Question 1:- What is Active Directory?
Answer:- AD stands for Active Directory. Active Directory is a directory service used on the Windows platform within a grouping called a domain. It unifies the management and maintainability of a large group of objects such as computers, servers and users. It is also a database that can be queried and is hierarchical, replicated and extensible. The Windows server responsible for maintaining AD is called a Domain Controller; on it the database is stored in a file called NTDS.dit.
Question 2:- What is LDAP?
Answer:- LDAP stands for Lightweight Directory Access Protocol. It determines how an object in Active Directory should be named. LDAP is a proposed open standard for accessing global or local directory services over a network and/or the Internet. A directory, in this sense, is very much like a phone book. LDAP can handle other information, but at present it is typically used to associate names with phone numbers and email addresses. LDAP directories are designed to support a high volume of queries, while the data stored in the directory does not change very often. It works on port 389. LDAP is sometimes known as X.500 Lite: X.500 is an international standard for directories and is full-featured, but it is also complex, requiring a lot of computing resources and the full OSI stack. LDAP, in contrast, can run easily on a PC over TCP/IP. LDAP can access X.500 directories but does not support every capability of X.500.
Question 3:- Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Answer:- Yes, we can connect Active Directory to other 3rd-party directories. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party directory services, including the directories used by SAP, Domino, Novell Directory, etc.
Question 4:- Where is the AD database held? What other folders are related to AD?
Answer:- NTDS.DIT is the AD database, stored in %SystemRoot%\ntds\NTDS.DIT.
The AD database is held in the NTDS folder, and the SYSVOL folder is also part of AD. To back up AD you need to take a "System State" backup.
Question 5:- What is the SYSVOL folder?
Answer:- Every domain controller has a shared folder in its local file system that is the file system component of Active Directory. This shared folder, named SYSVOL, contains files and folders that must be available and synchronized between domain controllers in a domain, including:
1) The NETLOGON shared folder, which includes system policies and user-based logon and logoff scripts for non-Windows Server 2003 and non-Windows 2000 network clients, such as clients running Windows 95, Windows 98, and Windows NT 4.0.
2) Windows Server 2003 and Windows 2000 system policies.
3) Group Policy settings (templates), including Group Policy settings for Domain Controllers running Windows Server 2003 or Windows 2000.
Question 6:- Name the AD NCs and replication issues for each NC?
Answer:- The three NCs (naming contexts) are:
1) Schema NC
2) Configuration NC
3) Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers and other objects that reside within a particular Active Directory domain.
Question 7:- What are application partitions? When do I use them?
Answer:- An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
Question 8:- How do you create a new application partition?
Answer:- Start >> Run >> CMD, then type "ntdsutil" and press Enter.
ntdsutil: domain management (press Enter)
domain management: create nc dc=<partition name>,dc=<domain>,dc=com <DNS name of the DC that will host the partition>
The first argument is the distinguished name of the new application partition; the second is the domain controller that will hold its first replica.
Question 9:- How do you view replication properties for AD partitions and DCs?
Answer:- By using Active Directory Replication Monitor. Start--> Run--> Replmon
Question 10:- What is the Global Catalog?
Answer:- The global catalog contains a complete replica of all objects in Active Directory for its Host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. The global catalog contains:
1) The commonly used attributes needed in queries, such as a user's first and last name, and logon name.
2) All the information or records which are important to determine the location of any object in the directory.
3) A default subset of attributes for each object type.
4) All the access related permissions for every object and attribute that is stored in the global catalog. Without permission you can't access or view the objects. If you are searching for an object where you do not have the appropriate permissions to view, the object will not appear in the search results. These access permissions ensure that users can find only objects to which they have been assigned access.
Question 11:- How do you view all the GCs in the forest?
Answer:- C:\>repadmin /showreps <domain_controller>
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services, or nslookup gc._msdcs.%USERDNSDOMAIN%
Question 12:- Why not make all DCs in a large forest as GCs?
Answer:- If too many DCs are configured as GC servers, it causes replication overhead between the DCs across the forest, because each GC must also replicate the partial replica of every other domain.
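As an added illustration (not part of the original post), the following PowerShell lists the Global Catalog servers in the forest and compares the GC count with the DC count in each domain, which is the trade-off Questions 11 and 12 discuss. It assumes the RSAT ActiveDirectory module and a domain-joined session; the _gc._tcp SRV lookup at the end is the cmdlet form of the nslookup given above.

```powershell
# Added example: enumerate Global Catalog servers and compare with DC counts.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-level view: the GlobalCatalogs property lists every GC by DNS name.
Write-Host "Global Catalog servers in forest $($forest.Name):"
$forest.GlobalCatalogs | Sort-Object | ForEach-Object { Write-Host "  $_" }

# Per-domain view: how many of each domain's DCs are GCs. When every DC is a GC,
# each of them carries a partial replica of every other domain in the forest,
# which is the replication overhead Question 12 refers to.
foreach ($domainName in $forest.Domains) {
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
    [PSCustomObject]@{
        Domain   = $domainName
        DCs      = $dcs.Count
        GCs      = $gcs.Count
        AllAreGC = ($dcs.Count -eq $gcs.Count)
    }
}

# DNS cross-check: every DC that registers itself as a GC publishes an SRV
# record under _gc._tcp.<forest root domain>.
Resolve-DnsName -Name "_gc._tcp.$($forest.RootDomain)" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight
```

A DC that appears in the SRV records but not in the GlobalCatalogs list (or vice versa) points at a DNS registration or replication problem worth checking with repadmin.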
Question 13:- Trying to look at the Schema, how can I do that?
Answer:- From the Active Directory Schema snap-in. Before that you have to register the schmmgmt.dll file by running regsvr32.exe schmmgmt.dll at a command prompt.
Question 14:- What are the Support Tools? Why do I need them?
Answer:- The Support Tools are a package that comes with the Microsoft Server disk and contains many essential tools for administrators who work with Active Directory. The Support Tools are an invaluable source of information and provide numerous tools that aid administrators in their daily tasks.
Question 15:- What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
Answer:- All of the above are AD tools:
Replmon – replication monitoring and troubleshooting.
Adsiedit – editing objects in Active Directory.
Netdom – managing domains and trust relationships.
Repadmin – diagnosing replication issues between domain controllers.
Question 16:- What are sites? What are they used for?
Answer:- Sites in Active Directory represent the physical network structure of Active Directory, based on one or more subnets. Each site in Active Directory corresponds to a well-connected network, which is why sites are sometimes referred to as the physical structure of AD. Sites are created according to locations and connection quality, and a site can include one or more domains. Creating sites lets you control replication traffic over WAN links; in this way sites help define the AD replication topology.
Question 17:- What's the difference between a site link's schedule and interval?
Answer:- The schedule lets you list the weekdays or hours when the site link is available for replication. The interval is how often inter-site replication recurs within that available window, in minutes. It ranges from 15 to 10,080 minutes; the default interval is 180 minutes.
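As an added example (not from the original post), this PowerShell reads each site link's interval and raw schedule and checks them against the range given above. It assumes the RSAT ActiveDirectory module; the decoding of the schedule attribute follows the SCHEDULE layout (a 20-byte header followed by 7 days x 24 hours, one byte per hour whose low four bits are the 15-minute slots), which is stated here as my understanding of that structure.

```powershell
# Added example: list site links with their replication interval and the
# number of hours per week the schedule makes them available.
# Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-SiteLinkHoursPerWeek {
    # Decodes the raw 'schedule' attribute. Layout assumed here: 20-byte header,
    # then 168 bytes (7 days x 24 hours); bits 0-3 of each byte are the four
    # 15-minute slots of that hour. An absent schedule means always available.
    param([byte[]]$Schedule)
    if (-not $Schedule) { return 168 }
    $slots = 0
    for ($i = 20; $i -lt $Schedule.Length; $i++) {
        $nibble = $Schedule[$i] -band 0x0F
        foreach ($bit in 1, 2, 4, 8) {
            if ($nibble -band $bit) { $slots++ }
        }
    }
    return $slots / 4
}

Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, schedule, Cost |
    ForEach-Object {
        $interval = [int]$_.ReplicationFrequencyInMinutes
        [PSCustomObject]@{
            SiteLink        = $_.Name
            Cost            = $_.Cost
            IntervalMinutes = $interval
            InRange         = ($interval -ge 15 -and $interval -le 10080)
            IsDefault       = ($interval -eq 180)
            HoursPerWeek    = Get-SiteLinkHoursPerWeek -Schedule $_.schedule
        }
    } | Format-Table -AutoSize
```

A link whose HoursPerWeek is small combined with a long interval means a change (a disabled account, a password reset) can take many hours to reach the remote site, which is worth knowing before relying on replication for an urgent security change.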
Question 18:- What is the KCC?
Answer:- The KCC is the Knowledge Consistency Checker, which creates the connection objects that link DCs into a common replication topology and dictates the replication routes from one DC to another in an Active Directory forest. Its default run interval is 15 minutes. The KCC has two algorithms: the intrasite KCC, which is responsible for connections within a site, and the Intersite Topology Generator (ISTG), which is responsible for connections among sites.
Question 19:- What is the ISTG? Who has that role by default?
Answer:- The Intersite Topology Generator (ISTG) is responsible for the connections among the sites. By default, Windows 2003 forest-level functionality has this role.
Question 20:- What are the requirements for installing AD on a new server?
Answer:- 1) An NTFS partition with enough free space
2) An Administrator's username and password
3) The correct operating system version
4) A NIC
5) Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
6) A network connection (to a hub or to another computer via a crossover cable)
7) An operational DNS server (which can be installed on the DC itself)
8) A Domain name that you want to use.
9) The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
Question 21:- What can you do to promote a server to DC if you're in a remote location with slow WAN link?
Answer:- Take a System State backup from another DC and restore it locally on the server that is going to be the next domain controller. Run dcpromo /adv, which will prompt in the next screen for the path of the restored System State backup. This prevents replication of the entire directory over the slow network.
Question 22:- How can you forcibly remove AD from a server, and what do you do later?
Answer:- dcpromo /forceremoval. After this command we seize any domain controller roles it held, and then we use NTDSUTIL to clean up the metadata.
Question 23:- Can I get user passwords from the AD database?
Answer:- No, the password is stored in a hashed state and cannot be retrieved.
Question 24:- What tool would I use to try to grab security related packets from the wire?
Answer:- By using Network Monitor utility under Administrative Tools.
Question 25:- Name some OU design considerations.
Answer:- 1) Flat organizational unit structure: 1 or 2 levels
2) Narrow organizational unit structure: 3 to 5 levels
3) Deep organizational unit structure: more than 5 levels
Question 26:- What is tombstone lifetime attribute?
Answer:- The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is stored on the Directory Service object in the configuration NC.
Question 28:- How would you find all users that have not logged on since last month?
Answer:- You can check the attribute of the user object called "lastLogonTimestamp".
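As an added example (not from the original post), this PowerShell finds enabled users whose lastLogonTimestamp is older than 30 days or absent. It assumes the RSAT ActiveDirectory module; the 30-day window is a constructed choice. The attribute is a FILETIME (100-nanosecond ticks since 1601 UTC) and is replicated only when the stored value is more than 9 to 14 days old, so treat the result as accurate to about two weeks, not to the day.

```powershell
# Added example: stale user accounts based on lastLogonTimestamp.
# Assumes the ActiveDirectory RSAT module; the 30-day cutoff is constructed.
Import-Module ActiveDirectory

function Get-StaleUser {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
        ForEach-Object {
            # lastLogonTimestamp is a FILETIME; it is absent for accounts that have
            # never logged on to any DC since the attribute was introduced.
            $last = if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            } else { $null }
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                LastLogon      = $last
                Created        = $_.whenCreated
                NeverLoggedOn  = ($null -eq $last)
            }
        } |
        Where-Object { $_.NeverLoggedOn -or $_.LastLogon -lt $cutoff } |
        Sort-Object LastLogon
}

Get-StaleUser -Days 30 | Format-Table -AutoSize

# The built-in equivalent, which applies the same attribute with the same caveat:
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(30)) -UsersOnly |
    Select-Object SamAccountName, LastLogonDate
```

Accounts with NeverLoggedOn set but an old Created date are the ones to review first: they are enabled, have never been used, and are exactly what stale-account clean-up is meant to catch.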
Question 29:- What are the DS* commands?
Answer:- You really are spoilt for choice when it comes to scripting tools for creating Active Directory objects. In addition to CSVDE, LDIFDE and VBScript, we now have the built-in DS family of utilities:
DSmod – modify Active Directory attributes
DSrm – delete Active Directory objects
DSmove – relocate objects
DSadd – create new accounts
DSquery – find objects that match your query attributes
DSget – list the properties of an object
Question 30:- What's the difference between LDIFDE and CSVDE? Usage considerations?
Answer:- CSVDE is a command that can be used to import and export objects to and from AD using a CSV-formatted file. A CSV (Comma Separated Value) file is easily readable in Excel. I will not go into this powerful command at length, but I will show some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users.
LDIFDE is a command that can be used to import and export objects to and from the AD into a LDIF-formatted file. A LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor, however it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
Question 31:- What are the FSMO roles? Who has them by default? What happens when each one fails?
Answer:- While Active Directory in general uses a multimaster replication scheme for replicating the directory database between domain controllers, certain directory functions must be performed on one specific domain controller. These functions are defined by flexible single master operations (FSMO) roles (pronounced "fiz-moe roles"), and at any time each role is uniquely assigned to a specific domain controller in the different Active Directory domains. By default the GCS (Global Catalog Server) holds all the roles.
If any one of them fails, the effects are as follows:-
Schema Master – Schema updates are not available. These are generally planned changes, and the first step when doing a schema change is normally something like "make sure your environment is healthy". There is no urgency if the schema master fails; having it offline is largely irrelevant until you want to make a schema change.
Domain Naming Master – No new domains or application partitions can be added. This falls into the same "healthy environment" bucket as the schema master. When we upgraded the first DC to a beta Server 2003 OS, which included the code to create the DNS application partitions, we couldn't figure out why they weren't instantiated until we realized that the server hosting the DNM was offline (being upgraded) at the same time.
Infrastructure Master – No cross-domain updates, and no domain preps can be run. Domain preps are planned (again), but the loss of cross-domain updates could be important if you have a multi-domain environment with a lot of changes occurring.
RID Master – New RID pools cannot be issued to DCs. This gets a bit more complicated, but let me see if I can make it easy. Every DC is initially issued 500 RIDs. When it gets down to 50% (250) it requests a second pool of RIDs from the RID master. So when the RID master goes offline, every DC has anywhere between 250 and 750 RIDs available (depending on whether it has hit 50% and received the new pool).
PDC – Time, logons, password changes, trusts. So we made it to the bottom of the list, and by this point you've figured out that the PDC is the most urgent FSMO role holder to get back online. The rest of them can be offline for varying amounts of time with no impact at all. Users may see funky behavior if they changed their password, but replication will probably have completed before they call the help desk, so nothing to worry about, and trusts go back to that whole "healthy forest" thing again.
Question 32:- What FSMO placement considerations do you know of?
Answer:- Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
Single Domain Forest:- In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest.
You should also configure all the domain controller as Global Catalog servers. This will NOT place additional stress on the DCs, while allowing GC-related applications (such as Exchange Server) to easily perform GC queries.
Multiple Domain Forest:- In a multiple domain forest, use the following guidelines:
1) In the forest root domain: if all domain controllers are also global catalog servers, leave all of the FSMO roles on the first DC in the forest. If not all domain controllers are global catalog servers, move all of the FSMO roles to a DC that is not a global catalog server.
2) In each child domain, leave the PDC emulator, RID master and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server (unless the child domain contains only one DC, in which case you have no choice but to leave it in place).
3) Configure a standby operations master: for each server that holds one or more operations master roles, make another DC in the same domain available as a standby operations master. Making a DC a standby operations master involves the following:
The standby operations master should not be a global catalog server, except in a single domain environment where all domain controllers are also global catalog servers.
The standby operations master should have a manually created replication connection to the domain controller that it is the standby for, and it should be in the same site.
Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role because it minimizes replication latency.
Question 33:- I want to look at the RID allocation table for a DC. What do I do?
Answer:- You can check the RID allocation table or pool by running this "dcdiag /v" at command prompt.
Question 34:- What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
Answer:- In an FSMO role transfer, the existing role master relinquishes its role to the target server. Both servers ensure that the proper directory objects get updated in each other's replica of the naming context that contains the role object.
In an FSMO role seizure, the target server asks permission first, but takes the role anyway regardless of the answer. The DC that seizes the role makes the necessary changes to the directory objects in its own replica of the naming context that contains the role object.
If you want the original FSMO holder DC to come back onto the network, avoid seizing the Schema Master, Domain Naming Master and RID Master roles. A machine that once served one of those roles must be reformatted and reinstalled before it returns. If two Schema Masters attempt to operate in the same Active Directory forest, the forest becomes inoperable.
Question 35:- How do you configure a "stand-by operation master" for any of the roles?
Answer:- A standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. A single domain controller can act as the standby operations master for all of the operations master roles in a domain, or you can designate a separate standby for each operations master role.
No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby should be well connected. This means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, configure the current role holder and the standby as direct replication partners by manually creating a Connection object between them.
Configuring a replication partner can save some time if you must reassign any operations master roles to the standby operations master. Before transferring a role from the current role holder to the standby operations master, ensure that replication between the two computers is functioning properly. Because they are replication partners, the new operations master is as updated as the original operations master, thus reducing the time required for the transfer operation.
During role transfer, the two domain controllers exchange any unreplicated information to ensure that no transactions are lost. If the two domain controllers are not direct replication partners, a substantial amount of information might need to be replicated before the domain controllers completely synchronize with each other. The role transfer requires extra time to replicate the outstanding transactions. If the two domain controllers are direct replication partners, fewer outstanding transactions exist and the role transfer operation completes sooner.
Designating a domain controller as a standby also minimizes the risk of role seizure. By making the operations master and the standby direct replication partners, you reduce the chance of data loss in the event of a role seizure, thereby reducing the chances of introducing corruption into the directory.
Question 36:- How do you backup AD?
Answer:- Start >> Run >> type "ntbackup". When the backup screen appears, take a backup of SYSTEM STATE; it backs up all the necessary information about the system, including AD, DNS (AD integrated), etc.
Question 37:- How do you restore AD?
Answer:- There are 2 ways to restore the AD:-
Non-Authoritative Restore:- A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
Restart the domain controller in Directory Services Restore Mode
Restore the backup by using ntbackup.exe command from command prompt.
Authoritative Restore:- An authoritative restore process returns a designated object or container of objects to its state at the time of the backup. For example, you might need to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) containing a large number of users. If you restore the server from backup, the normal, nonauthoritative restore process does not restore the inadvertently deleted OU because the restored domain controller is updated following the restore process to the current status of its replication partners, which have deleted the OU. Recovering the deleted OU requires authoritative restore. You can use authoritative restore to mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain.
When an object is marked for authoritative restore, its version number is changed so that it is higher than the existing version number of the (deleted) object in the Active Directory replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest.
For this type of restore you use the NTDSUTIL.exe utility.
Question 38:- How do you change the DS Restore admin password?
Answer:- The process to change the DSRM admin password is as follows:-
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restart, press F8 to view advanced startup options.
4. Click the Directory Services Restore Mode option.
5. After you log on, use one of the following methods to change the local Administrator password:
At a command prompt, type the following command:
net user administrator *
Or use the Local Users and Groups snap-in (lusrmgr.msc) to change the Administrator password.
6. Shut down and restart the computer.
Now you can use the Administrator account to log on to the Recovery Console or Directory Services Restore Mode using the new password.
Question 39:- Why can't you restore a DC that was backed up 4 months ago?
Answer:- Because the tombstone lifetime attribute determines how long an AD backup stays valid, and by default it considers the AD backup valid for 60 days. After that the backup is no longer recognized, which is why we can't restore a DC that was backed up 4 months ago. It can be done, however, by editing the default tombstone lifetime.
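As an added example serving Questions 26 and 39 (not from the original post), this PowerShell reads the tombstoneLifetime attribute from the Directory Service object in the configuration NC and checks whether a backup of a given age is still within it. It assumes the RSAT ActiveDirectory module; the four-month-old backup date is constructed, and the 60-day fallback is the value the answer above gives for an unset attribute.

```powershell
# Added example: read tombstoneLifetime and test whether a backup is still usable.
# Assumes the ActiveDirectory RSAT module; the sample backup date is constructed.
Import-Module ActiveDirectory

# The attribute lives on CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
$rootDse  = Get-ADRootDSE
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                         -Properties tombstoneLifetime

# When the attribute is not set, the directory behaves as if it were 60 days,
# the default quoted in the answer above.
$tombstoneLifetime = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

function Test-BackupUsable {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        [datetime]$Now = (Get-Date)
    )
    # A backup older than the tombstone lifetime would reintroduce objects whose
    # tombstones have already been garbage-collected, so it is refused.
    $ageDays = [int]($Now - $BackupDate).TotalDays
    [PSCustomObject]@{
        BackupDate            = $BackupDate
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Usable                = ($ageDays -lt $TombstoneLifetimeDays)
        DaysRemaining         = [Math]::Max(0, $TombstoneLifetimeDays - $ageDays)
    }
}

# Constructed sample: the four-month-old backup from Question 39.
Test-BackupUsable -BackupDate (Get-Date).AddMonths(-4) -TombstoneLifetimeDays $tombstoneLifetime

# A second sample: a backup taken last week.
Test-BackupUsable -BackupDate (Get-Date).AddDays(-7) -TombstoneLifetimeDays $tombstoneLifetime
```

DaysRemaining is the useful number for a backup rotation: if it is close to zero for your newest System State backup, the backup schedule is too sparse for the forest's tombstone lifetime.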
Question 40:- What are GPOs?
Answer:- A Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users. The GPO is associated with selected Active Directory containers, such as sites, domains or organizational units (OUs). The MMC allows you to create a GPO that defines registry-based policies, security options, software installation and maintenance options, script options and folder redirection options.
Question 41:- What is the order in which GPOs are applied?
Answer:- Group Policy settings are processed in the following order:
1) Local Group Policy Objects: Each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2) Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3) Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4) Organizational Units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
Question 42:- Name a few benefits of using GPMC.
Answer:- GPMC's list of features reads like a Group Policy administrator's wish list. GPMC has a new user interface that lets you view Group Policy Objects (GPOs) across domains and even forests in an intuitive and useful way. You can now generate HTML reports on GPO settings even if you don't have write access to the GPO. You can back up and restore GPOs, export them from one domain and import them into another, and even perform mapping operations to a different set of security principals and Universal Naming Convention (UNC) paths between domains. GPMC also incorporates Resultant Set of Policies (RSoP), the most requested Group Policy enhancement for Windows 2003. You can use the Windows Management Instrumentation Query Language (WQL) to build Windows Management Instrumentation (WMI) filters. GPMC even has a tool that lets you search for GPOs within a domain or across all domains in a forest.
Question 43:- What are the GPC and the GPT? Where can I find them?
Answer:- GPC: The Group Policy Container (GPC) is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO.
GPT: The other part of the GPO is the Group Policy Template (GPT), which is responsible for storing the specific settings created within the GPO. The GPT is stored in the Policies subfolder under the SYSVOL folder on each domain controller. The GPT includes key files and folders including:
1) GPT.ini
2) Machine and User folders
3) GptTmpl.inf
4) Registry.pol
5) Scripts (Logon, Logoff, Startup and Shutdown) folders
The GPC is stored at the domain level as a virtual object consisting of a Group Policy container.
The GPT is located under the SYSVOL folder.
Question 44:- What are GPO links? What special things can I do to them?
Answer:- GPO Links A Group policy is associated to an active directory container by a link. You can link the GPO to three types of Active Directory Objects: Sites, Domains & OUs. A GPO can be linked to several containers. Alternatively a container can be associated with several GPOs.
Question 45:- What can I do to prevent inheritance from above?
Answer:- Check mark the Block Inheritance option.
Question 46:- How can I override blocking of inheritance?
Answer:- Check mark the "Enforced" option (if you are using GPMC) or "No Override" (if you are using the default Group Policy Editor).
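As an added example covering Questions 41, 45 and 46 (not from the original post), this PowerShell simulates the processing order described above: local GPO first, then site, domain and OUs from the top down, lowest link order processed last, non-enforced links above a Block Inheritance dropped, and enforced links processed after everything else with the highest container's enforced link winning. The container path, GPO names and link orders are constructed sample data; the cmdlet in the closing comment is the real-world cross-check.

```powershell
# Added example: simulate LSDOU processing order with Block Inheritance and
# Enforced links. All container and GPO names below are constructed sample data.

function Get-GpoProcessingOrder {
    param(
        # Containers ordered from the top (site) down to the container that holds
        # the user or computer. Each has Name, BlockInheritance and Links, where
        # every link has Gpo, LinkOrder and Enforced.
        [Parameter(Mandatory)][object[]]$Path
    )
    $order = [System.Collections.Generic.List[string]]::new()
    $order.Add('Local GPO')                      # always first, lowest precedence

    # Only the deepest Block Inheritance matters: every non-enforced link from a
    # container above it is dropped.
    $blockAt = -1
    for ($i = 0; $i -lt $Path.Count; $i++) {
        if ($Path[$i].BlockInheritance) { $blockAt = $i }
    }

    $enforcedByContainer = @()
    for ($i = 0; $i -lt $Path.Count; $i++) {
        # Lowest link order is processed last, so walk links in descending order.
        $links = @($Path[$i].Links | Sort-Object LinkOrder -Descending)
        $enforcedByContainer += ,@($links | Where-Object { $_.Enforced })
        if ($i -lt $blockAt) { continue }        # blocked by a container below
        foreach ($link in ($links | Where-Object { -not $_.Enforced })) {
            $order.Add($link.Gpo)
        }
    }

    # Enforced links ignore Block Inheritance and are processed after all others;
    # the enforced link from the highest container is processed last and wins.
    for ($i = $enforcedByContainer.Count - 1; $i -ge 0; $i--) {
        foreach ($link in $enforcedByContainer[$i]) { $order.Add($link.Gpo) }
    }
    return $order.ToArray()
}

# Constructed sample: a workstation OU that blocks inheritance under a domain
# whose Default Domain Policy link is Enforced.
$path = @(
    [pscustomobject]@{ Name = 'Site: HQ'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Site-Proxy';            LinkOrder = 1; Enforced = $false }) }
    [pscustomobject]@{ Name = 'Domain: example.local'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Default Domain Policy'; LinkOrder = 1; Enforced = $true  },
        [pscustomobject]@{ Gpo = 'Domain-Audit';          LinkOrder = 2; Enforced = $false }) }
    [pscustomobject]@{ Name = 'OU=Corp'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Corp-Baseline';         LinkOrder = 1; Enforced = $false }) }
    [pscustomobject]@{ Name = 'OU=Workstations'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Gpo = 'WS-Hardening';          LinkOrder = 1; Enforced = $false },
        [pscustomobject]@{ Gpo = 'WS-Apps';               LinkOrder = 2; Enforced = $false }) }
)

$order = Get-GpoProcessingOrder -Path $path
"Processing order (last one wins on conflicts): " + ($order -join ' -> ')

# Against a real domain, GPMC's view of the same thing for a given OU:
# (Get-GPInheritance -Target 'OU=Workstations,OU=Corp,DC=example,DC=local').InheritedGpoLinks
```

With this sample the simulation yields Local GPO, then WS-Apps, then WS-Hardening, then Default Domain Policy: Site-Proxy, Domain-Audit and Corp-Baseline are dropped by the block on OU=Workstations, the two OU links follow link order, and the enforced domain link is applied last so its password and audit settings cannot be overridden below it.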
Question 47:- How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Answer:- I will generate a GP Result Report for that. Procedure:-
To generate a Group Policy Results report
1) Open the Group Policy Management Console.
2) In the console tree, double-click the forest in which you want to create a Group Policy Results query. Right-click Group Policy Results and then click Group Policy Results Wizard.
3) In the Group Policy Results Wizard, click Next and enter the appropriate information.
4) After completing the wizard, click Finish.
Question 48:- A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Answer:-
Question 49:- Name some GPO settings in the computer and user parts.
Answer:- Here are some GPO settings in the computer and user parts:-
1) Minimum Password Length
2) Maximum Password Age
3) Password Complexity
4) Last Logged-On User Name
5) User Rights Assignment
6) Everyone Group Permissions and Anonymous Users
7) Process GPO Security Settings at Every Refresh
Question 50:- What are administrative templates?
Answer:- Administrative Templates are a feature of Group Policy, a Microsoft technology for centralized management of machines and users in an Active Directory environment.
Question 51:- What's the difference between software publishing and assigning?
Answer:- Publishing: The software application does not appear on the Start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
Assigning: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the Start menu, or accesses a file that has been associated with the software application.
Question 52:- Can I deploy Non-MSI software with GPO?
Answer:- Yes. An application without a Windows Installer (.msi) package can be deployed through Group Policy by describing it in a .zap file, a small text file that names the program and the command that installs it. The limits matter: a .zap application can only be published to users (never assigned, and never deployed to computers), the setup command runs with the user's own rights, so it fails if the installer needs administrative privileges, and there is no self-repair or rollback because Windows Installer is not involved.
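A complete .zap file, added here as an example and not taken from the original post. The share path, product name and version are placeholders; only FriendlyName and SetupCommand are required, and the [Ext] section is optional.

```ini
; LegacyTool.zap - publish a non-MSI setup through Group Policy (example file,
; placeholder names). Save it on a share that the target users can read and point
; the GPO's Software Installation policy at it as a "ZAW Down-level application".
[Application]
; Name shown in Add/Remove Programs
FriendlyName = "Contoso Legacy Tool 2.1"
; Full UNC path to the installer; quote it because the path contains spaces.
; Runs as the logged-on user, so the installer must not require admin rights.
SetupCommand = "\\fileserver\software\Legacy Tool\setup.exe" /quiet
; Optional, informational only
DisplayVersion = 2.1
Publisher = Contoso
URL = http://intranet.contoso.com/software/legacytool

[Ext]
; Optional: opening a file with this extension installs the published application
LGT=
```

Because SetupCommand is executed verbatim from the share, restrict write access on that share to the administrators who maintain the packages; anyone who can edit the .zap file or replace setup.exe controls what every subscribed user runs at install time.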
-------------------
Client_UserProfileSize.MOF (client side: defines the WMI class in root\cimv2 through the registry provider, so each subkey under HKLM\SOFTWARE\DesktopOptimization\UserProf becomes one instance and each PropertyContext names the registry value that fills the property):
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_UserProfileSize",NOFAIL)
[ dynamic,
provider("RegProv"),
ClassContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\DesktopOptimization\\UserProf")
]
class Win32Reg_UserProfileSize
{
[key]
string Profile;
[PropertyContext("Application Data")]
string ApplicationData;
[PropertyContext("Desktop")]
string Desktop;
[PropertyContext("My Documents")]
string MyDocuments;
[PropertyContext("Local Settings")]
string LocalSettings;
[PropertyContext("ScriptRunOn")]
string ScriptRunOn;
[PropertyContext("TotalSize")]
string TotalSize;
[PropertyContext("RECYCLER")]
string RECYCLER;
};
Server_side_sms_MOF.MOF (server side: marks the classes for hardware inventory with SMS_Report(TRUE) so the inventory agent collects them):
[ SMS_Report (TRUE),
SMS_Group_Name ("DiskActivity"),
SMS_Class_ID ("MICROSOFT|Disk_Activity|1.0") ]
class Win32Reg_DiskActivity : SMS_Class_Template
{
[SMS_Report (TRUE) ]
string Activity;
[SMS_Report (TRUE) ]
string CleanDate;
[SMS_Report (TRUE) ]
string DefragAnalysis;
[SMS_Report (TRUE)]
string DefragDate;
[SMS_Report (TRUE)]
string DefragStatus;
[SMS_Report (TRUE)]
string DiskClean_status;
[SMS_Report (TRUE)]
string DiskCleanLast_CleanDate;
[SMS_Report (TRUE)]
string DiskSpace;
[SMS_Report (TRUE)]
string Last_DefragDate;
};
[ SMS_Report (TRUE),
SMS_Group_Name ("UserProfile"),
SMS_Class_ID ("MICROSOFT|UserProfileSize|1.0") ]
class Win32Reg_UserProfileSize : SMS_Class_Template
{
[SMS_Report (TRUE) ]
string Profile;
[SMS_Report (TRUE) ]
string ApplicationData;
[SMS_Report (TRUE) ]
string Desktop;
[SMS_Report (TRUE)]
string MyDocuments;
[SMS_Report (TRUE)]
string LocalSettings;
[SMS_Report (TRUE)]
string ScriptRunOn;
[SMS_Report (TRUE)]
string TotalSize;
[SMS_Report (TRUE)]
string RECYCLER;
};
VBScript: UserProfileSize_Recycler.vbs (populates the registry key that the Win32Reg_UserProfileSize class above reads):
' UserProfileSize_Recycler.vbs
' Measures the size of the last logged-on user's profile and of C:\RECYCLER and
' writes the figures (in MB) under HKLM\SOFTWARE\DesktopOptimization\UserProf\<user>,
' where the registry-backed Win32Reg_UserProfileSize class picks them up for
' hardware inventory. Must run elevated: it writes to HKLM.
Option Explicit

Dim sNode, oReg, sPath, sValueName, sValue, ScriptRunOn
Dim strKeyPath, strKeyPath1, path, FSO, Folder, subFolder

sNode = "."
Const MBCONVERSION = 1048576
Const HKEY_LOCAL_MACHINE = &H80000002

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & sNode & "\root\default:StdRegProv")

' DefaultUserName under Winlogon is the account shown on the logon screen, i.e. the
' last interactive user. If it is missing there is no profile to measure, so stop.
sPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
sValueName = "DefaultUserName"
If oReg.GetStringValue(HKEY_LOCAL_MACHINE, sPath, sValueName, sValue) <> 0 _
    Or IsNull(sValue) Or sValue = "" Then
    WScript.Echo "DefaultUserName not found in the Winlogon key; nothing to measure."
    WScript.Quit 1
End If

ScriptRunOn = Replace(Now(), "#", "")   ' timestamp of this run, stored with the figures

strKeyPath = "SOFTWARE\DesktopOptimization\UserProf\"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strKeyPath1 = strKeyPath & sValue       ' one subkey per user = one class instance
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath1

' Profile root in the Windows XP / Server 2003 layout, which is where the folder
' names used by the MOF (Application Data, My Documents, Local Settings) come from.
path = "C:\Documents and Settings\" & sValue
Set FSO = CreateObject("Scripting.FileSystemObject")
If Not FSO.FolderExists(path) Then
    WScript.Echo "Profile folder not found: " & path
    WScript.Quit 1
End If
Set Folder = FSO.GetFolder(path)

oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, "TotalSize", SizeInMB(Folder)
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, "ScriptRunOn", ScriptRunOn

' One value per top-level profile folder, named after the folder so that the
' PropertyContext entries in the MOF ("Desktop", "My Documents", ...) match it.
For Each subFolder In Folder.SubFolders
    oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, subFolder.Name, SizeInMB(subFolder)
Next

Call GetRecycleBinSize

' Size of a folder tree in whole MB, or an error marker: Folder.Size raises
' "Permission denied" as soon as one subfolder cannot be listed, which would
' otherwise abort the script before anything is written.
Function SizeInMB(oFolder)
    On Error Resume Next
    SizeInMB = FormatNumber(oFolder.Size / MBCONVERSION, 0)
    If Err.Number <> 0 Then
        SizeInMB = "Error " & Err.Number & ": " & Err.Description
        Err.Clear
    End If
End Function

' Size of the shared Recycle Bin folder on the system drive (XP layout). The value
' is written either way, under the name the MOF expects, so the inventory shows
' that the check ran.
Sub GetRecycleBinSize
    Dim oFolder
    If FSO.FolderExists("C:\Recycler") Then
        Set oFolder = FSO.GetFolder("C:\Recycler")
        oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, "RECYCLER", SizeInMB(oFolder)
    Else
        oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, "RECYCLER", "Folder C:\RECYCLER Not Found"
    End If
End Sub
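A check that the two halves fit together: the script has written the registry values, the client MOF compiles, and the WMI class actually returns them, which is what the hardware inventory agent will see. This is an added example, not code from the original post; it assumes it is saved as a .ps1 next to Client_UserProfileSize.mof and UserProfileSize_Recycler.vbs and is run from an elevated prompt.

```powershell
# Added example: populate the registry with the script, compile the MOF, and confirm the
# registry-backed class returns the values. Assumes the .mof and .vbs sit beside this
# .ps1 file (an assumption of the example) and that the prompt is elevated.
$ErrorActionPreference = 'Stop'
$mofFile = Join-Path $PSScriptRoot 'Client_UserProfileSize.mof'
$vbsFile = Join-Path $PSScriptRoot 'UserProfileSize_Recycler.vbs'
$regKey  = 'HKLM:\SOFTWARE\DesktopOptimization\UserProf'

# 1. Write HKLM\SOFTWARE\DesktopOptimization\UserProf\<user>; the script exits 1 when it
#    cannot find a user or a profile folder.
& cscript.exe //nologo $vbsFile
if ($LASTEXITCODE -ne 0) { throw "UserProfileSize_Recycler.vbs exited with $LASTEXITCODE" }

# 2. Compile the class into root\cimv2. mofcomp returns non-zero if the MOF does not parse.
& mofcomp.exe $mofFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mofcomp failed with exit code $LASTEXITCODE" }

# 3. Query it the way the inventory agent will. With the registry provider each subkey
#    under the ClassContext key is one instance and the [key] property is the subkey name.
$rows = @(Get-WmiObject -Namespace 'root\cimv2' -Class Win32Reg_UserProfileSize)
if ($rows.Count -eq 0) {
    throw "Win32Reg_UserProfileSize has no instances: check that $regKey has a per-user subkey"
}
$rows | Select-Object Profile, TotalSize, ApplicationData, Desktop, MyDocuments, LocalSettings, RECYCLER, ScriptRunOn |
    Format-Table -AutoSize

# 4. Registry values the class does not expose. The script writes one value per profile
#    subfolder, but only names listed as PropertyContext in the MOF are mapped; anything
#    else (Favorites, Start Menu, ...) is ignored by the provider, and a misspelled
#    PropertyContext shows up here as a value with no matching property.
$mapped = $rows[0].Properties | ForEach-Object { $_.Name }
foreach ($profileKey in Get-ChildItem -Path $regKey) {
    $valueNames = (Get-ItemProperty -Path $profileKey.PSPath).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
    foreach ($valueName in $valueNames) {
        if ($mapped -notcontains $valueName.Replace(' ', '')) {
            Write-Warning "$($profileKey.PSChildName): value '$valueName' is not mapped by the MOF"
        }
    }
}
```

Keep in mind that the inventory data is only as trustworthy as the registry key it is read from: any process that can write to HKLM\SOFTWARE\DesktopOptimization\UserProf can change what the site reports for that machine, so leave the key with its default ACL (administrators and SYSTEM only) and do not loosen it for the collection script.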
A quick way to make a script that has strComputer = "." work against a list of systems instead: read the names from a text file and put the per-machine code inside the loop, so that each name is processed before the next line is read:
Set Fso = CreateObject("Scripting.FileSystemObject")
Set InputFile = Fso.OpenTextFile("MachineList.Txt")
Do While Not InputFile.AtEndOfStream
    strComputer = Trim(InputFile.ReadLine)
    If strComputer <> "" Then
        ' the code that previously used strComputer = "." goes here, once per machine
    End If
Loop
InputFile.Close
-------------------
To switch a Configuration Manager 2007 site to native mode and select its site server signing certificate: in the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.
Right-click <site code> - <site name> and then click Properties.
On the Site Mode tab in the site properties dialog box, select Native mode.
In the Site server signing certificate section, click Browse to view the available certificates on the site server's local store in the Available Certificates dialog box. Select the site server signing certificate that contains the site code in the Issued to field and includes Document Signing in the Intended Purpose field. Then click OK to close the Available Certificates dialog box.
If you are unable to browse to the site server's certificate store, you can manually enter the certificate's thumbprint in the Thumbprint text box. Configuration Manager will attempt to match the thumbprint to a certificate, and if this is successful, the certificate friendly name will be displayed in the Thumbprint field. If Configuration Manager is unable to match the thumbprint to a certificate, you will be prompted to choose whether you want to continue.
When you have either selected the certificate or entered the thumbprint, click OK to close the site properties dialog box.
-------------------
This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), contains procedures that guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Configuration Manager 2007 requires to operate in native mode. Native mode offers the highest level of security for a Configuration Manager 2007 site, and it is a requirement for Internet-based client management. For more information about native mode in Configuration Manager, see Benefits of Using Native Mode.
The procedures in this example refer to a Microsoft PKI solution, using an enterprise certification authority (CA) and certificate templates. The steps are appropriate for a test network only, as a proof of concept.
Because there is no single method of deployment for the required certificates, you will need to consult your particular PKI deployment documentation for the necessary procedures and best practices to deploy the required certificates for a production environment. For more information about the possible deployment methods, see Deploying the PKI Certificates Required for Native Mode.
Note: The use of a Microsoft PKI solution is recommended to support Configuration Manager 2007, but it is not required. Configuration Manager 2007 uses standard PKI certificates, supporting version 3 of the X.509 certificate format. If your existing PKI deployment can create, deploy, and manage the certificates that Configuration Manager 2007 requires for native mode, you can use your existing PKI infrastructure. Consult your PKI documentation for deployment details.
This example contains the following sections, which cover creating and deploying the basic certificates that are required for a Configuration Manager 2007 site to operate in native mode for intranet connectivity:
Test Network Requirements
Overview
Deploying the Site Server Signing Certificate
Deploying the Web Server Certificate
Deploying the Client Certificate
The example has the following requirements:
PKI certificates must be installed prior to configuring Configuration Manager 2007 to operate in native mode. This example does not include installing and configuring Configuration Manager 2007, but it provides the steps to provision computers with the certificates they require to operate in Configuration Manager 2007 native mode.
The following table lists the three types of PKI certificates that are required and describes how they are used in a native mode Configuration Manager 2007 site:
Certificate Requirement | Certificate Description |
---|---|
Site server signing certificate | This certificate is installed on the server that will be the Configuration Manager 2007 site server. It is used to sign client policies. |
Web server certificate | This certificate is installed on servers that will be Configuration Manager 2007 site systems, with roles such as the management point and distribution point. It is used to encrypt data and authenticate the server to clients. |
Client certificate | This certificate is installed on computers that will be Configuration Manager 2007 clients, and it is installed on the management point. It is used to authenticate the client to site systems; on the management point it is used to monitor the server's operational status. |
For more information about the certificates, see Certificate Requirements for Native Mode.
Follow the steps in this example to achieve the following goals:
This step has four procedures:
On the domain controller running the Windows Server 2008 console, click Start, click Programs, click Administrative Tools, and then click Certification Authority.
Expand the name of your certification authority (CA), and then click Certificate Templates.
Right-click Certificate Templates, and then click Manage to load the Certificates Templates Console.
In the results pane, right-click the entry that displays Computer in the Template Display Name column, and then click Duplicate Template.
In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
Important: Do not select Windows 2008 Server, Enterprise Edition.
In the Properties of New Template dialog box, on the General tab, enter a template name for the site server signing certificate template, such as ConfigMgr Site Server Signing Certificate.
Click the Issuance Requirements tab, and then select CA certificate manager approval.
Click the Subject Name tab, and then click Supply in the request.
Click the Extensions tab, make sure Application Policies is selected, and then click Edit.
In the Edit Application Policies Extension dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Remove.
In the Edit Application Policies Extension dialog box, click Add.
In the Add Application Policy dialog box, select Document Signing as the only application policy, and then click OK.
In the Properties of New Template dialog box, you should now see listed as the description of Application policies: Document Signing.
Click OK, click OK to close the Properties of New Template, and then close the Certificate Templates Console.
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Site Server Signing Certificate, and then click OK.
Note: If you cannot complete the two steps above (issuing the new template), check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure certificate templates with Windows Server Standard Edition and Active Directory Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008.
Do not close the Certification Authority console.
On the member server, create a folder to contain your certificate files.
Open Notepad, or a similar text file of your choice. Copy and paste the following text into the file:
[NewRequest]
Subject = "CN=The site code of this site server is <site-code>"
MachineKeySet = True
[RequestAttributes]
CertificateTemplate = ConfigMgrSiteServerSigningCertificate
Replace the text <site-code> with your own site code. For example, if your site code is A01, the line will become: Subject = "CN=The site code of this site server is A01".
Important: Both the site code and the name of the template are case sensitive. Make sure that you specify the site code exactly as it appears in the Configuration Manager console, and that you specify the site server signing certificate template exactly as it appears as the Template name (not the Template display name) in the certificate template properties.
Save the file with the name sitesigning.inf, and save it in the certificates folder that you created.
Open a command window in the certificates folder that you created, type the following command, and then press Enter:
certreq -new sitesigning.inf sitesigning.req
Type the following command, and then press Enter:
certreq -submit sitesigning.req sitesigning.cer
You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. Because the template requires CA certificate manager approval, the request is held as pending rather than issued immediately, and certreq reports RequestId: <number>, where <number> is the ID of this request at the issuing CA. Make a note of this number.
Do not close the command prompt.
On the domain controller, in Certification Authority, click Pending Requests.
In the results pane, you will see the requested certificate with the Request ID that was displayed with the last Certreq command.
Right-click the requested certificate, click All Tasks, and then click Issue.
Do not close the Certification Authority console.
On the member server, in the command window, type the following command, and then press Enter:
certreq -retrieve <number> sitesigning.cer
For example, if the request number previously displayed was 12, type: certreq -retrieve 12 sitesigning.cer
You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK.
Type the following command, and then press Enter:
certreq -accept sitesigning.cer
The member server is now provisioned with a Configuration Manager 2007 site server signing certificate.
This step has four procedures:
On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
Right-click the domain, click New, and then click Group.
In the New Object – Group dialog box, enter ConfigMgr IIS Servers as the Group name, and then click OK.
In Active Directory Users and Computers, right-click the group you have just created, and then click Properties.
Click the Members tab, and then click Add to select the member server.
Note: In our test environment, there is only one server to add. However, in a production environment, it is likely that various servers will host the Configuration Manager 2007 site systems that require certificates, such as the site's management point and distribution points. It is therefore good practice to assign permissions to a group and add the site systems that require the same type of certificate. Creating a security group for these servers enables you to assign permissions so that only these servers can use these certificates.
Click OK, and then click OK again to close the group properties dialog box.
Restart your member server (if running) so that it can pick up the new group membership.
On the domain controller, while still running the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
Important: Do not select Windows 2008 Server, Enterprise Edition.
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.
Click the Subject Name tab, click Build from this Active Directory information, and then select one of the following for the Subject name format:
Clear the option User principal name (UPN).
Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.
Select the Enroll permission for this group, and do not clear the Read permission. Together with building the subject from Active Directory, this limits who can obtain a web server certificate from the template to the members of ConfigMgr IIS Servers, each for its own name; a template that keeps the default Web Server behaviour of letting the requester supply the subject, and that is enrollable by many principals, would let any of them request a certificate for an arbitrary host name.
Click OK, and close the Certificate Templates Console.
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Web Server Certificate, and then click OK.
Do not close the Certification Authority console.
Restart the member server to ensure it can access the certificate template with the configured permission.
Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
In the Certificate snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add or Remove Snap-ins dialog box, click OK.
In the console, expand Certificates (Local Computer), and then click Personal.
Right-click Certificates, click All Tasks, and then click Request New Certificate.
On the Before You Begin page, click Next.
On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.
On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
Close Certificates (Local Computer).
On the member server, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand Sites, right-click Default Web Site, and then select Edit Bindings.
Click the https entry, and then click Edit.
In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, and then click OK.
Note: If you are not sure which is the correct certificate, select one, and then click View. This allows you to compare the selected certificate details with the certificates that are displayed with the Certificates snap-in. For example, the Certificates snap-in displays the certificate template that was used to request the certificate. You can then compare the certificate thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificate template with the certificate thumbprint of the certificate currently selected in the Edit Site Binding dialog box.
Click OK in the Edit Site Binding dialog box, and then click Close.
Close Internet Information Services (IIS) Manager.
The member server is now provisioned with a Configuration Manager 2007 Web server certificate.
This step has three procedures:
On the domain controller, while still running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
Important: Do not select Windows 2008 Server, Enterprise Edition.
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.
Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll.
Click OK and close Certificate Templates Console.
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Client Certificate, and then click OK.
Close the Certification Authority console.
On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.
Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.
Note: This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, in a production environment, you can restrict the autoenrollment so that it enrolls only selected computers by assigning the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point.
In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK.
In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.
Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.
From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.
Close Group Policy Management.
Restart the workstation computer, and wait a few minutes before logging on.
Note: Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment.
Log on with an account that has administrative privileges.
In the search box, type mmc.exe, and then press Enter.
In the empty management console, click File, and then click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
In the Certificate snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add or Remove Snap-ins dialog box, click OK.
In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column.
Close Certificates (Local Computer).
Repeat steps 1 through 11 for the member server to verify that the server that will be configured as the management point also has a client certificate.
The workstation and member server are now provisioned with a Configuration Manager 2007 client certificate.
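A check to run on each computer once the three procedures above are done, and before picking the site server signing certificate on the Site Mode tab described earlier: it confirms that each native-mode certificate is in the computer's Personal store with its private key, carries the Enhanced Key Usage the role needs (Document Signing, Server Authentication or Client Authentication), came from the expected template, chains to a trusted CA, and, for the site server signing certificate, has the site code in its subject. This is an added example, not part of the Microsoft walkthrough or of Configuration Manager; it assumes the template names chosen above and the site code A01, both of which you should adjust.

```powershell
# Added example: verify the ConfigMgr 2007 native-mode certificates in Cert:\LocalMachine\My.
# Assumptions: template names as chosen in this walkthrough, site code A01; run elevated.
[CmdletBinding()]
param(
    [string]$SiteCode = 'A01'
)

# Template name (the Template name, not the display name) -> EKU OID the role requires.
$Templates = @{
    'ConfigMgrSiteServerSigningCertificate' = '1.3.6.1.4.1.311.10.3.12'  # Document Signing
    'ConfigMgrWebServerCertificate'         = '1.3.6.1.5.5.7.3.1'        # Server Authentication
    'ConfigMgrClientCertificate'            = '1.3.6.1.5.5.7.3.2'        # Client Authentication
}

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Certificates issued from a v2 template (duplicated as "Windows Server 2003, Enterprise
    # Edition") carry the Certificate Template Information extension. Format() renders it as
    # "Template=<name>(<oid>), Major Version Number=..." when the template OID resolves
    # through Active Directory, otherwise as the bare OID.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($ext) { return $ext.Format($false) }
    return ''
}

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-NativeModeCertificate {
    param([string]$TemplateName, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    $ekus = Get-EkuOids $Cert
    if (-not $Cert.HasPrivateKey)                     { $problems += 'no private key' }
    if ($ekus -notcontains $Templates[$TemplateName]) { $problems += "missing EKU $($Templates[$TemplateName])" }
    if ($Cert.NotAfter -lt (Get-Date))                { $problems += 'expired' }
    if (-not $Cert.Verify())                          { $problems += 'chain does not validate (CA trust or revocation)' }
    # The site code is case sensitive (see the Important note above), hence -cnotlike.
    if ($TemplateName -eq 'ConfigMgrSiteServerSigningCertificate' -and
        $Cert.Subject -cnotlike "*is $SiteCode*")     { $problems += "subject does not carry site code $SiteCode" }
    $status = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Template   = $TemplateName
        Status     = $status
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        EKUs       = ($ekus -join ', ')
    }
}

$store  = Get-ChildItem -Path Cert:\LocalMachine\My
$report = foreach ($name in $Templates.Keys) {
    $matching = @($store | Where-Object { (Get-TemplateInfo $_) -like "*$name*" })
    if ($matching.Count -eq 0) {
        # Expected for roles this computer does not hold: only the site server needs the
        # signing certificate and only IIS site systems need the web server certificate.
        [pscustomobject]@{ Template = $name; Status = 'not present on this computer'; Subject = ''; Thumbprint = ''; NotAfter = $null; EKUs = '' }
        continue
    }
    foreach ($cert in $matching) { Test-NativeModeCertificate -TemplateName $name -Cert $cert }
}
$report | Format-Table Template, Status, Subject, Thumbprint, NotAfter -AutoSize
```

On the site server the row for ConfigMgrSiteServerSigningCertificate should read OK and its Thumbprint is the value to paste into the Site Mode tab if the Browse dialog cannot show the store. If the client certificate is reported as not present on a computer that should have autoenrolled, run gpupdate /force followed by certutil -pulse to trigger autoenrollment without waiting for a restart, then run the check again.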
By accessing this Website, you indicate your acknowledgement acceptance of the following terms and conditions. These terms and conditions may change from time to time, and you agree to be bound by any such changes when posted on this Website, including its affiliates, as applicable reserves all of its rights at law and equity, The information and content displayed on this Website, including but not limited to text, graphics, logos, images, audio clips and software, is the property of Public or its licensors, as the case may be, and is protected by copyright laws. While I invite you to browse, no content or information on this Website may be downloaded, reproduced or modified in any manner without the prior written consent of me (PaddyMaddy) or as otherwise expressly provided herein.