Graham - I have no documentation of an 'allowedrunlist' policy or setting in NT 4.0 (not saying that it doesn't exist - just in the limited time I have this AM I can't find anything). But, given that it does exist, yes - that's what I'm saying. If the policy does truly enforce WHO can run WHAT - then this could be an issue.
With that being said - this agent (ADMT), in my experience, runs at the LocalSystem context, and therefore should not be subject to the rules of a ruleset applied by system policy, AFAIK.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 11, 2003 5:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

Rick,

thanks for post reply.

is your inference then that it is conceivable that a restrictive allowedrunlist "tattooed" into the registry is able to prevent whatever application it is to run on the NT4 workstation. ???

GT

----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 10, 2003 1:13 AM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration

> Graham,
>
> System Policy on NT 4.0 is truly tattooed to the system. If you turn it off and back on, it's still there - unless manually removed or the policy is backed out via the de-application of said policy.
>
> And, sadly - I can't tell you right now what needs to run (yes the Agent, damn it - but what IS the Agent?)....
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Wednesday, July 09, 2003 4:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
>
> but then thinking about it no - when i failed on the first nt4 host thought it was down to that computer so tried another one straight away - same access denied result
>
> have spoken with the developers of the nt4 build - there is a system policy with an allowedrunlist policy - that was that even while logged off this registry value is tattooed into the computer registry ????
>
> if this is possible which i must confess to not being sure on then need to work out what actually needs to be allowed to run for the admt dispatch agent to execute
>
> clutching at straws a bit !!!
>
> GT
>
> ----- Original Message -----
> From: "Wilkinson, Stephen" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, July 09, 2003 2:01 PM
> Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
>
> > I think Larry's first response could be it Graham.
> >
> > We saw exactly this in our testing with the Quest Migrator product. You must make sure there is no computer account with the same name already in the AD - hiding in an OU you least expect it! (ours got there during testing by manually moving test boxes in and out of the ad domain and forgetting to remove the computer accounts.)
> >
> > Stephen Wilkinson
> >
> > Tel +44(0)207 4759276
> > Mobile +44(0)7973 143970
> > E-Mail: [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: Duncan, Larry [mailto:[EMAIL PROTECTED]
> > Sent: 08 July 2003 21:45
> > To: '[EMAIL PROTECTED]'
> >
> > Has the "Everyone" group been added to the "Pre-Windows 2000 Compatible Access" group in the new domain?
> >
> > -----Original Message-----
> > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, July 08, 2003 3:24 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] admt 2.0 - nt4 computer migration
> >
> > Am attempting the migration of computer from NT4 source domain to Windows 2000 target domain.
> >
> > the migration environment is working fine with windows 2000 professional clients
> >
> > have got issues with the migration of an NT4 workstation
> >
> > the extract from dispatch.log on the admt server is attached from which i am hoping to get a few clues as to the "access denied"
> >
> > have checked the "obvious" issues such as sourcedom\domain admins being a member of the local administrators group and the computer migration being run while logged on as a member of that sourcedom\domain admins group
> >
> > Thanks
> >
> > GT
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> > ----------------------------------------------------------------------
> > If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
> > ----------------------------------------------------------------------