| Author | Messages | |
listmail
Posts:428
 | | 01/19/2006 1:23 AM |
| Well not really. The important SID in question is the
Domain SID and that isn't duped. The domain doesn't care about the machine SID.
It is still good practice to newsid the machines though.
If the accounts are disappearing it is one of two
things
1. Someone is deleting it.
2. During the join process something fails and the computer
deletes the object out. I don't recall the details of this but I do recall
hearing it happen. It happens right after the failed join though, you don't have
to wait for it. I have also heard other people who don't have enough rights
report the account being disabled instead of deleted. I never verified
personally either.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
DesmondSent: Wednesday, January 18, 2006 6:50 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
NO
NO NO NO NO BAD BAD BAD
You
have to use sysprep. You™re getting duplicate SIDs here “ bad.
Thanks,Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Aaron
VisserSent: Wednesday, January
18, 2006 5:44 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Gary,
Brian,
I do not use Sysprep on
my images and have yet to come across any problems, but there may be one big
difference with my images, before I ghost them or create the image I put the
said machine into a workgroup and then create image. After I have imaged a
computer I log on and change the Computer Name reboot and then join the domain
with the new computer name, should I be using Sysprep?
And Brenda I have
experienced your problem but I have never noticed the accounts actually being
out of AD, anyways most times for me a simple reboot works although I have had
to actually ghost computers in order to rejoin the domain because I do not have
any local accounts active on my computers in the school, makes it a little safer
J but with that comes
more work L
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 12:38
PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Gary-
Are
you implying you don™t sysprep your images?
Thanks,Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of GarypholdSent: Wednesday, January 18, 2006 3:04
PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Brenda,
FWIW: It happens
to me when I clone a workstation then try to join that workstation to the domain
in order to change the computer name. AD sees 2 machines with the same
name, gives me a notification and lets the 2nd one in. Then when the
original machine with that name logs in next time, it isn't seen on the
network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will
help, but it might narrow down the problem
some.
Gary
Gary
Polvinale
Denton
ATD
-----Original
Message-----From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brenda
CaseySent: Wednesday, January
18, 2006 2:24 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Yes,
their computer account in AD is actually
gone.
Thanks,
Brenda
Brenda
CaseyNetwork
Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Gil
KirkpatrickSent: Wednesday,
January 18, 2006 11:14 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
When you say "lose
their account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brenda
CaseySent: Wednesday, January
18, 2006 10:42 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] AD computer accounts
being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to
do.
Has
anyone else had this experience and how have you fixed
it?
Thanks,
Brenda | | | |
| listmail
Posts:428
| | 01/19/2006 1:23 AM |
| NetBEUI? Ouch.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
DesmondSent: Wednesday, January 18, 2006 7:59 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Sysprep
also removes other information which identifies the computer. For example, I
once had the pleasure of repairing a network where they had used NewSID to do
this and also had bound NetBEUI to every NIC in the LAN. I had 500 computers all
claiming the same NetBEUI name. Sysprep takes care of things like this. Highly
recommended over any other tool.
Thanks,Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Aaron
VisserSent: Wednesday, January
18, 2006 7:27 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Well I would agree that
is not a safe practice for most but for my application where all Local accounts
are disabled I do not see a problem.
Taken | | | |
| ZJORZ
Posts:99
| | 01/19/2006 1:33 AM |
| >>>It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.
Huh..I'm having a small headache and I'm not smoking anything weird here, but... what is this?
Shoudn't this be:
Duplicate SIDs for objects in the domain are bad and a problem in NT4 and AD. It is not possible to copy an object and dupe the SID. Screwing around with the RID FSMO (AD) could result in dupped SIDs. If dupped SIDs are detected the detecting DC has a mechanism to clean those
Although a bad practice, cloned machines which have the same local SID can be in an NT4 domain and AD. The local computer SID will only be used if a user (domain base or not) is a member of a local group on that computer as the group SID on that computer consists of the computer SID and a RID
IMHO opinion the writer is mixing the object SID in the domain with the local computer SID...
