Been a long time & Get well soon Scotty!

ScottyM

Yes,  it's been quite a while since I have  written on this blog! Just before TechEd in November, I think.  Quite a lot has been happening around me and slowly but surely, I'm finding some semblance of stability again. New job and having to rapidly learn a new environment and start becoming productive has been hard work. Being surrounded by some of the most helpful people I've had the pleasure to work with has made the load lighter and fun. I'll try over the next couple of weeks to regurgitate some of my highlights of the preceding 2 - 3 months.

Unfortunately, what kicks starts my post today is very sad news about my good friend and colleague, Scotty McLeod, who runs the Windows Server Team Blog. He was involved in an accident  at a London Train station on Wednesday on his way home from some work-related meeting with Quest in London. He sustained some sort of head injury and is still unconscious at the neurology intensive care of St Georges Hospital.

I can't for the life of me, make sense of it all. And the "wrongest" person this could/should happen to! We need you well Scotty!!!

I am praying for his swift recovery and ask any of you who pray or can, to please remember him and his family in yours.

Posted 28 January 2008 03:07 PM by Austin | no comments
Use full DNS Names and OS tags in GINA's Dropdown Dialog box

Someone on the Activedir newsgroup wanted DNS names in the logon dialog box users see rather than the NetBIOS name. I didn't initially think this was possible but the poster insisted they had seen it done before. well, 2 solutions were proffered: Jorge de Almeida Pinto came up with a custom ADM which could apply to the boxes you wanted this feature enabled on and Dean Wells provided a reg hack which did the same thing. Thought I should share both:

--------------------------------------------------------

Custom ADM

--------------------------------------------------------

; Custom ADM to change how domain names are shown in the logon box
; REMARK: these are preferences and NOT policies. As such make sure you enable viewing of preferences in the GPEditor!

CLASS MACHINE

 CATEGORY "System"

  CATEGORY "Net Logon"

   CATEGORY "Domain Name in Logon Box"

    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    POLICY "Show Full DNS Names At Logon"
     EXPLAIN "EXPLANATION: When enabled, the list of domains on the logon dialog will show the full DNS names (hierarchical) rather than the NETBIOS names (flat)."
     VALUENAME "DCacheShowDnsNames"
     VALUEON  NUMERIC 1
     VALUEOFF NUMERIC 0
     END POLICY

    POLICY "Show Additional Domain Information At Logon"
     EXPLAIN "EXPLANATION: When enabled, the list of domains on the logon dialog will contain brief information about each domain after the domain name."
     VALUENAME "DCacheShowDomainTags"
     VALUEON  NUMERIC 1
     VALUEOFF NUMERIC 0
    END POLICY

   END CATEGORY

  END CATEGORY

 END CATEGORY

--------------------------------------------------------

Reg Hack

--------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"DCacheShowDomainTags"=dword:00000001

"DCacheShowDnsNames"=dword:00000001

--------------------------------------------------------

Both are cosmetic changes and do not change the logon process in anyway. Just interesting to know it can be done. 

Posted 08 November 2007 06:19 PM by Austin | no comments
Filed under: ,
ADInsight for Active Directory

Mark Russinovich and Bruce Cogswell of Sysinternals fame have release ADInsight for Active Directory as one of the free utilities on their Microsoft Site. This tool I like to call the MRI Scan for AD. It uses DLL injection techniques into all processes to watch for WLDAP32 transactions. WLDAP32 is where Microsoft implements the LDAP API. You can see how your application talks to AD and what responses are returned. This capability can be invaluable in many application design scenarios when you can't figure out why your app's conversation with AD is spitting errors or even general troubleshooting to see "under the covers".

The Application is very similar to Regmon and Filemon in it's GUI and if you've used either before ADInsight should feel familiar.

The great thing I also see is you can Rt Click on an call sent to the directory and click on event information which takes you to an MSDN site with an explanation of the transaction. This can be an excellent learning tool as well!

ADinsight1

 

If the tool is pointed against an Active Directory where lots on calls are taking place, you can also filter events with the same flexibility available in Filemon and Regmon.

Example

The Process Filter allows the selection of processes to include or exclude there is also a transaction filter for those transactions that you want to view. This selection is made so much easier by the transaction group filter which allows the viewing of a collection of transaction e.g. connects. If a group is chosen, all applicable transactions are selected in the transactions list.

