RE: [ActiveDir] Sendmail
Title: Message I'd suggest a sendmail forum rather than AD. AD will provide a mostly standard LDAP setup, so this is really just an issue for configuring sendmail properly. I'd start at http://www.sendmail.org, specifically http://www.sendmail.org/~ca/email/doc8.12/cf/m4/ldap_routing.html Also note that you might need to extend AD with the Exchange 2000 attributes (via forestprep) to get all necessary fields in the schema. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -Original Message-From: Luiz Carlos do Lago [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 4:43 PMTo: [EMAIL PROTECTED]Subject: RES: [ActiveDir] Sendmail I it tested using sendmail 8,12, but I am not understanding as to configure the LDAP routing, somebody can help me? -Mensagem original-De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Em nome de Roger SeielstadEnviada em: tera-feira, 25 de fevereiro de 2003 17:32Para: '[EMAIL PROTECTED]'Assunto: RE: [ActiveDir] Sendmail For what purpose? Sendmail 8.12 supports LDAP based mail routing. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -Original Message-From: Luiz Carlos do Lago [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 3:13 PMTo: 'ActiveDir (E-mail)Subject: [ActiveDir] Sendmail Hi All, Somebody already made the integration of Active Directory with the Sendmail? __ Luiz Carlos do Lagorea de Negcios e ImplantaoPRESSLINK - Sua ConsultoriaEm Redes( + 55 11 3726-73192 + 55 11 3726-7319* [EMAIL PROTECTED]__
RE: [ActiveDir] IE Maintenance Policy not available on XP ??
Am I the only one that fails to see the IE Maintenance policy when opening a GPO from XP ?? Thanks, --Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Lithgow Sent: Monday, February 24, 2003 12:40 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] IE Maintenance Policy not available on XP ?? Hi All, I don't seem to see the IE Maint policy from Windows XP ... I can see and edit it fine from Win2k... Is there something I must do to see the IE Maint policy from an XP machine.. I prefer to do all my GPO editing from XP.. as it has the additional XP only settings etc... Thanks for any help, --Steve List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] IE Maintenance Policy not available on XP ??
Yep. Its just you. Everyone else sees it just fine. Maybe you need glasses. :) -gil -Original Message- From: Steve Lithgow [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 8:57 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] IE Maintenance Policy not available on XP ?? Am I the only one that fails to see the IE Maintenance policy when opening a GPO from XP ?? Thanks, --Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Lithgow Sent: Monday, February 24, 2003 12:40 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] IE Maintenance Policy not available on XP ?? Hi All, I don't seem to see the IE Maint policy from Windows XP ... I can see and edit it fine from Win2k... Is there something I must do to see the IE Maint policy from an XP machine.. I prefer to do all my GPO editing from XP.. as it has the additional XP only settings etc... Thanks for any help, --Steve List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Remove the ability to create computer accounts in the computer container
Hello, Maybe the collective minds here can come up with something. I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) base upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain. The problem I am having is that some of the user that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification.ect to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to. My solution (that does not work) was to remove all rights (including System rights) to the computer container. I figured without rights they would not be able to create the computer accounts. This did not work so I denied the ability to create all child objects for the Join computers group in the Computers Container. This did not work so I denied the right for Everyone. Also did not work. Any ideas on how to prevent all users from creating computer objects in the computers container? Thanks Greg Greg Felzer MCSE NT4, MCSE 2000, CCA, CCNA, CNA Senior Systems Engineer Center for Computing and Information Technology Medical University of South Carolina List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remove the ability to create computer accounts inthe computer container
Any chance you would be willing to share your webpage to create the computer account? Thanks,jb -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container Hello, Maybe the collective minds here can come up with something. I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) base upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain. The problem I am having is that some of the user that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification.ect to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to. My solution (that does not work) was to remove all rights (including System rights) to the computer container. I figured without rights they would not be able to create the computer accounts. This did not work so I denied the ability to create all child objects for the Join computers group in the Computers Container. This did not work so I denied the right for Everyone. Also did not work. Any ideas on how to prevent all users from creating computer objects in the computers container? Thanks Greg Greg Felzer MCSE NT4, MCSE 2000, CCA, CCNA, CNA Senior Systems Engineer Center for Computing and Information Technology Medical University of South Carolina List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remove the ability to create computer accounts in the computer container