Jorge
________________________________
Van: ActiveDir-owner@xxxxxxxxxxxxxxxxxx namens AdamT
Verzonden: do 2006-01-19 02:22
Aan: ActiveDir@xxxxxxxxxxxxxxxxxx
Onderwerp: Re: [ActiveDir] AD computer accounts being removed
On 1/19/06, Aaron Visser wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the
> SID Duplication Problem
>
>
> snip
Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html
At the start of the GUI phase of installation each NT/2000
installation generates a unique Security IDentifier (SID). If you then
clone a workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not user the local
workstation SID for security. It IS a problem in a Windows 2000 domain
as the local machine SID is used in nearly all aspects of security and
before migrating to 2000 you should resolve any duplicate SID issues
which may have been caused by cloning installations.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| milburnr
Posts:0
| | 01/19/2006 1:43 AM |
| Any idea why XP is omitted in this article,
but 2k and 2k3 are included?
http://support.microsoft.com/?id=162001
"Do Not Disk Duplicate Installed
Versions of Windows NT"
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell
of red herrings in the morning - anonymous
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
6:27 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Well I would agree that is not a safe
practice for most but for my application where all Local accounts are disabled
I do not see a problem.
Taken
from http://www.sysinternals.com/Utilities/NewSid.html
under the SID Duplication Problem
Duplicate SIDs aren't an issue in a
Domain-based environment since domain accounts have SID's based on the Domain
SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not
Disk Duplicate Installed Versions of Windows NT", in a Workgroup
environment security is based on local account SIDs. Thus, if two computers
have users with the same SID, the Workgroup will not be able to distinguish
between the users. All resources, including files and Registry keys, that one
user has access to, the other will as well.
Aaron
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006
3:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You™re getting duplicate SIDs here “
bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep?
And Brenda I have experienced your problem
but I have never noticed the accounts actually being out of AD, anyways most
times for me a simple reboot works although I have had to actually ghost
computers in order to rejoin the domain because I do not have any local
accounts active on my computers in the school, makes it a little safer J but with that comes more
work L
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary-
Are you implying you don™t sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine.
Then all is well again. Don't know if that will help, but it
might narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer
accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal law.
Applebee's International, Inc. reserves the right to monitor and review the
content of all messages sent to and from this e-mail address. Messages sent to
or from this e-mail address may be stored on the Applebee's International, Inc.
e-mail system. | | | |
| adwulf
Posts:34
| | 01/19/2006 1:54 AM |
| On 1/19/06, Aaron Visser wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the
> SID Duplication Problem
>
>
> snip
Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html
At the start of the GUI phase of installation each NT/2000
installation generates a unique Security IDentifier (SID). If you then
clone a workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not user the local
workstation SID for security. It IS a problem in a Windows 2000 domain
as the local machine SID is used in nearly all aspects of security and
before migrating to 2000 you should resolve any duplicate SID issues
which may have been caused by cloning installations.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| habr
Posts:25
| | 01/19/2006 2:11 AM |
| "And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%."
joe, I will not be signing my emails to you anymore with "YMYMYM"
Unless of course, your recant.
RH
___________________________________________________________
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of joe
Sent: Wednesday, January 18, 2006 9:36 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%. Preferably
prior to changing your environment based on something I said. :o)
Or to put it another simpler way, mileage varies. What works very well for
me may not be in your best interest.
I would like to hear the technical details behind the SID issues from that
article though. Maybe I will follow the link. Though I doubt what I want is
there. Very little serious deep tech in that mag anymore. The tech stuff I
previously wrote for them they stopped putting in the mag and started
putting in their over the top highly overpriced "professional newsletters"
that were $100+ for 12 tiny little issues that looked like a small school
newspaper.
joe
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Wednesday, January 18, 2006 9:14 PM
To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
Subject: RE: [ActiveDir] AD computer accounts being removed
Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
Subject: RE: [ActiveDir] AD computer accounts being removed
I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.
I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AD computer accounts being removed
On 1/19/06, Aaron Visser wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
>
>
> snip
Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html
At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not user the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| milburnr
Posts:0
| | 01/19/2006 2:11 AM |
| > Is
there a big learning curve with Sysprep?