This is definitely another necessary tool in the arsenal of anyone working with Active Directory.  

Posted 07 November 2007 08:31 PM by Austin | no comments
Filed under: ,
Microsoft's Awesome Stats

Anyone who's been to a conference where someone from MSFT's been talking about "How Microsoft Does IT" has probably heard this or something similar but these stats are just awesome I think (Source Bink.nu):

Microsoft internal IT:

600k connected devices
10,000 Servers
3 Datacenters 1 operations center
11% is virtualized in Microsoft Datacenters
330 of 385 servers run Windows Server 2008 (RC0) plus all 85 Microsoft.com servers
11 clustered systems
30,000 users in Redmond domain (50,000 with vendors)
NAP reporting 140K clients, 90 clients deferred mode

The Redmond Active Directory domain is running in Windows Server 2008 mode since last Thursday (Nov 1st)

Microsoft Email:

6 million internal emails per day
20 Million emails from Internet
97% rejected as spam
99,999 uptime

Worldwide:

140,000 end users
550 buildings
98 countries
1/3 of the sites are connected over Internet only

2300 Line of business applications
1 single SAP instance (5 Terrabyte database)
Dynamics/MSCRM

Windows Live Services:

130,000 servers online
435 Million unique users
280 Billion pageviews daily
12 Billion emails daily
6 billion Instant Messages daily

Remote connect:

1 million VPN sessions per month
80,000 unique OWA users
Remote app portal
TS gateway 20,000 users
Direct Connect pilot

Microsoft.com figures
55,7 million unique users, #4 overall site in US
280,5 Unique users wordwide #6 site worldwide
15,000 request a sec

Posted 06 November 2007 11:53 AM by Austin | no comments
Filed under: ,
Burn CD's and DVDs with Powershell

Included with Microsoft Vista is a new API for scripting against optical drives; the Image Mastering API version 2 or IMAPI2. This makes it possible to retrieve information from optical storage media like CDs and DVDs and write to them.

The story around the IMAPI and what you can do with it can be found on msdn but what brought it to my attention was the Scriptcenter newsletter this week where a VB sample of how to burn CDs/DVDs using the Image Mastering API was described. Yep, if we can do it with VB there's got to be a PoSHer way to do the same thing so I gave it a go and over a couple of hours managed to get my version to work.

Who needs ISO burning tools anymore ay? Roll your own!

My modification of the script accepts one argument which is the path to the ISO file and it barfs if a wrong path is given. 

The assumption is that the CD/DVD writer is first optical drive on the system (If it's not, change the msftdiscMaster2 index used in the msftdiscrecorder2 initializedrecorder method ).

Minor error checking has been thrown in to ensure a valid path to an ISO file is provided and that the disc is blank.

---------------------------------------------------------------------------------------

param(
        [string]$path = $( throw "Please Specify path to an ISO file")
         )
# Set binary file type
Set-Variable -name adFileTypeBinary -value 1 -option Constant

# Test if path exists else fail
if (Test-Path -path $path -isValid)
{
    $isoFile = $path

    # Create disc master to burn to optical drives
    $obm = New-Object -comobject "imapi2.msftdiscMaster2"

    # Create a DiscRecorder object for the specified burning device
    $obr = New-Object -comobject "imapi2.msftdiscrecorder2"
    $obr.initializediscrecorder( $obm.item(0) )
    $dataWriter = New-Object -comobject "IMAPI2.MsftDiscFormat2Data"
    $dataWriter.Recorder = $obr
    $dataWriter.ClientName = "ISOTest1"

    # Write stream to disc using the specified recorder
    Write-Host "Writing to disc..."
    $objStream = New-Object -comobject "ADODB.Stream"
    $objStream.open()
    $objStream.type = $adFileTypeBinary
    $objStream.LoadFromFile( "$isoFile" )

    # Check disk is blank else fail
    $addr = $dataWriter.NextWritableAddress
        if ( $addr = "0"  )
            {
                $dataWriter.Write( $objStream )
                Write-Host "Done"
            }
        else
            {
                Write-Host "Cannot write to disk" }
            }

else
    {
    Write-Host "A valid ISO file was not found"
    }

---------------------------------------------------------------------------------------

The Scriptcenter site shows other examples in VB and they can all be converted to Powershell with very little effort.

