the objectVersion attribute in the properties of the cn=schema,cn=configuration,dc=<domain> partition. The value of the Schema Version registry subkey and the objectVersion attribute are in decimal.
Schema Version ObjectVersion values and corresponding operating system support level

  • 13=Microsoft Windows 2000
  • 30=Original release version of Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 (SP1)
  • 31=Microsoft Windows Server 2003 R2
  • 44=Windows 2008

OR

adfind -sc schver gets the objectVersion value and translates it into the corresponding Windows version.

OR

Win2003 http://technet.microsoft.com/en-us/library/cc783495.aspx

To verify that the Active Directory Preparation tool has completed all operations successfully


links for 2009-02-18

Category : Daily Links

Quick dcdiag tip


Category : microsoft, technology


If you run dcdiag and get a failure on the systemlog, it means you have errors in the system event log. You can clear the system event log (make sure you save it) and then your dcdiag should show success for the systemlog.

I ran into that issue today, thanks to petri.co I found the answer and I thought I’d share.


Active Directory Users and Computers Saved Queries


Category : Post from around the Net, microsoft, technology

Wow, check out these great ADUC saved queries from Ron Crumbaker at myITforum.com.

Does anyone use the Saved Queries with in the ADUC?

I do, and I love them.

Here are some that might help you out.

Just Right Click on Saved Queries and Choose New and then Query.

Name the Query accordingly and then click on Define Query…

Then Find the Custom Search and click on the Advanced tab.

Paste each of these in the <add criteria from above to this list> area and then click OK.

Locked Out Users

(&(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)))))

Dial In Access

(&(&(&(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE)))))

Disabled User Accounts

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

No Expiring Accounts

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Active Accounts

(&(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)))

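To see exactly what the bitwise matching rules in these saved queries select, here is an added Python example (not from Ron's post) with a small parser for this filter syntax, run against constructed sample accounts; the objectCategory value is shortened to person, whereas AD stores the full schema DN.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"   # true when ALL bits of the mask are set
BIT_OR = "1.2.840.113556.1.4.804"    # true when ANY bit of the mask is set
_RULES = {BIT_AND: lambda a, m: a & m == m, BIT_OR: lambda a, m: a & m != 0}
_LEAF = re.compile(r"([A-Za-z0-9-]+)(?::([\d.]+):)?=(.+)")

def parse(s, i=0):
    """Parse the filter subset ADUC writes; returns (node, index past its ')')."""
    i += 1                              # skip the node's opening '('
    if s[i] not in "&|!":
        return _leaf(s, i)
    op, kids, i = s[i], [], i + 1
    if op == "!" and s[i] != "(":       # ADUC emits (!attr=value) without inner parens
        leaf, i = _leaf(s, i)
        return (op, [leaf]), i
    while s[i] == "(":
        node, i = parse(s, i)
        kids.append(node)
    return (op, kids), i + 1            # skip the closing ')'

def _leaf(s, i):
    j = s.index(")", i)                 # values in these queries contain no ')'
    attr, rule, value = _LEAF.fullmatch(s[i:j]).groups()
    return ("leaf", attr.lower(), rule, value), j + 1

def matches(node, obj):
    """Evaluate a parsed filter against one object keyed by lower-cased attribute names."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, obj) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], obj)
    _, attr, rule, value = node
    if attr not in obj:
        return False                    # an absent attribute never matches
    if rule is None:
        return str(obj[attr]).lower() == value.lower()
    # Bitwise rule; 4294967295 (0xFFFFFFFF) tests only the low 32 bits of lockoutTime.
    return _RULES[rule](int(obj[attr]), int(value))   # KeyError on an unknown rule

def run_query(ldap_filter, objects):
    node, _ = parse(ldap_filter)
    return [o["samaccountname"] for o in objects if matches(node, o)]

def _user(name, uac, **extra):          # constructed sample objects
    return {"objectcategory": "person", "objectclass": "user",
            "samaccountname": name, "useraccountcontrol": uac, **extra}

SAMPLE = [_user("jsmith", 512, lockouttime=0), _user("disabled", 514),
          _user("lockedout", 512, lockouttime=129123456789012345),
          _user("svc_backup", 66048), _user("rvaughn", 512, msnpallowdialin="TRUE")]
```

The Locked Out query keys on lockoutTime being non-zero, and AD only resets that attribute on the next successful logon or an explicit unlock, not when the lockout duration elapses, so it can still list accounts that are no longer locked.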

Automatic creation of user folders for home, roaming profile and redirected folders.


Category : Post from around the Net, microsoft, technology

Here are great step-by-step instructions on the creation of home, roaming profile, and redirected folders.

I need to review this and see what impact it would have if these locations are over the WAN. I’d also like the redirected ‘My Documents’ to be the same place as the home drive. Then I need to setup offline folders for the home drive.

Periodically we’re asked "what is the best way to auto-create home, roaming profile, and folder redirection folders instead of Administrators creating and configuring the NTFS permissions manually?" The techniques in this post require you to use the environment variable %USERNAME% in the user’s home folder attribute when you create the user's account.

Ask the Directory Services Team : Automatic creation of user folders for home, roaming profile and redirected folders.

Active Directory Health Checks


Category : Post from around the Net, microsoft, technology

We plan on having an outside company come in and do an AD/Exchange health check before we work on our domain migration project. This article will give me a head start on all of this.

Health Checks on Domain Controllers

I get asked over and over about what I do when I’m performing a health check on a domain controller. Below you will see some of the commands that I use when I need to ensure my domain controllers are still healthy after some sort of change…like patching.
The Event Viewer is always a must. I look at all the logs before and after the update to the domain controller looking for abnormal events. With the pre-check I usually go back a month of logs to get more historical data. I then run through a couple command line utilities. One thing I always do is pipe my commands out to a text document. This just makes it easier for me to read and also search for failed events.
Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or the services associated with them.


Two ways to set the time to the PDC emulator


Category : Post from around the Net, microsoft, technology

Using w32tm:

To sync time:

Go to the PDC emulator role for the forest, open a cmd prompt and type

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

where peers is the list of IP addresses of your time servers. If you have time servers for other network equipment, use those.

Then type:

Net stop w32time & net start w32time

Then, on the other DCs open a cmd prompt and type:

w32tm /config /syncfromflags:domhier /update 

Net stop w32time & net start w32time

OR

VBScript:

This VBS script will allow you to set the time on a local machine to the official Windows 2003 Server domain time by prompting you for the PDC Emulator name.

The script can also be used to run in a scheduled task for troublesome machines.

VBS Script:

' Ask for the PDC emulator name, then sync the local clock to it
strPdcEmulator = InputBox("Enter Your PDC Emulator Name")
Set WshShell = WScript.CreateObject("WScript.Shell")
' Build "net time \\<pdc> /set /y" and run it in a hidden cmd window,
' waiting for it to finish so the "Done" box is not shown early
objcmnd = "Cmd /C Net Time \\" & strPdcEmulator & " /Set /y"
WshShell.Run objcmnd, 0, True
MsgBox "Done"

VBS Script To Set A Local Machines Time With the Windows 2003 Server PDC Emulator
dhite
Mon, 26 May 2008 12:42:14 GMT