Well, there can be. It depends on what
you do to your master before you image it. If you do a lot of profile
customization, then yes, because sysprep cleans out the profiles, and you™ll
need to figure out how to apply settings to the default profile, or figure out
how to script them. Since you are using AD you don™t have the lack of
GPO issue I did. For example, on our workgroup systems, we create a certain
account and set up that profile, lock it down etc. If I sysprep it, that
profile gets removed and a new one is created when that user logs into the
sysprepped computer “ without any of the customizations. There are ways
around this, but I couldn™t solve all of them so for now on our newer XP
systems we use a silent install with scripted profile configuration and
lockdowns. It takes 38 minutes from DVD incl. Office 2003 install, so it™s
not too bad “ sysprep using an ximage image took 25 minutes on the same
box, most of that was DVD to HDD copy time though.
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell
of red herrings in the morning - anonymous
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Thursday, January 19, 2006
7:01 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Thanks for the link Nav.
I use Symantec (PowerQuest) V2i Desktop
(DriveImage). Haven't used Ghost (Ghostwalker) or Sysprep. Been
wanting to experiment with Sysprep but haven't had the time. I was
thinking about that this morning though. Is there a big learning curve
with Sysprep?
I use V2i for cloning, because I'm
already using that for backups of all the workstations and all the
servers. Hard drive backups instead of tape. Without sysprep, I'm
stuck being able to only clone like machines.
I really need to learn to use
Sysprep. Too many fires burning right now.
Gary
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Navroz Shariff
Sent: Wednesday, January 18, 2006
3:29 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Hi Gary,
Try looking at this article from MS
regarding 'Resetting computer accounts in Windows 2000 and Windows XP'.
http://support.microsoft.com/kb/216393/EN-US/
Also, you join the computer to the domain
and then change its name?
Do you reset the SIDs of the cloned
workstation using GhostWalker or Sysprep?
-Nav
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine. Then all
is well again. Don't know if that will help, but it might narrow
down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal law.
Applebee's International, Inc. reserves the right to monitor and review the
content of all messages sent to and from this e-mail address. Messages sent to
or from this e-mail address may be stored on the Applebee's International, Inc.
e-mail system. | | | |
| bdesmond
Posts:346
| | 01/19/2006 2:17 AM |
| Dozen other reasons to run it. Not running sysprep is just a bad idea.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of joe
Sent: Wednesday, January 18, 2006
8:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Well not really. The important SID in
question is the Domain SID and that isn't duped. The domain doesn't care about
the machine SID. It is still good practice to newsid the machines though.
If the accounts are disappearing it is one
of two things
1. Someone is deleting it.
2. During the join process something fails
and the computer deletes the object out. I don't recall the details of this but
I do recall hearing it happen. It happens right after the failed join though,
you don't have to wait for it. I have also heard other people who don't
have enough rights report the account being disabled instead of deleted. I
never verified personally either.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
6:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You™re getting duplicate SIDs here “
bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep?
And Brenda I have experienced your problem
but I have never noticed the accounts actually being out of AD, anyways most
times for me a simple reboot works although I have had to actually ghost
computers in order to rejoin the domain because I do not have any local
accounts active on my computers in the school, makes it a little safer J but with that comes more
work L
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary-
Are you implying you don™t sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine.
Then all is well again. Don't know if that will help, but it
might narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer
accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda | | | |
| listmail
Posts:428
| | 01/19/2006 3:06 AM |
| I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.
I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AD computer accounts being removed
On 1/19/06, Aaron Visser wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
>
>
> snip
Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html
At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not user the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| CKaiser
Posts:2
| | 01/19/2006 3:08 AM |
| Sysprep is pretty simple; there's a lot of documentation available on
it. As Rich mentioned, you need to set up your customizations under one
profile and copy that to the default user profile. Some irksome things
change, however. One of my pet peeves is that when you sysprep a PC, the
next time it boots, the select OS timeout goes from whatever you have
set it to (5 sec in our case) back to the default of 30 sec.
