The Microsoft SharePoint Administration Toolkit contains functionality to help manage Microsoft Office SharePoint Server (MOSS) 2007 and Windows SharePoint Services (WSS) version 3.0. This toolkit contains the ability to diagnose performance issues, perform bulk operations on site collections, an Stsadm operation to update alert e-mails after the URL for a Web application has been changed, and a User Profile Replication Engine tool.
The supported operating systems include Windows Server 2003, Windows Server 2008, Windows Vista and Windows XP. You must have MOSS 2007 or WSS 3.0 installed on your computer. Microsoft recommends that version 1.0 and 2.0 of the SharePoint Administration Toolkit be uninstalled first before you install version 3.0 of the SharePoint Administration Toolkit.
Here are the download links:
SharePoint Permission Reporting Tool
Included in the SharePoint Administration Toolkit from Microsoft is the Permission Reporting Tool, which provides various components to help better understand how security is being derived and applied across and within sites, lists and item. The tool includes three components – the Compare Permissions Sets function, the Check Effective Permissions function and the Broken Inheritance Reports function. Here’s a video on TechNet that will show you how to use the Permission Reporting Tool.
I am glad someone is looking out for Site Administrators. There is a lot of focus on resources for Network and SharePoint Administrators, for obvious reasons, but it’s important to also keep the Site Administrators in mind. I’ve noticed that my colleague Sharee English is often talking and blogging about Site Administrators. She recently posted a blog that lists training resources for SharePoint Site Administrators. Here’s a quote from her blog.
“Site Administrators have the largest burden when it comes to SharePoint. They are responsible for managing permissions, creating lists and libraries, and maintaining metadata. Most site administrators have never done any of these things before and may not even know what some of these things mean. Luckily there are so many resources available.”
Click here for more details and links to the resources that she has listed.
NetDom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use NetDom, you must run the NetDom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use NetDom to:
- Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.
- Provide an option to specify the organizational unit (OU) for the computer account.
- Generate a random computer password for an initial Join operation.
- Manage computer accounts for domain member workstations and member servers. Management operations include:
- Add, Remove, Query.
- An option to specify the OU for the computer account.
- An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.
- Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
- From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.
- From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.
- Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).
- The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.
- Verify or reset the secure channel for the following configurations:
- Member workstations and servers.
- Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
- Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.
- Manage trust relationships between domains, including the following operations:
- Enumerate trust relationships (direct and indirect).
- View and change some attributes on a trust.
Here are the NetDom commands.
|Netdom add||Adds a workstation or server account to the domain.|
|Netdom computername||Manages the primary and alternate names for a computer. This command can safely rename Active Directory domain controllers as well as member servers.|
|Netdom join||Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the computer on the domain, if it does not already exist.|
|Netdom move||Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist.|
|Netdom query||Queries the domain for information such as membership and trust.|
|Netdom remove||Removes a workstation or server from the domain.|
|Netdom movent4bdc||Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0 domain renaming efforts.|
|Netdom renamecomputer||Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and member servers only. To rename domain controllers, use the netdom computername command.|
|Netdom reset||Resets the secure connection between a workstation and a domain controller.|
|Netdom resetpwd||Resets the computer account password for a domain controller.|
|Netdom trust||Establishes, verifies, or resets a trust relationship between domains.|
|Netdom verify||Verifies the secure connection between a workstation and a domain controller.|
Microsoft has listed lots of examples on TechNet here. Here are some of them.
NOTE: The following examples apply to at least Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1 and Windows Server 2003 with SP2.
Example 1: Add a Workstation or Member Server to a Windows NT 4.0 Domain
To add the workstation mywksta to the Windows NT 4.0 domainreskita, type the following at the command line:
netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password
Example 2: Add a Workstation or Member Server to a Windows Server 2003 Domain
To add the workstation mywksta to the Windows Server 2003 domain devgroup.example.com in the organizational unit (OU) Dsys/workstations, type the following at the command prompt:
netdom add/d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Example 3: Move a Windows NT 4.0 BDC to a new domain
To join myBDC to the Windows NT 4.0 domain reskita type the following at the command prompt:
netdom mybdc moveNT4BDC /domain:reskita
Example 4: Add an alternate name for a Windows Server 2003 domain controller
To give an alternate name for the domain controller DC in the example.com domain, use the following syntax:
netdom computername dc /add:altDC.example.com
A name must first exist as an alternate before it can be made the primary name of a computer.
Example 5: Rename a domain controller in a Windows Server 2003 domain
To rename the domain controller DC to altDC in the example.com domain use the following syntax:
netdom computername dc /makeprimary:altdc.example.com
To rename a member server you must choose one of the existing alternate names for the computer and make it the new primary name.