Binaries for for versions of IMAPIv2 for other platforms can be obtained here:

Image Mastering API v2.0 for Windows XP

Image Mastering API v2.0 for Windows Sever 2003

Image Mastering API v2.0 for Windows XP x64 Edition

Image Mastering API v2.0 for Windows Server 2003 x64 Edition

Posted 02 November 2007 05:47 PM by Austin | no comments
Filed under: , , ,
PoSH is here to stay!

I'm sure a lot of my crew are almost getting to their wits end with my persistent harping about the capabilities of Powershell and the need for anyone involved in Windows management to get on the act now. I ain't stopping though. This is probably the single most significant change to the way we will do things in the Windows space.

During my regular cruise of my favorite blogs, I came across the entry yesterday on Dmitry's blog where he caught on the jist from Citrix that they were rewriting their APIs for the next version of Presentation Server codenamed Parra so they had Powershell interfaces!

This is another massive join to the Powershell community and it's only going to get bigger and better.

Posted 02 November 2007 03:42 PM by Austin | no comments
Filed under: ,
Exchange Unplugged!

ExchUnplugged

Sounds like an MTV show but t'was much better than that! Eileen Brown and her crew brought the Exchange 2007 and Unified Communications road show to Manchester in Association with BT Lynx. The day long event was held at the Museum of Science and Technology and I think the location was just perfect with the Dr Who show going on there as well :-)

Brett Johnson and Julian Datta gave awesome demos of Exch07 and Office Communication Server which all went flawlessly. Apparently, the last time they gave the demos, Brett's Shuttle, a quad core, 8Gb beast, ignited! That must have been fun.

This was the first time I had heard Brett present and I was well impressed. He kept the audience well engaged and his wit was classic!

Toy of the day was the hyper cool Microsoft Roundtable conference phone providing a 360 degree view of the conference room and a high res image of the active speaker.

My takeaways from the show were:

  1. Exchange 07 & OCS are going to change the way we communicate. Voice, Video and text can now be affordably converged on the IP protocol and with presence information, playing "phone tag" will be a thing of the past.
  2. Learn Powershell. It's the future! The Exchange servers Brett built were installed and configured using Powershell Scripts & commands. 

If you haven't been to the Exchange Roadshow, there's 2 more dates I think. Make sure you catch them if you can. Well worth it:

2nd November 2007, Warwickshire: Exchange Unplugged in association with Post CTI

5th November 2007, Glasgow: Exchange Unplugged in association with Capito

Posted 01 November 2007 12:59 PM by Austin | no comments
How cool is this?

RIPE, the Regional Internet Registry just concluded their annual meeting where ISPs, Network operators and other interested parties in Europe and surrounding regions get together.

Highlight of the closing event was an impromptu gig by Gary Feldman of Thus PLC which has been posted on You Tube. Who says geeks don't rock ay? Enjoy:

http://www.youtube.com/watch?v=_y36fG2Oba0

 

Posted 30 October 2007 12:28 PM by Austin | no comments
Filed under: ,
TechEd IT Forum In Barcelona

logo_people7

Anyone visiting my blog who's going to be at TechEd in Barcelona from the 12th - 16th of November, do let me know. I'll be there and looking forward to another exciting week learning stuff and trading "war stories" with my kinda geeks!

Guys not to miss at TechEd, in my opinion, Markus Murray of Trusec and of course Mr Steve Riley. These guys run their sessions in ways that keep you interested and always happy you attended. Always standing space only too so be sure to be early for the sessions ;-)

PING me and hope to see you there.

Posted 26 October 2007 03:42 PM by Austin | no comments
Filed under: , , , ,
Creating Test AD users with Powershell- Improved!

Remember the PoSH add users to AD script? Well, it got picked up by “The Man” himself, Dmitry Sotnikov of PowerGUI fame and he rolled it into a one-liner:

 1..500 | ForEach-Object {
New-QADUser -ParentContainer ps64.local/test -Name “testuser$_“ -SamAccountName “testuser$_“ -UserPrincipalName “testuser$_@example.com“ -FirstName “testUser$_“ -LastName “example$_“ -UserPassword “password_123“ | Enable-QADUser
}

Steve Green and I, coincidentally, were having a go at getting it as short as possible and eventually came down to the same steps but Awesome to see “The Internet” at work!

