Full of I.T.

Kevin Remde's IT Pro WebLog

Windows Server 2003 Administration Webcast Series (Part 2) Q&A

I screwed up and deleted the original Part 2 Q&A document when uploading the Part 3 Q&A over the top of it in my blog.  That will teach me not to retrieve old articles and expect that saving them with changes will cause a new one to be created.  <sigh>

Anyway – here again is the Q&A from Part 2 of our webcast series.

Thanks again to my teammates for doing such a great job helping to answer questions!  I give them the credit for the information in this document.  Outstanding!

Also, I want to make sure you also have the link to the Session Resources I posted for Part 2.

Series Part 2 Webcast Q&A

“Where do I find the homework again?”

I’ve posted the homework on my blog.  Here is the homework for Part 2.

“I wasn’t here for last week, is it available to view later?”

You can go to http://www.microsoft.com/seminar/events/series/windowsserver2003admin.mspx and view last week’s webcast in the on-demand section (bottom of the page). You can register for last week’s on-demand webcast and you will be sent an email with links to download the WMV and the PPT file. Thanks and enjoy!

“Do I need a computer to watch this WebCast?”


“Is there a particular time to log in?  How early are we allowed to log in to the webcast?”

You can log in from 1/2 hour before the webcast starts, and throughout the time of the webcast.

“Are local users on Windows XP assigned to the power users group by default?”

No, you need to assign them to the group.

“When you demo you have 3 Virtual PCs running. I would like to duplicate this and load an ISO file for Exchange, Win2003 and XP. I think this is the three you are running. Where can I get the ISO files ?”

Think of each virtual machine as if it were a physical node on your network. You need a licensed copy of the installation CD for each of the OSes and application servers you want to use, and you need to install each of them to create the VMs. These are not available for public consumption.

“Are there any issues with removing the domain admins from the local administrators group for a workstation in the domain?”

No – other than that you may be removing administrative access that your administrators need.

“What’s the difference between a group and ou?”

A group is for assigning permissions.  Group memberships help make it easier to grant rights of access to resources to users and computers.  OUs (Organizational Units) are for grouping objects within an Active Directory domain, and are mainly beneficial for assigning Group Policies to the objects within an OU, or delegating administrative authority over those objects within the OU.

“In SBS 2003, local users are automatically added to the Local Admin account. Is this a good idea? Should the users always be a member of the local administrators?”

No, users should not be members of the administrators group unless there is a pressing need. 

“If I am using Password never expires and I want to change that for all users in my domain, can I change that option for all users at one time or do I have to change it one by one?”

Select all the users and make the change.  Or better yet, use Group Policy at the domain level to not have expiring passwords.  But… it’s really a good idea to have passwords expire.  It has big benefits relating to security.

“Have seen from time to time that the computer when added to the domain, does not appear in the Computers container. Why is that?”

It’s just an occasional thing?  I’m not sure why that is, unless there are DNS or other issues with how certain computers are not able to see a DC, or perhaps replication isn’t happening the way it should. 

“Can you leverage any other products besides Exchange for user creation/integration? Or is it because AD and Exchange are both loosely coupled under LDAP to allow for this? Reason I ask was for something like say SharePoint. Thanks”

Most of our products can use AD for permissions. Account creation is typically a separate process.

“When you do not select ‘Password never expires’, how long/often does it force a password change from the user?”

By default, never.  You need to configure the maximum password age setting in Group Policy at the domain level: Computer Configuration ==> Windows Settings ==> Security Settings ==> Account Policies ==> Password Policy

“Does this Exchange mailbox option appear only on the Exchange server or on all servers?”

On all Domain Controllers in a domain in which Exchange has been installed or connected to an Exchange 5.5 organization via the ADC. 

“Can additional fields be added to the user properties pages in Active Directory Users and Computers, such as a field bound to the employeeID attribute?”

Yes, almost all objects are extensible.

“How/where can we get Windows Admin Tools?”

They are on the CDROM, resource kits, microsoft.com, etc.

“Is there a place to find out what rights are assigned with each standard user groups (ie Remote Desktop).”


“At what number of users AD is a good solution for management?”

It’s not really just a matter of number of users. Number of computers, file servers, assigning permissions to resources like a file share all come into play when deciding to move from a peer to a domain model. 

“Is there a way on an xp desktop to have the exchange options like you do on the exchange server”

Yes, you can install the adminpak.msi from the Windows Server CD to get the AD management tools, and you can install the Exchange management tools on your XP machine as well, so that you can manage AD and Exchange from your workstation rather than from the server. See http://support.microsoft.com/kb/834121 and related links.

“When accounts expire, are they deleted or disabled?”


“What time of the day do accounts expire on the day that you put in for the expiration?”

12 am midnight on the date specified

“Can the Log On To feature be assigned to an OU or Group?”


“What is an admin share?”

It’s a hidden share.  Any share whose name ends in a “$” is hidden.  Example: ADMIN$ is actually c:\winnt shared out for administrators to have access to.

“Is there an add-in to show you last login or the users sid in the ADUC?”

I am unaware of one.

“Can you use the Remote Control tab settings without selecting ‘Require users permission’ for an Administrator to view a users desktop without their knowledge?”

Unfortunately not.

“Is there a way to ‘dump’ (in an ‘offline’ readable format) all non-default settings in ADUC?”

Yes, you can use the resultant set of policy tools to build reports.

“The exchange server comes within the win2000 server operating system?”

It integrates with it, AD is the Directory service for Exchange, but Exchange is a separate application that needs to be purchased and licensed separately.

“Are these exchange tabs available with win 2000 server also?”


“What is the password for an Admin share?”

Shares don’t have passwords; they have permissions lists (Access Control Lists). If your account is on the list you get in; if not, you don’t.

“Does adminpak.msi include exchange properties? how do you enable these?”

By installing the schema for Exchange into active directory via the Exchange forest and domain prep process.

“How much account specific information about the user is available to other in the domain? Can the amount of information about a user be limited to others in the domain should they search Active Directory?”

Use ADSIEdit to check. You can modify what is replicated.  Be careful with the tool. http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/adsiedit.asp.

“How can you disable ‘Outlook Web Access’ by default?”

You could create your users with a template that has this disabled.  Or better still, you can manage it through the properties on the Exchange Server directly.

“Can the user have a different logon name from the e-mail account name”


“Are the Exchange features general attributes or can you add to the listings?”

When Exchange is installed there is a default set of Exchange attributes that can be managed from the ADUC. However, the AD Schema is extensible, so you can create your own custom attributes and replicate them throughout AD. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/active_directory_schema.asp and related links.

“If you disable a user account, will it still accept email to the account in Exchange?”


“What does dsmod stand for? thanks”

DSMOD is a utility to modify an existing object of a specific type in the directory.  DS=Directory Services, MOD=Modify

“How do you use the user template to copy to make many users?”

Create the template with the fields populated with your generic data (the account should remain disabled) then in the ADUC right click and say copy.

“Is there a way to export user information into a tab formatted file like Kevin is showing?”

Absolutely. See CSVDE and LDIFDE as tools to allow you to do this.

“In creating a group container, is there a area where you can put the name of the owner on the display?”

The answer is yes. It is a property for the group although it isn’t commonly exposed in our tools UI.

“After migrating from exchange 5.5 to 2003 I can’t seem to find where to make changes to the ‘assistant’ field?”

That may have been folded into the Direct reports field on the organization tab.

“Is there a way to see all the Q&A later?”

Yep.  You’re looking at it! :-)

“What tool do we use to rename a user account in AD and Exch?”

Just right-click the account in the Active Directory Users and Computers console.

“With command line, if you have permission rights to only a part of the AD tree, will the command line be intuitive enough to add to your privilege level or is it an all or nothing meaning you must have enterprise level access?”


“Is cn short for common name?”


“Isn’t there going to be a problem in AD for Exchange with the capitalized OU object in that command line?”


“Has mail delivery changed in 2003? because in 2000 mail sent to a disabled user is refused and generates an NDR to the sender”

Hmmm. You may be correct but I thought it still delivered the mail in the event the account with assigned permissions needs to be changed.

“Can you find out through AD what computer(s) the user is logged on to?”

No, but you can enable an audit policy on the DCs that records authentication requests in the Security log of the event viewer.
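Once that audit policy is on, the Security log can answer the question after the fact. The sketch below is an added example, not part of the original Q&A: it assumes the DC events have been exported to a simplified CSV (the column layout and sample rows are constructed) and uses the Windows Server 2003 account logon event IDs 672 (Kerberos authentication ticket request) and 680 (NTLM logon attempt).

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per Security log event from a DC.
SAMPLE_EXPORT = """\
time,event_id,type,user,source
2005-03-01 08:02:11,672,Success,jdoe,10.0.0.21
2005-03-01 08:02:12,672,Success,WKS-021$,10.0.0.21
2005-03-01 09:15:40,680,Success,JDoe,WKS-034
2005-03-01 09:20:05,672,Failure,asmith,10.0.0.40
2005-03-01 10:01:33,672,Success,asmith,10.0.0.40
2005-03-01 13:47:09,672,Success,jdoe,10.0.0.21
2005-03-01 13:50:00,538,Success,jdoe,10.0.0.21
"""

# Account logon events recorded on the DC that handled the authentication.
ACCOUNT_LOGON_EVENTS = {"672": "Kerberos", "680": "NTLM"}

def last_seen(export_text):
    """Map user -> {source: latest timestamp} for successful authentications."""
    seen = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in ACCOUNT_LOGON_EVENTS:
            continue                      # not an account logon event
        if row["type"] != "Success":
            continue                      # failed attempts are not logons
        user = row["user"].lower()        # logon names are case-insensitive
        if user.endswith("$"):
            continue                      # computer accounts, not people
        previous = seen[user].get(row["source"])
        if previous is None or row["time"] > previous:
            seen[user][row["source"]] = row["time"]
    return {user: dict(sources) for user, sources in seen.items()}

def sources_for(user, export_text):
    """Sources a user authenticated from, most recent first."""
    sources = last_seen(export_text).get(user.lower(), {})
    return sorted(sources, key=sources.get, reverse=True)

if __name__ == "__main__":
    print(sources_for("jdoe", SAMPLE_EXPORT))
```

Each DC logs only the requests it handled, so exports from every DC need to be combined before drawing conclusions.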

“Where can I find a list of all these commands that are being used to query and add accounts from the command line?”

A lot of the commands are in the Help area of Windows Server 2003 (under the start button). Many are also in the deployment and operation guides.

“Are these commands only for win2003?”

Some are new, yes.

“Why would an Administrator use the command prompt to add users with the dsadd command? Multiple Adds? Faster than ADUC?”

It’s faster for some people, and for people who write their own scripts.  Also, if you’re just deploying AD and you’re testing, it’s easy to create the scripts as you go and then just run them when you’re ready to deploy, as I did in the demo.

“Will these commands {line} be able to be used from a remote machine or only on a DC?”

You can do these remotely also.

“Can I create two folders in AD Users & Computers under my domain to separate my groups & users or do I have to create two OU’s?”

The folder IS an OU.

“Is there a way of forcing the address book in each users outlook to refresh?”

Yes, there are Outlook 2003 registry settings that control automatic or manual download and update of the OAB. I don’t recall how many of them are exposed via group policy but I know there are reg settings you can implement.

“This might be coming, but is there a way to randomly generate an initial password for all of the users at once?”

DSadd includes a command line switch to set a password, but not to randomly generate one.
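Because dsadd only accepts a password you supply, the random part has to come from a script that writes the dsadd lines. The following is an added example, not from the webcast or the original Q&A: the user list, the OU and the helper names are hypothetical, and it relies only on the dsadd user switches -samid, -display, -pwd and -mustchpwd.

```python
import secrets
import string

# Symbols chosen to survive cmd.exe quoting: no % " ^ & | < > ! and no
# switch characters (- /) or * (which dsadd -pwd treats as "prompt me").
SAFE_SYMBOLS = "#_=+@"
ALPHABET = string.ascii_letters + string.digits + SAFE_SYMBOLS
UNSAFE = set('"%^&|<>!\r\n')

# Constructed sample input: (logon name, display name)
SAMPLE_USERS = [("jdoe", "John Doe"), ("asmith", "Ann Smith")]
SAMPLE_OU = "OU=Staff,DC=example,DC=com"  # hypothetical OU

def random_password(length=14):
    """Random password containing lower, upper, digit and symbol characters."""
    if length < 8:
        raise ValueError("length must be at least 8")
    classes = (str.islower, str.isupper, str.isdigit, SAFE_SYMBOLS.__contains__)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(test(c) for c in pw) for test in classes):
            return pw

def dsadd_line(sam, display, ou_dn, password):
    """Build one dsadd command, rejecting values that would break quoting."""
    if UNSAFE & set(sam + display + ou_dn + password) or "," in display:
        raise ValueError("unsafe character in user data")
    return (f'dsadd user "CN={display},{ou_dn}" -samid "{sam}" '
            f'-display "{display}" -pwd "{password}" -mustchpwd yes')

def build_commands(users, ou_dn):
    """Return (commands, hand-out list) with one generated password per user."""
    commands, handout = [], []
    for sam, display in users:
        pw = random_password()
        commands.append(dsadd_line(sam, display, ou_dn, pw))
        handout.append((sam, pw))
    return commands, handout

if __name__ == "__main__":
    cmds, _ = build_commands(SAMPLE_USERS, SAMPLE_OU)
    print("\n".join(cmds))
```

The generated command file contains every initial password in plain text, so delete it once the accounts exist; -mustchpwd yes makes each password single-use at first logon.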

“Can you please repeat the Blog Address?”

http://blogs.msdn.com/KevinRemde – but you knew that.

“Can the whole presentation be saved or just the PP?”

In 72 hours you will be able to register for this webcast and will be sent an email with links to download the PPT and WMV files.

“If you are a local admin on Windows server 2003 and Windows 2000 Server – Can you use those commands on those servers?”

Not on 2000, only 2003.

“Not really a question: You did great today, guys! Bravo!”

Thanks much!

“Once a computer has been added to a domain, should the local Administrator account be disabled?”

No, but you may want to change its name.  And you should definitely assign it a strong password.

“I’m sorry if this was asked, but where do we find homework?”

I’m posting all of the homework assignments to my blog.  Here is where you’ll find the homework for this week (week #2).

“Which username will the variable %username% return? The full username or the pre-windows 2000 username?”

Pre-Windows 2000 username.

“Are you sure DSADD isn’t in Windows 2000?”

My esteemed colleague, Keith Combs, pointed out that indeed DSADD and DSMOD were supported in Windows 2000 – perhaps as part of the Resource Kit.  See http://support.microsoft.com/kb/320187

“Will you cover changes in scripting for user profiles in 2003 next week?”

No scripting for profiles.  We talk about User Profiles in great detail – what they are and what they are for, and the different types of Profiles and their implications.

You can see the series and topics covered at http://www.microsoft.com/seminar/events/series/windowsserver2003admin.mspx

“Our users’ home drives are named with their usernames. Is there a way to record this in a template account? I.e. \\server\%username%”

Yes… That will work there also.

“I use the command line mail tool Blat in some batch files. It requires a user name/password so it can authenticate to send email. Obviously, being in a batch file, the password is plain text. What’s the best way of having a user account that no one can take advantage of?”

Encrypt the file, or create a folder and enable encryption on that folder.  Put all such sensitive files in the encrypted folder.

“Can these commands be used on Windows Small Business Server 2003?”


“Does the Remote Control option under user properties affect the computer RC setting?”

You can override it on the computer side. That wins over the user settings, I believe.

“hahahaha! ROFL. That picture was soo funny! Kind of looks like Rob Westover! :-)”

This one?…

[Image: Donald Trumps Dog]

Glad you liked it! (And I’m sure Rob will be glad, too!)