Example 6: Rename a Member Server
To rename the member server member to member1, type the following at the command prompt:
netdom renamecomputer member /newname:member1.example.com /userd:administrator
Example 7: Join a Workstation or Member Server to a Domain
To join mywksta to the devgroup.example.com domain in the Dsys/workstations organizational unit, type the following at the command prompt:
netdom join /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Besides adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the join operation.
Example 8: Remove a Workstation or Member Server from a Domain
To remove mywksta from the mydomain domain and make the workstation a part of a workgroup, type the following at the command prompt:
netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password
Example 9: Move a Workstation or Member Server from One Domain to Another
To move mywksta from its current domain into the mydomain domain, type the following at the command prompt:
netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password
If the destination is a Windows 2000 domain, the Security ID history (SIDHistory) for the workstation is updated, retaining the security permissions that the computer account had previously.
Example 10: Reset the secure channel for a workstation, member server, or Windows NT 4.0 BDC
To reset the secure channel secret maintained between mywksta and devgroup.example.com (regardless of OU), type the following at the command prompt:
netdom reset /d:devgroup.example.com mywksta
To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC, type the following at the command prompt:
netdom reset /d:Northamerica NABDC
Example 11: Force a Secure Channel Session Between a Member and a Specific Domain Controller
Members often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a member and a specific domain controller by using the /server parameter with the reset operation, type the following at the command prompt:
netdom reset /d:devgroup.example.com mywksta /Server:mylocalbdc
Example 12: Verify a Workstation or Member Server Secure Channel
To verify the secure channel secret is maintained between mywksta and devgroup.example.com, type the following at the command prompt:
netdom verify /d:devgroup.example.com mywksta
Example 13: Establish a One-Way Trust Relationship
When used with the trust operation, the /d:Domain parameter always refers to the trusted domain.
To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
Press Enter and the following prompt is displayed:
Password for Northamerica\admin:
Enter the password for Northamerica\admin and press Enter. The following prompt is displayed:
Password for USA-Chicago\admin:
Enter the password for USA-Chicago\admin and press Enter.
The user must have credentials for both domains. The /pd parameter can be used to specify the password for Northamerica\admin and the /po parameter can be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user is prompted for both.
If you then want to specify a two-way trust, type the following at the command prompt
netdom trust /d:marketing.example.com engineering.example.com /add /twoway /Uo:firstname.lastname@example.org /Ud:email@example.com:
Example 14: Establish a One-Way Trust Relationship from a Windows Domain to a Non-Windows Kerberos Realm
To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the command prompt:
netdom trust /d:ATHENA Northamerica /add /PT:password /realm
The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm. The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed.
If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:
netdom trust /d:Northamerica ATHENA /add
Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as transitive, type the following at the command prompt:
netdom trust Northamerica /d:ATHENA /trans:yes
To display the transitive state, type the following at the command prompt:
netdom trust Northamerica /d:ATHENA /trans
The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.
Example 15: Break a One-Way Trust Relationship
To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /remove
Example 16: Break a Two-Way Trust Relationship
To break a two-way trust relationship, type the following at the command prompt:
netdom trust /d:marketing.example.com Engineering.example.com /remove /twoway /Uo:firstname.lastname@example.org /Ud:email@example.com
Example 17: Verify a Specific Trust Relationship
To verify the one-way trust that USA-Chicago has for Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /verify
To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:
netdom trust /d:Northamerica EUROPE /verify /twoway
The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.
Example 18: Reset a Specific Trust Relationship
To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset
The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.
Example 19: Verify Kerberos Functionality
To verify Kerberos authentication between a workstation and a service located in the domain devgroup.example.com, type the following at the command prompt:
netdom trust /d:devgroup.example.com /verify /KERBEROS
When you use the NetDom trust operation with the /verify /kerberos parameters, it seeks a session ticket for the Kerberos Admin service in the target domain. If successful, you can conclude that all Kerberos operations (for example KDC referrals) are operating correctly between the workstation and the target domain.
Example 20: View All Workstation Members in a Domain
To list all the workstations in the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica WORKSTATION
Example 21: View All Server Members in a Domain
To list all of the servers in Northamerica, type the following at the command prompt:
netdom query /d:Northamerica SERVER
Example 22: View All Domain Controller Members in a Domain
To list all the domain controllers in the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica DC
Example 23: View All Organizational Unit Members in a Domain
To list all of the OUs in devgroup.example.com, type the following at the command prompt:
netdom query /d:devgroup.example.com OU
Example 24: List the Primary Domain Controller Member in a Domain
To list the PDC for Northamerica, type the following at the command prompt:
netdom query /d:Northamerica PDC
Example 25: List the Primary Domain Controller Emulator in a Domain
To list the current PDC emulator for devgroup.example.com, type the following at the command prompt:
netdom query /d:devgroup.example.com FSMO
NOTE: There are more examples on TechNet here.