You may want to look into changing the default msDS-MachineAccountQuota. This setting allows any user to create 10 computer accounts by default. You can change this via a script, LDP or ADSI edit. If you change the default value to 0 then your delegation model will probably work but the default behavior will be changed. It may work... Keivn -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container Hello, Maybe the collective minds here can come up with something. I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) base upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain. The problem I am having is that some of the user that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification.ect to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to. My solution (that does not work) was to remove all rights (including System rights) to the computer container. I figured without rights they would not be able to create the computer accounts. This did not work so I denied the ability to create all child objects for the Join computers group in the Computers Container. This did not work so I denied the right for Everyone. Also did not work. Any ideas on how to prevent all users from creating computer objects in the computers container? Thanks Greg Greg Felzer MCSE NT4, MCSE 2000, CCA, CCNA, CNA Senior Systems Engineer Center for Computing and Information Technology Medical University of South Carolina List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Connection Agreement
I have been looking on Microsofts site but not finding this answer Why is it that only the Administrator account and those account in the Enterprise Admins group can see connection agreements in the ADC and use the Exchange Tasks thru the ADUC on a workstation but not users created and made into Domain Administrators. These features are not available for some reason. No CA's are displayed and there are no exchange tasks available. While in ADUC I can see all for Exchange Tabs, however I can only view info not add/remove/modify data. Any help would be greatly appreciated. Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Connection Agreement
Huh. Strange. Seems that someone has made modifications to your permissions, as by default - Domain Administrators (and all members therein) SHOULD be able to do what you describe. Now, making mods to CA, installing ADC, or configuring ADC is a different story. http://support.microsoft.com/default.aspx?scid=KB;en-us;q253286 Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, February 26, 2003 12:05 PM To: ActiveDir (E-mail) Importance: High I have been looking on Microsofts site but not finding this answer Why is it that only the Administrator account and those account in the Enterprise Admins group can see connection agreements in the ADC and use the Exchange Tasks thru the ADUC on a workstation but not users created and made into Domain Administrators. These features are not available for some reason. No CA's are displayed and there are no exchange tasks available. While in ADUC I can see all for Exchange Tabs, however I can only view info not add/remove/modify data. Any help would be greatly appreciated. Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Connection Agreement
Oh, BTW - Your need for High Importance = very Subjective. IOW, doesn't mean it's important or urgent to anyone else. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, February 26, 2003 12:05 PM To: ActiveDir (E-mail) Importance: High I have been looking on Microsofts site but not finding this answer Why is it that only the Administrator account and those account in the Enterprise Admins group can see connection agreements in the ADC and use the Exchange Tasks thru the ADUC on a workstation but not users created and made into Domain Administrators. These features are not available for some reason. No CA's are displayed and there are no exchange tasks available. While in ADUC I can see all for Exchange Tabs, however I can only view info not add/remove/modify data. Any help would be greatly appreciated. Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] security templates
Have reviewed these templates seem to have addressed the issue of services that have been introduced by SP3 such as BITS .. my only point would be the relation of these templates to those issued as part of the security operations guidelines from Microsoft ie. 1. version control of these templates is not consistent. 2. more importantly - seem to have some other inconsistencies - for example in the time between issuance of the two sets of templates MS have decided that baseline security event log should be set to max size of 180 or so MB where before 10 MB was deemed adequate - seem to changed their minds over auditlogretentioneperiod not major i guess in the context of an entire w2k installation but am just reflecting on the inconsistencies from an initial comparison of the 2 sets of templates views would be gladly received for further discussion GT - Original Message - From: Free, Bob [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 6:00 PM Subject: RE: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg The new Securing Windows 2000 Server solution is now available and contains a number of new templates: MSS Baseline.inf MSS DCBaseline Role.inf MSS Domain.inf MSS FilePrint Role.inf MSS IIS Role.inf MSS Infrastructure Role.inf MSS Optional File System ACLs.inf Since the original question was about services included in SP3, I took a quick glance and, BITS, for example is accounted for in the template framework. Download- http://microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4 -7B4FDC0A25F6displaylang=en Guide- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ prodtech/windows/secwin2k/default.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 3:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Thanks, Bob! ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, February 18, 2003 5:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Funny, I was just looking at those :-] http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/issues/W2kCCSCG/W2kSCGcf.asp -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 18, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] security templates Graham, Though I don't have a link to them in front of me at the moment, as you might recall, Microsoft submitted for and passed the Common Criteria. Microsoft (via SAIC) published a configuration and an administration guide that is a bit more current with templates, et. al. Look into those for your Security Configuration guidelines, in conjunction with the SecOps guides. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Tuesday, February 18, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] security templates very keen to leverage the templates for baselining DC security and configuration distributed with the MS security operations guide, it would seem that these would have been developed certainly before SP3 (w2k by the way) which seems to have introduced a number of additional services eg Automatic updates Background Intelligent transfer service would anyone have a reference on what additional services are added to the base w2k distribution and IDEALLY (says he being a bit lazy !!) updated revisions of the security templates to reflect a SP3 installation - if not i guess off to MMC i go !!! GT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive:
RE: [ActiveDir] Remove the ability to create computer accounts in the computer container
Wouldn't this prevent all users from creating computer accounts? I do not want to prevent them from creating them, just prevent them from creating them in the computers container. Greg Felzer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin Sent: Wednesday, February 26, 2003 11:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container You may want to look into changing the default msDS-MachineAccountQuota. This setting allows any user to create 10 computer accounts by default. You can change this via a script, LDP or ADSI edit. If you change the default value to 0 then your delegation model will probably work but the default behavior will be changed. It may work... Keivn -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container Hello, Maybe the collective minds here can come up with something. I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) base upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain. The problem I am having is that some of the user that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification.ect to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to. My solution (that does not work) was to remove all rights (including System rights) to the computer container. I figured without rights they would not be able to create the computer accounts. This did not work so I denied the ability to create all child objects for the Join computers group in the Computers Container. This did not work so I denied the right for Everyone. Also did not work. Any ideas on how to prevent all users from creating computer objects in the computers container? Thanks Greg Greg Felzer MCSE NT4, MCSE 2000, CCA, CCNA, CNA Senior Systems Engineer Center for Computing and Information Technology Medical University of South Carolina List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remove the ability to create computer accounts inthe computer container
Greg, If you restrict it so that no one except the user your web script runs as can create accts and are specifying the container in your script, then they will still be able to create accts, they will just be forced to use your web script to do so. This would achive your stated goal, wouldn't it? -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 1:33 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container Wouldn't this prevent all users from creating computer accounts? I do not want to prevent them from creating them, just prevent them from creating them in the computers container. Greg Felzer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin Sent: Wednesday, February 26, 2003 11:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container You may want to look into changing the default msDS-MachineAccountQuota. This setting allows any user to create 10 computer accounts by default. You can change this via a script, LDP or ADSI edit. If you change the default value to 0 then your delegation model will probably work but the default behavior will be changed. It may work... Keivn -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container Hello, Maybe the collective minds here can come up with something. I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) base upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain. The problem I am having is that some of the user that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification.ect to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to. My solution (that does not work) was to remove all rights (including System rights) to the computer container. I figured without rights they would not be able to create the computer accounts. This did not work so I denied the ability to create all child objects for the Join computers group in the Computers Container. This did not work so I denied the right for Everyone. Also did not work. Any ideas on how to prevent all users from creating computer objects in the computers container? Thanks Greg Greg Felzer MCSE NT4, MCSE 2000, CCA, CCNA, CNA Senior Systems Engineer Center for Computing and Information Technology Medical University of South Carolina List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remove the ability to create computer accounts inthe computer container
