Welcome to The Experts Community! We've created this site so that the general community of Active Directory administrators has a place to ask AD-related questions, as well as questions related to identity management in general. This is also a repository of content, including numerous papers and other resources, and links to other useful Web sites, books, and online materials. We encourage you to participate: Create an account, subscribe to an RSS feed, ask a question, or offer an answer. Thanks for visiting!


LATEST ARTICLE

PowerShell Group Policy Scripts

» by JeffHicks on Mon 08 Feb 2010 · No replies

Recently I was adding some finishing touches to a chapter I worked up for Jeremy Moskowitz on PowerShell and Group Policy. Some comments had been raised about running PowerShell scripts as logon and logoff scripts and script execution policy. Leaving aside the merits of using PowerShell for a logon or logoff script (that's another article) I discovered something that I'm honestly still not sure about.  Confused? Let's start at the beginning.  First off, you need a version of the Group Policy management console running on Windows Server 2008 R2. (I don't have an older 2008 server handy to see if that version works too). When you go to create a user logon script in a GPO, you'll see the setting you've seen since Windows 2000 where you can specify a script path and parameters.  Originally I thought this was the only way you could run a PowerShell script. The script path had to be a PowerShell.exe command and any script executed would have followed the execution policy on the client. If the client was configured as Restricted, then your script wouldn't run. What I failed to notice, or perhaps I was using the wrong GPMC is that there is also a PowerShell script tab. This setting only applies to Windows 7 and Windows Server 2008 R2 clients. But now I can add a PowerShell script just as I used to with batch files and VBScript. I can store the PowerShell script with the GPO or put i
...continue reading "PowerShell Group Policy Scripts"

ANNOUNCEMENTS

Tell Us Why You Want to Go to TEC 2010! -- Win a Free Conference Pass (No Purchase Necessary)

» by Rich on Wed 20 Jan 2010 · 2 replies

We are pleased to announce a new contest to hear why you want to attend The Experts Conference 2010 happening April 25-28 in Los Angeles featuring advanced training on Microsoft Directory & Identity, Exchange and SharePoint technologies ... "for the experts, by the experts"
...continue reading "Tell Us Why You Want to Go to TEC 2010! -- Win a Free Conference Pass (No Purchase Necessary)"


Way to restore schema?

» by Anonymous on Tue 29 Dec 2009 · No replies

Our company recently installed an app that extended the AD schema. Then they decided not to buy the app. Sigh. Now I am told we MUST remove the schema extensions. Yes, I know they are permanent. Is there a way to rely on recent backups (this was a couple of days ago, so not too far past) to restore... what, the entire forest?
...continue reading "Way to restore schema?"

Ok to add 2008 DC to 2003 domain?

» by Anonymous on Tue 29 Dec 2009 · 1 reply

Any problems adding a new Win2008 (probably R2) DC to an existing 2003 forest? Everything just runs in 2003 mode, right?
...continue reading "Ok to add 2008 DC to 2003 domain?"

Tell Us Why You Want to Go to TEC 2010! -- Win a Free Conference Pass (No Purchase Necessary)

» by Rich on Thu 04 Feb 2010 · Liked by 2 people · 2 replies

We are pleased to announce a new contest to hear why you want to attend The Experts Conference 2010 happening April 25-28 in Los Angeles featuring advanced training on Microsoft Directory & Identity, Exchange and SharePoint technologies ... "for the experts, by the experts". To enter, simply post a comment or response to this Discussion explaining why you want to attend TEC 2010. Your creativity is welcome! Examples can include - but are not limited to: The experts you want to hear from most What you intend to learn or discuss Your experience in attending prior TEC events More... Prize is valued at $1,845.00 USD
...continue reading "Tell Us Why You Want to Go to TEC 2010! -- Win a Free Conference Pass (No Purchase Necessary)"

Active Directory Round Up 2/4/2010

» by JeffHicks on Thu 04 Feb 2010 · No replies

Here's what's been happening in the AD/Identity space over the last week. First up the Directory Services team has a nice article on using the new Get-ADComputer cmdlet to prepare a computer inventory. When a computer boots up, its account object in AD is updated with some useful information such as operating system and service pack. You don't have to query 100 different computers. Make a single query to AD using Get-ADComputer to get all the information you need. All you need is a domain controller running Windows Server 2008 R2 or the Active Directory Gateway service. On the client side a Windows 7 desktop with RS
...continue reading "Active Directory Round Up 2/4/2010"

Can MMC be configured to connect to a specific DC upon opening?

» by Anonymous on Tue 29 Dec 2009 · 5 replies

Is there a way to create an MMC console file that, when opened, will open the AD Users and Computer snap-in pre-focused on a particular domain controller? Or will the snapin ALWAYS connect to the nearest DC or whatever it does?
...continue reading "Can MMC be configured to connect to a specific DC upon opening?"

Find user name who logged onto client?

» by Anonymous on Tue 29 Dec 2009 · Liked by 1 person · 1 reply

Does AD keep track of the last one or more users who logged into a client machine? If so, where could I query that information?
...continue reading "Find user name who logged onto client?"

Active Directory Round Up 1/28/2010

» by JeffHicks on Thu 28 Jan 2010 · No replies

AD and Identity maven Laura Hunter has a book review and recommendation, Understanding Windows Cardspace by Vittorio Bertocci, Caleb Baker and Garrett Serack. I'll admit I'm with Laura in that I haven't delved into cardspace and infocards, but perhaps I should be. The concept of Identity management has come a long way, especially once you start considering the Internet and cloud computing. According to Laura Understanding Windows Cardspace explores these concepts in a well-written and enjoyable manner. Group Policy expert and GPO Guy Darren Mar-Elia is offering a
...continue reading "Active Directory Round Up 1/28/2010"

Does AD cache passwords?

» by Anonymous on Tue 29 Dec 2009 · 3 replies

After changing their password in AD, we have some users who can still log into a third-party application using their OLD AD password. The app uses LDAP to authenticate the user. Is AD caching the old password? It seems to go away after an hour or so - could it possibly be replication taking THAT LONG for a password?
...continue reading "Does AD cache passwords?"

Get rid of PDC role?

» by Anonymous on Tue 29 Dec 2009 · 3 replies

We have a new manager (sigh) who is insisting that we can eliminate the PDC Emulator FSMO by raising our domain's functional level to 2008. All of our DCs are 2008, but we have not raised the level because we have not seen any benefit in doing so. I told the guy he's wrong and the PDC Emulator role is always there - but he insists. Who's right?
...continue reading "Get rid of PDC role?"