For those of you who are using Windows 7, you may have notice that it’s a vast improvement over Windows Vista. I wholeheartedly recommend Windows 7 to my clients and students and just about everyone who uses Windows. Microsoft should be commended for doing a great job with Windows 7. People are often quick to criticize Microsoft when they see a lack of quality or security in Microsoft’s products so I believe people should also be quick to praise Microsoft when they do a good job.
Overall, I am very impressed with Windows 7 operating system (OS). I can go on with all the great things in Windows 7 but in this post I am going to focus on what I believe is missing in Windows 7. Here’s a short list.
Windows 7 does not allow you to make a copy of your CDs or DVDs. You can burn (i.e. copy) music, pictures and videos to a DVD but you cannot make a copy of your own data, pictures or video CDs/DVDs. Your option: Use a third-party tool.
Unlike Windows XP, Microsoft no longer provides a newsreader in its new operating systems. Your option: Use a third-party tool, like Mozilla’s Thunderbird.
Technically, Sound Recorder is not missing but Microsoft has significantly downgraded the Sound Recorder utility in Windows 7. Unlike Windows XP, which contains a fully-functional Sound Recorder utility that lets you edit, mix files, and includes several special effects, the Windows 7 Sound Recorder utility looks like it was created by a 5 year-old during his lunch break at the daycare. The only thing you can do is record the sound and save the file. That’s about it. People are still trying to figure out Microsoft’s logic behind their decision. They couldn’t enhance the Sound Recorder tool so they decided they will make it worse than before and offer a stripped-down version instead. Why? No one knows. If it wasn’t important then why not remove it from the OS all together? Your option: Use a third-party tool.
Support for Microsoft Virtual PC 2007
Unlike Windows XP, Microsoft does not offer support for Microsoft Virtual PC 2007 in Windows 7. This raises numerous virtualization issues, some of which I have documented in this blog.
By not providing support for Microsoft Virtual PC 2007 and to make things even worse…..not offering support for running x64 guest operating systems in Virtual PC 2007 or Virtual Server 2005, Microsoft is encouraging Windows 7 users to look for alternate solutions, such as VMware Server. I am hoping Microsoft will revise this bad marketing decision because these days 64-bit hardware and software is very common and Microsoft really needs to rethink it’s strategy. Your option: Use a third-party tool.
Windows 7 doesn’t include any anti-virus software. You can, however, install Microsoft Security Essentials, which is free and protects your PC against viruses, spyware, and other malicious software, Your option: Either use a third-party tool such as AVGFree, or install Microsoft Security Essentials.
In the past joining Microsoft SpyNet was optional (e.g. in Windows Defender) but with Microsoft Security Essentials you are only given two choices.
Choice #1: You must agree to have information automatically collected and sent to Microsoft, including your personal information.
Choice #2: You must agree to have information automatically collected and sent to Microsoft, including your personal information.
That’s right. Those are the only two choices. You can either send “some” information to Microsoft or you can send “a lot” of information to Microsoft. So what’s your pleasure?
Basic Membership: You agree to send some information to Microsoft.
Advanced Membership: You agree to send a lot of information to Microsoft.
In either case Microsoft warns you that you might be risking your privacy because your personal information might be unintentionally sent to Microsoft. Do you have the option to not send personal information to Microsoft? Absolutely not! If you want to use Microsoft Security Essentials you have no choice but to agree to risk your privacy.
The Recovery Console in earlier versions of Windows is no longer available in Windows 7. Recovery Console was awesome because it easily allowed you to managed services and drivers by enabling or disabling them. It also allowed you to fix the boot sector and master boot record, etc. Starting with Windows Vista, the Recovery Console has been replaced by several tools that are located in the System Recovery Options menu. What this means is that you now have to go through a bunch of steps and recovery of the system is not as simple in some cases as it used to be in the previous versions.
I may update this post and add more items to the list of things that are missing in Windows 7 in the future as I discover them. The purpose of this post is to let Microsoft know what’s missing in Windows 7 so they can hopefully add these components either with optional Windows Updates, service packs or in the next OS. I think it would be great if Microsoft could provide some explanation to the consumers when they leave things out of the OS. Frankly, there might be some very good explanations or reasoning behind the decisions but if the consumers don’t know then it causes confusion. For instance, to avoid confusion, Microsoft could say we couldn’t get a 64-bit version of the newsreader in time so we left it out of the OS and will add it at a later date.
I believe most people will be able to live with some of what’s missing in Windows 7 but the lack of support for 64-bit virtualization and the inability to duplicate CDs/DVDs are something that deserves a lot of press……along with all the cool stuff included in Windows 7.
Copyright © 2013 Zubair Alexander. All rights reserved.
|« Jan||Mar »|
24 queries. 0.445 seconds