Friday, November 30, 2007

Tuesday, November 13, 2007

How to Change System Only Attributes

ADSearch lets you extract object properties; however, not all properties of an object are changeable. If you need to change Active Directory object properties that are flagged as system-only, a registry setting allows you to set them.

I strongly recommend caution when changing system only properties.

Adding the following registry value on the PDC Emulator or FSMO DC allows you to change system-only attributes.

Key: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\NTDS\Parameters
Value name: Allow System Only Change
Data type: REG_DWORD
Value data: 1

Tuesday, November 06, 2007

AD Group Scope Basics

Security groups and distribution groups are characterized by a scope that identifies how they are applied in the domain tree or forest.

There are three group scopes: universal, global, and domain local.

Universal Groups (type - 2147483640)
Universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain in the domain tree or forest.

Global Groups (type - 2147483646)
Global groups can include other groups and accounts only from the domain in which the group is defined and can be assigned permissions in any domain in the forest.

Domain Local Groups (type - 2147483644)
Domain local groups can include other groups and can be assigned permissions only within a domain.

Functionality Scope
When the domain functional level is Windows 2000 native or Windows Server 2003, universal groups can include accounts, global groups, and universal groups from any domain.
Global groups can include accounts and global groups from the same domain. Domain local scope can include accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.

Universal and global groups can be added to other groups and assigned permissions in any domain. Domain local groups can be added to other domain local groups and assigned permissions only in the same domain.

Universal groups can be converted to domain local scope, or to global scope as long as no other universal groups exist as members. Global groups can be converted to universal scope as long as the group is not a member of any other global group. Domain local groups can be converted to universal scope as long as the group does not have another domain local group as a member.

When the domain functional level is Windows 2000 mixed, security groups with universal scope cannot be created. Global groups can include accounts from the same domain. Domain local groups can include accounts and global groups from any domain.

Domain Local Scope Use
Groups with domain local scope help you define and manage access to resources within a single domain.

Global Scope Use
Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts, because the membership of groups with global scope is not replicated outside their own domain.

Universal Scope Use
Use groups with universal scope to consolidate groups that span domains. Add the accounts to groups with global scope and nest these groups within groups having universal scope. Any membership changes in the groups having global scope do not affect the groups with universal scope.
Groups with universal scope should not be changed frequently, since any changes to these group memberships cause the entire membership of the group to be replicated to every global catalog in the forest.

Changing Group Scope
Global to universal. This is only allowed if the group you want to change is not a member of another global scope group.
Domain local to universal. This is only allowed if the group you want to change does not have another domain local group as a member.
Universal to global. This is only allowed if the group you want to change does not have another universal group as a member.
Universal to domain local. No restrictions for this operation.

Friday, November 02, 2007

Clean up Active Directory

Over time, user and computer accounts become obsolete and need to be removed. ADSearch helps identify all inactive or disabled users and computers in Active Directory. Based on your company policy you can delete, disable, enable or move these accounts.

Enhance Active Directory Safety and Performance.

You can run ADSearch to search the logonCount attribute of users and computers and report only accounts that have never logged on; this locates inactive user or computer accounts, which you can then disable, delete or move.

For detailed reports based on the Active Directory lastLogon attribute, download and use Winzero Computer2User; because lastLogon is not replicated between domain controllers, it evaluates every DC in your domain to find the true last logon time of any user.

A reliable Active Directory infrastructure should always ensure that accounts in use are enabled and obsolete accounts are disabled or deleted, for optimum productivity and security.