RE: [ActiveDir] W2K3 with W2K2
So what I am hearing is that I can go ahead and put the Windows 2003 server in place after I run adprep /forestprep and adprep /domainprep. I understand I will not have all the capabilities of W2K3, but that's not what I am concerned about. I just want to have that box in place so that when I do decide to update, a W2K3 server is already in place.

-- Jake

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 22, 2004 2:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2

> The Win2K3 will have to get the roles, at least the PDCE and the Domain Naming master roles, otherwise your domain will not function correctly

This is not correct - the domain will still function perfectly well, but you won't be able to leverage some of the new features of Win2K3, which you'll only get after you've transferred those roles (e.g. Application Partitions, new well-known security principals and groups, Quota container etc.).

However, you won't have a chance to add a 2003 DC to the 2000 domain prior to prepping it with the 2003 schema and domain updates (ADPREP) - see other reply with link to KB. So in a way Windows 2003 will have to take over the domain, since you need to plan your schema update carefully. Still, you can stick to your 2000 DCs and FSMO role holders until you feel comfortable to move them.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2

Let's agree that there is no PDC/BDC concept. Now, if all you want to do is get your Domain ready for when you will eventually move to 2003, then you should just run adprep /forestprep and adprep /domainprep in your domain and wait. IF you want to get a Win2K3 DC into the Domain now, then there is this concept called WITO (hello, Joe :)). It's the Walk In, Take Over principle.

The Win2K3 will have to get the roles, at least the PDCE and the Domain Naming master roles, otherwise your domain will not function correctly, and many of the benefits of a Win2K3 Domain will NOT be available to you. I have been able to get a Win2K3 DC to install successfully into a test domain without transferring the roles or upgrading the DC that originally has these roles, but what I've heard and read is that this is not something you want to do in a production environment. The people who taught me that (and wrote the book on that) are on this list. They may be able to explain further.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jacob Stabl
Sent: Wed 7/21/2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K3 with W2K2

I know this issue has been talked about before, but searching through some old posts in my inbox I didn't find the exact answer I was looking for. Is there a problem in joining a Windows 2003 server as the BDC in a Windows 2000 network? Will there be any problems or unavailable features? I don't want Windows 2003 to take over the domain. The reason for doing this is so that next year, if I decide to upgrade the domain to Windows 2003, it will be easier; I just move roles and such to that server. In my simple mind this all makes sense. Any suggestions?

Thanks

-- Jacob Stabl
Network Engineer
Plain Local Schools
http://eagle.stark.k12.oh.us
Work: 330.492.3500 x.383
Cell: 330.495.7243

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
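The check a practitioner would want around this thread, added here as an example and not code from any list member: read the schema level that adprep /forestprep raises, and list the five FSMO role holders with the OS each one runs, so you can confirm the prep has been applied while the roles still sit on the Windows 2000 DCs as Guido describes. It assumes a domain-joined Windows host with PowerShell 3.0 or later and a user who can read the directory; everything goes through ADSI, so no AD module is needed.

```powershell
# Added example (not from the thread): report the forest schema level and the
# FSMO role holders with the operating system of each owning DC.
# Assumes a domain-joined host, PowerShell 3.0+, and read access to AD.

# objectVersion values Microsoft publishes for the schema shipped with each release.
$SchemaLevels = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019 / 2022'
}

function Get-SchemaLevel {
    # adprep /forestprep raises objectVersion on the Schema NC head (13 -> 30 for 2000 -> 2003).
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]('LDAP://' + $rootDse.Properties['schemaNamingContext'].Value)
    $version = [int]$schema.Properties['objectVersion'].Value
    $label   = if ($SchemaLevels.ContainsKey($version)) { $SchemaLevels[$version] } else { 'unknown' }
    [pscustomobject]@{ ObjectVersion = $version; SchemaLevel = $label }
}

function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = $rootDse.Properties['defaultNamingContext'].Value
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $schemaNC = $rootDse.Properties['schemaNamingContext'].Value

    # Each role is recorded as the fSMORoleOwner attribute of one well-known object.
    $roleObjects = [ordered]@{
        'PDC Emulator'          = $domainNC
        'RID Master'            = "CN=RID Manager`$,CN=System,$domainNC"
        'Infrastructure Master' = "CN=Infrastructure,$domainNC"
        'Schema Master'         = $schemaNC
        'Domain Naming Master'  = "CN=Partitions,$configNC"
    }

    foreach ($role in $roleObjects.Keys) {
        $holder = [ADSI]('LDAP://' + $roleObjects[$role])
        # fSMORoleOwner is the DN of the owning DC's NTDS Settings object:
        # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        $ntdsDn   = $holder.Properties['fSMORoleOwner'].Value
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $server   = [ADSI]('LDAP://' + $serverDn)
        # The server object references the computer account, which carries operatingSystem.
        $computer = [ADSI]('LDAP://' + $server.Properties['serverReference'].Value)
        [pscustomobject]@{
            Role   = $role
            Server = $server.Properties['cn'].Value
            Site   = (($serverDn -split ',')[2]) -replace '^CN=', ''
            OS     = $computer.Properties['operatingSystem'].Value
        }
    }
}

Get-SchemaLevel
Get-FsmoRoleHolders | Format-Table -AutoSize
```

Run it before and after adprep /forestprep: ObjectVersion moves from 13 to 30, while every role should still report a Windows 2000 server until you deliberately transfer it.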
[ActiveDir] Display specifier dsa.msc
Hello,

I want to migrate an NT4 domain to 2003. I need to display the attribute employee-number in dsa.msc, on the user's properties. With a display specifier? Do I need to create a DLL? How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Summer Maintenance
Maybe I am being ignorant, but can I use sysprep if I have specialized software that I want to have on my master image?

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, July 21, 2004 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Please explain the reasoning here. Running newsid does not constitute running sysprep.

--Brian

-----Original Message-----
From: Jared Manhat [mailto:[EMAIL PROTECTED]]
Sent: Wed 7/21/2004 4:00 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

Yes, just use Ghost and run Sysinternals NewSID on each PC... BEFORE ADDING IT TO THE DOMAIN.
http://www.sysinternals.com/ntw2k/source/newsid.shtml

Jared Manhat
Systems Administrator
Accutest Laboratories
2235 Route 130
Dayton, NJ 08810
(732) 329-0200 x254

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: Wednesday, July 21, 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I have heard of using sysprep along with Ghost. From what I have read, sysprep just does the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use Ghost after the master computer has been configured?

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of Norton Ghost. It goes slower, but it won't bog down the network. Also, make sure your hop count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!)

I've done it enough times now to know that although we shouldn't have to get involved with boot floppies, sometimes things just don't go the way you plan :-) Not sure why Ghost does cause the network problems you describe, but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc.

Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic.

--Brian Desmond
mailto:[EMAIL PROTECTED]
Payton on the Web! http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED]] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing em all at once. 100 - 150 is enough to saturate your network.

--Brian

-----Original Message-----
From: Steve Rochford [mailto:[EMAIL PROTECTED]]
Sent: Fri 7/16/2004 8:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away."

We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them, so typing in anything is a no-no! As others have said, Ghost will happily rename and join to the domain, and it will also work with sysprep so you can have the best of both worlds :-)

Steve

-----Original Message-----
From: Brad Corob [mailto:[EMAIL PROTECTED]]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the *only* supported way of using imaged workstations on a network. Look into it if you haven't used it. I find it quite simple to use and extremely effective. The sysprep process can be automated. I typically find it most useful to automate all of the mini-setup answers except for computer name. The result is that as the imaged
[ActiveDir] How to restrict access to event viewer
Hi,

Can you share your experiences about how to restrict access to the event viewer to only one group? Local and remote access?

Thks.
RE: [ActiveDir] Summer Maintenance
Yep... Sysprep just takes care of the base unique Windows side of things.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: 22 July 2004 14:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant, but can I use sysprep if I have specialized software that I want to have on my master image?

-- Jake
RE: [ActiveDir] Summer Maintenance
You should of course test it anyway, post-sysprep, to ensure.

-----Original Message-----
From: Rutherford, Robert
Sent: 22 July 2004 15:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Yep... Sysprep just takes care of the base unique Windows side of things.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: 22 July 2004 14:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant, but can I use sysprep if I have specialized software that I want to have on my master image?

-- Jake
RE: [ActiveDir] Summer Maintenance
Most likely the answer is yes, speaking from experience in a K-12 setting. What is the specialized software? Why not roll out the software as an MSI file using group policies?

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 7:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant, but can I use sysprep if I have specialized software that I want to have on my master image?

-- Jake
[ActiveDir] Renaming The Admin Account
People,

OK, I know you guys are the Experts and I know MS says "rename it", but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-
RE: [ActiveDir] Display specifier dsa.msc
Cannot do this with a display specifier; you will have to create your own DLL to do this and register it on every machine where you want the extension to be visible. Have a look in the archive for this list for some detailed posts on this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olivier BATARD
Sent: 22 July 2004 03:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Display specifier dsa.msc

Hello,

I want to migrate an NT4 domain to 2003. I need to display the attribute employee-number in dsa.msc, on the user's properties. With a display specifier? Do I need to create a DLL? How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Renaming The Admin Account
1) The easiest way to see would have been to test it - the answer is they would see the accounts and granted permissions.

2) I'm not sure what you mean? What is a standard? There isn't really one, as it depends on the environment. A good rule is of course not to give everybody full control and not to use deny, as it complicates things. If you want to be precise about what you want to achieve, I'm sure we could help.

BR
Rob

-----Original Message-----
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2004 15:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says "rename it", but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-
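To make Rob's answer concrete, here is an added example (not code from Rocky, Rob or the list): it lists the ACEs on a file or folder the way NTFS actually stores them, by SID, beside the name each SID resolves to right now, and flags where the ACL strays from the standard in Rocky's post. It also shows why renaming the Administrator account is cosmetic as far as ACLs go: the ACE keeps the RID-500 SID, and the ACL editor displays whatever name that SID resolves to today. It assumes a Windows host with PowerShell 3.0 or later; the path in the usage line is only a sample.

```powershell
# Added example (not from the thread): audit the NTFS ACEs on a path by SID,
# resolve each SID to its current account name, and flag deviations from
# "Full Control for Local Admin, Domain Admin and System; Modify for Everyone".
# Assumes PowerShell 3.0+ on Windows.

$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$Modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify

function Get-NtfsAceReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Get-Acl shows names where it can; translate back to the SID the ACE really holds.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        # Resolve forward again: this is the name the ACL editor shows today,
        # so a renamed Administrator account appears under its new name.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<orphaned SID>' }

        $rights = [int]$ace.FileSystemRights
        $notes  = @()

        # The built-in Administrator keeps RID 500 whatever it is called.
        if ($sid.Value -match '^S-1-5-21-\d+-\d+-\d+-500$') {
            $notes += 'built-in Administrator (RID 500)'
        }

        # Accounts the thread's standard allows to hold Full Control:
        # BUILTIN\Administrators, SYSTEM, Domain Admins (RID 512), Administrator (RID 500).
        $privileged = $sid.Value -eq 'S-1-5-32-544' -or
                      $sid.Value -eq 'S-1-5-18' -or
                      $sid.Value -match '^S-1-5-21-\d+-\d+-\d+-(500|512)$'
        if ($ace.AccessControlType -eq 'Allow' -and
            ($rights -band $FullControl) -eq $FullControl -and -not $privileged) {
            $notes += 'Full Control outside Admins/SYSTEM'
        }

        # Everyone (S-1-1-0) should get Modify at most. Conservative: generic rights
        # on inherit-only ACEs carry bits beyond Modify and are flagged as well.
        if ($sid.Value -eq 'S-1-1-0' -and $ace.AccessControlType -eq 'Allow' -and
            ($rights -band (-bnot $Modify)) -ne 0) {
            $notes += 'Everyone has more than Modify'
        }

        [pscustomobject]@{
            Identity  = $name
            Sid       = $sid.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Notes     = ($notes -join '; ')
        }
    }
}

# Sample usage: the system root is only an illustrative path.
Get-NtfsAceReport -Path $env:SystemRoot | Format-Table -AutoSize
```

Run it once, rename the local Administrator account, and run it again: the Sid column is unchanged while the Identity column follows the new name, which is what the user sees in the ACL editor.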
[ActiveDir] AD and WINS
Is there a way to restrict access to WINS like DNS in Server 2003? For example, if we want the DNS admins to administer the WINS servers, how do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario
RE: [ActiveDir] AD and WINS
I believe access to WINS requires local admin access. To allow them to administer WINS, they will have to be a local admin on the box where WINS is running.

Denny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003? For example, if we want the DNS admins to administer the WINS servers, how do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario
RE: [ActiveDir] AD and WINS
I think Server op will do it. -Original Message- From: Depp, Dennis M. [mailto:[EMAIL PROTECTED] Sent: 22 July 2004 16:04 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS I believe access to WINS requires local admin access. To allow them to administer WINS, they will have to be a local admin on the box where WINS is running. Denny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Thursday, July 22, 2004 10:51 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] AD and WINS Is there a way to restrict access to WINS like DNS in Server 2003? For Example, if we want the DNS admins to Administer the Wins servers, how do you go about give them access just to WINS administration? Any help would be appreciate it! Thanks, Mario *** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. *** List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. 
RE: [ActiveDir] Possible OT: Network boot disk with windows 2003.
Barts is the best, especially on CD :)

Clyde,

Check out www.bootdisk.com. Under the Network boot disks give Barts a shot. It's pretty good and customizable.

Dave
--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597  DSN: 276-4597
[EMAIL PROTECTED]
--

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burns, Clyde
Sent: Wednesday, July 21, 2004 6:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possible OT: Network boot disk with windows 2003.

Does anyone know of a way to get a DOS network boot diskette to authenticate in a Windows 2003 AD domain short of disabling the following on the DC's local policy?

Domain Member: Digitally encrypt or sign secure channel data (always)
Microsoft network server: Digitally sign communication (always)

Thanks
Clyde Burns
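Before touching either of the two policies Clyde names, an admin would want to see what the DCs actually enforce. The following is an added example (not from the list thread, not a Microsoft or Bart's tool) that reads the registry values those two policy settings write, on one or more DCs, and reports whether signing is required. It is read-only; it assumes PowerShell remoting and local admin rights on the servers, and the host name is a placeholder.

```powershell
# Added example: report whether a DC requires secure-channel signing/sealing and
# SMB server signing. Read-only; assumes PowerShell remoting to the servers.
$Servers = @('dc01.example.com')   # placeholder host name

function Get-SigningPolicy {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Both policies are stored under these service keys whether set locally or by GPO.
        $netlogon  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $lanmanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

        # "Domain member: Digitally encrypt or sign secure channel data (always)"
        $signOrSeal = (Get-ItemProperty -Path $netlogon -Name RequireSignOrSeal `
                        -ErrorAction SilentlyContinue).RequireSignOrSeal

        # "Microsoft network server: Digitally sign communications (always)"
        $smbSigning = (Get-ItemProperty -Path $lanmanSrv -Name RequireSecuritySignature `
                        -ErrorAction SilentlyContinue).RequireSecuritySignature

        [pscustomobject]@{
            Server                        = $env:COMPUTERNAME
            SecureChannelSignOrSealAlways = ($signOrSeal -eq 1)
            SmbServerSigningAlways        = ($smbSigning -eq 1)
        }
    }
}

Get-SigningPolicy -ComputerName $Servers | Format-Table Server, SecureChannelSignOrSealAlways, SmbServerSigningAlways -AutoSize
```

A value of 1 means the setting is enforced and an unsigned DOS client will be refused, which is the situation the question describes; a DC that reports `$false` for SMB signing is accepting unsigned sessions from every client, not only the boot disk, so the report is also a useful hardening check in its own right.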
RE: [ActiveDir] Display specifier dsa.msc
If all you want to do is view the attribute in ADUC's right pane as a column, you can with display specifiers. Start with this link to add the column:
http://msdn.microsoft.com/library/en-us/ad/ad/modifying_existing_user_interfaces.asp?frame=true

If you need to be able to modify it, you can create a new property page COM object (harder) or add an entry to the context menu when you right-click on it (easier). Check out Chapter 24 of the O'Reilly Active Directory 2nd edition book for a good overview of how to do it by integrating a simple script into the context menu.

The combination of the display column and the context menu script may give you a cheap and cheerful way of accomplishing what you want.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nicolas Blank
Sent: Thursday, July 22, 2004 10:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Display specifier dsa.msc

Cannot do this with a display specifier; you will have to create your own DLL to do this and register it on every machine you want the extension to be visible on. Have a look in the archive for this list for some detailed posts on this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olivier BATARD
Sent: 22 July 2004 03:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Display specifier dsa.msc

Hello,

I want to migrate an NT4 domain to 2003. I need to display the attribute employee-number in dsa.msc, on the user's properties. With a display specifier? Do I need to create a DLL? How can I do that?

Thanks,
Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
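The column route the first reply describes is a single attribute write in the Configuration partition. The following is an added example (not from the thread and not Microsoft's documentation code) that adds employeeNumber as an ADUC column by appending to the extraColumns attribute of a display specifier. It assumes the ActiveDirectory PowerShell module, rights to write the Configuration partition, the English locale container (409), and the extraColumns value format "ldapDisplayName,header,default visibility,width,unused" from the MSDN page linked above; which display specifier object to edit (default-Display versus organizationalUnit-Display) is an assumption you should confirm against that page for your container types.

```powershell
# Added example: add an attribute as an optional column in the ADUC list view by
# editing the extraColumns attribute of a display specifier. Assumes the
# ActiveDirectory module and rights to write the Configuration partition.
Import-Module ActiveDirectory

function Add-AducExtraColumn {
    param(
        [string]$Attribute = 'employeeNumber',
        [string]$Header    = 'Employee Number',
        [int]$Width        = 100,
        [bool]$Visible     = $false,            # $true shows the column without View > Add/Remove Columns
        [string]$Specifier = 'default-Display', # assumption: containers with no specifier of their own;
                                                # use 'organizationalUnit-Display' for OU views
        [string]$Locale    = '409'              # English display specifiers
    )
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$Specifier,CN=$Locale,CN=DisplaySpecifiers,$cfg"

    # Value format (assumed from the MSDN page cited in the reply):
    #   ldapDisplayName,column header,default visibility,width,unused
    $value = '{0},{1},{2},{3},0' -f $Attribute, $Header, [int]$Visible, $Width

    # Make the change idempotent: read the current multi-valued attribute first.
    $current = (Get-ADObject -Identity $dn -Properties extraColumns).extraColumns
    if ($current -contains $value) {
        return "Already present on $dn"
    }

    Set-ADObject -Identity $dn -Add @{ extraColumns = $value }
    return "Added '$value' to $dn (restart ADUC to see the column)"
}

Add-AducExtraColumn
```

Because the specifier lives in the Configuration partition, the change replicates forest-wide and applies to every admin workstation at once, which is exactly why no per-machine DLL registration is needed for the read-only column; the context-menu script the reply mentions (adminContextMenu on the user-Display specifier) is the matching write path.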
RE: [ActiveDir] Renaming The Admin Account
I'll answer the second question first: When assigning NTFS permissions to resources, I select the local Administrators group and the local System account with Full Control. I then select the appropriate control group or groups, or individual accounts (domain accounts), and set them with the appropriate permissions. I NEVER set control groups or individuals with Full Control. The highest permission they get is Modify when appropriate. That prevents them from removing the local Administrators and/or System account (which breaks backup and recovery processes).

For the first question, the users see the permissions for all accounts that are permitted on the resource IF they see the security tab. With some share connections, users don't see the security tab, so they can't see the permissions at all.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
-
RE: [ActiveDir] Renaming The Admin Account
Rob,

We set permissions on our Users' PCs according to Trusted Systems Services' Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the Security NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it.

If we rename the Domain Admin account to JohnDoe and then create a bogus account called Administrator, obviously, when we go set permissions on a system, we are not going to select the Administrator account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select JohnDoe and grant him Full Control as that pretty much tells people where the Domain Admin account is.

So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is?

As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again.

Now convince me to do it.

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

1) The easiest way to see would have been to test it - the answer is they would see the accounts and granted permissions.

2) I'm not sure what you mean? What is a standard? There isn't really one as it depends on the environment. A good rule is of course not to give everybody full control and not to use deny as it complicates things. If you want to be precise with what you want to achieve, I'm sure we could help.

BR
Rob

-----Original Message-----
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2004 15:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
-
Re: [ActiveDir] Renaming The Admin Account
The admin tools resolve the SID to the friendly name for you. In other words, you're not actually working with the friendly names when viewing or assigning permissions, but this is how it appears to you.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
-

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] Renaming The Admin Account
Umm... In the default install NTFS permissions are set up via GROUP ACEs instead of an individual ACE for the local administrator account. If you look at the NTFS permissions on %systemroot%\system32 you will see permissions only for GROUPS, not individual accounts (e.g. Administrators, Creator Owner, Power Users, System, Users).

Also remember that the ACE is actually a stamp with the SID of the group or user. The GUI and OS actually do the translation of the SID to the friendly display name. For example the well-known SID of the local administrator account is S-1-5-<domain/workstation SID>-500. (See http://support.microsoft.com/?kbid=243330.) The actual display name of the account is irrelevant except for us humans; the OS will translate that display name or login name to the SID when checking permissions. When you rename the local administrator account nothing happens except for changing the effective display name and the name that us humans use to log in with. The SID still stays the same and all of the permissions are the same.

So for your questions...

1. IF you have ACL'd things with the actual Admin account instead of groups, what is displayed to the user in the GUI is the display name of the Admin account. If you have renamed the Admin account then the renamed display name is what is shown (e.g. Administrator = Admin).

2. What are you asking here?? If as an admin you want to permission the local Admin account to the folder then this is a bad idea. Use groups instead of individual accounts. If you actually need to do this then what you will pick in the GUI is the renamed admin account (e.g. Admin).

-Stuart Fuller

-----Original Message-----
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 22, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
-
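Stuart's and Tony's point, that an ACE holds a SID and the tools merely translate it to a name, is easy to see from the shell, and it answers Rocky's "what do users see" question the way an auditor would check it. The following is an added example (not from the thread) that lists every ACE on a folder together with the SID behind its display name, and flags the entries that grant rights to the RID 500 account regardless of what it is currently called, plus any Full Control grants. It assumes Windows PowerShell 5.1 or later and read access to the folder's ACL; the path is a placeholder.

```powershell
# Added example: show the SID behind each ACE on a folder and flag ACEs that
# grant rights to the built-in Administrator (RID 500) or grant Full Control.
# Assumes Windows PowerShell 5.1+ and read access to the ACL.
param(
    [string]$Path = 'C:\Data\Finance'   # placeholder path
)

function Get-AceReport {
    param([string]$FolderPath)

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $FolderPath

    foreach ($ace in $acl.Access) {
        # Get-Acl shows a friendly name; translate it back to the SID the OS evaluates.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            $sid = $null   # orphaned or unresolvable SID
        }

        # RID 500 is the built-in Administrator of the machine or domain,
        # whatever the account has been renamed to (KB 243330 cited above).
        $isBuiltinAdmin = ($null -ne $sid) -and ($sid.Value -match '-500$')

        [pscustomobject]@{
            Folder       = $FolderPath
            DisplayName  = $ace.IdentityReference.Value
            Sid          = if ($sid) { $sid.Value } else { '(unresolvable)' }
            Rights       = $ace.FileSystemRights
            Type         = $ace.AccessControlType
            Inherited    = $ace.IsInherited
            BuiltinAdmin = $isBuiltinAdmin
            FullControl  = (($ace.FileSystemRights -band $fullControl) -eq $fullControl)
        }
    }
}

Get-AceReport -FolderPath $Path |
    Sort-Object BuiltinAdmin, FullControl -Descending |
    Format-Table DisplayName, Sid, Rights, Type, Inherited, BuiltinAdmin, FullControl -AutoSize
```

Run against a folder where the renamed Administrator was granted rights directly, the Sid column still ends in -500 while DisplayName shows the new name, which is the point of the thread: renaming changes what people see in the GUI, not what the ACE contains. Entries flagged BuiltinAdmin are the ones Stuart recommends replacing with a group such as local Administrators.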
RE: [ActiveDir] Summer Maintenance
MSI is good for some stuff but not for labs that are reimaged a few times a week.

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, July 22, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Most likely the answer is yes, speaking from experience in a K-12 setting. What is the specialized software? Why not roll out the software as an msi file using group policies?

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 7:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant but can I use sysprep if I have specialized software that I want to have on my master image??

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, July 21, 2004 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Please explain the reasoning here. Running newsid does not constitute running sysprep.

--Brian

-----Original Message-----
From: Jared Manhat [mailto:[EMAIL PROTECTED]]
Sent: Wed 7/21/2004 4:00 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

Yes, just use Ghost and run Sysinternals NewSID on each PC BEFORE ADDING IT TO THE DOMAIN.
http://www.sysinternals.com/ntw2k/source/newsid.shtml

Jared Manhat
Systems Administrator
Accutest Laboratories
2235 Route 130
Dayton, NJ 08810
(732) 329-0200 x254

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: Wednesday, July 21, 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I have word of using sysprep along with Ghost. From what I have read sysprep just does the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use Ghost after the master computer has been configured?

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of Norton Ghost. It goes slower but it won't bog down the network. Also, make sure your hop count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies sometimes things just don't go the way you plan :-)

Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc.

Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED]] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve.

I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing 'em all at once. 100 - 150 is enough to saturate your network.

--Brian

-----Original Message-----
From: Steve Rochford [mailto:[EMAIL PROTECTED]]
Sent: Fri 7/16/2004 8:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are powered up, the admin will type in each unique
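Jared's step, "run NewSID on each PC before adding it to the domain", is the one that silently fails when a lab is cloned straight from Ghost, and Brian's objection is that NewSID alone is not sysprep. Either way, the thing worth verifying before the join is that no two machines share a machine SID. The following is an added example (not from the thread, not a Sysinternals tool) that collects the machine SID from each lab computer and reports any SID that appears more than once. It assumes PowerShell remoting, local admin on the targets, and a Windows version with the Microsoft.PowerShell.LocalAccounts module; the host names are placeholders.

```powershell
# Added example: detect cloned machines that still share a machine SID.
# Assumes PowerShell remoting and the LocalAccounts module on the targets.
$LabComputers = @('lab-01', 'lab-02', 'lab-03')   # placeholder host names

function Find-DuplicateMachineSid {
    param([string[]]$ComputerName)

    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # The machine SID is the account-domain part of every local account SID.
        # The built-in Administrator (RID 500) always exists, so derive it from that
        # account rather than from a name that may have been changed.
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' } | Select-Object -First 1
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MachineSid = $admin.SID.AccountDomainSid.Value
        }
    }

    # Any SID shared by two or more computers marks clones that were never re-SIDed.
    $results | Group-Object MachineSid | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            MachineSid = $_.Name
            Computers  = ($_.Group.Computer -join ', ')
        }
    }
}

$dupes = Find-DuplicateMachineSid -ComputerName $LabComputers
if ($dupes) {
    $dupes | Format-Table MachineSid, Computers -AutoSize
} else {
    'No duplicate machine SIDs found.'
}
```

Running this on the freshly imaged lab before the domain join turns Jared's capitalised warning into a check rather than a convention; a non-empty result means those machines need sysprep (or, in the 2004 toolset, NewSID) before they go any further.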
[ActiveDir] Exceeding the LDAP Look Through Limit
I have a customer who has created an OU and populated it with objects that have many attributes. He is now encountering this error:

[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026 ]; remaining name 'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan'

Is there a maximum size limitation for user defined objects in AD? Can that value be modified? Where would one modify it? Would it be in the LDAP policies/protocols configuration?

TIA!
Steve
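The LDAP policy limits Steve is asking about are stored on the default query policy object in the Configuration partition (the same values ntdsutil's "LDAP policies" menu shows). The following is an added example (not from the thread) that reads them with the ActiveDirectory module and prints them as a table, which is the first thing to look at when a client reports ADMIN_LIMIT_EXCEEDED. It assumes RSAT's ActiveDirectory module and a reachable DC; it makes no changes and does not diagnose which limit the posted error hit.

```powershell
# Added example: read the LDAP administrative limits from the default query policy.
# Read-only; assumes the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-LdapAdminLimits {
    param([string]$Server)   # optional DC to query; defaults to the module's discovered DC

    $target = @{}
    if ($Server) { $target.Server = $Server }

    $rootDse  = Get-ADRootDSE @target
    $policyDn = 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,' +
                'CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext

    $policy = Get-ADObject @target -Identity $policyDn -Properties lDAPAdminLimits

    # lDAPAdminLimits is multi-valued, each value "Name=Value" (e.g. MaxPageSize=1000).
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        [pscustomobject]@{
            Limit  = $name
            Value  = [int]$value
            Policy = $policyDn
        }
    }
}

Get-LdapAdminLimits | Sort-Object Limit | Format-Table Limit, Value -AutoSize
```

A DC can also be bound to a site-specific or server-specific query policy via the queryPolicyObject attribute of its NTDS Settings object, in which case the default policy is not the one in effect; check that attribute before editing limits, and remember that raising a limit trades off the resource protection it provides on every client that queries the DC.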
RE: [ActiveDir] Renaming The Admin Account
Rocky

You shouldn't actually need to assign permissions directly to the domain Administrator account. Generally the account should be left well alone and only used when absolutely necessary. If you really need to assign permissions to domain administrators, use the Domain Admins group instead.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 22 Jul 2004 11:18:47 -0400

Rob,

We set permissions on our Users' PCs according to Trusted Systems Services' Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the Security NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it.

If we rename the Domain Admin account to JohnDoe and then create a bogus account called Administrator, obviously, when we go set permissions on a system, we are not going to select the Administrator account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select JohnDoe and grant him Full Control as that pretty much tells people where the Domain Admin account is.

So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is?

As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again.

Now convince me to do it.

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

1) The easiest way to see would have been to test it - the answer is they would see the accounts and granted permissions.

2) I'm not sure what you mean? What is a standard? There isn't really one as it depends on the environment. A good rule is of course not to give everybody full control and not to use deny as it complicates things. If you want to be precise with what you want to achieve, I'm sure we could help.

BR
Rob

-----Original Message-----
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2004 15:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
-
RE: [ActiveDir] AD and WINS
You can make a Global security group in the AD called WINS Admins and then add the group to the local Administrators group of the WINS servers either manually or via a GPO. Then all you have to do is populate the AD group with the users.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-----Original Message-----
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I believe access to WINS requires local admin access. To allow them to administer WINS, they will have to be a local admin on the box where WINS is running.

Denny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003? For example, if we want the DNS admins to administer the WINS servers, how do you go about giving them access just to WINS administration? Any help would be appreciated!

Thanks,
Mario
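The three answers in this thread agree on the mechanism: WINS has no delegation model of its own, so the DNS admins need local Administrators membership on the WINS servers, and the way to keep that from sprawling is a dedicated AD group added only to those servers. The following is an added example (not from the thread) that implements the last reply with current tooling: it creates the global group, adds it to local Administrators on each WINS server, and returns the resulting membership for review. It assumes RSAT's ActiveDirectory module, PowerShell remoting to the servers, and the Microsoft.PowerShell.LocalAccounts module on them; the domain, OU, server and user names are placeholders.

```powershell
# Added example: delegate WINS administration by scoping local admin rights to a
# dedicated AD group on the WINS servers only. Assumes the ActiveDirectory module,
# PowerShell remoting, and the LocalAccounts module on the targets.
Import-Module ActiveDirectory

$GroupName     = 'WINS Admins'
$GroupOu       = 'OU=Admin Groups,DC=example,DC=com'            # placeholder OU
$WinsServers   = @('wins01.example.com', 'wins02.example.com')  # placeholder hosts
$DomainNetbios = (Get-ADDomain).NetBIOSName

# 1. Create the global security group once; re-running the script is harmless.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOu `
        -Description 'Local Administrators on WINS servers only'
}

# 2. Add the group to local Administrators on the WINS servers and nowhere else.
#    Local admin is full control of that box, so the membership must stay scoped to
#    these hosts; a GPO (Restricted Groups) linked to the WINS servers' OU is the
#    equivalent the reply mentions, and it also reverts drift.
$member = "$DomainNetbios\$GroupName"
Invoke-Command -ComputerName $WinsServers -ArgumentList $member -ScriptBlock {
    param([string]$Member)

    $already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $Member }
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
    }

    # Return the full membership so the caller can spot anything that should not be there.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
} | Format-Table Server, Name, ObjectClass, PrincipalSource -AutoSize

# 3. Populate the AD group with the DNS admins who also need WINS (placeholder user).
# Add-ADGroupMember -Identity $GroupName -Members 'jdoe'
```

Because membership is managed in AD, removing someone from WINS Admins revokes their local admin on every WINS server at once, and the returned membership table doubles as a periodic audit of who actually holds admin on those boxes.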
RE: [ActiveDir] Renaming The Admin Account
Right! My point exactly! So if your policy is to include the Domain Admin in NTFS permissions, there's no point in renaming your Domain Admin account.

Thanks Tony.

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account

The admin tools resolve the SID to the friendly name for you. In other words, you're not actually working with the friendly names when viewing or assigning permissions, but this is how it appears to you.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (at least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH
-
Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
-

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] Renaming The Admin Account
I apologise, but your question was not that clear to me. 1) If you want to stop them seeing an account/permissions then the de-selecting or denying the 'read permissions' advanced permission should work. 2) Permissions are typically based on group anyway, thus they wouldn't see the admin name. Rob -Original Message- From: Rocky Habeeb [mailto:[EMAIL PROTECTED] Sent: 22 July 2004 16:19 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account Rob, We set permissions on our Users PCs according to Trusted Systems Services Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the Security NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it. If we rename the Domain Admin account to JohnDoe and then create a bogus account called Administrator, obviously, when we go set permissions on a system, we are not going to select the Administrator account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select JohnDoe and grant him Full Control as that pretty much tells people where the Domain Admin account is. So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is. As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again. Now convince me to do it. 
RH -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rutherford, Robert Sent: Thursday, July 22, 2004 10:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account 1) The easiest way to see would have been to test it - the answer is they would see the accounts and granted permissions. 2) I'm not sure what you mean? What is a standard? There isn't really one as it depends on the environment. A good rule is of course not to give everybody full control and not to use deny as it complicates things. If you can be precise about what you want to achieve, I'm sure we could help. BR Rob -Original Message- From: Rocky Habeeb [mailto:[EMAIL PROTECTED] Sent: 22 July 2004 15:25 To: [EMAIL PROTECTED] Subject: [ActiveDir] Renaming The Admin Account People, OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please. Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (At least where it is not a security risk). [1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects? [2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects? Thanks RH - Rocky Habeeb Microsoft Systems Administrator - James W. Sewall Company Old Town, Maine - 207.827.4456 habr @ jws.com www.jws.com - List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer.
Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive:
[ActiveDir] W2k3 DNS Scalability
Potentially interesting oddity occurred today... Our primary and secondary Windows 2003 / AD-integrated DNS server services abended at almost the exact same time. I have custom WMI monitoring set to auto-restart them, send email, call the president, and of course... raise the national threat level. The servers are dedicated AD boxes, so no rogue software or odd config. The servers are Dell PowerEdge 2560s with 4 GB RAM, 3.06GHz processors and lots of disk space on a RAID 1 / RAID 5 config. The reason that I suspect performance / scalability is that when I checked the utilization trend reports, each server was averaging 82 queries/sec. But surely, the servers can handle more. Heck, the overall CPU utilization is about 3%. We have most of the Windows platform using these two DNS servers, but still have more to go. Eventually the load will be distributed among the additional AD DCs we will soon have. But I was very surprised to see the processes crash. All other trended perfmon metrics were well within reason. Any thoughts? Anyone perform specific DNS customizations to their respective dedicated AD DNS servers? TIA. Eric Jones, Senior SE Intel Server Group (W) 336.424.3084 (M) 336.457.2591 www.vfc.com
RE: [ActiveDir] Renaming The Admin Account
If you just remember the principle "put users in group, assign permission to group", then you'll remember that neither JohnDoe nor Administrator should show up anywhere in your ACL enumeration. Rather, your ACL will look something like this:
Computername\AdministratorS - F
System - F
etc, etc.
You will NOT need to add the following to the ACL:
ComputerName\Administrator (notice the missing "S")
Domain Admins
Domain\Administrator
Why? First, because by adding Computername\AdministratorS in the first example, you have essentially taken care of the three in the second example. "Domain\Administrator" is a member of "Domain Admins", which is a member of Computername\AdministratorS. Likewise, "ComputerName\Administrator" is a member of "Computername\AdministratorS". Then your fear about your users knowing the name of your Domain Admin account becomes non-existent (although this should have been of no concern in the first place). If anyone looks at the permission on an object, they won't see those 3 listed. Now, as to how your ACL "may" be messed up by an account rename. You need to remember that an account's name is not THE significant part when ACE/ACL are concerned. It's the account's SID, and this does NOT change, even after you've renamed an account. Your permissions will still persist through a rename. As to the problem you encountered after renaming a DA, I can only speculate that there was "something else" causing that. I ALWAYS rename my DAs. Been doing it for a while now without running into a similar problem. Are you convinced yet? Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon From: Rocky Habeeb Sent: Thu 7/22/2004 8:18 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account Rob, We set permissions on our Users' PCs according to the Trusted Systems Services Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it. If we rename the Domain Admin account to "JohnDoe" and then create a bogus account called "Administrator", obviously, when we go set permissions on a system, we are not going to select the "Administrator" account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select "JohnDoe" and grant him Full Control as that pretty much tells people where the Domain Admin account is. So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is? As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again. Now convince me to do it. RH
[ActiveDir] W2k3 DNS Scalability - More NFO
Potentially interesting oddity occurred today... Our primary and secondary Windows 2003 / AD-integrated DNS server services abended at almost the exact same time with the following error message in the event log: Reporting queued error: faulting application dns.exe, version 5.2.3790.0, faulting module msvcrt.dll, version 7.0.3790.0, fault address 0x000351e4. I have custom WMI monitoring set to auto-restart DNS, send email, call the president, and of course... raise the national threat level. The servers are dedicated AD boxes, so no rogue software or odd config. The servers are Dell PowerEdge 2560s with 4 GB RAM, 3.06GHz processors and lots of disk space on a RAID 1 / RAID 5 config. The reason that I suspect performance / scalability is that when I checked the utilization trend reports, each server was averaging 82 queries/sec. But surely, the servers can handle more. Heck, the overall CPU utilization is about 3%. We have most of the Windows platform using these two DNS servers, but still have more to go. Eventually the load will be distributed among the additional AD DCs we will soon have. But I was very surprised to see the processes crash. All other trended perfmon metrics were well within reason. Any thoughts? Anyone perform specific DNS customizations to their respective dedicated AD DNS servers? TIA. Eric Jones, Senior SE Intel Server Group (W) 336.424.3084 (M) 336.457.2591 www.vfc.com
RE: [ActiveDir] AD and WINS
Do they have to be local Admins, or will Server op work as well? Denny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT) Sent: Thursday, July 22, 2004 11:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS You can make a Global security group in the AD called Wins Admins and then add the group to the local administrators group of the WINS servers either manually or via a GPO. Then all you have to do is populate the AD group with the users. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert Sent: Thursday, July 22, 2004 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS I think Server op will do it. -Original Message- From: Depp, Dennis M. [mailto:[EMAIL PROTECTED] Sent: 22 July 2004 16:04 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS I believe access to WINS requires local admin access. To allow them to administer WINS, they will have to be a local admin on the box where WINS is running. Denny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Thursday, July 22, 2004 10:51 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] AD and WINS Is there a way to restrict access to WINS like DNS in Server 2003? For example, if we want the DNS admins to administer the WINS servers, how do you go about giving them access just to WINS administration? Any help would be appreciated! Thanks, Mario *** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.
*** List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
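The delegation the replies above describe (a global group in AD, added to the local Administrators group of each WINS server, then populated with the people who need WINS rights) as an added PowerShell example; this is not code from the thread. The group OU, the server names, the delegate user names and the presence of the ActiveDirectory module (RSAT) on the admin workstation are assumptions.

```powershell
# Added example, not from the thread: a global security group holds the WINS admins, the
# group is added to the local Administrators group on each WINS server (the "manual" route
# the reply mentions; Restricted Groups in a GPO is the other), and the membership is read
# back on each server to verify. OU, server names and user names are assumptions.
Import-Module ActiveDirectory

$groupName   = 'WINS Admins'
$groupOu     = 'OU=Admin Groups,DC=example,DC=com'   # assumption
$winsServers = @('wins1', 'wins2')                    # assumption
$delegates   = @('dnsadmin1', 'dnsadmin2')            # assumption: the DNS admins to delegate to
$netbiosDom  = $env:USERDOMAIN

# Create the group once; it is a plain global security group, nothing special about it
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOu
}
Add-ADGroupMember -Identity $groupName -Members $delegates

foreach ($server in $winsServers) {
    Invoke-Command -ComputerName $server -ArgumentList "$netbiosDom\$groupName" -ScriptBlock {
        param([string]$Member)
        # Add the domain group to the local Administrators group; "already a member" is harmless
        $null = net localgroup Administrators "$Member" /add 2>&1
        # Read the membership back on the box itself so the change is verified where it matters
        "$env:COMPUTERNAME Administrators:"
        net localgroup Administrators |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    }
}
```

Rights are granted to the group, never to the individual accounts, so adding or removing a WINS admin later is a group-membership change and nothing on the servers has to be touched.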
RE: [ActiveDir] Exceeding the LDAP Look Through Limit
By the looks of this - he's getting the error when doing an LDAP query, correct? The Admin limit limits the number of results that are returned in a query, I believe the default is 1000 in w2k and 1500 in w2k3. I think this is the error you're seeing. If you need to retrieve more than this number, you need to use paged results. Search MSDN for "LDAP paged results" for more info. Paul Cotter Microsoft MVP - MIIS 2003 ~nodisc. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear Sent: Thursday, July 22, 2004 10:40 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Exceeding the LDAP Look Through Limit I have a customer who has created an OU and populated it with objects that have many attributes. He is now encountering this error: "[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026]; remaining name 'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan'" Is there a maximum size limitation for user defined objects in AD? Can that value be modified? Where would one modify it? Would it be in the LDAP policies/protocols configuration? TIA! Steve
RE: [ActiveDir] Renaming The Admin Account
Well there is... Not much but you may as well. It just makes it that little bit more difficult for the novice hacker/opportunist shoulder surfer. -Original Message- From: Rocky Habeeb [mailto:[EMAIL PROTECTED] Sent: 22 July 2004 16:53 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account Right! My point exactly! So if your policy is to include the Domain Admin in NTFS permissions, there's no point in renaming your Domain Admin account. Thanks Tony. RH -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tony Murray Sent: Thursday, July 22, 2004 11:25 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Renaming The Admin Account The admin tools resolve the SID to the friendly name for you. In other words, you're not actually working with the friendly names when viewing or assigning permissions, but this is how it appears to you. Tony -- Original Message -- From: KJVZCMHVIBGDADRZFSQHYUCDDJBLV Reply-To: [EMAIL PROTECTED] Date: Thu, 22 Jul 2004 10:25:14 -0400 People, OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please. Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (At least where it is not a security risk). [1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects? [2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects? Thanks RH - Rocky Habeeb Microsoft Systems Administrator - James W.
Sewall Company Old Town, Maine - 207.827.4456 habr @ jws.com www.jws.com - List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Renaming The Admin Account
You are confusing several different user/group objects: 1. The domain account named Administrator 2. The domain group named Domain Admins 3. The local account named Administrator 4. The local group named Administrators (note the s at the end) The security guidelines say that you should rename numbers 1 and 3 above. Default configuration for a domain has: 1. The domain account Administrator is a member of the domain group Domain Admins 2. The domain group Domain Admins is a member of the local group Administrators (with the s) on each domain member. You could then use the local group Administrators to grant the appropriate NTFS permissions to files/folders. Users that then looked at the NTFS permissions would only see the group name. However for the more technically savvy people out there, renaming the local Administrator account is not fool proof since it has a well-known SID. The built-in Administrator account is the only one that ends in -500. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Thursday, July 22, 2004 8:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account Right! My point exactly! So if your policy is to include the Domain Admin in NTFS permissions, there's no point in renaming your Domain Admin account. Thanks Tony. RH -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tony Murray Sent: Thursday, July 22, 2004 11:25 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Renaming The Admin Account The admin tools resolve the SID to the friendly name for you. In other words, you're not actually working with the friendly names when viewing or assigning permissions, but this is how it appears to you. Tony -- Original Message -- From: KJVZCMHVIBGDADRZFSQHYUCDDJBLV Reply-To: [EMAIL PROTECTED] Date: Thu, 22 Jul 2004 10:25:14 -0400 People, OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.
Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (At least where it is not a security risk). [1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects? [2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects? Thanks RH - Rocky Habeeb Microsoft Systems Administrator - James W. Sewall Company Old Town, Maine - 207.827.4456 habr @ jws.com www.jws.com - List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exceeding the LDAP Look Through Limit
I could probably tell you which admin limit you're exceeding if you tell me the OS version / service pack level. Most admin limits are there to protect perf of the box and prevent against DoS attacks. Better than changing the limits would be to change the query to use LDAP RFC-compliant ways of performing the action w/o changing limits. For example, if the limit is # of objects returned per page, rather than using a huge page you'd do a paged search. So the questions that would be of interest: 1) OS and service pack level 2) What is the action being performed (as an example, if this is a search, baseDN + scope + filter) Thanks! ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear Sent: Thursday, July 22, 2004 10:40 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Exceeding the LDAP Look Through Limit I have a customer who has created an OU and populated it with objects that have many attributes. He is now encountering this error: [LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026]; remaining name 'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan' Is there a maximum size limitation for user defined objects in AD? Can that value be modified? Where would one modify it? Would it be in the LDAP policies/protocols configuration? TIA! Steve
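The paged search both replies recommend (Paul's "use paged results", Eric's "rather than using a huge page you'd do a paged search"), as an added PowerShell example built on System.DirectoryServices.Protocols; this is not code from the thread. The server name, the base DN (reusing the OU that appears in the error) and the filter are assumptions.

```powershell
# Added example, not from the thread: read a result set larger than the DC's MaxPageSize by
# asking for it one page at a time (LDAP paged-results control, RFC 2696) instead of raising
# the admin limit on the DC. Server, base DN and filter are assumptions for illustration.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'dc1.jupiter.lan'                       # assumption
$baseDn   = 'ou=Subscriptions,dc=jupiter,dc=lan'    # the OU named in the thread's error
$filter   = '(objectClass=*)'
$pageSize = 500   # must not exceed the DC's MaxPageSize (1000 by default) or each page fails

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # binds as the current user

$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $baseDn, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@('distinguishedName'))
$pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($pageSize)
[void]$request.Controls.Add($pageControl)

$total = 0
$pages = 0
do {
    $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
    $total += $response.Entries.Count
    $pages++
    # The DC returns a cookie with every page; an empty cookie means the last page was read.
    $pageResponse = $response.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $pageControl.Cookie = $pageResponse.Cookie
} while ($pageControl.Cookie.Length -gt 0)

"{0} objects under {1} read in {2} page(s) of up to {3}" -f $total, $baseDn, $pages, $pageSize
```

To see what the DC actually enforces before tuning anything, the 2003-era check is ntdsutil: `ntdsutil "ldap policies" connections "connect to server dc1.jupiter.lan" q "show values" q q` prints MaxPageSize and the other administrative limits.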
[ActiveDir] GP is denying shortcuts.
I have created a Software Restriction Policy which is Disallowed by default. I have created my additional rules to allow the paths to programs I want to run (i.e. C:\Program Files\Microsoft Office). The Enforcement properties are to restrict all software except libraries, and I have removed LNK and MDB from the Designated File Types. When a user logs in and tries to open a link to an allowed app they receive the message "C:\Program Files\ Windows cannot open this program because it's being blocked", but when they drill down to the install directory they CAN run the allowed program. This happens with links on their Desktop, Taskbar and some in the Start Menu. Anyone have any ideas or ever seen this before? Thanks Jared Manhat Systems Administrator Accutest Laboratories 2235 Route 130 Dayton, NJ 08810 (732) 329-0200 x254
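Before changing rules, a practitioner would first confirm what SRP the client has actually applied and which rule is matching the shortcut and its target. The following PowerShell diagnostic is an added example, not code from the thread or from Microsoft: it reads the applied policy from the Safer\CodeIdentifiers registry key, lists the path rules, resolves a shortcut to its target and reports which rule covers each. The shortcut path is an assumption; hash and certificate rules are not modelled.

```powershell
# Added diagnostic, not from the thread: show the Software Restriction Policy as applied on
# this client, list its path rules, and work out which rule covers a shortcut and the file
# it points to. Shortcut path is an assumption; hash/certificate rules are not modelled.

$srpKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

$cfg = Get-ItemProperty -Path $srpKey -ErrorAction Stop
$defaultLevel = if ($null -ne $cfg.DefaultLevel) { [int]$cfg.DefaultLevel } else { 262144 }
$enforce = switch ([int]$cfg.TransparentEnabled) {
    1       { 'all files except libraries' }
    2       { 'all files incl. libraries' }
    default { 'not enforced' }
}
"Default level            : $($levelNames[$defaultLevel])"
"Enforcement              : $enforce"
"LNK is a designated type : $([bool]($cfg.ExecutableTypes -contains 'LNK'))"

# Path rules live under <level>\Paths\<guid>; ItemData is the path (env vars and wildcards allowed)
$rules = foreach ($lvl in @($levelNames.Keys)) {
    $pathsKey = Join-Path $srpKey "$lvl\Paths"
    if (Test-Path $pathsKey) {
        foreach ($sub in Get-ChildItem -Path $pathsKey) {
            $item = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{
                Level = $levelNames[$lvl]
                Path  = [Environment]::ExpandEnvironmentVariables([string]$item.ItemData)
            }
        }
    }
}
$rules | Sort-Object Path | Format-Table -AutoSize

function Resolve-SrpDecision {
    param([string]$File)
    # A folder rule covers everything below it; the longest (most specific) matching rule
    # wins, and on a tie the more restrictive level does.
    $match = $rules | Where-Object {
        $prefix = $_.Path.TrimEnd('\')
        ($File -like "$prefix\*") -or ($File -like $_.Path)
    } | Sort-Object @{ Expression = { $_.Path.Length }; Descending = $true },
                    @{ Expression = { $_.Level -eq 'Disallowed' }; Descending = $true } |
        Select-Object -First 1
    if ($match) { "$File -> $($match.Level) (rule: $($match.Path))" }
    else        { "$File -> default level $($levelNames[$defaultLevel])" }
}

# Resolve the shortcut's target and test both the .lnk and the target; path is an assumption
$shortcut = 'C:\Documents and Settings\All Users\Desktop\Microsoft Word.lnk'
$target   = (New-Object -ComObject WScript.Shell).CreateShortcut($shortcut).TargetPath
Resolve-SrpDecision -File $shortcut
Resolve-SrpDecision -File $target
```

If the target resolves to a path outside every Unrestricted rule (a different drive letter, a short 8.3 form, a per-user install location), the second line shows the default Disallowed level, which is the first thing to compare against the rule list printed above.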
RE: [ActiveDir] W2K3 with W2K2
Read KB 325379. Although this document is about upgrading DCs to 2003, it has some good information you need to know - particularly if you are running Exchange 2000. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Thursday, July 22, 2004 8:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K3 with W2K2 So what I am hearing is that I can go ahead and put the Windows 2003 server in place after I run adprep /forestprep and adprep /domainprep. I understand I will not have all the capabilities of W2k3 but that's not what I am concerned about. I just want to have that box in place so that when I do decide to update, a W2k3 server is already in place. -- Jake -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, July 22, 2004 2:41 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K3 with W2K2 The Win2K3 will have to get the roles, at least the PDCE and the Domain Naming master roles, otherwise your domain will not function correctly This is not correct - the domain will still function perfectly well, but you won't be able to leverage some of the new features of Win2k3, which you'll only get after you've transferred those roles (e.g. Application Partitions, new well-known security principals and groups, Quota container etc.). However, you won't have a chance to add a 2003 DC to the 2000 domain prior to prepping it with the 2003 schema and domain updates (ADPREP) - see other reply with link to KB. So in a way Windows 2003 will have to take over the domain since you need to plan your schema update carefully. Still, you can stick to your 2000 DCs and FSMO role holders until you feel comfortable to move them. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 21, 2004 11:32 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K3 with W2K2 Let's agree that there is no PDC/BDC concept.
Now, if all you want to do is get your Domain ready for when you will eventually move to 2003, then you should just run the adprep /forestprep and adprep /domainprep in your domain and wait. IF you want to get a win2K3 DC into the Domain now, then there is this concept called WITO (hello, Joe :)). It's the Walk In, Take Over principle. The Win2K3 will have to get the roles, at least the PDCE and the Domain Naming master roles, otherwise your domain will not function correctly, and many of the benefits of a Win2K3 Domain will NOT be available to you. I have been able to get a win2K3 DC to install successfully into a test domain without transferring the roles or upgrading the DC that originally has these roles, but what I've heard and read is that is not something you want to do in a production environment. The people who taught me that (and wrote the book on that) are on this list. They may be able to explain further. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Jacob Stabl Sent: Wed 7/21/2004 1:19 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] W2K3 with W2K2 I know this issue has been talked about before but searching through some old posts in my inbox I didn't find the exact answer I was looking for. Is there a problem in joining a Windows 2003 server as a BDC in a Windows 2000 network? Will there be any problems or unavailable features? I don't want Windows 2003 to take over the domain. Reason for doing this is so next year if I decide to upgrade the domain to Windows 2003 it will be easier, I just move roles and such to that server. In my simple mind this all makes sense. Any suggestions?
Thanks -- Jacob Stabl Network Engineer Plain Local Schools http://eagle.stark.k12.oh.us Work: 330.492.3500 x.383 Cell: 330.495.7243 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
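The sequence the thread settles on (ADPREP first, then add the 2003 DC, leaving the FSMO roles on the 2000 DCs until you choose to move them) has one check worth running before the promotion: is the schema actually at the 2003 level, and who holds the roles today. The PowerShell below is an added pre-flight check, not code from the thread; it reads the schema version and the ADPREP marker containers through ADSI and lists the role holders with netdom. The version-to-release table is the usual published mapping and is included as an assumption.

```powershell
# Added pre-flight check, not from the thread: before promoting the first Windows Server 2003
# DC into a Windows 2000 domain, confirm ADPREP has extended the schema and see which DCs
# hold the FSMO roles (they can stay on the Windows 2000 DCs after ADPREP).
# ADPREP order, for reference: <2003 CD>\i386\adprep /forestprep on the schema master, then,
# once that has replicated, adprep /domainprep on each domain's infrastructure master.

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaDn = $rootDse.schemaNamingContext
$configDn = $rootDse.configurationNamingContext
$domainDn = $rootDse.defaultNamingContext

$schema  = [ADSI]"LDAP://$schemaDn"
$version = [int]"$($schema.objectVersion)"
# Assumed lookup of schema objectVersion to release (13 = Windows 2000, 30 = Windows Server 2003)
$knownVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2' }
$label = if ($knownVersions.ContainsKey($version)) { $knownVersions[$version] } else { 'later release' }
"Schema objectVersion      : $version ($label)"
if ($version -lt 30) {
    'forestprep has NOT been applied: run adprep /forestprep on the schema master before adding a 2003 DC'
} else {
    'Schema is at Windows Server 2003 level or later; forestprep has run'
}

# ADPREP records the operations it applied under these containers; their absence means it never ran
"forestprep marker present : " + [ADSI]::Exists("LDAP://CN=ForestUpdates,$configDn")
"domainprep marker present : " + [ADSI]::Exists("LDAP://CN=DomainUpdates,CN=System,$domainDn")

# Role holders: the schema master is the fSMORoleOwner of the schema NC; netdom (Support
# Tools on 2000/2003) lists all five roles so you can see they are still on the 2000 DCs.
"Schema master (fSMORoleOwner): $($schema.fSMORoleOwner)"
netdom query fsmo
```

Run it against the forest root from any domain member with the Support Tools installed; if the schema version reports 13 the promotion of a 2003 DC will be refused until forestprep has run and replicated.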
[ActiveDir] DHCP
I have an authorized DHCP server. When I add a new scope (I already had one previous working scope), it won't hand out addresses for that new scope. I have an event ID 1051 logged in the event viewer saying it is not authorized. I know I need to be an enterprise admin to authorize a DHCP server, but do I need to be one to create an additional scope as well? Thanks (and oh yeah, all my IP helper addresses are correct in my router).
RE: [ActiveDir] Renaming The Admin Account
You could argue that. But, if you consider the fact that most hackwares and viruses/trojans that carry their own account/password dictionaries don't do SID enumeration, you'd understand the significance of renaming the accounts. Because they don't do SID enumeration/translation, these hackwares are useless against your infrastructure because they just go through looking for accounts named Administrator or admin or root and similar. If they don't find one, they move on. Unless you are a direct target of concentrated hack/crack attempts, it's not common for SID translation to be done. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Rocky Habeeb Sent: Thu 7/22/2004 8:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account Right! My point exactly! So if your policy is to include the Domain Admin in NTFS permissions, there's no point in renaming your Domain Admin account. Thanks Tony. RH -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tony Murray Sent: Thursday, July 22, 2004 11:25 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Renaming The Admin Account The admin tools resolve the SID to the friendly name for you. In other words, you're not actually working with the friendly names when viewing or assigning permissions, but this is how it appears to you. Tony -- Original Message -- From: KJVZCMHVIBGDADRZFSQHYUCDDJBLV Reply-To: [EMAIL PROTECTED] Date: Thu, 22 Jul 2004 10:25:14 -0400 People, OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please. Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk). [1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects? [2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects? Thanks RH - Rocky Habeeb Microsoft Systems Administrator - James W. Sewall Company Old Town, Maine - 207.827.4456 habr @ jws.com www.jws.com - List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
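Three points made across the replies above can be shown in one script: Deji's point that an ACE holds the account's SID and survives a rename (and that granting the local Administrators group covers Domain Admins through nesting), the reply noting that the built-in Administrator account is the one whose SID ends in -500 whatever it is called, and Deji's caveat that only a deliberate attacker bothers with that SID lookup. The PowerShell below is an added example, not code from the thread; the test folder path is an assumption and the script needs to run on a domain-joined machine.

```powershell
# Added example, not from the thread. Three checks behind the points made in the replies:
#  1. an ACL stores SIDs, so an ACE survives renaming the account it names;
#  2. granting the local Administrators group (S-1-5-32-544) covers Domain Admins by nesting;
#  3. the built-in Administrator is found by its RID (-500) whatever it has been renamed to,
#     which is the lookup Deji notes that commodity malware usually does not bother with.
# The folder path is an assumption; the script expects a domain-joined host.

$folder = 'C:\Temp\SrvShare'   # assumed test folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 2. Grant Full Control to the local Administrators group by its well-known SID, never to a
#    named person, so nothing in the DACL reveals or depends on an account's current name.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $adminsSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 1. Dump the DACL as the SIDs Windows actually stores, beside the names the tools resolve them to
(Get-Acl -Path $folder).Access | ForEach-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    [pscustomobject]@{ Name = $_.IdentityReference.Value; SID = $sid.Value; Rights = $_.FileSystemRights }
} | Format-Table -AutoSize

#    Who gets in through that single ACE: the nested members of the local Administrators group
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
"Members of $env:COMPUTERNAME\Administrators:"
$group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# 3. Locate the built-in Administrator accounts by RID 500, ignoring their current names
$domainDn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$domainSidBytes = ([ADSI]"LDAP://$domainDn").psbase.Properties['objectSid'].Value
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($domainSidBytes, 0)
$builtinDomainAdmin = New-Object System.Security.Principal.SecurityIdentifier("$($domainSid.Value)-500")
"Domain RID-500 account is currently named : " +
    $builtinDomainAdmin.Translate([System.Security.Principal.NTAccount]).Value
$localAdmin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' }
"Local RID-500 account is currently named  : $($localAdmin.Name)"
```

The first table is the answer to the original question: with permissions assigned to the group, the only principals a user sees in the ACL are Administrators and SYSTEM, and the rename changes nothing in it. The last two lines are the caveat: anyone who can translate SIDs, which any authenticated user can do by default, finds the renamed account in one call, so the rename buys protection only against tools that search by name.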
RE: [ActiveDir] Renaming The Admin Account
Deji, You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of course joe, and all the other heavyweights), but, we're not confused on the accounts and their memberships. I just feel it's important to have the Domain Admin (the individual) as Full Control on everything. As such, its pointless to rename him because he can be seen. However, you might just convince me to try it if you will tell me how to keep Users from viewing membership in AD of the Microsoft native groups, like Domain Administrators. ;-) That might be enough for me to try it. RH _ -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Deji AkomolafeSent: Thursday, July 22, 2004 12:10 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Renaming The Admin Account If you just remember the principle "put users in group, assign permission to group", then you'll remember that neither JohnDoe nor Administrator should show up anywhere in your ACL enumeration Rather, you ACL will look something like this: Computername\AdministratorS - F System - F etc, etc. You will NOT need to add the following to the ACL: ComputerName\Administrator (notice the missing "S") Domain Admins Domain\Administrator Why? First, because by adding Computername\AdministratorS in the first example, you have essentially taken care of the three in second example. "Domain\Administrator" is a member of "Domain Admins", which is a member of Computername\AdministratorS. Likewise, "ComputerName\Administrator" is a member of "Computername\AdministratorS". Then your fear about your users knowing the name of your Domain Admin account becomes non-existent (although this should have been of no concern in the first place). If anyone looks at the permission on an object, they won't see those 3 listed. Now, as to how your ACL "may" be messed up by an account rename. You need to remember that an account's nameis not THE significant part when ACE/ACL are concerned. 
It's the account's SID, and this does NOT change, even after you've renamed an account. Your permissions will still persist through a rename. As to the problem you encountered after renaming a DA, I can only speculate that there was "something else" causing that. I ALWAYS rename my DAs. Been doing it for a while now without running into a similar problem. Are you convinced yet? Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rocky Habeeb Sent: Thu 7/22/2004 8:18 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account

Rob, We set permissions on our Users' PCs according to the Trusted Systems Services Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the Security NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it. If we rename the Domain Admin account to "JohnDoe" and then create a bogus account called "Administrator", obviously, when we go set permissions on a system, we are not going to select the "Administrator" account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select "JohnDoe" and grant him Full Control as that pretty much tells people where the Domain Admin account is. So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is. As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again.
Now convince me to do it. RH
RE: [ActiveDir] Renaming The Admin Account
You just prove that you are very confused about membership? Tony, Robbie, Guido, Gil, Roger, and Joe? That's an expensive club. Can't afford the membership fee. Next thing I know, you'd be lumping me in with Dean :-P Seriously, let's back up a bit. Let's ask why you'd want to give permission to Domain\Administrator (the user), instead of Domain\Domain Admins (the group). Before you answer that, remember the basic principle: put users in group, give permission to group. You want to keep users from viewing membership in AD? Where are they viewing the membership from? In the Local Users and Groups? From the ACEs on files and folders? I ask because, if you have added ONLY groups instead of Users, the names of the users are not viewable in those places. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb Sent: Thu 7/22/2004 10:32 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Renaming The Admin Account

Deji, You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of course joe, and all the other heavyweights), but, we're not confused on the accounts and their memberships. I just feel it's important to have the Domain Admin (the individual) as Full Control on everything. As such, it's pointless to rename him because he can be seen. However, you might just convince me to try it if you will tell me how to keep Users from viewing membership in AD of the Microsoft native groups, like Domain Administrators. ;-) That might be enough for me to try it.
RH
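Deji's two points are that an ACE stores a SID, not a name, so a rename leaves every ACL intact, and that an ACL built only from groups never exposes an individual account. Rocky's remaining wish, to stop users seeing who is in Domain Admins, is not something a rename can deliver: by default any authenticated user can read group membership in AD, and the built-in Administrator always carries RID 500, so it can be found by SID whatever it is called today. The PowerShell below is an added example, not code from either poster. It looks up the built-in Administrator by RID and then audits a folder tree for explicit ACEs granted to individual accounts rather than groups. The folder C:\Data and the assumption that the session runs as a domain user are mine; it needs no extra modules, only the .NET SecurityIdentifier class and the WinNT ADSI provider that ship with Windows.

```powershell
# Added example, not from the thread. Assumes a domain-joined session and a
# hypothetical folder C:\Data to audit.

function Get-BuiltinAdministrator {
    <# The built-in Administrator is identified by SID, not by name. Renaming it
       changes sAMAccountName only; the RID stays 500, so anyone who can translate
       SIDs (any authenticated user) can still find it. #>
    param([string]$DomainSid)   # 'S-1-5-21-...' of the domain, or of the machine for a local box
    $sid = New-Object System.Security.Principal.SecurityIdentifier ("$DomainSid-500")
    return $sid.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-PrincipalKind {
    # Classifies an ACE identity as 'User', 'Group', 'WellKnown' (SYSTEM, BUILTIN\*,
    # Everyone, ...) or 'Orphaned' (a SID Windows can no longer resolve to a name).
    param([System.Security.Principal.IdentityReference]$Identity)
    if ($Identity -is [System.Security.Principal.SecurityIdentifier]) { return 'Orphaned' }
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
    if ($null -eq $sid.AccountDomainSid) { return 'WellKnown' }   # not an S-1-5-21-... account SID
    $domain, $name = $Identity.Value -split '\\', 2
    # The WinNT provider reports the object class for local and domain accounts alike.
    return ([ADSI]"WinNT://$domain/$name").SchemaClassName          # 'User' or 'Group'
}

function Find-DirectUserAces {
    # Lists explicit (non-inherited) ACEs that name an individual account. Each hit is
    # a place where "put users in groups, permission the groups" was not followed and
    # where a renamed admin account is visible to anyone who opens the Security tab.
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            if ((Get-PrincipalKind $ace.IdentityReference) -ne 'User') { continue }
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Sid      = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
            }
        }
    }
}

# Usage: the domain SID is taken from the current user's own SID, so no AD module is needed.
$domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid.Value
"Built-in Administrator (RID 500), whatever it is currently named: $(Get-BuiltinAdministrator $domainSid)"
Find-DirectUserAces -Root 'C:\Data' | Format-Table -AutoSize
```

Run it once before a rename and once after: the Sid column does not move, which is Deji's point about ACLs surviving a rename. Any row the audit prints is an ACE that should be replaced by one for a group (BUILTIN\Administrators, or a purpose-made domain group), after which the admin account's name no longer appears on any object.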
RE: [ActiveDir] AD and WINS
Ok so for clarification. If the 2003 Server is a DC and WINS it needs Server Ops. If it's a 2003 Standalone server make it a local admin? Did I get that right? Thanks for everyone's help!

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, July 22, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS

Server Ops is only present on DC's so unless you have WINS on your DC's... moot point anyway because, no, they can't administer WINS. W2K WINS added the WINS Users group but it only provides read access to the WINS db.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M. Sent: Thursday, July 22, 2004 9:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS

Do they have to be local Admins, or will Server Op work as well? Denny

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT) Sent: Thursday, July 22, 2004 11:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and then add the group to the local administrators group of the WINS servers either manually or via a GPO. Then all you have to do is populate the AD group with the users.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert Sent: Thursday, July 22, 2004 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS

I think Server Op will do it.

-Original Message- From: Depp, Dennis M. [mailto:[EMAIL PROTECTED] Sent: 22 July 2004 16:04 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS

I believe access to WINS requires local admin access. To allow them to administer WINS, they will have to be a local admin on the box where WINS is running.
Denny

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Thursday, July 22, 2004 10:51 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003? For example, if we want the DNS admins to administer the WINS servers, how do you go about giving them access just to WINS administration? Any help would be appreciated! Thanks, Mario

*** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ***

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
RE: [ActiveDir] Customize Group Permissions
Title: Customize Group Permissions Yes, this is possible. Check out Restricted Groups in group policy. --Brian Desmond [EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035

From: Jared Manhat [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 21, 2004 3:37 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Customize Group Permissions

I thought I read somewhere in the MS Server 2003 Deployment Kit under Designing a Managed Environment that it was possible to modify local PCs' group permissions using GP. Has anyone heard of this? What I'm trying to do is assign Install Printer Drivers to Power Users. Thanks Jared Manhat Systems Administrator Accutest Laboratories
RE: [ActiveDir] Summer Maintenance
Title: RE: [ActiveDir] Summer Maintenance Yes. There are no circumstances under which you should not sysprep an image that you plan to deploy. The only time you should not is if you're using Ghost to *replace* a machine. --Brian Desmond [EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Thursday, July 22, 2004 8:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant but can I use sysprep if I have specialized software that I want to have on my master image?? -- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, July 21, 2004 8:09 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

Please explain the reasoning here. Running NewSID does not constitute running sysprep. --Brian

-Original Message- From: Jared Manhat [mailto:[EMAIL PROTECTED] Sent: Wed 7/21/2004 4:00 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance

Yes, just use Ghost and run Sysinternals NewSID on each PC BEFORE ADDING IT TO THE DOMAIN. http://www.sysinternals.com/ntw2k/source/newsid.shtml Jared Manhat Systems Administrator Accutest Laboratories 2235 Route 130 Dayton, NJ 08810 (732) 329-0200 x254

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Wednesday, July 21, 2004 4:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

I have word of using sysprep along with Ghost. From what I have read, sysprep just does the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use Ghost after the master computer has been configured? -- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Wednesday, July 21, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of Norton Ghost. It goes slower but it won't bog down the network. Also, make sure your hop count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Sunday, July 18, 2004 12:13 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies, sometimes things just don't go the way you plan :-) Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc. Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: 16 July 2004 21:31 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic. --Brian Desmond [EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long Sent: Friday, July 16, 2004 1:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Fri 7/16/2004 11:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing 'em all at once. 100 - 150 is enough to saturate your network. --Brian

-Original Message- From: Steve Rochford [mailto:[EMAIL PROTECTED] Sent: Fri 7/16/2004 8:08 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away." We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them so typing in anything is a no-no! As others have said, Ghost will happily rename and join to the domain and it will also work with sysprep so you can have the best of both worlds :-) Steve

-Original Message- From: Brad Corob
RE: [ActiveDir] Summer Maintenance
Title: RE: [ActiveDir] Summer Maintenance I beg to differ. I'm in a high school with thousands of machines. I image labs, PCs, etc. all the time. 95% of software is deployed via group policy and MSIs. Haven't had any problems in the past year of doing this. --Brian Desmond [EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035

From: Jacob Stabl [mailto:[EMAIL PROTECTED] Sent: Thursday, July 22, 2004 10:27 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

MSI is good for some stuff but not for labs that are reimaged a few times a week. -- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Thursday, July 22, 2004 10:19 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Summer Maintenance

Most likely the answer is yes, speaking from experience in a K-12 setting. What is the specialized software? Why not roll out the software as an MSI file using group policies? Robert
RE: [ActiveDir] AD and WINS
I'm betting there's a control access right (aka extended right) you can delegate this group on your server OUs to manage WINS. No evidence, but, I'm inclined to believe there is such a thing. Look at the Server Ops delegations. --Brian Desmond [EMAIL PROTECTED] Payton on the Web! Http://www.wpcp.org v: 773.534.0034 x135 f: 773.534.0035

-Original Message- From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED] Sent: Thursday, July 22, 2004 10:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and then add the group to the local administrators group of the WINS servers either manually or via a GPO. Then all you have to do is populate the AD group with the users.
[ActiveDir] AD and Exchange - Slightly OT
Hello! Please assist, sorry for the slightly OT post: Situation: We have a security root domain (root) and below it our primary child domain (Domain A). We recently created a second domain underneath the root domain (Domain B) with a two-way trust between the two child domains (A and B). Our DNS for Domain A and B both forward up to the root. Our Exchange 2003 server is sitting in Domain A. I recently created a user (with a mailbox) in Domain B from the Exchange server in Domain A: TestUser1. Problem(s): Exchange never stamped an email address onto TestUser1. I created an SMTP address for the user manually. Now I want to create an Outlook profile and Outlook does not see the new user. The Outlook client is installed on a machine that is connected to Domain B, as is TestUser1's account. The machine has a static IP, DNS, and WINS. DNS and WINS are both pointing to the new Domain (B). Do I have a DNS problem? I can resolve other names that are already in the GAL via the Outlook client, but not TestUser1. Any advice you can give would be greatly appreciated! Thanks! Joe Pelle Infrastructure Architect Information Technology Valassis / IT 19975 Victor Parkway Livonia, MI 48152 Tel 734.591.7324 Fax 734.632.6151 [EMAIL PROTECTED] http://www.valassis.com/ This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.
RE: [ActiveDir] W2k3 DNS Scalability - More NFO
They can handle more. Sounds like you found a bug of some sort unless you have some other application that is using msvcrt.dll and isn't cleaning up well. I don't see the same results with similar configuration. Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, July 22, 2004 12:15 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] W2k3 DNS Scalability - More NFO

Potentially interesting oddity occurred today... Our primary and secondary Windows 2003 / AD integrated DNS server services abended at almost the exact same time with the following error message in the eventlog: Reporting queued error: faulting application dns.exe, version 5.2.3790.0, faulting module msvcrt.dll, version 7.0.3790.0, fault address 0x000351e4. I have custom WMI monitoring set to auto-restart DNS, send email, call the president, and of course... raise the national threat level. The servers are dedicated AD boxes, so no rogue software or odd config. The servers are Dell PowerEdge 2560s with 4 GB RAM, 3.06GHz processors and lots of disk space on a RAID 1 / RAID 5 config. The reason that I suspect performance / scalability is that when I check the utilization trend reports, each server was averaging 82 queries/sec. But surely, the servers can handle more. Heck, the overall CPU utilization is about 3%. We have most of the Windows platform using these two DNS servers, but still have more to go. Eventually the load will be distributed among soon-to-have future AD DCs. But I was very surprised to see the processes crash. All other trended perfmon metrics were well within reason. Any thoughts? Anyone perform specific DNS customizations to their respective dedicated AD DNS servers? TIA. Eric Jones, Senior SE Intel Server Group (W) 336.424.3084 (M) 336.457.2591 www.vfc.com
RE: [ActiveDir] W2k3 DNS Scalability - More NFO
Sent that last one a little faster than I should have. :) Since I have a similar config and don't see the same issue, it's possible that you have a configuration issue such as a name resolution loop or other problem that results in this type of crash. It might pay to look at the configuration closely to ensure it's configured correctly and nothing weird has happened. Al
[ActiveDir] DHCP
I have an authorized DHCP server. When I add a new scope (I already had one previous working scope), it won't hand out addresses for that new scope. I have an event ID 1051 logged in the event viewer saying it is not authorized. I know I need to be an enterprise admin to authorize a DHCP server but do I need to be one to create an additional scope as well? Thanks (and oh yeah, all my IP helper addresses are correct in my router).
RE: [ActiveDir] AD and WINS
If the 2003 Server is a DC and Wins it needs Server Ops

No sorry, the point I was trying to make was merely that [A] server ops did not exist on a member server and [B] that it is a moot point because even IF WINS is running on a DC, Server Operators can NOT manage WINS.

To be able to completely administer WINS you must be an administrator, therefore if it is running on a DC you need to be in the administrators group or Domain Admins to change configuration information on WINS servers using the WINS console or the netsh wins commands. If there are users who need read-only access to the WINS console, add them to the WINS Users group instead of to the Administrators group. WINS Users can search for WINS records and view replication partners and other configuration information, but they cannot change settings on the WINS server. They can also use a subset of the netsh wins context to query records etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 11:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD and WINS

Ok so for clarification.
If the 2003 Server is a DC and Wins it needs Server Ops
If it's a 2003 Standalone server make it a local admin?
Did I get that right? Thanks for everyone's help!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, July 22, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Server Ops is only present on DC's so unless you have WINS on your DC's... moot point anyway because, no, they can't administer WINS. W2K WINS added the WINS users group but it only provides read access to the WINS db.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Thursday, July 22, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Do they have to be local Admins, or will Server op work as well?
Denny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT)
Sent: Thursday, July 22, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and then add the group to the local administrators group of the WINS servers either manually or via a GPO. Then all you have to do is populate the AD group with the users.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I believe access to WINS requires local admin access. To allow them to administer WINS, they will have to be a local admin on the box where WINS is running.
Denny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003? For example, if we want the DNS admins to administer the Wins servers, how do you go about giving them access just to WINS administration? Any help would be appreciated!
Thanks,
Mario

*** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ***
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD and Exchange - Slightly OT
Do you have any custom recipient policies or did you modify the default recipient policy?

Jeremy
-
Jeremy Burkes
SSP MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270

-Original Message-
From: Pelle, Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:26 PM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

Hello! Please assist, sorry for the slightly OT post:

Situation: We have a security root domain (root) and below it our primary child domain (Domain A). We recently created a second domain underneath the root domain (domain B) with a two way trust between the two child domains (A and B). Our DNS for Domain A and B both forward up to the root. Our Exchange 2003 server is sitting in Domain A. I recently created a user (with a mailbox) on Domain B from the Exchange server in Domain A - TestUser1.

Problem(s): Exchange never stamped an email address onto TestUser1. I created an SMTP address for the user manually. Now I want to create an Outlook profile and Outlook does not see the new user. The Outlook client is installed on a machine that is connected to Domain B as is TestUser1's account. The machine has a static IP, DNS, and WINS. DNS and WINS are both pointing to the new Domain (B). Do I have a DNS problem? I can resolve other names that are already in the GAL via the Outlook client, but not TestUser1.

Any advice you can give would be greatly appreciated!
Thanks!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.
RE: [ActiveDir] AD and WINS
I'll take that bet :-) Many have bemoaned the fact that you can't delegate WINS administration or that there is no equivalent of DnsAdmins for WINS.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I'm betting there's a control access right (aka extended right) you can delegate this group on your server OUs to manage WINS. No evidence, but, I'm inclined to believe there is such a thing. Look at the Server Ops delegations.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035
RE: [ActiveDir] AD and Exchange - Slightly OT
Sorry, I meant to say: do you have any custom recipient policies above the default recipient policy and/or do you have a RUS for your second domain, domain B?

Jeremy
-
Jeremy Burkes
SSP MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270
RE: [ActiveDir] Renaming The Admin Account
Okay, First off, yes the club's expensive. And rightly so, but, do you know what joe wanted to come to my little shop and point out to me exactly what I already know (which is exactly how much I don't know already.)? Now HE was expensive. Serves him right for getting fired. ;-O. No wait. He didn't get fired. Some of the |stupidest| people in the world (notice the absolute symbol) just let him walk! I'm telling you, that was about as smart as the Russians selling us Alaska for 7 million. I could not believe that. How smart do you have to be? Not as smart as joe, that much I know.

Now, let me show you how much I don't know. (I can explain why that is someday, if it comes to that). When I click (on my W2K boxes in my mixed mode W2K domain) on My Network Places > Entire Network > Directory > DNSDomainName it opens up my AD and everybody can see all the OUs. If I click on my Microsoft_Groups (OU which houses the native groups) I see every group. If I click on Domain Admins, I see the members. The same with all the other groups. How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)
RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

You just prove that you are very confused about membership?

Tony, Robbie, Guido, Gil, Roger, and Joe
That's an expensive club. Can't afford the membership fee. Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. Let's ask why you'd want to give permission to Domain\Administrator (the user), instead of Domain\Domain Admins (the group). Before you answer that, remember the basic principle "put users in group, give permission to group".

You want to keep users from viewing membership in AD? Where are they viewing the membership from? In the Local Users and Groups? From the ACEs on files and folders? I ask because, if you have added ONLY groups instead of Users, the names of the users are not viewable in those places.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Deji, You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of course joe, and all the other heavyweights), but, we're not confused on the accounts and their memberships. I just feel it's important to have the Domain Admin (the individual) as Full Control on everything. As such, it's pointless to rename him because he can be seen. However, you might just convince me to try it if you will tell me how to keep Users from viewing membership in AD of the Microsoft native groups, like Domain Administrators. ;-) That might be enough for me to try it.
RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Deji Akomolafe
Sent: Thursday, July 22, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

If you just remember the principle "put users in group, assign permission to group", then you'll remember that neither JohnDoe nor Administrator should show up anywhere in your ACL enumeration. Rather, your ACL will look something like this:

Computername\AdministratorS - F
System - F
etc, etc.

You will NOT need to add the following to the ACL:

ComputerName\Administrator (notice the missing S)
Domain Admins
Domain\Administrator

Why? First, because by adding Computername\AdministratorS in the first example, you have essentially taken care of the three in the second example. Domain\Administrator is a member of Domain Admins, which is a member of Computername\AdministratorS. Likewise, ComputerName\Administrator is a member of Computername\AdministratorS. Then your fear about your users knowing the name of your Domain Admin account becomes non-existent (although this should have been of no concern in the first place). If anyone looks at the permission on an object, they won't see those 3 listed.

Now, as to how your ACL may be messed up by an account rename. You need to remember that an account's name is not THE significant part when ACE/ACL are concerned. It's the account's SID, and this does NOT change, even after you've renamed an account. Your permissions will still persist through a rename. As to the problem you encountered after renaming a DA, I can only speculate that there was something else causing
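An added example, not code from the thread, that checks Deji's two points in PowerShell: an ACE stores the trustee's SID, so the built-in Administrator (always RID 500) keeps its ACEs under any name, and an ACL built on "put users in groups, ACL the group" should list no individual accounts at all. It assumes Windows PowerShell 5.1 or later on a domain-joined host; the folder path, function names and the 'D:\Shares\Finance' sample are mine.

```powershell
# Added example (not from the thread). An ACE stores the trustee's SID, so the
# built-in Administrator, which always has RID 500, keeps every ACE it holds no
# matter what it is renamed to. Following "put users in groups, ACL the group",
# an NTFS ACL should name no individual accounts; this lists the ones that do.
# Assumes Windows PowerShell 5.1+ on a domain-joined host.

function Get-BuiltinAdminSid {
    # Domain SID of the current logon + RID 500 = the built-in Administrator,
    # whatever its current name (for a local logon this is the local one).
    $domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
    New-Object System.Security.Principal.SecurityIdentifier("$($domainSid.Value)-500")
}

function Get-PrincipalClass {
    # Look the SID up in AD and return its objectClass ('user' or 'group').
    # Accounts from the local SAM are not in AD and come back as 'local'.
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $searcher = [adsisearcher]"(objectSid=$($Sid.Value))"
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return 'local (user or group)' }
    # objectClass is multi-valued (top, person, ..., user); the last value is the most specific
    return [string]($hit.Properties['objectclass'] | Select-Object -Last 1)
}

function Get-DirectUserAce {
    # Return each ACE on $Path whose trustee is an individual account (or an
    # orphaned SID) rather than a group or a well-known principal.
    param([Parameter(Mandatory)][string]$Path)

    $adminSid = (Get-BuiltinAdminSid).Value
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        # Well-known SIDs (SYSTEM, BUILTIN\Administrators, ...) are fine to ACL directly.
        if (-not $sid.IsAccountSid()) { continue }
        $class = Get-PrincipalClass -Sid $sid
        if ($class -eq 'group') { continue }          # groups are what belong in the ACL
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value; $class = 'orphaned (account deleted)' }  # a rename never causes this
        if ($sid.Value -eq $adminSid) { $class = 'user (built-in Administrator, RID 500)' }
        [pscustomobject]@{
            Path      = $Path
            Trustee   = $name          # current name; the ACE itself only holds the SID
            SID       = $sid.Value
            Class     = $class
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (constructed sample path): Get-DirectUserAce -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```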
Re: [ActiveDir] Question about replication connection objects
Anyone have thoughts on this?

--- David Adner [EMAIL PROTECTED] wrote:

I know if I modify an automatically generated connection object, it gets renamed to its GUID and takes on the behavior of a manually created CO (meaning the KCC will no longer automatically maintain it). What if I move an automatically generated CO between DC's? The name doesn't get renamed, but does that mean it stayed automatic or is it now in effect manual? If it's the latter, how can I determine if it's behaving like a manual CO? Is there some attribute to look for?
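An added example, not from the thread, on the "is there some attribute to look for" question: the KCC sets bit 0x1 (NTDSCONN_OPT_IS_GENERATED) in the options attribute of the nTDSConnection objects it creates and maintains, so decoding that bit for every connection object shows which ones the KCC still owns. It assumes a domain-joined host with read access to the Configuration partition; the function name is mine.

```powershell
# Added example (not from the thread). Lists every connection object in the
# forest with bit 0x1 (NTDSCONN_OPT_IS_GENERATED) of its 'options' attribute
# decoded: set means the KCC created it and maintains it, clear means it is
# treated as administrator-owned. Assumes a domain-joined host that can read
# the Configuration partition; uses only the built-in [adsi]/[adsisearcher] types.

$NTDSCONN_OPT_IS_GENERATED = 0x1

function Get-ConnectionObjectState {
    $configNc = ([adsi]'LDAP://RootDSE').configurationNamingContext
    $searcher = [adsisearcher]'(objectClass=nTDSConnection)'
    $searcher.SearchRoot = [adsi]"LDAP://CN=Sites,$configNc"
    $searcher.PageSize = 500
    foreach ($p in 'name', 'options', 'fromServer', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $options = [int]($r.Properties['options'] | Select-Object -First 1)   # absent -> 0
        $dn      = [string]$r.Properties['distinguishedname'][0]
        # The CO lives under the NTDS Settings object of the DC it replicates TO;
        # its own RDN never contains a comma, so splitting on the first one is safe.
        $toNtdsSettings = ($dn -split ',', 2)[1]
        [pscustomobject]@{
            Name           = [string]$r.Properties['name'][0]
            KccGenerated   = [bool]($options -band $NTDSCONN_OPT_IS_GENERATED)
            Options        = ('0x{0:X}' -f $options)
            FromServer     = [string]$r.Properties['fromserver'][0]
            ToNtdsSettings = $toNtdsSettings
        }
    }
}

# Usage: Get-ConnectionObjectState | Sort-Object KccGenerated | Format-Table -AutoSize
```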
RE: [ActiveDir] AD and Exchange - Slightly OT
We have a mixed E5.5 and 2003 environment and the only recipient policies we have are the 5.5 policies and the default policy. I have not changed any of them.

Joe Pelle
I can resolve other names that are already in the GAL via the Outlook client, but not TestUser1. Any advice you can give would be greatly appreciated! Thanks! Joe Pelle Infrastructure Architect Information Technology Valassis / IT 19975 Victor Parkway Livonia, MI 48152 Tel 734.591.7324 Fax 734.632.6151 [EMAIL PROTECTED] http://www.valassis.com/ This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.
RE: [ActiveDir] Customize Group Permissions
One thing to be really careful of though. It will replace the contents of the local group. The only exception to this is the default local Admin account in the local Administrators group. That account will stay. If you are using software, like SMS, that generates its own local admin account be sure that it is getting left in.

Dave
--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
[EMAIL PROTECTED]
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Customize Group Permissions

Yes, this is possible. Check out restricted groups in group policy.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Customize Group Permissions

I thought I read somewhere in the MS Server 2003 Deployment Kit under Designing a Managed Environment that it was possible to modify the local pc's group permissions using GP. Has anyone heard of this? What I'm trying to do is assign Install Printer Drivers to Power Users.

Thanks
Jared Manhat
Systems Administrator
Accutest Laboratories
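An added example, not from the thread, for Dave's caveat: before a Restricted Groups "Members of this group" policy lands on a machine, compare its current local Administrators membership with what the policy will enforce so that nothing needed (an SMS-created local admin, say) is silently dropped. It assumes Windows PowerShell 5.1 or later (Get-LocalGroupMember) run elevated; the function name and the CONTOSO member names are constructed samples.

```powershell
# Added example (not from the thread). Compares a local group's membership
# with the list a Restricted Groups policy will enforce and reports, per
# member, whether the policy keeps, removes or adds it. The built-in local
# Administrator (RID 500) is reported as kept because, as the thread notes,
# the policy leaves that account in place. Assumes Windows PowerShell 5.1+
# (Get-LocalGroupMember), run elevated.

function Test-RestrictedGroupImpact {
    param(
        [string]$Group = 'Administrators',
        # Members the GPO will enforce, written as DOMAIN\name or COMPUTERNAME\name.
        [Parameter(Mandatory)][string[]]$PolicyMembers
    )
    $policy = @{}
    foreach ($m in $PolicyMembers) { $policy[$m.ToLowerInvariant()] = $true }

    foreach ($member in @(Get-LocalGroupMember -Group $Group)) {
        $key = $member.Name.ToLowerInvariant()
        # RID 500 in the machine's own domain (S-1-5-21-<machine>) is the built-in Administrator.
        $isBuiltinAdmin = $member.SID.Value -like 'S-1-5-21-*-500' -and $member.PrincipalSource -eq 'Local'
        $action = if ($policy.ContainsKey($key)) { 'kept (listed in policy)' }
                  elseif ($isBuiltinAdmin)       { 'kept (built-in Administrator)' }
                  else                            { 'REMOVED by policy' }
        $policy.Remove($key)
        [pscustomobject]@{
            Group  = $Group
            Member = $member.Name
            SID    = $member.SID.Value
            Source = $member.PrincipalSource
            Action = $action
        }
    }
    # Whatever is left in the policy list is not a member today and will be added.
    foreach ($k in $policy.Keys) {
        [pscustomobject]@{ Group = $Group; Member = $k; SID = $null; Source = 'policy'; Action = 'ADDED by policy' }
    }
}

# Usage (constructed sample values):
# Test-RestrictedGroupImpact -PolicyMembers 'CONTOSO\Workstation Admins', 'CONTOSO\svc-sms-install' |
#     Format-Table -AutoSize
```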
RE: [ActiveDir] DHCP
Did you authorize it by fqdn or by address? I think it needs to be authorized by address.

nme
RE: [ActiveDir] KIX script and Active Directory
If you want to continue using Kix scripting you can create security groups and assign the appropriate users to those security groups, afterwards use the InGroup (Kix) function and assign drive mappings etc. accordingly. At least that's one way of doing it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Thursday, July 22, 2004 3:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KIX script and Active Directory

I am working on a migration from NT4 to Windows 2003 which includes the collapsing of a number of domains into a single domain. Part of the existing NT4 login script uses the NT4 domain as a variable to setup things like users' drive mappings e.g. xx-fileserver-01 where xx is the domain code. These scripts are written in KIX. As I'm not the world's greatest code writer and there are a fair few login scripts I am looking for a way to set a variable that can be used by the login script to set the user's location without rewriting all of the scripts. I don't really want to use group membership; if I have to I would rather use an attribute in the active directory and look this up. Has anyone got any advice?

Many thanks in advance
Jacqui
RE: [ActiveDir] AD and Exchange - Slightly OT
AH, thanks for the clarification. I'm a little slow! Anyway, I do have custom recipient policies above the default but they were copied over from the 5.5 sites.

"do you have a RUS for your second domain, domain B."

I have not added anything additional so I guess the answer is NO. Do I need RUS on Domain B? If so, how?

Joe Pelle
RE: [ActiveDir] AD and Exchange - Slightly OT
I have not yet created a RUS. I didn't know I had to. I have to domainprep B first, right?!

Joe Pelle

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT

Very likely that you have not created a RUS for domainB, but if you did, go ahead and troubleshoot it.

Al
RE: [ActiveDir] AD and Exchange - Slightly OT
As I remember each domain has to have a recipient update service setup in order to update the email addresses. Do you have one for the second domain? Did you run domainprep on the new domain?

Jacqui
RE: [ActiveDir] AD and Exchange - Slightly OT
In addition, take a closer look at that Recipient Policy. It's possible that it's configured to stamp ONLY mail-enabled objects of DomainA. Will need to create another one for DomainB, if that's the case.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
RE: [ActiveDir] Renaming The Admin Account
This is by design. You open adsiedit.msc, navigate to the top DC=yourdomainname under the Domain partition, right-click on the DC=yourdomainname and click Properties. In the Security tab, you will see that Authenticated Users have Read access to the whole tree down. You can remove this permission or alter it, but you need to know it was put there for a number of reasons. One of the things that I know will complain IF you remove this permission is... you guessed it... Exchange/Outlook. A favorite symptom is that your users will not be able to delete or move certain pieces of email. They will get the famous "object no longer exists" phantom error. That is one. There are other reasons for leaving the READ permission in place.

The reason for renaming is NOT so much to hide/obfuscate things from YOUR users. It is to deter external attacks. And, it's a deterrence, not a FIX. It's like the recommendation to change your router's banner or your SMTP banner to make them less obvious to passive/curious attackers. This recommendation does NOT in itself protect anything, or even thwart a determined attacker. But, like I said earlier, it makes you less vulnerable to the generalized attacks like Mofei or most of the hackwares/scripts.

As for Joe coming over to your little shop to give you some edukashun, all I can say is... be afraid... be very, very afraid :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Okay, First off, yes the club's expensive. And rightly so, but, do you know what joe wanted to come to my little shop and point out to me exactly what I already know (which is exactly how much I don't know already.)? Now HE was expensive.
Serves him right for getting fired. ;-O. No wait. He didn't get fired. Some of the |stupidest| people in the world (notice the absolute symbol) just let him walk! I'm telling you, that was about as smart as the Russians selling us Alaska for 7 million. I could not believe that. How smart do you have to be? Not as smart as joe, that much I know.

Now, let me show you how much I don't know. (I can explain why that is someday, if it comes to that). When I click (on my W2K boxes in my mixed mode W2K domain) on My Network Places > Entire Network > Directory > DNSDomainName it opens up my AD and everybody can see all the OUs. If I click on my Microsoft_Groups (OU which houses the native groups) I see every group. If I click on Domain Admins, I see the members. The same with all the other groups. How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

You just prove that you are very confused about membership?

Tony, Robbie, Guido, Gil, Roger, and Joe... That's an expensive club. Can't afford the membership fee. Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. Let's ask why you'd want to give permission to Domain\Administrator (the user), instead of Domain\Domain Admins (the group). Before you answer that, remember the basic principle: put users in groups, give permissions to groups. You want to keep users from viewing membership in AD? Where are they viewing the membership from? In the Local Users and Groups? From the ACEs on files and folders? I ask because, if you have added ONLY groups instead of Users, the names of the users are not viewable in those places.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Deji, You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of course joe, and all the other heavyweights), but, we're not confused on the accounts and their memberships. I just feel it's important to have the Domain Admin (the individual) as Full Control on everything. As such, it's pointless to rename him because he can be seen. However, you might just convince me to try it if you will tell me how to keep Users from viewing membership in AD of the Microsoft native groups, like Domain Administrators. ;-) That might be enough for me to try it.

RH
RE: [ActiveDir] Renaming The Admin Account
Rocky - this thread is actually quite incredible - you're wandering from user and group names and object types to NTFS permissions and nesting objects into groups, over to discussing SIDs and friendly names, and now you're talking about the visibility of memberships of groups in AD ;-)

Also, I don't know about your domain, but I never knew that there was an account called Domain Admin - by default, you should only have an Administrator account that is a member of the Domain Admins group (and if this is the root, it would also be a member of the Enterprise Admins and Schema Admins groups)... Besides the best practise of renaming the default Administrator account (not group), it's also a good practise to take it out of the Schema Admins group (this group should be empty until you want to change anything in the schema - will prevent accidental schema extensions, e.g. by some crappy program or script).

So, I'm not sure which is the part that's really most painful to you, but I guess you mainly want to hide any hints to the default Admin account in your domain, as otherwise renaming them doesn't make any sense to you - is that about right?

I think Deji already covered very well how you shouldn't set ACLs for any user account directly - you'll merely do so via groups, and the account that has access to the (non-homeshare) resource won't be visible by looking at the ACLs of the machine. This includes administrative accounts. And if people see a group on an ACL (e.g. Domain Admins), you don't want them to be able to look up who is a Domain Admin by checking the group membership of that group - right again?

This can also be resolved by setting the appropriate permissions on the respective AD OU which contains the groups (or any other objects) which you don't want your users to view. E.g. move your administrative accounts and the Domain Admins group to a separate OU in your domain and then remove the Read permissions for Authenticated Users on that OU - this will hinder them from browsing to that OU and so they can't even try to open the group to see the content. You could also work with permissions on the groups themselves, but that's more and unnecessary work.

If you don't even want your users to see the special OU, then you'll have to work with the List Object permission. LIST OBJECT is not active or visible in the ACL Editor by default. To activate (for the whole AD forest) change the DSHeuristics property on the Directory Service object (cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=ForestRootDomain) to 001. The first two bits impact the ANR searching in AD, so don't change them without knowing what you want them to be.

BTW, it's much easier to implement the strategy of a special OU (e.g. Domain Operations) when you have separate accounts for administrative users - i.e. they have another normal account for eMail etc. All administrative accounts should be in this special OU.

And thanks for the flowers in your previous mails - I'll send some of them to Deano ;-)

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 9:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
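Guido's DSHeuristics step above is the fiddly part of hiding the special OU, because the value is a single string in which every character position means something different (the third one is the List Object switch). As an added example, not from the thread or from any Microsoft tool, this PowerShell script flips only that third character and leaves the ANR-related positions alone; it assumes an Enterprise Admin runs it, since the object lives in the Configuration partition.

```powershell
# Added example, not from the thread: enable List Object mode forest-wide by setting the
# third character of dSHeuristics to '1' while preserving whatever else is already there.
# Assumes the caller is an Enterprise Admin (the setting lives in the Configuration partition).
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$dsService = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

$current = [string]$dsService.dSHeuristics      # '' when the attribute has never been set

# Characters 1 and 2 control ANR behaviour; pad with '0' (the default) rather than overwrite,
# and never touch positions beyond the third so other settings on the forest survive.
$chars = $current.PadRight(3, '0').ToCharArray()

if ($chars[2] -eq '1') {
    Write-Output "List Object mode is already enabled (dSHeuristics = '$current')."
}
else {
    $chars[2] = '1'
    $new = -join $chars
    $dsService.Put('dSHeuristics', $new)
    $dsService.SetInfo()
    Write-Output "dSHeuristics changed from '$current' to '$new'; List Object now shows in the ACL editor."
}
```

After the change replicates, the List Object permission becomes available in the ACL editor of the OU you want to hide, and the Read removal for Authenticated Users described above can be combined with it.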
RE: [ActiveDir] KIX script and Active Directory
I don't understand your question fully. You say you want to "set a variable" which will control drive mappings, but then you go on to say that you want to look up an attribute in AD to set the location. What attribute would that be? Can you be more specific?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Thursday, July 22, 2004 2:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KIX script and Active Directory

I am working on a migration from NT4 to Windows 2003 which includes the collapsing of a number of domains into a single domain. Part of the existing NT4 login script uses the NT4 domain as a variable to set up things like users' drive mappings, e.g. xx-fileserver-01 where xx is the domain code. These scripts are written in KIX. As I'm not the world's greatest code writer and there are a fair few login scripts, I am looking for a way to set a variable that can be used by the login script to set the user's location without rewriting all of the scripts. I don't really want to use group membership; if I have to, I would rather use an attribute in Active Directory and look this up. Has anyone got any advice?

Many thanks in advance
Jacqui
RE: [ActiveDir] AD and Exchange - Slightly OT
Jacqui, I have not domainprep'd the new domain and have not created a recipient update service for the new domain. I did not know I needed to do that... thank you for the posts! VERY HELPFUL! I'm still learning about Exchange!

Joe Pelle
Infrastructure Architect
Valassis / IT

From: Jacqui Hurst [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 4:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT

As I remember, each domain has to have a recipient update service set up in order to update the email addresses. Do you have one for the second domain? Did you run domainprep on the new domain?

Jacqui

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 22 July 2004 19:26
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT
RE: [ActiveDir] DHCP
If it's a new scope, is the scope within the range of IP addresses and subnet masks available on that router segment? I fought an issue like this once and it was a subnet mask problem, but we were looking for something harder to fix... :-) Took a while to see it right under our noses...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 1:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP

I browsed for it by name thru the MMC. The server is authorized and is giving out addresses, just in one scope. I'm not an enterprise admin, just a domain admin. I created a second scope and the MMC gives me no error and says it's active, but addresses are not being given out on the new scope. As I said, my IP helper addresses in my router are fine, but that subnet gets no IPs, though it does get the scope options such as DNS server and WINS, etc. And I got that event ID 1051 when I first created the scope but no further errors since then. I have rebooted as well, so I'm thinking I may need to be enterprise admin to create a new scope on an authorized DHCP server?!!! I just wanna confirm.

thanks

-Original Message-
From: Noah Eiger [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 3:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP

Did you authorize it by FQDN or by address? I think it needs to be authorized by address.

nme

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 11:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP

I have an authorized DHCP server. When I add a new scope (I already had one previous working scope), it won't hand out addresses for that new scope. I have an event ID 1051 logged in the event viewer saying it is not authorized. I know I need to be an enterprise admin to authorize a DHCP server, but do I need to be one to create an additional scope as well?

thanks (and oh yeah, all my IP helper addresses are correct in my router)
RE: [ActiveDir] How to restrict access to event viewer
Do you mean that you want to control permissions on the different logs within Event Viewer? If so, it's absolutely possible if you change the SDDL in the Registry; however, you need to write a customized GPO template to push them out to the servers unless you want to manually edit each server's Registry.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 3:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to restrict access to event viewer
Sensitivity: Private

Hi, can you share your experiences about how to restrict access to Event Viewer to only one group? Local and remote access? Thanks.

LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded either as a proposal, acceptance or as a statement of will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or affiliates. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
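Jimmy's reply above points at the per-log SDDL in the registry without showing what it looks like. As an added example, not from the thread, the script below builds and writes that CustomSD value for the classic Application log so that one group (a placeholder name) can read it, writers keep write-only access, and administrators keep read/write/clear; the same string is what a custom GPO template would deliver to every server.

```powershell
# Added example, not from the thread: restrict read access to the Application log through the
# CustomSD registry value (an SDDL string) and verify what was written. Run elevated on the
# server. The group name is a placeholder; substitute the group that should read the log.
$logName   = 'Application'
$groupName = 'CONTOSO\EventLogReaders-Placeholder'     # placeholder, replace with your group
$regPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"

# Resolve the group to its SID; SDDL accepts raw SIDs, so no well-known alias is needed.
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $groupName
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
# Deny anonymous (AN) and guests (BG) outright, as the default descriptor does.
# SYSTEM (SY) and Administrators (BA) keep read/write/clear.
# Interactive (IU), service (SU) and batch (S-1-5-3) logons keep WRITE ONLY, so the
# applications that log events still can, but their users cannot read the log.
# The chosen group is the only non-admin principal granted READ.
$sddl = 'O:BAG:SYD:' +
        '(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)' +
        '(A;;0xf0007;;;SY)(A;;0x7;;;BA)' +
        '(A;;0x2;;;IU)(A;;0x2;;;SU)(A;;0x2;;;S-1-5-3)' +
        "(A;;0x1;;;$sid)"

# Fail before touching the registry if the string does not parse as a security descriptor.
$parsed = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl

$before = (Get-ItemProperty -Path $regPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
Set-ItemProperty -Path $regPath -Name CustomSD -Value $sddl -Type String

"ACEs in new descriptor: $($parsed.DiscretionaryAcl.Count)"
"Previous CustomSD: $before"
"New CustomSD:      $((Get-ItemProperty -Path $regPath -Name CustomSD).CustomSD)"
```

Keep the previous value printed by the script so the change can be reverted; the event log service re-reads CustomSD the next time the log is opened.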
Re: [ActiveDir] AD and Exchange - Slightly OT
Check out the Exchange Admin Guide, Exchange Deployment Guide and Planning an Exchange Messaging System, all on microsoft.com/exchange/library. I'm reading the admin guide; all three have helped with Exchange 5.5 to 2003 migration.

Robert

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thu Jul 22 17:14:30 2004
Subject: RE: [ActiveDir] AD and Exchange - Slightly OT
RE: [ActiveDir] DHCP
Yes it is. The router is fine. If I use a static address on that subnet, it works and there is connectivity. If I configure the client to use DHCP, nothing. All it gets is the scope options. I guess what my question really is, is - if a DHCP server has been authorized by an enterprise admin with a scope, do you need to be an enterprise admin to create a new scope? I can't find any docs addressing this issue, so to speak (ha ha).

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP
RE: [ActiveDir] KIX script and Active Directory
Check out the %USERDOMAIN% and %USERDNSDOMAIN% environment variables. Run "set" from a command prompt to get a list of them.

--Brian

-Original Message-
From: Jacqui Hurst [mailto:[EMAIL PROTECTED]
Sent: Thu 7/22/2004 2:31 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] KIX script and Active Directory
[ActiveDir] NTP server
Where does everyone have their NTP services come from? We are getting rid of our current firewall which has NTP on it and everything is pointed to it for NTP services. Our new firewall won't have NTP built in, so we are going to have to set up an internal NTP server for all our internal hosts to sync to. Do we put it in the DMZ or the internal network? Or does it matter? Do we just install NTP on an existing Win2k server in our DMZ? What is everyone else doing for NTP?

Thanks

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
RE: [ActiveDir] NTP server
Hey Russ,

This link describes how W2K and W2K3 handle NTP:
http://www.netpro.com/products/techdocs/ad_timesync.pdf

This link lists public Stratum 1 and Stratum 2 time servers:
http://www.eecis.udel.edu/~mills/ntp/servers.html

It would make sense to use the PDC emulator as the time server for devices in the respective domains.

-gil

Gil Kirkpatrick
CTO, NetPro

From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Thu 7/22/2004 5:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NTP server
RE: [ActiveDir] NTP server
I use my PDC. It syncs with the government. All your clients automatically talk to the PDC unless you told 'em not to.

--Brian

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Thu 7/22/2004 7:24 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: [ActiveDir] NTP server
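Gil's and Brian's replies above both put the PDC emulator at the top of the time hierarchy: it alone talks to external sources, and every other DC and member follows the domain back to it. As an added example, not from the thread, this PowerShell script applies that split with the W32Time tools that ship in Windows and then checks that the PDCe is not free-running; it assumes it is run elevated on each DC, and the peer list is a placeholder.

```powershell
# Added example, not from the thread: configure W32Time so that only the PDC emulator reaches
# out to external NTP servers and every other DC follows the domain hierarchy back to it
# (domain members do that by default). Run elevated on each DC. The peer list is a
# placeholder; substitute Stratum 1/2 servers you are permitted to use.
$peers = 'ntp1.example.invalid,0x8 ntp2.example.invalid,0x8'   # placeholder; 0x8 = client mode
$pdce  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$me    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -ieq $pdce) {
    # Top of the hierarchy: sync from the external peers and advertise as a reliable source.
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
}
else {
    # Any other DC: take time from the domain hierarchy and do not advertise as reliable,
    # so clients are not pulled away from the PDCe.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service -Name w32time
w32tm /resync /nowait

# Check: the PDCe must report an external peer, never its own clock (free-running).
$source = (w32tm /query /source) -join ''
if ($me -ieq $pdce -and $source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDC emulator $me is free-running; the external peers are not reachable."
}
else {
    "$me time source: $source"
}
```

If the PDCe role is later moved, rerun the script on the old and new holder so the external peers follow the role.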