A tip on permissions in Windows
User login problem troubleshooting
Creating a Large Number of Users in an AD DS
You want to create a large number of user objects, either for testing purposes or to initially populate Active Directory with your employee, customer, or student user accounts.
Using a command-line interface
The following example uses a for /L ... do loop in combination with dsadd to create 1,000 users under the marketing OU in the networkingpupil.com domain with usernames such as User1, User2, User3, etc. The password is set, but no other attributes are configured. You can modify the dsadd syntax to populate additional attributes as well:
> for /L %i in (1,1,1000) do dsadd user cn=User%i,ou=marketing,dc=networkingpupil,dc=com -pwd User%i
You can also use the ldifde utility to perform a bulk import of unique usernames. Create an .LDF file using the following syntax (separate multiple entries with a blank line in between):
dn: CN=Ali Hosseini, OU=Engineering, DC=networkingpupil, DC=com
changetype: add
cn: Ali Hosseini
objectClass: user
samAccountName: ahosseini
Once you've created the LDIF file containing your user records, import the file using the following command:
> ldifde -i -f <filename.ldf> -s <servername>
Be aware that the file name (filename.ldf) goes after -f and the server name goes after -s.
You may notice that the LDIF file does not specify the user's password; this attribute must be modified after the user object has been created.
You can also use admod to automate this task as follows. The code below will create 4,000 users named "TestUser_1", "TestUser_2", "TestUser_3":
> admod -sc adau:4000;MyPassword1!;cn=testuser,ou=testou,dc=networkingpupil,dc=com
Using VBScript
' This code creates a large number of users with incremented user names
' e.g. User1, User2, User3, ....
' ------ SCRIPT CONFIGURATION ------
intNumUsers = 1000           ' Number of users to create
strParentDN = "<ParentDN>"   ' e.g. ou=bulk,dc=emea,dc=adatum,dc=com
' ------ END CONFIGURATION --------

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

set objParent = GetObject("LDAP://" & strParentDN)
for i = 1 to intNumUsers
    strUser = "User" & i
    Set objUser = objParent.Create("user", "cn=" & strUser)
    objUser.Put "sAMAccountName", strUser
    ' The object must be written to the directory before its password can be set
    objUser.SetInfo
    objUser.SetPassword(strUser)
    objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
    objUser.SetInfo
    WScript.Echo "Created " & strUser
next
WScript.Echo ""
WScript.Echo "Created " & intNumUsers & " users"
Using PowerShell
# Requires the Quest AD cmdlets (New-QADUser)
$parentDN = "<ParentDN>"
$strPass = "MyPassword1"
For ($i = 1; $i -le 1000; $i++) {
    $strUserName = "User" + $i
    New-QADUser -name $strUserName -parentContainer $parentDN -UserPassword $strPass
}
Discussion
Using ADSI, PowerShell, and the command-line utilities, you can create hundreds and even thousands of users far more easily and quickly than you would be able to do through a graphical user interface. You can also modify the examples to pull real data from a data source, such as an employee database.
Using a command-line interface
The AdMod syntax makes use of the -adau shortcut, which will add X number of users with Y as their starting password, so that "-adau:4000;MyPassword1" will create 4,000 users with a starting password of "MyPassword1". If the starting password is not specified, a unique random complex password will be generated for each user.
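The bulk examples above give every account a predictable password (the username, or one shared string). As an added example that is not part of the original post, the following PowerShell combines the two points of this discussion: it reads user records from a data source and gives each account its own random initial password that must be changed at first logon. It assumes the ActiveDirectory module (New-ADUser) rather than the Quest cmdlets used above; the CSV columns, the UPN suffix and the New-RandomPassword helper are constructed for illustration.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$parentDN  = 'ou=marketing,dc=networkingpupil,dc=com'  # OU used in the dsadd example
$upnSuffix = 'networkingpupil.com'                     # assumed UPN suffix

# Constructed sample records; in practice use Import-Csv on an export from the HR system
$employees = @'
GivenName,Surname,SamAccountName
Ali,Hosseini,ahosseini
Joe,Smith,joes
'@ | ConvertFrom-Csv

function New-RandomPassword {   # hypothetical helper
    param([int]$Length = 16)
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%+-=?@'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    $next = { $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) }  # one CSPRNG draw
    # One character from each class (to satisfy complexity rules), the rest from all classes
    $chars = foreach ($i in 0..($Length - 1)) {
        $set = if ($i -lt $classes.Count) { $classes[$i] } else { -join $classes }
        $set[[int]((& $next) % $set.Length)]
    }
    # Shuffle so the guaranteed characters do not sit at fixed positions
    -join ($chars | Sort-Object { & $next })
}

$created = foreach ($e in $employees) {
    $plain  = New-RandomPassword
    $params = @{
        Name                  = "$($e.GivenName) $($e.Surname)"
        GivenName             = $e.GivenName
        Surname               = $e.Surname
        DisplayName           = "$($e.GivenName) $($e.Surname)"
        SamAccountName        = $e.SamAccountName
        UserPrincipalName     = "$($e.SamAccountName)@$upnSuffix"
        Path                  = $parentDN
        AccountPassword       = (ConvertTo-SecureString $plain -AsPlainText -Force)
        ChangePasswordAtLogon = $true   # initial password is single-use
        Enabled               = $true
    }
    New-ADUser @params
    [pscustomobject]@{ SamAccountName = $e.SamAccountName; InitialPassword = $plain }
}
# $created holds the initial passwords: deliver them out of band, do not log them
$created
```

Add -WhatIf to the New-ADUser call for a dry run before creating the accounts.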
How to add user account in a domain
Using a graphical user interface
-
Click Finish.
Using a command-line interface
You can create a user with the built-in DSAdd utility, by using AdMod or Net User commands. Using DSAdd requires the following syntax:
> dsadd user "<UserDN>" -upn <UserUPN> -fn "<UserFirstName>" -ln "<UserLastName>" -display "<UserFirstName> <UserLastName>" -pwd <Password>
To create a user account with AdMod, use the following syntax:
> admod -b "<UserDN>" -add objectClass::user sAMAccountName::<UserName> unicodepwd::<Password> userAccountControl::512 -kerbenc
To create a user account with Net User, use the following syntax:
> Net user username /add /domain
Using VBScript
' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512
set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("user", "cn=<UserName>") ' e.g. joes
objUser.Put "sAMAccountName", "<UserName>" ' e.g. joes
objUser.Put "userPrincipalName", "<UserUPN>" ' e.g. joes@adatum.com
objUser.Put "givenName", "<UserFirstName>" ' e.g. Joe
objUser.Put "sn", "<UserLastName>" ' e.g. Smith
objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g. Joe Smith
objUser.SetInfo
' The password can only be set after the object exists in the directory
objUser.SetPassword("<Password>")
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo
Using PowerShell
To create a new Active Directory user with the Quest AD cmdlets, use the following syntax:
new-QADUser -name '<User CN>' -parentContainer '<Parent DN>' -UserPassword
'<Password>' -FirstName '<User First Name>' -LastName '<User Last Name>'
-UserPrincipalName '<User UPN>'
To create a new Active Directory user with System.DirectoryServices, use the following:
Set-Variable -name ADS_UF_NORMAL_ACCOUNT -value 512 -option Constant
$objParent = [ADSI] "LDAP://<ParentDN>"
$objUser = $objParent.Create("user", "cn=<User CN>")
$objUser.put("samaccountname", "<UserName>")
$objUser.Put("userPrincipalName", "<UserUPN>")
$objUser.Put("givenName", "<UserFirstName>")
$objUser.Put("sn", "<UserLastName>")
$objUser.Put("displayName", "<UserFirstName> <UserLastName>")
$objUser.SetInfo()
$objUser.SetPassword("<Password>")
$objUser.SetInfo()
$objUser.Put("userAccountControl", $ADS_UF_NORMAL_ACCOUNT)
$objUser.SetInfo()
A tip on creating user accounts
1- Creating a list of users in AD one by one is very time consuming. Instead, we can first make a template user for each group, like Accounting, Sales, Marketing, and so on, with a _ before its full name so that it sorts to the top of the list and is easy to reach later. We should not forget to disable these template accounts. In the template we can fill in all the information that is common to that group of users, like their department, their profile location ( \\fileserver\profiles\%username%), etc. Then, whenever we need to make a user account, we just right-click on the proper user template, select Copy, fill in the new user's information and uncheck the disabled box, and repeat this over and over for other users.
2- Keep in mind that if you have other LDAP operating systems in your network, such as UNIX systems based on Kerberos, you should use an InetOrgPerson account instead of a User account, because it is compatible with all operating systems that use LDAP.
A Tip on Clean Windows Installation
Before formatting your old hard disk drive, make sure you have done these steps:
1- Export the certificates for the Data Recovery Agent (DRA) and your other certificates from the old hard disk drive to safe media, and then import them into the new machine or the newly installed Windows.
2- Use the Files and Settings Transfer Wizard or backup & restore.
A tip on Data Recovery
Basic elements:
· Documented recovery plan
· Power protection
· Fire suppression
· Redundancy
· Fault-tolerant data storage
o Hardware-based solution
o Built-in tools
§ If you lose one drive in a mirror set or a RAID-5 set, you are not fault tolerant
· Understand tasks
· Perform drills
Redundancy:
· Clusters: one server picks up the load for another when it goes offline
· Network load balancing
· Hot spare server
· Offsite live backup
· Offsite tape storage
· Redundancy is expensive so:
o Pick level of tolerance
o Create document
Actions:
1- Use a Data Recovery Agent (DRA) in the Encrypting File System (EFS): make a .CER file with the cipher command line and add it in Local Security Policy -> Public Key Policies -> Encrypting File System
a. To disable EFS in the domain: GPEdit.msc -> Computer Config -> Windows Settings -> Security Settings -> Public Key Policies -> right-click on Encrypting File System -> All Tasks -> Delete Policy
2- Use redundancy and fault-tolerant storage like RAID-1 (mirror) and RAID-5 (stripe sets with parity)
3- Use the shadow copies feature, which works on NTFS volumes for shared files only. It is installed by default (but not enabled) on Win 2k3; on XP we need to install it with twclient.msi from the 2k3 CD; for other OSs like Win98, download shadowcopyclient.msi; Win NT doesn't support this feature. We need to enable the feature for the volume. If we see that the shadow copies take up a large amount of space, we can assign a dedicated volume for them from Volume Properties (right-click on e.g. c:\ and select Properties) -> Shadow Copies tab -> Settings
a. The Previous Versions tab of the Properties window lets us copy or restore the previous version of a changed file or changed folder (a changed folder means a file in it was deleted), but only through the network address. E.g.: if we accidentally changed a text file in c:\share folder\myfile.doc, whose share name is \\hppc\share\myfile.doc, the Previous Versions tab is not available in the properties at the local address; we must open it from \\hppc\share\myfile.doc -> Properties -> Previous Versions
4- Automated System Recovery (ASR)
a. Create backup set of: 1- system state 2- OS files 3- configuration
Note: It doesn't include data or applications, and it is not a replacement for nightly data backups
5- Back up to alternative media:
Note: always use the /UM switch with the ntbackup command, so that the backup process doesn't stop for a tape change in the drive and writes to whatever media is there.
a. Volume shadow copy
b. Backup system State includes:
i. Registry
ii. AD
iii. Sysvol