I have found that using group policy to make most of the settings
changes is better than doing it on the workstation. We start with a
sysprepped image that runs the mini-setup when first booted. We then the
workstation and place it in the domain, where the GPOs apply to make all
the required settings.
I was able to go from a boot floppy, ghost, and ghostwalker to a boot
CD, sysprep, and ghost (our new laptops don't have floppy drives) in
about 4 days of testing and fine-tuning. I took a couple of laptops and
a BartPE CD (with ghost added to it) into a spare conference room,
didn't answer my phone, and worked it all out. A few days of work and
the result is significantly simpler deployment of new images.
**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
> Sent: Thursday, January 19, 2006 5:01 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
> Thanks for the link Nav.
>
> I use Symantec (PowerQuest) V2i Desktop (DriveImage).
> Haven't used Ghost (Ghostwalker) or Sysprep. Been wanting to
> experiment with Sysprep but haven't had the time. I was
> thinking about that this morning though. Is there a big
> learning curve with Sysprep?
>
> I use V2i for cloning, because I'm already using that for
> backups of all the workstations and all the servers. Hard
> drive backups instead of tape. Without sysprep, I'm stuck
> being able to only clone like machines.
>
> I really need to learn to use Sysprep. Too many fires
> burning right now.
>
> Gary
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
> Navroz Shariff
> Sent: Wednesday, January 18, 2006 3:29 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> Hi Gary,
>
> Try looking at this article from MS regarding 'Resetting
> computer accounts in Windows 2000 and Windows XP'.
> http://support.microsoft.com/kb/216393/EN-US/
>
> Also, you join the computer to the domain and then change its name?
> Do you reset the SIDs of the cloned workstation using
> GhostWalker or Sysprep?
>
> -Nav
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
> Sent: Wednesday, January 18, 2006 3:04 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> Brenda,
>
> FWIW: It happens to me when I clone a workstation then try
> to join that workstation to the domain in order to change the
> computer name. AD sees 2 machines with the same name, gives
> me a notification and lets the 2nd one in. Then when the
> original machine with that name logs in next time, it isn't
> seen on the network. Then I have to do the same thing you
> did - with the original machine. Then all is well again.
> Don't know if that will help, but it might narrow down the
> problem some.
>
> Gary
>
> Gary Polvinale
> Denton ATD
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
> Sent: Wednesday, January 18, 2006 2:24 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> Yes, their computer account in AD is actually gone.
>
> Thanks,
> Brenda
>
> Brenda Casey
> Network Manager
> Billings Public Schools
> caseyb@xxxxxxxxxxxxxxxxxx
> 406-247-3792
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil
> Kirkpatrick
> Sent: Wednesday, January 18, 2006 11:14 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> When you say "lose their account", do you mean the computer
> object in AD disappears? Or something else?
>
> -g
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
> Sent: Wednesday, January 18, 2006 10:42 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] AD computer accounts being removed
>
>
> Occasionally computers will lose their account in Active
> Directory for no apparent reason. Sometimes it is a computer
> that has just joined the domain, while other times the
> machine has been a member of the domain for 2 years. The
> computer can only be logged on by a local account (not a
> domain account). To remedy this, the computer has to be
> disjoined from the domain, join a workgroup, then join the
> domain again. As I am sure you all are aware, this is not
> only time consuming, but very inappropriate to have to do.
>
> Has anyone else had this experience and how have you fixed it?
>
> Thanks,
> Brenda
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| listmail
Posts:428
| | 01/19/2006 3:13 AM |
| Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
Subject: RE: [ActiveDir] AD computer accounts being removed
I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.
I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AD computer accounts being removed
On 1/19/06, Aaron Visser wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
>
>
> snip
Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html
At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not user the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| listmail
Posts:428
| | 01/19/2006 3:28 AM |
| And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%. Preferably
prior to changing your environment based on something I said. :o)
Or to put it another simpler way, mileage varies. What works very well for
me may not be in your best interest.
