From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Wednesday, September 13, 2006 11:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?
Thanks,
Brian Desmond
c - 312.731.3132
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.
On 9/13/06, Brian Desmond <[EMAIL PROTECTED]> wrote:
No it wouldn't. Why are you giving an IWAM account access to a remote machine?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)
Thanks,
Matt
On 9/12/06, Brian Desmond <[EMAIL PROTECTED]> wrote:
And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.
Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc.... I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
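Added example, not part of the original thread or any poster's code: the replies above point out that the per-server IUSR/IWAM accounts have no well-known SID. This Python sketch classifies SID strings, such as those psgetsid prints, and checks whether every server reports the same one; the server names come from the question, while the SID values and function names are constructed for illustration.

```python
import re

# SIDs that are identical on every Windows machine (small, non-exhaustive set).
UNIVERSAL = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# S-1-5-21-<a>-<b>-<c>-<RID>: the three middle values identify the one
# machine or domain that issued the account; the RID identifies the account.
ISSUED = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")


def classify(sid):
    """Return (kind, issuer, rid) for a SID string."""
    sid = sid.strip().upper()
    if sid in UNIVERSAL:
        return ("universal", None, None)
    m = ISSUED.match(sid)
    if not m:
        return ("other", None, None)
    issuer, rid = m.group(1), int(m.group(2))
    # RIDs below 1000 are reserved (500 = Administrator, 501 = Guest).
    # Accounts created later get RIDs from 1000 upward.
    kind = "fixed-rid" if rid < 1000 else "per-issuer"
    return (kind, issuer, rid)


def same_sid_everywhere(sids_by_server):
    """True only when every server reports the identical SID for the account."""
    return len({s.strip().upper() for s in sids_by_server.values()}) == 1


# Constructed sample: what each server might report for its own IWAM account.
SAMPLE = {
    "Server1": "S-1-5-21-1111111111-2222222222-3333333333-1004",
    "Server2": "S-1-5-21-1234567890-2345678901-3456789012-1004",
    "Server3": "S-1-5-21-987654321-876543210-765432109-1007",
}

if __name__ == "__main__":
    for server, sid in SAMPLE.items():
        print(server, sid, classify(sid))
    print("one SID covers all servers:", same_sid_everywhere(SAMPLE))
```

Even where the RID happens to match (Server1 and Server2 above), the issuer part differs, so the full SIDs are different accounts.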