I know… I know… It's been a while since I have posted anything on this blog - I could point the finger at various reasons, but it wouldn't be totally true - the thing is that I just took a short break from my web presence and concentrated on other things. Anyway, I'm back (no idea if full time :-) ), but does it really matter?
Anyway, back to the topic of this post. If you ever installed a W2K8 cluster and ran the validation tool against multiple nodes, you might have stumbled upon the following warning in the validation report:
Validate Software Update Levels
Validate that all tested servers have the same software updates installed.
Validating that all servers have the same software updates...
Software Updates missing on 'clusternode2.contoso.com':
| Hotfix Id                              | Description |
| {47740627-D81D-4A45-A215-03B075A18EC7} |             |
And after looking at the report, you would be scratching your head for a while trying to figure out what this GUID stands for. If you are lucky, you look the GUID up in a search engine and find a hint about which update/hotfix is hiding behind it.
If you are not dealing with clusters, you can still stumble upon this mystery when inspecting the output of systeminfo.exe. In the Hotfix section you might see something like:
Hotfix(s): 74 Hotfix(s) Installed.
[01]: {47740627-D81D-4A45-A215-03B075A18EC7}
[02]: {5F7F6FFF-395D-480E-8450-64F385D82C5F}
[03]: {797AE457-BA17-4BBC-B501-25FB3A0103C7}
[04]: {1DE62EBA-6684-2483-3409-CEBADBF8A31E}
[05]: {62D3B51B-F56D-40F0-8C32-EAB204ADF752}
[06]: {D1FEE6C6-CECF-4928-B356-19592A319C0A}
[07]: {0B2CC3FA-C385-4F9A-BF79-44457AABAB39}
[08]: {87796B93-94D0-A0C7-EFC4-FF34426626BC}
[09]: {1DCBF7A7-7735-433B-BAB6-D0194490A38C}
[10]: 933246
[11]: 943729
[12]: 944036
[13]: 928439
[14]: KB905866
The curious ones among us would probably not be satisfied and would like to know what those GUIDs stand for.
So back to our cluster. You run the validation tool, see that the report points to some hotfix that is missing on one of the nodes, and you want to install the missing hotfix on that node. How do you know which one it is?
Script to the rescue!
D:\Dev\Scripts>cscript GetPatchInfo.vbs /?
Displays details of installed patches/hotfixes
Usage: cscript GetPatchInfo.vbs [/guid:<PATCHGUID>]
/guid:<PATCHGUID> The GUID of the hotfix
Running the script without parameters will enumerate all
the patches installed.
Sample output:
D:\Dev\Scripts>cscript GetPatchInfo.vbs /guid:{47740627-D81D-4A45-A215-03B075A18EC7}
-------------------------------------------------------
Patch Name: Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Patch Code: {47740627-D81D-4A45-A215-03B075A18EC7}
More Info URL: http://support.microsoft.com/kb/937162
Patch State: Installed
Product Code: {90120000-00A4-0409-0000-0000000FF1CE}
Product Name: Microsoft Office 2003 Web Components
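The same lookup from PowerShell, as an added example that is not the GetPatchInfo.vbs script from this post: the GUIDs in the validation report and in systeminfo are Windows Installer patch codes, so the function below asks the WindowsInstaller.Installer COM object about them (PowerShell cannot see that object's members directly, hence the InvokeMember calls). The function name is mine.

```powershell
# Added example (not the post's GetPatchInfo.vbs): resolve Windows Installer patch
# GUIDs through the WindowsInstaller.Installer COM object.
function Get-MsiPatchInfo {
    param([string]$PatchCode)   # e.g. '{47740627-D81D-4A45-A215-03B075A18EC7}'; omit to list every patch

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $itype = $installer.GetType()
    # PatchesEx(ProductCode, UserSid, Context, Filter):
    #   '' = all products, 's-1-1-0' = all users, 7 = all install contexts, 15 = all patch states
    $patches = $itype.InvokeMember('PatchesEx', 'GetProperty', $null, $installer, @('', 's-1-1-0', 7, 15))
    $states = @{ 1 = 'Applied'; 2 = 'Superseded'; 4 = 'Obsoleted'; 8 = 'Registered' }

    foreach ($patch in $patches) {
        $ptype = $patch.GetType()
        $code = [string]$ptype.InvokeMember('PatchCode', 'GetProperty', $null, $patch, $null)
        if ($PatchCode -and $code -ne $PatchCode) { continue }   # -ne is case-insensitive

        $productCode = [string]$ptype.InvokeMember('ProductCode', 'GetProperty', $null, $patch, $null)
        try {
            $productName = $itype.InvokeMember('ProductInfo', 'GetProperty', $null, $installer, @($productCode, 'ProductName'))
        } catch {
            $productName = '(product not visible in this context)'   # e.g. per-user install of another user
        }
        $state = [int]$ptype.InvokeMember('State', 'GetProperty', $null, $patch, $null)

        New-Object PSObject -Property @{
            PatchName   = $ptype.InvokeMember('PatchProperty', 'GetProperty', $null, $patch, @('DisplayName'))
            PatchCode   = $code
            MoreInfoURL = $ptype.InvokeMember('PatchProperty', 'GetProperty', $null, $patch, @('MoreInfoURL'))
            PatchState  = $states[$state]
            ProductCode = $productCode
            ProductName = $productName
        }
    }
}

# Usage: resolve the GUID from the cluster validation report above
Get-MsiPatchInfo -PatchCode '{47740627-D81D-4A45-A215-03B075A18EC7}' | Format-List
```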
Much better, right?
No no... It's not that I wasn't re-awarded (actually I was in April - for the 3rd time), it's not that I decided to abandon the community and for some obscure reason declined the MVP award ;).
Still there is another option that can prevent you from holding an MVP award and that is when you start working for the company that gives this specific award ;). The point is that this month I started as Premier Field Engineer at Microsoft Israel where I will be focusing on providing support to enterprise customers holding Premier support contracts.
I still have a lot to catch up on and will be spending the upcoming months in a lot of training, but I'm already eager to dig in. For me this position opens totally new horizons and challenges, taking me to work on a totally new level with technologies I love and the opportunity to work with some of the best experts and brightest minds in the field (heck, what can be better than working with the guys who develop the product?).
I also want to use this opportunity to thank Microsoft for awarding me with an MVP title - thanks to the MVP program I had an opportunity to get to know a lot of wonderful people sharing my passion for the technology, and frankly speaking I think that the MVP award is one of the reasons for me being where I am today - it was yet another reason to push forward and get better.
And in Microsoft's tradition I'll sign with my alias ;)
/guyte
As some of you have noticed, I have removed the recent posts about CoreConfigurator and the download of the tool is not working anymore. This is not a temporary hiccup, and the reason I have not posted a clarification about what is going on is that there were some things going on behind the scenes. The point is that I developed the tool in my spare time, but the contract with my employer at the time stated that anything I develop (even in my spare time) belongs to my employer.
The bottom line is that the company I worked for has asked me to remove the tool from the web. I will not be developing the tool anymore and cannot support it. I have asked about the future of the tool and there is a good chance that it will be re-branded under my former employer's logo and released to the public (not sure whether as shareware or something you pay for). The moment I have more details I will make sure to post an update about CoreConfigurator's whereabouts.
P.S.: Just to clear things up: no, Microsoft did NOT ban the tool (actually some MSFT dev folks helped me with some issues I had with WMI).
Last month I had a couple of clients that needed to restore accidentally deleted user and computer accounts. Though there is a command-line tombstone reanimation tool called adrestore, the clients were not CLI savvy and a GUI version of this functionality could really help them out. Some time ago I wrote a GUI version just for this case in VB.NET, but as it turned out it was quite buggy (well, it was one of my first .NET GUI apps), so I sat down and rewrote the application from scratch in C#.
Now, if you are not familiar with the concept of tombstone reanimation, I would suggest that at this point you go and read Gil Kirkpatrick's article at TechNet - it explains what tombstones are and how the tombstone reanimation process works.
So, if you are aware of tombstone reanimation limitations (only a small set of attributes is restored), still willing to restore a deleted object and prefer a GUI version, you will probably find this little tool useful.
Main features:
- Browsing the tombstones
- Domain Controller targeting
- Can be used with alternative credentials (convenient if you do not logon to your desktop as Domain Admin, which you should never do anyway)
- User/Computer/OU/Container reanimation
- Preview of tombstone attributes
Here are some screenshots:
Enumerating tombstones
Previewing the tombstone attributes
Restoring a deleted user account
Notice that if you delete an OU with accounts in it, you will have to restore the OUs the accounts were in first, otherwise the reanimation of the child object will fail. It is not enough to create an OU with the same name, as this will be a totally new object in AD and the child object's lastKnownParent attribute will still reference the deleted OU. Here is a walkthrough:
Initial state:
TestOU organizational unit is deleted:
State of tombstones (notice that lastKnownParent attribute of user and computer accounts reference the deleted OU):
OU is restored (lastKnownParent points to the restored OU's distinguished name):
Both computer and user accounts that resided in TestOU are reanimated:
Funny how things turn out. I was visiting a customer today who is in the process of upgrading their Domain Controllers to W2K3 R2, and I was asked to help them get a report of the OS version on all the DCs in the forest (a multi-domain forest). First I thought to query AD directly, but it turns out there is no way to distinguish between W2K3 and W2K3 R2 by looking at the operatingSystem, operatingSystemVersion and operatingSystemServicePack attributes of the DC's computer account.
Now what is so funny about it? Well, just yesterday I helped a guy at the forum I manage fix a script that ran against a list of servers and queried the OS and SP version (see the original post here - it's in Hebrew). The script he wrote was almost perfect for my case, but I still had to scope it to run only against the DCs. What I came up with is a generic batch that you can use to run a set of commands against all the DCs in the forest (including trees and child domains).
So how do we achieve that? Here is the logic I used in the script:
- I use the "dsquery server forestroot" command to obtain a list of all the server objects in the forest (this gives us the distinguished names of the server objects in the Configuration partition).
- For each DN in the list, I query the "serverreference" attribute, which points to the distinguished name of the actual DC's computer account ("dsquery * <DN> -attr serverreference"). The DN returned is used in the next step.
- I use the DN from step 2 to query the dnsHostName attribute of the DC.
- I run a set of commands against each DC using its DNS name obtained in step 3.
The script break-down (the !var! syntax in the inner loop needs "setlocal ENABLEDELAYEDEXPANSION" at the top of the batch):
Most-outer loop (step 1). Server DNs can contain spaces (site names often do), so the whole line is taken with "delims=":
    for /f "usebackq delims=" %%n in (`dsquery server forestroot`) do ( <second loop here> )
Second loop (inside the above loop):
    for /f "usebackq delims=" %%s in (`dsquery * %%n -attr serverreference ^| findstr /i DC=`) do ( <third loop here> )
Third loop (again inside the above loop):
    for /f "usebackq skip=1 delims=" %%d in (`dsquery * forestroot -filter "distinguishedname=%%s" -attr dNSHostName`) do (
        for /f "usebackq skip=1" %%a in (`dsquery * forestroot -filter "distinguishedname=%%s" -attr name`) do (
            set netbiosname=%%a
            set tempname=%%d
            rem strip the padding dsquery puts around the attribute value
            set dnsname=!tempname:~2,-2!
            echo !netbiosname! : !dnsname!
        )
    )
In the code above I just echo the NetBIOS and DNS names of the DCs, but you can use it for anything else you can execute against a remote computer - running psexec or a similar tool against each DC is the obvious next step.
The actual script I used is attached. I would post it here, but the blog breaks the formatting of lines that are too long, making it unreadable.
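The same four steps in PowerShell, as an added example that is not the author's attached batch. It walks the nTDSDSA objects under CN=Sites in the Configuration partition (the objects dsquery server enumerates) and reads name, dNSHostName and serverReference straight off each parent server object, so steps 2 and 3 collapse into one; the per-DC command is a WMI query for the OS version, where Windows Server 2003 R2 identifies itself through Win32_OperatingSystem.OtherTypeDescription ("R2"). Function names are mine; the WMI query needs admin rights on each DC.

```powershell
# Added example (not the post's batch): enumerate every DC in the forest from the
# Configuration partition, then run something against each one.
function Get-ForestDomainControllers {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext.Value

    # Step 1: every DC has an nTDSDSA object under CN=<server>,CN=Servers,CN=<site>,CN=Sites
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    $searcher.PageSize   = 1000        # paged results, in case the forest has more than 1000 DCs

    foreach ($ntdsDsa in $searcher.FindAll()) {
        # Steps 2-3: the parent server object already carries serverReference (computer DN),
        # dNSHostName and name, so no second and third query is needed
        $server = $ntdsDsa.GetDirectoryEntry().Parent
        New-Object PSObject -Property @{
            NetBIOSName = [string]$server.name.Value
            DnsName     = [string]$server.dNSHostName.Value
            ComputerDN  = [string]$server.serverReference.Value
            Site        = [string]$server.Parent.Parent.name.Value   # CN=Servers -> CN=<site>
        }
    }
}

# Step 4: one command per DC; here the OS version, which AD attributes cannot tell apart for R2
function Get-DcOsVersion {
    foreach ($dc in Get-ForestDomainControllers) {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc.DnsName -ErrorAction SilentlyContinue
        $osText = if ($os) { '{0} {1} {2}' -f $os.Caption, $os.OtherTypeDescription, $os.CSDVersion } else { 'unreachable' }
        New-Object PSObject -Property @{
            NetBIOSName = $dc.NetBIOSName
            DnsName     = $dc.DnsName
            Site        = $dc.Site
            OS          = $osText
        }
    }
}

Get-DcOsVersion | Sort-Object Site, NetBIOSName | Format-Table Site, NetBIOSName, DnsName, OS -AutoSize
```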
Imagine the following scenario:
- You perform a full backup of mailbox store on Exchange 2003.
- You move a mailbox from the backed-up store to an Exchange 2007 server.
- You try to leverage the Recovery Storage Group feature on the Exchange 2003 server to restore the contents of the mailbox in question using ExMerge to restore/export the contents of the mailbox from a date before the mailbox was moved.
- The ExMerge export phase fails with the following error in the exmerge.log:
Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
Usually you would get this error if the account you run Exmerge with does not have full permissions on the mailbox you are trying to restore, but this case is a bit different. Even if you grant yourself Full Mailbox Access and get rid of the "Send As" and "Receive As" denies (see KB322312 for details), the process still fails with the error message above.
The issue stems from the fact that the mailbox in question has been moved to a different mailbox store from the one it was backed up from. To better understand the problem, let's look at how the Recovery Storage Group links a mailbox in the RSG to an existing account in AD, and at some of the checks that are performed when you try to export the contents of a mailbox from a database mounted in the RSG:
- msExchMailboxGUID attribute: this is the first test that is being performed. The GUID of the mailbox in the RSG (taken from the database itself in the RSG) must correspond to an existing account in the AD. If Exmerge can not find the GUID of the mailbox you are trying to restore in the AD, it will fail.
- msExchOrigMDB attribute: When a database is added to the RSG, its msExchOrigMDB attribute is populated with a distinguished name that points to the original database that was backed up. When Exmerge runs, it checks whether the mailbox we are trying to restore/export exists in the database that msExchOrigMDB points to. If the mailbox store does not exist or the mailbox has been moved to a different store, the test fails and the following message is logged in the exmerge.log file:
"Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)".
Workaround:
- Obtain the distinguished name of the store where the mailbox currently resides.
There are numerous ways of locating the DN of the database. Here are two examples:
Using command line (I find it quickest): query the homeMDB attribute of the user's account whose mailbox we are restoring using dsquery:
C:\>dsquery * -filter "samaccountname=guyt" -attr homemdb
Query result:
homemdb
CN=Mailbox Store (E2K7MBX01),CN=First Storage Group,CN=InformationStore, CN=E2K7MBX01, CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups, CN=ExchOrgName,CN=Microsoft Exchange,CN=Services, CN=Configuration,DC=company,DC=corp
Using adsiedit.msc: Navigate to the user account whose mailbox you are restoring and copy the value of the homeMDB attribute of the user account:
a. Drill down in the Domain partition to locate the account in question:
b. Right-click the user account and select "Properties". Locate "homeMDB" attribute and click "Edit":
c. Copy the value of the homeMDB attribute which would look something like:
CN=Mailbox Store (E2K7MBX01),CN=First Storage Group,CN=InformationStore, CN=E2K7MBX01,CN=Servers, CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups, CN=<Exch Org Name>, CN=Microsoft Exchange,CN=Services,CN=Configuration, DC=company,DC=corp
- Edit the msExchOrigMDB attribute of the object representing the restored database in the Recovery Storage Group
a. Open adsiedit.msc and locate the object representing the database you have recovered to the RSG. It will be somewhere under:
CN=Mailbox Store (E2K3SRV01),CN=Recovery Storage Group,CN=InformationStore,CN=E2K3SRV01,CN=Servers,CN=first administrative group,CN=Administrative Groups,CN=<Exch Org Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=corp
b. Right-click the mailbox store object and select "Properties". Locate the msExchOrigMDB attribute and click "Edit"
c. Replace the current value with the distinguished name you obtained in Step 1
d. Click OK and wait a bit till the change replicates to other DCs in your environment.
e. Restart the "Microsoft Exchange Information Store" service on the Exchange server hosting the Recovery Storage Group.
- Mount the database in the Recovery Storage Group
- Run Exmerge. This time you should be able to export the contents of the moved mailbox.
Warning:
After you follow the instructions above, you will not be able to use Exmerge to access any mailboxes that you did not move to a different mailbox store. If you want to access the mailboxes that remain in the original mailbox store, you must change the msExchOrigMDB attribute back to its original value.
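The two attribute edits of the workaround done with ADSI from PowerShell instead of dsquery and adsiedit, as an added example that is not from the post. It assumes a single domain (the user is searched for in the default naming context) and that you pass in the DN of the store object under the Recovery Storage Group; the function returns the old msExchOrigMDB value so that it can be put back afterwards, as the warning above requires. Function name and parameters are mine.

```powershell
# Added example (not from the post): step 1 (read homeMDB of the moved user) and
# step 2 (repoint msExchOrigMDB of the store mounted in the Recovery Storage Group).
function Set-RsgOriginalStore {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,   # user whose mailbox was moved, e.g. 'guyt'
        [Parameter(Mandatory=$true)][string]$RsgStoreDN        # DN of the store object under CN=Recovery Storage Group
    )

    # Step 1: homeMDB of the user = DN of the store where the mailbox lives now (the E2K7 store)
    $defaultNc = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
    $searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('homeMDB')
    $user = $searcher.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found under $defaultNc" }
    $currentStore = [string]$user.Properties['homemdb'][0]

    # Step 2: make the RSG store believe the mailbox came from that store.
    # The old value is returned so it can be restored once the moved mailbox has been exported.
    $rsgStore = [ADSI]"LDAP://$RsgStoreDN"
    $previous = [string]$rsgStore.msExchOrigMDB.Value
    $rsgStore.Put('msExchOrigMDB', $currentStore)
    $rsgStore.SetInfo()

    New-Object PSObject -Property @{ PreviousOrigMDB = $previous; NewOrigMDB = $currentStore }
}

# Usage with the names from the post. Afterwards: wait for replication, restart the Information
# Store service, mount the RSG database, run ExMerge, then write PreviousOrigMDB back the same way.
$change = Set-RsgOriginalStore -SamAccountName 'guyt' `
    -RsgStoreDN 'CN=Mailbox Store (E2K3SRV01),CN=Recovery Storage Group,CN=InformationStore,CN=E2K3SRV01,CN=Servers,CN=first administrative group,CN=Administrative Groups,CN=<Exch Org Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=corp'
$change | Format-List
```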
Looks like MS are going in the right direction (finally!) - they are piloting a performance based AD exam that should replace the current multiple-choice tests.
For a long time I have been complaining that the current MCP exam format is useless - too many people without proper knowledge have passed the exams just by using braindumps, and the questions in the exams are way too far from the real-life experiences, dilemmas and tasks that I and many other AD consultants face on a daily basis. Performance-based exams should bring some balance into the current state of affairs and should sort out those who until now were passing on short-term memory and braindumps.
Read more here: Performance based Microsoft Certification Testing
Well... Not really. But here is a nice tidbit:
1) Create a share called SYSVOL on an XP box
2) Try to unshare the directory you shared as SYSVOL.
3) You will get a nice warning stating:
"This share is required for the machine to act properly as a domain controller. Removing it will cause a loss of functionality on all clients that this domain controller serves. Are you sure you wish to stop sharing SYSVOL?"
Here is a screenshot:
But do not worry - unsharing SYSVOL on XP will not break your AD. My guess is that this is a direct result of code reuse between various versions of Microsoft operating systems, yet it's funny to see XP claiming to be a DC ;)
For a while I have been posting at http://blogs.microsoft.co.il/blogs/guyt/, but it seems that I have managed to stumble upon some bug and some of my posts are not getting indexed by search engines. As a result I have copied all the posts I made at http://blogs.microsoft.co.il/blogs/guyt/ to my blog at http://guy.netguru.co.il. I have talked to Yosi Taguri, who is running the MS Israel blogs webserver, and he is looking into it. I will be cross-posting to both blogs for a while till this issue is sorted out.
Recently I had a customer who, instead of deploying the 2007 daylight savings hotfixes, just moved the entire organization's clock one hour forward. In order to provide a solution I had to cope with several issues:
- Meetings scheduled with people outside of the company being shifted by one hour
- Some users decided to manually install the updates and the organization had to be baselined before deploying the necessary hotfixes.
- Because of the possible issues related to meeting appointments being adjusted incorrectly using Exchange Calendar Update Tool, it was decided that all meetings have to be stamped with the meeting start and end time in the subject.
I searched the internet and did not find much that I could use for stamping the appointment's subject, so I resorted to writing a very small application in VB using the CDO COM object - something that could be either manually executed by a user or launched from a logon script. What it basically does is iterate through all the meeting appointments in the calendar, ignoring all-day appointments, and add the meeting start and end time to the subject. This way, even if the appointment is mistakenly moved as a result of daylight time adjustments, you will still know the time it was scheduled for initially.
Here is the code:
' Requires a project reference to the Microsoft CDO 1.21 Library (MAPI.Session)
Dim objSession As New MAPI.Session    ' Session object
Dim objCalendarFolder As Folder       ' Folder object
Dim objCalMessages As Messages        ' Messages collection
Dim objAppointment As AppointmentItem ' Appointment object
Dim strNewSubject As String           ' New subject
Dim strStartTime As String            ' Appointment start time
Dim strEndTime As String              ' Appointment end time
Dim strTimePrefix As String           ' "start - end" stamp

objSession.Logon
' get the calendar folder
Set objCalendarFolder = objSession.GetDefaultFolder( _
    CdoDefaultFolderTypes.CdoDefaultFolderCalendar)
' get all the items from the calendar
Set objCalMessages = objCalendarFolder.Messages
Set objAppointment = objCalMessages.GetFirst
Do While Not objAppointment Is Nothing
    ' all-day events carry no time of day worth stamping
    If Not objAppointment.AllDayEvent Then
        strStartTime = Format(objAppointment.StartTime, "h:mm AM/PM")
        strEndTime = Format(objAppointment.EndTime, "h:mm AM/PM")
        strTimePrefix = strStartTime & " - " & strEndTime
        ' We do not want to stamp the same appointment twice
        If InStr(objAppointment.Subject, strTimePrefix) = 0 Then
            strNewSubject = strTimePrefix & " :: " & objAppointment.Subject
            objAppointment.Subject = strNewSubject
            objAppointment.Update
        End If
    End If
    Set objAppointment = objCalMessages.GetNext
Loop
objSession.Logoff
Set objSession = Nothing
If you want the executable, get it here.
Finally I had some time to sit down and dig into the System.DirectoryServices (S.DS) namespace in .NET 2. A couple of days later and after too many full ashtrays, what I have is two things:
- A list of links to resources I found to be very useful while trying to get familiar with the topic:
  - Directory Programming .NET - website run by Ryan Dunn and Joe Kaplan, two Microsoft MVPs and experts in LDAP programming using .NET
- An application that I wrote using S.DS in VB.NET. I would be lying if I said I hadn't been inspired by AdRestore written by Mark Russinovich. The funny thing, though, is that in one week I had two people calling me and asking how to either quickly restore a deleted user object or look at the tombstones in the "Deleted Objects" container. Both of the guys I sent to Mark's AdRestore, but I thought to myself: "hey, I want an easy way to look at the 'Deleted Objects' container in the AD and I'd like to have it in a GUI with an option to use alternative credentials - options that AdRestore is lacking. Another thing I wanted was being able to point the tool to a specific DC - again AdRestore was not up to it." So I sat down, wrote my own tool and called it (surprise! surprise!) ADRestore.NET. To get an idea of what I am talking about, here is a screenshot of the application in action:
I think the picture is self-explanatory. You select which objects you want to look for: either users or computers or both, pick the one that you want to bring back, and click "Restore".
There is one thing you need to remember though - this is not the same as authoritatively restoring an AD object from a backup - when you are using the technique I am using here, what is brought back is the tombstone of the deleted object - a stripped down version having the bare minimum of the attributes. You can forget about group membership, Exchange attributes and things like that. But if you are looking for a quick way to restore an object and all you care about is the object SID, the tool might be quite useful.
Download ADRestore.NET
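For both ADRestore.NET posts on this page, here is the reanimation itself in PowerShell with System.DirectoryServices.Protocols, as an added example that is not the tool's code: one LDAP modify sent with the Show Deleted control that removes isDeleted and sets the new distinguishedName, preceded by a check that the object named in lastKnownParent still exists, which is the "restore the OU first" rule from the walkthrough in the C# post. Function name, parameters and the -Credential handling are mine.

```powershell
# Added example (not ADRestore.NET's code): reanimate one tombstone, putting it back
# under its lastKnownParent, against a chosen DC and optionally with other credentials.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-Tombstone {
    param(
        [Parameter(Mandatory=$true)][string]$Server,        # DC to target, e.g. 'dc01.gute.local'
        [Parameter(Mandatory=$true)][string]$TombstoneDN,   # e.g. 'CN=jdoe\0ADEL:<guid>,CN=Deleted Objects,DC=gute,DC=local'
        [System.Management.Automation.PSCredential]$Credential   # alternative credentials (optional)
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    $showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl   # LDAP_SERVER_SHOW_DELETED_OID

    # Read the tombstone: lastKnownParent is where the object lived before deletion
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest
    $search.DistinguishedName = $TombstoneDN
    $search.Filter = '(isDeleted=TRUE)'
    $search.Scope  = 'Base'
    [void]$search.Attributes.Add('lastKnownParent')
    [void]$search.Controls.Add($showDeleted)
    $response = $conn.SendRequest($search)
    if ($response.Entries.Count -eq 0) { throw "Tombstone '$TombstoneDN' not found" }
    $parentDN = [string]$response.Entries[0].Attributes['lastKnownParent'][0]

    # Ordering rule: the parent must exist as a live object; a deleted parent is invisible
    # without the Show Deleted control, so the base search fails and we stop here.
    $check = New-Object System.DirectoryServices.Protocols.SearchRequest
    $check.DistinguishedName = $parentDN
    $check.Filter = '(objectClass=*)'
    $check.Scope  = 'Base'
    try { [void]$conn.SendRequest($check) }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        throw "lastKnownParent '$parentDN' does not exist - reanimate the parent OU/container first"
    }

    # The original RDN is everything before the '\0ADEL:<guid>' that AD appends to a tombstone's RDN
    $rdn   = $TombstoneDN -replace '\\0ADEL:.*$', ''
    $newDN = "$rdn,$parentDN"

    # Reanimation is a single modify: delete isDeleted, replace distinguishedName
    $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $modify.DistinguishedName = $TombstoneDN
    [void]$modify.Controls.Add($showDeleted)
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDN = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDN.Name = 'distinguishedName'
    $setDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDN.Add($newDN)
    [void]$modify.Modifications.Add($delIsDeleted)
    [void]$modify.Modifications.Add($setDN)
    [void]$conn.SendRequest($modify)
    $newDN   # DN of the reanimated object; only the tombstone's stripped-down attribute set comes back
}
```

For an OU full of deleted accounts, call it for the OU's tombstone first and then for each account, exactly as the walkthrough does.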
Imagine that you are an administrator in a large distributed AD based environment. You have invested a lot of thought and time in the design, written policies, created procedures and among other things you rely on some sort of naming convention for your servers for the purpose of provisioning and tracking. You rigorously follow the guidelines in order to keep your environment as stable and controlled as possible, but...
But the problem is that in a large environment you do not control everything. It only makes sense that there are user accounts in your AD that are local administrators on a bunch of production servers so that those users can run and maintain the applications used in the company. The problem, though, is that those users have a nasty habit of renaming the NetBIOS names of the production servers they are responsible for, ignoring the naming conventions and not updating the records when doing so.
So what can you do about it? Actually the problem is two-fold:
- By default any authenticated user has the right to join up to 10 computers to a domain
- The account that created the computer object gets quite a lot of permissions over it in AD.
Preventing any authenticated user from creating computers in AD:
The default quota is managed by the ms-DS-MachineAccountQuota attribute on the domain head object. In order to revoke this right, all you need is to set the ms-DS-MachineAccountQuota attribute of your domain head (e.g. dc=domain,dc=com) to 0. After that only accounts with explicit permissions to create child objects on OUs/containers will be able to join computers to the domain. The actual steps on how to do that can be found in the following KB: Default Limit to Number of Workstations a User Can Join to the Domain
Preventing computer object creators from renaming the computer's NetBIOS name:
Here we are facing the situation where we have a domain user account that has joined a computer to the domain and as a result of that action, has been granted a set of explicit permissions that give the user quite a lot of control over what he can do with the computer object. Among other things the user gets the right to update sAMAccountName attribute of the computer object - the very thing we want to prevent.
From here on I will be using the user account GUTE\test, which is only a member of the Domain Users group and has explicit permissions to create computer objects in the "Computers" container in the domain. If I use this account to join a computer named WKSTEST01 to AD and look at the permissions assigned to GUTE\test over the computer object using dsacls.exe, I will see the following:
C:\>dsacls "CN=WKSTEST01,CN=Computers,DC=gute,DC=local" | more
[SNIP]
Allow GUTE\test SPECIAL ACCESS for Account Restrictions
WRITE PROPERTY
Allow GUTE\test SPECIAL ACCESS for Logon Information
WRITE PROPERTY
Allow GUTE\test SPECIAL ACCESS for description
WRITE PROPERTY
Allow GUTE\test SPECIAL ACCESS for displayName
WRITE PROPERTY
Allow GUTE\test SPECIAL ACCESS for sAMAccountName
WRITE PROPERTY
See the last pair of lines (WRITE PROPERTY on sAMAccountName)? This means that if GUTE\test also has administrative rights on WKSTEST01, he will be able to rename the computer without disjoining/re-joining it to the domain.
So where do those permissions come from? Well, they are controlled by the defaultSecurityDescriptor attribute of the Computer object (of type classSchema) in the Schema partition. The attribute controls what permissions are assigned to newly created objects of the Computer object class. So how can we change it?
- Register the Active Directory Schema snap-in. At the command prompt type:
C:\>regsvr32 schmmgmt.dll
- Start -->Run--> mmc, File --> Add/Remove snap-in, click the Add button and select "Active Directory Schema" from the list
- In the left pane select the Classes and locate the Computer entry:
- Double-click the "computer" entry and go to Default Security tab. As you can see, the CREATOR OWNER security principal has quite a lot of permissions:
- Click the Advanced tab and scroll down till you see the ACEs for CREATOR OWNER with "Write Property" permissions (there are several):
- If you have not changed anything before, you will see 4 subsequent entries for CREATOR OWNER with "Write Property" permission. Select the fourth, click Edit and scroll down till you see "Write Computer name (pre-Windows 2000)".
- Your environment might be different from mine and you will have to search for the ACE in question as it might not be at exactly the same position as in my case.
- Un-tick the Allow checkbox and click your way through OK's...
- Let the change replicate to all the DCs in your forest.
All set!
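The same two changes done from PowerShell with ADSI, as an added example that is not from the post: ms-DS-MachineAccountQuota set to 0 on the domain head, and the CREATOR OWNER write-property ACE for sAMAccountName taken out of the computer class's defaultSecurityDescriptor, which the schema stores as an SDDL string. The sAMAccountName schemaIDGUID is read from the schema rather than typed in, writes go to the schema master, and -WhatIf only reports what would change. Function names are mine; the second function needs a Schema Admins account.

```powershell
# Added example (not from the post). SDDL ACE layout: (type;flags;rights;object-guid;inherit-guid;trustee)
# where CO = CREATOR OWNER, WP = WRITE PROPERTY and object-guid is the attribute the right applies to.
function Set-MachineAccountQuota {
    param([int]$Quota = 0)   # 0 = authenticated users can no longer join computers on their own
    $domain = [ADSI]"LDAP://$([string]([ADSI]'LDAP://RootDSE').defaultNamingContext.Value)"
    $domain.Put('ms-DS-MachineAccountQuota', $Quota)
    $domain.SetInfo()
}

function Remove-CreatorOwnerSamWrite {
    param([switch]$WhatIf)
    $forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $schemaMaster = $forest.SchemaRoleOwner.Name        # schema writes are only accepted by the schema master
    $schemaNc     = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext.Value

    # schemaIDGUID of sAMAccountName = the object-guid field of the ACE we are after
    $samAttr = [ADSI]"LDAP://$schemaMaster/CN=SAM-Account-Name,$schemaNc"
    $samGuid = New-Object Guid -ArgumentList (,[byte[]]$samAttr.schemaIDGUID.Value)

    $computerClass = [ADSI]"LDAP://$schemaMaster/CN=Computer,$schemaNc"
    $sddl    = [string]$computerClass.defaultSecurityDescriptor.Value
    $newSddl = $sddl
    $pattern = "\(OA;([^;]*);([^;]*);$samGuid;([^;]*);CO\)"
    foreach ($ace in [regex]::Matches($sddl, $pattern, 'IgnoreCase')) {
        $rights = $ace.Groups[2].Value
        if ($rights -notmatch 'WP') { continue }
        # drop the WP token; if nothing is left the whole ACE goes (in the default SD it is WP only)
        $remaining   = $rights -replace 'WP', ''
        $replacement = if ($remaining) { "(OA;$($ace.Groups[1].Value);$remaining;$samGuid;$($ace.Groups[3].Value);CO)" } else { '' }
        Write-Host "ACE $($ace.Value) -> '$replacement'"
        $newSddl = $newSddl.Replace($ace.Value, $replacement)
    }
    if ($newSddl -eq $sddl) { Write-Host 'No CREATOR OWNER write-property ACE for sAMAccountName found'; return }
    if ($WhatIf) { return }
    $computerClass.Put('defaultSecurityDescriptor', $newSddl)
    $computerClass.SetInfo()   # affects computer objects created from now on; existing ACLs are untouched
}

Set-MachineAccountQuota -Quota 0
Remove-CreatorOwnerSamWrite -WhatIf     # drop -WhatIf to apply the schema change
```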
Let's test it...
- Use an account that is only a member of Domain Users group and join a new computer to domain.
- Make the account from above a member of computer's local Administrators group
- Logon with your test account
- Right-click "My Computer" and go to "Computer Name" tab
- Click the "Change" button
- In the "Computer Name" field fill in a new name (e.g. WKSTEST02)
- Click OK. You will be asked for user credentials. Type in the test account details (in my case "GUTE\test" and the account's password)
- Click OK
- Observe the Access Denied message
Note: the steps above will not prevent a user who has the right to remove a computer from the domain from joining the computer to a workgroup, changing the computer name and later joining the domain with the new name, but they will certainly make that user's life harder, as removing a computer from a domain might have quite a few implications and the user will think twice before doing it. If you want to go one step further, you can use GPO to control the "Add workstations to domain" user right and make sure that only pre-defined security groups hold it.
If you have a file containing the names of users (sAMAccountName) and you want to add all of them to a specific group in AD, here is a batch script that might make your life easier:
:: GrpFromFile.CMD - Guy Teverovsky - January 2007
::
:: Add users from a file to specific group
@echo off
setlocal ENABLEEXTENSIONS
if "%~1"=="" goto :SYNTAX
if "%~1"=="/?" goto :SYNTAX
echo/
:: Define initial environment (%~1 strips quotes the caller may have used)
set "groupname=%~1"
set "filename=%~2"
set scriptname=GrpFromFile
:: Determine if supplied arguments were sufficient
if "%groupname%"=="" (
    echo/
    echo ERROR - Insufficient arguments
    goto :SYNTAX
)
if "%filename%"=="" (
    echo/
    echo ERROR - Insufficient arguments
    goto :SYNTAX
)
if not exist "%filename%" (
    echo/
    echo ERROR - File not found
    goto :SYNTAX
)
:: Locate critical executables (dsquery resolves names, dsmod does the adding)
for %%e in (dsquery.exe dsmod.exe) do (
    if "%%~$PATH:e"=="" (
        echo ERROR - Required executable, "%%e", not located within the path
        goto :END
    )
)
:: Resolve the group name to its DN; dsquery returns the DN quoted, %%~G strips the quotes
set "groupdn="
for /f "delims=" %%G in ('dsquery group -name "%groupname%"') do set "groupdn=%%~G"
if "%groupdn%"=="" (
    echo/
    echo ERROR - Group not found
    goto :END
)
:: One sAMAccountName per line in the file; usebackq allows a quoted file name with spaces
for /f "usebackq delims=" %%i in ("%filename%") do (
    rem Search for the user and add to group; -c continues on errors such as existing membership
    for /f "delims=" %%U in ('dsquery user -samid "%%i"') do dsmod group "%groupdn%" -addmbr "%%~U" -c
)
goto :END
:SYNTAX
echo/
echo SYNTAX - %scriptname% [Group] [File]
echo/
echo * [Group] is the group to add accounts to
echo * [File] is the file containing the list of user accounts
echo/
echo e.g. - %scriptname% grpAllUsers userlist.txt
echo/
:END
The script can be downloaded from here.
A question was asked at Daniel Petri's forums about copying an AD user's group membership using the dsquery/dsmod tools. Having some spare time I have written a batch script that does just that - it looks at the memberOf attribute of the source user account and joins the target account to those groups.
Important: if the source account is a member of a group that resides in another forest, or the group is of the Domain Local type, the fact is not reflected in the memberOf attribute and membership in those groups will not be copied between accounts. The script is mostly useful in a single-domain AD, where the caveats mentioned above do not apply.
Code:
:: CpGroups.CMD - Guy Teverovsky - December 2006
::
:: Copies group membership between user accounts
@echo off
setlocal ENABLEEXTENSIONS
if "%~1"=="" goto :SYNTAX
if "%~1"=="/?" goto :SYNTAX
echo/
:: Define initial environment
set "source_usr=%~1"
set "target_usr=%~2"
set scriptname=CpGroups
:: Determine if supplied arguments were sufficient
if "%source_usr%"=="" (
    echo/
    echo ERROR - Insufficient arguments
    goto :SYNTAX
)
if "%target_usr%"=="" (
    echo/
    echo ERROR - Insufficient arguments
    goto :SYNTAX
)
:: Locate critical executables (dsquery, dsget and dsmod are all used below)
for %%e in (dsquery.exe dsget.exe dsmod.exe) do (
    if "%%~$PATH:e"=="" (
        echo ERROR - Required executable, "%%e", not located within the path
        goto :END
    )
)
:: Resolve both accounts to DNs; dsquery returns them quoted, %%~i strips the quotes
set "source_usr_dn="
for /f "delims=" %%i in ('dsquery user -samid "%source_usr%"') do set "source_usr_dn=%%~i"
if "%source_usr_dn%"=="" (
    echo/
    echo ERROR - Source user account not found
    goto :END
)
set "target_usr_dn="
for /f "delims=" %%i in ('dsquery user -samid "%target_usr%"') do set "target_usr_dn=%%~i"
if "%target_usr_dn%"=="" (
    echo/
    echo ERROR - Target user account not found
    goto :END
)
:: dsget prints one quoted group DN per line; -c keeps going if the target is already a member
for /f "delims=" %%i in ('dsget user "%source_usr_dn%" -memberof') do (
    dsmod group %%i -addmbr "%target_usr_dn%" -c
)
goto :END
:SYNTAX
echo/
echo SYNTAX - %scriptname% [source account samid] [target account samid]
echo/
echo * [source account samid] is the account to copy the group membership from
echo * [target account samid] is the account to copy the group membership to
echo/
echo e.g. - %scriptname% jdoe bsmith
echo/
:END
Download the script
I have been fighting this one for several years. Because of the way the daylight savings start and end time were determined in Israel till not long ago, the operating systems that came out of Microsoft's playground do not contain the settings required for configuring summer clock for Israel. If you are looking for more details, you can take a look at my article for year 2005 at Daniel Petri's website and Daniel's excellent followup in 2006 - both articles were written in order to help system administrators to cope with the process of updating the client computers and coping with issues related to those updates.
But it looks like this year it is going to be different - Microsoft have finally included Israel in the 2007 round of daylight savings updates and the result is KB article 928388. To cut a long story short, if you were among those updating their environment with custom tools, this year all you will have to do is deploy the update that will be available via Microsoft/Windows Update or WSUS.
What does this hotfix do?
The hotfix updates the daylight savings settings on the client computer to reflect the start and end date of summer clock for more than 30 different time zones (Israel among them). In addition, it changes the way the information is stored in the registry and configures the computer to have the correct settings through 2023 (hurray! no more yearly updates!). After you install the update, the computer's registry will look like this:
Notice the "Dynamic DST" registry key and the values representing different years that have been added under "Israel Standard Time" key.
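As an added example (not from the post or the KB), here is a PowerShell function that decodes what the screenshot shows: the FirstEntry/LastEntry values and the per-year REG_BINARY values under Dynamic DST, which use the same layout as a time zone's TZI value (Bias, StandardBias, DaylightBias, then two SYSTEMTIME structures for the end and the start of DST). Function names are mine; run it on a computer that has the update installed.

```powershell
# Added example (not from the post): read and decode the "Dynamic DST" key the 2007 update creates.
# Each year value is a REG_TZI_FORMAT blob: Bias, StandardBias, DaylightBias (3 x Int32),
# then StandardDate and DaylightDate (2 x SYSTEMTIME, 16 bytes each).
function ConvertFrom-TransitionTime([byte[]]$tzi, [int]$offset) {
    $year  = [BitConverter]::ToUInt16($tzi, $offset)
    $month = [BitConverter]::ToUInt16($tzi, $offset + 2)
    $dow   = [BitConverter]::ToUInt16($tzi, $offset + 4)
    $day   = [BitConverter]::ToUInt16($tzi, $offset + 6)
    $hour  = [BitConverter]::ToUInt16($tzi, $offset + 8)
    $min   = [BitConverter]::ToUInt16($tzi, $offset + 10)
    if ($month -eq 0) { return 'none' }                 # wMonth = 0: no daylight saving that year
    if ($year -ne 0) {                                  # absolute date: wDay is the day of the month
        return '{0}-{1:d2}-{2:d2} {3:d2}:{4:d2}' -f $year, $month, $day, $hour, $min
    }
    # relative date: wDay is the occurrence of the weekday within the month, 5 = last
    $which = @{ 1 = '1st'; 2 = '2nd'; 3 = '3rd'; 4 = '4th'; 5 = 'last' }[[int]$day]
    '{0} {1} of month {2} at {3:d2}:{4:d2}' -f $which, [DayOfWeek]$dow, $month, $hour, $min
}

function Get-DynamicDst {
    param([string]$TimeZone = 'Israel Standard Time')
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\$TimeZone\Dynamic DST"
    if (-not (Test-Path $key)) { throw "No Dynamic DST key for '$TimeZone' - is the update installed?" }
    $item  = Get-ItemProperty -Path $key
    $first = [int]$item.FirstEntry
    $last  = [int]$item.LastEntry
    foreach ($year in $first..$last) {
        $tzi = [byte[]]$item.PSObject.Properties["$year"].Value   # value names are the years
        if (-not $tzi) { continue }
        New-Object PSObject -Property @{
            Year         = $year
            Bias         = [BitConverter]::ToInt32($tzi, 0)    # minutes; UTC = local + Bias (Israel: -120)
            DaylightBias = [BitConverter]::ToInt32($tzi, 8)    # added while DST is in effect (-60)
            DstStart     = ConvertFrom-TransitionTime $tzi 28  # DaylightDate
            DstEnd       = ConvertFrom-TransitionTime $tzi 12  # StandardDate
        }
    }
}

Get-DynamicDst | Sort-Object Year | Format-Table Year, Bias, DaylightBias, DstStart, DstEnd -AutoSize
```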
Why is there no Vista version?
Vista already contains the updated time zone definitions.
What about Exchange ?
Currently a test version of the update for Exchange server can be downloaded from the following link: http://support.microsoft.com/kb/926666. The update is supposed to address issues related to CDO-based programs like Outlook Web Access that are not aware of the summer clock start/end dates configured on the client computer. I suggest you check out the following link for updated versions of the hotfix for Exchange: http://www.microsoft.com/windows/timezone/exchange.mspx
Where can I find more information?
http://www.microsoft.com/windows/timezone/dst2007.mspx is the right place to go.