I would like to hear the technical details behind the SID issues from that
article though. Maybe I will follow the link. Though I doubt what I want is
there. Very little serious deep tech in that mag anymore. The tech stuff I
previously wrote for them they stopped putting in the mag and started
putting in their over the top highly overpriced "professional newsletters"
that were $100+ for 12 tiny little issues that looked like a small school
newspaper.
joe
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Wednesday, January 18, 2006 9:14 PM
To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
Subject: RE: [ActiveDir] AD computer accounts being removed
Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
Subject: RE: [ActiveDir] AD computer accounts being removed
I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.
I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AD computer accounts being removed
On 1/19/06, Aaron Visser wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
>
>
> snip
Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html
At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not user the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| listmail
Posts:428
| | 01/19/2006 3:28 AM |
| Yep sorry, didn't intend to say it wasn't a good idea. At
some point the list will catch up and my post that says that will show up.
:)
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
DesmondSent: Wednesday, January 18, 2006 8:39 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Dozen
other reasons to run it. Not running sysprep is just a bad idea.
Thanks,Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of joeSent: Wednesday, January 18, 2006 8:11
PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Well not really. The
important SID in question is the Domain SID and that isn't duped. The domain
doesn't care about the machine SID. It is still good practice to newsid the
machines though.
If the accounts are
disappearing it is one of two things
1. Someone is deleting
it.
2. During the join
process something fails and the computer deletes the object out. I don't recall
the details of this but I do recall hearing it happen. It happens right after
the failed join though, you don't have to wait for it. I have also heard
other people who don't have enough rights report the account being disabled
instead of deleted. I never verified personally either.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 6:50
PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
NO
NO NO NO NO BAD BAD BAD
You
have to use sysprep. You™re getting duplicate SIDs here “ bad.
Thanks,Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Aaron
VisserSent: Wednesday, January
18, 2006 5:44 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Gary,
Brian,
I do not use Sysprep on
my images and have yet to come across any problems, but there may be one big
difference with my images, before I ghost them or create the image I put the
said machine into a workgroup and then create image. After I have imaged a
computer I log on and change the Computer Name reboot and then join the domain
with the new computer name, should I be using Sysprep?
And Brenda I have
experienced your problem but I have never noticed the accounts actually being
out of AD, anyways most times for me a simple reboot works although I have had
to actually ghost computers in order to rejoin the domain because I do not have
any local accounts active on my computers in the school, makes it a little safer
J but with that comes
more work L
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brian DesmondSent: Wednesday, January 18, 2006 12:38
PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Gary-
Are
you implying you don™t sysprep your images?
Thanks,Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of GarypholdSent: Wednesday, January 18, 2006 3:04
PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Brenda,
FWIW: It happens
to me when I clone a workstation then try to join that workstation to the domain
in order to change the computer name. AD sees 2 machines with the same
name, gives me a notification and lets the 2nd one in. Then when the
original machine with that name logs in next time, it isn't seen on the
network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will
help, but it might narrow down the problem
some.
Gary
Gary
Polvinale
Denton
ATD
-----Original
Message-----From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brenda
CaseySent: Wednesday, January
18, 2006 2:24 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
Yes,
their computer account in AD is actually
gone.
Thanks,
Brenda
Brenda
CaseyNetwork
Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Gil
KirkpatrickSent: Wednesday,
January 18, 2006 11:14 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
When you say "lose
their account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brenda
CaseySent: Wednesday, January
18, 2006 10:42 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] AD computer accounts
being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to
do.
Has
anyone else had this experience and how have you fixed
it?
Thanks,
Brenda | | | |
| bdesmond
Posts:346
| | 01/19/2006 3:28 AM |
| We have roughly 650 unique nightmare LANs here. I™ve seem some
interesting things. Have a folder full of screenshots and JPEGs from site
visits to prove it.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006
8:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
NetBEUI? Ouch.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
7:59 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Sysprep also removes other information which identifies the computer. For
example, I once had the pleasure of repairing a network where they had used
NewSID to do this and also had bound NetBEUI to every NIC in the LAN. I had 500
computers all claiming the same NetBEUI name. Sysprep takes care of things like
this. Highly recommended over any other tool.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
7:27 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Well I would agree that is not a safe
practice for most but for my application where all Local accounts are disabled
I do not see a problem.