Enjoy!

Posted 25 October 2007 04:53 AM by Austin | no comments
Filed under: , ,
Group Policy meets Powershell in a big way!

Today I attended an invitational-only product demo given by Thorbjörn Sjövold the CTO of Special Operation Software of their up coming product Specops Command. This product, in it's pre Beta version, tries to resolve the "last mile" problem currently facing Powershell in Version 1. Today Powershell is installed on a management workstation and carrying out remote tasks or running Powershell scripts against remote machines requires Powershell installed on those machines, using wmi or rolling your own .Net methods.

With Specops Command, you still need Powershell installed on the machines but it takes away the pain of managing which of the versions of Powershell to install (there are different versions for XP SP2, WS03, Vista and also x32 and x64 versions for each OS).

Specops CSE's on the Workstation detect its version and download the appropriate version for install.

The main Features of the Specops Command Group Policy extension are:

  1. Auto Management of Native and 3rd party cmdlets on all workstations under the scope of the Specops Command policy
  2. The ability to configure the running  of cmdlets and scripts in the Security Context of the logged on User or Computer
  3. Script Execution Feedback  -> No longer "fire and forget" when running scripts with reporting of the execution results of all scripts  on all workstations under scope of the policy. Also, the ability to drill down into the results and identify down to line numbers in the code where an issue arose. you can also configure custom feedback where results are stored in a central repository and, I presume, can then be queried using regular methods. 
  4. Undo Scripts. This was one that "tickled my fancy". The ability to cache Powershell code on the client machine that ran when the Specops Command GP was no longer in scope! this can be used to return the machine to a default state or run in any configuration state you may decide on. 
  5. Very granular "Targeting" Mechanism for users and computers.
  6. Granular Scheduling of when the policy changes are applied.
  7. The ability to sign scripts and
  8. Verbose Enterprise Reporting.

Sometime in March this year, Special Operations Software entered a Collaboration agreement with Darren Mar-Elia's SDM Software who make GP management and troubleshooting tools. Both firms are heavily into Powershell and this is further proof that to be able to manage the modern Windows environments of the future (read 6 months at the most), Powershell knowledge will be vital.

Specops Command will, by an order of magnitude, enhance the ability to securely manage, with the scripted intelligence that Powershell provides, Windows environments in a manner that is more affordable and maintainable by Corporations.

Can't wait to get my hands on the early Beta! Stay tuned!!

Learn Powershell Today! And keep a lookout for the interesting things lots of clever people are doing with it.

Posted 23 October 2007 07:36 PM by Austin | no comments
Filed under: ,
Creating Test Users in AD - Another way...

My good friend and AD Mentor, Jorge de Almeida Pinto pointed me at a much simpler way to do this. Not with PoSH, admittedly, so not as exciting to me right now but it gets the job done and uses Joe Richard's ADMOD tool:

For groups: (replace # with number, replace $$ with US, GS, LS, UD, GD, LD)

ADMOD -replacedn XXX-DOMAIN-XXX:_default -sc adag:#;$$;"CN=<RDN>,OU=<OU>,OU=<OU>,XXX-DOMAIN-XXX"

For users:

ADMOD -replacedn XXX-DOMAIN-XXX:_default -sc adau:#;<PWD>;"CN=<RDN>,OU=<OU>,OU=<OU>,XXX-DOMAIN-XXX"

 

Enjoy!

Posted 22 October 2007 11:36 AM by Austin | no comments
Filed under: ,
Creating Test AD users with Powershell

Sometime last week on the Microsoft AD newsgroup, someone asked for a script to populate test users in Active Directory using a source text file with he user names and passwords. Of course, several people suggested VB scripts to do the task and Richard Mueller gave a pointer to an excellent script on his site.

Of course, I immediately started thinking of a way to do it PoSH style. The thinking, as always, was, "I bet Powershell can do this easier!"

