Windows Tips & Tricks UPDATE, September 27, 2004, brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
Q. How can I use Microsoft Active Directory Service Interfaces (ADSI) to check a user's enabled or disabled state?
A. Each user object has an AccountDisabled property. To check whether an account is disabled, you can run a simple script that uses a True or False condition statement, such as this:
    ' objChild must already refer to a user object
    If objChild.AccountDisabled Then
        objDisabledStat = "Y"
    Else
        objDisabledStat = "N"
    End If
Q. How can I use Microsoft Active Directory Service Interfaces (ADSI) to disable a user account?
A. Assuming that you've already defined an objUser variable in a VBScript script that points to the user you want to disable, you can disable a user account by adding the following code to your script:
    objUser.AccountDisabled = True
    objUser.SetInfo
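The two answers above, combined into one script as an added example (not code from the original FAQ): it reports the disabled state of every user in a container, then disables one account and re-reads it from the directory to confirm the change was committed. The container path and user path are placeholders assumed for illustration.

```vbscript
Option Explicit

' Assumed values for illustration; replace with paths from your own directory.
Const CONTAINER_PATH = "LDAP://OU=Staff,DC=example,DC=com"
Const TARGET_USER    = "LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com"
Const ADS_UF_ACCOUNTDISABLE = &H2   ' userAccountControl bit behind AccountDisabled

Dim objContainer, objChild, objUser, objDisabledStat

' Report: list each user object in the container with its disabled state.
Set objContainer = GetObject(CONTAINER_PATH)
objContainer.Filter = Array("user")
For Each objChild In objContainer
    ' Guard against non-user objects (the computer class derives from user).
    If LCase(objChild.Class) = "user" Then
        If objChild.AccountDisabled Then
            objDisabledStat = "Y"
        Else
            objDisabledStat = "N"
        End If
        WScript.Echo objChild.Get("sAMAccountName") & vbTab & objDisabledStat
    End If
Next

' Disable one account, commit the change, then verify it on the server.
Set objUser = GetObject(TARGET_USER)
objUser.AccountDisabled = True
objUser.SetInfo    ' writes the cached change to the directory
objUser.GetInfo    ' reloads the property cache from the directory

If (objUser.Get("userAccountControl") And ADS_UF_ACCOUNTDISABLE) <> 0 Then
    WScript.Echo objUser.Get("sAMAccountName") & " is now disabled."
Else
    WScript.Echo "Disable did not take effect for " & objUser.ADsPath
End If
```

Run it with cscript.exe so that the WScript.Echo output goes to the console instead of message boxes.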
Q. How can I manually force a replication of an Active Directory Application Mode (ADAM) partition?
A. You can use the ADAM version of Repadmin to force a replication by performing the following steps:
- Start an ADAM tools command prompt (Start, Programs, ADAM, ADAM Tools Command Prompt).
- Type the command
    repadmin /syncall localhost:389 <partition name>
You'll need to change the port number in the command if you've assigned the ADAM instance a different port.
Messages similar to the following will be displayed:
    Syncing partition: cn=App1,o=Savilltech,c=US
    CALLBACK MESSAGE: The following replication is in progress:
    From: adamtest1.savilltech.com:389
    To : adamtest2.savilltech.com:389
    CALLBACK MESSAGE: The following replication completed successfully:
    From: adamtest1.savilltech.com:389
    To : adamtest2.savilltech.com:389
    CALLBACK MESSAGE: SyncAll Finished.
    SyncAll terminated with no errors.
This shows a successful replication.
Q. How can I configure the replication interval within an Active Directory Application Mode (ADAM) site?
A. By default, all your ADAM replicas are in the same site. Because replication within a site is based on notification--that is, when a server has a change, it notifies its replication partners of the update--by default changes should be replicated almost instantly. A replication schedule exists for intrasite replication; however, this schedule applies only when no update-based replication has occurred within the standard replication time interval. To modify the default replication interval within a site, perform these steps:
1. Start the ADAM ADSI Edit tool (Start, Programs, ADAM, ADAM ADSI Edit).
2. If ADAM ADSI Edit doesn't open the Configuration partition by default, connect to it by right-clicking the ADAM ADSI Edit root in the treeview pane and selecting "Connect to"; otherwise, go to step 4.
3. At the dialog box that's displayed, enter a connection name of "Configuration." (Leave the default server name and port number unless you changed the port during installation.) Under Connect to the following node, select "Well-known naming context" and choose "Configuration." Click OK.
4. Expand the Configuration partition, expand sites, and select the site name (which by default is Default-First-Site-Name--the same as with Active Directory--AD).
5. Right-click CN=NTDS Site Settings in the right pane and select Schedule from the displayed context menu.
6. In the Schedule window, you can set the default replication interval (if no update replications have occurred). By default, the interval is once per hour.
7. Click OK.
Q. Can I add a Windows Server 2003 domain controller (DC) to a Windows 2000 Server domain?
A. If you have only Win2K Server DCs in a domain and attempt to run Dcpromo from a Windows 2003 server so that it can join the domain, the command will fail and the error message that the figure shows will be displayed. Before you can make a Windows 2003 server a DC in an existing Win2K Server domain, you must run the forest and domain preparation utility--Adprep--which you can find in the \i386 folder on the Windows 2003 CD-ROM--by running the commands
    adprep /forestprep
    adprep /domainprep
Be aware that these commands alter the schema and configuration of your forest and domain--especially if you have Microsoft Exchange 2000 Server installed--which can cause problems with the Windows 2003 forest preparation. (I'll cover the steps you need to take to avoid such problems in an upcoming FAQ.)
Q. How can I block downloading of Windows XP Service Pack 2 (SP2) through Windows Update and Automatic Updates?
A. XP SP2 includes many great new features; the downside is that it can cause problems with running some programs. Consequently, some customers want to prevent their systems from automatically downloading XP SP2 until they've tested the service pack thoroughly and are better prepared to deploy it. Microsoft understands this and provides detailed guidance about blocking the automatic delivery of XP SP2 via Windows Update and Automatic Updates at the Microsoft Web site. The methods described on this Web page will work until April 12, 2005, at which time Windows Update and Automatic Updates will deliver XP SP2 regardless of whether the blocking mechanism is present on a system. (That date is also the scheduled date for a monthly cumulative security update.)
You can download a tool that blocks delivery of XP SP2 at the Microsoft download site. The download includes an executable file, a script and Group Policy administrative template, and some sample email messages that you can send to users; the sample messages contain links users can click to either block or unblock the delivery of XP SP2. XP SP2 blocking is controlled through the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2 registry subkey. Setting the subkey's value to 1 blocks delivery of XP SP2 through Windows Update or Automatic Updates on that system. Be aware that this registry change will work only until April 12, 2005, as well.
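To confirm which machines actually have the block in place, the following added example (not part of the original FAQ and not the script from Microsoft's download) reads the setting remotely through the WMI StdRegProv registry provider. It assumes DoNotAllowXPSP2 is stored as a DWORD value under the WindowsUpdate policy key named above; the computer names are constructed placeholders.

```vbscript
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH   = "SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
Const VALUE_NAME = "DoNotAllowXPSP2"

' Constructed list of computer names (assumption); "." is the local machine.
Dim arrComputers, strComputer
arrComputers = Array(".", "WKSTN01", "WKSTN02")

For Each strComputer In arrComputers
    WScript.Echo strComputer & vbTab & BlockState(strComputer)
Next

' Returns "blocked", "not blocked", or "unreachable" for one computer.
Function BlockState(strName)
    Dim objReg, lngValue, lngRc

    On Error Resume Next
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strName & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        ' WMI connection failed (machine offline, firewall, or no rights).
        Err.Clear
        BlockState = "unreachable"
        Exit Function
    End If
    On Error GoTo 0

    ' GetDWORDValue returns 0 on success and nonzero if the value is absent.
    lngRc = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE, KEY_PATH, VALUE_NAME, lngValue)
    BlockState = "not blocked"
    If lngRc = 0 Then
        If lngValue = 1 Then BlockState = "blocked"
    End If
End Function
```

A result of "blocked" only reflects the registry setting; per the answer above, it stops having any effect on April 12, 2005.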