Taken
from http://www.sysinternals.com/Utilities/NewSid.html
under the SID Duplication Problem
Duplicate SIDs aren't an issue in a
Domain-based environment since domain accounts have SID's based on the Domain
SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not
Disk Duplicate Installed Versions of Windows NT", in a Workgroup
environment security is based on local account SIDs. Thus, if two computers
have users with the same SID, the Workgroup will not be able to distinguish
between the users. All resources, including files and Registry keys, that one
user has access to, the other will as well.
Aaron
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
3:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You™re getting duplicate SIDs here “
bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep?
And Brenda I have experienced your problem
but I have never noticed the accounts actually being out of AD, anyways most
times for me a simple reboot works although I have had to actually ghost
computers in order to rejoin the domain because I do not have any local
accounts active on my computers in the school, makes it a little safer J but with that comes more
work L
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary-
Are you implying you don™t sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine.
Then all is well again. Don't know if that will help, but it
might narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda | | | |
| garyphold@xxxx.yyy
| | 01/19/2006 3:41 AM |
| Charlie,
Thanks for taking the time to explain. I'm in a position where I'm making
the big decisions, doing the big work and also doing all the little details
(I'm it) including daily problems. Zero training/learning time, zero
anything except get to the next fire. I need spend some time learning and
using tools like sysprep and GP to get back some of that time.
Gary
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Charlie Kaiser
Sent: Thursday, January 19, 2006 10:07 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Sysprep is pretty simple; there's a lot of documentation available on it. As
Rich mentioned, you need to set up your customizations under one profile and
copy that to the default user profile. Some irksome things change, however.
One of my pet peeves is that when you sysprep a PC, the next time it boots,
the select OS timeout goes from whatever you have set it to (5 sec in our
case) back to the default of 30 sec.
I have found that using group policy to make most of the settings changes is
better than doing it on the workstation. We start with a sysprepped image
that runs the mini-setup when first booted. We then the workstation and
place it in the domain, where the GPOs apply to make all the required
settings.
I was able to go from a boot floppy, ghost, and ghostwalker to a boot CD,
sysprep, and ghost (our new laptops don't have floppy drives) in about 4
days of testing and fine-tuning. I took a couple of laptops and a BartPE CD
(with ghost added to it) into a spare conference room, didn't answer my
phone, and worked it all out. A few days of work and the result is
significantly simpler deployment of new images.
**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
> Sent: Thursday, January 19, 2006 5:01 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
> Thanks for the link Nav.
>
> I use Symantec (PowerQuest) V2i Desktop (DriveImage).
> Haven't used Ghost (Ghostwalker) or Sysprep. Been wanting to
> experiment with Sysprep but haven't had the time. I was
> thinking about that this morning though. Is there a big
> learning curve with Sysprep?
>
> I use V2i for cloning, because I'm already using that for
> backups of all the workstations and all the servers. Hard
> drive backups instead of tape. Without sysprep, I'm stuck
> being able to only clone like machines.
>
> I really need to learn to use Sysprep. Too many fires
> burning right now.
>
> Gary
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
> Navroz Shariff
> Sent: Wednesday, January 18, 2006 3:29 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> Hi Gary,
>
> Try looking at this article from MS regarding 'Resetting
> computer accounts in Windows 2000 and Windows XP'.
> http://support.microsoft.com/kb/216393/EN-US/
>
> Also, you join the computer to the domain and then change its name?
> Do you reset the SIDs of the cloned workstation using
> GhostWalker or Sysprep?
>
> -Nav
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
> Sent: Wednesday, January 18, 2006 3:04 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> Brenda,
>
> FWIW: It happens to me when I clone a workstation then try
> to join that workstation to the domain in order to change the
> computer name. AD sees 2 machines with the same name, gives
> me a notification and lets the 2nd one in. Then when the
> original machine with that name logs in next time, it isn't
> seen on the network. Then I have to do the same thing you
> did - with the original machine. Then all is well again.
> Don't know if that will help, but it might narrow down the
> problem some.