The steps I came up with were:

1. Use Powershell to generate the csv ( I can even omit this step entirely and create the users on the fly)

2. Import the users into AD from the the csv

3. Enable the users

And here's my short PoSH script for the task:

#Create the csv and run in the headings

$outfilename = "out.csv"
"samAccountName,userPrincipalName,cn,sn,givenName,Password" | Out-File $outfilename -encoding ASCII

# Now, populate the csv for 500 users

for ($i = 1; $i -lt 500; $i++){
$samAccountName = "testUser" + "$i"
$userPrincipalName = 'testUser' + "$i" + '@example.com'
$cn    =    "testUser" + "$i"
$sn =    'example' + "$i"
$givenName = "testUser" + "$i"
$password = "password_123"

"$samAccountName, $userPrincipalName, $cn, $sn, $givenName, $password" | Out-File $outfilename -encoding ASCII -append
}

# Import the csv entries into AD as user objects

Import-Csv out.csv | ForEach-Object { New-QADuser -ParentContainer 'OU=test,DC=example,DC=com' -Name $_.samAccountName -samAccountName $_.samAccountName -userPrincipalName $_.userPrincipalName -FirstName $_.cn -LastName $_.sn -password $_.password }

# Enable the user objects

Get-QADUser -SearchRoot 'example.com/Test' | Set-QADuser  -ObjectAttributes @{userAccountControl='512'}

# EASY!

This script compared to Richards, is an order of magnitude shorter and I think, easier to comprehend for almost anyone. It can also be extended, as I will still do to it, to require the number of users to be created to be entered as a variable, connection credentials for AD to be requested and the OU to create the users in as some other variable. Error checking can also be included to make it more shareable.

 

Posted 22 October 2007 09:42 AM by Austin | 1 comment(s)
Filed under: , ,
Powershell: Real Glue!

Last Friday Quest software made GA the RC of the ActiveRoles ADcmdlets. This, to me, is another significant milestone in the evolution of Microsoft's new Command line language, Powershell. The versatility continues to amaze me and there is true community effort in extending it! An Extensible command line language the continues, like Perl did, to make the impossible possible and the difficult easy!

Get the RC here

I also stumbled on this blog which shows the "glue" capabilities of Powershell. An inventory system written in much more understandable code and much shorter than you could with most other languages.

Enjoy!

Posted 16 October 2007 08:08 AM by Austin | no comments
Filed under: , , ,
More on Euro DEC Part Deux..

One of my favorite sessions was given by Jorge de Almeida Pinto, a well known DS MVP, whose blog is one of the most interesting reads on AD on the web.

Jorge doing his thing..

His talk was on Read Only Domain Controllers (RODCs); what they are and the challenges in managing them. I'll try and give a précis of his session here.

The challenges RODCs attempt to resolve are:

  • DCs in insecure locations like remote branch offices
  • Storage of credentials on DCs in these locations
  • Non-Domain Admins might be delegated tasks on the DC or manage a server role or LOB applications

All these could potentially compromise the security of Active Directory.

Even with the "read only" nature of an RODC, it is NOT the same as an NT4 BDC:

  • An RODC should always be considered as Untrusted.
  • Its main goal is to improve security and mitigate risk
  • Role is promoted and not assigned (like the GC role)
  • Preferred in perimeter networks
  • Still need to be managed with patches, hotfixes and backup.

To tell you how different they are:

    • They have an RODC “filtered attribute Set” ; a negative list of attributes not replicated to RODCs
    • The Krbtgt account is unique for each RODC. So it can issue its own Kerberos tickets without compromising domain security.
    • They are not members of “strong” security group memberships like Enterprise Domain Controllers.

Prerequisites for installing RODCs

- Forest Functional Level 2 (WS03)

  • This is required for:
      1. Constrained Delegation for Replication
      2. Linked Value Replication

- ADPREP/RODCPREP

  • Executed on the Domain Naming Master FSMO (not mandatory, but preferred as it contacts this FSMO role)
  • Updates the permissions on application partitions for an RODC to be able to participate in replicating those (contacts an application partition replica)
  • Only needed when upgrading from W2K3 AD, not W2K AD (W2K does not support app partitions).

In earlier betas, there was a requirement for the WS08 DC, which must exist, to be the PDC FSMO role holder. This is no longer the case in the RC0 release. Can be any writable WS08 DC.

Installation is by GUI or the Command Line using DCPromo.

Issues regarding Installation of RODCs

  • The delegation of the permission to install an RODC cannot be done securely. Don’t do it.
  • Trust people who install RODCs!
  • Use a 2 stage process instead:
    • Trusted Admin Installs RODC
    • Delegated Admin joins to domain

RODCs can be Installed From Media

  • Passwords can be removed
  • Attributes belonging to the Filtered Attribute Set are removed
  • Media valid: Best Before < Creation date + Tombstone Lifetime

RODCs only replicate their own Domain NC with a WS08 DC

  • Reason is: WS03 DCS do not recognize the WS08 RODC password policy (they are unable to restrict the replication of certain passwords).

