Windows Tips & Tricks UPDATE, December 27, 2004, —brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add Windows_TipsandTricks_UPDATE@list.windowsitpro.com to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

Free White Paper: High Availability for Windows Services
http://www.windowsitpro.com/whitepapers/neverfail/highavailability/index.cfm?code=1227Tips_P

Windows IT Pro VIP
http://www.winnetmag.com/rd.cfm?code=wvep274xup


Sponsor: Free White Paper: High Availability for Windows Services

It is no stretch to say that Windows high availability must be a fundamental element in your short- and long-term strategic IT planning. This free white paper discusses the core issues surrounding Windows high availability, with a focus on business drivers and benefits. You'll learn about the current market solutions, technologies and real-world challenges including cost-benefit analyses. Plus, find out how to assess technical elements required in choosing a high-availability solution, including the robustness of the technology, time-to-failover, and implementation difficulties. Download this white paper now!
http://www.windowsitpro.com/whitepapers/neverfail/highavailability/index.cfm?code=1227Tips_P


FAQs

  • Q. Why do some organizational units (OUs) have a blue exclamation point next to them in Group Policy Management Console (GPMC)?
  • Q. How can I run a report that displays the last password change for all accounts in a container?
  • Q. How can I determine whether my server is running Exchange Server 2003, Standard Edition, or Exchange 2003, Enterprise Edition?
  • Q. After I upgraded from Windows 2000 Server to Windows Server 2003, I received an error about the Enterprise Domain Controllers group's access to certain Group Policy Objects (GPOs) in Group Policy Management Console (GPMC). What's causing this error?
  • Q. Where is fault-tolerant (i.e., domain-based) Dfs information stored?

Commentary
by John Savill, FAQ Editor, jsavill@windowsitpro.com

This week, I tell you why some organizational units (OUs) have a blue exclamation point next to them in Group Policy Management Console (GPMC), how to run a report that displays the last password change for all accounts in a container, and how to determine whether a server is running Exchange Server 2003, Standard Edition, or Exchange 2003, Enterprise Edition. I also explain the cause of an error about the Enterprise Domain Controllers group's access to certain Group Policy Objects (GPOs) in GPMC and tell you where fault-tolerant Dfs information is stored.


Sponsor: Windows IT Pro VIP

Get Exclusive Access to Windows IT Pro Print Products Online!
Our VIP subscribers get online access to all of our print publications, plus a print subscription to Windows IT Pro and exclusive access to our banner-free VIP Web site. Now we've added even more content from the archives of SQL Server Magazine! You won't find a more complete and comprehensive resource anywhere--check it out!
http://www.winnetmag.com/rd.cfm?code=wvep274xup


FAQs

Q. Why do some organizational units (OUs) have a blue exclamation point next to them in Group Policy Management Console (GPMC)?

A. A blue exclamation point that's displayed next to an OU container in GPMC indicates that the container has Block Inheritance enabled, which means that settings made to parent containers aren't applied to the OU (unless the policy for the parent container has the "No Override" option configured). You can confirm that Block Inheritance is configured for an OU that has a blue exclamation point by right-clicking the OU; "Block Inheritance" should be selected on the displayed context menu.

Q. How can I run a report that displays the last password change for all accounts in a container?

A. The last-password-change date is stored in the user class's Active Directory (AD) pwdLastSet attribute as a large (64-bit) integer, which means the date must be converted so that it can be read and displayed in a usable "date" format. To perform the conversion, I modified a script by Richard Mueller so that it searches for all users in the passed root distinguished name and outputs their last-password-change date to a screen. You can download the script, listuserpasslastchange.vbs, at http://www.windowsitpro.com/content/content/44925/listuserpasslastchange.zip, or copy and paste the following script into a text file.

' John Savill
' This is based on Richard Mueller's script on Interger8Date
' conversion, which is copyrighted as below.
' Copyright (c) 2003 Richard L. Mueller
' Hilltop Lab Web site - http://www.rlmueller.net
'
' I simply changed it to output all objects in a passed DN.

Option Explicit

Dim strLdapPath, objConnection, objChild
Dim lngTZBias, objUser, objPwdLastSet
Dim objShell, lngBiasKey, k

' Check that all required arguments have been passed
If Wscript.Arguments.Count  0 Then
    On Error GoTo 0
    Integer8Date = #1/1/1601#
  End If
  On Error GoTo 0
End Function

   To run the script, use the syntax

cscript listuserpasslastchange.vbs ou=test,dc=demo,dc=test

You'll see output that's similar to this:

CN=Bruce Wayne    11/17/2003 1:30:14 PM
CN=Clark Kent        11/17/2003 1:31:30 PM
CN=Hal Jordan        12/6/2004 2:52:56 PM
CN=Wally West        3/17/2003 9:04:45 AM

Q. How can I determine whether my server is running Exchange Server 2003, Standard Edition, or Exchange 2003, Enterprise Edition?