Seeing as that's the default container for creating computer accounts, and the only place those accounts will go when created by a machine joining the domain, I don't see that you're going to achieve what you want. Any reason you can't just script something to move all undesirable accounts out of that OU? -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 3:33 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container Wouldn't this prevent all users from creating computer accounts? I do not want to prevent them from creating them, just prevent them from creating them in the computers container. Greg Felzer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin Sent: Wednesday, February 26, 2003 11:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remove the ability to create computer accounts in the computer container You may want to look into changing the default msDS-MachineAccountQuota. This setting allows any user to create 10 computer accounts by default. You can change this via a script, LDP or ADSI edit. If you change the default value to 0 then your delegation model will probably work but the default behavior will be changed. It may work... Keivn -Original Message- From: Greg Felzer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Remove the ability to create computer accounts in the computer container Hello, Maybe the collective minds here can come up with something. I have given a group (Join Computers to the Domain group) the rights to join computers to the domain through the Default Domain policy. Only this group has rights to join computers to the domain. I have created a web page that creates a computer account (it checks first to make sure the computer account does not exist) base upon department specific input from the user. Once the account is created the user names his computer the same as the computer account and joins the domain. The problem I am having is that some of the user that are members of the Join Computers to the Domain group are not using the web page. They are using My network place, advanced, network identification.ect to join the domain. This creates a computer account in the computer container. When this happens I get a computer account showing up in the computer container that I do not know what department it belongs to. My solution (that does not work) was to remove all rights (including System rights) to the computer container. I figured without rights they would not be able to create the computer accounts. This did not work so I denied the ability to create all child objects for the Join computers group in the Computers Container. This did not work so I denied the right for Everyone. Also did not work. Any ideas on how to prevent all users from creating computer objects in the computers container? Thanks Greg Greg Felzer MCSE NT4, MCSE 2000, CCA, CCNA, CNA Senior Systems Engineer Center for Computing and Information Technology Medical University of South Carolina List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] AD integrated DNS
We have a single domain, single zone that was upgraded from NT4. I would like to make the DNS AD-integrated, it now loads from the registry. Is it as simple as changing the Load zone data on startup to From Active Directory and registry in the DNS server properties? It is currently From registry. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD integrated DNS
Yes, its that simple. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -Original Message- From: Jim Busick [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 4:37 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] AD integrated DNS We have a single domain, single zone that was upgraded from NT4. I would like to make the DNS AD-integrated, it now loads from the registry. Is it as simple as changing the Load zone data on startup to From Active Directory and registry in the DNS server properties? It is currently From registry. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Time stamp format in your Active Directory
Title: Message It might have always been this way, but I don't recall. Recently, we had a user escalate an issue requiring us to investigate date and time information on the user's account. To our surprise, we noticed the time was "11:7:2" and "17:1:40" which aren't human readable time formats if you ask me (see paste below). 1 whenChanged: 2/25/2003 11:7:2 Pacific Standard Time Pacific Daylight Time; 1 whenCreated: 5/10/2000 17:1:40 Pacific Standard Time Pacific Daylight Time; Can someone bring up LDP and confirm they have the same time formatting too? Thanks! AlanIshamProduct Manager, Messaging and Active Directory EngineeringIT Global Engineering, Intel Corporation
RE: [ActiveDir] Time stamp format in your Active Directory
Title: Message Yep - have it that way as well. Been that way as long as I remember As to being human readable, maybe if you are absolutely set on having two-digits for each field. From my perspective, I'm not set in my ways, and have no issues with making the transition. But, that's me! ;o) Rick Kingslan MCSE, MCSA, MCTMicrosoft MVP - Active DirectoryAssociate ExpertExpert Zone - www.microsoft.com/windowsxp/expertzone From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isham, Alan ASent: Wednesday, February 26, 2003 5:19 PMTo: [EMAIL PROTECTED] It might have always been this way, but I don't recall. Recently, we had a user escalate an issue requiring us to investigate date and time information on the user's account. To our surprise, we noticed the time was "11:7:2" and "17:1:40" which aren't human readable time formats if you ask me (see paste below). 1 whenChanged: 2/25/2003 11:7:2 Pacific Standard Time Pacific Daylight Time; 1 whenCreated: 5/10/2000 17:1:40 Pacific Standard Time Pacific Daylight Time; Can someone bring up LDP and confirm they have the same time formatting too? Thanks! AlanIshamProduct Manager, Messaging and Active Directory EngineeringIT Global Engineering, Intel Corporation