[ActiveDir] Account Lockouts

2003-04-02 Thread Mayet, Yusuf Y

Hi everyone,

I was hoping that someone could help me out with this:

We have a mixed environment of W2K DCs and there is a requirement from our Systems Support Centre to track Account Lockouts.

As this can take place on any DC I was wondering if someone out there was using a tool to interrogate the directory to retrieve this information from the DC that registers the lockout.

At the moment we have a tedious exercise of filtering each DC's log for event ID 644.

Thanks in advance,

Yusuf 

Success is: "Set high aspirations in life. The Challenge is in our minds. We are limited not by reality but by our own imaginations".

__
Disclaimer and 
confidentiality note  
 
Everything in this e-mail and any attachments 
relating to the official business of Standard Bank Group Limited is proprietary 
to the company. It is confidential, legally privileged and protected by law. 
Standard Bank does not own and endorse any other content. Views and opinions are 
those of the sender unless clearly stated as being that of Standard Bank. 
 
   

The person 
addressed in the e-mail is the sole authorised recipient. Please notify the 
sender immediately if it has unintentionally reached you and do not read, 
disclose or use the content in any way.
Standard Bank can not assure that the integrity of this communication has 
been maintained nor that it is free of errors, virus, interception or 
interference.
___



RE: [ActiveDir] downlevel client authentication

2003-04-02 Thread Roger Seielstad
Well, you're all partially correct.

AD (whether mixed mode or not) appears the same as a straight NT4 domain
to all downlevel (i.e. non-AD aware clients). What that means is that the
PDC emulator is the only place passwords can be changed by these clients. It
also means that any DC can authenticate users.

The thing to keep in mind is how NT4 style domains actually authenticate.
Assuming WINS is available, a client queries WINS for domain controllers who
can service the domain to which the client is trying to authenticate
(looking for 1Ch records in WINS). WINS returns up to 25 domain controllers
- in NO particular order - to the client. There is no guarantee that the DCs
returned will be local to the client.

Does that help at all?

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Mike Baudino [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, April 01, 2003 6:23 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] downlevel client authentication
 
 
 All,
 
 Please help me resolve a discussion with some strong 
 opinions on both sides of the camp.  You see, our reading on 
 the role of the PDC Emulator in regard to a mixed-mode domain 
 with downlevel clients (we're not upgrading the NT4.0 client 
 software) has left us with differing interpretations.
 
 We agree and understand that the PDC Emulator is contacted 
 directly by the downlevel clients to change their passwords. 
  We also understand and agree that the PDC Emulator is the 
 source of SAM replication.
 
 Our disagreement is in authentication.  Some folks are 
 reading it as all downlevel client activity, including 
 authentication, is done at the PDC emulator.  Others read 
 this as the downlevel client is authenticated by the domain 
 controller that responds first (or the last time the client 
 was authenticated [we're also a bit unclear on that concept]).
 
 To me, this is very clear (but I could be the cause of the 
 confusion).  In a branch office environment running mixed 
 mode we would have a combination of Win2k and NT4.0 domain 
 controllers in the field offices.  The NT4.0 BDCs are not 
 aware of the fact that they're really part of an AD domain 
 and nor would the clients.  Thus, if the clients don't know 
 about AD, and the BDC doesn't know about AD, how would the 
 client know that it had to contact the PDC emulator to be 
 authenticated?  It wouldn't.  Hence, downlevel client 
 authentication must occur at any domain controller (again, 
 the one that responds first [or the last one]).
 
 
 Please help clear this up and please include a link to 
 something that helps clear this up.
 
 
 Thanks,
 Mike Baudino
 
 
 
 *** PLEASE NOTE ***
 This E-Mail/telefax message and any documents accompanying 
 this transmission may contain privileged and/or confidential 
 information and is intended solely for the addressee(s) named 
 above.  If you are not the intended addressee/recipient, you 
 are hereby notified that any use of, disclosure, copying, 
 distribution, or reliance on the contents of this 
 E-Mail/telefax information is strictly prohibited and may 
 result in legal action against you. Please reply to the 
 sender advising of the error in transmission and immediately 
 delete/destroy the message and any accompanying documents.  Thank you.
 
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Slightly OT: Deleting Accounts

2003-04-02 Thread Barber, Thomas

I am re-writing several scripts to delete accounts. We are running AD Native Mode, with a single Exchange 2000 Server. When I programmatically delete a user account (using Windows Scripting Host) does the Exchange email account get deleted as well? I know a user's Exchange email account cannot exist without the AD account, but I'm wondering what happens to any messages and data that exist on the Exchange server?


-Tom Barber

Systems Manager

Alfred State College



Re: [ActiveDir] Connect to printer

2003-04-02 Thread Brahim Bouchaiba
Try this vbs script:


Set WshNetwork = CreateObject("WScript.Network")
WshNetwork.AddWindowsPrinterConnection "\\printserver\printer_name"
WshNetwork.SetDefaultPrinter "\\printserver\printer_name"

good luck




[EMAIL PROTECTED] writes:
Original Message Follows
From: Richard Sumilang [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Connect to printer
Date: Tue, 1 Apr 2003 10:26:45 -0800

I have a Windows 2000 network running and all users log in to the server 
using Active Directory. I would like to have a bat script automatically 
connect people to a shared printer and have it set as the default. Please 
help :-)



Brahim Bouchaiba
Network administrator 
Information technology
617-7359720



Re: [ActiveDir] Account Lockouts

2003-04-02 Thread Tony Murray
There are a few things that you can do.

1.  Ensure all your W2K DCs have SP3.  There are a few improvements/fixes in the way lockouts are communicated between DCs.

2.  Have a look at the Account Lockout Status tool (ALS.EXE).  This pulls information from each DC in the domain regarding the lockout status, bad pw attempts, etc.  You may need to contact your Microsoft TAM for ALS.EXE as I don't know if it has made it into the resource kit tools yet.

3.  Eventcomb can be useful for grouping event information from log files on different DCs.

4.  Look for Event 681 entries on the PDC Emulator DC.  Have a look at http://support.microsoft.com/default.aspx?scid=kb;[LN];273499 for information on how to interpret the resulting error codes.  You can use Dumpel.exe to filter the results if necessary.

5.  If you have password complexity as part of your account policy then you should be able to safely increase the account lockout threshold to something nearer 15 attempts.  This should reduce the burden on your help desk.

Tony

-- Original Message --
From: Mayet, Yusuf Y [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 2 Apr 2003 14:47:42 +0200 

Hi everyone,

I was hoping that someone could help me out with this:
We have a mixed environment of W2K DCs and there is a requirement from our
Systems Support Centre to track Account Lockouts.

As this can take place on any DC I was wondering if someone out there was
using a tool to interrogate the directory to retrieve this information from
the DC that registers the lockout.

At the moment we have a tedious exercise of filtering each DC's log for
event ID 644.

Thanks in advance,
Yusuf 

Success is: Set high aspirations in life. The Challenge is in our minds. We
are limited not by reality but by our own imaginations.







RE: [ActiveDir] Account Lockouts

2003-04-02 Thread Patrick R. Sweeney
This type of problem is easily solved if you've set the DBFlag for logon
events for netlogon.  Otherwise it is almost impossible to track in an
environment with NT Desktops -- the event ends up in the event logs of
the offending desktop, not the DC.  In an environment with 9x desktops,
this is still difficult to track, since the events can be in the logs of
any DC, but are not centralized.  Debugging netlogon solves all that,
and is fairly easy -- only requiring a registry change on 2000 DCs.
 
Here are relevant articles --
http://support.microsoft.com/default.aspx?scid=kb;en-us;189541 
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;109626
 
Additionally, you will need to set up some method to recover the
netlogon text files and to make certain the DCs hard drive doesn't get
filled by them.

The following is a script to move the netlogon.log file when it fills.

My apologies if this gets poorly formatted in email
---


'Script to move a NETLOGON.LOG
'file when it reaches a certain size

'declare variables
Dim FSO                 'FileSystem Object
Dim sSystemRoot         'System Root path
Dim sFilePath           'Full Path to the Netlogon.log file
Dim sWMIFilePath        'Path to Netlogon.log expressed with \\ for WMI
Dim sComputer           'Target Computer
Dim oWMIService         'Windows Management Service Object
Dim colMonitoredEvents  'Collection of monitored events
Dim oLatestEvent        'Trigger instance
Dim lTriggerSize        'Size at which to move the netlogon.log file in bytes
Dim lCurrentSize        'Size of file currently
Dim sTargetName         'Archive file name - based on the lastmodified time of the file
Dim sArchivePath        'Path to archive files
Dim sTempPath           'initial path of renamed but unmoved file
Dim sTargetPath         'Full path of archive file

'initialize variables and objects
sComputer = "."  'local machine
'Path to archive files
sArchivePath = "\\servername\sharename\subfolder"
Set FSO = CreateObject("Scripting.FileSystemObject")
lTriggerSize = 67108864  '64 MB

'The file path is based on the system root
sSystemRoot = FSO.GetSpecialFolder(0)
sFilePath = sSystemRoot & "\debug\netlogon.log"
'WQL string literals need each backslash doubled
sWMIFilePath = Replace(sFilePath, "\", "\\")

'Instantiate WMI
Set oWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & sComputer & "\root\cimv2")

'Now create an event sink for when the file is modified (polled every 10 seconds)
Set colMonitoredEvents = oWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE " _
    & "TargetInstance ISA 'CIM_DataFile' and " _
    & "TargetInstance.Name='" & sWMIFilePath & "'")
Do
    Set oLatestEvent = colMonitoredEvents.NextEvent
    'Now determine if the file size is exceeded
    lCurrentSize = CLng(oLatestEvent.TargetInstance.FileSize)
    If lCurrentSize >= lTriggerSize Then
        'Now our criteria are met so begin to manipulate the log
        'first determine the last modified time (yyyymmddHHMMSS) for use as a filename
        sTargetName = Left(oLatestEvent.TargetInstance.LastModified, 14) & ".log"
        sTempPath = sSystemRoot & "\debug\" & sTargetName
        'Rename the netlogon.log file appropriately
        FSO.MoveFile sFilePath, sTempPath
        'Now move the renamed file to the archive share
        sTargetPath = sArchivePath & "\" & sTargetName
        FSO.MoveFile sTempPath, sTargetPath
    End If
Loop

-

Then all you need to do is filter the netlogon.log files.

-Patrick R. Sweeney http://boston.craigslist.org/bos/res/8484283.html

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Wednesday, April 02, 2003 7:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts


Hi everyone,

I was hoping that someone could help me out with this:

We have a mixed environment of W2K DCs and there is a requirement from
our Systems Support Centre to track Account Lockouts.

As this can take place on any DC I was wondering if someone out there
was using a tool to interrogate the directory to retrieve this
information from the DC that registers the lockout.

At the moment we have a tedious exercise of filtering each DC's log for
event ID 644.

Thanks in advance,

Yusuf 

Success is: Set high aspirations in life. The Challenge is in our
minds. We are limited not by reality but by our own imaginations.

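Tony's item 4 (interpreting the status codes behind Event 681) and Patrick's closing step (filtering the archived netlogon.log files) come down to the same parsing job. The following is an added example of mine, not Patrick's script nor anything posted to the list: it parses Netlogon debug-log lines, maps the NTSTATUS codes to their meaning, and reports per-account failure counts, source workstations and the first lockout. The line layout assumed for netlogon.log, the sample lines, the account and workstation names are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Standard NTSTATUS values that appear in Netlogon.log "Returns" lines and
# in the Event 681 failure code; not an exhaustive list.
STATUS = {
    0x00000000: "success",
    0xC0000064: "user does not exist",
    0xC000006A: "wrong password",
    0xC000006D: "logon failure (bad user or password)",
    0xC000006E: "account restriction",
    0xC000006F: "outside permitted logon hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000224: "must change password at next logon",
    0xC0000234: "account locked out",
}

# Constructed sample in the Windows 2000 Netlogon.log layout (assumed here):
#   MM/DD HH:MM:SS [LOGON] SamLogon: <kind> logon of DOMAIN\user from WKS Returns 0x...
# Domain, users, workstations and times are made up for this example.
SAMPLE_LOG = """\
04/02 09:31:02 [LOGON] SamLogon: Network logon of CORP\\yusuf from WKS-0412 Entered
04/02 09:31:02 [LOGON] SamLogon: Network logon of CORP\\yusuf from WKS-0412 Returns 0xC000006A
04/02 09:31:09 [LOGON] SamLogon: Network logon of CORP\\yusuf from WKS-0412 Returns 0xC000006A
04/02 09:31:15 [LOGON] SamLogon: Network logon of CORP\\yusuf from WKS-0412 Returns 0xC000006A
04/02 09:31:21 [LOGON] SamLogon: Network logon of CORP\\yusuf from WKS-0412 Returns 0xC0000234
04/02 09:33:40 [LOGON] SamLogon: Network logon of CORP\\yusuf from FS-03 Returns 0xC0000234
04/02 09:35:12 [LOGON] SamLogon: Interactive logon of CORP\\tbarber from WKS-0077 Returns 0x0
04/02 09:36:58 [LOGON] SamLogon: Network logon of CORP\\svc_backup from EXCH01 Returns 0xC0000072
04/02 09:40:00 [MISC] DsGetDcName function called: client PID=1234, Dom:CORP Acct:(null) Flags: IP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: "
    r"(?P<kind>\w+) logon of (?P<domain>[^\\\s]+)\\(?P<user>\S+) "
    r"from (?P<wks>\S+) Returns (?P<code>0x[0-9A-Fa-f]+)$"
)


def parse_netlogon(text):
    """Yield one record per 'Returns' line; 'Entered' and non-logon lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["code"] = int(rec["code"], 16)
        rec["meaning"] = STATUS.get(rec["code"], "unknown status")
        yield rec


def summarize(text):
    """Per account: failed attempts, a breakdown by status meaning, the
    workstations the attempts came from, and the first line that returned
    STATUS_ACCOUNT_LOCKED_OUT (0xC0000234) with its source workstation."""
    failures = Counter()
    reasons = defaultdict(Counter)
    sources = defaultdict(set)
    first_lockout = {}
    for rec in parse_netlogon(text):
        if rec["code"] == 0:
            continue  # successful logons are not interesting here
        key = f"{rec['domain']}\\{rec['user']}"
        failures[key] += 1
        reasons[key][rec["meaning"]] += 1
        sources[key].add(rec["wks"])
        if rec["code"] == 0xC0000234 and key not in first_lockout:
            first_lockout[key] = (rec["ts"], rec["wks"])
    return {
        acct: {
            "failures": failures[acct],
            "reasons": dict(reasons[acct]),
            "sources": sorted(sources[acct]),
            "first_lockout": first_lockout.get(acct),
        }
        for acct in failures
    }


if __name__ == "__main__":
    for acct, info in summarize(SAMPLE_LOG).items():
        print(acct, info)
```

Run it over the archived netlogon.log files from every DC (Patrick's script only moves each DC's own file) and the lockout source usually stands out as the workstation that produced the run of wrong-password returns just before the 0xC0000234.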

RE: [ActiveDir] Connect to printer

2003-04-02 Thread England, Christopher M
Ok, I hope no one addressed this already, but here is what we have been
using.

Con2prt.exe from the Resource Kit (any version):
Con2prt.exe /cd \\server\printshare

That is all you need. There are other switches with con2prt that you can
check out as well.

Again, I hope this helps and is not a repeat.

Chris

-
Christopher England
Server Administrator
MCP, Server+, Network+, A+
College Information Technology Office
Indiana University


-Original Message-
From: Brahim Bouchaiba [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 8:12 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connect to printer


Try this vbs script:


Set WshNetwork = CreateObject("WScript.Network")
WshNetwork.AddWindowsPrinterConnection "\\printserver\printer_name"
WshNetwork.SetDefaultPrinter "\\printserver\printer_name"

good luck




[EMAIL PROTECTED] writes:
Original Message Follows
From: Richard Sumilang [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Connect to printer
Date: Tue, 1 Apr 2003 10:26:45 -0800

I have a Windows 2000 network running and all users log in to the 
server
using Active Directory. I would like to have a bat script automatically

connect people to a shared printer and have it set as the default.
Please 
help :-)



Brahim Bouchaiba
Network administrator 
Information technology
617-7359720



RE: [ActiveDir] Slightly OT: Deleting Accounts

2003-04-02 Thread Steve Rochford

No; it doesn't get deleted. I've used the following sub-routine for the same purpose on our student network. Call it with deletemailbox full path to user - you'll need to change the servername to match your exchange server.

What I normally do for our staff network is run a routine which checks to see if the user still exists on the payroll database and when they last changed their password; if they're not on the payroll and they've not changed their password recently then I use a script to disable the account and move them to a special OU, adding a comment with the date on which this was done. This makes it easy to re-enable the account when you find that our HR department has just "lost" a member of staff (which they do with disturbing regularity!!) and also easy to just delete them en masse if they don't get used for a month or so.

Steve


Sub deletemailbox(recip)
    servername = "computer01"   'change to match your Exchange server
    Set objPerson = CreateObject("CDO.Person")   'Initialize
    objPerson.DataSource.Open recip
    'IMailboxStore is an interface of the CDO.Person object, not a creatable ProgID
    Set objMailbox = objPerson
    If objMailbox.HomeMDB = "" Then
        writelog "No Mailbox Found for " & recip
    Else
        objMailbox.DeleteMailbox
        objPerson.DataSource.Save
        writelog "Mailbox for " & recip & " deleted successfully."
    End If
End Sub
'Minimal logging helper the routine relies on (assumed; not in the original post)
Sub writelog(msg)
    WScript.Echo msg
End Sub

  
  -Original Message-From: Barber, Thomas 
  [mailto:[EMAIL PROTECTED] Sent: 02 April 2003 
  14:04To: [EMAIL PROTECTED]Subject: 
  [ActiveDir] Slightly OT: Deleting Accounts
  
  I am re-writing several scripts to delete accounts. We are running AD Native Mode, with a single Exchange 2000 Server. When I programmatically delete a user account (using Windows Scripting Host) does the Exchange email account get deleted as well? I know a user's Exchange email account cannot exist without the AD account, but I'm wondering what happens to any messages and data that exist on the Exchange server?
  
  Thanks in 
  advance.
  
  
  -Tom Barber
  Systems 
  Manager
  Alfred 
  State 
  College
  
  


[ActiveDir] OT RIS ISSUE:

2003-04-02 Thread james . blair

I am currently trying to RIS servers on a testbed and am able to do so; however, I wish to set partition sizes so that the system partition is 10GB, but RIS seems to just format and utilise ALL the available space even when I have FDISK'd and set the primary partition size. My thoughts were that if I FDISK'd and set the partition size, RIS would format the partition as NTFS and away we go... any feedback would be appreciated.

James


[ActiveDir] move users ou to ou

2003-04-02 Thread Taylor, Eric

I am working on some Active Directory OU delegation and have a quick question. Basically, I need to find out what are the minimum permissions that I can grant for OU Administrators to move users from one Organizational Unit to another Organizational Unit. We want to deny OU Admins from deleting these User objects but want to allow them to move the users. What are the minimum set of privileges I can give these administrators to move the user objects? Any guidance or suggestions?


RE: [ActiveDir] downlevel client authentication

2003-04-02 Thread Patrick R. Sweeney
The choice is governed by the secure channel.  This is established on a
first-response basis.

Given the absence of the DSClient the client behavior should still be as
described in Q266729.  This seems to be borne out by your experiences.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, April 02, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] downlevel client authentication


We have about 20 remote WAN sites, each running an AD domain controller.
Almost every site still has a fair number of NT4 and win98 clients -
none with the AD client installed. I have a kixtart script that runs on
the workstation from the login script that logs (among other things) the
authenticating server. 

What I see is that overwhelmingly, back-level clients hit their local AD
DC for authentication. This leads me to believe that either WINS
responses are sorted by IP subnet (so that the local DC is presented
first), or that workstations attempt to find a DC by broadcast before
using WINS, or, possibly, that a workstation attempts to open a socket
to all DCs returned by WINS, and the first to complete is the one that's
used. This would normally be the closest DC. I'm curious, but not
enough so to fire up a sniffer.

The confusion comes from the fact that Microsoft has published
conflicting information on how clients authenticate, and how backlevel
clients authenticate in an AD environment. If memory serves, the Windows
2000 server help system explicitly states that backlevel clients
authenticate against the PDC emulator, which is incorrect.

I know this was a big issue for us when we went AD. We were scared to
death to turn off our old remote BDCs - even a call to PSS could
definitively answer the question.

A good clue came from examining the log files that my script created. I
saw that even with a local BDC, the local AD DC was authenticating
backlevel clients. The definitive answer came when we simply shut a BDC
down at a small remote site, and noticed that the AD DC picked right up.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 7:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] downlevel client authentication


Well, you're all partially correct.

AD (whether mixed mode or not) appears the same as a straight NT4
domain to all downlevel (i.e. non-AD aware clients). What that means is
that the PDC emulator is the only place passwords can be changed by
these clients. It also means that any DC can authenticate users.

The thing to keep in mind is how NT4 style domains actually
authenticate. Assuming WINS is available, a client queries WINS for
domain controllers who can service the domain to which the client is
trying to authenticate (looking for 1Ch records in WINS). WINS returns
up to 25 domain controllers
- in NO particular order - to the client. There is no guarantee that the
DCs returned will be local to the client.

Does that help at all?

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Mike Baudino [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 01, 2003 6:23 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] downlevel client authentication
 
 
 All,
 
 Please help me resolve a discussion with some strong opinions on 
 both sides of the camp.  You see, our reading on the role of the PDC 
 Emulator in regard to a mixed-mode domain with downlevel clients 
 (we're not upgrading the NT4.0 client
 software) has left us with differing interpretations.
 
 We agree and understand that the PDC Emulator is contacted directly 
 by the downlevel clients to change their passwords.  We also 
 understand and agree that the PDC Emulator is the source of SAM 
 replication.
 
 Our disagreement is in authentication.  Some folks are reading it as 
 all downlevel client activity, including authentication, is done at 
 the PDC emulator.  Others read this as the downlevel client is 
 authenticated by the domain controller that responds first (or the 
 last time the client was authenticated [we're also a bit unclear on 
 that concept]).
 
 To me, this is very clear (but I could be the cause of the confusion).
 In a branch office environment running mixed mode we would have a 
 combination of Win2k and NT4.0 domain controllers in the field 
 offices.  The NT4.0 BDCs are not aware of the fact that they're 
 really part of an AD domain and nor would the clients.  Thus, if the 
 clients don't know about AD, and the BDC doesn't know about AD, how 
 would the client know that it had to contact the PDC emulator to be
 authenticated?  It wouldn't.  Hence, downlevel client 
 authentication must occur at any domain controller (again, 
 the one that responds first [or the last one]).
 
 
 Please help clear this up and please include a link to
 something that helps clear this up.
 
 
 

RE: [ActiveDir] downlevel client authentication

2003-04-02 Thread Patrick R. Sweeney
SetPrfDc can be used to force the secure channel to certain machines.
It doesn't particularly make sense to run on client machines, but it was
useful in an NT 4.0 Master Domain environment to keep the secure
channels between resource domain DCs and master Domain DCs
site-specific.  

Forcing local authentication is definitely much easier in AD, but was
not impossible in NT 4.0.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, April 02, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] downlevel client authentication


You are correct on both counts.

Terminology-wise, I consider non-AD aware clients as downlevel, whereas
older OS's with the DSClient installed really aren't downlevel anymore.

As far as DC order, it will try each of the returned DCs. There still is
no rhyme nor reason to the order in which they are returned however, so
there is little that can be done to manage which DC authenticates.
Frankly, that's one of my favorite benefits of AD.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, April 02, 2003 9:31 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] downlevel client authentication
 
 
 Yes - in reality, it does.
 
 However, I just want to point out the difference when
 downlevel clients have the DS Client applied.  It can now 
 change passwords at ANY DC.  Not just the PDC-E.  So, does AD 
 aware in your example include those with the DS Client?
 
 And, Roger - correct me if I'm wrong, if the first DC in the
 list of returned DCs does NOT answer (down, busy), it then 
 moves to the next one in the list.  Hence, the behavior that 
 we saw in NT domains is still accurate - the PDC didn't do 
 much authentication.  Unless, of course, if it was the only DC. ;-)
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Roger Seielstad
 Sent: Wednesday, April 02, 2003 6:49 AM
 To: '[EMAIL PROTECTED]'
 
 Well, you're all partially correct.
 
 AD (whether mixed mode or not) appears the same as a
 straight NT4 domain to all downlevel (i.e. non-AD aware 
 clients). What that means is that the PDC emulator is the 
 only place passwords can be changed by these clients. It also 
 means that any DC can authenticate users.
 
 The thing to keep in mind is how NT4 style domains actually
 authenticate. Assuming WINS is available, a client queries 
 WINS for domain controllers who can service the domain to 
 which the client is trying to authenticate (looking for 1Ch 
 records in WINS). WINS returns up to 25 domain controllers
 - in NO particular order - to the client. There is no 
 guarantee that the DCs returned will be local to the client.
 
 Does that help at all?
 
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Mike Baudino [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 01, 2003 6:23 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] downlevel client authentication
  
  
  All,
  
  Please help me resolve a discussion with some strong opinions on 
  both sides of the camp.  You see, our reading on the role of the PDC
  Emulator in regard to a mixed-mode domain with downlevel clients
  (we're not upgrading the NT4.0 client software) has left us with
  differing interpretations.
  
  We agree and understand that the PDC Emulator is contacted directly
  by the downlevel clients to change their passwords.  We also 
  understand and agree that the PDC Emulator is the source of
  SAM replication.
  
  Our disagreement is in authentication.  Some folks are reading it as
  all downlevel client activity, including authentication, is done at 
  the PDC emulator.  Others read this as the downlevel client is 
  authenticated by the domain controller that responds first (or the 
  last time the client was authenticated [we're also a bit unclear on 
  that concept]).
  
  To me, this is very clear (but I could be the cause of the confusion).
  In a branch office environment running mixed mode we would have a
  combination of Win2k and NT4.0 domain controllers in the field 
  offices.  The NT4.0 BDCs are not aware of the fact that they're 
  really part of an AD domain and nor would the clients.  Thus, if the
  clients don't know about AD, and the BDC doesn't know about AD, how
  would the client know that it had to contact the PDC emulator to be
  authenticated?  It wouldn't.  Hence, downlevel client authentication
  must occur at any domain controller (again, the one that responds
  first [or the last one]).
  
  
  Please help clear this 

RE: [ActiveDir] downlevel client authentication

2003-04-02 Thread Mike Baudino

Thanks everyone for your replies.  I especially appreciate the real world
answers...

This should help put to rest our discussion.


Mike Baudino


Patrick R. Sweeney [EMAIL PROTECTED]@mail.activedir.org on 04/02/2003
09:52:17 AM

Please respond to [EMAIL PROTECTED]

Sent by:[EMAIL PROTECTED]


To:[EMAIL PROTECTED]
cc:

Subject:RE: [ActiveDir] downlevel client authentication


The choice is governed by the secure channel.  This is established on a
first-response basis.

Given the absence of the DSClient the client behavior should still be as
described in Q266729.  This seems to be borne out by your experiences.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, April 02, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] downlevel client authentication


We have about 20 remote WAN sites, each running an AD domain controller.
Almost every site still has a fair number of NT4 and win98 clients -
none with the AD client installed. I have a kixtart script that runs on
the workstation from the login script that logs (among other things) the
authenticating server.

What I see is that overwhelmingly, back-level clients hit their local AD
DC for authentication. This leads me to believe that either WINS
responses are sorted by IP subnet (so that the local DC is presented
first), or that workstations attempt to find a DC by broadcast before
using WINS, or, possibly, that a workstation attempts to open a socket
to all DCs returned by WINS, and the first to complete is the one that's
used. This would normally be the closest DC. I'm curious, but not
enough so to fire up a sniffer.

The confusion comes from the fact that Microsoft has published
conflicting information on how clients authenticate, and how backlevel
clients authenticate in an AD environment. If memory serves, the Windows
2000 server help system explicitly states that backlevel clients
authenticate against the PDC emulator, which is incorrect.

I know this was a big issue for us when we went AD. We were scared to
death to turn off our old remote BDCs - even a call to PSS could
definitively answer the question.

A good clue came from examining the log files that my script created. I
saw that even with a local BDC, the local AD DC was authenticating
backlevel clients. The definitive answer came when we simply shut a BDC
down at a small remote site, and noticed that the AD DC picked right up.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 7:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] downlevel client authentication


Well, you're all partially correct.

AD (whether mixed mode or not) appears the same as a straight NT4
domain to all downlevel (i.e. non-AD aware clients). What that means is
that the PDC emulator is the only place passwords can be changed by
these clients. It also means that any DC can authenticate users.

The thing to keep in mind is how NT4 style domains actually
authenticate. Assuming WINS is available, a client queries WINS for
domain controllers who can service the domain to which the client is
trying to authenticate (looking for 1Ch records in WINS). WINS returns
up to 25 domain controllers - in NO particular order - to the client.
There is no guarantee that the DCs returned will be local to the client.

Does that help at all?

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Mike Baudino [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 01, 2003 6:23 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] downlevel client authentication


 All,

 Please help me resolve a discussion with some strong opinions on
 both sides of the camp.  You see, our reading on the role of the PDC
 Emulator in regard to a mixed-mode domain with downlevel clients
 (we're not upgrading the NT4.0 client
 software) has left us with differing interpretations.

 We agree and understand that the PDC Emulator is contacted directly
 by the downlevel clients to change their passwords.  We also
 understand and agree that the PDC Emulator is the source of SAM
 replication.

 Our disagreement is in authentication.  Some folks are reading it as
 all downlevel client activity, including authentication, is done at
 the PDC emulator.  Others read this as the downlevel client is
 authenticated by the domain controller that responds first (or the
 last time the client was authenticated [we're also a bit unclear on
 that concept]).

 To me, this is very clear (but I could be the cause of the confusion).

 In a branch office environment running mixed mode we would have a
 combination of Win2k and NT4.0 domain controllers in the field
 offices.  The NT4.0 BDC's are not aware of the fact that they're
 really part of an AD domain and nor would the clients.  Thus, if the
 client's don't know about AD, and the BDC 
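The WINS lookup Roger describes above (a NetBIOS name query for DOMAIN<1C>, answered with an unordered list of DC addresses), as an added example that is not part of the original thread. It builds the RFC 1002 query a pre-AD client sends, parses the positive response and returns the DC entries in wire order. The WINS server address and domain name in the live call are placeholders, and the offline sample response is constructed for this example.

```powershell
# Added example, not from the thread. Builds the RFC 1002 NetBIOS name query
# that a pre-AD client sends for DOMAIN<1C>, parses the positive response,
# and returns the DC entries in the order WINS sent them.

function ConvertTo-NetBiosName {
    # First-level encoding: 15-character space-padded name plus the suffix
    # byte, each byte split into two nibbles and each nibble added to 'A'.
    param([string]$Name, [byte]$Suffix)
    $raw   = [System.Text.Encoding]::ASCII.GetBytes($Name.ToUpper().PadRight(15).Substring(0, 15)) + $Suffix
    $chars = foreach ($b in $raw) { [char](0x41 + ([int]$b -shr 4)); [char](0x41 + ($b -band 0x0F)) }
    return -join $chars
}

function New-NbnsQuery {
    param([string]$Domain, [uint16]$TransactionId)
    $header = [byte[]]@(
        ([int]$TransactionId -shr 8), ($TransactionId -band 0xFF),
        0x01, 0x00,            # OPCODE=query, RD=1 (unicast to WINS; 0x0110 would be a broadcast)
        0x00, 0x01,            # QDCOUNT=1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
    $name = [System.Text.Encoding]::ASCII.GetBytes((ConvertTo-NetBiosName -Name $Domain -Suffix 0x1C))
    # label length 32, encoded name, end of name, QTYPE=NB (0x20), QCLASS=IN
    return [byte[]]($header + 0x20 + $name + @(0x00, 0x00, 0x20, 0x00, 0x01))
}

function Read-NbnsResponse {
    # Walks one positive name query response and emits every NB_FLAGS/IP pair
    # from RDATA. For a 1C group name WINS packs one pair per DC.
    param([byte[]]$Packet, [uint16]$TransactionId)
    if ($Packet.Length -lt 12) { throw 'Truncated response' }
    if (((([int]$Packet[0]) -shl 8) -bor $Packet[1]) -ne $TransactionId) { throw 'Transaction ID mismatch' }
    $rcode = $Packet[3] -band 0x0F
    if ($rcode -ne 0) { throw "Negative name query response (RCODE $rcode)" }
    $ancount = (([int]$Packet[6]) -shl 8) -bor $Packet[7]
    if ($ancount -lt 1) { return }
    $i = 12
    # RR_NAME: a label sequence ending in 0x00, or a 2-byte compression pointer
    if (($Packet[$i] -band 0xC0) -eq 0xC0) { $i += 2 }
    else { while ($Packet[$i] -ne 0) { $i += 1 + $Packet[$i] }; $i++ }
    $i += 2 + 2 + 4                                   # RR_TYPE, RR_CLASS, TTL
    $rdlen = (([int]$Packet[$i]) -shl 8) -bor $Packet[$i + 1]
    $i += 2
    $n = 0
    for ($off = 0; $off + 6 -le $rdlen; $off += 6) {
        $flags = (([int]$Packet[$i + $off]) -shl 8) -bor $Packet[$i + $off + 1]
        $ip    = [System.Net.IPAddress]::new([byte[]]$Packet[($i + $off + 2)..($i + $off + 5)])
        $n++
        [pscustomobject]@{ Order = $n; Address = $ip.IPAddressToString; GroupName = [bool]($flags -band 0x8000) }
    }
}

function Get-WinsDomainControllers {
    param([string]$WinsServer, [string]$Domain, [int]$TimeoutMs = 3000)
    $trn   = [uint16](Get-Random -Minimum 1 -Maximum 65535)
    $query = New-NbnsQuery -Domain $Domain -TransactionId $trn
    $udp   = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($query, $query.Length, $WinsServer, 137)
        $from  = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
    } finally { $udp.Dispose() }
    Read-NbnsResponse -Packet $reply -TransactionId $trn
}

# Offline check with a constructed response: two DCs, 10.1.1.10 then 10.2.2.10.
$trn  = [uint16]0x1234
$q    = New-NbnsQuery -Domain 'CORP' -TransactionId $trn
$resp = [byte[]]($q[0..1] + @(0x85, 0x80, 0, 0, 0, 1, 0, 0, 0, 0) + $q[12..45] +
        @(0, 0x20, 0, 1, 0, 0, 0x0E, 0x10, 0, 12, 0x80, 0, 10, 1, 1, 10, 0x80, 0, 10, 2, 2, 10))
Read-NbnsResponse -Packet $resp -TransactionId $trn | Format-Table

# Live query (WINS address and domain are placeholders); repeat it and watch the
# Order column: nothing sorts the list by the client's subnet.
Get-WinsDomainControllers -WinsServer '10.0.0.5' -Domain 'CORP' | Format-Table
```

The Order column is the order an NT4 or Win98 client without the DS client would try the DCs; a local DC appearing first is luck, not site awareness, which is the behaviour the thread is describing.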

RE: [ActiveDir] Problem updating object attributes in Active Directory -Using Directory SDK

2003-04-02 Thread Gil Kirkpatrick
Jonas,

It doesn't make sense so far :)

Are we still talking about failed updates to the url attribute, or are we
talking about updating the members attribute?

If you could post the code snippet and the names of some of the groups, that
might yield a clue.

-gil

-Original Message-
From: Jonas Almfeldt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 1:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problem updating object attributes in Active Directory -Using Directory SDK


I have noticed a pattern for the unsuccessful MODIFY commands. It appears
to be group objects not having any group members that do not
get updated. The non-updated groups I have looked at do not have parent
groups either.

This is only a guess. Does it make sense?

/ Jonas

On Tue, 1 Apr 2003, Gil Kirkpatrick wrote:

 Joan,
 
 Re: the url attribute not being updated... That's a mystery. I would 
 check to make sure that your code is updating it with a new (not the 
 same) value. I can't imagine that there would be a bug of that 
 magnitude in the Directory SDK. Is there any consistency as to when 
 the url attribute is updated and when it is not? Perhaps it fails on 
 certain object classes or in certain OUs? In that case it might be an 
 access rights or content rules issue. But in those cases you should 
 still get an exception...
 
 -gil

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] downlevel client authentication

2003-04-02 Thread Roger Seielstad
Absolutely - I never said it was impossible, but the options to do so had
their downsides.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Patrick R. Sweeney [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, April 02, 2003 10:56 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] downlevel client authentication
 
 
 SetPrfDc can be used to force the secure channel to certain 
 machines. It doesn't particularly make sense to run on client 
 machines, but it was useful in an NT 4.0 Master Domain 
 environment to keep the secure channels between resource 
 domain DCs and master domain DCs site-specific.
 
 Forcing local authentication is definitely much easier in AD, 
 but was not impossible in NT 4.0.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Wednesday, April 02, 2003 10:28 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] downlevel client authentication
 
 
 You are correct on both counts.
 
 Terminology-wise, I consider non-AD aware clients as 
 downlevel, whereas older OS's with the DSClient installed 
 really aren't downlevel anymore.
 
 As far as DC order, it will try each of the returned DCs. 
 There still is no rhyme nor reason to the order in which they 
 are returned however, so there is little that can be done to 
 manage which DC authenticates. Frankly, that's one of my 
 favorite benefits of AD.
 
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, April 02, 2003 9:31 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] downlevel client authentication
  
  
  Yes - in reality, it does.
  
  However, I just want to point out the difference when downlevel 
  clients have the DS Client applied.  It can now change passwords at 
  ANY DC.  Not just the PDC-E.  So, does AD aware in your example 
  include those with the DS Client?
  
  And, Roger - correct me if I'm wrong, if the first DC in the list of
  returned DCs does NOT answer (down, busy), it then moves to the next
  one in the list. Hence, the behavior that we saw in NT domains is
  still accurate - the PDC didn't do much authentication. Unless, of
  course, if it was the only DC. ;-)
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
   
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
  Seielstad
  Sent: Wednesday, April 02, 2003 6:49 AM
  To: '[EMAIL PROTECTED]'
  

Re: [ActiveDir] dynamic disks

2003-04-02 Thread stefano tufillaro
Norton Ghost 2003
It's hard not to have it.
It works in Windows 2000 (NT) and copies the first disk DIRECTLY to the second
and gives you the possibility to repartition, remove, etc.

or

1) I have the other disk online as the 2nd disk
2) I format it as NTFS, new = old (4=4 or 5=5)
3) I use Xcopy (the new XCOPY 2000) with all the useful options from the first
disk to the second disk (also the security option, and the copy of the files that
are in use will be made at the reboot)

4) After the successful copy I swap the disks, and after one or two boots to make
the pagefile, the reallocation, the real signature of the disk in the
registry and other things, it is ready.
This is much longer but partially less expensive.
Bye

From: Pelle, Joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: [ActiveDir] dynamic disks
Date: Mon, 31 Mar 2003 17:50:17 -0500
Anyone know of some secret voodoo that will allow me to dynamically change
the partition size of my system partition without rebuilding the server? I
need to make the drive bigger...
Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print & Media Solutions
35955 Schoolcraft Rd.   Livonia, MI  48150
Tel 734.632.3753  Fax 734.632.6240
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
http://www.valassis.com/ http://www.valassis.com/
This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.




RE: [ActiveDir] dynamic disks

2003-04-02 Thread Weston Rogers
NG2003 works on scsi disks?


-Original Message-
From: stefano tufillaro [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] dynamic disks




RE: [ActiveDir] Connect to printer

2003-04-02 Thread stefano tufillaro
Or G(roup) P(olicies)






From: Mike Celone [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Connect to printer
Date: Tue, 1 Apr 2003 21:55:25 -0500
You can also use rundll32 printui.dll,PrintUIEntry which is part of
Windows 2000.  Just type rundll32 printui.dll,PrintUIEntry /? For the
help file.
Mike

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 8:51 PM
To: [EMAIL PROTECTED]
con2prt on the resource kit works like a charm,

HTH...
8-)
Original Message Follows
From: Richard Sumilang [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Connect to printer
Date: Tue, 1 Apr 2003 10:26:45 -0800
I have a Windows 2000 network running and all users log in to the server
using Active Directory. I would like to have a bat script automatically
connect people to a shared printer and have it set as the default.
Please help :-)

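A logon-script version of the rundll32 printui.dll,PrintUIEntry approach Mike mentions, as an added example that is not part of the original thread: it adds the connection only when it is missing, makes it the default on request, and confirms the result through WMI instead of trusting rundll32's exit code (rundll32 returns 0 whatever happened). The printer path is a placeholder.

```powershell
# Added example, not from the thread. Idempotent printer connection for a
# logon script; the share name is an assumption.
function Connect-SharedPrinter {
    param(
        [Parameter(Mandatory)][string]$Path,   # \\server\share
        [switch]$Default
    )
    $existing = Get-CimInstance Win32_Printer -Filter 'Network = TRUE' |
        Where-Object { $_.Name -eq $Path }
    if (-not $existing) {
        # /in = add a network printer connection, /n = printer name,
        # /q = quiet, so no dialogs block the logon script
        Start-Process -FilePath rundll32.exe -Wait `
            -ArgumentList "printui.dll,PrintUIEntry /in /q /n `"$Path`""
        $existing = Get-CimInstance Win32_Printer -Filter 'Network = TRUE' |
            Where-Object { $_.Name -eq $Path }
        if (-not $existing) { throw "Could not connect to $Path" }
    }
    if ($Default -and -not $existing.Default) {
        # /y = make this printer the default for the current user
        Start-Process -FilePath rundll32.exe -Wait `
            -ArgumentList "printui.dll,PrintUIEntry /y /n `"$Path`""
    }
    # Return what the spooler now reports for this connection
    Get-CimInstance Win32_Printer -Filter 'Network = TRUE' |
        Where-Object { $_.Name -eq $Path } |
        Select-Object Name, Default
}

Connect-SharedPrinter -Path '\\printsrv01\Floor2-Laser' -Default
```

Printer connections are per user, so this has to run in the user's logon context, not as a computer startup script.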

RE: [ActiveDir] dynamic disks

2003-04-02 Thread stefano tufillaro
Yes.
It works INSIDE Windows 2000, so it uses the native hardware support (unlike the previous version).
Bye





From: Weston Rogers [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] dynamic disks
Date: Wed, 2 Apr 2003 14:16:24 -0500
NG2003 works on scsi disks?



[ActiveDir] Controlling information shared/viewable by Active Directory

2003-04-02 Thread Bell, Stephen
Three part question for the group.

One of the good things about AD is the ability to use it to centralize
information about users and providing an access method for other users.
By filling in the fields in the ADUC - first name, last name, phone
number, email address etc, you make this information available to others
via AD.

Anyone in the domain or forest can access this information by going to
(using XP or 2000) the search feature and looking in Active Directory.

Like I said.  This is a good thing.

My question is how do you control it?

First.  If you have information in the ADUC that you only want selected
individuals to access, how do you configure it so that it is not
viewable by users using the search feature?

Second.  If you have specific users you do NOT want to be viewable at
all in the search feature, how do you block that?

Third.  If you have multiple domains, can you set the security in such a
way as to block what other domains would see?  For instance, in my
domain I may want the users to be able to see all the information, but
when users from other domains search, they should only be able to see
the name, phone number, and email address.

A fourth bonus question.  Is it possible to set the permission on the
search feature so that users if they look up their own information can
modify it, but no one else (other than administrators of course) can
change it?

I'm assuming that all of this is possible via security settings, but I
don't know where.

A guide to the where these specific information can be found would also
be great.

Any help would be greatly appreciated.

Cheers

Steve



Re: [ActiveDir] Controlling information shared/viewable by Active Directory

2003-04-02 Thread stefano tufillaro
Hi stephen

I use AD to centralize several types of informations.
COntrol, management, info and other WITHOUT using 3d part SW or utility.
It was hard at the beginning but it's possible.
MSDN and technet this e-mail list and several sites that you will find with 
samples and/or utilities.
Four examples:
1) centralized eventlog capture,archiving and retrieval,reporting in SQL 
datbase AD published.(Visual basic, visual c++ and AD
2) central repository of articles, snippet, help on -line, utilities, 
memorandum, capture move, automa works  etc. all in internal www site that 
you read and use by web browser
3) Terminal remote administration by TS or Netmeeting or VINC or other 
utilities driven by web paged
4) Extension AD to make (or have) other active directory services (the real 
2000 applications not the 'normal' application that are projected as well as 
NT/95/98 compliant and after run in 2000 pseudo-mode)

But all with non exaustive documentation by Microsoft

But it's possible

Bye
Stephan




From: Bell, Stephen [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Controlling information shared/viewable by Active 
Directory
Date: Wed, 2 Apr 2003 11:45:42 -0800



RE: [ActiveDir] Controlling information shared/viewable by ActiveDirectory

2003-04-02 Thread Gil Kirkpatrick
Stephen,

The answers to almost all your questions lie in the realm of access control
lists (ACLs). The security mechanisms in AD are quite flexible; you can
control access down to specific attributes, operations, and users. To answer
your specific questions...
1. Use ACLs to make the information unavailable.
2. Use ACLs to make the information unavailable.
3. Yes
4. Yes, although these are not permissions on the search feature. You use
ACLs to grant update access to SELF, and deny update access to everyone
else.

I think there are ways to configure ADUC to display only certain attributes,
but I don't know much about that. Someone else on the list certainly can
comment.

The best reference I think is the Distributed Systems Guide in the Windows
2000 Server Resource Kit, Chapter 12 "Access Control". You can read it
online starting at
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/distrib/dsce_ctl_MFXC.asp?frame=true .
There are certainly other articles and white papers and such, but the DSG
explains how all the machinery works, which I think is important to figuring
what you can and can't do.

-gil

-Original Message-
From: Bell, Stephen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 12:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Controlling information shared/viewable by Active
Directory



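One way to put Gil's answer into practice, as an added example that is not part of the original thread: an attribute-level Deny for one group plus an Allow for SELF, applied to the user objects under an OU through System.DirectoryServices. The OU, attribute and group names are placeholders (assumptions), and the account running it needs the right to modify the OU's ACL.

```powershell
# Added example, not from the thread. Hides one attribute of the users under
# an OU from a chosen group and lets each user update it on their own object.
Add-Type -AssemblyName System.DirectoryServices

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class; object-specific ACEs are keyed on it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $filter  = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))(lDAPDisplayName=$LdapDisplayName))"
    $result  = [System.DirectoryServices.DirectorySearcher]::new($schema, $filter, [string[]]@('schemaIDGUID')).FindOne()
    if (-not $result) { throw "'$LdapDisplayName' not found in the schema" }
    return [guid][byte[]]$result.Properties['schemaIDGUID'][0]
}

function Set-UserAttributeAccess {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # OU whose user objects are affected
        [Parameter(Mandatory)][string]$Attribute,  # lDAPDisplayName, e.g. homePhone
        [Parameter(Mandatory)][string]$DenyReadTo  # DOMAIN\Group that must not see it
    )
    $attrGuid = Get-SchemaGuid $Attribute
    $userGuid = Get-SchemaGuid 'user'
    $ou  = [ADSI]"LDAP://$OuDn"
    $acl = $ou.psbase.ObjectSecurity
    $descendantUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # Deny ReadProperty on just this attribute, inherited to user objects below the OU.
    $deny = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount]$DenyReadTo,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $attrGuid, $descendantUsers, $userGuid)
    $acl.AddAccessRule($deny)

    # Allow SELF (S-1-5-10: the user acting on their own object) to write it.
    $self = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')
    $allowSelf = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid, $descendantUsers, $userGuid)
    $acl.AddAccessRule($allowSelf)

    $ou.psbase.CommitChanges()
}

# Placeholders: the OU, attribute and group are assumptions for this example.
Set-UserAttributeAccess -OuDn 'OU=Staff,DC=corp,DC=example' -Attribute 'homePhone' -DenyReadTo 'CORP\Contractors'

# Inspect the result with the built-in tool; the two new entries show up as
# Deny ... homePhone for the group and Allow ... homePhone for SELF, inherited
# to user objects.
dsacls 'OU=Staff,DC=corp,DC=example'
```

Two caveats. A Deny ACE wins over Allow entries at the same scope, so aiming it at a broad group such as Authenticated Users also blocks administrators who are members; target the narrowest group that fits, or remove the broad read grant instead. Denying one attribute leaves the object itself visible in searches; hiding whole users (the second question) means denying read on the object, which also affects any application that needs to find them.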

[ActiveDir] Termminal Services Default Session

2003-04-02 Thread Daniel Chaveco
I use Terminal Server Client to administer remote servers. But I can only have 2
sessions at a time doing this. Is there a way to increase this to 3 or 4 or is 2 the
default?

RE: [ActiveDir] Termminal Services Default Session

2003-04-02 Thread Damon R. Erickson
2 remote connections is the limit for remote administration mode. If you want
more connections then you need to move to application mode.

-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Termminal Services Default Session

RE: [ActiveDir] Termminal Services Default Session

2003-04-02 Thread Gil Kirkpatrick
Hi Daniel,

When you use TS for management, you get 2 sessions. AFAIK, if you want more sessions,
you have to start buying additional TS licenses.

-gil

-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Termminal Services Default Session


RE: [ActiveDir] Termminal Services Default Session

2003-04-02 Thread Free, Bob
TS in remote administration mode is limited to 2 remote sessions; add the local
console and you have 3 total.

You could set it up in application mode but I would question having that many people
administering remote servers concurrently. Then you also go down the licensing path.


-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 1:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Termminal Services Default Session


RE: [ActiveDir] OT RIS ISSUE:

2003-04-02 Thread Sullivan, Kevin
There is a switch in the RISetup answer file that can be set to have a
partition created on the first hard drive. I did a quick TechNet search and
couldn't find it. I will continue to look but thought possibly someone may
have the reference.

Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 9:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT RIS ISSUE:

I am currently trying to RIS servers on a testbed and am able to do so,
however I wish to set partition sizes so that the system partition is 10GB,
but RIS seems to just format and utilise ALL the available space even when I
have FDISK'd and set the primary partition size. My thoughts were that if I
FDISK'd and set the partition size RIS would format the partition as NTFS
and away we go... any feedback would be appreciated.

James