RE: [ActiveDir] ADC Question
Hi Todd,

We use ADC like this - creating accounts in AD, and allowing ADC to manage the creation of 5.5 mailboxes across four Exchange servers. You can specify the Exchange server to use by setting msExchHomeServerName on the AD account. ADC then uses this to place the mailbox in Exchange. We ran into a number of little problems doing this - if you have trouble then feel free to mail me offline for more information.

Cheers
dave

-----Original Message-----
From: Myrick, Todd (CIT) [mailto:[EMAIL PROTECTED]]
Sent: 15 July 2002 17:44
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADC Question

Thanks Justin and all who replied. Someone said it did have issues though when it came to selecting a preferred server though. We have 12 Exchange mailbox servers. Have any of you attempted to create ADC accounts on a specific server?

Thanks
Todd

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 12:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADC Question

Yes it can, once configured all info from AD populates Exchange and vice versa.

-----Original Message-----
From: Myrick, Todd (CIT) [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 9:46 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] ADC Question

I haven't had time to test this in our testbed, but wanted to see if anyone out there has done this yet. Can the ADC create mailboxes in an Exchange 5.5 directory from information in the AD?

Thanks
Todd

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] browse AD with XP client
Hi there,

I've a question regarding browsing the Active Directory with clients. On a W2K client there's a folder in "My Network Places" where I can browse through the AD structure in order to find objects in AD. I did not find this option on an XP client. Can someone tell me where this browsing feature is located in Windows XP or what has to be configured that it is available? At the moment no policies are configured in the AD.

thanks for your help
Volker
Re: [ActiveDir] browse AD with XP client
Volker

I don't know if there is the browse equivalent, but the XP search has the option to look specifically in AD. If you find out the answer to this let me know.

All the best,
Andy
Re: [ActiveDir] browse AD with XP client
Here's an answer to this question posted by a Microsoft employee in the Microsoft AD newsgroup yesterday. It includes an (unsupported) method to get the functionality into XP.

*

This has been discussed at length in this forum already. It was removed from the Windows XP client. Without wishing to open up the whole discussion again - you can read it for yourself. There are lots of good reasons for not allowing users to randomly browse around the network and in particular the directory. I suggest you read the rest of the discussions yourself - it gets a little bit heated at times.

But since you asked :-

The following process is TOTALLY UNSUPPORTED and provided AS IS with no warranties, and confers no rights.

To re-enable the Directory folder on a Windows XP Professional client PC in a Domain Environment

1. Copy the dsfolder.dll from a Windows 2000 (SP2 or later) machine to the Windows XP machines. (It is in the SYSTEM32 folder under the WINNT folder on Windows 2000 (by default) and needs to go into the SYSTEM32 folder usually under WINDOWS on Windows XP (by default).)
2. Close all instances of Windows Explorer
3. Run regsvr32 dsfolder.dll on the XP machines.
4. Done

The above process is TOTALLY UNSUPPORTED and provided AS IS with no warranties, and confers no rights.

**

Tony
www.activedir.org
[ActiveDir] Site Login
Hello Everyone

I was at Comdex in Toronto last week and got talking to a Microsoft Techie about how I want to eliminate the domain requirement when a student logs into the network. He said you can do this by making the desktops sign into the site they are a part of rather than the domain. Any ideas on how to do this?

Rene
RE: [ActiveDir] ADC Question
Dave

I would be interested in knowing how you solved that problem. Eventually I may have multiple servers that run Exchange.

Thanks

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]
RE: [ActiveDir] Site Login
I think you do that by setting subnets to sites and making sure that there is a Global Catalog server in each site. However, all down-level clients can only login to the PDC Emulator, there is no other way for down-level clients, unless someone has figured out a way.
RE: [ActiveDir] Site Login
AD can hold millions of objects, there is however a limit to the OU structure you can have, I think the OU Structure can only be 62 levels deep and I believe after 40 levels the GPOs no longer travel down the levels. I heard this from a consultant that taught AD as an MCT. He showed me the level limit, but I have not seen the GPO limit.

-----Original Message-----
From: Rene Chakraborty [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 9:23 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Site Login

Comments Welcome:

I am considering the idea of merging all my child-domains back into the parent domain but am not sure. I have 47,568 users in AD, 112 servers and 3,200 workstations across 8 sites. I've heard AD horror stories if you try to have this many objects in 1 AD domain. Comments?

Rene
RE: [ActiveDir] Site Login
Interesting, I have not heard of that. Is anyone else here able to shed some light on this?

-----Original Message-----
From: Rene Chakraborty [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 9:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Site Login

Well, an associate of mine who has a similar AD size at his place of work told me while AD holds the objects, issues such as rights changes become a problem.

Rene
[ActiveDir] Software Distribution
One of my network administrators assigns Office XP Pro to all his users. This is working, but now he is implementing a Terminal Server, and when users log in to Terminal Services, the GPO is not installing the app. Any ideas? Does he have to publish it to the terminal server instead of depending on the assign to the user? The GPO that is assigned to the users is deployed at the OU level.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]
RE: [ActiveDir] ADC Question
More details then :-)

We've got four Exchange servers, and use a utility I wrote to generate Domain accounts and mailboxes for new users. It's been through several revisions, originally creating NT4 domain accounts and 5.5 mailboxes, but all it does now is to create the AD account, and set enough for the ADC to pick it up and create an Exchange 5.5 mailbox.

It creates a normal account, then adds the following attributes to the object:

mailNickname (alias in Exchange 5.5)
msExchHomeServerName (Server to hold the mailbox)
textEncodedORAddress (the mailbox X400 address)

There's a list of attributes that will trigger ADC replication if set in Q253841. This gives a known set of mail addresses at the end, x400 is set directly and smtp is alias@.

This worked very well for a while, then we started to see an intermittent problem affecting mailbox permissions. Some (a high percentage) mailboxes were created OK, but the users' rights to their mailbox were simply 'Custom' in Exchange 5.5 administrator. Accounts created via ADUC were fine. We never got to the bottom of this, but it is worth mentioning that ADC has a very poor reputation, and is known to be extremely buggy.

I got around this by creating a security descriptor with the access mask

ADS_RIGHT_EXCH_MODIFY_USER_ATT | ADS_RIGHT_EXCH_MAIL_SEND_AS | ADS_RIGHT_EXCH_MAIL_RECEIVE_AS

then adding it to the msExchMailboxSecurityDescriptor attribute. This is basically User permissions as far as Exchange 5.5 is concerned, so it accepts it, then when ADC replicates from Exchange to AD it updates this attribute to what it should be (Full mailbox access).

I hope this is some help!

Cheers
dave
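The attribute-setting step described in the message above, as an added example that is not Dave's utility or any code from the thread: it builds an LDIF change record for mailNickname, msExchHomeServerName and textEncodedORAddress, picks the home server from a site map, and rejects or base64-encodes values that would otherwise break out of their LDIF line. The site map, organisation and server names, the legacy-DN value format, the alias policy and the function names are all assumptions; the mailbox security descriptor is not covered.

```python
import base64
import re

# Constructed placeholders (assumptions): organisation, site and server names.
# The value format (the server's legacy Exchange DN) is an assumption as well;
# copy the real string from an account that is already mail-enabled.
SITE_SERVERS = {
    "London": "/o=ExampleOrg/ou=London/cn=Configuration/cn=Servers/cn=EXCH-LON-01",
    "Leeds": "/o=ExampleOrg/ou=Leeds/cn=Configuration/cn=Servers/cn=EXCH-LDS-01",
}

# Hypothetical local alias policy: short, ASCII, no whitespace or separators.
ALIAS_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def ldif_line(attr, value):
    """Return 'attr: value', or 'attr:: <base64>' when the value is not an
    RFC 2849 SAFE-STRING (non-ASCII, CR/LF/NUL, leading space, ':' or '<',
    or a trailing space)."""
    raw = value.encode("utf-8")
    safe = (
        raw != b""
        and all(0 < b < 128 and b not in (10, 13) for b in raw)
        and raw[0] not in b" :<"
        and not raw.endswith(b" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def build_change(dn, alias, site, x400):
    """Build one LDIF 'modify' record that sets the three attributes on an
    existing account. Raises ValueError instead of emitting a record when
    the input could alter the record's structure or has no mapped server."""
    # fullmatch, not match: '$' would accept a trailing newline.
    if not ALIAS_RE.fullmatch(alias):
        raise ValueError(f"alias rejected: {alias!r}")
    if site not in SITE_SERVERS:
        raise ValueError(f"no Exchange server mapped for site {site!r}")
    for label, value in (("dn", dn), ("x400", x400)):
        if not value or any(ch in value for ch in "\r\n\x00"):
            raise ValueError(f"{label} is empty or contains a control character")

    lines = [ldif_line("dn", dn), "changetype: modify"]
    for attr, value in (
        ("mailNickname", alias),
        ("msExchHomeServerName", SITE_SERVERS[site]),
        ("textEncodedORAddress", x400),
    ):
        # Each modification is terminated by a line holding a single '-'.
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # Constructed sample account.
    print(build_change(
        "CN=Jane Smith,OU=Staff,DC=example,DC=com",
        "jsmith",
        "London",
        "c=GB;a= ;p=ExampleOrg;o=London;s=Smith;g=Jane;",
    ), end="")
```

The output is a file for an LDIF import tool such as ldifde; review it before import, since the ADC acts on whatever lands in these attributes.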
RE: [ActiveDir] ADC Question
What I want to eventually do is have my server running 5.5, upgrading to 2000 and then implementing several Exchange 2000 servers at locations that have more than 150 users, which ends up being three sites. I will be making all the domains at all facilities as child domains of my domain tree before I do this. What I want is that when a user is created via script or via ADUC to have the user's mailbox created on the right mail server, namely the server at their location. I hope this helps in understanding what I want to do.
Re: [ActiveDir] Site Login
Well, I have done some testing between NDS and AD and one thing I find is for certain. When you are dealing with a large number of users, NDS handles rights allocation faster and with fewer problems.

Rene
RE: [ActiveDir] Software Distribution
What is loopback policy processing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 10:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Software Distribution

Is loopback policy processing enabled?

Ben
RE: [ActiveDir] ADC Question
Justin, You can do this via ADUC. If you've installed the Exchange 2000 System Manager then when you choose to mailbox enable an account you should see your Exchange 5.5 servers in the list you can use. If you use a script you need to set (at least) msExchHomeServerName when you create the account to specify which server in the site to use. If each site only has a single server then I don't think you even need this as it will use the only server available. ADC CAs are created per site, so a single server site will not have a decision to make about which server to use, regardless of the structure of the Exchange directory. dave
-Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: 16 July 2002 15:15 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] ADC Question
What I want to eventually do is have my server running 5.5, upgrading to 2000 and then implementing several Exchange 2000 servers at locations that have more than 150 users, which ends up being three sites. I will be making all the domains at all facilities as child domains of my domain tree before I do this. What I want is that when a user is created via script or via ADUC to have the user's mailbox created on the right mail server, namely the server at their location. I hope this helps in understanding what I want to do.
-Original Message- From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 16, 2002 10:08 AM To: '[EMAIL PROTECTED]' Subject:RE: [ActiveDir] ADC Question
More details then :-) We've got four Exchange servers, and use a utility I wrote to generate Domain accounts and mailboxes for new users. It's been through several revisions, originally creating NT4 domain accounts and 5.5 mailboxes, but all it does now is to create the AD account, and set enough for the ADC to pick it up and create an Exchange 5.5 mailbox.
It creates a normal account, then adds the following attributes to the object:
  mailNickname (alias in Exchange 5.5)
  msExchHomeServerName (Server to hold the mailbox)
  textEncodedORAddress (the mailbox X400 address)
There's a list of attributes that will trigger ADC replication if set in Q253841. This gives a known set of mail addresses at the end, x400 is set directly and smtp is alias@.
This worked very well for a while, then we started to see an intermittent problem affecting mailbox permissions. Some (a high percentage) mailboxes were created OK, but the users' rights to their mailbox were simply 'Custom' in Exchange 5.5 administrator. Accounts created via ADUC were fine. We never got to the bottom of this, but it is worth mentioning that ADC has a very poor reputation, and is known to be extremely buggy.
I got around this by creating a security descriptor with the access mask ADS_RIGHT_EXCH_MODIFY_USER_ATT | ADS_RIGHT_EXCH_MAIL_SEND_AS | ADS_RIGHT_EXCH_MAIL_RECEIVE_AS then adding it to the msExchMailboxSecurityDescriptor attribute. This is basically User permissions as far as Exchange 5.5 is concerned, so it accepts it, then when ADC replicates from Exchange to AD it updates this attribute to what it should be (Full mailbox access). I hope this is some help! Cheers dave
-Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: 16 July 2002 14:14 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] ADC Question
Dave I would be interested in knowing how you solved that problem. Eventually I may have multiple servers that run Exchange. Thanks
Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED]
-Original Message- From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 16, 2002 3:30 AM To: '[EMAIL PROTECTED]' Subject:RE: [ActiveDir] ADC Question
Hi Todd, We use ADC like this - creating accounts in AD, and allowing ADC to manage the creation of 5.5 mailboxes across four Exchange servers. You can specify the Exchange server to use by setting msExchHomeServerName on the AD account. ADC then uses this to place the mailbox in Exchange. We ran into a number of little problems doing this - if you have trouble then feel free to mail me offline for more information. Cheers dave
-Original Message- From: Myrick, Todd (CIT) [mailto:[EMAIL PROTECTED]] Sent: 15 July 2002 17:44 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] ADC Question
Thanks Justin and all who replied. Someone said it did have issues though when it came to selecting a preferred server though. We have 12 Exchange mailbox servers. Have any of you attempted to create ADC accounts on a specific server? Thanks Todd
-Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Monday, July 15, 2002 12:25 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] ADC Question
Yes it can, once configured all info from AD populates Exchange and vice versa
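Added example (not from the thread and not Dave's utility): the access mask described in the message above, composed and decoded in Python, with an audit pass over mailbox ACEs that flags owners missing part of that mask and non-owners holding Send As or Receive As. The numeric bit values, the ACE tuples and the account names are assumptions constructed for illustration; check the values against your Exchange SDK headers.

```python
# Rights named in the message. The numeric values are an ASSUMPTION (the
# values commonly listed for Exchange 5.5 ADSI rights); confirm them locally.
RIGHTS = {
    "ADS_RIGHT_EXCH_MODIFY_USER_ATT": 0x02,
    "ADS_RIGHT_EXCH_MAIL_SEND_AS": 0x08,
    "ADS_RIGHT_EXCH_MAIL_RECEIVE_AS": 0x10,
}
SEND_AS = RIGHTS["ADS_RIGHT_EXCH_MAIL_SEND_AS"]
RECEIVE_AS = RIGHTS["ADS_RIGHT_EXCH_MAIL_RECEIVE_AS"]

# The mask from the message: the three rights OR-ed together.
USER_ROLE = 0
for _bit in RIGHTS.values():
    USER_ROLE |= _bit


def decode(mask):
    """Return (names of known rights set in mask, leftover unknown bits)."""
    names = [name for name, bit in RIGHTS.items() if mask & bit]
    return names, mask & ~USER_ROLE


def audit(aces, owners):
    """aces: (mailbox, trustee, mask) tuples; owners: mailbox -> owner account.

    Flags owners without the full three-right mask, owners with no ACE at all,
    non-owners holding Send As / Receive As, and bits this table cannot name.
    """
    findings = []
    owner_seen = set()
    for mailbox, trustee, mask in aces:
        names, unknown = decode(mask)
        if trustee.lower() == owners[mailbox].lower():
            owner_seen.add(mailbox)
            if (mask & USER_ROLE) != USER_ROLE:
                findings.append((mailbox, trustee, "owner lacks part of the mask"))
        elif mask & (SEND_AS | RECEIVE_AS):
            held = [n for n in names if RIGHTS[n] & (SEND_AS | RECEIVE_AS)]
            findings.append((mailbox, trustee, "non-owner holds " + ", ".join(held)))
        if unknown:
            findings.append((mailbox, trustee, "unrecognised bits 0x%X" % unknown))
    for mailbox, owner in owners.items():
        if mailbox not in owner_seen:
            findings.append((mailbox, owner, "no ACE for owner"))
    return findings


# Constructed sample data, not taken from any real directory.
OWNERS = {
    "jsmith": "CORP\\jsmith",
    "mjones": "CORP\\mjones",
    "akhan": "CORP\\akhan",
}
ACES = [
    ("jsmith", "CORP\\jsmith", 0x1A),      # owner with all three rights
    ("mjones", "CORP\\mjones", 0x02),      # owner missing Send As / Receive As
    ("mjones", "CORP\\svc-backup", 0x18),  # third party can send and read
    ("akhan", "CORP\\helpdesk", 0x02),     # third party, attributes only
]

if __name__ == "__main__":
    print("mask = 0x%02X" % USER_ROLE)
    for finding in audit(ACES, OWNERS):
        print(finding)
```

Run against an export of real mailbox ACEs, the same pass gives a quick list of mailboxes whose permissions did not end up as intended after replication.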
Re: [ActiveDir] Site Login
Hi Rene, I have a friend who administers a directory for a large university with approximately double the number of users you mention and quite a few more servers, across 15 sites. There are no scalability problems with doing this, but it's worth noting that your life will be easier the better you plan the initial OU structure and associated right delegation/group policies. If you haven't read it, grab a copy of Mission Critical Active Directory (Mickey Balladelli, Jan de Clercq, Butterworth-Heinemann; ISBN: 182400). The authors, involved with Compaq, describe how they designed and built an AD containing 100 million users (the entire US phone book), just to prove a point. Makes interesting reading! Cheers, Paul
Rene Chakraborty [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 16/07/2002 14:22 Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: Re: [ActiveDir] Site Login
Comments Welcome: I am considering the idea of merging all my child-domains back into the parent domain but am not sure. I have 47,568 users in AD, 112 servers and 3,200 workstations across 8 sites. I've heard AD horror stories if you try to have this many objects in 1 AD domain. Comments? Rene
- Original Message - From: Salandra, Justin A. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 16, 2002 9:16 AM Subject: RE: [ActiveDir] Site Login
I think you do that by setting subnets to sites and making sure that there is a Global Catalog server in each site. However, all down-level clients can only login to the PDC Emulator, there is no other way for down-level clients, unless someone has figured out a way.
-Original Message- From: Rene Chakraborty [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 16, 2002 7:37 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Site Login
Hello Everyone, I was at Comdex in Toronto last week and got talking to a Microsoft Techie about how I want to eliminate the domain requirement when a student logs into the network. He said you can do this by making the desktops sign into the site they are a part of rather than the domain. Any ideas on how to do this? Rene
RE: [ActiveDir] ADC Question
All of my exchange servers will be in the same organization but in different domains and different AD Sites.
-Original Message- From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 16, 2002 10:23 AM To: '[EMAIL PROTECTED]' Subject:RE: [ActiveDir] ADC Question
Justin, You can do this via ADUC. If you've installed the Exchange 2000 System Manager then when you choose to mailbox enable an account you should see your Exchange 5.5 servers in the list you can use. If you use a script you need to set (at least) msExchHomeServerName when you create the account to specify which server in the site to use. If each site only has a single server then I don't think you even need this as it will use the only server available. ADC CAs are created per site, so a single server site will not have a decision to make about which server to use, regardless of the structure of the Exchange directory. dave
RE: [ActiveDir] ADC Question
Should I install the Exchange 2000 System manager in my current environment of Exchange 5.5 and the Exchange 2000 ADC?
-Original Message- From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 16, 2002 10:23 AM To: '[EMAIL PROTECTED]' Subject:RE: [ActiveDir] ADC Question
Justin, You can do this via ADUC. If you've installed the Exchange 2000 System Manager then when you choose to mailbox enable an account you should see your Exchange 5.5 servers in the list you can use. If you use a script you need to set (at least) msExchHomeServerName when you create the account to specify which server in the site to use. If each site only has a single server then I don't think you even need this as it will use the only server available. ADC CAs are created per site, so a single server site will not have a decision to make about which server to use, regardless of the structure of the Exchange directory. dave
[ActiveDir] Educating users on proper AD use ;-)
Hello, I understand that Microsoft wants users to get away from Network Neighborhood and start using features of Active Directory. In most of the books that I have there is mention of this and that eventually you won't have to use Network Neighborhood and broadcast based browsing will go away. But what will replace it? I want to turn it off across my officespace so I have no NBT broadcast browsing. I'm at a crossroads where I've just set up a native AD and want to use it properly and get users to make a behavioral change when accessing resources.
So far I'm familiar with the standard My Network Places - Entire Network - Entire Contents - where there is then a choice for Microsoft Windows Network and Directory - AD Domain. Double clicking this shows you all your OrgUnits, but is this something you really want your users to see? Seems way too confusing and I'd rather not have them poking around looking at who my DCs are! The alternative of course is to right click on your AD domain and choose Find, which is better, but most users will never figure this out. Is there a more direct way of accessing this utility? So I could use a GP to put it on all desktops or something. I'm so tired of browsing :-( Ken-
[ActiveDir] OU Security
OK, so if I collapse the Child-domains into the parent and go with 1 domain with OUs separating the users. Is there any way to contain the users and make 99% sure they cannot attack a server? Rene
[ActiveDir] unable to query a newly created attribute
I just created a new attribute in AD and set a while using ADSI Edit for the user class. But I am unable to query it using VBScript. I get the following error:
Error Type: Provider (0x80004005) Unspecified error /ADSQuery.asp, line 52
I am using Windows integrated authentication. Can anyone give me some hints on what to look for while debugging this? Thanks
RE: [ActiveDir] Software Update Services:
Dennis, My apologies, I must have been on a rant. I stand corrected. James
-Original Message- From: Dennis M. Depp [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 17 July 2002 3:27 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Software Update Services:
James, I read this white paper and I understand you can redirect Automatic updates to go to your SUS server instead of Windows update. How do these changes ensure the appropriate security patches have been applied to a particular desktop? SUS is still a pull technology. I can set up a client to automatically pull the information, but it is still a pull technology. If I want to ensure the hotfixes are installed, I still need to verify with an application such as HfNetChk. Dennis
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Monday, July 15, 2002 7:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Software Update Services:
Dennis, Download the SUS Deployment White Paper approx. 2.3MB: http://www.microsoft.com/windows2000/windowsupdate/sus/susdeployment.asp Page 55 of the White Paper starts explaining how to utilise Group Policy and Administrative Templates in order to redirect Automatic Updates to a server running SUS. You will have to install the client on all PCs/Servers as well, approx. 1MB. It is an *.msi so you can roll it out through Group Policy as well. Any probs, send me an e-mail. James
-Original Message- From: Dennis M. Depp [mailto:[EMAIL PROTECTED]] Sent: Monday, 15 July 2002 9:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Software Update Services:
While I think the idea of SUS is good, I fail to see how this eliminates the need for hfnetchk or the security baseline analyser. SUS is a pull technology. You still need some method to ensure the clients are pulling the information from the server. Dennis
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, July 11, 2002 2:24 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Software Update Services:
All, Haven't contributed for a while but this will more than make up for that. In a nutshell Software Update Services (SUS) allows you to synchronise an internal server with the Microsoft Update servers and test and approve updates to deploy...too good to be true, no more hfnetchk, qchain, security baseline analyser seems not. Works on our test bed, give it a go. Details @: http://www.microsoft.com/windows2000/windowsupdate/sus/ James
RE: [ActiveDir] OU Security
I'm not sure what you mean by attack. If you mean attack in the hacking sense of the word, then IMHO, child domains and OUs won't make any difference. Once you are on the wire, most traditional techniques are independent of how you logon to whatever network. Diane
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rene Chakraborty Sent: Tuesday, July 16, 2002 10:40 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] OU Security
OK, so if I collapse the Child-domains into the parent and go with 1 domain with OUs separating the users. Is there any way to contain the users and make 99% sure they cannot attack a server? Rene