Monday, May 25, 2009

Thank You Veterans on Memorial Day

Today is Memorial Day in the United States. It commemorates U.S. men and women who died while in service for their country.

There are no words that can truly express my feelings. We can't give enough thanks to those that have made the ultimate sacrifice. I not only give thanks to those that made the ultimate sacrifice but also to the loved ones they left behind.

I also extend my deepest thanks to our fallen allies. We don't go into battle alone and many men and women from other countries have also made the ultimate sacrifice.

I doubt anyone I served with reads an Active Directory blog but thank you to my brothers in the Army and to anyone that has served in any branch of the military. Hooaaahhh!!

Wednesday, May 13, 2009

Add Employee ID Field - ADUC

I've seen this question several times on various message boards so I wanted to write a step by step entry on how to do this.

User objects have an employeeID attribute but it doesn't appear by default in active directory users & computers.

Sakari Kouti has written a great script to help with this. You can find that script here(employeeID.vbs)



Step1:

Download the script and save it on your PC. I've put the script on my C drive in a folder called AddID

Step2:

In ADSI Edit go to the configuration container and navigate to CN=DisplaySpecifiers, CN=409)

In the right pane find CN=user-display and right click and select properties.



Step3:

Select the adminContextMenu attribute. Add the following value
2, Employee &ID, path to script

Note: If 2 is in use just pick the next number. In my example I've put the script in c:\addid\employeeid.vbs



UPDATE: I should have added this when I first posted this but thanks to Rob Sampson for pointing it out. Rob is one of the strongest scripters I've met and is a valuable member of the IT community.

From Rob (Thanks Rob!):

you could place "employeeid.vbs" in your NetLogon share of a Domain Controller (which then replicates to all other DCs), and have 2. Employee &ID, \\domain.com\sysvol\domain.com\scripts\employeeid.vbs


Screen shot below shows that example in my mktest.com domain.







Step4:

Now if you use Active Directory Users & Computers you can right click on a user and employee ID should appear.





You can select the field and edit it:



Thanks to Sakari Kouti for the script. He also has a new book coming out called Active Directory 2008 Unleashed

If that book is anything like his last book (Inside AD 2nd Edition) then it is a must have...I've already pre-orderd the new book :)

Tuesday, May 12, 2009

Product Review - GPO Compare from SDMSoftware

This is the first in my "product review" series. I will try and test products (free and not free)relevant to all aspects of active directory and group policy.

Today we start with GPO Compare.

GPO Compare is produced by SDMSoftware If you don't know SDMSoftware then you probably know their founder. Darren Mar-Elia is the founder and has been a long time group policy MVP and generally considered one of the best group policy guys in the business.

Currently there are no free native Microsoft tools that can be used to compare the differences between two group policies. Microsoft does make a product called Advanced Group Policy Managment (AGPM) AGPM is part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is only available to software assurance customers.

Many are not software assurance customers so they are out of luck...until now.

...so let's start the review.

The first thing you will want to do is download GPO Compare. You can get it here

What I first noticed is that I had a fully functional trial. That is always nice because I didn't have any features blocked or not available.

The download is approximately 7MB and the install is super easy and fast.

After you install and launch the program the first screen you see is self explanatory. As you can see in the screen shot below you can browse for two group policy objects (GPOs).



When you select Browse you will be presented with a screen that shows all the policies for your domain.

For this example I'll be using two password policies.



You will notice the check box labeled "Include GPO Metadata in Comparison?"

That setting/option includes comparisons of GPO metadata such as created and modified dates, security permissions and links. If the option is unchecked then those items are not included in the comparison. For this first run I'll include those items.

So for these policies for instance if I don't select it then there are only 6 differences versus 11.

...so now as you guessed it you can go ahead and select compare:



When you run the compare the first thing you will see is a box telling you how many differences there are. As you can see in the screenshot there are 11 differences between my two GPOs.



You can view the difference report from this dialogue box or you can access the report from the Tools menu.



The GPO Compare Difference Report will show you the differences between the group policies.



As you can see you can also right click and jump directly to that particular setting/difference.



After you select "jump to setting" you will be directed back to the main page and the exact details are spelled out in the "comparision details" section




My favorite part is the GPO Difference Report that you can create. You can save it or print it. Very easy for even managers to follow :)

An example of the GPO Difference report is in the screenshot below



My overall thoughts is that this is a great tool!! It is very easy to use, the full version costs less than $100 and it really fills a much needed void in the group policy landscape.

Final Verdict = 4/4 OUs - WELL DONE!!

Saturday, May 9, 2009

Steve Riley has left Microsoft

Steve Riley was let go as part of Microsoft's restructuring...this was round two of layoffs at Microsoft.

Steve Riley was one of Microsoft's best known speakers. His concentration was security related issues. I know times are tough for all companies but I was really surprised by this news.

Security is a huge concern in most corporations and Steve was a great speaker at most major events and brought a lot to the community.

I'm sure he will do well with whatever he does next but this is a head scratcher for sure.

If you read the comments to his blog entry you will see that he will definitely be missed.

Good Luck Steve!!