>
> Gary
>
> Gary Polvinale
> Denton ATD
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
> Sent: Wednesday, January 18, 2006 2:24 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> Yes, their computer account in AD is actually gone.
>
> Thanks,
> Brenda
>
> Brenda Casey
> Network Manager
> Billings Public Schools
> caseyb@xxxxxxxxxxxxxxxxxx
> 406-247-3792
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil
> Kirkpatrick
> Sent: Wednesday, January 18, 2006 11:14 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
>
>
> When you say "lose their account", do you mean the computer
> object in AD disappears? Or something else?
>
> -g
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
> Sent: Wednesday, January 18, 2006 10:42 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] AD computer accounts being removed
>
>
> Occasionally computers will lose their account in Active
> Directory for no apparent reason. Sometimes it is a computer
> that has just joined the domain, while other times the
> machine has been a member of the domain for 2 years. The
> computer can only be logged on by a local account (not a
> domain account). To remedy this, the computer has to be
> disjoined from the domain, join a workgroup, then join the
> domain again. As I am sure you all are aware, this is not
> only time consuming, but very inappropriate to have to do.
>
> Has anyone else had this experience and how have you fixed it?
>
> Thanks,
> Brenda
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| LarryWahlers
Posts:20
| | 01/19/2006 4:05 AM |
| Gary wrote:
> I'm in a position
> where I'm making
> the big decisions, doing the big work and also doing all the
> little details
> (I'm it) including daily problems. Zero training/learning time, zero
> anything except get to the next fire.
Boy, does that sound familiar...
--
Larry
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| bdesmond
Posts:346
| | 01/19/2006 5:17 AM |
| There™s really nothing to learn. You extract deploy.cab to a
folder, run setupmgr to create the sysprep.inf, the you open it up and change
ComputerName to = * and copy it all to afolder called c:\sysprep. Run
sysprep.exe. It will shutdown your PC, boot it back up with the ghost disk in
and dump your image.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Thursday, January 19, 2006
8:05 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Not implying - I don't. I've been
unable to find time to experiment. Yeah, I know - if I used that, I'd
have much more time. Can Sysprep be much trouble to learn to use? I
guess I have writer's block when it comes to that. Irrational fear of
Sysprep.
Gary
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006
3:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary-
Are you implying you don™t sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine.
Then all is well again. Don't know if that will help, but it
might narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda | | | |
| garyphold@xxxx.yyy
| | 01/19/2006 5:27 AM |
| Larry,
I know I'm not the only one in this position. But membership in that club
doesn't dissolve any of the stress. Are there other online forums that deal
with the people who have to do it all in the smaller operations?
Time-saving tips, direct answers and help on specific issues? Etc?
Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't
been able to reach that level of knowledge yet. But it's still an
invaluable source.
Are there any more out there like it, at a lower tier of knowledge with
slightly different focus, for the tied-to-the-whipping-post average
"network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy
/database-admin/software-specialist/new-technology-wizard/programmer-analyst
/security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th
at-messy-office/no-raises-this-year" multifaceted IT meatball surgeon?
I'm getting further behind every day. It would be great to see how others
are handling it.
Gary
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Larry Wahlers
Sent: Thursday, January 19, 2006 11:02 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary wrote:
> I'm in a position
> where I'm making
> the big decisions, doing the big work and also doing all the
> little details
> (I'm it) including daily problems. Zero training/learning time, zero
> anything except get to the next fire.
Boy, does that sound familiar...
--
Larry
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| sbradcpa
Posts:298
| | 01/19/2006 5:34 AM |
| You forgot emptying the trash.
I can tell you where the SMB outside consultants hang out... but I'll
agree with you... the SMB or just "M" admin crowd....not sure if I've
found a venue spot on yet.
hmmm... ActiveDirGUI division? :-)
I know that Microsoft is gathering resources for this 'medium' business
space as well. I'll ask around.
Garyphold wrote:
Larry,
I know I'm not the only one in this position. But membership in that club
doesn't dissolve any of the stress. Are there other online forums that deal
with the people who have to do it all in the smaller operations?
