Disabling many AD user accounts on Windows Server 2003 without powershell

This may or may not help you but it's for my future reference.

My source was from dumping using MAP (Microsoft Assessment and Planning) toolkit using report "ActiveDevicesUsageTracker"

My AD wasn't using the default OU structure
Usable output = "Username" column = samID

Retrieve User-DN on Windows Server 2003
With the samID above, for each name

dsquery user -samid

Disable AD user accounts on Windows Server 2003
dsmod user user-DN -disabled yes

References (just got the important bits):
http://technet.microsoft.com/en-sg/library/cc781527(v=ws.10).aspx
https://kb.bluecoat.com/index?page=content&id=KB4548

Not related but I needed to get the AD group membership of those disabled AD accounts for clean up purposes.

Retrieve by AD user object AD group membership:
dsget user "" -memberof -expand 

Reference:
http://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx

How-To fix RDP connection issue with error "The Local Security Authority cannot be contacted"

Can be caused by:

1. User must change password on next logon and RDC is set to use only Network Level Authentication. Affects "workgroup" computers or computers on another domain (compared to the one you're logging in from). 
2. Missing language pack 

References:

http://blog.mnewton.com/articles/Solution-RDP-The-Local-Security-Authority-cannot-be-contacted/

On how to disable NLA (assuming you can get access to your remote server using the suggested methods:

http://blog.mnewton.com/articles/Solution-RDP-The-Local-Security-Authority-cannot-be-contacted/

Can I perform a P2V conversion on an Active Directory domain controller? (Note!! Use at your own risk!)

Updated 2014-Apr: 

Summary; you can do it. Just make sure all the FSMO roles are on the DC that is being P2Ved. Also Microsoft test-case is based on only ONE DC. The ramifications of performing this action on a mult-DC environment is not clear.

In essence, this P2V test case is based on SCVMM and not VMware Converter. There are multiple steps involved. SCVMM will use VSS to take a snapshot of the current state of the AD and simultaneously create a VM (on MS platform) and start cloning.

VMware Converter process:

From the horses' mouth, this is how it coordinates with the ESXi layer, the source VM and the destination target VM.

1. Authenticate the Source Machine. (I take this as logging on to the source machine)

2. Get the Source VM information.

3. Install the Agent on the Source Computer.

4. Create a new Destination VM.

5. Call the VSS program to Clone or Snapshot the guest machine internally.

6. Copy the cloned info to the destination machine.

7. Uninstall the agent from the Source Machine.

"We do not invoke any other thing which will cause the Source Machine to hamper."

Original post 17 Feb 14

NOTE - Use these only at your OWN RISK. I cannot be held responsible for any issues that may arise through applying any of the following. It is generally a well known "no-no" to P2V and V2V a DC that is pre-2012.

(From Microsoft Support - Advisory only - Further details, if any, will be updated as more information becomes available)

Can I perform a P2V conversion on an Active Directory domain controller?

Yes. You can perform an offline P2V conversion on a domain controller. Performing the conversion offline helps avoid potential Active Directory USN rollback issues during the process.

http://technet.microsoft.com/en-us/library/dd221390.aspx

Recommendations:

Offline P2V:

The impact to the original is when you perform P2V, the source DC will restart into the Windows Preinstallation Environment. It is the recommended solution if you need to P2V multiple domain controllers. 

Online P2V:

SCVMM Online P2V will not impact original Physical environment, which has been double confirmed with System Center team.  But it will cause USN rollback problem for the virtual environment if you P2V multiple domain controllers. However, if you only P2V one DC with FSMO roles, it will not cause any problem.

If you P2V only one DC with FSMO role using Online P2V. Please perform the following steps on the converted DC in virtual machine:

1.         Clean up metadata for DCs no longer exist

Clean up server metadata

http://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx

2.         Please disable initial synchronization when you start the virtual machine for the first time:

How to disable initial synchronization

On the PDC, go to the following registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Add the following Value:

Value name:  Repl Perform Initial Synchronizations Value type:  REG_DWORD Value data: 0  =============================

Have multiple fields in excel to compare and output results? Use vlookup in excel

--- Start of Rant ---

Let me tell you something. Sometimes in IT you're stuck with an unenviable task of scripting mass changes to AD, you've got the starting point - the requirements and the objects that need to be changed, you have somehow managed to extract the data required to be changed. Now you need to eye-ball both spread sheets line by line to make sure you can produce the script that will update the required attributes.

It's not fun.

--- End of Rant ---

With this it will be fun:
http://www.techonthenet.com/excel/formulas/vlookup.php

vmware vi fastpath unable to add server

"Error: You don't have permission to execute this command" - Append sudo to command line
"Error: Failed to add users" - Make sure your username parameter has a double "\". Note the red "\" . It is NOT a typo.

Eg: sudo vifp addserver vcenter.addomain.com --authpolicy adauth --username addomain\\adusername

HOWTO: Locating Global Catalog (GC) Servers in Windows Domain

nltest /dsgetdc: /GC

or

repadmin.exe /options * and use IS_GC for current domain options

The best way to disable 4300 computer accounts in Active driectory

Reposting here for my own reference.
Original thread can be found here

Here is a VBScript program Richard Mueller wrote a few years ago to disable computer accounts from a text file. The file name and path are hard coded in the program, so the file can be anywhere. The file must be a list of computer names (NetBIOS names), one name per line:

--- Begin script ---
Option Explicit

Dim strFile, objFSO, objFile
Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strComputer, strComputerDN, objComputer

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Specify text file of computer NetBIOS names.
strFile = "c:\Scripts\Computers.txt"

' Open the file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, 1)

