RE: [ActiveDir] W2K3 with W2K2

2004-07-22 Thread Jacob Stabl
So what I am hearing is that I can go ahead and put the Windows 2003 server
in place after I run adprep /forestprep and adprep /domainprep.  I
understand I will not have all the capabilities of W2K3, but that's not what
I am concerned about.  I just want to have that box in place so that when I
do decide to update, a W2K3 server is already in place.


--
Jake

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 22, 2004 2:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2

The Win2K3 will have to get the roles, at least the PDCE and the Domain
Naming master roles, otherwise your domain will not function correctly 

This is not correct - the domain will still function perfectly well, but you
won't be able to leverage some of the new features of Win2k3, which you'll
only get after you've transferred those roles (e.g. Application Partitions,
new well-known-security-principals and groups, Quota container etc.).

However, you won't have a chance to add a 2003 DC to the 2000 domain prior
to prepping it with the 2003 schema and domain updates (ADPREP) - see other
reply with link to KB.  So in a way Windows 2003 will have to take over the
domain since you need to plan your schema update carefully.  Still, you can
stick to your 2000 DCs and FSMO role holders until you feel comfortable to
move them.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2

Let's agree that there is no PDC/BDC concept. Now, if all you want to do is
get your Domain ready for when you will eventually move to 2003, then you
should just run the adprep /forestprep and adprep /domainprep in your domain
and wait. IF you want to get a win2K3 DC into the Domain now, then there is
this concept called WITO (hello, Joe :)). It's the Walk In, Take Over
principle. The Win2K3 will have to get the roles, at least the PDCE and the
Domain Naming master roles, otherwise your domain will not function
correctly, and many of the benefits of a Win2K3 Domain will NOT be available
to you. I have been able to get a win2K3 DC to install successfully into a
test domain without transferring the roles or upgrading the DC that
originally has these roles, but what I've heard and read is that is not
something you want to do in a production environment.
 
The people who taught me that (and wrote the book on that) are on this list.
They may be able to explain further.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jacob Stabl
Sent: Wed 7/21/2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K3 with W2K2



I know this issue has been talked about before, but searching through some
old posts in my inbox I didn't find the exact answer I was looking for.

Is there a problem in joining a Windows 2003 server as the BDC in a
Windows 2000 network?  Will there be any problems or unavailable features?
I don't want Windows 2003 to take over the domain.  The reason for doing this
is so next year, if I decide to upgrade the domain to Windows 2003, it will be
easier; I just move roles and such to that server.  In my simple mind this
all makes sense.  Any suggestions?

Thanks

--
Jacob Stabl
Network Engineer
Plain Local Schools
http://eagle.stark.k12.oh.us
Work: 330.492.3500 x.383
Cell: 330.495.7243

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


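As an added example (not part of the thread), a PowerShell check an admin can run from any domain member before promoting the 2003 box: it reads the schema version that adprep /forestprep writes and lists the current FSMO role holders, which bears out Guido's point that the prep is mandatory while the roles can stay on the Windows 2000 DCs. It assumes only ADSI and read access to the directory; the DomainUpdates container check is an assumption about where domainprep records its work.

```powershell
# Added example, not from the list thread. Reports whether the forest/domain
# have been prepped for Windows Server 2003 and which DCs hold the FSMO roles.
# Assumes: plain ADSI (no extra modules) and read access to the directory.

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value

# Schema objectVersion as set by adprep /forestprep:
# 13 = Windows 2000, 30 = Windows Server 2003, 31 = Windows Server 2003 R2.
$schemaVersion = [int]([ADSI]"LDAP://$schemaNc").objectVersion.Value

# adprep /domainprep records the operations it applied under this container
# (assumption: container layout as created by the Windows Server 2003 adprep).
$domainPrepDone = [ADSI]::Exists("LDAP://CN=Operations,CN=DomainUpdates,CN=System,$domainNc")

function Get-FsmoHolder {
    param([string]$ObjectDn)
    # fSMORoleOwner holds the DN of the owner's NTDS Settings object:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $owner = ([ADSI]"LDAP://$ObjectDn").fSMORoleOwner.Value
    if (-not $owner) { return '<unknown>' }
    return (($owner -split ',')[1] -replace '^CN=', '')
}

# Object that carries the fSMORoleOwner attribute for each of the five roles.
$roles = [ordered]@{
    'Schema master'         = $schemaNc
    'Domain naming master'  = "CN=Partitions,$configNc"
    'PDC emulator'          = $domainNc
    'RID master'            = 'CN=RID Manager$,CN=System,' + $domainNc
    'Infrastructure master' = "CN=Infrastructure,$domainNc"
}

"Schema objectVersion : $schemaVersion"
"domainprep applied   : $domainPrepDone"
foreach ($role in $roles.Keys) {
    "{0,-22}: {1}" -f $role, (Get-FsmoHolder -ObjectDn $roles[$role])
}

if ($schemaVersion -lt 30) {
    Write-Warning 'Schema is still at the Windows 2000 level: run adprep /forestprep on the schema master, then adprep /domainprep, before promoting a Windows Server 2003 DC.'
} elseif (-not $domainPrepDone) {
    Write-Warning 'Forest is prepped but this domain is not: run adprep /domainprep on the infrastructure master.'
} else {
    'Directory is prepared; a Windows Server 2003 DC can be promoted without moving any FSMO role.'
}
```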


[ActiveDir] Display specifier dsa.msc

2004-07-22 Thread Olivier BATARD

Hello,

I want to migrate a NT4 domain to 2003.

I need to display the attribute employee-number in dsa.msc, on the user's
properties. With a display specifier? Do I need to create a DLL?

How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex


RE: [ActiveDir] Summer Maintenance

2004-07-22 Thread Jacob Stabl
Maybe I am being ignorant, but can I use sysprep if I have specialized
software that I want to have on my master image?
 
 

-- 
Jake 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 21, 2004 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance


Please explain the reasoning here. Running newsid does not constitute
running sysprep.
 
--Brian

-Original Message- 
From: Jared Manhat [mailto:[EMAIL PROTECTED] 
Sent: Wed 7/21/2004 4:00 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Summer Maintenance



Yes, just use Ghost and run Sysinternals NewSID on each pc... BEFORE ADDING
IT TO THE DOMAIN.

http://www.sysinternals.com/ntw2k/source/newsid.shtml

 

Jared Manhat 
Systems Administrator 
Accutest Laboratories 
2235 Route 130 
Dayton, NJ 08810 
(732) 329-0200 x254 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Wednesday, July 21, 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

 

I have heard of using sysprep along with Ghost.  From what I have read,
sysprep just does the OS and allows for different configurations.  If I am
doing a lab that has special software and the same hardware config, is it
not better to just use Ghost after the master computer has been configured?

 

-- 
Jake 

 

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of
Norton ghost.  It goes slower but it won't bog down the network.  Also, make
sure your hop count is set correctly. 

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

 

We tend to do them in blocks of max 30 because it's more manageable (and
most rooms don't have more than that many computers!)

 

I've done it enough times now to know that although we shouldn't have to get
involved with boot floppies sometimes things just don't go the way you plan
:-)

 

Not sure why Ghost does cause the network problems you describe but I know
it does and we just plan round it - making sure no-one's trying to do
anything important at the same time etc.

 

Steve

 




From: Brian Desmond [mailto:[EMAIL PROTECTED] 
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am
(all Cisco 2900XL series switches with fiber links to a 4005 series backbone
switch). The multicast slows to a crawl, as does other network traffic.

 

--Brian Desmond

[EMAIL PROTECTED]

Payton on the Web!  http://www.wpcp.org

 

v: 773.534.0034 x135

f: 773.534.0035

 

 




From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of
Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

 

If you're multicasting, network congestion shouldn't be an issue (assuming that
you are putting the same image on all machines), right? Or am I missing
something here?

 




From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be
prepared to have a handful of them screw up and need reimaging with a floppy
disk. Also, don't think of doing em all at once. 100 - 150 is enough to
saturate your network.

 

--Brian

-Original Message- 
From: Steve Rochford [mailto:[EMAIL PROTECTED] 
Sent: Fri 7/16/2004 8:08 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are
powered up, the admin will type in each unique computer name and walk
away."

We're re-imaging about 1000 student computers this summer and I'm not
intending to go anywhere near most of them so typing in anything is a
no-no! As others have said, Ghost will happily rename and join to the
domain and it will also work with sysprep so you can have the best of
both worlds :-)

Steve

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the
*only* supported way of using imaged workstations on a network.  Look
into it if you haven't used it.  I find it quite simple to use and
extremely effective.  The sysprep process can be automated.  I typically
find it most useful to automate all of the mini-setup answers except for
computer name.  The result is that as the imaged 
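As an added example (not from the thread) of why Brad's "sysprep is the only supported way" and Jared's "NewSID before joining the domain" matter: a PowerShell script that finds cloned PCs still sharing a machine SID because the image went out without either. The host names are constructed samples, and WMI/DCOM access to each host is assumed.

```powershell
# Added example, not from the list thread. Detects workstations that were
# cloned from one image and still share a machine SID. Assumes WMI access to
# each host and the right to enumerate its local accounts.
param(
    [string[]]$ComputerName = @('PC01', 'PC02', 'PC03')   # constructed sample names; '.' = this host
)

function Get-MachineSid {
    param([string]$Computer)
    # The built-in local Administrator is always <machine SID>-500, even when
    # renamed, so stripping the final RID gives the machine SID.
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $Computer `
        -Filter "LocalAccount = TRUE AND SID LIKE 'S-1-5-21-%-500'" -ErrorAction Stop |
        Select-Object -First 1
    if (-not $acct) { throw "No RID-500 local account found on $Computer" }
    return ($acct.SID -replace '-500$', '')
}

$results = foreach ($c in $ComputerName) {
    try {
        [pscustomobject]@{ Computer = $c; MachineSid = (Get-MachineSid -Computer $c); Error = $null }
    } catch {
        [pscustomobject]@{ Computer = $c; MachineSid = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Any SID shared by two or more hosts came from an image that was neither
# sysprepped nor run through NewSID before the machines were joined.
$dupes = $results | Where-Object MachineSid | Group-Object MachineSid | Where-Object Count -gt 1
if ($dupes) {
    Write-Warning 'Duplicate machine SIDs found:'
    $dupes | ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group.Computer -join ', ') }
} else {
    'No duplicate machine SIDs among the hosts checked.'
}
```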

[ActiveDir] How to restrict access to event viewer

2004-07-22 Thread JCARROS



Hi,

Can you share your experiences about how to restrict access to Event Viewer
to only one group? Local and remote access?

Thanks.


RE: [ActiveDir] Summer Maintenance

2004-07-22 Thread Rutherford, Robert



Yep... Sysprep just takes care of the base, unique Windows side of things.

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: 22 July 2004 14:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant, but can I use sysprep if I have specialized
software that I want to have on my master image?

--
Jake
  
  
  

RE: [ActiveDir] Summer Maintenance

2004-07-22 Thread Rutherford, Robert



You should of course test it anyway, post-sysprep, to ensure.

  
-Original Message-
From: Rutherford, Robert
Sent: 22 July 2004 15:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Yep... Sysprep just takes care of the base, unique Windows side of things.
  


RE: [ActiveDir] Summer Maintenance

2004-07-22 Thread Robert N. Leali
Most likely the answer is yes, speaking from experience in a K-12 setting.
What is the specialized software? Why not roll out the software as an MSI
file using group policies?



Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 7:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant, but can I use sysprep if I have specialized
software that I want to have on my master image?

--
Jake

[ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rocky Habeeb
People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-




RE: [ActiveDir] Display specifier dsa.msc

2004-07-22 Thread Nicolas Blank
Cannot do this with Display specifier, you will have to create your own
DLL to do this and register on every machine you want the extension to
be visible.

Have a look in the archive for this list for some detailed posts on
this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivier BATARD
Sent: 22 July 2004 03:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Display specifier dsa.msc


Hello,

I want to migrate a NT4 domain to 2003.

I need to display the attribute employee-number in dsa.msc, on the user's
properties. With a display specifier? Do I need to create a DLL?

How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rutherford, Robert
1) The easiest way to see would have been to test it - the answer is
they would see the accounts and granted permissions.
2) I'm not sure what you mean? What is a standard? There isn't really one,
as it depends on the environment. A good rule is of course not to give
everybody full control and not to use deny, as it complicates things. If
you want to be precise about what you want to achieve, I'm sure we
could help.

BR

Rob

-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED] 
Sent: 22 July 2004 15:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account


People,

OK, I know you guys are the Experts and I know MS says, rename it, but
tell me the answer to these questions please.  Let's say you run NTFS
permissions on your local PCs.  Let's say your standards are (for EVERY
FILE/FOLDER OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-


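As an added example (not part of the thread), a PowerShell script that shows what Rob's answer to question [1] rests on: NTFS stores each ACE by SID, the SID is resolved to whatever the account is currently called, and the built-in Administrator stays recognisable by RID 500 whatever its name. The folder path is an assumption.

```powershell
# Added example, not from the list thread. Lists the ACEs on a folder in the
# form NTFS actually stores them (SIDs) next to the name each SID resolves to
# today, and flags the built-in Administrator by its RID rather than its name.
param([string]$Path = 'C:\Data')   # assumption: an existing folder to inspect

function Get-AceReport {
    param([string]$Target)
    $acl = Get-Acl -Path $Target
    # Request the rules with SecurityIdentifier identities instead of NTAccount
    # names, so we see the stored form rather than Explorer's resolved view.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid  = $ace.IdentityReference
        $name = '<unresolved>'   # e.g. a deleted account or a domain not reachable now
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid            = $sid.Value
            ResolvesTo     = $name                       # current name, even after a rename
            IsBuiltinAdmin = ($sid.Value -match '^S-1-5-21-\d+-\d+-\d+-500$')
            Rights         = $ace.FileSystemRights
            Type           = $ace.AccessControlType
            Inherited      = $ace.IsInherited
        }
    }
}

$report = Get-AceReport -Target $Path
$report | Format-Table -AutoSize

# Anything granted to the RID-500 account follows the account, not the label:
# renaming "Administrator" changes only the ResolvesTo column above.
$admin = $report | Where-Object IsBuiltinAdmin
if ($admin) {
    "Built-in Administrator (RID 500) is currently shown as: " + ($admin.ResolvesTo | Select-Object -Unique)
}
```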


[ActiveDir] AD and WINS

2004-07-22 Thread Rosales, Mario
Is there a way to restrict access to WINS like DNS in Server 2003?

For example, if we want the DNS admins to administer the WINS servers, how
do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario




RE: [ActiveDir] AD and WINS

2004-07-22 Thread Depp, Dennis M.
I believe access to WINS requires local admin access.   To allow them to
administer WINS, they will have to be a local admin on the box where
WINS is running.

Denny



RE: [ActiveDir] AD and WINS

2004-07-22 Thread Rutherford, Robert
I think Server op will do it.



RE: [ActiveDir] Possible OT: Network boot disk with windows 2003.

2004-07-22 Thread ddh
Barts is the best, especially on CD :)

 Clyde,
 
 Check out www.bootdisk.com.  Under the Network boot disks give Barts a shot.
 It's pretty good and customizable.
 
 Dave
 
 --
 David J. Perdue
 MCSE 2000, MCSE NT, MCSA, MCP+I
 Network Security Engineer, InDyne Inc
 Comm: (805) 606-4597  DSN: 276-4597
 [EMAIL PROTECTED]
 --
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Burns, Clyde
 Sent: Wednesday, July 21, 2004 6:38 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Possible OT: Network boot disk with windows 2003.
 
 Does anyone know of a way to get a DOS network boot diskette to authenticate
 in a windows 2003 AD domain short of disabling the following on the DC's
 local policy?
 
 Domain Member: Digitally encrypt or sign secure channel data (always)
 Microsoft network server: Digitally sign communication (always)
 
 Thanks
 Clyde Burns
 


RE: [ActiveDir] Display specifier dsa.msc

2004-07-22 Thread Frost . David
If all you want to do is View the attribute in ADUC's Right pane as a
column, you can with display specifies.  Start with this link to add the
column

http://msdn.microsoft.com/library/en-us/ad/ad/modifying_existing_user_interfaces.asp?frame=true

If you need to be able to modify it, you can create a new property page COM
object (harder) or add an entry to the context menu when you right click on
it (Easier). 

Check out Chapter 24 of the O'Reilly Active Directory 2nd edition book for a
good overview of how to do it by integrating a simple script into the
context menu.  The combination of the display column and the context menu
script may give you a cheap and cheerful way of accomplishing what you want.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Thursday, July 22, 2004 10:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Display specifier dsa.msc

Cannot do this with Display specifier, you will have to create your own DLL
to do this and register on every machine you want the extension to be
visible.

Have a look in the archive for this list for some detailed posts on this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivier BATARD
Sent: 22 July 2004 03:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Display specifier dsa.msc


Hello,

I want to migrate a NT4 domain to 2003.

I need to display the attribute employee-number in dsa.msc, on the user's
properties. With a display specifier? Do I need to create a DLL?

How can I do that ?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management, SIGMA
Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Adams, Kenneth W (Ken)
I'll answer the second question first:  When assigning NTFS permissions
to resources, I select the local Administrators group and the local
System account with Full Control.  I then select the appropriate control
group or groups, or individual accounts (domain accounts) and set them
with the appropriate permissions.  I NEVER set control groups or
individuals with Full Control.  The highest permissions they get is
Modify when appropriate.  That prevents them from removing the local
Administrators and/or System account (which breaks backup and recovery
processes).

For the first question, the users see the permissions for all accounts
that are permitted on the resource IF they see the security tab.  With
some share connections, users don't see the security tab, so they can't
see the permissions at all.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account


People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-




RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rocky Habeeb
Rob,

We set permissions on our Users PCs according to Trusted Systems Services
Windows NT Security Guidelines developed for the NSA in 1999.  We run in a
moderate to severe lockdown.  We open up NTFS permissions only as much as is
needed for Users to operate.  As such, any User can open up Windows Explorer
and click Security and look at the Security NTFS permission structure of any
file and folder on their PC.  Maybe they can adjust it, maybe not.  It
depends on how we set it.

If we rename the Domain Admin account to JohnDoe and then create a bogus
account called Administrator, obviously, when we go set permissions on a
system, we are not going to select the Administrator account when we
actually need the Domain Admin to have Full Control to that object.  And I'm
not going to select JohnDoe and grant him Full Control as that pretty much
tells people where the Domain Admin account is.  So what do you do?

I need DAs to have FC.  What do I select?  How do I keep the User from
immediately seeing where the DA account is.  As far as testing it, forget
it.  Ten years ago, I renamed the DA account on a Windows NT 4.0 domain.  I
could not get back in.  I had to rebuild the domain, albeit a small one of
less than 100 Users, from scratch, and I swore I would never do it again.

Now convince me to do it.

RH



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


1) The easiest way to see would have been to test it - the answer is
they would see the accounts and granted permissions.
2) I'm not sure what you mean? What is a standard? There isn't really one
as it depends on the environment. A good rule is of course not to give
everybody full control and not to use deny as it complicates things. If
you want to be precise with what you want to achieve, I'm sure we
could help.

BR

Rob



Re: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Tony Murray
The admin tools resolve the SID to the friendly name for you.  In other words, you're 
not actually working with the friendly names when viewing or assigning permissions, 
but this is how it appears to you.

Tony


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Fuller, Stuart
Umm...

In the default install NTFS permissions are set up via GROUP ACEs instead
of the individual ACE for the local administrator account.  If you look at
the NTFS permissions on %systemroot%\system32 you will see permissions only
for GROUPS not individual accounts (e.g. Administrators, Creator Owner,
Power Users, System, Users).

Also remember that the ACE is actually a stamp with the SID of the group or
user.  The GUI and OS actually do the translation of the SID to the friendly
display name. For example the well known SID of the local administrator
account is S-1-5-domain/workstation SID-500. (See
http://support.microsoft.com/?kbid=243330)  The actual display name of the
account is irrelevant except for us humans, the OS will translate that
display name or login name to the SID when checking permissions.  

When you rename the local administrator account nothing happens except for
changing the effective display name and the name that us humans use to log
in with.  The SID still stays the same and all of the permissions are the
same. 

So for your questions...

1. IF you have ACL'd things with the actual Admin account instead of groups,
what is displayed to the user in the GUI is the display name of the Admin
account.  If you have renamed the Admin account then the renamed display
name is what is shown (e.g. Administrator = Admin).

2. What are you asking here?? If as an admin you want to permission the
local Admin account to the folder then this is a bad idea.  Use groups
instead of individual accounts.  If you actually need to do this then what
you will pick in the GUI is the renamed admin account (e.g. Admin).

-Stuart Fuller



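Stuart's and Tony's point, that an ACE stores a SID and the ACL editor only translates it to a display name at view time, can be checked without touching Windows. The following is an added example, not code from the thread: it parses a constructed SDDL DACL string against a constructed SID-to-name table (the domain SID is made up), renames the RID 500 account in that table, and shows that the ACEs are unchanged, that the new name is what a viewer sees, and that an ACE granted to the Domain Admins group instead (Tony's advice) reveals no individual account.

```python
"""Added example, not from the list thread: ACEs hold SIDs, not names.

Models Stuart Fuller's and Tony Murray's explanation with a constructed
SDDL string and a constructed SID-to-name table.  No Windows API is used,
so it runs anywhere; the domain SID below is made up.
"""
import re

# Constructed sample domain SID (not a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed lookup table standing in for LSA name resolution: what the
# ACL editor would display for each SID.
ACCOUNTS = {
    DOMAIN_SID + "-500": "Administrator",  # built-in admin account, RID 500
    DOMAIN_SID + "-512": "Domain Admins",  # well-known group, RID 512
    "S-1-5-32-544": "Administrators",      # BUILTIN\Administrators
    "S-1-5-18": "SYSTEM",
    "S-1-1-0": "Everyone",
}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid).  Only
# plain allow/deny ACEs without object GUIDs are modelled here.
ACE_RE = re.compile(
    r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<rights>[^;]*);;;(?P<sid>[^)]+)\)")


def parse_dacl(sddl):
    """Return [(ace_type, rights, sid), ...] from a DACL SDDL string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string beginning with D:")
    return [(m.group("type"), m.group("rights"), m.group("sid"))
            for m in ACE_RE.finditer(sddl)]


def is_builtin_administrator(sid):
    """True for the built-in Administrator of a domain or workstation:
    S-1-5-21-<three sub-authorities>-500, whatever it is currently named."""
    parts = sid.split("-")
    return sid.startswith("S-1-5-21-") and len(parts) == 8 and parts[-1] == "500"


def render(dacl, name_table):
    """Show the ACL the way the GUI does: SIDs replaced by display names,
    unresolvable SIDs left raw (the 'S-1-5-...' shown for deleted accounts)."""
    return [(t, r, name_table.get(sid, sid)) for t, r, sid in dacl]


def rename_account(name_table, sid, new_name):
    """Renaming changes only the name bound to the SID; the SID is untouched,
    so every ACE that references it keeps working unchanged."""
    renamed = dict(name_table)
    renamed[sid] = new_name
    return renamed


def exposed_admin_sids(dacl):
    """SIDs in the DACL that point at the RID 500 account.  Any such ACE will
    display the account's current name to whoever can open the Security tab."""
    return [sid for _, _, sid in dacl if is_builtin_administrator(sid)]


# Constructed DACL matching Rocky's standard: Full Control for the admin
# account, local Administrators and SYSTEM; Modify (0x1301bf) for Everyone.
PER_ACCOUNT_SDDL = (
    "D:"
    "(A;;FA;;;" + DOMAIN_SID + "-500)"
    "(A;;FA;;;S-1-5-32-544)"
    "(A;;FA;;;S-1-5-18)"
    "(A;;0x1301bf;;;S-1-1-0)"
)

# Same DACL following Tony's advice: grant the Domain Admins group instead.
GROUP_BASED_SDDL = PER_ACCOUNT_SDDL.replace(DOMAIN_SID + "-500",
                                            DOMAIN_SID + "-512")


def demo():
    dacl = parse_dacl(PER_ACCOUNT_SDDL)
    before = render(dacl, ACCOUNTS)
    after = render(dacl, rename_account(ACCOUNTS, DOMAIN_SID + "-500", "JohnDoe"))
    # The parsed ACEs are identical before and after the rename; only the
    # label changed, and the RID 500 check still finds the account.
    return (before, after, exposed_admin_sids(dacl),
            exposed_admin_sids(parse_dacl(GROUP_BASED_SDDL)))


if __name__ == "__main__":
    before, after, exposed, exposed_group = demo()
    print("as displayed before rename:", before)
    print("as displayed after rename: ", after)
    print("ACEs that reveal the RID 500 account:", exposed)
    print("same DACL with Domain Admins group instead:", exposed_group)
```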

RE: [ActiveDir] Summer Maintenance

2004-07-22 Thread Jacob Stabl
MSI is good for some stuff but not for labs that are reimaged a few times a
week.

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, July 22, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Most likely the answer is yes, speaking from experience in a K-12 setting.
What is the specialized software? Why not roll out the software as an msi
file using group policies?

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 7:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant but can I use sysprep if I have specialized
software that I want to have on my master image??

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 21, 2004 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Please explain the reasoning here. Running newsid does not constitute
running sysprep.

--Brian

-Original Message-
From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wed 7/21/2004 4:00 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

Yes, just use Ghost and run Sysinternals NewSID on each pc BEFORE ADDING IT
TO THE DOMAIN.
http://www.sysinternals.com/ntw2k/source/newsid.shtml

Jared Manhat
Systems Administrator
Accutest Laboratories
2235 Route 130
Dayton, NJ 08810
(732) 329-0200 x254

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Wednesday, July 21, 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I have word of using sysprep along with Ghost. From what I have read sysprep
is just do the OS and allows for different configurations. If I am doing a
lab that has special software and the same hardware config, is it not better
to just use ghost after the master computer has been configured?

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of
Norton ghost. It goes slower but it won't bog down the network. Also, make
sure your hop count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and
most rooms don't have more than that many computers!)

I've done it enough times now to know that although we shouldn't have to get
involved with boot floppies sometimes things just don't go the way you plan
:-)

Not sure why Ghost does cause the network problems you describe but I know
it does and we just plan round it - making sure no-one's trying to do
anything important at the same time etc.

Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am
(all Cisco 2900XL series switches with fiber links to a 4005 series backbone
switch). The multicast slows to a crawl, as does other network traffic.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming
that you are putting the same image on all machines), right? Or am I missing
something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be
prepared to have a handful of them screw up and need reimaging with a floppy
disk. Also, don't think of doing em all at once. 100 - 150 is enough to
saturate your network.

--Brian

-Original Message-
From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Fri 7/16/2004 8:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are
powered up, the admin will type in each unique

[ActiveDir] Exceeding the LDAP Look Through Limit

2004-07-22 Thread Steve Brashear








I have a customer who has created an OU and populated it with objects that
have many attributes. He is now encountering this error:

[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026 ]; remaining name 'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan'

Is there a maximum size limitation for user defined objects in AD?

Can that value be modified?

Where would one modify it? Would it be in the LDAP policies/protocols
configuration?

TIA!

Steve

RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Tony Murray
Rocky

You shouldn't actually need to assign permissions directly to the domain Administrator 
account.  Generally the account should be left well alone and only used when 
absolutely necessary.  If you really need to assign permissions to domain 
administrators, use the Domain Admins group instead.

Tony

RE: [ActiveDir] AD and WINS

2004-07-22 Thread Carr, Jonathan (OFT)
You can make a Global security group in the AD called Wins Admins and
then add the group to the local administrators group of the WINS servers
either manually or via a GPO.  Then all you have to do is populate the
AD group with the users.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS


I believe access to WINS requires local admin access.   To allow them to
administer WINS, they will have to be a local admin on the box where
WINS is running.

Denny

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003?

For Example, if we want the DNS admins to Administer the Wins servers,
how do you go about give them access just to WINS administration?

Any help would be appreciate it!

Thanks,
Mario



*** 
 The contents of this communication are intended only for the addressee
and may contain confidential and/or privileged material. If you are not
the intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed
by it.  

*** 



This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the
sender immediately and delete the material from any computer. Unless you
are the intended recipient, you should not copy this e-mail for any
purpose, or disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or
accuracy of this communication as it has been transmitted over a public
network. Whilst the MCPS-PRS Alliance monitors all communications for
potential viruses, we accept no responsibility for any loss or damage
caused by this e-mail and the information it contains.
It is the recipient's responsibility to scan this e-mail and any
attachments for viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored
for quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England
under company number 03444246 whose registered office is at c/o 29-33
Berners Street, London, W1T 3AB.



RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rocky Habeeb
Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing or
assigning permissions, but this is how it appears to you.

Tony
-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Lets say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-



Sent via the WebMail system at mail.activedir.org



RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rutherford, Robert
I apologise, but your question was not that clear to me. 

1) If you want to stop them seeing an account/permissions then the
de-selecting or denying the 'read permissions' advanced permission
should work.

2) Permissions are typically based on group anyway, thus they wouldn't
see the admin name.

Rob



-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED] 
Sent: 22 July 2004 16:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


Rob,

We set permissions on our Users PCs according to Trusted Systems
Services Windows NT Security Guidelines developed for the NSA in 1999.
We run in a moderate to severe lockdown.  We open up NTFS permissions
only as much as is needed for Users to operate.  As such, any User can
open up Windows Explorer and click Security and look at the Security
NTFS permission structure of any file and folder on their PC.  Maybe
they can adjust it, maybe not.  It depends on how we set it.

If we rename the Domain Admin account to JohnDoe and then create a
bogus account called Administrator, obviously, when we go set
permissions on a system, we are not going to select the Administrator
account when we actually need the Domain Admin to have Full Control to
that object.  And I'm not going to select JohnDoe and grant him Full
Control as that pretty much tells people where the Domain Admin account
is.  So what do you do?

I need DAs to have FC.  What do I select?  How do I keep the User from
immediately seeing where the DA account is.  As far as testing it,
forget it.  Ten years ago, I renamed the DA account on a Windows NT 4.0
domain.  I could not get back in.  I had to rebuild the domain, albeit a
small one of less than 100 Users, from scratch, and I swore I would
never do it again.

Now convince me to do it.

RH



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rutherford,
Robert
Sent: Thursday, July 22, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


1) The easiest way to see would have been to test it - the answer is
they would see the accounts and granted permissions.

2) I'm not sure what you mean? What is a standard? There isn't really
one as it depends on the environment. A good rule is of course not to
give everybody full control and not to use deny as it complicates
things. If you can be precise about what you want to achieve, I'm sure
we could help.

BR

Rob

-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 15:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account


People,

OK, I know you guys are the Experts and I know MS says, rename it, but
tell me the answer to these questions please.  Let's say you run NTFS
permissions on your local PCs.  Lets say your standards are (for EVERY
FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain
Admin and System. Modify for Everyone (At least where it is not a
security risk). [1]  What is displayed locally to the User (for Admin
accounts) when they look at NTFS permissions on their file/folder
objects? [2]  What do you as the Admin select in the ACL, when you set
new permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-



[ActiveDir] W2k3 DNS Scalability

2004-07-22 Thread Eric_Jones

Potentially interesting oddity occurred today...

Our primary and secondary Windows 2003 / AD integrated DNS server
services abended at almost the exact same time.  I have custom WMI
monitoring set to auto-restart them, send email, call the president, and
of course...raise the national threat level.

The servers are dedicated AD boxes, so no rogue software or odd config.
The servers are Dell PowerEdge 2560s with 4 GB RAM, 3.06GHz processors
and lots of disk space on a RAID 1 / RAID 5 config.

The reason that I suspect performance / scalability is that when I check
the utilization trend reports, each server was averaging 82 queries/sec.
But surely the servers can handle more.  Heck, the overall CPU
utilization is about 3%.  We have most of the Windows platform using
these two DNS servers, but still have more to go.  Eventually the load
will be distributed among the future AD DCs we will soon have.  But I
was very surprised to see the processes crash.  All other trended
perfmon metrics were well within reason.

Any thoughts?  Anyone perform specific DNS customizations to their
respective dedicated AD DNS servers?

TIA.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com

RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Deji Akomolafe



If you just remember the principle "put users in group, assign permission to group", then you'll remember that neither JohnDoe nor Administrator should show up anywhere in your ACL enumeration. Rather, your ACL will look something like this:

Computername\AdministratorS - F
System - F
etc, etc.

You will NOT need to add the following to the ACL:
ComputerName\Administrator (notice the missing "S")
Domain Admins
Domain\Administrator

Why? First, because by adding Computername\AdministratorS in the first example, you have essentially taken care of the three in second example. "Domain\Administrator" is a member of "Domain Admins", which is a member of Computername\AdministratorS. Likewise, "ComputerName\Administrator" is a member of "Computername\AdministratorS".

Then your fear about your users knowing the name of your Domain Admin account becomes non-existent (although this should have been of no concern in the first place). If anyone looks at the permission on an object, they won't see those 3 listed.

Now, as to how your ACL "may" be messed up by an account rename. You need to remember that an account's name is not THE significant part when ACE/ACL are concerned. It's the account's SID, and this does NOT change, even after you've renamed an account. Your permissions will still persist through a rename.

As to the problem you encountered after renaming a DA, I can only speculate that there was "something else" causing that. I ALWAYS rename my DAs. Been doing it for a while now without running into similar problem.

Are you convinced yet?



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rocky Habeeb
Sent: Thu 7/22/2004 8:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Rob,

We set permissions on our Users PCs according to Trusted Systems Services
Windows NT Security Guidelines developed for the NSA in 1999.  We run in a
moderate to severe lockdown.  We open up NTFS permissions only as much as is
needed for Users to operate.  As such, any User can open up Windows Explorer
and click Security and look at the Security NTFS permission structure of any
file and folder on their PC.  Maybe they can adjust it, maybe not.  It
depends on how we set it.

If we rename the Domain Admin account to "JohnDoe" and then create a bogus
account called "Administrator", obviously, when we go set permissions on a
system, we are not going to select the "Administrator" account when we
actually need the Domain Admin to have Full Control to that object.  And I'm
not going to select "JohnDoe" and grant him Full Control as that pretty much
tells people where the Domain Admin account is.  So what do you do?

I need DAs to have FC.  What do I select?  How do I keep the User from
immediately seeing where the DA account is.  As far as testing it, forget
it.  Ten years ago, I renamed the DA account on a Windows NT 4.0 domain.  I
could not get back in.  I had to rebuild the domain, albeit a small one of
less than 100 Users, from scratch, and I swore I would never do it again.

Now convince me to do it.

RH




[ActiveDir] W2k3 DNS Scalability - More NFO

2004-07-22 Thread Eric_Jones

Potentially interesting oddity occurred today...

Our primary and secondary Windows 2003 / AD integrated DNS server
services abended at almost the exact same time with the following error
message in the eventlog:

Reporting queued error: faulting application dns.exe, version
5.2.3790.0, faulting module msvcrt.dll, version 7.0.3790.0, fault
address 0x000351e4.

I have custom WMI monitoring set to auto-restart DNS, send email, call
the president, and of course...raise the national threat level.  The
servers are dedicated AD boxes, so no rogue software or odd config.  The
servers are Dell PowerEdge 2560s with 4 GB RAM, 3.06GHz processors and
lots of disk space on a RAID 1 / RAID 5 config.

The reason that I suspect performance / scalability is that when I check
the utilization trend reports, each server was averaging 82 queries/sec.
But surely the servers can handle more.  Heck, the overall CPU
utilization is about 3%.  We have most of the Windows platform using
these two DNS servers, but still have more to go.  Eventually the load
will be distributed among the future AD DCs we will soon have.  But I
was very surprised to see the processes crash.  All other trended
perfmon metrics were well within reason.

Any thoughts?  Anyone perform specific DNS customizations to their
respective dedicated AD DNS servers?

TIA.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com

RE: [ActiveDir] AD and WINS

2004-07-22 Thread Depp, Dennis M.
Do they have to be local Admins, or will Server op work as well?

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan
(OFT)
Sent: Thursday, July 22, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and
then add the group to the local administrators group of the WINS servers
either manually or via a GPO.  Then all you have to do is populate the
AD group with the users.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS


I believe access to WINS requires local admin access.   To allow them to
administer WINS, they will have to be a local admin on the box where
WINS is running.

Denny

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003?

For example, if we want the DNS admins to administer the WINS servers,
how do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario





RE: [ActiveDir] Exceeding the LDAP Look Through Limit

2004-07-22 Thread Cotter, Paul M.



By the looks of this - he's getting the error when doing an LDAP query,
correct? The Admin limit limits the number of results that are returned
in a query, I believe the default is 1000 in w2k and 1500 in w2k3. I
think this is the error you're seeing.

If you need to retrieve more than this number, you need to use paged
results. Search MSDN for "LDAP paged results" for more info.

Paul Cotter
Microsoft MVP - MIIS 2003

~nodisc.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear
Sent: Thursday, July 22, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exceeding the LDAP Look Through Limit

I have a customer who has created an OU and populated it with objects
that have many attributes. He is now encountering this error:

"[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008
(ADMIN_LIMIT_EXCEEDED), data -1026]; remaining name
'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan'"

Is there a maximum size limitation for user defined objects in AD?
Can that value be modified?
Where would one modify it? Would it be in the LDAP policies/protocols
configuration?

TIA!
Steve



RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rutherford, Robert
Well there is... Not much but you may as well. It just makes it that
little bit more difficult for the novice hacker/opportunist shoulder
surfer.

-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED] 
Sent: 22 July 2004 16:53
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing
or assigning permissions, but this is how it appears to you.

Tony
-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but
tell me the answer to these questions please.  Let's say you run NTFS
permissions on your local PCs.  Lets say your standards are (for EVERY
FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain
Admin and System. Modify for Everyone (At least where it is not a
security risk). [1]  What is displayed locally to the User (for Admin
accounts) when they look at NTFS permissions on their file/folder
objects? [2]  What do you as the Admin select in the ACL, when you set
new permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-




RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Passo, Larry
You are confusing several different user/group objects:

1. The domain account named Administrator
2. The domain group named Domain Admins
3. The local account named Administrator
4. The local group named Administrators (note the s at the end)

The security guidelines say that you should rename numbers 1 and 3
above.

Default configuration for a domain has:
1. The domain account Administrator is a member of the domain group
Domain Admins
2. The domain group Domain Admins is a member of the local group
Administrators (with the s) on each domain member.

You could then use the local group Administrators to grant the
appropriate NTFS permissions to files/folders. Users that then looked at
the NTFS permissions would only see the group name.

However, for the more technically savvy people out there, renaming the
local Administrator account is not foolproof since it has a well-known
SID. The built-in Administrator account is the only one that ends in
-500.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing
or assigning permissions, but this is how it appears to you.

Tony
-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but
tell me the answer to these questions please.  Let's say you run NTFS
permissions on your local PCs.  Lets say your standards are (for EVERY
FILE/FOLDER OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when
they look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-


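Added example, not code from any poster in this thread: a PowerShell script that shows the two points made in the replies above. First, NTFS ACEs are stored as SIDs and the Security tab only translates them to names afterwards, so renaming an account changes nothing in the ACL (Dèjì's point). Second, the built-in Administrator keeps the well-known RID 500 whatever it is renamed to, so anyone who can resolve SIDs can still find it (Larry's caveat). Assumptions: it runs on a domain member under a domain account, so that $env:USERDOMAIN is the domain rather than the computer name; the folder in the usage line is arbitrary; the function names are mine.

```powershell
# Added example for the "Renaming The Admin Account" thread; not code from the posters.
# Assumes a domain-joined machine and a domain logon ($env:USERDOMAIN = NetBIOS domain).

function Get-AclAsStored {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for the rules keyed by SecurityIdentifier: this is what is actually on disk.
    # The Name column is a separate lookup, exactly what the Security tab does for you.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $name = '<unresolvable>'
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid       = $ace.IdentityReference.Value
            Name      = $name
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

function Get-BuiltinAdministrator {
    # Local machine: WQL can filter on the SID suffix, so the account's current name is irrelevant.
    $local = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"

    # Domain: derive the domain SID from a well-known group (Domain Admins is always <domain SID>-512),
    # append RID 500, and resolve that SID back to whatever name it carries today.
    $da        = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")
    $domainSid = $da.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier("$($domainSid.Value)-500")

    [pscustomobject]@{
        LocalAdminSid   = $local.SID
        LocalAdminName  = $local.Name
        DomainAdminSid  = $adminSid.Value
        DomainAdminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
    }
}

# Usage (the folder is an arbitrary choice; any readable folder works):
Get-AclAsStored -Path 'C:\Windows' | Format-Table -AutoSize
Get-BuiltinAdministrator
```

Run it before and after renaming the account: the Sid column of the first table and the DomainAdminSid value do not move, only the Name column does. That is also why the rename is at best a speed bump for anyone who can call LookupAccountSid; the real control is what you grant to BUILTIN\Administrators and Domain Admins, not what the account is called.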


RE: [ActiveDir] Exceeding the LDAP Look Through Limit

2004-07-22 Thread Eric Fleischman








I could probably tell you which admin limit you're exceeding if you tell
me the OS version & service pack level.

Most admin limits are there to protect perf of the box & prevent DoS
attacks. Better than changing the limits would be to change the query to
use LDAP RFC compliant ways of performing the action w/o changing
limits. For example, if the limit is # of objects returned per page,
rather than using a huge page you'd do a paged search.

So the questions that would be of interest:

1) OS and service pack level
2) What is the action being performed (as an example, if this is a
search, baseDN + scope + filter)

Thanks!

~Eric













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear
Sent: Thursday, July 22, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exceeding the LDAP Look Through Limit

I have a customer who has created an OU and populated it with objects
that have many attributes. He is now encountering this error:

[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008
(ADMIN_LIMIT_EXCEEDED), data -1026]; remaining name
'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan'

Is there a maximum size limitation for user defined objects in AD?

Can that value be modified?

Where would one modify it? Would it be in the LDAP policies/protocols
configuration?

TIA!

Steve
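Added example, not code from Paul, Eric or Steve: a PowerShell script that does what both replies recommend, namely read the LDAP administrative limits the DC actually enforces (from the default query policy in the configuration partition) and run the search with the paged-results control instead of raising any limit. Assumptions: it runs on a domain member that can reach a DC; the search base in the usage line is the OU named in the original error; it uses System.DirectoryServices so no AD module is needed; function names are mine.

```powershell
# Added example for the "Exceeding the LDAP Look Through Limit" thread; not code from the posters.
# Assumes a domain-joined machine with LDAP access to a DC.

function Get-LdapAdminLimits {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    # The default query policy holds the limits as 'Name=Value' strings
    # (MaxPageSize, MaxValRange, MaxTempTableSize, ...). This is what ntdsutil "LDAP policies" reads.
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $policy   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$policyDn")
    foreach ($limit in $policy.Properties['lDAPAdminLimits']) {
        $name, $value = [string]$limit -split '=', 2
        [pscustomobject]@{ Limit = $name; Value = [int]$value }
    }
}

function Search-AdPaged {
    param(
        [Parameter(Mandatory)][string]$SearchBase,       # distinguished name of the base
        [string]$Filter = '(objectClass=*)',
        [string[]]$Properties = @('distinguishedName'),
        [int]$PageSize = 500                             # keep at or below the DC's MaxPageSize
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Properties)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    # A non-zero PageSize makes the searcher send the RFC 2696 paged-results control and
    # pull page after page, so the total can exceed MaxPageSize with no policy change at all.
    $searcher.PageSize = $PageSize
    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            $row = [ordered]@{}
            foreach ($p in $Properties) { $row[$p] = @($r.Properties[$p.ToLower()]) }
            [pscustomobject]$row
        }
    } finally {
        if ($results) { $results.Dispose() }
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage (search base taken from the error in the original post):
Get-LdapAdminLimits | Where-Object { $_.Limit -in @('MaxPageSize', 'MaxValRange', 'MaxTempTableSize') }
$all = Search-AdPaged -SearchBase 'OU=Subscriptions,DC=jupiter,DC=lan' -Filter '(objectClass=*)'
"Objects returned: $($all.Count)"
```

Two caveats a practitioner would want. First, paging only helps when the limit hit is the number of entries per page (MaxPageSize); if the DC is refusing a single object because one multi-valued attribute exceeds MaxValRange, the remedy is attribute range retrieval (member;range=0-1499 and so on), which this example does not implement. Second, the same limits are visible without scripting from a DC with ntdsutil: "LDAP policies", connections, "connect to server <dc>", q, "show values".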


[ActiveDir] GP is denying shortcuts.

2004-07-22 Thread Jared Manhat
I have created a Software Restriction Policy which is Disallow by default. I have created my additional rules to allow the paths to programs I want to run (ie: C:\Program Files\Microsoft Office). The Enforcement properties are to restrict all software except libraries, and I have removed LNK & MDB from the Designated File Types.

When a user logs in and tries to open a link to an allowed app they receive the message "C:\Program Files\ Windows cannot open this program because it's being blocked", but when they drill down to the install directory they CAN run the allowed program.

This happens with links on their Desktop, Taskbar and some in the Start Menu.

Anyone have any ideas or ever see this before?

Thanks

Jared Manhat
Systems Administrator
Accutest Laboratories
2235 Route 130
Dayton, NJ 08810
(732) 329-0200 x254
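Added example, not Jared's own code: a PowerShell script that dumps the Software Restriction Policy exactly as it landed in the client's registry (default level, scope, the Designated File Types list and every path rule) and then reports, for a given file, whether its extension is still a designated type and which path rule is the most specific match. The first thing to confirm on an affected PC is whether LNK really is gone from the list the client holds, since a GPO edit that has not refreshed looks identical from the server side. Assumptions: the policy is machine-scoped (HKLM); the evaluator below handles path rules only, not hash, certificate or zone rules, and skips registry-path rules; the two file paths in the usage lines are hypothetical.

```powershell
# Added example for the "GP is denying shortcuts" post; not code from the poster.
# Assumes an SRP has been applied to the machine (HKLM policy key present).

$SaferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferPolicy {
    $ci = Get-ItemProperty -Path $SaferRoot
    # Each security level has its own subkey; path rules live under <level>\Paths\{guid}\ItemData.
    $rules = foreach ($level in $LevelNames.Keys) {
        $pathsKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level = $LevelNames[$level]
                # Registry-path rules look like %HKEY_LOCAL_MACHINE\...%; file-path rules may use %SystemRoot% etc.
                Path  = [Environment]::ExpandEnvironmentVariables([string]$item.ItemData)
            }
        }
    }
    $scope = if ($ci.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
    [pscustomobject]@{
        DefaultLevel    = $LevelNames[[int]$ci.DefaultLevel]
        PolicyScope     = $scope
        ExecutableTypes = @($ci.ExecutableTypes)     # the 'Designated File Types' list as the client has it
        PathRules       = @($rules)
    }
}

function Test-SaferPath {
    param([Parameter(Mandatory)][string]$FilePath, $Policy = (Get-SaferPolicy))
    $ext = [IO.Path]::GetExtension($FilePath).TrimStart('.').ToUpper()
    # Simplified precedence: the longest matching file-path rule wins, otherwise the default level.
    $match = $Policy.PathRules |
        Where-Object { $_.Path -notlike '%HKEY*' -and $FilePath.StartsWith($_.Path, 'OrdinalIgnoreCase') } |
        Sort-Object { $_.Path.Length } -Descending |
        Select-Object -First 1
    $matchedRule = if ($match) { $match.Path } else { '<none: default level applies>' }
    $level       = if ($match) { $match.Level } else { $Policy.DefaultLevel }
    [pscustomobject]@{
        File           = $FilePath
        DesignatedType = ($ext -in $Policy.ExecutableTypes)
        MatchedRule    = $matchedRule
        Level          = $level
    }
}

# Usage (file paths are hypothetical; substitute the shortcut and target that fail for you):
$policy = Get-SaferPolicy
$policy | Select-Object DefaultLevel, PolicyScope
"LNK still a designated type on this client: $('LNK' -in $policy.ExecutableTypes)"
$policy.PathRules | Format-Table -AutoSize
Test-SaferPath -FilePath 'C:\Program Files\Microsoft Office\winword.exe' -Policy $policy
Test-SaferPath -FilePath "$env:USERPROFILE\Desktop\Word.lnk" -Policy $policy
```

If the second usage line reports DesignatedType = True, the client has not picked up the edited file-type list yet (gpupdate and check again); if it reports False and the target is Unrestricted by a path rule, the block is coming from something this simplified evaluator does not model, and the SRP events in the Application log (source "Software Restriction Policies") name the rule that fired.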






RE: [ActiveDir] W2K3 with W2K2

2004-07-22 Thread Ken Cornetet
Read KB 325379. Although this document is about upgrading DCs to 2003, it has some 
good information you need to know - particularly if you are running Exchange 2000.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2


So what I am hearing is that I can go ahead and put the Windows 2003 server in place 
after I run adprep /forestprep and adprep /domainprep.  I understand I will not have 
all the capabilities of W2k3 but that's not what I am concerned about.  I just want to 
have that box in place so when I do decide to update, a w2k3 server is already in place.


--
Jake

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 22, 2004 2:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2

The Win2K3 will have to get the roles, at least the PDCE and the Domain Naming master 
roles, otherwise your domain will not function correctly 

This is not correct - the domain will still function perfectly well, but you won't be 
able to leverage some of the new features of Win2k3, which you'll only get after 
you've transferred those roles (e.g. Application Partitions, new 
well-known-security-principals and groups, Quota container etc.).

However, you won't have a chance to add a 2003 DC to the 2000 domain prior to prepping 
it with the 2003 schema and domain updates (ADPREP) - see other reply with link to KB. 
 So in a way Windows 2003 will have to take over the domain since you need to plan 
your schema update carefully.  Still, you can stick to your 2000 DCs and FSMO role 
holders until you feel comfortable to move them.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2

Let's agree that there is no PDC/BDC concept. Now, if all you want to do is get your 
Domain ready for when you will eventually move to 2003, then you should just run the 
adprep /forestprep and adprep /domainprep in your domain and wait. IF you want to get 
a win2K3 DC into the Domain now, then there is this concept called WITO (hello, Joe 
:)). It's the Walk In, Take Over principle. The Win2K3 will have to get the roles, 
at least the PDCE and the Domain Naming master roles, otherwise your domain will not 
function correctly, and many of the benefits of a Win2K3 Domain will NOT be available 
to you. I have been able to get a win2K3 DC to install successfully into a test domain 
without transferring the roles or upgrading the DC that originally has these roles, 
but what I've heard and read is that is not something you want to do in a production 
environment.
 
The people who taught me that (and wrote the book on that) are on this list. They may 
be able to explain further.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jacob Stabl
Sent: Wed 7/21/2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K3 with W2K2



I know this issue has been talked about before but searching through some old posts in 
my inbox I didn't find the exact answer I was looking for.

Is there a problem in joining a Windows 2003 server as the BDC in a Windows 2000 
network?  Will there be any problems or unavailable features? I don't want Windows 
2003 to take over the domain.  Reason for doing this is so next year if I decide to 
upgrade the domain to Windows 2003 it will be easier, I just move roles and such to 
that server.  In my simple mind this all makes sense.  Any suggestions?

Thanks

--
Jacob Stabl
Network Engineer
Plain Local Schools
http://eagle.stark.k12.oh.us
Work: 330.492.3500 x.383
Cell: 330.495.7243

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


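A readiness check for the sequence the thread settles on (run adprep /forestprep and adprep /domainprep, add the 2003 DC, move the FSMO roles only when you are ready), written here as an added example and not taken from any list message. It assumes the ActiveDirectory PowerShell module (the modern replacement for the 2004-era tools), read access to the schema and configuration partitions, the known schema objectVersion values (13 for Windows 2000, 30 for Windows Server 2003), and that ADPREP records its completed operations under the ForestUpdates and DomainUpdates containers.

```powershell
# Added example, not from the list thread. Requires the ActiveDirectory module
# on a domain-joined machine with read access to AD.
Import-Module ActiveDirectory

# Schema objectVersion as raised by adprep /forestprep:
# 13 = Windows 2000, 30 = Windows Server 2003 (later releases go higher).
$Server2003SchemaVersion = 30

function Test-AdObjectExists {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    try {
        $null = Get-ADObject -Identity $DistinguishedName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-AdUpgradeReadiness {
    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest
    $domain  = Get-ADDomain

    # The schema version tells you whether /forestprep has been applied.
    $schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion

    # ADPREP keeps a record of completed operations under these containers
    # (assumption about ADPREP's bookkeeping; the schema version is authoritative).
    $forestPrep = Test-AdObjectExists "CN=ForestUpdates,$($rootDse.configurationNamingContext)"
    $domainPrep = Test-AdObjectExists "CN=DomainUpdates,CN=System,$($domain.DistinguishedName)"

    # Which OS holds each role: the thread's point is that the roles may stay
    # on the Windows 2000 DCs until you choose to transfer them.
    # (Single-domain forest assumed, so every holder is found in this domain.)
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $roleHolders = foreach ($role in $roles.Keys) {
        $dc = Get-ADDomainController -Identity $roles[$role]
        [pscustomobject]@{ Role = $role; Holder = $dc.HostName; OS = $dc.OperatingSystem }
    }

    [pscustomobject]@{
        SchemaObjectVersion = $schemaVersion
        SchemaReadyFor2003  = ($schemaVersion -ge $Server2003SchemaVersion)
        ForestPrepContainer = $forestPrep
        DomainPrepContainer = $domainPrep
        ForestMode          = $forest.ForestMode
        DomainMode          = $domain.DomainMode
        RoleHolders         = $roleHolders
    }
}

# Usage: summary first, then the per-role table showing which DCs still run 2000.
$readiness = Get-AdUpgradeReadiness
$readiness | Select-Object SchemaObjectVersion, SchemaReadyFor2003, ForestPrepContainer,
                           DomainPrepContainer, ForestMode, DomainMode | Format-List
$readiness.RoleHolders | Format-Table -AutoSize
```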


[ActiveDir] DHCP

2004-07-22 Thread Kern, Tom
I have an authorized dhcp server.
When I add a new scope (I already had one previous working scope), it won't hand out 
addresses for that new scope. I have an event id 1051 logged in the event viewer 
saying it is not authorized.
I know I need to be an enterprise admin to authorize a dhcp server but do I need to be 
one to create an additional scope as well?
 
thanks(and oh yeah, all my ip helper addresses are correct in my router)
 

RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread deji
You could argue that. But, if you consider the fact that most hackwares and
viruses/trojans that carry their own account/password dictionaries don't do
SID enumeration, you'd understand the significance of renaming the accounts.
Because they don't do SID enumeration/translation, these hackwares are
useless against your infrastructure because they just go through looking for
accounts named Administrator or admin or root and similar. If they
don't find one, they move on.
 
Unless you are a direct target of concentrated hack/crack attempts, it's not
common for SID translation to be done.
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account



Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing or
assigning permissions, but this is how it appears to you.

Tony
-- Original Message --
From: Rocky Habeeb
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-




RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rocky Habeeb
Deji,

You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of 
course joe, and all the other heavyweights), but, we're not confused on the 
accounts and their memberships. I just feel it's important to have the 
Domain Admin (the individual) as Full Control on everything. As such, it's 
pointless to rename him because he can be seen.

However, you might just convince me to try it if you will tell me how to 
keep Users from viewing membership in AD of the Microsoft native groups, like 
Domain Administrators. ;-)

That might be enough for me to try it.

RH

_

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Thursday, July 22, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

If you just remember the principle "put users in group, assign permission to 
group", then you'll remember that neither JohnDoe nor Administrator should 
show up anywhere in your ACL enumeration. Rather, your ACL will look something 
like this:

Computername\AdministratorS - F
System - F
etc, etc.

You will NOT need to add the following to the ACL:
ComputerName\Administrator (notice the missing "S")
Domain Admins
Domain\Administrator

Why? First, because by adding Computername\AdministratorS in the first 
example, you have essentially taken care of the three in second example. 
"Domain\Administrator" is a member of "Domain Admins", which is a member of 
Computername\AdministratorS. Likewise, "ComputerName\Administrator" is a 
member of "Computername\AdministratorS".

Then your fear about your users knowing the name of your Domain Admin account 
becomes non-existent (although this should have been of no concern in the 
first place). If anyone looks at the permission on an object, they won't see 
those 3 listed.

Now, as to how your ACL "may" be messed up by an account rename. You need to 
remember that an account's name is not THE significant part when ACE/ACL are 
concerned. It's the account's SID, and this does NOT change, even after you've 
renamed an account. Your permissions will still persist through a rename.

As to the problem you encountered after renaming a DA, I can only speculate 
that there was "something else" causing that. I ALWAYS rename my DAs. Been 
doing it for a while now without running into similar problem.

Are you convinced yet?

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: Rocky Habeeb
Sent: Thu 7/22/2004 8:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Rob,

We set permissions on our Users PCs according to Trusted Systems Services
Windows NT Security Guidelines developed for the NSA in 1999.  We run in a
moderate to severe lockdown.  We open up NTFS permissions only as much as is
needed for Users to operate.  As such, any User can open up Windows Explorer
and click Security and look at the Security NTFS permission structure of any
file and folder on their PC.  Maybe they can adjust it, maybe not.  It
depends on how we set it.

If we rename the Domain Admin account to "JohnDoe" and then create a bogus
account called "Administrator", obviously, when we go set permissions on a
system, we are not going to select the "Administrator" account when we
actually need the Domain Admin to have Full Control to that object.  And I'm
not going to select "JohnDoe" and grant him Full Control as that pretty much
tells people where the Domain Admin account is.  So what do you do?

I need DAs to have FC.  What do I select?  How do I keep the User from
immediately seeing where the DA account is.  As far as testing it, forget
it.  Ten years ago, I renamed the DA account on a Windows NT 4.0 domain.  I
could not get back in.  I had to rebuild the domain, albeit a small one of
less than 100 Users, from scratch, and I swore I would never do it again.

Now convince me to do it.

RH




RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread deji
You just prove that you are very confused about membership? Tony, Robbie,
Guido, Gil, Roger, and Joe That's an expensive club. Can't afford the
membership fee. Next thing I know, you'd be lumping me in with Dean :-P
 
Seriously, let's back up a bit. Let's ask why you'd want to give permission
to Domain\Administrator (the user), instead of Domain\Domain Admins (the
group). Before you answer that, remember the basic principle put users in
group, give permission to group.
 
You want to keep users from viewing membership in AD? Where are they viewing
the membership from? In the Local Users and Groups? From the ACEs on files
and folders? I ask because, if you have added ONLY groups instead of Users,
the names of the users are not viewable in those places.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon




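The two points Deji makes in this thread, that an ACE identifies an account by its SID rather than its name, and that permissions belong on groups rather than on individual accounts, translate into two defender's checks. This is an added example, not code from the list; it assumes the ActiveDirectory PowerShell module, read access to the domain and to the folder tree being audited, and it locates the built-in account by its RID (500), the lookup the thread refers to as SID translation.

```powershell
# Added example, not from the list thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# The built-in Administrator account keeps RID 500 whatever it is renamed to,
# so it is located by SID, not by name, and the report shows whether the
# rename policy discussed in the thread has actually been applied.
function Get-BuiltinAdminStatus {
    $domain = Get-ADDomain
    $rid500 = "$($domain.DomainSID.Value)-500"
    $acct = Get-ADUser -Identity $rid500 -Properties Enabled, LastLogonDate
    [pscustomobject]@{
        SID         = $acct.SID.Value
        CurrentName = $acct.SamAccountName
        Renamed     = ($acct.SamAccountName -ne 'Administrator')
        Enabled     = $acct.Enabled
        LastLogon   = $acct.LastLogonDate
    }
}

# "Put users in groups, assign permission to groups": list every explicit
# (non-inherited) ACE under a folder tree whose trustee is a domain user
# rather than a group. Each ACE stores a SID; the friendly name is resolved
# only for display, which is also why a rename never invalidates an ACL.
function Find-DirectUserAces {
    param([Parameter(Mandatory)][string]$Path)

    $domainSid  = (Get-ADDomain).DomainSID
    $classBySid = @{}   # cache: SID string -> objectClass, one AD lookup per trustee

    Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_.FullName
            (Get-Acl -Path $folder).Access |
                Where-Object { -not $_.IsInherited } |
                ForEach-Object {
                    $ace = $_
                    try {
                        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
                    } catch {
                        return   # orphaned or untranslatable trustee; skip it
                    }

                    # Local accounts and well-known principals (SYSTEM,
                    # BUILTIN\Administrators) are not what this audit is about.
                    if (-not $sid.IsEqualDomainSid($domainSid)) { return }

                    if (-not $classBySid.ContainsKey($sid.Value)) {
                        $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
                        $classBySid[$sid.Value] = if ($obj) { $obj.ObjectClass } else { 'unknown' }
                    }

                    if ($classBySid[$sid.Value] -eq 'user') {
                        [pscustomobject]@{
                            Folder  = $folder
                            Trustee = $ace.IdentityReference.Value
                            SID     = $sid.Value
                            Rights  = $ace.FileSystemRights
                            Type    = $ace.AccessControlType
                        }
                    }
                }
        }
}

# Usage (path is a placeholder for the tree you want audited):
# Get-BuiltinAdminStatus
# Find-DirectUserAces -Path 'D:\Shares' | Format-Table -AutoSize
```

Any row returned by Find-DirectUserAces is a place where a user's name, renamed or not, is visible to anyone who can open the Security tab; moving that grant to a group removes the exposure the thread is arguing about.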
RE: [ActiveDir] AD and WINS

2004-07-22 Thread Rosales, Mario
Ok so for clarification.

If the 2003 Server is a DC and Wins it needs Server Ops
If it's a 2003 Standalone server make it a local admin?

Did I get that right?

Thanks for everyone's help! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, July 22, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Server Ops is only present on DC's so unless you have WINS on your
DC's... moot point anyway because, no, they can't administer WINS. W2K WINS
added the WINS Users group but it only provides read access to the WINS db

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Thursday, July 22, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Do they have to be local Admins, or will Server op work as well?

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT)
Sent: Thursday, July 22, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and then
add the group to the local administrators group of the WINS servers either
manually or via a GPO.  Then all you have to do is populate the AD group
with the users..  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS


I believe access to WINS requires local admin access.   To allow them to
administer WINS, they will have to be a local admin on the box where WINS is
running.

Denny

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003?

For Example, if we want the DNS admins to Administer the Wins servers, how
do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario




RE: [ActiveDir] Customize Group Permissions

2004-07-22 Thread Brian Desmond
Yes, this is possible. Check out restricted groups in group policy.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035

From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Customize Group Permissions

I thought I read somewhere in the MS Server 2003 Deployment Kit under Designing a
Managed Environment that it was possible to modify local PCs' group permissions
using GP. Has anyone heard of this?

What I'm trying to do is assign Install Printer Drivers to Power Users.

Thanks

Jared Manhat
Systems Administrator
Accutest Laboratories


RE: [ActiveDir] Summer Maintenance

2004-07-22 Thread Brian Desmond
Yes. There are no circumstances under which you should not sysprep an image that you
plan to deploy. The only time you should not is if you're using ghost to *replace* a
machine.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant but can I use sysprep if I have specialized software that
I want to have on my master image??

--
Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 21, 2004 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Please explain the reasoning here. Running newsid does not constitute running
sysprep.

--Brian

-Original Message-
From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wed 7/21/2004 4:00 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

Yes, just use Ghost and run Sysinternals NewSID on each pc BEFORE ADDING IT TO THE
DOMAIN.

http://www.sysinternals.com/ntw2k/source/newsid.shtml

Jared Manhat
Systems Administrator
Accutest Laboratories
2235 Route 130
Dayton, NJ 08810
(732) 329-0200 x254

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Wednesday, July 21, 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I have word of using sysprep along with Ghost. From what I have read sysprep just
does the OS and allows for different configurations. If I am doing a lab that has
special software and the same hardware config, is it not better to just use ghost
after the master computer has been configured?

--
Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of Norton
ghost. It goes slower but it won't bog down the network. Also, make sure your hop
count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and most rooms
don't have more than that many computers!)

I've done it enough times now to know that although we shouldn't have to get
involved with boot floppies sometimes things just don't go the way you plan :-)

Not sure why Ghost does cause the network problems you describe but I know it does
and we just plan round it - making sure no-one's trying to do anything important at
the same time etc.

Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am (all
Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The
multicast slows to a crawl, as does other network traffic.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming that you
are putting the same image on all machines), right? Or am I missing something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be prepared to
have a handful of them screw up and need reimaging with a floppy disk. Also, don't
think of doing em all at once. 100 - 150 is enough to saturate your network.

--Brian

-Original Message-
From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Fri 7/16/2004 8:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are powered up, the
admin will type in each unique computer name and walk away."

We're re-imaging about 1000 student computers this summer and I'm not intending to
go anywhere near most of them so typing in anything is a no-no! As others have said,
Ghost will happily rename and join to the domain and it will also work with sysprep
so you can have the best of both worlds :-)

Steve

-Original Message-
From: Brad Corob 

RE: [ActiveDir] Summer Maintenance

2004-07-22 Thread Brian Desmond
I beg to differ. I'm in a highschool with thousands of machines. I image labs, pcs,
etc all the time. 95% of software is deployed via group policy and MSIs. Haven't had
any problems in the past year of doing this.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035

From: Jacob Stabl [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

MSI is good for some stuff but not for labs that are reimaged a few times a week.

--
Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, July 22, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Most likely the answer is yes, speaking from experience in a K-12 setting. What is
the specialized software? Why not roll out the software as an msi file using group
policies?

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 7:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant but can I use sysprep if I have specialized software that
I want to have on my master image??

--
Jake



RE: [ActiveDir] AD and WINS

2004-07-22 Thread Brian Desmond
I'm betting there's a control access right (aka extended right) you can
delegate this group on your server OUs to manage WINS. No evidence, but, I'm
inclined to believe there is such a thing. Look at the Server Ops
delegations.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 22, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and
then add the group to the local administrators group of the WINS servers
either manually or via a GPO.  Then all you have to do is populate the
AD group with the users..  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS


I believe access to WINS requires local admin access.   To allow them to
administer WINS, they will have to be a local admin on the box where
WINS is running.

Denny

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003?

For example, if we want the DNS admins to administer the WINS servers,
how do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Pelle, Joe
Hello! Please assist, sorry for the slightly OT post:

Situation: We have a security root domain (root) and below it our primary
child domain (Domain A). We recently created a second domain underneath the
root domain (domain B) with a two way trust between the two child domains (A
and B). Our DNS for Domain A and B both forward up to the root. Our Exchange
2003 server is sitting in Domain A. I recently created a user (with a
mailbox) on Domain B from the Exchange server in Domain A: TestUser1.

Problem(s): Exchange never stamped an email address onto TestUser1. I
created an SMTP address for the user manually. Now I want to create an
Outlook profile and Outlook does not see the new user. The Outlook client is
installed on a machine that is connected to Domain B, as is TestUser1's
account. The machine has a static IP, DNS, and WINS. DNS and WINS are both
pointing to the new Domain (B).

Do I have a DNS problem? I can resolve other names that are already in the
GAL via the Outlook client, but not TestUser1.

Any advice you can give would be greatly appreciated!

Thanks!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324 Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/



RE: [ActiveDir] W2k3 DNS Scalability - More NFO

2004-07-22 Thread Mulnick, Al



They can handle more. Sounds like you found a bug of some sort unless you
have some other application that is using msvcrt.dll and isn't cleaning up
well. I don't see the same results with similar configuration.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2k3 DNS Scalability - More NFO

Potentially interesting oddity occurred today... Our primary and secondary
Windows 2003 / AD integrated DNS server services abended at almost the exact
same time with the following error message in the eventlog:

Reporting queued error: faulting application dns.exe, version 5.2.3790.0,
faulting module msvcrt.dll, version 7.0.3790.0, fault address 0x000351e4.

I have custom WMI monitoring set to auto-restart DNS, send email, call the
president, and of course... raise the national threat level. The servers are
dedicated AD boxes, so no rogue software or odd config. The servers are Dell
PowerEdge 2560s with 4 GB RAM, 3.06GHz processors and lots of disk space on
a RAID 1 / RAID 5 config.

The reason that I suspect performance / scalability is that when I check the
utilization trend reports, each server was averaging 82 queries/sec. But
surely the servers can handle more. Heck, the overall CPU utilization is
about 3%. We have most of the Windows platform using these two DNS servers,
but still have more to go. Eventually the load will be distributed among
future AD DCs. But I was very surprised to see the processes crash. All
other trended perfmon metrics were well within reason. Any thoughts?

Anyone perform specific DNS customizations to their respective dedicated AD
DNS servers? TIA.

Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084 (M) 336.457.2591
www.vfc.com


RE: [ActiveDir] W2k3 DNS Scalability - More NFO

2004-07-22 Thread Mulnick, Al



Sent that last one a little faster than I should have. :)

Since I have a similar config and don't see the same issue, it's possible
that you have a configuration issue such as a name resolution loop or other
problem that results in this type of crash. It might pay to look at the
configuration closely to ensure it's configured correctly and nothing weird
has happened.

Al

[ActiveDir] DHCP

2004-07-22 Thread Kern, Tom
I have an authorized DHCP server.

When I add a new scope (I already had one previous working scope), it won't
hand out addresses for that new scope. I have an event ID 1051 logged in the
event viewer saying it is not authorized.

I know I need to be an enterprise admin to authorize a DHCP server, but do I
need to be one to create an additional scope as well?

Thanks (and oh yeah, all my IP helper addresses are correct in my router)


RE: [ActiveDir] AD and WINS

2004-07-22 Thread Free, Bob
"If the 2003 Server is a DC and Wins it needs Server Ops"

No sorry, the point I was trying to make was merely that [A] server ops
did not exist on a member server and [B] that it is a moot point because
even IF WINS is running on a DC, Server Operators can NOT manage WINS.. 

To be able to completely administer WINS you must be an administrator,
therefore if it is running on a DC you need to be in the administrators
group or Domain Admins to change configuration information on WINS
servers using the WINS console or the netsh wins commands. 

If there are users who need read-only access to the WINS console, add
them to the WINS Users group instead of to the Administrators group.
WINS Users can search for WINS records and view replication partners and
other configuration information, but they cannot change settings on the
WINS server. They can also use a subset of the netsh wins context to
query records etc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 11:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD and WINS

Ok so for clarification.

If the 2003 Server is a DC and Wins it needs Server Ops
If it's a 2003 Standalone server make it a local admin?

Did I get that right?

Thanks for everyone's help! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, July 22, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Server Ops is only present on DC's, so unless you have WINS on your
DC's... moot point anyway because, no, they can't administer WINS. W2K
WINS added the WINS Users group but it only provides read access to the WINS
db.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Thursday, July 22, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Do they have to be local Admins, or will Server op work as well?

Denny 

RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Burkes, Jeremy [Contractor]



Do you have any custom recipient policies or did you modify the default
recipient policy?

Jeremy

-
Jeremy Burkes, SSP, MIS Department, [EMAIL PROTECTED], PH: 202-764-1270


RE: [ActiveDir] AD and WINS

2004-07-22 Thread Free, Bob
I'll take that bet :-)

Many have bemoaned the fact that you can't delegate WINS administration
or that there is no equivalent of DnsAdmins for WINS. 

RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Burkes, Jeremy [Contractor]



Sorry, I meant to say: do you have any custom recipient policies above the
default recipient policy, and/or do you have a RUS for your second domain,
domain B?

Jeremy

-
Jeremy Burkes, SSP, MIS Department, [EMAIL PROTECTED], PH: 202-764-1270


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Rocky Habeeb
Okay,

First off, yes the club's expensive.  And rightly so, but, do you know what
joe wanted to come to my little shop and point out to me exactly what I
already know (which is exactly how much I don't know already.)?  Now HE
was expensive.  Serves him right for getting fired. ;-O.  No wait.  He
didn't get fired.  Some of the |stupidest| people in the world (notice the
absolute symbol) just let him walk!  I'm telling you, that was about as
smart as the Russians selling us Alaska for 7 million.  I could not believe
that.  How smart do you have to be?  Not as smart as joe, that much I know.

Now, let me show you how much I don't know. ( I can explain why that is
someday, if it comes to that).  When I click (on my W2K boxes in my mixed
mode W2K domain) on My Network Places > Entire Network > Directory >
DNSDomainName it opens up my AD and everybody can see all the OUs.  If I
click on my Microsoft_Groups (OU which houses the native groups) I see every
group.  If I click on Domain Admins, I see the members.  The same with all
the other groups.  How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH
__




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


You just prove that you are very confused about membership? Tony, Robbie,
Guido, Gil, Roger, and Joe? That's an expensive club. Can't afford the
membership fee. Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. Let's ask why you'd want to give permission
to Domain\Administrator (the user), instead of Domain\Domain Admins (the
group). Before you answer that, remember the basic principle: "put users in
group, give permission to group".

You want to keep users from viewing membership in AD? Where are they viewing
the membership from? In the Local Users and Groups? From the ACEs on files
and folders? I ask because, if you have added ONLY groups instead of Users,
the name of the users are not viewable in those places.


Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


Deji,

You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and
of course joe, and all the other heavyweights), but, we're not confused on
the accounts and their memberships.  I just feel it's important to have the
Domain Admin (the individual) as Full Control on everything.  As such, its
pointless to rename him because he can be seen.

However, you might just convince me to try it if you will tell me how to
keep
Users from viewing membership in AD of the Microsoft native groups, like
Domain Administrators. ;-)

That might be enough for me to try it.

RH

_



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Deji Akomolafe
Sent: Thursday, July 22, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


If you just remember the principle "put users in group, assign
permission to group", then you'll remember that neither JohnDoe nor
Administrator should show up anywhere in your ACL enumeration. Rather, your
ACL will look something like this:

Computername\AdministratorS - F
System - F
etc, etc.

You will NOT need to add the following to the ACL:
ComputerName\Administrator (notice the missing S)
Domain Admins
Domain\Administrator

Why? First, because by adding Computername\AdministratorS in the
first example, you have essentially taken care of the three in second
example. Domain\Administrator is a member of Domain Admins, which is a
member of Computername\AdministratorS. Likewise,
ComputerName\Administrator
is a member of Computername\AdministratorS.

Then your fear about your users knowing the name of your Domain Admin
account becomes non-existent (although this should have been of no concern
in
the first place). If anyone looks at the permission on an object, they won't
see those 3 listed.

Now, as to how your ACL may be messed up by an account rename. You
need to remember that an account's name is not THE significant part when
ACE/ACL are concerned. It's the account's SID, and this does NOT change,
even
after you've renamed an account. Your permissions will still persist through
a rename.

As to the problem you encountered after renaming a DA, I can only
speculate that there was something else causing 
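
What Deji describes, checked from a shell, as an added example that is not code from anyone in the thread: ACEs hold SIDs rather than names, so renaming Administrator does not break a single permission; and the built-in account keeps RID 500 under any name, so a rename does not hide it from anyone who can query the directory either (which is Rocky's objection). The script lists the SID behind each ACE on a path, flags a direct ACE for a RID-500 account (the thing Deji says should be BUILTIN\Administrators instead), finds the built-in Administrator by SID alone, and wraps the rename in a ShouldProcess guard so it can be dry-run with -WhatIf. The folder path and domain are assumptions; it needs the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example, not code from the thread: show why renaming the built-in
# Administrator neither breaks ACLs nor hides the account, and what a
# group-based ACL looks like. Assumes the RSAT ActiveDirectory module on a
# domain-joined host; the folder path is an assumption.
#Requires -Modules ActiveDirectory

# 1. List the ACEs on a path with the SID behind each name. Well-known SIDs:
#    S-1-5-32-544 = BUILTIN\Administrators (the group to grant, per Deji),
#    S-1-5-18     = NT AUTHORITY\SYSTEM,
#    ...-500      = the built-in Administrator account (domain or local),
#                   which should not appear as a direct ACE at all.
function Get-AceSids([string]$Path) {
    (Get-Acl -Path $Path).Access | ForEach-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{
            Identity          = $_.IdentityReference.Value   # resolved at display time
            Sid               = $sid                          # what the ACE really stores
            Rights            = $_.FileSystemRights
            Type              = $_.AccessControlType
            IsBuiltinAdmins   = ($sid -eq 'S-1-5-32-544')
            IsDirectAdminUser = ($sid -match '-500$')         # candidate for cleanup
        }
    }
}

# 2. Locate the built-in Administrator by RID 500, whatever it is called now.
function Find-BuiltinAdministrator {
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" |
        Select-Object Name, SamAccountName, SID, Enabled
}

# 3. Rename it and prove the SID survives (run with -WhatIf first).
function Rename-BuiltinAdministrator {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NewName)

    $before = Find-BuiltinAdministrator
    if ($PSCmdlet.ShouldProcess($before.SamAccountName, "rename to $NewName")) {
        $dn = (Get-ADUser -Identity $before.SID).DistinguishedName
        Rename-ADObject -Identity $dn -NewName $NewName
        Set-ADUser -Identity $before.SID -SamAccountName $NewName
    }
    $after = Find-BuiltinAdministrator
    [pscustomobject]@{
        OldName      = $before.SamAccountName
        NewName      = $after.SamAccountName
        SidUnchanged = ($before.SID.Value -eq $after.SID.Value)   # always $true
    }
}

Get-AceSids -Path 'C:\Shares\Finance' | Format-Table -AutoSize   # assumed path
Find-BuiltinAdministrator
Rename-BuiltinAdministrator -NewName 'svc-break-glass' -WhatIf    # assumed name
```

Any ACE whose IsDirectAdminUser column is true is one that Deji's advice says should be replaced by an ACE for BUILTIN\Administrators (S-1-5-32-544), and the SidUnchanged column is the reason a rename cannot "mess up" those ACLs.
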

Re: [ActiveDir] Question about replication connection objects

2004-07-22 Thread David Adner
Anyone have thoughts on this?

--- David Adner [EMAIL PROTECTED] wrote:
> I know if I modify an automatically generated connection object, it gets
> renamed to its GUID and takes on the behavior of a manually created CO
> (meaning the KCC will no longer automatically maintain it).
>
> What if I move an automatically generated CO between DC's?  The name
> doesn't get renamed, but does that mean it stayed automatic or is it now
> in effect manual?  If it's the latter, how can I determine if it's
> behaving like a manual CO?  Is there some attribute to look for?

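
The attribute David is asking about, as an added example that is not code from the post: the `options` attribute on each nTDSConnection object carries the NTDSCONN_OPT_IS_GENERATED flag (bit 0x1) on connection objects the KCC created and still owns; it is absent on objects an administrator created or took over by editing, which is what `repadmin /showconn` prints as "isGenerated". So after moving or editing a CO, reading that bit tells you whether the KCC still considers it its own. The script needs the RSAT ActiveDirectory module and read access to the Configuration partition, nothing else is assumed.

```powershell
# Added example, not code from the thread: tell KCC-generated connection
# objects from manual ones. nTDSConnection "options" bit 0x1
# (NTDSCONN_OPT_IS_GENERATED) is set on objects the KCC generated and still
# manages; a CO without it is manual and the KCC will neither retune nor
# delete it. Assumes the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory

function Get-ConnectionObjectOwnership {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope Subtree `
                 -LDAPFilter '(objectClass=nTDSConnection)' `
                 -Properties options, fromServer, whenChanged |
    ForEach-Object {
        $opt = [int]($_.options)   # attribute absent -> $null -> 0
        # DN layout: CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $parts = $_.DistinguishedName -split ',(?=CN=)'
        [pscustomobject]@{
            Site        = $parts[4] -replace '^CN='
            ToServer    = $parts[2] -replace '^CN='
            FromServer  = (($_.fromServer -split ',(?=CN=)')[1]) -replace '^CN='
            Name        = $_.Name          # a GUID name is the sign of an edited CO
            Options     = ('0x{0:X}' -f $opt)
            KccOwned    = [bool]($opt -band 0x1)
            LastChanged = $_.whenChanged
        }
    }
}

# Rows with KccOwned = $false are manual connection objects; review those
# after any move or edit, because the KCC has stopped maintaining them.
Get-ConnectionObjectOwnership | Sort-Object Site, ToServer | Format-Table -AutoSize
```
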


RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Pelle, Joe
We have a mixed E5.5 and 2003 environment and the only recipient policies we
have are the 5.5 policies and the default policy. I have not changed any of
them.

Joe Pelle
Infrastructure Architect
Valassis / IT
Tel 734.591.7324 Fax 734.632.6151

RE: [ActiveDir] Customize Group Permissions

2004-07-22 Thread Perdue David J Contr InDyne/Enterprise IT
Title: Customize Group Permissions



One thing to be really careful of, though: it will replace the contents of the local group. The only exception to this is the default local Admin account in the local Administrators group. That account will stay. If you are using software, like SMS, that generates its own local admin account, be sure that it is getting left in.

Dave

--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597  DSN: 276-4597
[EMAIL PROTECTED]
--



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Customize Group Permissions


Yes, this is possible. Check out restricted groups in group policy.

--
Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035






From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Customize Group Permissions

I thought I read somewhere in the MS Server 2003 Deployment Kit, under Designing a Managed Environment, that it was possible to modify a local PC's group permissions using GP. Has anyone heard of this?

What I'm trying to do is assign Install Printer Drivers to Power Users.

Thanks,

Jared Manhat
Systems Administrator
Accutest Laboratories

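Brian's pointer to Restricted Groups and Dave's caveat about it replacing the group's contents can be checked before the policy ever applies. The following is an added PowerShell example, not code from the thread or from any Microsoft tool: it parses the [Group Membership] section of a GPO's GptTmpl.inf (the file in which Restricted Groups settings are stored) and reports which current local members are absent from the policy's list and would therefore be removed when it applies. The inf text, the domain SIDs and the name CONTOSO\Helpdesk are constructed placeholders; Get-LocalGroup and Get-LocalGroupMember need Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. Previews what a Restricted Groups policy
# would do to a local group, to catch the case Dave warns about: a product's
# own local admin account (SMS etc.) being dropped because it is not listed.
# Restricted Groups live in the GPO's GptTmpl.inf under [Group Membership].
# The inf text below and its SIDs/names are constructed placeholders.
# Needs Get-LocalGroup / Get-LocalGroupMember (Windows PowerShell 5.1+).
$GptTmplSample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-500
Power Users__Memberof =
Power Users__Members = CONTOSO\Helpdesk
'@

# Parse "[Group Membership]" into @{ <group token> = @(<member tokens>) }.
function Get-RestrictedGroupMembers {
    param([string[]]$Lines)
    $result = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(?<group>.+?)__Members\s*=\s*(?<members>.*)$') {
            $members = @($Matches['members'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $result[$Matches['group'].TrimStart('*')] = $members
        }
    }
    return $result
}

# Tokens are "*S-1-..." or "DOMAIN\name"; normalise to a SID string so the
# comparison is independent of how the member is displayed locally.
function ConvertTo-SidString {
    param([string]$Token)
    $t = $Token.TrimStart('*')
    if ($t -like 'S-1-*') { return $t }
    try {
        return (New-Object System.Security.Principal.NTAccount($t)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve '$t'; it will not protect any current member"
        return $t
    }
}

# Map a policy group token (SID or name) to the local group's display name.
function Resolve-LocalGroupName {
    param([string]$Token)
    $sid = ConvertTo-SidString $Token
    $g = Get-LocalGroup | Where-Object { $_.SID.Value -eq $sid -or $_.Name -eq $Token } | Select-Object -First 1
    if ($g) { return $g.Name }
    return $null
}

$policy = Get-RestrictedGroupMembers -Lines ($GptTmplSample -split "`r?`n")
foreach ($groupToken in $policy.Keys) {
    $name = Resolve-LocalGroupName $groupToken
    if (-not $name) { Write-Warning "Group '$groupToken' does not exist on this machine"; continue }
    $wanted = @($policy[$groupToken] | ForEach-Object { ConvertTo-SidString $_ })
    foreach ($m in @(Get-LocalGroupMember -Name $name)) {
        # Dave: the built-in Administrator (RID 500) survives regardless, so skip it.
        if ($m.SID.Value -like '*-500') { continue }
        if ($wanted -notcontains $m.SID.Value) {
            Write-Host "WOULD REMOVE from ${name}: $($m.Name) ($($m.SID.Value))"
        }
    }
}
```

Point the here-string at the real GptTmpl.inf from the policy's SYSVOL folder (Get-Content works in place of the sample) and run it on a representative member server; every line starting with WOULD REMOVE is an account to add to the policy, or a reason not to apply it.
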

RE: [ActiveDir] DHCP

2004-07-22 Thread Noah Eiger

Did you authorize it by FQDN or by address? I think it needs to be authorized by address.

nme

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 11:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP

I have an authorized DHCP server.

When I add a new scope (I already had one previous working scope), it won't hand out addresses for that new scope. I have an event ID 1051 logged in the event viewer saying it is not authorized.

I know I need to be an enterprise admin to authorize a DHCP server, but do I need to be one to create an additional scope as well?

Thanks (and oh yeah, all my IP helper addresses are correct in my router).

RE: [ActiveDir] KIX script and Active Directory

2004-07-22 Thread Michael Wassell

If you want to continue using Kix scripting you can create security groups and assign the appropriate users to those security groups; afterwards use the InGroup (Kix) function and assign drive mappings etc. accordingly.

At least that's one way of doing it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Thursday, July 22, 2004 3:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KIX script and Active Directory

I am working on a migration from NT4 to Windows 2003 which includes the collapsing of a number of domains into a single domain. Part of the existing NT4 login script uses the NT4 domain as a variable to set up things like users' drive mappings, e.g. xx-fileserver-01 where xx is the domain code. These scripts are written in KIX. As I'm not the world's greatest code writer and there are a fair few login scripts, I am looking for a way to set a variable that can be used by the login script to set the user's location without rewriting all of the scripts.

I don't really want to use group membership; if I have to, I would rather use an attribute in the Active Directory and look this up.

Has anyone got any advice?

Many thanks in advance

Jacqui

RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Pelle, Joe

AH, thanks for the clarification. I'm a little slow!

Anyway, I do have custom recipient policies above the default, but they were copied over from the 5.5 sites. "Do you have a RUS for your second domain, domain B?" I have not added anything additional, so I guess the answer is NO. Do I need RUS on Domain B? If so, how?

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

From: Burkes, Jeremy [Contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 3:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT

Sorry, I meant to say: do you have any custom recipient policies above the default recipient policy, and/or do you have a RUS for your second domain, domain B?

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270

-Original Message-
From: Pelle, Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:26 PM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Pelle, Joe

I have not yet created a RUS. I didn't know I had to. I have to domainprep B first, right?!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT

Very likely that you have not created a RUS for domainB, but if you did, go ahead and troubleshoot it.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Thursday, July 22, 2004 2:26 PM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Jacqui Hurst

As I remember, each domain has to have a recipient update service set up in order to update the email addresses. Do you have one for the second domain? Did you run domainprep on the new domain?

Jacqui

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 22 July 2004 19:26
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread deji
In addition, take a closer look at that Recipient Policy. It's possible that it's configured to stamp ONLY mail-enabled objects of DomainA. You will need to create another one for DomainB, if that's the case.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 7/22/2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT


Very likely that you have not created a RUS for domainB, but if you did, go
ahead and troubleshoot it.
 
Al



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Thursday, July 22, 2004 2:26 PM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread deji
This is by design. You open adsiedit.msc, navigate to the top DC=yourdomainname under the Domain partition, right-click on the DC=yourdomainname and click Properties. In the Security tab, you will see that Authenticated Users have Read access to the whole tree down.
 
You can remove this permission or alter it, but you need to know it was put there for a number of reasons. One of the things that I know will complain IF you remove this permission is... you guessed it... Exchange/Outlook. A favorite symptom is that your users will not be able to delete or move certain pieces of email. They will get the famous "object no longer exists" phantom error. That is one. There are other reasons for leaving the READ permission in place.
 
The reason for renaming is NOT so much to hide/obfuscate things from YOUR users. It is to deter external attacks. And, it's a deterrence, not a FIX. It's like the recommendation to change your router's banner or your SMTP banner to make them less obvious to passive/curious attackers. This recommendation does NOT in itself protect anything, or even thwart a determined attacker. But, like I said earlier, it makes you less vulnerable to the generalized attacks like Mofei or most of the hackwares/scripts.
 
As for Joe coming over to your little shop to give you some edukashun, all I can say is... be afraid... be very, very afraid :)
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account



Okay,

First off, yes the club's expensive.  And rightly so, but, do you know what
joe wanted to come to my little shop and point out to me exactly what I
already know (which is exactly how much I don't know already.)?  Now HE
was expensive.  Serves him right for getting fired. ;-O.  No wait.  He
didn't get fired.  Some of the |stupidest| people in the world (notice the
absolute symbol) just let him walk!  I'm telling you, that was about as
smart as the Russians selling us Alaska for 7 million.  I could not believe
that.  How smart do you have to be?  Not as smart as joe, that much I know.

Now, let me show you how much I don't know. (I can explain why that is someday, if it comes to that.)  When I click (on my W2K boxes in my mixed mode W2K domain) on My Network Places > Entire Network > Directory > DNSDomainName it opens up my AD and everybody can see all the OUs.  If I click on my Microsoft_Groups (OU which houses the native groups) I see every group.  If I click on Domain Admins, I see the members.  The same with all the other groups.  How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH
__

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


You just prove that you are very confused about membership? "Tony, Robbie, Guido, Gil, Roger, and Joe" - that's an expensive club. Can't afford the membership fee. Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. Let's ask why you'd want to give permission to Domain\Administrator (the user), instead of Domain\Domain Admins (the group). Before you answer that, remember the basic principle: put users in a group, give permission to the group.

You want to keep users from viewing membership in AD? Where are they viewing
the membership from? In the Local Users and Groups? From the ACEs on files
and folders? I ask because, if you have added ONLY groups instead of Users,
the name of the users are not viewable in those places.


Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


Deji,

You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of course joe, and all the other heavyweights), but, we're not confused on the accounts and their memberships.  I just feel it's important to have the Domain Admin (the individual) as Full Control on everything.  As such, it's pointless to rename him because he can be seen.

However, you might just convince me to try it if you will tell me how to keep Users from viewing membership in AD of the Microsoft native groups, like Domain Administrators. ;-)

That might be enough for me to try it.

RH


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Grillenmeier, Guido
Rocky - this thread is actually quite incredible - you're wandering from user and group names and object types to NTFS permissions and nesting objects into groups, over to discussing SIDs and friendly names, and now you're talking about the visibility of memberships of groups in AD ;-)

Also, I don't know about your domain, but I never knew that there was an account called "Domain Admin" - by default, you should only have an Administrator account that is a member of the Domain Admins group (and if this is the root, it would also be a member of the Enterprise Admins and Schema Admins groups)...  Besides the best practice of renaming the default Administrator account (not group), it's also a good practice to take it out of the Schema Admins group (this group should be empty until you want to change anything in the schema - this will prevent accidental schema extensions, e.g. by some crappy program or script).

So, I'm not sure which is the part that's really most painful to you, but I guess you mainly want to hide any hints to the default Admin account in your domain, as otherwise renaming them doesn't make any sense to you - is that about right?

I think Deji already covered very well how you shouldn't set ACLs for any user account directly - you'll merely do so via groups, and the account that has access to the (non-homeshare) resource won't be visible by looking at the ACLs of the machine. This includes administrative accounts.

And if people see a group on an ACL (e.g. Domain Admins), you don't want them to be able to look up who is a Domain Admin by checking the group membership of that group - right again?

This can also be resolved by setting the appropriate permissions on the respective AD OU which contains the groups (or any other objects) which you don't want your users to view.  E.g. move your administrative accounts and the Domain Admins group to a separate OU in your domain and then remove the Read permissions for Authenticated Users on that OU - this will prevent them from browsing to that OU, so they can't even try to open the group to see the content.  You could also work with permissions on the groups themselves, but that's more and unnecessary work.  If you don't even want your users to see the special OU, then you'll have to work with the List Object permission.

LIST OBJECT is not active or visible in the ACL Editor by default. To activate it (for the whole AD forest) change the DSHeuristics property on the Directory Service object (cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=ForestRootDomain) to 001. The first two bits impact the ANR searching in AD, so don't change them without knowing what you want them to be.

BTW, it's much easier to implement the strategy of a special OU (e.g. Domain Operations) when you have separate accounts for administrative users - i.e. they have another normal account for eMail etc.  All administrative accounts should be in this special OU.

And thanks for the flowers in your previous mails - I'll send some of them to Deano ;-)

Cheers,
Guido


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 9:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Okay,

First off, yes the club's expensive.  And rightly so, but, do you know what joe wanted 
to come to my little shop and point out to me exactly what I already know (which is 
exactly how much I don't know already.)?  Now HE was expensive.  Serves him right 
for getting fired. ;-O.  No wait.  He didn't get fired.  Some of the |stupidest| 
people in the world (notice the absolute symbol) just let him walk!  I'm telling you, 
that was about as smart as the Russians selling us Alaska for 7 million.  I could not 
believe that.  How smart do you have to be?  Not as smart as joe, that much I know.

Now, let me show you how much I don't know. (I can explain why that is someday, if it comes to that.)  When I click (on my W2K boxes in my mixed mode W2K domain) on My Network Places > Entire Network > Directory > DNSDomainName it opens up my AD and everybody can see all the OUs.  If I click on my Microsoft_Groups (OU which houses the native groups) I see every group.  If I click on Domain Admins, I see the members.  The same with all the other groups.  How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH
__

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


You just prove that you are very confused about membership? "Tony, Robbie, Guido, Gil, Roger, and Joe" - that's an expensive club. Can't afford the membership fee. Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. 
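
The two changes Guido describes above, as an added PowerShell example rather than anything posted in the thread: switching on List Object mode by setting the third character of dSHeuristics on the Directory Service object (the first two characters, which Guido notes govern ANR, are preserved, as is anything else already in the string), and removing the explicit Read-type permissions Authenticated Users hold on a dedicated administrative OU. Deji's warning earlier about Exchange concerns removing that Read at the domain head; this touches only the one OU. Assumed here: the ActiveDirectory PowerShell module, an OU named Domain Operations (Guido's example name, a placeholder) and rights to modify both objects. The per-OU List Object grants that complete the design depend on the OU layout and are not shown.

```powershell
# Added example, not from the thread. Implements Guido's two steps:
#  1. enable List Object mode forest-wide by setting the 3rd character of
#     dSHeuristics to "1" while preserving the first two (ANR) characters;
#  2. remove the explicit Read-type ACEs Authenticated Users hold on a
#     dedicated administrative OU so they can no longer browse into it.
# Assumes the ActiveDirectory module and sufficient rights. OU name is a placeholder.
Import-Module ActiveDirectory

# Return $Current with the 1-based $Position set to $Value. Shorter strings are
# padded with "0", except that every 10th position must carry its index digit
# (10th = "1", 20th = "2", ...), a rule the padding honours; all other
# switches already in the string are left exactly as they were.
function Set-DsHeuristicsChar {
    param([AllowEmptyString()][string]$Current, [int]$Position, [char]$Value)
    $s = $Current
    while ($s.Length -lt $Position) {
        $next = $s.Length + 1
        $pad = if ($next % 10 -eq 0) { [string]($next / 10) } else { '0' }
        $s += $pad
    }
    return $s.Substring(0, $Position - 1) + [string]$Value + $s.Substring($Position)
}

# --- Step 1: fDoListObject is the 3rd character of dSHeuristics ---------------
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$current  = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
$desired  = Set-DsHeuristicsChar -Current $current -Position 3 -Value '1'
Write-Host "dSHeuristics: '$current' -> '$desired'"
if ($desired -ne $current) {
    Set-ADObject -Identity $dsObject -Replace @{ dSHeuristics = $desired }
}

# --- Step 2: take Authenticated Users' Read off the admin OU ------------------
$ouDN       = "OU=Domain Operations,$((Get-ADDomain).DistinguishedName)"  # placeholder
$acl        = Get-Acl -Path "AD:\$ouDN"
$authUsers  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$readRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ListChildren, ReadProperty, ListObject'

# Only explicit ACEs can be removed here; Read inherited from the domain head
# would have to be dealt with on the parent or by blocking inheritance.
$toRemove = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
    ([int]($_.ActiveDirectoryRights -band $readRights) -ne 0)
})
foreach ($ace in $toRemove) {
    Write-Host "Removing '$($ace.ActiveDirectoryRights)' for Authenticated Users on $ouDN"
    [void]$acl.RemoveAccessRule($ace)
}
if ($toRemove.Count -gt 0) { Set-Acl -Path "AD:\$ouDN" -AclObject $acl }
```

Run step 1 once per forest and check the before/after line it prints: if the attribute was already longer than three characters, only the third position should differ. Step 2 is per OU; afterwards an ordinary user browsing the domain in ADUC or Network Places should still see the OU (unless List Object work follows) but get access denied opening it.
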

RE: [ActiveDir] KIX script and Active Directory

2004-07-22 Thread Ken Cornetet
I don't understand your question fully. You say you want to "set a variable" which will control drive mappings, but then you go on to say that you want to look up an attribute in AD to set the location. What attribute would that be?

Can you be more specific?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Thursday, July 22, 2004 2:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KIX script and Active Directory

I am working on a migration from NT4 to Windows 2003 which includes the collapsing of a number of domains into a single domain. Part of the existing NT4 login script uses the NT4 domain as a variable to set up things like users' drive mappings, e.g. xx-fileserver-01 where xx is the domain code. These scripts are written in KIX. As I'm not the world's greatest code writer and there are a fair few login scripts, I am looking for a way to set a variable that can be used by the login script to set the user's location without rewriting all of the scripts.

I don't really want to use group membership; if I have to, I would rather use an attribute in the Active Directory and look this up.

Has anyone got any advice?

Many thanks in advance

Jacqui


RE: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Pelle, Joe

Jacqui,

I have not domainprep'd the new domain and have not created a recipient update service for the new domain. I did not know I needed to do that... thank you for the posts! VERY HELPFUL! I'm still learning about Exchange!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

From: Jacqui Hurst [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 4:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT

As I remember, each domain has to have a recipient update service set up in order to update the email addresses. Do you have one for the second domain? Did you run domainprep on the new domain?

Jacqui

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 22 July 2004 19:26
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

RE: [ActiveDir] DHCP

2004-07-22 Thread Charlie Kaiser
If it's a new scope, is the scope within the range of IP addresses and
subnet masks available on that router segment? I fought an issue like this
once and it was a subnet mask problem, but we were looking for something
harder to fix... :-)
Took a while to see it right under our noses...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: Kern, Tom [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 22, 2004 1:52 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DHCP

 I browsed for it by name through the MMC.
 The server is authorized and is giving out addresses, just in one scope.
 I'm not an enterprise admin, just a domain admin. I created a second scope and the MMC gives me no error and says it's active, but addresses are not being given out on the new scope.
 As I said, my IP helper addresses in my router are fine, but that subnet gets no IPs, though it does get the scope options such as DNS server and WINS, etc.
 And I got that event ID 1051 when I first created the scope, but no further errors since then. I have rebooted as well.
 So I'm thinking I may need to be enterprise admin to create a new scope on an authorized DHCP server?!!!
 I just wanna confirm.
 Thanks
   -Original Message-
   From: Noah Eiger [mailto:[EMAIL PROTECTED]
   Sent: Thursday, July 22, 2004 3:59 PM
   To: [EMAIL PROTECTED]
   Subject: RE: [ActiveDir] DHCP

   Did you authorize it by FQDN or by address? I think it needs to be authorized by address.

   nme



RE: [ActiveDir] How to restrict access to event viewer

2004-07-22 Thread Jimmy Andersson

Do you mean that you want to control permissions on the different logs within Event Viewer?
If so, it's absolutely possible if you change the SDDL in the Registry; however, you need to write a customized GPO template to push them out to the servers unless you want to manually edit each server's Registry.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 3:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to restrict access to event viewer
Sensitivity: Private

Hi,

Can you share your experiences about how to restrict access to Event Viewer to only one group? Local and remote access?

Thks.

AVISO LEGAL:Esta informacion es privada y confidencial y 
esta dirigida unicamente a su destinatario. Si usted no es el destinatario 
original de este mensaje y por este medio pudo acceder a dicha informacion por 
favor elimine el mensaje. La distribucion o copia de este mensaje esta 
estrictamente prohibida. Esta comunicacion es solo para propositos de 
informacion y no debe ser considerada como propuesta, aceptacion ni como una 
declaracion de voluntad oficial de REPSOL YPF S.A. y/o subsidiarias y/o 
afiliadas. La transmision de e-mails no garantiza que el correo electronico sea 
seguro o libre de error. Por consiguiente, no manifestamos que esta informacion 
sea completa o precisa. Toda informacion esta sujeta a alterarse sin previo 
aviso.This information is private and confidential and intended for the 
recipient only. If you are not the intended recipient of this message you are 
hereby notified that any review, disseminastribution or copying of this message 
is strictly prohibited. This communication is for information purposes only and 
shall not be regarded neither as a proposal, acceptance nor as a statement of 
will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or 
affiliates. Email transmission cannot be guaranteed to be secure or error-free. 
Therefore, we do not represent that this information is complete or accurate and 
it should not be relied upon as such. All information is subject to change 
without notice. 
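The per-server route Jimmy mentions, shown as an added example that is not part of his reply or of the list: the registry value behind it is `CustomSD` under each log's `Eventlog` key, an SDDL string that the Event Log service enforces for local and remote readers alike (Microsoft documents it for Windows Server 2003 and later; the Windows 2000 values are not covered here). The group name, the server list and the use of WinRM for the remote write are assumptions; the same value is what a custom GPO template would deliver to a large fleet.

```powershell
# Added example (not from the list thread): restrict read access to one event
# log to a single domain group by writing the CustomSD value that the Event Log
# service honours. Group and server names below are assumed placeholders.
param(
    [string]$LogName     = 'Application',
    [string]$ReaderGroup = 'CONTOSO\EventLog-Readers',   # assumed group name
    [string[]]$Servers   = @('srv01', 'srv02')           # assumed server names
)

# SDDL needs a SID for anything that is not a built-in alias, so resolve the group.
$account  = New-Object System.Security.Principal.NTAccount($ReaderGroup)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Event log access mask bits: 0x1 read, 0x2 write, 0x4 clear.
# SYSTEM and Administrators keep full control; the logon/service identities keep
# write so applications can still log; only the chosen group is allowed to read.
$sddl = 'O:BAG:SYD:' +
        '(D;;0xf0007;;;AN)' +          # deny everything to Anonymous (deny ACEs first)
        '(A;;0xf0007;;;SY)' +          # LocalSystem: full control
        '(A;;0x7;;;BA)' +              # Administrators: read, write, clear
        '(A;;0x2;;;IU)' +              # interactive logons: write only
        '(A;;0x2;;;SU)' +              # service logons: write only
        '(A;;0x2;;;LS)' +              # Local Service: write only
        '(A;;0x2;;;NS)' +              # Network Service: write only
        "(A;;0x1;;;$groupSid)"         # the one reader group: read only

# Parse the descriptor locally first; a malformed string should fail here,
# not after it has been pushed to every server.
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"

foreach ($server in $Servers) {
    # Write the value remotely and read it back so the operator sees what landed.
    Invoke-Command -ComputerName $server -ScriptBlock {
        param($path, $value)
        Set-ItemProperty -Path $path -Name 'CustomSD' -Value $value -Type String
        (Get-ItemProperty -Path $path -Name 'CustomSD').CustomSD
    } -ArgumentList $keyPath, $sddl
}
```

For the Security log the reader group additionally needs the "Manage auditing and security log" user right, which is itself a Group Policy setting, so in practice the GPO route covers both halves at once.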


Re: [ActiveDir] AD and Exchange - Slightly OT

2004-07-22 Thread Robert Mezzone
Check out the Exchange Admin guide, Exchange Deployment Guide and Planning
an Exchange Messaging System, all on microsoft.com/exchange/library. I'm
reading the admin guide; all three have helped with the Exchange 5.5 to
2003 migration.

Robert


-Original Message-
From: [EMAIL PROTECTED]
[EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Thu Jul 22 17:14:30 2004
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT

Jacqui,

 

I have not domainprep'd the new domain and have not created a recipient
update service for the new domain.  I did not know I needed to do that...
thank you for the posts!  VERY HELPFUL!  I'm still learning about Exchange! 

 

Joe Pelle

Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.

 

  _  

From: Jacqui Hurst [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 22, 2004 4:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT

 

As I remember, each domain has to have a recipient update service set up in
order to update the email addresses.  Do you have one for the second domain?
Did you run domainprep on the new domain? 

 

 

Jacqui

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 22 July 2004 19:26
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

 

Hello!  Please assist, sorry for the slightly OT post:

 

Situation: We have a security root domain (root) and below it our primary
child domain (Domain A).  We recently created a second domain underneath the
root domain (domain B) with a two way trust between the two child domains (A
and B).  Our DNS for Domain A and B both forward up to the root.  Our
Exchange 2003 server is sitting in Domain A.  I recently created a user
(with a mailbox) on Domain B from the Exchange server in Domain A -
TestUser1. 

 

Problem(s):  Exchange never stamped an email address onto TestUser1.  I
created an SMTP address for the user manually.  Now I want to create an
Outlook profile and Outlook does not see the new user.  The Outlook client
is installed on a machine that is connected to Domain B as is TestUser1's
account.  The machine has a static IP, DNS, and WINS.  DNS and WINS are both
pointing to the new Domain (B).  

 

Do I have a DNS problem?  I can resolve other names that are already in the
GAL via the Outlook client, but not TestUser1.  

 

Any advice you can give would be greatly appreciated! 

 

Thanks! 

 

Joe Pelle

Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.

 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DHCP

2004-07-22 Thread Kern, Tom

Yes it is. The router is fine. If I use a static address on that subnet, it works and 
there is connectivity. If I configure the client to use DHCP, nothing. All it gets is 
the scope options.
I guess what my question really is: if a DHCP server has been authorized by an 
enterprise admin with a scope, do you need to be an enterprise admin to create a new 
scope?
I can't find any docs addressing this issue, so to speak (ha ha).
-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP


If it's a new scope, is the scope within the range of IP addresses and
subnet masks available on that router segment? I fought an issue like this
once and it was a subnet mask problem, but we were looking for something
harder to fix... :-)
Took a while to see it right under our noses...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: Kern, Tom [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, July 22, 2004 1:52 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DHCP
 
 I browsed for it by name through the MMC. 
 The server is authorized and is giving out addresses, just in 
 one scope.
 I'm not an enterprise admin, just a domain admin. I created a 
 second scope and the MMC gives me no error and says it's 
 active, but addresses are not being given out on the new scope.
 As I said, my IP helper addresses in my router are fine, but 
 that subnet gets no IPs, though it does get the scope 
 options such as DNS server and WINS, etc.
 And I got that event ID 1051 when I first created the scope, 
 but no further errors since then. I have rebooted as well,
 so I'm thinking I may need to be enterprise admin to create a 
 new scope on an authorized DHCP server?!!!
 I just wanna confirm.
 Thanks
   -Original Message-
   From: Noah Eiger [mailto:[EMAIL PROTECTED]
   Sent: Thursday, July 22, 2004 3:59 PM
   To: [EMAIL PROTECTED]
   Subject: RE: [ActiveDir] DHCP
   
   
   Did you authorize it by fqdn or by address? I think it 
 needs to be authorized by address.

   nme

   
 
 
   From: Kern, Tom [mailto:[EMAIL PROTECTED] 
   Sent: Thursday, July 22, 2004 11:57 AM
   To: [EMAIL PROTECTED]
   Subject: [ActiveDir] DHCP

   I have an authorized DHCP server.
   When I add a new scope (I already had one previous 
 working scope), it won't hand out addresses for that new 
 scope. I have an event ID 1051 logged in the event viewer 
 saying it is not authorized.
   I know I need to be an enterprise admin to authorize a 
 DHCP server, but do I need to be one to create an additional 
 scope as well?

   Thanks (and oh yeah, all my IP helper addresses are 
 correct in my router)

 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
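A check that settles the two questions raised in this thread (is the server authorized by name or by address, and is the new scope's range and mask what the router segment expects), added here as an example and not posted by anyone on the list. It assumes the DhcpServer PowerShell module, which ships with Windows Server 2012 and later, and is run on the DHCP server itself; event ID 1051 is the "not authorized" event quoted above.

```powershell
# Added example (not from the list thread): show how this DHCP server appears
# in the forest's authorization list, list its scopes, and pull any recent
# event 1051 entries. Assumes the DhcpServer module (Windows Server 2012+).
Import-Module DhcpServer

function Test-DhcpAuthorization {
    # Authorizations live in the configuration partition; each entry carries a
    # DNS name and an IP address, so both are compared against this host.
    $authorized = Get-DhcpServerInDC
    $localIPv4  = @(Get-NetIPAddress -AddressFamily IPv4 |
                    Where-Object { $_.IPAddress -notlike '127.*' } |
                    ForEach-Object IPAddress)
    $fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    [pscustomobject]@{
        Fqdn             = $fqdn
        LocalAddresses   = $localIPv4 -join ', '
        AuthorizedByName = [bool]($authorized | Where-Object { $_.DnsName -eq $fqdn })
        AuthorizedByIP   = [bool]($authorized |
                             Where-Object { $localIPv4 -contains $_.IPAddress.IPAddressToString })
        AllAuthorized    = ($authorized |
                             ForEach-Object { "$($_.DnsName) ($($_.IPAddress))" }) -join '; '
    }
}

Test-DhcpAuthorization | Format-List

# Every scope with its range and mask: a scope that is Active here but whose
# range does not fit the router segment is the other cause named upthread.
Get-DhcpServerv4Scope | Select-Object ScopeId, SubnetMask, StartRange, EndRange, State

# Recent event 1051 entries (the "not authorized" event quoted in the thread).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1051 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The `AllAuthorized` field is also the list to compare against inventory on a regular basis: any DHCP server in the directory that nobody recognises deserves a look, since authorization is what lets a server answer clients on the segment.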


RE: [ActiveDir] KIX script and Active Directory

2004-07-22 Thread Brian Desmond
Check out the %USERDOMAIN% and %USERDNSDOMAIN% environment variables. Run set from 
a command prompt to get a list of them.
 
--Brian

-Original Message- 
From: Jacqui Hurst [mailto:[EMAIL PROTECTED] 
Sent: Thu 7/22/2004 2:31 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] KIX script and Active Directory



I am working on a migration from NT4 to Windows 2003 which includes the 
collapsing of a number of domains into a single domain.  Part of the existing NT4 
login script uses the NT4 domain as a variable to set up things like users' drive 
mappings, e.g. xx-fileserver-01 where xx is the domain code. These scripts are written 
in KIX.  As I'm not the world's greatest code writer and there are a fair few login 
scripts, I am looking for a way to set a variable that can be used by the login script 
to set the user's location without rewriting all of the scripts.

 

I don't really want to use group membership; if I have to, I would rather use 
an attribute in Active Directory and look this up.

 

Has anyone got any advice?

 

 

Many thanks in advance

 

Jacqui

 

 

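How the two ideas in this thread fit together in a logon script, as an added example in PowerShell rather than KiXtart, and not code from Brian, Jacqui or the list: the environment variables Brian names still tell the script which domain the user logged on to, while the location code Jacqui wants comes from an attribute on the user's own directory object, read without an LDAP search by asking ADSystemInfo for the logged-on user's DN. The attribute used (`physicalDeliveryOfficeName`, the "Office" field), the server naming pattern and the share name are assumptions.

```powershell
# Added example (not from the list thread): derive the "<code>-fileserver-01"
# name from an attribute on the logged-on user's AD object instead of from the
# NT4 domain name. Attribute, naming pattern and share name are assumptions.

# The logon domain is still in the environment, which is what the NT4-era
# scripts keyed on; it is kept here only for the warning message.
$netbiosDomain = $env:USERDOMAIN
$dnsDomain     = $env:USERDNSDOMAIN

# ADSystemInfo hands back the DN of the current user. It has no type library,
# so the property is read through InvokeMember rather than as $sysInfo.UserName.
$sysInfo = New-Object -ComObject ADSystemInfo
$userDn  = $sysInfo.GetType().InvokeMember('UserName', 'GetProperty', $null, $sysInfo, $null)

# Bind to the user object and read the attribute that carries the site code.
$user     = [ADSI]"LDAP://$userDn"
$siteCode = [string]$user.physicalDeliveryOfficeName

function Get-FileServerName {
    param([string]$Code)
    # Fail closed: an empty or odd-looking code must not turn into a server
    # name the script never expected to map a drive to.
    if ([string]::IsNullOrWhiteSpace($Code) -or $Code -notmatch '^[A-Za-z0-9]{2,4}$') {
        return $null
    }
    return ('{0}-fileserver-01' -f $Code.ToLower())
}

$server = Get-FileServerName -Code $siteCode
if ($server) {
    # Map the user's drive; the share name is an assumption.
    net use H: "\\$server\users$" /persistent:no
} else {
    Write-Warning "No usable site code on $userDn ($netbiosDomain / $dnsDomain); no drive mapped."
}
```

Keeping the code in an attribute rather than a group means the only people who can change where a user's drive points are those with write access to that attribute on the user object, which is worth checking in the OU delegation before relying on it.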

[ActiveDir] NTP server

2004-07-22 Thread Rimmerman, Russ

Where does everyone have their NTP services come from?  We are getting rid
of our current firewall which has NTP on it and everything is pointed to it
for NTP services.  Our new firewall won't have NTP built in, so we are going
to have to set up an internal NTP server for all our internal hosts to sync
to.  Do we put it in the DMZ or the internal network?  Or  does it matter?
Do we just install NTP on an existing Win2k server in our DMZ?  What is
everyone else doing for NTP?

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] NTP server

2004-07-22 Thread Gil Kirkpatrick
Hey Russ,
 
This link describes how W2K and W2K3 handle NTP: 
http://www.netpro.com/products/techdocs/ad_timesync.pdf
This link lists public Stratum 1 and Stratum 2 time servers: 
http://www.eecis.udel.edu/~mills/ntp/servers.html
 
It would make sense to use the PDC emulator as the time server for devices in the 
respective domains.
 
-gil
 
Gil Kirkpatrick
CTO, NetPro



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Thu 7/22/2004 5:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NTP server




Where does everyone have their NTP services come from?  We are getting rid
of our current firewall which has NTP on it and everything is pointed to it
for NTP services.  Our new firewall won't have NTP built in, so we are going
to have to set up an internal NTP server for all our internal hosts to sync
to.  Do we put it in the DMZ or the internal network?  Or  does it matter?
Do we just install NTP on an existing Win2k server in our DMZ?  What is
everyone else doing for NTP?

Thanks




RE: [ActiveDir] NTP server

2004-07-22 Thread Brian Desmond
I use my PDC. It syncs with the government. All your clients automatically talk to the 
PDC unless you told 'em not to.
 
--Brian

-Original Message- 
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] 
Sent: Thu 7/22/2004 7:24 PM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: [ActiveDir] NTP server




Where does everyone have their NTP services come from?  We are getting rid
of our current firewall which has NTP on it and everything is pointed to it
for NTP services.  Our new firewall won't have NTP built in, so we are going
to have to set up an internal NTP server for all our internal hosts to sync
to.  Do we put it in the DMZ or the internal network?  Or  does it matter?
Do we just install NTP on an existing Win2k server in our DMZ?  What is
everyone else doing for NTP?

Thanks



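The setup Gil and Brian describe (the PDC emulator syncing from outside, everything else following the domain hierarchy) as an added, runnable example that is not code from either of them or from the list. It is run as an administrator on the DC that holds the PDC emulator role; the upstream peers named are an assumption and should be whatever your policy allows. The `w32tm /query` verification switches exist on Windows Server 2008 and later.

```powershell
# Added example (not from the list thread): make the PDC emulator the domain's
# authoritative time source and verify it. Run on the PDC emulator itself.
# The upstream peer names below are an assumption.

# Guard: only the PDC emulator should sync outside the forest. Every other DC
# and every member follows the domain hierarchy on its own, so configuring any
# other host this way would create a second, competing time source.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
$self   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdc -ne $self) {
    throw "This host ($self) is not the PDC emulator ($pdc). Run this on $pdc instead."
}

# Point the PDC emulator at the external peers, mark it as a reliable source so
# domain members accept it, and apply. '--%' hands the rest of the line to
# w32tm verbatim, so the quoted, space-separated peer list reaches it intact.
w32tm --% /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verification: the source must be one of the peers above, and the reported
# stratum one greater than the peer's.
w32tm /query /source
w32tm /query /status

# Poll every DC in the domain and show its offset from this machine; a DC whose
# offset keeps growing, or that reports an unexpected reference, needs a look.
w32tm /monitor
```

On the DMZ question this implies an answer: the only time traffic that has to cross the firewall is UDP/123 from the PDC emulator to the chosen peers, and internal hosts sync from the DCs they already talk to, so there is nothing to gain by placing the time source in the DMZ.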