A. If you have more than one storage group (SG), more than one message database, or if your database is greater than 16GB, you have Exchange 2003 Enterprise. Another way to verify your Exchange Server edition is to open the Exchange Server Setup Progress.log file, which is located on the root of your system drive. Search for one of the following entries:

\[16:53:50\] Setup configuration information: -- ID:xxxxx --
\[16:53:50\] This is a(n) Standard version of Microsoft Exchange Server
-- ID:xxxxx--

or

\[16:53:50\] Setup configuration information: -- ID:62227 --
\[16:53:50\] This is a(n) Enterprise version of Microsoft Exchange Server
-- ID:62232 --

One of these entries indicates your Exchange Server version. I find it easiest to locate the appropriate entry by searching for the "Setup configuration information" string in the file.

Q. After I upgraded from Windows 2000 Server to Windows Server 2003, I received an error about the Enterprise Domain Controllers group's access to certain Group Policy Objects (GPOs) in Group Policy Management Console (GPMC). What's causing this error?

A. Windows 2003 introduced the Group Policy Modeling feature, which allows simulations of Resultant Set of Policies (RsoP) scenarios and is performed by a service that runs on Windows 2003 domain controllers (DCs). Because this service is on the DCs, the Enterprise Domain Controllers group needs access to all Group Policy Objects (GPOs). This access is granted automatically to any newly created GPO. However, GPOs that existed before the upgrade aren't updated with the new permissions. When you use GPMC to access such GPOs, you'll receive a warning, which the figure at http://www.windowsitpro.com/content/content/44925/gpmcnoedcaccess.gif shows. To solve the problem, perform these steps:

  1. Log on as a domain administrator.
  2. Start a command prompt and navigate to the \%programfiles%\gpmc\scripts folder (e.g., c:\program files\gpmc\scripts) by typing cd /d %programfiles%\gpmc\scripts
  3. Execute the GrantPermissionOnAllGPOs.wsf script that's provided with GPMC and specify the domain's DNS name--for example:
    Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers"
    /Permission:Read /Domain:savilltech.com
    (The command wraps to two lines here because of space limitations.) Be sure to replace savilltech.com with your domain name.

Q. Where is fault-tolerant (i.e., domain-based) Dfs information stored?

A. Unlike standalone Dfs roots and namespaces, which store their information in the registry, domain-based Dfs namespaces store their information in Active Directory (AD). The exact location in AD is the DFS-Configuration object--yes, it's one object--which is why any change to the Dfs structure causes the entire Dfs namespace to be replicated to all domain controllers (DCs) in the domain AD partition's System container. You can view this object by using a tool such as ADSI Edit.

Announcements
(from Windows IT Pro and its partners)

  • Get the Cliffs Notes to Migrating from Novell NDS to Windows Server 2003

  • Migrating from Novell NDS to Windows Server 2003 means moving from an established directory service to the latest version of Active Directory. Missing a step in the migration process could mean real problems. Use our quick reference guide as a cheat-sheet to help you manage each step of the migration process. Download the guide now.
    http://www.windowsitpro.com/essential/index.cfm?code=1227emailannc

  • Sensible Best Practices for Exchange Availability Web Seminar--February 2

  • If you're discouraged about not having piles of money for improving the availability of your Exchange server, join Exchange MVP Paul Robichaux for this free Web seminar and learn how to maximize your existing configuration. Survive unexpected outages, plan for the unplannable, and evaluate what your real business requirements are without great expense. Register now!
    http://www.windowsitpro.com/seminars/exchangeavailability/index.cfm?code=103emailannc

  • Are You a Hacker Target?

  • You are if you have an Internet connection faster than 384Kbps. In this free on-demand Web seminar, Alan Sugano will examine two attacks (an SMTP Auth Attack and a SQL Attack) that let spammers get into the network and relay spam. Find out how to keep the hackers out of your network and what to do if your mail server is blacklisted as an open relay. Register now!
    http://www.windowsitpro.com/seminars/antispam/index.cfm?code=1227emailannc

  • Token Authentication: Getting It Right

  • More and more companies are taking the first steps toward leaving passwords behind and implementing tokens for at least a portion of their users and systems. In this free on-demand Web seminar, join Randy Franklin Smith to find out the advantages of implementing token-based Reduced Sign-On (RSO) and learn how you can you make a solid business case to management that justifies the costs. Get valuable checklists of key evaluation and testing points and critical success factors for rollout time. Register now!
    http://www.windowsitpro.com/seminars/tokenauthentication/index.cfm?code=1227emailannc

    Events Central
    (A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

  • Get Expert Advice on Implementing a Service Management Plan

  • Our expert panel delivers tips, techniques, and insight to get you closer to a service management plan in this free on-demand Web seminar. Get real-world perspectives on industry trends and examples of how to leverage service management for maximum results and how to implement a plan for your business. Register now!
    http://www.windowsitpro.com/seminars/serviceroadmap/index.cfm?code=1227emailannc

    Sponsored Link

  • Data Protection from NSI and Microsoft

  • Instant recovery and data protection solutions for Exchange and SQL servers
    http://ad.doubleclick.net/clk;12746138;8214395;l?http://www.protect-your-data.com

    Contact Us
    Here's how to reach us with your comments and questions:

    This weekly email newsletter is brought to you by Windows IT Pro, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
    http://www.windowsitpro.com/sub.cfm?code=wswi201x1z