Time-saving tips, direct answers and help on specific issues? Etc?
Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't
been able to reach that level of knowledge yet. But it's still an
invaluable source.
Are there any more out there like it, at a lower tier of knowledge with
slightly different focus, for the tied-to-the-whipping-post average
"network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy
/database-admin/software-specialist/new-technology-wizard/programmer-analyst
/security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th
at-messy-office/no-raises-this-year" multifaceted IT meatball surgeon?
I'm getting further behind every day. It would be great to see how others
are handling it.
Gary
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Larry Wahlers
Sent: Thursday, January 19, 2006 11:02 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary wrote:
I'm in a position
where I'm making
the big decisions, doing the big work and also doing all the
little details
(I'm it) including daily problems. Zero training/learning time, zero
anything except get to the next fire.
Boy, does that sound familiar...
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| klas9574
Posts:1
| | 01/19/2006 6:31 AM |
| I'm in the position of jack-of-all-trades as well. I barely get a chance to
visit the restroom on some days, nevermind breaks or lunch. Here's some
advise I can impart:
1) Learn to say no and/or wait to the powers that be at your company. You
can't do everything at once. Make certain that this is a realization which
upper management has. Going hand in hand with this, be certain that you
take some time for proactive monitoring during the week. Check logs for
your devices and servers. Don't wait for a system to go down before you
realize the logs had been throwing errors for days beforehand.
2) Train the employees to take off some of the burden. I taught all of my
users about the mysterious help file. :) I also created walkthroughs of
recurring chores that a standard user could perform themselves and put them
into a FAQ on our intranet site.
3) Google is your biggest friend. You will have a very hard time finding a
professionals forum where you will get an exact answer to a specific
question every time first try. The expectation is that you do some research
on an issue before even asking in a forum. On a simple problem somebody
asks, the most frequent reply is a google search link.
4) Some good resources are experts-exchange and myitforum. I would also
highly recommend the NTSysAdmin group hosted by Sunbelt-Software. It
definitely doesn't hurt to pick up a book or two on various subjects which
may apply.
5) The biggest and best time saver I can think of is to learn scripting.
This is one where it's do as I say not as I do. I really want to learn and
have made some inroads, but there is never enough time. My ability now is
at the level of taking scripts others have generously posted and modifying
them to my purposes. Tons of great sites for scripts including the Technet
scripting center, scriptinganswers.com, and http://cwashington.netreach.net.
6) Stick with it here as well, if only as a lurker. Learn and absorb as
much as you can. It will make you a better admin in the long run.
7) In doing all of these things, I pared down my workweek here from 80+
hours when I began 1.5 years ago to a normal 40 hour work week. I've even
gotten back to doing external consulting work on the weekends again.
Hope some of this helps.
Scott Klassen
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Thursday, January 19, 2006 11:24 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Larry,
I know I'm not the only one in this position. But membership in that club
doesn't dissolve any of the stress. Are there other online forums that deal
with the people who have to do it all in the smaller operations?
Time-saving tips, direct answers and help on specific issues? Etc?
Frankly, I'm lost on a lot of the stuff discussed in this forum - haven't
been able to reach that level of knowledge yet. But it's still an
invaluable source.
Are there any more out there like it, at a lower tier of knowledge with
slightly different focus, for the tied-to-the-whipping-post average
"network-admin/PC-schlepp/IT-Systems-Mgr/purchasing-guy/telephone-system-guy
/database-admin/software-specialist/new-technology-wizard/programmer-analyst
/security-specialist/software-upgrade-maintainer/forget-about-cleaning-up-th
at-messy-office/no-raises-this-year" multifaceted IT meatball surgeon?
I'm getting further behind every day. It would be great to see how others
are handling it.
Gary
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Larry Wahlers
Sent: Thursday, January 19, 2006 11:02 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary wrote:
> I'm in a position
> where I'm making
> the big decisions, doing the big work and also doing all the
> little details
> (I'm it) including daily problems. Zero training/learning time, zero
> anything except get to the next fire.
Boy, does that sound familiar...
--
Larry
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
|
|