Browse by Tags

All Tags » Active Directory

ADRestore.NET rewrite

Last month I had a couple of clients that needed to restore accidentally deleted user and computer accounts. Though there is a command-line version of the tombstone reanimation tool called adrestore, the clients were not CLI-savvy, and having a GUI version of this functionality could really help them out. Some time ago I wrote a GUI version just for the case in VB.NET, but as it turned out it was quite buggy (well, it was one of my first .NET GUI apps), so I sat down and rewrote the application from scratch...

Executing a set of commands against all DCs in the forest

Funny how things turn out. Today I was visiting a customer that is undergoing a process of upgrading its Domain Controllers to W2K3 R2, and I was asked to help them get a report of the OS version on all the DCs in the forest (multi-domain forest). First I thought to query the AD directly, but it appears that there is no way to distinguish between W2K3 and W2K3 R2 when looking at the operatingSystem, operatingSystemVersion and operatingSystemServicePack attributes of the DC's computer account. Now what...
Posted by Guy Teverovsky | with no comments

Performance based Active Directory MCP exams

Looks like MS are going in the right direction (finally!) - they are piloting a performance-based AD exam that should replace the current multiple-choice tests. For a long time I have been bashing that the current MCP exams format is useless - too many people without proper knowledge have passed the exams just by using braindumps, and the questions in the exams are way too far from the real-life experiences, dilemmas and tasks that I and many other AD consultants like me are being faced with on a daily...

XP as Domain Controller ?

Well... Not really. But here is a nice tidbit:

1) Create a share called SYSVOL on an XP box.
2) Try to unshare the directory you shared as SYSVOL.
3) You will get a nice warning stating: "This share is required for the machine to act properly as a domain controller. Removing it will cause a loss of functionality on all clients that this domain controller serves. Are you sure you wish to stop sharing SYSVOL?"

Here is a screenshot: But do not worry - unsharing SYSVOL on XP will not break your AD. My...

ADRestore.NET

Finally I had some time to sit down and dig into the System.DirectoryServices (S.DS) namespace in .NET 2. A couple of days later and after too many full ashtrays, what I have is 2 things: A list of links to resources I found to be very useful while trying to get familiar with the topic:

- Introduction to System.DirectoryServices.Protocols (S.DS.P) by Ethan Wilansky
- Introduction to System.DirectoryServices.ActiveDirectory (S.DS.AD) by Ethan Wilansky
- Extemporaneous Mumblings - Ryan Dunn's blog (very useful...

Preventing local administrators from renaming computers in AD

Imagine that you are an administrator in a large distributed AD based environment. You have invested a lot of thought and time in the design, written policies, created procedures and among other things you rely on some sort of naming convention for your servers for the purpose of provisioning and tracking. You rigorously follow the guidelines in order to keep your environment as stable and controlled as possible, but... But the problem is that in a large environment you do not control everything...

Bulk add user accounts from a file to security group using batch

If you have a file containing the names of users (sAMAccountName) and you want to add all of them to a specific group in AD, here is a batch script that might make your life easier:

    :: GrpFromFile.CMD - Guy Teverovsky - January 2007
    ::
    :: Add users from a file to specific group
    @echo off
    setlocal ENABLEDELAYEDEXPANSION
    setlocal ENABLEEXTENSIONS
    if "%1" == "" goto :SYNTAX
    if "%1" == "/?" goto :SYNTAX
    echo/
    :: Define initial environment
    set groupname=%1
    set filename=%2
    set scriptname=GrpFromFile
    :...

Copying AD user group membership with dsquery and dsmod

A question was asked at Daniel Petri's forums about copying an AD user's group membership using the dsquery/dsmod tools. Having some spare time, I have written a batch script that does just that - looks at the memberOf attribute of the source user account and joins the target account to those groups. Important: if the source account is a member of a group that resides in another forest or the group is of Domain Local type, the fact is not reflected in the memberOf attribute and membership in those groups will not...
Posted by Guy Teverovsky | with no comments

How to install Active Directory on Longhorn Server Core

Before installing AD on Server Core you should make sure you have all the basic requirements satisfied. If you do not comply with the requirements, you will not be able to set up Active Directory. The actual list has not been published yet to my knowledge, so you might want to use Daniel Petri's "What are the AD installation requirements and recommendations" article as guidance. Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in...