' Determine DNS name of domain from RootDSE.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Read lines from the file.
Do Until objFile.AtEndOfStream
strComputer = Trim(objFile.ReadLine)
If (strComputer <> "") Then
' Convert NetBIOS name to DN.
' NetBIOS name must have "$" appended to end.
' Trap error if computer not found.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strComputer & "$"
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "Computer not found: " & strComputer
Else
On Error GoTo 0
strComputerDN = objTrans.Get(ADS_NAME_TYPE_1779)
' Bind to the computer object.
Set objComputer = GetObject("LDAP://" & strComputerDN)
' Disable the computer.
objComputer.AccountDisabled = True
objComputer.SetInfo
End If
End If
Loop

Wscript.Echo "Done"

--- End Script ---

How to reset trust between parent and child domains

Try this from the parent domain:

NETDOM TRUST parentdomain.com /Domain:child.parentdomain.com /UserD:child\administrator /PasswordD:* /UserO:parent\administrator /PasswordO:* /Reset /TwoWay

Reconnect child domain to AD forest after tombstone period without demoting child domain DCs

Frankly information on how to fix this problem IS available. It's just that Microsoft's support site contains KB articles that haven't been fully updated.

See this article: Orphaned child domain controller information may not be replicated to other Windows 2000 Server-based domain controllers

To resolve this issue, you must create a replication link, and you must enable one-way authentication instead of two-way authentication. To do this, follow these steps:

1. On a domain controller in the root domain, add the Replicator Allow SPN Fallback registry value. To do this, follow these steps.
   
   Note Perform steps 1 through 6 on this same domain controller.
   
   1. Click Start, click Run, type regedit, and then click OK.
   2. Locate and then click the following registry subkey:
      
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
   3. On the Edit menu, point to New, and then click DWORD Value.
   4. Type Replicator Allow SPN Fallback, and then press ENTER.
   5. Double-click Replicator Allow SPN Fallback in the right-pane, type 1 in the Value data box, and then click OK.
   6. Restart the domain controller.
2. At a command prompt, type the following:
   
   repadmin /optionsfully_qualified_domain_name_(FQDN)_of_the_root_domain_controller+DISABLE_NTDSCONN_XLATE
   
   
   Note The Repadmin.exe tool is located in the Windows 2000 Support Tools. 
   
   For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
   
   301423  How to install the Windows 2000 support tools to a Windows 2000 Server-based computer
3. At a command prompt, type the following:
   
   repadmin /add CN=Configuration,DC=Domain_Name,DC=Domain_NameFQDN_of_the_root_domain_controller FQDN_of_the_child_domain_controller
4. At a command prompt, type repadmin /showreps. A successful incoming connection should be displayed for the configuration naming context from the child domain controller.
5. At a command prompt, type the following:
   
   repadmin /options FQDN_of_the_root_domain_controller -DISABLE_NTDSCONN_XLATE
6. Remove the Replicator Allow SPN Fallback registry entry. To do this, follow these steps:
   
   1. Click Start, click Run, type regedit, and then click OK.
   2. Locate and then click the following registry subkey:
      
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
   3. Right-click Replicator Allow SPN Fallback, click Delete, and then click OK.
7. Force replication between all domain controllers in the root domain. To do this, follow these steps:
   
   1. On a domain controller in the root domain, click Start, point to Programs, point toAdministrative Tools, and then click Active Directory Sites and Services.
   2. Expand Sites, expand Servers, expand your Server_Name folder, and then click NTDS Settings.
   3. If there are other domain controllers in your environment to replicate, they will be listed in the right pane. Right-click the first domain controller in the list, click All Tasks, and then click Check Replication Topology to start the Knowledge Consistency Checker (KCC). 
      
      An incoming connection object from one or more of the child domain controllers is displayed. You may have to update the display by pressing F5.
      
      Note You must perform this step for each domain controller in the root domain.
8. Allow replication to occur throughout the forest. Then, run the repadmin /showreps command on the root domain controller and on the child domain controllers. This step makes sure that Active Directory directory service replication is successful. 
   
   Note The "Replication Allow SPN Fallback" registry entry enables the Active Directory to use one-way authentication if two-way authentication cannot be performed because of a failure to resolve a Service Principle Name (SPN) to a computer account.

@ARK-DS

Problem is almost resolved.  Been talking to Microsoft these last two weeks - we are at the last stage of monitoring replication and cleaning up.

And yes, you are right about KB http://support.microsoft.com/kb/887430. It's the first step required to rejoin the orphaned domain to parent. Unfortunately, I didn't get confirmation that this would work with Windows 2008 servers and in Windows 2003 Forest/Domain level installations - if I had, it would have saved a call to Microsoft. :-)  AND Microsoft's KB article was updated (APPLIES TO doesn't mention anything other than Windows 2000 Servers!!) See attached image kb887430.jpg

However, the whole process isn't as simple and involves many steps.

OK people, this is for the benefit of the masses.

From watching Microsoft troubleshoot the problem, besides the SOPs they ask you to do, (MPSReport, Network analyser captures, etc), these are the steps and things to take note of if you have a situation such as this.

1. You need to run the commands on the PDC.
2. You need to double-check using regedit even after using the "repadmin /regkey " - If you don't do that, although the command returns successful execution, the key might still be there.

www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_25306989.html#a30815303

Get all your AD troubleshooting tools from one place

MPS Reporting Tool:
This MPS Reporting Tool is utilized to gather detailed information regarding a systems current configuration. The data collected will assist the Microsoft Support Professional with fault isolation.


http://support.microsoft.com/kb/818742

Once downloaded, run the .exe file and it will extract (and run)

The interesting stuff is in %windir%\MPSReports\DirSvc\Bin

No more need to go hunting around for your support folder in your windows server CD/DVD/ISO!

Additional use link for Microsoft Network Monitor (v3.3):
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

Find FSMO roles

at command prompt type:

netdom query fsmo