The Challenges

  • Unidirectional Replication. No changes (AD DS & DFS) are written to the RODC therefore writable DCs that are replication partners do not have to pull changes from the RODC and do not create inbound replication objects from RODCs (less work for Bridgehead servers).
    • This can create an inconsistent view of replication connection objects depending on which DC has the focus.
  • No automatic deletion of Lingering Objects on an RODC. Use: Repadmin /removelingeringobjects
  • RODC “Filtered Attribute Set”
    • Set of attributes in the schema for domain objects that will not replicate to an RODC
    • If DC is compromised and it tries to replicate attributes defined in the filtered attribute set from a WS08 DC, the replication request is denied.
    • If the DC tries to replicate from a WS03 DC, the request CAN succeed.
    • MAKE SURE FOREST IS AT FFL3 IF YOU WANT TO USE RODC FILTERED ATTRIBUTE SETS
    • System-critical Attributes cannot be added to the RODC filtered attribute set (a system-critical attribute has a schemaFlagsEx attribute value equal to 1)
  • LDAP writes to an RODC are referred to a writable DC; even to a WS03 DC.
  • More than 1 RODC in a specific site will lead to inconsistent logon experiences and is not supported.

Special Write action on an RODC:- password changes

  1. User in site with RODC changes password
  2. RODC refers password change to writable WS08 DC
  3. RODC inbound replicates the password using the “replicate single object” method.

RODC caches, by default, 2 passwords:

  1. The RODC computer account password
  2. The Kerberos account password

If an accounts password is not cached and the user tries to logon, the request is referred to a writable DC.

2 minutes later, or thereabouts, the RODC tries to inbound replicate the password from a WS08 DC which recognises the request is from a RODC and consults the Password Replication policy in effect for the RODC.

The Password Replication Policy determines if the creds can be replicated to the RODC and if so, the writable WS08 DC sends the creds to the RODC.

Next time the user tries to logon, the RODC services the request and signs the users TGT with its krbtgt account. Till the users password changes.

When a TGT is signed with the RODCs krbtgt account, the RODC knows it has a cached copy of the creds. If another DC signed the TGT, the RODC refers the request to a writable DC.

By limiting Credential caching to only users and computers who have logged on to the RODC, the potential risk to the Forest is limited.

Managing Password Replication Policy

  1. Using ADUC on a writable WS08 DC – properties of the RODC computer Account, the PRP tab
  2. Repadmin /PRP

To force replication: Repadmin /rodcpwdrepl

To remove a password from a RODC:

Because an RODC is considered untrusted, the concept that a password can be “removed or purged” from it is insecure.

  1. Change/reset/expire the password immediately
  2. Or wait for it to expire.

When caching accounts on an RODC make sure Computer and user accounts for the site are cached.

How to Deal with a Compromised RODC

When a RWDC is stolen, the immediate threat is all account credentials in the forest can be compromised.

Ulf backed this up by informing of a test he ran for a bank which showed they could crack all passwords of varying complexity and less than 8 chars in length within 2 hrs

To attempt to recover from the loss of a RWDC, you have to:

  1. Clean the metadata of the stolen DC
  2. Reset the password of all user accounts in the Domain
  3. Reset the domain wide KRBTGT account twice.
  4. Reset all DC accounts, all server accounts, all client accounts and all trust. Twice.

All very hard work and you still need to be aware of synched accounts or passwords in other Apps, systems, Domains or Forests.

To recover from a compromised RODC, you have to:

  1. Delete the krbtgt_instancename account of the RODC
  2. Cleanup AD metadata
  3. Reset all cached user and computer accounts

And all this can be done from the ADUC mmc when deleting the RODC account. The cached user and computer accounts can also be exported to a file.

With these RODC concepts, it can be seen how the branch office infrastructure is being better secured whilst trying to improve management.

Microsoft, we hear, are even experimenting with the idea of having an RODC on the Internet. All good stuff I say!

Posted 08 October 2007 07:22 AM by Austin | no comments
Filed under: , , , ,
More Posts Next page »