Posts tagged: active directory

Reset the DSRM Administrator Password

Prior to Windows 2003 SP1 the DSRM (Directory Services Restore Mode) password was automatically synchronised with the Domain Administrator account password whenever you changed the domain admin account password. Windows 2003 SP1 broke this behaviour, and you will find the error below in your Application event log if the two passwords don't match.

Event Type:    Error

Event Source:    dsrestor
Event Category:    None
Event ID:    1005
Date:        8/03/2009
Time:        2:31:19 PM
User:        N/A
Computer:    XXXXXXXXX
Description:
The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
You can safely ignore this error if you know what your DSRM password is and want to keep it the same across domain controllers in different domains. Otherwise, follow the steps below to change the DSRM password to match the domain administrator account.

To Reset the DSRM Administrator Password

  1. Click Start, click Run, type ntdsutil, and then click OK.
  2. At the Ntdsutil command prompt, type set dsrm password.
  3. At the DSRM command prompt, type one of the following lines:
    • To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

      -or-

    • To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
  4. At the DSRM command prompt, type q.
  5. At the Ntdsutil command prompt, type q to exit.

Find and Delete Inactive Computer Accounts on a Domain

To find the inactive computer accounts of 25 weeks or more run the following command in a command prompt on your domain controller:

dsquery computer domainroot -d DOMAINNAME -inactive 25 >c:\inactive25.txt

To delete the inactive computers run the following command in a command prompt on your domain controller:

for /F "delims=" %i in ('dsquery computer domainroot -d DOMAINNAME -inactive 25') do @dsrm %i -noprompt

Replace DOMAINNAME with your organisation's domain name and substitute 25 with the number of weeks of inactivity you want to check for. The "delims=" option keeps each distinguished name on one token, so names containing spaces are passed to dsrm whole.
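Deleting straight from a dsquery pipe with -noprompt is irreversible, and the lastLogonTimestamp attribute it relies on lags real activity by up to two weeks. As an added example that is not part of the original post, here is the same cleanup in PowerShell with the ActiveDirectory module, staged so that accounts are reported, then disabled and stamped, and only deleted after a grace period; the report path and the 30-day grace period are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Staged cleanup of inactive
# computer accounts: report, then disable and stamp, then delete only what
# this script disabled at least $GraceDays earlier. Run with -WhatIf to
# preview; no change is made in that mode.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveWeeks = 25,                             # same threshold as dsquery -inactive 25
    [int]$GraceDays     = 30,                             # assumed grace period before deletion
    [string]$ReportPath = "C:\inactive$InactiveWeeks.csv" # assumed report location
)

$tag = 'InactiveCleanup'

# lastLogonTimestamp (what -inactive and -AccountInactive both read) is only
# replicated every 9-14 days, so an account can look up to two weeks staler
# than it really is. The grace period absorbs that lag.
$stale = Search-ADAccount -AccountInactive -ComputersOnly `
             -TimeSpan (New-TimeSpan -Days ($InactiveWeeks * 7)) |
         ForEach-Object { Get-ADComputer -Identity $_.DistinguishedName -Properties Description }

# Stage 1: audit record of everything considered, written before any change.
$stale | Select-Object Name, DistinguishedName, Enabled, Description |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($c in $stale) {
    if ($c.Enabled) {
        # Stage 2: disable and stamp the description with the date, so the
        # change is reversible and stage 3 can tell our disables from others.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable')) {
            Set-ADComputer -Identity $c -Enabled $false `
                -Description "$tag $(Get-Date -Format 'yyyy-MM-dd')"
        }
    }
    elseif ($c.Description -match "^$tag (\d{4}-\d{2}-\d{2})") {
        # Stage 3: delete only accounts this script disabled, after the grace period.
        $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if (((Get-Date) - $disabledOn).TotalDays -ge $GraceDays) {
            if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Delete')) {
                Remove-ADComputer -Identity $c -Confirm:$false
            }
        }
    }
}
```

Save it as a .ps1 and run it once with -WhatIf; the CSV written in stage 1 is what you review before running it for real, and accounts that were already disabled by someone else are never touched because they carry no stamp.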


Set up your Log on to Domain automatically

One thing that really annoys me about Windows is that when you add a machine to a domain the "Log on to" field defaults to "MachineName (This computer)". This means you then need to log into the machine under a domain account and log off again, or you will get a phone call from your users saying that their domain passwords don't work. The same thing happens when you log into a machine with a local account to do some administration. It's such a time waster to have to log in just to log out, especially if you are setting up multiple machines at a time.

By presetting the following key via a Group Policy Object in Active Directory and linking it to your computer Organisational Unit, your computers always have the domain name as the default:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName (REG_SZ)

To do this you will need to set up a startup script under the Computer Configuration section of the policy.

On your Computer Organisational Unit create a New Group Policy and call it DefaultDomainName.

Under Windows Settings -> Scripts, right-click Startup and select Properties.


Click Show Files.


Now create the following two files in this folder (the startup script runs with this folder as its working directory, so the .bat can reference the .reg file by name).

A “DefaultDomainName.bat” containing:

%systemroot%\regedit /s DefaultDomainName.reg

A “DefaultDomainName.reg” file containing:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"DefaultDomainName"="YOURDOMAINNAME"


Close the folder and click Add on the Startup Properties window.


Click Browse and select the DefaultDomainName.bat file.


Click OK -> OK, then close the Group Policy Editor.

When the computers under that Organisational Unit restart, the policy should be applied.
