RE: [ActiveDir] Assigning permissions for domain user -- post Server 2003 sp1 upgrade
Unless the firewall is needed, you should disable it. At least then you have removed one factor from the issue.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen G. Maczko
Sent: 06 April 2005 22:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Assigning permissions for domain user -- post Server 2003 sp1 upgrade

I'm no longer able to assign permissions on a client to a domain user. When I open a directory properties sheet, security tab and then press the Add btn, it takes a long time for the Users, computers groups box to show. Then when I select a user, the thing hangs.

One other symptom, possibly related: it takes a looong time to pop up the runas box now from anywhere on the client.

I've not used the security wizard, because you can't use it on a DC, so I activated the firewall and manually opened a set of ports. The following is my partial list of ports opened, those relevant to AD, etc.

53 DNS (TCP/UDP)
88 Kerberos (TCP/UDP)
123 NTP (UDP) (??)
464 Kerberos password change (TCP/UDP)

I also have all the appropriate ports for file-sharing; working well for the shares where permissions are already set up.

The network is really very basic; I have one server/one client. It's actually a development environment; I need AD to mimic one of my clients. I also have ASP.NET and SQL Server on the server; they are working well, including ASP.NET debugging.

Thanks for any suggestions!

Steve

==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==
[ActiveDir] 675 events [Account Logon]
Earlier today, a DC was found at 85-95% CPU. It was also noted that there were continuous 675 events for one user account:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 4/7/2005
Time: 8:43:49 AM
User: NT AUTHORITY\SYSTEM
Computer: x
Description:
Pre-authentication failed:
User Name: yyy
User ID:\yy
Service Name: krbtgt/
Pre-Authentication Type:0x2
Failure Code: 0x18
Client Address: a.b.c.d

[We don't really have a user with ID yy - I have changed names to protect the innocent :) ]

The user's machine was switched off and CPU dropped from 90% to 75% and then down to the 50% range!

Any ideas how we might explain this behaviour? Is this an account lockout type issue?

Any help greatly appreciated.

neil

-----Original Message-----
From: Ruston, Neil
Sent: 07 April 2005 08:54
To: # GSI Core Infra EU; # IT GTI GSE Active Directory Team
Subject: FW: [ActiveDir] SLOWW Logons

FYI

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: 06 April 2005 22:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Starting a new thread from the original post, as I am going to address this from a troubleshooting methodology perspective, not a take a swing and perhaps one hit out of the park perspective.

My approach to slow logon:

1) I always start with a userenv log (logging set to 10002). I then take the log, and begin looking for gaps of time in the log, to perhaps understand components that are being slow during user init.

2) If I don't immediately see an answer in the userenv, or at least a starting point (can go either way depending upon the case) I go with two pieces of data: userenv + network trace. Network trace can be tricky, given that you can't take it on the client...the client hasn't logged on yet. :) Typically, I take the client machine and throw it on a silly little hub, and on that hub also place another machine which I take a trace from. Start the trace (some larger buffer, say 50MB or so), then boot the client + log on to the client, and I don't usually stop the trace until the logon is complete.

From there, you can line up gaps of time in the userenv log to what was going over the wire. I find this approach more fruitful than just taking a trace and trying to guess where the problem is.

~Eric

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 2000 to 2003 - one domain, one server
It might be worth promoting _any_ piece of hardware you have together before doing this for many reasons. Aside from that, make sure your hardware is listed in the MS HCL - http://www.microsoft.com/windows/catalog/server/default.aspx?subID=22xslt=c ategoryProductpgn=acb1d593-9364-44da-893e-3393eaec7cbc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Tuesday, April 05, 2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2000 to 2003 - one domain, one server

One domain on one DC - 2000 Server SP3. Considering an in-place upgrade to 2003 domain and OS. Technically, there is only one server available at this time for the upgrade.

Will I simply run /forestprep and /domainprep, winnt32.exe /checkupgradeonly, winnt32.exe (from 2003 CD)?

Any tips or anything I should watch out for?

Thank you!

This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150)

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
RE: [ActiveDir] 675 events [Account Logon]
See http://www.eventid.net/display.asp?eventid=675eventno=62source=Securityph ase=1

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
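The pattern raised in this thread (continuous 675 failures for one account from one client address) can be surfaced by grouping the events. The following is an added example, not code from any list member's post: it parses event text in the layout quoted in the thread, decodes the failure code (0x18 is KDC_ERR_PREAUTH_FAILED in RFC 4120) and reports user/client pairs that fail repeatedly within a short window. The sample events, the 192.0.2.x addresses, the function names, the threshold and the window are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error codes (RFC 4120) that commonly show up in event 675.
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # unknown user name
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",          # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # pre-auth data invalid, usually a wrong password
    0x25: "KRB_AP_ERR_SKEW",              # clock skew too great
}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):\s*(.*)$")


def parse_events(text):
    """Parse blank-line separated event text into a list of 675 records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields.get("Event ID") != "675":
            continue
        try:
            when = datetime.strptime(
                fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
            events.append({"when": when,
                           "code": int(fields["Failure Code"], 16),
                           "user": fields["User Name"],
                           "client": fields["Client Address"]})
        except (KeyError, ValueError):
            continue  # skip incomplete or malformed records
    return events


def find_repeated_failures(events, threshold=5, window=timedelta(minutes=1)):
    """Return (user, client, code) groups with >= threshold failures in any window."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["user"], ev["client"], ev["code"])].append(ev["when"])
    findings = []
    for (user, client, code), times in groups.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"user": user, "client": client, "peak": peak,
                             "total": len(times),
                             "failure": FAILURE_CODES.get(code, hex(code))})
    return sorted(findings, key=lambda f: -f["peak"])


def _sample_event(when, user, client, code):
    """Render one constructed event in the layout quoted in the thread."""
    return (
        "Event Type: Failure Audit\n"
        "Event Source: Security\n"
        "Event Category: Account Logon\n"
        "Event ID: 675\n"
        f"Date: {when.month}/{when.day}/{when.year}\n"
        f"Time: {when.strftime('%I:%M:%S %p').lstrip('0')}\n"
        "User: NT AUTHORITY\\SYSTEM\n"
        "Computer: DC01\n"
        "Description:\n"
        "Pre-authentication failed:\n"
        f"User Name: {user}\n"
        f"User ID: EXAMPLE\\{user}\n"
        "Service Name: krbtgt/EXAMPLE\n"
        "Pre-Authentication Type:0x2\n"
        f"Failure Code: {code:#x}\n"
        f"Client Address: {client}\n"
    )


def build_sample_log():
    """Constructed data: one client retrying every 2 s, plus two unrelated events."""
    base = datetime(2005, 4, 7, 8, 43, 49)
    blocks = [_sample_event(base + timedelta(seconds=2 * i), "yyy", "192.0.2.10", 0x18)
              for i in range(30)]
    blocks.append(_sample_event(base + timedelta(seconds=5), "zzz", "192.0.2.20", 0x18))
    blocks.append(_sample_event(base + timedelta(seconds=9), "www", "192.0.2.30", 0x25))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    for finding in find_repeated_failures(parse_events(build_sample_log())):
        print(finding)
```

A single client address producing a steady stream of 0x18 failures for one account is worth checking against that account's lockout state and against whatever on the client holds credentials for it.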
RE: [ActiveDir] SLOWWWWWW Logons
We ended up using 1412 for ours. Took a little bit of testing though. We started at 1300 and then worked our way up to get the largest size possible. I used a small application that gives you a GUI interface. I haven't looked at scripting it into logon scripts yet. If you want the GUI tool, drop me an e-mail off line. I got it off the internet but I don't recall the web URL.

Thanks,
Charlie

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 06, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

http://www.winguides.com/registry/display.php/280/

I'd suggest 1400 as a good setting. The problem is that the VPN encapsulation adds size to the packets (like 60 bytes IIRC) and that can kick it over the top of the MTU of the links.

Roger Seielstad
E-mail Geek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

They are connecting through a VPN Connection. How do you change the MTU Size?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Wednesday, April 06, 2005 4:47 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] SLOWW Logons

Do they use a different logon script than everyone else or could the logon script have an additional program that might run for them and not some others? Also, are you connecting through a VPN connection? I had an issue at one of my locations where half the staff were having about a 30 minute logon time and the fix was to reset the default MTU packet size on the workstations. I think this had something to do with fragmentation and 2003 AD security packets that weren't supposed to be fragmented. It was an odd issue with a quick solution.

Charlie

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 06, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Deleting the profile does this, does it not? How would that explain the same problem on another computer? Roaming profiles are NOT being used.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Have you tried deleting their account from the Documents and Settings folder then having them log back on? Back up their desktops first of course :)

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they log in to it takes forever, but if someone else logs into that PC, they log on quickly with no problems.

I have already run netdiag and everything passed, I have deleted the local profile on the computer, disjoined and rejoined the domain, changed the network card, provided a different IP address, verified I can access \\domainname\sysvol\domainname and rebooted the PC as well as all the domain controllers and the routers in between the sites.

No ports are being blocked by anything, no changes to policies have been done, no new servers have been made domain controllers and none have been demoted.

There are two Global Catalogs in that AD Site, replication is working and I have not thrown the PC out the window yet.

What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Re: [ActiveDir] SLOWWWWWW Logons
www.dslreports.com. Look under tests and tweaks.
RE: [ActiveDir] SLOWWWWWW Logons
This sounds very much like an issue we had and the problem had to do with UDP packet fragmentation. Perhaps you can try the following Kerberos change. If it doesn't work, remove it.

Add the following Value to the registry on one of the remote workstations, reboot and try again:

HKLM/System/CurrentControlSet/Control/LSA/Kerberos/Parameters/MaxPacketS ize DWORD 0x580 (1408 decimal)

Jim Becker
Asst. Dir. of Administrative Systems
State University of New York System Administration
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

How much data are those two users pulling down from the domain controllers (network trace?) What's different about them?
RE: [ActiveDir] SLOWWWWWW Logons
Oops, be careful, it wrapped... The value is MaxPacketSize
[ActiveDir] Extremely Weird Problem
Has anyone ever seen this?

Our Audit settings in both our lab and production environments are changing themselves automatically. When we set them to the settings we would like, the settings actually switch back and increment the version # on the policy! I've been on the phone with Microsoft for hours and hours at this point and they have never heard/seen this before. The audit settings are the only settings that seem to change. All others stay the way we set them.

I can give more info if needed. I just want to know if anyone ever heard of this.

Thanks,
Marc Schmieder
RE: [ActiveDir] SLOWWWWWW Logons
... presumably this sets the limit for Kerberos UDP packets, before TCP is used instead? Or does it simply reduce the max packet size so as to minimise fragmentation of those packets?

neil
RE: [ActiveDir] SLOWWWWWW Logons
It sets the limit for UDP packet size before TCP is used instead to make sure UDP stuff can be contained, with overhead, within one standard Ethernet packet. I sent my reply before I saw the VPN reference, so I'm not sure it applies now. But it won't hurt to try and as I said, if it doesn't improve the situation, to remove it.

Jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, April 07, 2005 8:45 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] SLOWW Logons

... presumably this sets the limit for Kerberos UDP packets, before TCP is used instead? or does it simply reduce the max packet size so as to minimise fragmentation of those packets?

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: 07 April 2005 13:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Oops, be careful, it wrapped... The value is MaxPacketSize

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: Thursday, April 07, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

This sounds very much like an issue we had and the problem had to do with UDP packet fragmentation. Perhaps you can try the following Kerberos change. If it doesn't work, remove it. Add the following Value to the registry on one of the remote workstations, reboot and try again:

HKLM/System/CurrentControlSet/Control/LSA/Kerberos/Parameters/MaxPacketS
ize DWORD 0x580 (1408 decimal)

Jim Becker
Asst. Dir. of Administrative Systems
State University of New York System Administration
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

How much data are those two users pulling down from the domain controllers (network trace?) What's different about them?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they log in to it takes forever, but if someone else logs into that PC, they log on quickly with no problems. I have already run netdiag and everything passed, I have deleted the local profile on the computer, disjoined and rejoined the domain, changed the network card, provided a different IP address, verified I can access \\domainname\sysvol\domainname and rebooted the PC as well as all the domain controllers and the routers in between the sites. No ports are being blocked by anything, no changes to policies have been done, no new servers have been made domain controllers and none have been demoted. There are two Global Catalogs in that AD Site, replication is working and I have not thrown the PC out the window yet. What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Extremely Weird Problem
Have you checked for a higher level GPO that may have these settings configured the way they are changing back to? My only other thought would be another person with permission to change the policy is changing it back.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extremely Weird Problem

Has anyone ever seen this? Our Audit settings in both our lab and production environments are changing themselves automatically. When we set them to the settings we would like, the settings actually switch back and increment the version # on the policy! I've been on the phone with Microsoft for hours and hours at this point and they have never heard/seen this before. The audit settings are the only settings that seem to change. All others stay the way we set them. I can give more info if needed. I just want to know if anyone ever heard of this.

Thanks,
Marc Schmieder
RE: [ActiveDir] Extremely Weird Problem
This isn't the case in either situation. The settings are all set to not defined, but the Default domain controllers policy changes back to a bunch of different settings 5 minutes after I change it. Also, how could a higher level group policy change a lower level group policy's settings? There are only two policies in the domain: Default Domain and Default Domain Controllers. Only 3 people are domain admins in the domain and I'm the only one at work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

Have you checked for a higher level GPO that may have these settings configured the way they are changing back to? My only other thought would be another person with permission to change the policy is changing it back.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extremely Weird Problem

Has anyone ever seen this? Our Audit settings in both our lab and production environments are changing themselves automatically. When we set them to the settings we would like, the settings actually switch back and increment the version # on the policy! I've been on the phone with Microsoft for hours and hours at this point and they have never heard/seen this before. The audit settings are the only settings that seem to change. All others stay the way we set them. I can give more info if needed. I just want to know if anyone ever heard of this.

Thanks,
Marc Schmieder
RE: [ActiveDir] SLOWWWWWW Logons
Certainly good advice ~Eric. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, April 06, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Starting a new thread from the original post, as I am going to address this from a troubleshooting methodology perspective, not a take a swing and perhaps one hit out of the park perspective.

My approach to slow logon:

1) I always start with a userenv log (logging set to 10002). I then take the log, and begin looking for gaps of time in the log, to perhaps understand components that are being slow during user init.

2) If I don't immediately see an answer in the userenv, or at least a starting point (can go either way depending upon the case) I go with two pieces of data: userenv + network trace. Network trace can be tricky, given that you can't take it on the client; the client hasn't logged on yet. :) Typically, I take the client machine and throw it on a silly little hub, and on that hub also place another machine which I take a trace from. Start the trace (some larger buffer, say 50MB or so), then boot the client + log on to the client, and I don't usually stop the trace until the logon is complete. From there, you can line up gaps of time in the userenv log to what was going over the wire. I find this approach more fruitful than just taking a trace and trying to guess where the problem is.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they log in to it takes forever, but if someone else logs into that PC, they log on quickly with no problems. I have already run netdiag and everything passed, I have deleted the local profile on the computer, disjoined and rejoined the domain, changed the network card, provided a different IP address, verified I can access \\domainname\sysvol\domainname and rebooted the PC as well as all the domain controllers and the routers in between the sites. No ports are being blocked by anything, no changes to policies have been done, no new servers have been made domain controllers and none have been demoted. There are two Global Catalogs in that AD Site, replication is working and I have not thrown the PC out the window yet. What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
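The two steps in the quoted methodology (find the silent periods in the userenv log, then line them up with the wire trace) can be scripted. The following is an added example, not code from the thread: the log line layout `USERENV(pid.tid) HH:MM:SS:mmm message`, the sample log lines and the packet summaries are all constructed assumptions.

```python
import re
from collections import namedtuple
from datetime import timedelta

# Assumed line layout: USERENV(pid.tid) HH:MM:SS:mmm message
LINE_RE = re.compile(
    r"^USERENV\([0-9a-fA-F]+\.[0-9a-fA-F]+\)\s+"
    r"(\d{2}):(\d{2}):(\d{2}):(\d{3})\s+(.*)$"
)
DAY = timedelta(days=1)
Gap = namedtuple("Gap", "seconds start before after")


def tod(h, m, s, ms=0):
    """Time of day as a timedelta since midnight (the log carries no date)."""
    return timedelta(hours=h, minutes=m, seconds=s, milliseconds=ms)


def parse_line(line):
    """Return (time_of_day, message), or None for a line without a timestamp."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    h, m, s, ms = (int(x) for x in match.groups()[:4])
    return tod(h, m, s, ms), match.group(5)


def find_gaps(lines, threshold_s=5.0):
    """Silent periods of at least threshold_s seconds, longest first."""
    gaps, prev = [], None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue  # wrapped or blank line: keep the previous timestamp
        stamp, msg = parsed
        if prev is not None:
            delta = stamp - prev[0]
            if delta < -DAY / 2:
                delta += DAY  # logon straddled midnight
            # Small backward jumps (interleaved threads) stay negative
            # and never reach the threshold.
            if delta.total_seconds() >= threshold_s:
                gaps.append(Gap(delta.total_seconds(), prev[0], prev[1], msg))
        prev = (stamp, msg)
    return sorted(gaps, key=lambda g: g.seconds, reverse=True)


def packets_in_gap(gap, packets, skew=timedelta(0)):
    """Packets whose skew-corrected capture time falls inside the gap.

    packets: iterable of (time_of_day, summary) exported from the trace taken
    on the second machine; skew is client clock minus capture clock.
    Returns (seconds_into_gap, summary) pairs in time order.
    """
    window = timedelta(seconds=gap.seconds)
    hits = []
    for stamp, summary in packets:
        offset = (stamp + skew - gap.start) % DAY
        if offset <= window:
            hits.append((offset.total_seconds(), summary))
    return sorted(hits)


# Constructed sample data, not taken from a real machine.
SAMPLE_LOG = """\
USERENV(2a4.2a8) 23:59:41:203 LoadUserProfile: Entering
USERENV(2a4.2a8) 23:59:41:390 GetProfileType: Profile already loaded.
USERENV(2a4.2a8) 23:59:41:515 ProcessGPOs: Starting user Group Policy processing...
USERENV(2a4.2a8) 00:00:26:640 ProcessGPOs: User name resolved
   (constructed wrapped line without a timestamp)
USERENV(2a4.2a8) 00:00:26:812 ProcessGPOs: Processing extension Scripts
USERENV(2a4.2a8) 00:00:35:062 ProcessGPOs: Leaving with 1.
""".splitlines()

SAMPLE_TRACE = [
    (tod(23, 59, 41, 600), "Kerberos AS-REQ over UDP"),
    (tod(23, 59, 44, 600), "Kerberos AS-REQ over UDP (retransmit)"),
    (tod(0, 0, 26, 500), "Kerberos AS-REQ over TCP"),
    (tod(0, 0, 40, 0), "SMB session setup"),
]

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_LOG):
        print(f"{gap.seconds:8.3f}s after: {gap.before}")
        for offset, summary in packets_in_gap(gap, SAMPLE_TRACE):
            print(f"    +{offset:7.3f}s  {summary}")
```

Run it once with the threshold set low to see every pause, then raise the threshold until only the stalls worth chasing in the trace remain.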
RE: [ActiveDir] AD logging
Did you notice ~Eric's post? I have to ask again: Why not just use the GPO? What drove you to the NTDS registry settings? That bit is still not clear to me.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Given the severity of the situation I set them all to 2 and have been watching the logs

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Under diagnostics, there are many keys. Which one did you set?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

The default GPO also has auditing set for the domain right now to audit success and failure for all objects.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Which registry setting did you set? And why there? Why not via GPO around account auditing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question, Hopefully this won't sound too newbie! Domain is 2003 native mode, 6 domain controllers in 3 sites. I've turned up logging in the registry to a value of 2 on the server that holds the PDC Emulator role. I have also set success and failure auditing in the default domain GP on all objects. I created an account for testing then I deleted that account but I can't see a reference to the deletion anywhere? Where will I see a reference to the deletion? Wouldn't I find that in the Security log? Like I said sorry for the newbie question...

Thanks in advance
Mike
RE: [ActiveDir] LAN Manger v2.1 Authentication
Can anyone tell me what security template(s) I should use if I only wanted NTLMv2 and Kerberos authentication on in my environment? We have NT4, 2000, 2003 machines. Also, do I need to configure workstations, servers and DCs or just DCs?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, April 06, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication

Yes, I have seen this document... Thank you so much for the suggestion, this may be a bug from doing an in place upgrade of an NT 4 domain. I'll try applying 2003 server sp1 and see if it fixes this. It's probably best to not use a LANMANAGER boot disk and just go to a WINPE boot disk that supports NTLMv2 and SMB signing.

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 6:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication

I assume you've seen this: http://support.microsoft.com/kb/325379

And since you've already disabled SMB signing the next step would be turn on auditing and check for and correct the errors you see.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, April 05, 2005 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LAN Manger v2.1 Authentication

Greetings,

We just upgraded our NT 4 servers to Windows 2003 server and the migration went as well as can be expected, however I am now trying to image several servers using PowerQuest's Drive Image Pro with a boot disk that uses LAN Manager and I can no longer authenticate against AD. I changed the domain controller and domain security policy to allow LAN Manager authentication and I disabled SMB signing. The server I am using for imaging is a 2000 member server to AD 2003 and the AD controllers are in native mode. Would anyone happen to know what else I need to disable in the domain controller security policy to allow a DOS boot disk to authenticate? Also, I found that if I remove the imaging server from the domain authentication works with the boot disk. Any suggestions would be greatly appreciated.

Sincerely,
Jose Medeiros
408-449-6621 Cell
MCP+I, MCSE, MCT
NT Engineering Association
SFNTUG
www.ntea.net
www.sfntug.org
RE: [ActiveDir] Extremely Weird Problem
That is an extremely weird problem. You did not explain that you were working on the default domain controller policy in your highest (only?) domain. I was presuming that you were working on an OU group policy for the member servers. If that was the case, the domain policy could override the OU policy if the 'No override' box was checked. How many domain controllers do you have in operation within the domain? My next thought is one of the DCs is not synchronizing properly and is resetting the audit values and increasing the policy version #.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

This isn't the case in either situation. The settings are all set to not defined, but the Default domain controllers policy changes back to a bunch of different settings 5 minutes after I change it. Also, how could a higher level group policy change a lower level group policy's settings? There are only two policies in the domain: Default Domain and Default Domain Controllers. Only 3 people are domain admins in the domain and I'm the only one at work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

Have you checked for a higher level GPO that may have these settings configured the way they are changing back to? My only other thought would be another person with permission to change the policy is changing it back.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extremely Weird Problem

Has anyone ever seen this? Our Audit settings in both our lab and production environments are changing themselves automatically. When we set them to the settings we would like, the settings actually switch back and increment the version # on the policy! I've been on the phone with Microsoft for hours and hours at this point and they have never heard/seen this before. The audit settings are the only settings that seem to change. All others stay the way we set them. I can give more info if needed. I just want to know if anyone ever heard of this.

Thanks,
Marc Schmieder
RE: [ActiveDir] LAN Manger v2.1 Authentication
Internosis? Sounds familiar...

Here's a starting point for that information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b4001049-4dec-4f5b-a249-0f4dfd22c732.mspx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication

Can anyone tell me what security template(s) I should use if I only wanted NTLMv2 and Kerberos authentication on in my environment? We have NT4, 2000, 2003 machines. Also, do I need to configure workstations, servers and DCs or just DCs?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, April 06, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication

Yes, I have seen this document... Thank you so much for the suggestion, this may be a bug from doing an in place upgrade of an NT 4 domain. I'll try applying 2003 server sp1 and see if it fixes this. It's probably best to not use a LANMANAGER boot disk and just go to a WINPE boot disk that supports NTLMv2 and SMB signing.

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 6:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication

I assume you've seen this: http://support.microsoft.com/kb/325379

And since you've already disabled SMB signing the next step would be turn on auditing and check for and correct the errors you see.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, April 05, 2005 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LAN Manger v2.1 Authentication

Greetings,

We just upgraded our NT 4 servers to Windows 2003 server and the migration went as well as can be expected, however I am now trying to image several servers using PowerQuest's Drive Image Pro with a boot disk that uses LAN Manager and I can no longer authenticate against AD. I changed the domain controller and domain security policy to allow LAN Manager authentication and I disabled SMB signing. The server I am using for imaging is a 2000 member server to AD 2003 and the AD controllers are in native mode. Would anyone happen to know what else I need to disable in the domain controller security policy to allow a DOS boot disk to authenticate? Also, I found that if I remove the imaging server from the domain authentication works with the boot disk. Any suggestions would be greatly appreciated.

Sincerely,
Jose Medeiros
408-449-6621 Cell
MCP+I, MCSE, MCT
NT Engineering Association
SFNTUG
www.ntea.net
www.sfntug.org
RE: [ActiveDir] Extremely Weird Problem
First of all we are seeing this in the lab AND in production. In the lab, we have 2 DCs in the root domain and 1 DC in the child domain. There were 2 in the child, but we removed it to test if that kept the policies from changing. This, so far, has fixed it, but that isn't a real resolution for the production environment. In the Lab root domain, when I make a change, then version/time are incremented properly. Then I force replication and check to make sure each DC has the proper version. That works fine. Then 3 minutes later the version on the policy is incremented again by 1 and the policies have reverted back! Unbelievable isn't it?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

That is an extremely weird problem. You did not explain that you were working on the default domain controller policy in your highest (only?) domain. I was presuming that you were working on an OU group policy for the member servers. If that was the case, the domain policy could override the OU policy if the 'No override' box was checked. How many domain controllers do you have in operation within the domain? My next thought is one of the DCs is not synchronizing properly and is resetting the audit values and increasing the policy version #.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

This isn't the case in either situation. The settings are all set to not defined, but the Default domain controllers policy changes back to a bunch of different settings 5 minutes after I change it. Also, how could a higher level group policy change a lower level group policy's settings? There are only two policies in the domain: Default Domain and Default Domain Controllers. Only 3 people are domain admins in the domain and I'm the only one at work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

Have you checked for a higher level GPO that may have these settings configured the way they are changing back to? My only other thought would be another person with permission to change the policy is changing it back.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extremely Weird Problem

Has anyone ever seen this? Our Audit settings in both our lab and production environments are changing themselves automatically. When we set them to the settings we would like, the settings actually switch back and increment the version # on the policy! I've been on the phone with Microsoft for hours and hours at this point and they have never heard/seen this before. The audit settings are the only settings that seem to change. All others stay the way we set them. I can give more info if needed. I just want to know if anyone ever heard of this.

Thanks,
Marc Schmieder
[ActiveDir] DC location queries
I would like to ask for confirmation relating to the below scenarios and DC location:

1. Client in site with no DCs installed
   Client receives list of DCs which have registered SRV records on behalf of that site
2. Client in site with a DC but that DC is unavailable
   Client requests list of DCs registered at the domain level
3. Client in unknown site
   Client receives list of DCs associated with the defaultFirstNameSite

We have only hub sites register as per point 2 and the default site has been renamed. How do I determine which site has assumed the role of the default site?

Thanks,
neil
[ActiveDir] Export Security Mailbox Rights members
I have an account that has a few unknown SIDs under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this?

-Devon

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
Re: [ActiveDir] DC location queries
Hi Neil

In your domain DNS zone you will see a list of the sites in the _SITES folder. Inside that are the site names and an _tcp folder. This contains the SRV records that are registered for that site. Once a client is site aware (after first logon) my understanding is this.

1) The client queries DNS for a list of DCs in its site. It will then try them in a random order. If nothing is returned, or this fails...
2) The client will query DNS for a list of DCs in the domain. It will then try them in a random order with (I believe) 100ms time out for each before contacting the next.

Gil Kirkpatrick wrote a very good article on controlling this topology with SRV record priorities (i.e. lower records are provided first and when they time out remaining records are provided), and on setting manual site coverage.

http://www.windowsitpro.com/Windows/Article/ArticleID/37935/37935.html

We have used this somewhat, setting the SRV record value for all DCs to 16, except for our hubsite (left at the default value of 0) for the domain. In our scenario the client will

1) Check the site, if there is nothing.
2) Check the hubsite, if they both time out
3) Check every other DC in the domain.

Hope this helps;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Ruston, Neil [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/07/2005 03:07 PM CET
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] DC location queries

I would like to ask for confirmation relating to the below scenarios and DC location:

1. Client in site with no DCs installed
   Client receives list of DCs which have registered SRV records on behalf of that site
2. Client in site with a DC but that DC is unavailable
   Client requests list of DCs registered at the domain level
3. Client in unknown site
   Client receives list of DCs associated with the defaultFirstNameSite

We have only hub sites register as per point 2 and the default site has been renamed. How do I determine which site has assumed the role of the default site?

Thanks,
neil
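The lookup order described in the reply above (site records first, then domain-wide records with the hub at priority 0 and every other DC at 16) can be modelled as follows. This is an added example, not code from the thread: the domain `corp.example`, the site names, the DC names and the weights are constructed, and the ordering within a priority follows the weighted selection of RFC 2782 rather than any particular client implementation.

```python
import random
from collections import namedtuple

Srv = namedtuple("Srv", "priority weight target")


def srv_order(records, rng):
    """RFC 2782 order: lowest priority value first, weighted random within it."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)  # zero-weight entries first
        while pool:
            point = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for index, rec in enumerate(pool):
                running += rec.weight
                if running >= point:
                    break
            ordered.append(pool.pop(index))
    return ordered


def locate_dc(zone, domain, site, reachable, rng):
    """Try the client's site records, then the domain-wide records.

    zone maps an SRV owner name to its records; reachable is the set of DCs
    that currently answer. Returns (chosen DC or None, targets tried in order).
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    tried = []
    for name in names:
        for rec in srv_order(zone.get(name, []), rng):
            if rec.target in tried:
                continue  # already timed out on this DC via the site list
            tried.append(rec.target)
            if rec.target in reachable:
                return rec.target, tried
    return None, tried


# Constructed zone: hub DCs keep priority 0, branch DCs are raised to 16.
DOMAIN = "corp.example"
HUBS = {"hub-dc1", "hub-dc2"}
BRANCHES = {"br1-dc1", "br2-dc1"}
ZONE = {
    "_ldap._tcp.branch1._sites.dc._msdcs.corp.example": [
        Srv(16, 100, "br1-dc1"),
    ],
    "_ldap._tcp.dc._msdcs.corp.example": [
        Srv(0, 100, "hub-dc1"), Srv(0, 100, "hub-dc2"),
        Srv(16, 100, "br1-dc1"), Srv(16, 100, "br2-dc1"),
    ],
}

if __name__ == "__main__":
    rng = random.Random(2005)
    scenarios = [
        ("branch1", HUBS | BRANCHES),   # local DC up
        ("branch1", HUBS | {"br2-dc1"}),  # local DC down, hubs up
        ("branch3", BRANCHES),          # site without records, hubs down
    ]
    for site, up in scenarios:
        dc, tried = locate_dc(ZONE, DOMAIN, site, up, rng)
        print(f"site={site:8s} chose={dc} tried={tried}")
```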
RE: [ActiveDir] AD logging
Yes I saw Eric's post, which does make sense; my real problem is I have accounts once a week for the past 2 months that literally disappears from AD... I have removed everyone but myself from all privileged groups; I've had all my admins reset passwords, I've made sure no scripts are running that would cause this to happen. I've even removed all logon scripts. I've never seen user accounts just disappear like this... So I set up a few test account then deleted them, I want to see where this gets logged to help me troubleshoot why other accounts see to just vanish?!?! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, April 07, 2005 6:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD logging Did you notice ~Eric's post? I have to ask again: Why not just use the GPO? What drove you to the NTDS registry settings? That bit is still not clear to me. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Wednesday, April 06, 2005 5:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD logging Given the severity of the situation I set them all to 2 and have been watching the logs -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, April 06, 2005 1:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD logging Under diagnostics, there are many keys. Which one did you set? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Wednesday, April 06, 2005 4:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD logging HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics The default GPO also has auditing set for the domain right now to audit success and failure for all objects. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, April 06, 2005 1:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD logging Which registry setting did you set? And why there? Why not via GPO around account auditing? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Wednesday, April 06, 2005 3:51 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD logging Question, Hopefully this wont sound too newbie! Domain is 2003 native mode 6 domain controllers in 3 sites. I've turned up logging in the registry to a value of 2 on the server that holds the PDC Emulator role. I have also set success and failure auditing in the default domain GP on all objects. I created an account for testing then I deleted that account but I can't see a reference to the deletion anywhere? Where will I see a reference to the deletion? Wouldn't I find that in the Security log? Like I said sorry for the newbie question... 
Thanks in advance Mike

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
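An added example, not part of the original thread: one way to run the test described above (create a test account, delete it, then look for the audit trail) over Security log exports gathered from every domain controller, using the event IDs given elsewhere in this thread (624 for creation, 630 for deletion). Account-management events are written to the Security log of the DC that processed the change, so the exports are merged before searching. The CSV layout, the flattened message text and all DC, domain and account names are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

EVENT_CREATED = 624  # account created (success audit)
EVENT_DELETED = 630  # account deleted (success audit)

# Constructed sample: Security log rows merged from several DCs. The column
# layout and the one-line message text are assumptions about the export tool.
SAMPLE_EXPORT = """\
time,computer,event_id,message
2005-04-07 09:12:03,DC1,624,"User Account Created: New Account Name: audittest1 New Domain: CORP Caller User Name: mike Caller Domain: CORP"
2005-04-07 09:15:40,DC1,630,"User Account Deleted: Target Account Name: audittest1 Target Domain: CORP Caller User Name: mike Caller Domain: CORP"
2005-04-07 09:20:00,DC1,642,"User Account Changed: Target Account Name: jdoe Target Domain: CORP Caller User Name: mike Caller Domain: CORP"
2005-04-08 02:00:17,DC4,630,"User Account Deleted: Target Account Name: asmith Target Domain: CORP Caller User Name: svc-sync Caller Domain: CORP"
2005-04-08 02:00:18,DC4,630,"User Account Deleted: Target Account Name: bjones Target Domain: CORP Caller User Name: svc-sync Caller Domain: CORP"
"""

FIELD_RE = re.compile(
    r"(New Account Name|Target Account Name|Caller User Name|Caller Domain):\s*(\S+)"
)


def parse_export(text):
    """Return account create/delete events as dicts, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            event_id = int(row["event_id"])
        except (TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the run
        if event_id not in (EVENT_CREATED, EVENT_DELETED):
            continue
        fields = dict(FIELD_RE.findall(row["message"] or ""))
        account = fields.get("Target Account Name") or fields.get("New Account Name")
        if not account:
            continue
        events.append({
            "time": row["time"],
            "dc": row["computer"],
            "event_id": event_id,
            "account": account.lower(),
            "caller": "{}\\{}".format(fields.get("Caller Domain", "?"),
                                      fields.get("Caller User Name", "?")),
        })
    events.sort(key=lambda e: e["time"])  # timestamps are YYYY-MM-DD HH:MM:SS
    return events


def deletions_by_caller(events):
    """Map caller -> [(time, dc, account), ...] for every deletion event."""
    result = defaultdict(list)
    for e in events:
        if e["event_id"] == EVENT_DELETED:
            result[e["caller"]].append((e["time"], e["dc"], e["account"]))
    return dict(result)


def audit_roundtrip(events, account):
    """Return (dc_logging_create, dc_logging_delete); None where nothing was logged."""
    created = deleted = None
    for e in events:
        if e["account"] != account.lower():
            continue
        if e["event_id"] == EVENT_CREATED:
            created = e["dc"]
        else:
            deleted = e["dc"]
    return created, deleted


def silent_dcs(events, all_dcs):
    """DCs with no 624/630 rows: no changes made there, or auditing/collection is missing."""
    return sorted(set(all_dcs) - {e["dc"] for e in events})


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    print("test account logged on:", audit_roundtrip(events, "audittest1"))
    for caller, items in deletions_by_caller(events).items():
        for when, dc, account in items:
            print(f"{when}  {dc}  {caller} deleted {account}")
    print("DCs with no 624/630 events:",
          silent_dcs(events, ["DC1", "DC2", "DC3", "DC4", "DC5", "DC6"]))
```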
[ActiveDir] W2K3 Forest trust w/Netdom
Hello! I'm trying to create a one way trust between two domains install.com and test.com. I need install.com to be the user domain and test.com to be the resource domain. I've added both to DNS and have upgraded both domains to W2K3 Server forest functionality mode. I can successfully create a transitive forest to forest utilizing the AD domains and trusts GUI. My problem, however, comes when I try to utilize Netdom to create a forest trust. I can successfully use the command:

Netdom trust install.com /domain:test.com /UserD:Administrator /PasswordD:* /UserO:Administrator /PasswordO:* /PasswordT:* /Add

This creates an external trust between the two domains that is nontransitive. I need a transitive forest trust. I tried adding the switches /Transitive:Yes and /ForestTransitive:Yes, to make it transitive, but they error out stating that this is for non-Windows Kerberos realms only. I haven't found a way to specify a forest trust. My question is: can you create a transitive forest trust using netdom, and if not, is there another utility for successfully doing this from the command line?

Thanks! greg
RE: [ActiveDir] Change Password Policy
Really? This is what I'm afraid of and I'm having a hard time confirming. Does anyone know for sure? Thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

I don't believe you can block inheritance on domain password policy.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine, It's going to be domain wide unless you set certain OUs to block inheritance. Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info! Thanks, Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 avril 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello, We are looking to implement a gpo to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide. Thanks
RE: [ActiveDir] AD logging
That can be explained by sdprop which runs every 60 mins on the PDCe. It sets ACLs on privileged groups as per those ACLs set on the AdminSDHolder object in the domain. Different, unrelated issue, I'd say :) neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: 07 April 2005 16:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

I can't help much, but to say I've seen a similar situation. In my case, I had several group objects that I modified security on. After some time, say a few hours or so, the permissions would revert back to the default.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, April 07, 2005 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Yes I saw Eric's post, which does make sense; my real problem is I have accounts once a week for the past 2 months that literally disappear from AD... I have removed everyone but myself from all privileged groups; I've had all my admins reset passwords, I've made sure no scripts are running that would cause this to happen. I've even removed all logon scripts. I've never seen user accounts just disappear like this... So I set up a few test accounts then deleted them, I want to see where this gets logged to help me troubleshoot why other accounts seem to just vanish?!?!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, April 07, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Did you notice ~Eric's post? I have to ask again: Why not just use the GPO? What drove you to the NTDS registry settings? That bit is still not clear to me.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Given the severity of the situation I set them all to 2 and have been watching the logs

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Under diagnostics, there are many keys. Which one did you set?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

The default GPO also has auditing set for the domain right now to audit success and failure for all objects.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Which registry setting did you set? And why there? Why not via GPO around account auditing?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question, Hopefully this won't sound too newbie! Domain is 2003 native mode 6 domain controllers in 3 sites. I've turned up logging in the registry to a value of 2 on the server that holds the PDC Emulator role. I have also set success and failure auditing in the default domain GP on all objects. I created an account for testing then I deleted that account but I can't see a reference to the deletion anywhere? Where will I see a reference to the deletion? Wouldn't I find that in the Security log? Like I said sorry for the newbie question...
Thanks in advance Mike
RE: [ActiveDir] Change Password Policy
Yes, I made a mistake in my first reply to you. I have a reply following joe's answer to your query. Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 7 avril 2005 11:06
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Change Password Policy

Really? This is what I'm afraid of and I'm having a hard time confirming. Does anyone know for sure? Thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

I don't believe you can block inheritance on domain password policy.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine, It's going to be domain wide unless you set certain OUs to block inheritance. Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info! Thanks, Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 avril 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello, We are looking to implement a gpo to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide. Thanks
RE: [ActiveDir] Extremely Weird Problem
How about setting up auditing on the PDC emulator DC for the GroupPolicyContainer object that represents that GPO? Then at least you might be able to see who is making the change.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

First of all we are seeing this in the lab AND in production. In the lab, we have 2 DCs in the root domain and 1 DC in the child domain. There were 2 in the child, but we removed it to test if that kept the policies from changing. This, so far, has fixed it, but that isn't a real resolution for the production environment. In the Lab root domain, when I make a change, then version/time are incremented properly. Then I force replication and check to make sure each DC has the proper version. That works fine. Then 3 minutes later the version on the policy is incremented again by 1 and the policies have reverted back! Unbelievable isn't it?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

That is an extremely weird problem. You did not explain that you were working on the default domain controller policy in your highest (only?) domain. I was presuming that you were working on an OU group policy for the member servers. If that was the case, the domain policy could override the OU policy if the 'No override' box was checked. How many domain controllers do you have in operation within the domain? My next thought is one of the DCs is not synchronizing properly and is resetting the audit values and increasing the policy version #.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

This isn't the case in either situation. The settings are all set to not defined, but the Default domain controllers policy changes back to a bunch of different settings 5 minutes after I change it. Also, how could a higher level group policy change a lower level group policy settings? There are only two policies in the domain: Default Domain and Default Domain Controllers. Only 3 people are domain admins in the domain and I'm the only one at work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weird Problem

Have you checked for a higher level GPO that may have these settings configured the way they are changing back to? My only other thought would be another person with permission to change the policy is changing it back.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extremely Weird Problem

Has anyone ever seen this? Our Audit settings in both our lab and production environments are changing themselves automatically. When we set them to the settings we would like, the settings actually switch back and increment the version # on the policy! I've been on the phone with Microsoft for hours and hours at this point and they have never heard/seen this before. The audit settings are the only setting that seem to change. All others stay the way we set them. I can give more info if needed. I just want to know if anyone ever heard of this.

Thanks, Marc Schmieder
RE: [ActiveDir] Change Password Policy
The last time I checked, you could put a block inheritance on the Domain Controllers OU and this would block processing of a domain-linked GPO--even for account policy. In that case, the DCs simply use the default account policy that exists at that time. Obviously not a good thing to do. One thing I often do is, for whatever GPO is linked to the domain that enforces Account Policy, I set it to Enforced (No Override) to ensure that doesn't happen.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Thursday, April 07, 2005 11:06 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Change Password Policy

Really? This is what I'm afraid of and I'm having a hard time confirming. Does anyone know for sure? Thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

I don't believe you can block inheritance on domain password policy.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine, It's going to be domain wide unless you set certain OUs to block inheritance. Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info! Thanks, Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 avril 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello, We are looking to implement a gpo to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide. Thanks
RE: [ActiveDir] MacOSX Active Directory Plug-in
Hi Brian, What version of Active Directory are you using? Did he have to turn off SMB signing and enable lanmanager? Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brian Desmond
Sent: Wednesday, April 06, 2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose Matt- This won't help you from a how to standpoint, but I can tell you for a fact that my mac guy has our 10.3 X boxes on the domain. Took him a while to figure it all out, but it does work...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 4/6/2005 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Matt, I also have a MAC running MAC OS 10.3.8 and have also tried adding my Mac to a 2003 Active Directory domain to no avail. I just can't get it to bind as a member workstation. However I have used ADMITMAC by Thursby software it works like a charm and it supports NTLMv2, SMB signing and Kerberos based tickets. The URL for Thursby is: http://www.thursby.com/ and http://www.thursby.com/products/admitmac-vs-panther.html With that said let me give you a URL that you may also want to try: http://www.macwindows.com/ , if you figure out a way to get it to work without Admit Mac please let me know as I am very interested. I hope this helps!

Sincerely, Jose Medeiros MCP+I, MCSE, MCT www.ntea.net www.sfntug.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Brown
Sent: Wednesday, April 06, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MacOSX Active Directory Plug-in

When adding Mac's to Active Directory using the Mac AD Directory Services Plug-in I can do it just fine using my Domain Admin account.
But when I try to add the machine using an account in the group with privileges to add to the domain I get an error saying Insufficient Privileges. Anybody seen this or know of a privilege I need to set? All of my lab managers on campus are in the group that can add computers to the domain and it works fine for the PC's.

Thanks,
-- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] Change Password Policy
Something strange - if you download the MS Security Templates from the URL below, you get a few DC Templates and they all configure the Password Policy. Why would they do this if this policy has to be set with GPOs linked only at the domain level?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Thursday, April 07, 2005 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Maybe this will help Christine. I was looking into the same issue a few days ago.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bb99fdd4-f8e0-490f-adae-6814cf081ff7.mspx

For domain accounts, the account policy must be defined in the Default Domain Policy Group Policy object (GPO) or in a new GPO that is linked to the root of the domain and given precedence over the Default Domain Policy GPO, which is enforced by the domain controllers that make up the domain. If more than one GPO containing account policy settings is linked at the domain level, the domain's account policy consists of the cumulative policy settings from all the domain-linked GPOs.

A domain controller always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if a different account policy is applied to the organizational unit (OU) that contains the domain controller.

By default, workstations and servers joined to a domain (such as member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be differentiated from the domain account policy by defining an account policy for the OU that contains the member computers.

Ivor Beelders
Global Directory Services Group
Information Management, Rexam Inc.
Voice: +1 704 551 1507
Voice: +44 1438 785 5710
Mobile: +1 704 458 9580
Fax: +1 704 551 1627

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Thursday, April 07, 2005 10:06 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Change Password Policy

Really? This is what I'm afraid of and I'm having a hard time confirming. Does anyone know for sure? Thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

I don't believe you can block inheritance on domain password policy.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine, It's going to be domain wide unless you set certain OUs to block inheritance. Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info! Thanks, Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 avril 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello, We are looking to implement a gpo to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide. Thanks
[ActiveDir] Time Sync between Forest Root and Child Domains
This should be a simple thing to do, but it's driving me up the wall. Here is what I would like to do:

1) Sync my PDCE in my forest root with a reliable internet time server
2) Have my other domain controllers in the forest root sync with the PDCE
3) Have the PDCE's in my child domains sync with the forest root PDCE

I should be able to do this via Net Time, but so far I am getting no joy. Here is the problem:

1) Windows 2003 root domain
2) PDCE, and all other domain controllers in the root domain, keep synching with the first W2K3 server introduced in the root domain. This happens to be a virtual machine...
3) On the PDCE and all other domain controllers in the root domain, using net time /DOMAIN:(netbios name of our root) does not help. Still synced with this VM.

Any suggestions? This should not be this difficult

Thanks, J

This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
RE: [ActiveDir] Change Password Policy
Thanks. The reason for this is we have domain level service accounts for SQL and Exchange, etc. We don't want those to change those passwords. How do you folks handle these? Thanks for all your help!

-Original Message-
From: Francis Ouellet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Yup, and that's the dumbest thing I've said today...or this week. Yeah, this week for sure. Next time I'll actually read my answers twice! /bangs head on desk

Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 6 avril 2005 15:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

If it is for domain IDs you should have stopped right here "It's going to be domain"

Policy for domain accounts such as password policy, lockout policy, etc, are whole domain or nothing due to the policy effecting changes to values on the domain NC head AD object and then applying to all accounts regardless of hierarchy. It can be overridden by setting specific accounts to never expire but that usually just ends up being a huge security risk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine, It's going to be domain wide unless you set certain OUs to block inheritance. Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info! Thanks, Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 avril 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello, We are looking to implement a gpo to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide. Thanks
RE: [ActiveDir] Export Security Mailbox Rights members
Is there an option for this in adfind?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, April 07, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Export Security Mailbox Rights members

I have an account that has a few unknown SIDs under the Security Tab Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this?

-Devon

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
Re: [ActiveDir] Time Sync between Forest Root and Child Domains
Set the time source on your Root PDC with

net time /setsntp:SERVERNAME

On all other DC's do not set a time source with net time /setsntp:

By not setting a time source the DC's should all default to the Forest Root PDC. Or you can manually set the other DC's to sync with your forest PDC with

net time /setsntp:PDCname

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Time Sync between Forest Root and Child Domains
Date: 04/07/2005 11:33 AM
Please respond to [EMAIL PROTECTED]

This should be a simple thing to do, but it's driving me up the wall. Here is what I would like to do:

1) Sync my PDCE in my forest root with a reliable internet time server
2) Have my other domain controllers in the forest root sync with the PDCE
3) Have the PDCE's in my child domains sync with the forest root PDCE

I should be able to do this via Net Time, but so far I am getting no joy. Here is the problem:

1) Windows 2003 root domain
2) PDCE, and all other domain controllers in the root domain, keep synching with the first W2K3 server introduced in the root domain. This happens to be a virtual machine...
3) On the PDCE and all other domain controllers in the root domain, using net time /DOMAIN:(netbios name of our root) does not help. Still synced with this VM.

Any suggestions? This should not be this difficult

Thanks, J
RE: [ActiveDir] SLOWWWWWW Logons
Would this help in outlook 2003 trying to login to Exchange 2003?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, April 07, 2005 8:45 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] SLOWW Logons

... presumably this sets the limit for Kerberos UDP packets, before TCP is used instead? or does it simply reduce the max packet size so as to minimise fragmentation of those packets? neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: 07 April 2005 13:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Oops, be careful, it wrapped... The value is MaxPacketSize

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: Thursday, April 07, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

This sounds very much like an issue we had and the problem had to do with UDP packet fragmentation. Perhaps you can try the following Kerberos change. If it doesn't work, remove it. Add the following Value to the registry on one of the remote workstations, reboot and try again:

HKLM/System/CurrentControlSet/Control/LSA/Kerberos/Parameters/MaxPacketS
ize DWORD 0x580 (1408 decimal)

Jim Becker
Asst. Dir. of Administrative Systems
State University of New York System Administration
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

How much data are those two users pulling down from the domain controllers (network trace?) What's different about them?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they login to it takes forever, but if someone else logs into that PC, they log on quickly with no problems. I have already run netdiag and everything passed, I have deleted the local profile on the computer, disjoined and rejoined the domain, changed the network card, provided a different IP address, verified I can access \\domainname\sysvol\domainname and rebooted the PC as well as all the domain controllers and the routers in between the sites. No ports are being blocked by anything, no changes to policies have been done, no new servers have been made domain controllers and none have been demoted. There are two Global Catalogs in that AD Site, replication is working and I have not thrown the PC out the window yet. What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] AD logging
It gets logged in the security log of the domain controller. Once you turn on this logging, it's a lot of events for every action, so be careful to ensure that your event logs can handle it.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5658fae8-985f-48cc-b1bf-bd47dc210916.mspx

Event ID 624 = Create Success Audit Entry
Event ID 630 = Delete Success Audit Entry

It would be a good idea to undo any changes you've made up until now to be sure you're not confusing anything. Also, remember that this is a GPO setting so you'll want to be sure it applied to the domain controllers.

Eventtriggers.exe might be useful for tracking this if you don't have something moving your log files over to another format.

al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, April 07, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Yes I saw Eric's post, which does make sense; my real problem is I have accounts once a week for the past 2 months that literally disappear from AD... I have removed everyone but myself from all privileged groups; I've had all my admins reset passwords, I've made sure no scripts are running that would cause this to happen. I've even removed all logon scripts. I've never seen user accounts just disappear like this... So I set up a few test accounts then deleted them, I want to see where this gets logged to help me troubleshoot why other accounts seem to just vanish?!?!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, April 07, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Did you notice ~Eric's post? I have to ask again: Why not just use the GPO? What drove you to the NTDS registry settings? That bit is still not clear to me.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Given the severity of the situation I set them all to 2 and have been watching the logs

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Under diagnostics, there are many keys. Which one did you set?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

The default GPO also has auditing set for the domain right now to audit success and failure for all objects.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Which registry setting did you set? And why there? Why not via GPO around account auditing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question,

Hopefully this won't sound too newbie! Domain is 2003 native mode, 6 domain controllers in 3 sites. I've turned up logging in the registry to a value of 2 on the server that holds the PDC Emulator role. I have also set success and failure auditing in the default domain GP on all objects. I created an account for testing then I deleted that account but I can't see a reference to the deletion anywhere? Where will I see a reference to the deletion? Wouldn't I find that in the Security log? Like I said, sorry for the newbie question...

Thanks in advance
Mike
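Added example (not part of the original thread): one way to hunt for the deletions discussed above is to export the Security log from every domain controller and pull out Event ID 624 and 630 records, since an account-management event is written only on the DC that handled the change. The records, account names and the "Field: value" layout of the description text below are constructed for illustration and are assumptions, as is the helper that builds them.

```python
import re
from collections import namedtuple

CREATE, DELETE = 624, 630  # event IDs named in the thread

Change = namedtuple("Change", "when dc action account caller")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_description(text):
    """Turn the 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):  # the heading line has no value, skip it
            fields[m.group(1)] = m.group(2)
    return fields


def account_changes(events):
    """Return the create/delete events from all DCs, oldest first."""
    changes = []
    for when, dc, event_id, description in events:
        if event_id not in (CREATE, DELETE):
            continue
        f = parse_description(description)
        account = f.get("Target Account Name") or f.get("New Account Name") or "?"
        caller = "%s\\%s" % (f.get("Caller Domain", "?"),
                             f.get("Caller User Name", "?"))
        action = "delete" if event_id == DELETE else "create"
        changes.append(Change(when, dc, action, account, caller))
    return sorted(changes)


def deletions_by_caller(events):
    """Map each caller to the (time, DC, account) of every deletion it made."""
    result = {}
    for c in account_changes(events):
        if c.action == "delete":
            result.setdefault(c.caller, []).append((c.when, c.dc, c.account))
    return result


def silent_dcs(events, expected_dcs):
    """DCs that contributed no records at all: check that their log was
    exported and that the audit policy GPO really applied to them."""
    seen = {dc for _, dc, _, _ in events}
    return sorted(set(expected_dcs) - seen)


def _description(heading, name_field, account, caller):
    # Constructed description text (layout is an assumption, not real data).
    return ("User Account %s:\n\t%s:\t%s\n\tCaller User Name:\t%s\n"
            "\tCaller Domain:\tCORP\n\tCaller Logon ID:\t(0x0,0x2F1A3)\n"
            "\tPrivileges:\t-\n" % (heading, name_field, account, caller))


# Constructed sample: (time, DC, event ID, description) from three of six DCs.
SAMPLE_EVENTS = [
    ("2005-04-07 10:02:11", "DC1", 624,
     _description("Created", "New Account Name", "test01", "mike")),
    ("2005-04-07 10:05:40", "DC1", 630,
     _description("Deleted", "Target Account Name", "test01", "mike")),
    ("2005-04-04 02:00:07", "DC3", 630,
     _description("Deleted", "Target Account Name", "jsmith", "svc-hrsync")),
    ("2005-04-07 10:06:02", "DC2", 538, "User Logoff:\n\tUser Name:\tmike\n"),
]
ALL_DCS = ["DC1", "DC2", "DC3", "DC4", "DC5", "DC6"]

if __name__ == "__main__":
    for caller, items in sorted(deletions_by_caller(SAMPLE_EVENTS).items()):
        for when, dc, account in items:
            print("%s  %s deleted %s (logged on %s)" % (when, caller, account, dc))
    print("No records from:", ", ".join(silent_dcs(SAMPLE_EVENTS, ALL_DCS)))
```

A deletion whose caller is a service or script account, or one logged on a DC nobody administers interactively, is the lead to follow first.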
RE: [ActiveDir] MacOSX Active Directory Plug-in
Jose-

It's a mix of 2k and 2k3 DCs, 2k native mode. Domain policy is not to require smb signing, but to request it. As far as LM, it's require ntlmv2 or better.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Thu 4/7/2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Brian,

What version of Active Directory are you using? Did he have to turn off SMB signing and enable lanmanager?

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brian Desmond
Sent: Wednesday, April 06, 2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose Matt-

This won't help you from a how to standpoint, but I can tell you for a fact that my mac guy has our 10.3 X boxes on the domain. Took him a while to figure it all out, but it does work...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 4/6/2005 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Matt,

I also have a MAC running MAC OS 10.3.8 and have also tried adding my Mac to a 2003 Active Directory domain to no avail. I just can't get it to bind as a member workstation. However I have used ADMITMAC by Thursby software; it works like a charm and it supports NTLMv2, SMB signing and Kerberos based tickets.

The URL for Thursby is: http://www.thursby.com/ and http://www.thursby.com/products/admitmac-vs-panther.html

With that said let me give you a URL that you may also want to try: http://www.macwindows.com/ , if you figure out a way to get it to work without Admit Mac please let me know as I am very interested.

I hope this helps!

Sincerely,
Jose Medeiros
MCP+I, MCSE, MCT
www.ntea.net
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Brown
Sent: Wednesday, April 06, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MacOSX Active Directory Plug-in

When adding Macs to Active Directory using the Mac AD Directory Services Plug-in I can do it just fine using my Domain Admin account. But when I try to add the machine using an account in the group with privileges to add to the domain I get an error saying Insufficient Privileges. Anybody seen this or know of a privilege I need to set? All of my lab managers on campus are in the group that can add computers to the domain and it works fine for the PCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
[ActiveDir] 2003 SP1 DC Disaster Recovery Testing - Reboots after selecting install from Recovery Console
Testing backups. Fresh install of 2003 SP1 and Exchange 2003. Backed up System State and Exchange IS. Purposely destroyed AD, Exchange DBs and deleted System State boot files. Rebooted server, of course NTLDR missing. So, I boot from Windows Server 2003 CD, hit R for Repair/Recovery. Select C:\Windows as the install, but then it just reboots.

Am I missing something? Have I found a bug in 2003 SP1?

...D
[ActiveDir] event viewer access
In an AD forest, every domain admin can view the event logs (except security) on all servers/DCs in every domain in the forest.

My question is, how can you prevent a domain admin (who is not an enterprise admin) from viewing the event logs on a server/DC not in his/her domain?

thanks
RE: [ActiveDir] time sync script
I modified my original script and created this new one (enclosed). The only thing it will ask is what you want the log file to be (example: c:\time.csv).

Assuming it will be run against a Domain, it will query against non-disabled Computers and Net Time them. The query is a standard LDAP:

(&(objectClass=Computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))

I used it against several domains and it seemed to work without a hitch. I commented out the on error resume next to check for errors, found none.

Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, April 05, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time sync script

Anybody have a script that can check the time on client machines and auto sync them with the Domain Controller?

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.

Set objShell = CreateObject("WScript.Shell")
Set objExplorer = WScript.CreateObject("InternetExplorer.Application")
Dim objFS, TheFileObj, TheFilePath, objScriptExec

' Ask where the CSV log should be written
TheFilePath = InputBox("Enter the log file name in the format: 'c:\time.csv'")
Set objFS = CreateObject("Scripting.FileSystemObject")
Set TheFileObj = objFS.OpenTextFile(TheFilePath, 2, True)
gowindow()
'on error resume next

' Bind to the current domain
Set rootDSE = GetObject("LDAP://RootDSE")
domainContainer = rootDSE.Get("defaultNamingContext")
'msgbox domainContainer

' Query AD for computer accounts that are not disabled
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADSDSOObject"
conn.Open "ADs Provider"
LDAPStr = "<LDAP://" & domainContainer & ">;(&(objectClass=Computer)(!userAccountControl:1.2.840.113556.1.4.803:=2));distinguishedName,name,operatingSystem;subtree"
Set rs = conn.Execute(LDAPStr)

If rs.RecordCount <> 0 Then
    rs.MoveFirst
    Do Until rs.EOF
        strPC = rs.Fields(0).Value
        strComputer2 = rs.Fields(1).Value
        ' Ping first so that machines that are switched off are only logged
        returnCode = objShell.Run("%comspec% /c ping -n 2 -w 1000 " & strComputer2, 7, True)
        If returnCode = 0 Then
            setcode = objShell.Run("%comspec% /c net time \\" & strComputer2 & " /DOMAIN:" & domainContainer & " /SET /y " & strComputer2, 7, True)
            If setcode = 1 Then
                TheFileObj.Write(strComputer2 & ", " & rs.Fields(2).Value & ", Successful" & vbCrLf)
                objExplorer.Document.Body.InnerHTML = (strComputer2 & ", " & rs.Fields(2).Value & ", Successful" & vbCrLf)
            End If
            If setcode <> 1 Then
                TheFileObj.Write(strComputer2 & ", " & rs.Fields(2).Value & ", UnSuccessful" & vbCrLf)
                objExplorer.Document.Body.InnerHTML = (strComputer2 & ", " & rs.Fields(2).Value & ", UnSuccessful" & vbCrLf)
            End If
        End If
        If returnCode <> 0 Then
            TheFileObj.Write(strComputer2 & ", " & rs.Fields(2).Value & ", Unavailable" & vbCrLf)
            objExplorer.Document.Body.InnerHTML = (strComputer2 & ", " & rs.Fields(2).Value & ", Unavailable" & vbCrLf)
        End If
        rs.MoveNext
    Loop
End If

TheFileObj.Close
objShell.Exec("notepad " & TheFilePath)

' Small Internet Explorer window used as a progress display
Sub gowindow()
    objExplorer.Navigate "about:blank"
    objExplorer.ToolBar = 0
    objExplorer.StatusBar = 0
    objExplorer.Width = 500
    objExplorer.Height = 100
    objExplorer.Left = 0
    objExplorer.Top = 0
    Do While (objExplorer.Busy)
        WScript.Sleep 100
    Loop
    objExplorer.Visible = 1
    objExplorer.Document.Body.InnerHTML = "Accessing Time from the Domain Controller."
End Sub
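Added example (not part of the original post or its script): how the filter from the message above selects "non-disabled computers". The matching rule 1.2.840.113556.1.4.803 is a bitwise AND against userAccountControl, where bit 2 marks a disabled account; this small evaluator goes a little beyond the post by also handling the OR rule and the (!(...)) form of negation. The directory entries are constructed, and the filter is written here with its leading &.

```python
BIT_AND = "1.2.840.113556.1.4.803"  # matching rule used in the post
BIT_OR = "1.2.840.113556.1.4.804"


def _item(text):
    attr, sep, value = text.partition("=")
    if not sep or not attr:
        raise ValueError("bad filter item: %r" % text)
    if ":" in attr:  # attr:ruleOID:=value
        name, rule = attr.rstrip(":").split(":", 1)
        if rule not in (BIT_AND, BIT_OR):
            raise ValueError("unsupported matching rule: %s" % rule)
        return ("ext", name.lower(), rule, int(value))
    return ("eq", attr.lower(), value.lower())


def _parse(f, i):
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i] == "!":
        if f[i + 1] == "(":  # (!(item))
            kid, i = _parse(f, i + 1)
        else:  # form used in the post: (!item)
            end = f.index(")", i)
            kid, i = _item(f[i + 1:end]), end
        node = ("!", [kid])
    else:
        end = f.index(")", i)
        node, i = _item(f[i:end]), end
    if f[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def parse_filter(text):
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("filter ends unexpectedly")
    if end != len(text):
        raise ValueError("trailing text after filter")
    return node


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1])
    if values is None:  # simplification: a missing attribute never matches
        return False
    if kind == "eq":
        values = values if isinstance(values, list) else [values]
        return any(str(v).lower() == node[2] for v in values)
    have, want = int(values), node[3]
    return (have & want) == want if node[2] == BIT_AND else (have & want) != 0


def select(filter_text, entries):
    tree = parse_filter(filter_text)
    return [e["name"] for e in entries if matches(tree, e)]


COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]
# Constructed entries: 4096 = workstation, 4098 = disabled workstation,
# 532480 = domain controller, 512 = normal user account.
ENTRIES = [
    {"name": "WS01", "objectclass": COMPUTER, "useraccountcontrol": 4096},
    {"name": "WS02", "objectclass": COMPUTER, "useraccountcontrol": 4098},
    {"name": "DC1", "objectclass": COMPUTER, "useraccountcontrol": 532480},
    {"name": "jdoe", "objectclass": COMPUTER[:4], "useraccountcontrol": 512},
]
POSTED = "(&(objectClass=Computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

if __name__ == "__main__":
    print(select(POSTED, ENTRIES))
```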
RE: [ActiveDir] MacOSX Active Directory Plug-in
Are you sure that he is not using ADMIT Mac on the Mac Clients? To my knowledge the version of Samba (www.samba.org) in Panther does not support authentication using NTLM v2, please look at the Panther vs Admit Mac comparison at: http://www.thursby.com/products/admitmac-vs-panther.html

Can you ask your admin which apple doc he used to get this to work? Are you sure that he is not just using Macintosh file service (NT has had this since NT 3.51 and it supported Ethertalk) on the Windows servers? If so this is not the same thing that we are trying to accomplish with Active Directory member server binding.

Thank you for looking into this!

Regards,
Jose Medeiros
www.ntea.net
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brian Desmond
Sent: Thursday, April 07, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose-

It's a mix of 2k and 2k3 DCs, 2k native mode. Domain policy is not to require smb signing, but to request it. As far as LM, it's require ntlmv2 or better.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Thu 4/7/2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Brian,

What version of Active Directory are you using? Did he have to turn off SMB signing and enable lanmanager?

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brian Desmond
Sent: Wednesday, April 06, 2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose Matt-

This won't help you from a how to standpoint, but I can tell you for a fact that my mac guy has our 10.3 X boxes on the domain. Took him a while to figure it all out, but it does work...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 4/6/2005 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Matt,

I also have a MAC running MAC OS 10.3.8 and have also tried adding my Mac to a 2003 Active Directory domain to no avail. I just can't get it to bind as a member workstation. However I have used ADMITMAC by Thursby software; it works like a charm and it supports NTLMv2, SMB signing and Kerberos based tickets.

The URL for Thursby is: http://www.thursby.com/ and http://www.thursby.com/products/admitmac-vs-panther.html

With that said let me give you a URL that you may also want to try: http://www.macwindows.com/ , if you figure out a way to get it to work without Admit Mac please let me know as I am very interested.

I hope this helps!

Sincerely,
Jose Medeiros
MCP+I, MCSE, MCT
www.ntea.net
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Brown
Sent: Wednesday, April 06, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MacOSX Active Directory Plug-in

When adding Macs to Active Directory using the Mac AD Directory Services Plug-in I can do it just fine using my Domain Admin account. But when I try to add the machine using an account in the group with privileges to add to the domain I get an error saying Insufficient Privileges. Anybody seen this or know of a privilege I need to set? All of my lab managers on campus are in the group that can add computers to the domain and it works fine for the PCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] MacOSX Active Directory Plug-in
If you're having trouble binding with an Admin Account using the built in plug-in, add the AD DNS Servers in your Networking on the Mac.

I have been using it with just the standard Mac Active Directory plug-in for the past year in most of my labs. It works very well, my only problem is for some reason it's only letting me add them to the domain using a Domain Admin account unless I pre-create the computer account in Active Directory. I'd like to allow a group to add them, so my lab managers can add and remove them on their own.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
Re: [ActiveDir] event viewer access
Hey Tom...

In W2k3, you can set the rights...
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076

On 2000 and 2003 there is a policy setting in the local user rights assignments, "manage auditing and security log", which can be set to a global group. However, you have to be careful with this. Some things have to apparently access the log and might not have the rights. I'm going to guess SPs would, along with other weird problems you might experience. We tried it on XP boxes here so that security was the only ones that could access it, and found out we couldn't run system restore, and apply some patches without being in the group. We ended up setting it back to the default on the clients.

John

Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/07/2005 11:20 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir (E-mail) ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] event viewer access

In an AD forest, every domain admin can view the event logs (except security) on all servers/DCs in every domain in the forest.

My question is, how can you prevent a domain admin (who is not an enterprise admin) from viewing the event logs on a server/DC not in his/her domain?

thanks
RE: [ActiveDir] Looking for a specific tool
Check your inbox

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, April 07, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Looking for a specific tool

I'm having a hard time remembering where I've seen such a tool. Looking for a tool that enumerates group members and keeps following the nested groups until it distills to a non-group object. Has anybody seen such a tool?

I know I could write something to do this, but I can't help but think I've seen such a thing and it seems a better use to find the tool instead :)

Cheers,
Al
RE: [ActiveDir] MacOSX Active Directory Plug-in
SMB signing has nothing to do with binding the machine to the directory. That only has to do with mounting shared drives on windows machines, which isn't something that has to be done to bind it to the directory.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Thursday, April 07, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

If you're having trouble binding with an Admin Account using the built in plug-in, add the AD DNS Servers in your Networking on the Mac.

I have been using it with just the standard Mac Active Directory plug-in for the past year in most of my labs. It works very well, my only problem is for some reason it's only letting me add them to the domain using a Domain Admin account unless I pre-create the computer account in Active Directory. I'd like to allow a group to add them, so my lab managers can add and remove them on their own.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] SSL on OWA to change password
Not to sound naive but how do I do that?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, April 05, 2005 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

What's to change? Put an http redirect page on port 80 and redirect to 443 - they'll never know the difference.

Roger Seielstad
E-mail Geek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 05, 2005 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

I would, however my organization is not ready to change to it yet, but I need the Change password function working

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 05, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

Why would you not want to use it on the entire site (for the sake of argument?) I'm not sure I get it. Wouldn't you want it for all of owa?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 05, 2005 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SSL on OWA to change password

Guys, I sent this to a different list but also wanted to bounce it off of you.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 05, 2005 11:10 AM
To: [EMAIL PROTECTED]
Subject: [Exchange2000] SSL on OWA to change password

Please check my logic here. To enable SSL on only the IISADMPWD virtual Directory I do the following steps:

Create the IISADMPWD Virtual Directory
Ensure proper rights and authenticated access are set on that directory
Apply the hotfixes described in the KB Articles for Windows 2003
Run asutil.vbs script to set the PasswordChangeFlag to 0
Generate the SSL Certificate
Apply the SSL Certificate
Set the IISADMPWD Virtual Directory to require SSL
Modify the Registry to show the Change Password button

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
http://support.microsoft.com/kb/833734/EN-US/
http://support.microsoft.com/kb/327134/

I only want to use HTTPS on the change password screen, not the entire OWA Site.

Thanks

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] event viewer access
Thanks. I took a look at the article and oddly enough, I don't have any of those settings in the local group policy on my win2k3 enterprise member server.

Also, I take it there is no group policy to block read access to the app and system log on a win2k server?

Finally, does anyone know what the default acl is on the system, app, dns, directory services, etc. logs in win2000? What user groups can read a remote event log in the local and remote domains?

thanks a lot

[EMAIL PROTECTED] wrote:

Hey Tom...

In W2k3, you can set the rights...
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076

On 2000 and 2003 there is a policy setting in the local user rights assignments, "manage auditing and security log", which can be set to a global group. However, you have to be careful with this. Some things have to apparently access the log and might not have the rights. I'm going to guess SPs would, along with other weird problems you might experience. We tried it on XP boxes here so that security was the only ones that could access it, and found out we couldn't run system restore, and apply some patches without being in the group. We ended up setting it back to the default on the clients.

John

Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/07/2005 11:20 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir (E-mail) ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] event viewer access

In an AD forest, every domain admin can view the event logs (except security) on all servers/DCs in every domain in the forest.

My question is, how can you prevent a domain admin (who is not an enterprise admin) from viewing the event logs on a server/DC not in his/her domain?

thanks
RE: [ActiveDir] event viewer access
Hi Tom...

The article says you have to enable these settings:

Important: To view the group policy settings that are described in this article in the Group Policy editor, first complete the following steps, and then continue to the "Use Group Policy to Set Your Application and System Log Security" section:

1. Use a text editor such as Notepad to open the Sceregvl.inf in the %Windir%\Inf folder.

2. Add the following lines to the [Register Registry Values] section:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

3. Add the following lines to the [Strings] section:

AppCustomSD="Eventlog: Security descriptor for Application event log"
SecCustomSD="Eventlog: Security descriptor for Security event log"
SysCustomSD="Eventlog: Security descriptor for System event log"
DSCustomSD="Eventlog: Security descriptor for Directory Service event log"
DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"
FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

4. Save the changes you made to the Sceregvl.inf file, and then run the regsvr32 scecli.dll command.

5. Start Gpedit.msc, and then double-click the following branches to expand them:

Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options

6. View the right panel to find the new Eventlog settings.

There is nothing I know of to do it in 2000.

John

Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/07/2005 12:20 PM
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] event viewer access
Please respond to
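Added example (not part of the original messages or of the KB article): the CustomSD values exposed by the steps above hold a security descriptor in SDDL form, so a proposed value can be checked before it is deployed by walking its ACEs in order and seeing what a given set of group SIDs ends up with. The two SDDL strings and the tokens are constructed for illustration and are not the defaults of any Windows version; the event-log access bits used are 0x1 read, 0x2 write and 0x4 clear.

```python
import re

READ, WRITE, CLEAR = 0x1, 0x2, 0x4  # event-log specific access bits


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as ordered (type, mask, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) != 6 or parts[0] not in ("A", "D"):
            raise ValueError("unsupported ACE: (%s)" % body)
        try:
            mask = int(parts[2], 0)  # CustomSD rights are written as hex
        except ValueError:
            raise ValueError("rights are not numeric in ACE: (%s)" % body)
        aces.append((parts[0], mask, parts[5]))
    return aces


def effective_rights(sddl, token_sids):
    """Rights a caller holding token_sids gets, honouring ACE order:
    a deny ACE only blocks bits that were not already granted, and an
    allow ACE only grants bits that were not already denied."""
    granted = denied = 0
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "A":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted & (READ | WRITE | CLEAR)


def readers(sddl):
    """Trustees that obtain read access when considered on their own."""
    found = []
    for _, _, trustee in parse_dacl(sddl):
        if trustee not in found and effective_rights(sddl, {trustee}) & READ:
            found.append(trustee)
    return found


# Constructed descriptor that lets any authenticated user (AU) read the log.
LOOSE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
            "(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;AU)")
# Constructed descriptor limited to Local System and local Administrators.
TIGHT_SD = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"

# Constructed token of an admin from another domain connecting over the
# network: authenticated, but not in this machine's Administrators group.
REMOTE_ADMIN = {"AU", "NU"}

if __name__ == "__main__":
    for label, sd in (("loose", LOOSE_SD), ("tight", TIGHT_SD)):
        print(label, "readers:", readers(sd),
              "remote admin rights: 0x%x" % effective_rights(sd, REMOTE_ADMIN))
```

Running a candidate descriptor through a check like this before setting it also shows which service identities lose access, the kind of side effect described earlier in the thread.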
RE: [ActiveDir] event viewer access
Aha! Sorry, I was careless in reading the article. Thanks [EMAIL PROTECTED] wrote: Hi Tom... The article says you have to enable these settings: Important: To view the group policy settings that are described in this article in the Group Policy editor, first complete the following steps, and then continue to the Use Group Policy to Set Your Application and System Log Security section: 1. Use a text editor such as Notepad to open the Sceregvl.inf in the %Windir%\Inf folder. 2. Add the following lines to the [Register Registry Values] section: MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomS D,1,%AppCustomSD%,2 MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1 ,%SecCustomSD%,2 MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,% SysCustomSD%,2 MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2 MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2 MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2 3. Add the following lines to the [Strings] section: AppCustomSD=Eventlog: Security descriptor for Application event log SecCustomSD=Eventlog: Security descriptor for Security event log SysCustomSD=Eventlog: Security descriptor for System event log DSCustomSD=Eventlog: Security descriptor for Directory Service event log DNSCustomSD=Eventlog: Security descriptor for DNS Server event log FRSCustomSD=Eventlog: Security descriptor for File Replication Service event log 4. Save the changes you made to the Sceregvl.inf file, and then run the regsvr32 scecli.dll command. 5. Start Gpedit.msc, and then double-click the following branches to expand them: Computer Configuration Windows Settings Security Settings Local Policies Security Options 6. View the right panel to find the new Eventlog settings. There is nothing I know of to do it in 2000. 
John

Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/07/2005 12:20 PM
Please respond to [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] event viewer access

Thanks. I took a look at the article and oddly enough, I don't have any of those settings in the local group policy on my win2k3 enterprise member server.

Also, I take it there is no group policy to block read access to the app and system log on a win2k server?

Finally, does anyone know what the default acl is on the system, app, dns, directory services, etc. logs in win2000? What user groups can read a remote event log in the local and remote domains?

thanks a lot

[EMAIL PROTECTED] wrote:

Hey Tom...

In W2k3, you can set the rights...
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076

On 2000, and 2003 there is a policy setting in the local user rights assignments

   manage auditing and security log

Which can be set to a global group. However, you have to be careful with this. Some things have to apparently access the log and might not have the rights. I'm going to guess SP's would, along with other weird problems you might experience. We tried it on XP boxes here so that security was the only ones that could access it, and found out we couldn't run system restore, and apply some patches without being in the group. We ended up setting it back to the default on the clients.

John

Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/07/2005 11:20 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir (E-mail) ActiveDir@mail.activedir.org
Subject: [ActiveDir] event viewer access

In an AD forest, every domain admin can view the event logs (except security) on all servers/dc's in every domain in the forest.

My question is, how can you prevent a domain admin (who is not an enterprise admin) from viewing the event logs on a server/dc not in his/her domain?

thanks
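The CustomSD values discussed in this thread hold an SDDL string, and the question of who can read a log comes down to walking its ACEs in order. The following is an added example, not code from the KB article or from any poster: both SDDL strings and both logon tokens are constructed, the function names are hypothetical, and the tokens assume a remote administrator from another domain carries only the Authenticated Users (AU) and Network (NU) well-known SIDs on the target server.

```python
import re

# Event log access-mask bits used in CustomSD ACEs.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

def parse_dacl(sddl):
    """Return the DACL of an SDDL string as [(type, mask, trustee), ...] in ACE order."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL with at least one ACE found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        if ace_type not in ("A", "D"):
            continue  # audit and object ACEs do not decide plain log access
        if not rights.lower().startswith("0x"):
            raise ValueError("symbolic rights are not handled here: %s" % rights)
        aces.append((ace_type, int(rights, 16), trustee))
    return aces

def is_granted(sddl, token_sids, right=READ):
    """The first ACE that names a SID in the token and covers the requested
    bit decides the outcome, so a deny ACE placed ahead of an allow wins."""
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee in token_sids and mask & right:
            return ace_type == "A"
    return False

def trustees_with(sddl, right=READ):
    """Trustees that hold an allow ACE for the right (deny ACEs not applied)."""
    return [t for kind, mask, t in parse_dacl(sddl) if kind == "A" and mask & right]

# Constructed sample descriptors, not defaults taken from any Windows version.
# OPEN_SD lets every authenticated user read and write the log.
OPEN_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
           "(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;AU)")
# RESTRICTED_SD keeps write for authenticated users (so software can still
# log events) but leaves read to SYSTEM and the local Administrators group.
RESTRICTED_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
                 "(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x2;;;AU)")

# Constructed tokens (assumption: SDDL abbreviations stand in for full SIDs).
REMOTE_ADMIN_OTHER_DOMAIN = {"AU", "NU"}
LOCAL_ADMIN = {"BA", "AU", "IU"}

if __name__ == "__main__":
    for name, sd in (("open", OPEN_SD), ("restricted", RESTRICTED_SD)):
        print(name, "allow-read trustees:", trustees_with(sd))
        print("  remote admin can read:", is_granted(sd, REMOTE_ADMIN_OTHER_DOMAIN))
        print("  local admin can read: ", is_granted(sd, LOCAL_ADMIN))
```
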
[ActiveDir] GUID resolution
Hi,

I know this has been asked before but I can't seem to find it in any threads. How do you resolve a guid to the human readable name of an object or attribute in AD? I'm running win2k in mixed mode.

thanks a lot

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] MacOSX Active Directory Plug-in
Hi Matt,

Thank you for taking the time to reply. I did use the AD DNS servers, however I must have a configuration problem ( I was at Mac World a few months back and asked several people about this and I found no one that actually had it work on Active Directory 2003 unless they used ADMIT MAC ).

Would it be possible for you to make screen captures of your client configuration and send them to me directly, I would really appreciate it.

Regards,
Jose Medeiros

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown
Sent: Thursday, April 07, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

If you're having trouble binding with an Admin Account using the built in plug-in. Add the AD DNS Servers in your Networking on the Mac.

I have been using it with just the standard Mac Active Directory plug-in for the past year in most of my labs. It works very well, my only problem is for some reason it's only letting me add them to the domain using a Domain Admin account unless I pre-create the computer account in Active Directory. I'd like to allow a group to add them, so my lab managers can add and remove them on their own.

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] GUID resolution
1. Run LDP
2. Connect and BIND
3. Select Search
4. Enter Base DN of <GUID=[whatever the GUID is]> ... include the angled brackets
5. Populate other dialogs accordingly, enter and run

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, April 07, 2005 4:10 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] GUID resolution

Hi,

I know this has been asked before but I can't seem to find it in any threads. How do you resolve a guid to the human readable name of an object or attribute in AD? I'm running win2k in mixed mode.

thanks a lot
RE: [ActiveDir] GUID resolution
Do I leave in the dashes? I pulled the guid from an error i've been getting in the Directory Services log on a DC. When i enter the guid in ldp, I get this-

ldap_search_s(ld, 1825a294808e4036adae51144dee742f, 0, (objectclass=*), attrList, 0, msg)
Error: Search: Naming Violation. 64
Result 64: 0057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893
Matched DNs:
Getting 0 entries:

I get the same thing when I leave in the dashes.-

ldap_search_s(ld, 1825a294-808e-4036-adae-51144dee742f, 1, (objectclass=*), attrList, 0, msg)
Error: Search: Naming Violation. 64
Result 64: 0057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893
Matched DNs:
Getting 0 entries:

Thanks

Dean Wells wrote:

1. Run LDP
2. Connect and BIND
3. Select Search
4. Enter Base DN of <GUID=[whatever the GUID is]> ... include the angled brackets
5. Populate other dialogs accordingly, enter and run
[ActiveDir] Error
I keep getting this on a computer. Windows XP SP2

Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

Any ideas, I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] GUID resolution
Seems you can also use that syntax GUID= as the argument to -b in ADFIND, which makes sense, and is nice to know. Is this because that attribute's syntax is an Octal string? I'm just curious...not knowing too much about the way these things are stored!

Thanks!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

Noticed you said you're using 2K ... dashes are of no concern, at least to 2K3 ... don't have 2K directory handy to test right now. Either way, can't even remember if the GUID=blah base is supported on 2K ... assuming it is, you missed the GUID= from the beginning of the entry.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] GUID resolution
I'm guessing you mean octet string ... if so and if I understand what you're asking, not really ... GUID= and SID= are little more than hard-coded bits of server-side intelligence ... am I even answering your question?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Cliffe
Sent: Thursday, April 07, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Seems you can also use that syntax GUID= as the argument to -b in ADFIND, which makes sense, and is nice to know. Is this because that attribute's syntax is an Octal string? I'm just curious...not knowing too much about the way these things are stored!

Thanks!

-DaveC
Reuters CIO Infrastructure
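Two ways to hand a GUID copied from an event-log message to an LDAP search, as an added example that is not from any poster in this thread: the <GUID=...> search base from Dean's steps, and an (objectGUID=...) filter, which needs the bytes in the order Active Directory stores them in the octet string. The function names are hypothetical; the GUID is the one quoted in the thread.

```python
import re
import uuid

GUID_RE = re.compile(
    r"[0-9a-fA-F]{32}|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def parse_guid(text):
    """Accept a GUID as pasted from a log: dashed, undashed, {braced}, or
    already wrapped as <GUID=...>. Undashed input is read as the same digits
    with the dashes removed, the way it was typed in the thread."""
    cleaned = text.strip().strip("<>{}")
    if cleaned.upper().startswith("GUID="):
        cleaned = cleaned[5:]
    if not GUID_RE.fullmatch(cleaned):
        raise ValueError("not a GUID: %r" % text)
    return uuid.UUID(cleaned)

def guid_base_dn(text):
    """Search base in the <GUID=...> form, angle brackets included."""
    return "<GUID=%s>" % parse_guid(text)

def guid_search_filter(text):
    """LDAP filter on objectGUID. The attribute is a 16-byte octet string in
    which the first three GUID fields are stored little-endian, so the bytes
    are reordered (bytes_le) and each one is escaped as \\xx."""
    raw = parse_guid(text).bytes_le
    return "(objectGUID=%s)" % "".join("\\%02x" % b for b in raw)

def guid_from_octets(hex_text):
    """Reverse direction: a hex dump of objectGUID (spaces or backslashes
    between bytes are ignored) back to the dashed text seen in event logs."""
    raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hex_text))
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

if __name__ == "__main__":
    logged = "1825a294-808e-4036-adae-51144dee742f"  # GUID quoted in the thread
    print(guid_base_dn(logged))
    print(guid_search_filter(logged))
    print(guid_from_octets("94 a2 25 18 8e 80 36 40 ad ae 51 14 4d ee 74 2f"))
```
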
RE: [ActiveDir] Error
I have heard that error connected to a corrupt computer account on the network with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 07, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error

I keep getting this on a computer. Windows XP SP2

Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

Any ideas, I have already tried so much.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Error
Tried that and it did not work

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Thursday, April 07, 2005 5:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Error

I have heard that error connected to a corrupt computer account on the network with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?
RE: [ActiveDir] Error
Did you try removing the computer account from Active Directory OU that it resides and synching the active directory controllers before rejoining the workstation to the domain? If not you may want to try this again.

Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Thursday, April 07, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error

Tried that and it did not work
RE: [ActiveDir] GUID resolution
I'm running win2k sp4 in mixed mode. here's the result i get from prepending GUID-

ldap_search_s(ld, GUID=c47ca389-0832-41bc-8030-3e0c7fd13674, 1, (objectclass=*), attrList, 0, msg)
Error: Search: Invalid DN Syntax. 34
Result 34: 208F: NameErr: DSID-031001AA, problem 2006 (BAD_NAME), data 8350, best match of: 'GUID=c47ca389-0832-41bc-8030-3e0c7fd13674'
Matched DNs:
Getting 0 entries:

Thanks

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 07, 2005 5:54 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

I'm guessing you mean octet string ... if so and if I understand what you're asking, not really ... GUID= and SID= are little more than hard-coded bits of server-side intelligence ... am I even answering your question?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
[ActiveDir] Filtering for GPO's
I have been looking at different ways I could filter a GPO. Basically here is the scenario.

We are starting a migration to XP here shortly. Currently users are on 2000 workstations. There are some specific policies that change the way we do business on the XP machines that I want to ensure do not affect the 2000 workstations.

I thought of WMI filtering but according to the GPMC_administering.doc, 2000 will ignore the filtering and apply the GPO anyways. So that won't work.

If I put all the 2000 workstations into a group and denied apply rights to that GPO would it keep that GPO from running if a user signed into the 2000 machine. But it would apply if the user signed into an XP machine. The policies are on the User side of the GPO.

Thanks
Jeff
scripting is my enemy
RE: [ActiveDir] GUID resolution
I only want to know, because I know this guid is the guid of a DC. I get errors logged in the directory services event log (event id 1085) that my DC can't contact this dc for replication. This guid is not present in the _msdc zone on the root dc, so i'm wondering where the hell it is in AD and why my dc is still trying to rep with it? failed demotion?

Right now, i just want to know the name of the dc and which domain it's in.

thanks again

-Original Message-
From: Kern, Tom
Sent: Thursday, April 07, 2005 6:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

I'm running win2k sp4 in mixed mode. here's the result i get from prepending GUID-

ldap_search_s(ld, GUID=c47ca389-0832-41bc-8030-3e0c7fd13674, 1, (objectclass=*), attrList, 0, msg)
Error: Search: Invalid DN Syntax. 34
Result 34: 208F: NameErr: DSID-031001AA, problem 2006 (BAD_NAME), data 8350, best match of: 'GUID=c47ca389-0832-41bc-8030-3e0c7fd13674'
Matched DNs:
Getting 0 entries:

Thanks
[ActiveDir] 2003 SP1 on VMware ESX - reboot issue
Heya all!

Been having this annoying problem since the start of SP1 RC, basically when I reboot the vmware guest domain controller (SP1) it goes to reboot properly, then while starting up win2003 - it shuts down instead.

Host is ESX Server 2.1.0 build 7728 (yeah it's rather old)

VM events: Vmware ESX Server internal monitor error - Not implemented at 2182 (7728)

I have 5 of my guest test DC and so far I can confirm all are having this problem. Anyone else has anything like this happening? Before SP1 all goes well.. Perhaps this should be a selling point of Virtual Server? :-)

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] Error
Any luck with userenv.log or a manual gpupdate /force. Check out gpmc events (gpresult for that computer) to check if GPO is actually applying.

There's a KB on gigabit cards and GPO, not sure if this is the same events you are getting
http://support.microsoft.com/default.aspx?scid=kb;en-us;326152
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Friday, April 08, 2005 5:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Error

I have heard that error connected to a corrupt computer account on the network with the resolution being to join it to a workgroup, reboot, then rejoin it to the domain. Is that one of the things you tried?
RE: [ActiveDir] MacOSX Active Directory Plug-in
I'm quite certain about both of those, esp mac fs and admit mac.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Thu 4/7/2005 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Are you sure that he is not using ADMIT Mac on the Mac Clients? To my knowledge the version of Samba www.samba.org in Panther does not support authentication using NTLM v2, please look at the Panther vs Admit Mac comparison at: http://www.thursby.com/products/admitmac-vs-panther.html

Can you ask your admin which apple doc he used to get this to work? Are you sure that he is not just using Macintosh file service ( NT has had this since NT 3.51 and it supported Ethertalk ) on the Windows servers? If so this is not the same thing that we are trying to accomplish with Active Directory member server binding.

Thank you for looking into this!

Regards,
Jose Medeiros
www.ntea.net
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, April 07, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose-

It's a mix of 2k and 2k3 DCs, 2k native mode. Domain policy is not to require smb signing, but to request it. As far as LM, it's require ntlmv2 or better.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Thu 4/7/2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Brian,

What version of Active Directory are you using? Did he have to turn off SMB signing and enable lanmanager?

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, April 06, 2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose Matt-

This won't help you from a how to standpoint, but I can tell you for a fact that my mac guy has our 10.3 X boxes on the domain. Took him a while to figure it all out, but it does work...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 4/6/2005 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Matt,

I also have a MAC running MAC OS 10.3.8 and have also tried adding my Mac to a 2003 Active Directory domain to no avail. I just can't get it to bind as a member workstation. However, I have used ADMITMAC by Thursby software; it works like a charm and it supports NTLMv2, SMB signing and Kerberos based tickets. The URL for Thursby is: http://www.thursby.com/ and http://www.thursby.com/products/admitmac-vs-panther.html

With that said, let me give you a URL that you may also want to try: http://www.macwindows.com/ , if you figure out a way to get it to work without Admit Mac please let me know as I am very interested.

I hope this helps!

Sincerely,
Jose Medeiros
MCP+I, MCSE, MCT
www.ntea.net
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, April 06, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MacOSX Active Directory Plug-in

When adding Macs to Active Directory using the Mac AD Directory Services Plug-in I can do it just fine using my Domain Admin account. But when I try to add the machine using an account in the group with privileges to add to the domain I get an error saying Insufficient Privileges. Anybody seen this or know of a privilege I need to set? All of my lab managers on campus are in the group that can add computers to the domain and it works fine for the PCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] GUID resolution
Yikes...I completely botched that question because I left out a big chunk (that's what happens when you're about to walk out the door - sorry!)

Let's try again:

Seems you can also use that syntax GUID= as the argument to -b in ADFIND, which makes sense, and is nice to know, especially because I couldn't figure out how to get DSQUERY to do the same. How come you can't query for the objectGUID as a filter (e.g. -- objectGUID=x--xxx ) - is this because that attribute's syntax is an octet string? I'm just curious...not knowing too much about the way these things are stored!

I think the server-side intelligence bit would have answered my next question anyway.

Thanks.
-DaveC
Reuters CIO Infrastructure

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:54 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

I'm guessing you mean octet string ... if so and if I understand what you're asking, not really ... GUID= and SID= are little more than hard-coded bits of server-side intelligence ... am I even answering your question?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, April 07, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Seems you can also use that syntax GUID= as the argument to -b in ADFIND, which makes sense, and is nice to know. Is this because that attribute's syntax is an Octal string? I'm just curious...not knowing too much about the way these things are stored!

Thanks!
-DaveC
Reuters CIO Infrastructure

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

Noticed you said you're using 2K ... dashes are of no concern, at least to 2K3 ... don't have 2K directory handy to test right now. Either way, can't even remember if the GUID=blah base is supported on 2K ... assuming it is, you missed the GUID= from the beginning of the entry.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, April 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Do I leave in the dashes? I pulled the guid from an error I've been getting in the Directory Services log on a DC. When I enter the guid in ldp, I get this-

ldap_search_s(ld, 1825a294808e4036adae51144dee742f, 0, (objectclass=*), attrList, 0, msg)
Error: Search: Naming Violation. 64
Result 64: 0057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893
Matched DNs:
Getting 0 entries:

I get the same thing when I leave in the dashes.-

ldap_search_s(ld, 1825a294-808e-4036-adae-51144dee742f, 1, (objectclass=*), attrList, 0, msg)
Error: Search: Naming Violation. 64
Result 64: 0057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893
Matched DNs:
Getting 0 entries:

Thanks

Dean Wells wrote:

1. Run LDP
2. Connect and BIND
3. Select Search
4. Enter Base DN of GUID=[whatever the GUID is] ... include the angled brackets
5. Populate other dialogs accordingly, enter and run

Visit our Internet site at http://www.reuters.com To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
[ActiveDir] 802.11i
Has 802.11i come out yet?
RE: [ActiveDir] GUID resolution
You are missing the closing .

Regarding the question on GUID binding syntax, 2K supports both octet string and COM GUID style with dashes. Just don't get them mixed up. The octet string is NOT the same as the COM GUID with no dashes.

bcd3e267-50ff-4780-afd6-d1bb3785ada5
and
67E2D3BCFF508047AFD6D1BB3785ADA5

are equivalent. Note the change of byte order on the first DWORD and the first 2 WORDs.

Also, you can search by GUID and use them in LDIF files (generally for creating schema with fixed schemaIDGUID):

(objectGUID=\67\E2\D3\BC\FF\50\80\47\AF\D6\D1\BB\37\85\AD\A5)
and
Z+LTvP9QgEev1tG7N4WtpQ==

For the Base64 that LDIF requires.

With SID binding, 2003 supports SDDL format and octet string, but 2K supports octet string only.

HTH,
Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, April 07, 2005 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

I'm running win2k sp4 in mixed mode. Here's the result I get from prepending GUID-

ldap_search_s(ld, GUID=c47ca389-0832-41bc-8030-3e0c7fd13674, 1, (objectclass=*), attrList, 0, msg)
Error: Search: Invalid DN Syntax. 34
Result 34: 208F: NameErr: DSID-031001AA, problem 2006 (BAD_NAME), data 8350, best match of: 'GUID=c47ca389-0832-41bc-8030-3e0c7fd13674'
Matched DNs:
Getting 0 entries:

Thanks

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 5:54 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

I'm guessing you mean octet string ... if so and if I understand what you're asking, not really ... GUID= and SID= are little more than hard-coded bits of server-side intelligence ... am I even answering your question?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, April 07, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Seems you can also use that syntax GUID= as the argument to -b in ADFIND, which makes sense, and is nice to know. Is this because that attribute's syntax is an Octal string? I'm just curious...not knowing too much about the way these things are stored!

Thanks!
-DaveC
Reuters CIO Infrastructure

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 07, 2005 5:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GUID resolution

Noticed you said you're using 2K ... dashes are of no concern, at least to 2K3 ... don't have 2K directory handy to test right now. Either way, can't even remember if the GUID=blah base is supported on 2K ... assuming it is, you missed the GUID= from the beginning of the entry.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, April 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolution

Do I leave in the dashes? I pulled the guid from an error I've been getting in the Directory Services log on a DC. When I enter the guid in ldp, I get this-

ldap_search_s(ld, 1825a294808e4036adae51144dee742f, 0, (objectclass=*), attrList, 0, msg)
Error: Search: Naming Violation. 64
Result 64: 0057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893
Matched DNs:
Getting 0 entries:

I get the same thing when I leave in the dashes.-

ldap_search_s(ld, 1825a294-808e-4036-adae-51144dee742f, 1, (objectclass=*), attrList, 0, msg)
Error: Search: Naming Violation. 64
Result 64: 0057: LdapErr: DSID-0C090563, comment: Error processing name, data 0, v893
Matched DNs:
Getting 0 entries:

Thanks

Dean Wells wrote:

1. Run LDP
2. Connect and BIND
3. Select Search
4. Enter Base DN of GUID=[whatever the GUID is] ... include the angled brackets
5. Populate other dialogs accordingly, enter and run
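The GUID forms Joe K. lists in the reply above, worked through as an added example that is not part of the original thread. It assumes Python's standard `uuid` module; the function names are hypothetical, and the `<GUID=...>` rendering is the angle-bracketed base DN form that Dean Wells's step 4 refers to.

```python
import base64
import uuid


def guid_forms(guid_text: str) -> dict:
    """Return the directory representations of one COM-style GUID string."""
    guid = uuid.UUID(guid_text)
    # bytes_le stores the first DWORD and the next two WORDs little-endian,
    # which is the byte order of the objectGUID octet string.
    raw = guid.bytes_le
    return {
        "com": str(guid),
        "octet_hex": raw.hex().upper(),
        # Only deleting the dashes gives a different value, not the octet string.
        "dashes_removed": guid.hex.upper(),
        # Every byte escaped as \XX for use in an LDAP search filter.
        "ldap_filter": "(objectGUID=" + "".join(f"\\{b:02X}" for b in raw) + ")",
        # LDIF carries binary attribute values as Base64.
        "ldif_base64": base64.b64encode(raw).decode("ascii"),
        # Base DN form for GUID binding, angle brackets included.
        "base_dn": f"<GUID={guid}>",
    }


def octet_hex_to_guid(octet_hex: str) -> str:
    """Convert an objectGUID octet string (32 hex digits) back to COM form."""
    raw = bytes.fromhex(octet_hex)
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def ldif_base64_to_guid(value: str) -> str:
    """Decode a Base64 objectGUID or schemaIDGUID value taken from LDIF."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError("decoded GUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    # The GUID quoted in the thread.
    for name, value in guid_forms("bcd3e267-50ff-4780-afd6-d1bb3785ada5").items():
        print(f"{name:15} {value}")
```

The reverse helpers are useful when a GUID turns up in a log or an LDIF export and has to be matched against the dashed form shown by other tools.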
RE: [ActiveDir] 802.11i
Yes, it came out, didn't see its shadow ..looong winter :)

Seriously, it's finalized and ratified, but I've yet to see the compatible hardware in store.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, April 07, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 802.11i

Has 802.11i come out yet?