FW: [ActiveDir] Create Trusted Domain Object permission
Hi,

I have two Windows 2003 forests, and one of my forests is in a mixed mode environment. I want to create a trust relationship from one domain controller in one forest to the entire domain controller in the other forest. I know that transitive trust will only work in Native when both forests are in native mode. I cannot raise the level of my second forest.

Now I want to create a user in the second forest with the Create Trusted Domain Object permission so that I can create the trust between the two forests using that user. My problem is that that permission is not working in Windows 2003. I tested this permission in Windows 2000 some time back, and it was working. Does anybody have an idea, has Microsoft changed something with this permission? Or is there any other way, so that I give the minimum rights to a user just for creation of the trust?

Thanks,
Manjeet
[ActiveDir] Dinu Dantu/Kishinev/MD/Leventis is out of the office.
I will be out of the office starting 05/03/2005 and will not return until 05/04/2005. I will respond to your message when I return.

LEGAL DISCLAIMER: This e-mail contains proprietary information some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail. If you are not the intended recipient you must not use, disclose, distribute, copy, or print this e-mail.

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Checking if security principal is used in an ACL on the FS
Hi Guido,

Thank you for your feedback! You hit the nail on its head concerning the nested groups issue and "disabling the group".

The nested groups issue isn't that complex for us, as those groups were migrated from Novell, and in Novell nested groups are not possible (at least in 4.x/5.x). The only objects that are nested are Novell containers that have been "translated" into an AD security group. The easy part is that this nesting structure is top-down if you look at the Novell container structure.

Very interesting, "disabling the group" by changing its scope to distribution. So easy, and I never thought about that one. Thanks!

Cheers,
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 02, 2005 22:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Checking if security principal is used in an ACL on the FS

hey Jorge - when you prepare for nr (2), don't forget the groups that are nested into other groups - they could be nested into other AD groups or into local server groups on the target resource. This won't make your analysis any easier, I know.

And who says you can't do this by name? You'll find a few tools that report on ACLs by listing the names of the respective security principals (I know that Quest's Reporting tool does this - but I'm sure there are others as well) = might be a more reasonable approach, esp. if you want to check the results against the existing ACLs on the FS.

Also, before you delete any security group, I'd suggest to "disable" the group simply by changing its scope from security to distribution = this way the group is no longer added to anyone's security token at logon and you'll quickly hear from the users if they're missing some access...

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 2, 2005 17:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Checking if security principal is used in an ACL on the FS

Hi,

After a migration we did, we want to clean up some security principals (mostly groups).

Situation:
* File server with data that uses AD groups for the ACLs
* AD OU structure with groups where most of them are used on the file system to protect in some manner. (The groups are not used for anything else!)

What I want to do:
* Clean up ALL unused groups

Possible unused groups that can be removed:
(1) groups with no members but used on the file system
(2) groups with members but not used anywhere on the file system

Solution for (1):
* Query AD for all empty groups from the OU structure and delete them
* Force AD replication
* Use SUBINACL to remove deleted SIDs with the option /CLEANDELETEDSIDSFROM

Solution for (2):
* Get all used SIDs used on the file system
* Get all GROUP SIDs from AD
* "Extract" the file system SIDs from the GROUP SIDs in AD and remove the groups that are left

Anyone got any other ideas or a tool that can do this for (2)?

PS: It would be nice if the file system was integrated with AD like in the NDS.

Cheers,
#JORGE#

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
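The set logic Jorge describes for case (2), combined with Guido's caveat that a group nested into another group is still in use, as an added example that is not code from the list thread or from either poster. It models the file-system ACE SIDs and the AD group export as constructed in-memory data (every SID, group name and path below is made up); a real run would feed it the output of a directory walk and an AD group query instead. Local server groups on the file server, which Guido also mentions, are not modeled.

```python
"""Find AD groups that no longer protect anything on a file server.

Added example, not from the list thread: it implements the set logic for
case (2) (file-system SIDs minus AD group SIDs) and handles Guido's caveat
about groups that are only referenced through nesting. All SIDs, group names
and ACL entries below are constructed sample data.
"""

# Constructed sample: SIDs found in ACEs on the file server (what a tool such
# as SUBINACL or a directory walk would have produced), keyed by path.
FS_ACE_SIDS = {
    r"\\fs01\data\finance": {"S-1-5-21-1-1-1-1101", "S-1-5-21-1-1-1-1102"},
    r"\\fs01\data\hr":      {"S-1-5-21-1-1-1-1103"},
    r"\\fs01\data\public":  {"S-1-1-0"},            # Everyone, not an AD group
}

# Constructed sample: security groups exported from the AD OU structure.
# "members" lists member SIDs; a member SID that is itself a group is nesting.
AD_GROUPS = {
    "S-1-5-21-1-1-1-1101": {"name": "FS-Finance-RW",  "members": {"S-1-5-21-1-1-1-2001", "S-1-5-21-1-1-1-1104"}},
    "S-1-5-21-1-1-1-1102": {"name": "FS-Finance-RO",  "members": set()},                    # empty but used: case (1)
    "S-1-5-21-1-1-1-1103": {"name": "FS-HR-RW",       "members": {"S-1-5-21-1-1-1-2002"}},
    "S-1-5-21-1-1-1-1104": {"name": "Dept-Finance",   "members": {"S-1-5-21-1-1-1-2003"}},  # nested into FS-Finance-RW
    "S-1-5-21-1-1-1-1105": {"name": "Old-Novell-Ctx", "members": {"S-1-5-21-1-1-1-2004"}},  # case (2): not on the FS at all
}


def sids_on_filesystem(ace_map):
    """Union of every SID that appears in any ACE, regardless of path."""
    used = set()
    for sids in ace_map.values():
        used |= sids
    return used


def groups_used_via_nesting(directly_used, groups):
    """Expand nesting: a group that is a member (at any depth) of a group
    referenced on the file system still grants access, so it counts as used."""
    reached = set()
    stack = [sid for sid in directly_used if sid in groups]
    while stack:
        sid = stack.pop()
        for member in groups[sid]["members"]:
            if member in groups and member not in reached and member not in directly_used:
                reached.add(member)
                stack.append(member)
    return reached


def classify(ace_map, groups):
    """Return (case1, case2) as sets of group names:
    case1 = empty groups that are still referenced on the file system,
    case2 = groups with members that are referenced nowhere, directly or by nesting."""
    direct = sids_on_filesystem(ace_map)
    nested = groups_used_via_nesting(direct, groups)
    used = direct | nested
    case1 = {g["name"] for sid, g in groups.items() if sid in direct and not g["members"]}
    case2 = {g["name"] for sid, g in groups.items() if sid not in used and g["members"]}
    return case1, case2


if __name__ == "__main__":
    empty_but_used, unused = classify(FS_ACE_SIDS, AD_GROUPS)
    print("case (1) empty groups still on the FS:", sorted(empty_but_used))
    print("case (2) groups not used on the FS:   ", sorted(unused))
```

The two result sets map onto Jorge's (1) and (2): FS-Finance-RO is empty but still sits on an ACL, Old-Novell-Ctx has members but protects nothing, and Dept-Finance is kept because it is reached through FS-Finance-RW. Guido's suggestion of flipping a candidate to a distribution group before deleting it still applies to whatever this reports.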
RE: [ActiveDir] Solaris authentication
I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don't know how they are populating /etc/passwd but can find out. I've never used NIS against AD so couldn't say what's going on here.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 02, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: Solaris authentication

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts?

http://docs.sun.com/source/816-6775-10/a_activedirauth.html
RE: [ActiveDir] seize schema master question
For a six-pack I'll try almost anything!

The intent was not to make the child domain think that there was never a parent... we just (for the 48 hour DR test) didn't think having the parent was necessary. The root of my question was could we seize the schema master role from the parent DC and place that role on the child DC - and then successfully install Exchange?

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

From the way I am reading this, it appears that you are yanking out (a copy of) a child domain and expecting to be able to transfer the Schema (which existed in the root) to a DC in the child domain. For all intents and purposes, you now want your newly-minted (DR'ed) domain to appear as if it never had a parent before. You want to do this because you just found out that the DR'ed domain is headless and Exchange won't install.

If that understanding is correct, I think you are SOL. You can't just prune and graft domains like that. I vaguely remember the Guido trick that Jorge alluded to, but I didn't understand the concept he was describing, so I can't tell you if that might work for you in this case. Six-pack says it won't.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Pelle, Joe
Sent: Mon 5/2/2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

> Why would you want to resurrect the root domain if it's working?
The child domain was working fine - but I need Exchange installed - which meant I needed the schema role.

> What do you mean with "But since the schema master would in theory never have been online - ever - the seizure would be the appropriate step"?
For the DR test ONLY - the schema master server was not scheduled to be restored - therefore we would never bring that online - allowing the seizure of the schema role (assuming that you can seize the role from a parent domain).

> Isn't it true that your forest root domain is OK and up and that you were restoring only the child domain?
No - the root was never restored. The original question was would we need to restore the root to get Exchange installed. The plans were only to restore the child domain.

> Trying to understand this one here..
Me too!

Joe Pelle
Senior Infrastructure Architect, Valassis / IT
[EMAIL PROTECTED]
http://www.valassis.com/

From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

Why would you want to resurrect the root domain if it's working?

What do you mean with "But since the schema master would in theory never have been online - ever - the seizure would be the appropriate step"?

Isn't it true that your forest root domain is OK and up and that you were restoring only the child domain?

Trying to understand this one here..

Cheers
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, May 2, 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

Thanks for the feedback everyone.

In retrospect, resurrecting the root domain would have been the smart thing to do for many reasons (dependencies). But since the schema master would in theory never have been online - ever - the seizure would be the appropriate step - I just didn't know if moving the schema master to a child domain would have any ill effects on the rest of the infrastructure...

Thanks again to all who responded!

Joe Pelle
Senior Infrastructure Architect, Valassis / IT
Tel 734.591.7324
Fax 734.632.6151
[ActiveDir] Problem in Xp system
Hi All,

I have a Win XP system with the latest configuration, having 1GB RAM. It is working fine, but I am not able to attach files in Yahoo mail. When I try to attach files it gets stuck and does not complete. From another system it is working fine.

1) There is no firewall or Service Pack 2 on my system
2) Internet is working fine
3) When I use another gateway it is working fine
4) Windows and NAV are updated

Thanks, regards,
Rakesh
RE: [ActiveDir] Resetting the DSRM password (w2k and w2k3)
Hi Neil,

If you use a remote tool to execute the command... first determine the OS (e.g. through WMI) and then run the remote tool with the correct command line. A remote tool that could be useful in this is PSEXEC from PSTOOLS from SYSINTERNALS, as this one does not need a server component.

Cheers
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, May 03, 2005 12:30
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resetting the DSRM password (w2k and w2k3)

Some time ago, I wrote a batch file to reset the DSRM password on all DCs in a domain to some string, which is then executed every n days. The script uses setpwd to change the pw and works fine on w2k sp3 DCs.

I am now in the throes of testing a w2k and w2k3 mixed (DC) environment and looking for issues which may arise in such a mixed env. Setpwd appears to be one such issue, since setpwd does not function from w2k to w2k3 DCs and the new ntdsutil option to 'reset DSRM password' does not function from w2k3 to w2k DCs.

Is there a newer version of setpwd which works cross platform? Is the above a known issue? Must I use setpwd for w2k DCs and ntdsutil for w2k3 DCs? Any further comments or feedback from those that have encountered this issue?

Thanks,
neil

This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] seize schema master question
Why do you want to install Exchange during a DR test, as you mention in "The root of my question was could we seize the schema master role from the parent DC and place that role on the child DC - and then successfully install exchange?" That's still not clear to me.

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Tuesday, May 03, 2005 12:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

For a six-pack I'll try almost anything!

The intent was not to make the child domain think that there was never a parent... we just (for the 48 hour DR test) didn't think having the parent was necessary. The root of my question was could we seize the schema master role from the parent DC and place that role on the child DC - and then successfully install Exchange?

Joe Pelle
Senior Infrastructure Architect, Valassis / IT
[EMAIL PROTECTED]
http://www.valassis.com/
RE: [ActiveDir] seize schema master question
Joe, you wouldn't be able to restore Exchange nor install new Exchange without the forest root. Exchange writes to the configuration NC, which is forest-wide: cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=root domain. I suppose it's possible to do something with some sleight of hand to write to a copy in the child domain, but it would get ugly quickly if you tried.

To do your Exchange DR you'll need both the root and the child. It's one of the reasons that an empty root design is not favored any longer in many designs. (Of course, Microsoft still needs to update their docs to reflect this. ;) I'm assuming of course that you're not installing new apps during DR scenarios, but then again I haven't seen your DR scenario information. Correct me if I'm wrong.

In addition to the docs Jorge points out in his other email, you may want to have a look at the DR papers for Exchange (http://www.microsoft.com/exchange/library) for some additional information. Basically, you'll need to restore the root, then the child, then the application(s). There's also some cleanup for the domains as you are working them in that needs to get done, since presumably there are no additional domain controllers to replicate with (again, I'm making an assumption that your DR scenario fits the model I'm envisioning; stop the madness if needed). 2K3 SP1 reportedly has some new features around this in ntdsutil, so it's worth looking at when developing your DR plan.

I think it's a great idea to test these types of concepts so you can find issues exactly like this.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 02, 2005 3:55 PM
To: 'Pelle, Joe '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] seize schema master question

As I said before... for a disaster recovery plan, you NEED to take everything into account within an AD forest. There are too many dependencies to restore only a child domain without having a forest root domain in place.

What I'm still trying to understand is why you want to install Exchange during a disaster recovery scenario. Can you explain that one? In my opinion, when doing a disaster recovery, no new implementations (or serious changes) (and installing an Exchange org in a forest is a serious change to me) would occur before the forest was working more than OK!

#JORGE#
RE: [ActiveDir] Solaris authentication
The directions you reference on the SunONE site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If LDAP bind, be sure to use some sort of encryption such as SSL.

I'm curious what the requirement here is? If just to allow Solaris to authenticate via Kerb with AD and allow AD users to log in to Solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement. I'm interested in hearing what the requirements are, though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, May 03, 2005 3:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don't know how they are populating /etc/passwd but can find out. I've never used NIS against AD so couldn't say what's going on here.

~Eric
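Al's advice is to trace the Solaris-to-AD exchange and look at what the bind actually carries. The following is an added example, not part of the thread, that decodes the BER of a captured LDAP BindRequest (the first message an LDAP client sends) and reports whether it is a simple bind, whose password travels as a plain OCTET STRING and is protected only if the connection is wrapped in TLS/SSL, or a SASL bind with a named mechanism such as GSSAPI. The two messages it parses are constructed samples; the DN, password and SASL token bytes in them are made up.

```python
"""Classify an LDAP BindRequest as simple (password in the clear) or SASL.

Added example, not from the list thread. It decodes just enough BER to read
the BindRequest defined in RFC 4511:
  LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest ... }
  BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
                     authentication CHOICE { simple [0] OCTET STRING,
                                             sasl [3] SEQUENCE { mechanism, credentials } } }
The sample messages at the bottom are constructed, not real captures.
"""


def _tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _sequence(buf):
    """Split a constructed value into its child (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        items.append((tag, value))
    return items


def classify_bind(message):
    """Return a dict describing the bind, or None if message is not a BindRequest."""
    tag, body, _ = _tlv(message, 0)
    if tag != 0x30:                         # not an LDAPMessage SEQUENCE
        return None
    (_, msg_id), (op_tag, op_body) = _sequence(body)[:2]
    if op_tag != 0x60:                      # [APPLICATION 0] = BindRequest
        return None
    (_, version), (_, name), (auth_tag, auth) = _sequence(op_body)[:3]
    result = {"message_id": int.from_bytes(msg_id, "big"),
              "version": int.from_bytes(version, "big"),
              "name": name.decode("utf-8")}
    if auth_tag == 0x80:                    # [0] simple: the password itself
        result["method"] = "simple"
        result["password_in_clear"] = True  # cleartext unless the TCP session is TLS/SSL
        result["password_length"] = len(auth)
    elif auth_tag == 0xA3:                  # [3] sasl: SEQUENCE { mechanism, credentials }
        result["method"] = "sasl"
        result["password_in_clear"] = False
        result["mechanism"] = _sequence(auth)[0][1].decode("ascii")
    else:
        result["method"] = "unknown"
        result["password_in_clear"] = None
    return result


def _ber(tag, value):
    """Encode a short-form BER TLV (used only to build the sample messages)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample 1: simple bind, what a plain LDAP client sends to port 389.
SIMPLE_BIND = _ber(0x30, _ber(0x02, b"\x01") + _ber(0x60,
    _ber(0x02, b"\x03") + _ber(0x04, b"cn=sol9host,ou=Hosts,dc=example,dc=com")
    + _ber(0x80, b"hostpw123")))

# Constructed sample 2: SASL GSSAPI bind, what a Kerberos-enabled client sends
# instead; the credentials field holds a made-up token fragment.
SASL_BIND = _ber(0x30, _ber(0x02, b"\x02") + _ber(0x60,
    _ber(0x02, b"\x03") + _ber(0x04, b"")
    + _ber(0xA3, _ber(0x04, b"GSSAPI") + _ber(0x04, b"\x60\x82\x00\x00"))))

if __name__ == "__main__":
    for msg in (SIMPLE_BIND, SASL_BIND):
        print(classify_bind(msg))
```

Run against the payload of the first client packet on port 389 in a capture: a result with method "simple" means the directory password crossed the wire in cleartext unless that session was LDAPS or StartTLS, which is the case Al says to avoid; a "sasl" result with mechanism GSSAPI is the Kerberos path Eric describes.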
RE: [ActiveDir] Problem in Xp system
Rakesh,

One thing you could try is to see whether or not the Upload Manager service is set to Automatic under Services. Another issue could be that you have slow bandwidth and a large file, and a timeout is occurring between you and Yahoo. You could try to attach a smaller file and verify whether or not that works... should that work, split the file using WinZip or alternatively compress it with the aforementioned.

James

From: [EMAIL PROTECTED] on behalf of rakesh jakhar
Sent: Tue 3/05/2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in Xp system

Hi All,

I have a Win XP system with the latest configuration, having 1GB RAM. It is working fine, but I am not able to attach files in Yahoo mail. When I try to attach files it gets stuck and does not complete. From another system it is working fine.

1) There is no firewall or Service Pack 2 on my system
2) Internet is working fine
3) When I use another gateway it is working fine
4) Windows and NAV are updated

Thanks, regards,
Rakesh
RE: [ActiveDir] seize schema master question
Don't you have to install Exchange before you can restore it?

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.

-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 7:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

Why do you want to install Exchange during a DR test, as you mention in "The root of my question was could we seize the schema master role from the parent DC and place that role on the child DC - and then successfully install exchange?" That's still not clear to me.

#JORGE#
RE: [ActiveDir] seize schema master question
Al, I appreciate the response - very definitive and to the point. We will add the root restore into our newly revised :) DR plans. Thanks to all who responded. Helped me out a ton! Not to open a whole new can of worms - but - what (other than what you described below) are the reason(s) empty root domains are not preferred?

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324 Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.

-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 7:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

Joe, you wouldn't be able to restore Exchange nor install new Exchange without the forest root. Exchange writes to the configuration NC, which is forest-wide: cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=root domain. I suppose it's possible to do something with some sleight of hand to write to a copy in the child domain, but it would get ugly quickly if you tried. To do your Exchange DR you'll need both the root and the child. It's one of the reasons that an empty root design is not favored any longer in many designs. (Of course, Microsoft still needs to update their docs to reflect this. ;) I'm assuming of course that you're not installing new apps during DR scenarios, but then again I haven't seen your DR scenario information. Correct me if I'm wrong. In addition to the docs Jorge points out in his other email, you may want to have a look at the DR papers for Exchange http://www.microsoft.com/exchange/library for some additional information. Basically, you'll need to restore the root, then the child, then the application(s).

There's also some cleanup for the domains as you are working them in that needs to get done, since presumably there are no additional domain controllers to replicate with (again, I'm making an assumption that your DR scenario fits the model I'm envisioning; stop the madness if needed). 2K3 SP1 reportedly has some new features around this in ntdsutil, so it's worth looking at when developing your DR plan. I think it's a great idea to test these types of concepts so you can find issues exactly like this.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 02, 2005 3:55 PM
To: 'Pelle, Joe '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] seize schema master question

As I said before... for a disaster recovery plan, you NEED to take everything into account within an AD forest. There are too many dependencies to restore only a child domain without having a forest root domain in place. What I'm still trying to understand is why you want to install Exchange during a disaster recovery scenario. Can you explain that one? In my opinion, when doing a disaster recovery, no new implementations (or serious changes) (and installing an Exchange org in a forest is a serious change to me) would occur before the forest was working more than OK!

#JORGE#
RE: [ActiveDir] Solaris authentication
In a previous job, I've been able to configure users on our Solaris/Linux boxes to authenticate against AD via Kerb without purchasing any additional products. First, you would need to configure the Kerberos client on the *nix box to talk to your AD domain. Then, depending on the service you want the users to authenticate to, i.e. ssh, samba, ftp, and as long as there's a PAM module for the service, you configure the service to use the Kerberos client. That's pretty much it in a nutshell. If you do a Google search for the words "configure kerberos pam active directory", you'll find a lot of documents on how to configure this setup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If LDAP bind, be sure to use some sort of encryption such as SSL. I'm curious what the requirement here is? If just to allow Solaris to authenticate via Kerb with AD and allow AD users to login to Solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement. I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, May 03, 2005 3:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don't know how they are populating /etc/passwd but can find out. I've never used NIS against AD so couldn't say what's going on here.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 02, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: Solaris authentication

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts? http://docs.sun.com/source/816-6775-10/a_activedirauth.html

The information contained in this email message may be privileged, confidential, and protected from disclosure. Any unauthorized use, printing, copying, disclosure, dissemination of or reliance upon this communication by persons other than the intended recipient may be subject to legal restriction or sanction. If you think that you have received this E-mail message in error, please reply to the sender and delete this email promptly.
[ActiveDir] How to make a user member of Built in Administrator group
Hi, I want to make one user a member of the Built-in Administrators group of all the domains within the forest, without making the user an Enterprise Admin. Or, say I have made the user a member of Enterprise Admins. Then how do I deny that user from performing any AD related activities? Actually, my requirement is I want to create a trust from one forest to all the domain controllers in the other forest, without the Enterprise Admin credential. Thanks, Manjeet
RE: [ActiveDir] Compaq raid controllers(OT)
I'm using a Compaq 5300. Every time I add a drive, it goes to array B and I can't seem to find any way to move it to array A. Also, I had a logical drive on an extended partition in Windows 2K. It was a basic disk and I upgraded to dynamic and I'm not allowed to extend it to another physical drive (array B). Is this by design or am I missing something? Does a drive have to be originally formatted as dynamic to achieve this? Thanks for all your help

Medeiros, Jose wrote:
Hi Tom, What model controller do you have? I expanded our RAID 5 array on a Compaq Proliant 1500 using a Smart 2DH RAID controller with NT 3.51 back in 1998 when I supported the servers at LSI Logic, and it worked without having to recreate the array. Glenn is right that lower end Proliant controllers did not support this option. As for expanding the C: partition, PowerQuest has a product called Server Magic (they are now owned by Symantec and changed the name to Volume Manager). If you're only expanding the data partitions you can do so with Dynamic Volumes in 2000 / 2003 server and then add the additional space once you have added it to the drive array in the controller RAID utility.

Regards,
Jose Medeiros MCP+I, MCSE, NT4 MCT
http://www.ntea.net http://www.sfntug.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Glenn Corbett
Sent: Saturday, April 30, 2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compaq raid controllers(OT)

Tom,

First Question. Some of the older Compaq RAID controllers didn't allow RAID expansion, but all of the new models (52xx, 5i, 64xx, 6i) should allow this. Check the firmware levels on the card, and also check the version of the PSP (ProLiant Support Pack) you're running on the server. From within Windows, you should be able to expand the array no problems. There will be a performance hit while it does it (since it's shuffling data around), but the machine should be reasonably happy.

Second Question. You *might* be able to extend the C: partition, but the requirements outlined in the Microsoft Support Article http://support.microsoft.com/default.aspx?scid=kb;en-us;325590 are fairly stringent:
- For Basic volumes, the unallocated space for the extension must be the next contiguous space on the same disk (this wouldn't be do-able, unless you deleted the second partition before attempting the resize).
- Only the extension of data volumes is supported. System or boot volumes may be blocked from being extended. (Well, seeing as you're trying to extend the C: drive, this could be a problem.)

Last Question. A single channel (SCSI bus) within a controller can have any number of arrays consisting of anywhere from a single drive up to a full bus. It's purely a logical distinction.

Glenn

Kern, Tom wrote:
Hi, I have a server with a 70gig RAID 5 array (3 physical drives). Is there any way to add more drives to extend the array to more length, like adding a 30gig drive to the existing RAID array and making a 100gig C: drive, or is this impossible? Every time I add a new drive to the controller, Compaq sees 2 arrays - array A being the 70gig (3 drives) and array B being the new drive. It doesn't give me an option of adding the 30gig drive to array A, so I have 2 partitions in Windows - a 70gig C: volume and a 30gig E: volume. So I have 2 questions: is it not possible on the hardware level to add a new drive to an already existing array? And is there any way to extend the C: partition? (This is Win2K and I assume it's not, because the drive was originally a basic disk, but I just want to make sure.) I assume if you format any drive as basic and later upgrade to dynamic, extending a non-contiguous volume won't work... OK, I have one more question as well :) - when a RAID controller shows 2 arrays, does that mean the drives are on 2 different SCSI channels or is that just a logical distinction? Thanks a lot. Sorry for the OT, I know this isn't a Compaq list...
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Solaris authentication
That primer says that it is using LDAP Auth[1]. LDAP is not an auth protocol, as much as some would like to force it to try and be. It is just a guess, but I expect this, which is the usual in the *nix world, is a simple LDAP bind that is redirected. They are not using SSL[2] but they could be using TLS, but the lack of any mention of TLS or SSL or certs would tend to make me expect to see clear text passwords zipping across the network. I really dislike steps 9 & 10. It looks like they have a hardcoded userid requirement. I always hate when companies do that crap. That should be configurable. Other than that, as Al mentioned, this looks like a pain to use.

If you are using AD as a backend auth store for anything, you should use Kerberos to do it. Unlike LDAP, Kerberos *IS* an authentication protocol. As Alan mentioned, you can do this without purchasing any third party tools. HOWEVER, expect to have a Kerberos dev/troubleshooting team, especially if you have anything other than one or two basic *nix platforms or multiple domains in the forest (multirealm in Kerberos parlance). Basic MIT Kerberos really doesn't work well in a multirealm environment that is handled so easily and transparently by Windows. You will tend to have to write custom code if you want to do multirealm, which will be a pain to maintain. Also the whole management of *nix computer objects in AD can be a pain through the default mechanisms, and I have seen special Perl services written to handle the whole keytab and account management portion of the integration, running on Windows machines that talk to the *nix boxes through sockets. This is where products from Centrify and Vintela really help out. It makes it so you don't have to do any of that dev work. You simply load up the products and the *nix boxes integrate with AD. This includes auth, authorization, group policies, etc.

Additionally you get to deal with one product across all your *nix platforms versus having custom versions of MIT for Solaris, RH Linux, SUSE Linux, HPUX, etc etc etc. Again, if you have to deal with multirealm, you probably don't want to do this with the default Kerberos packages.

joe

[1] The other option is to create and register an authentication module which specifically performs LDAP authentication against the Active Directory.
[2] See step 3, port 389.
RE: [ActiveDir] using GPO with scripts
Yeah, locking the account because they haven't read the doc yet seems a little counterproductive, but if it is that important... go for it. Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alerting the user and then alerting their manager later if they haven't complied. If you want to get fancy you could even have a compliance reporting mechanism to put pressure on the managers. Reports go to the CEO showing compliance in percentages of the whole company at any given time (say monthly) and also percentages by division or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of in AD. You don't have to extend the AD schema then, but can use the AD scripting knowledge you have. Obviously it could go into SQL Server as well, but that seems a bit expensive for this.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you set up the attribute (search for extending schema in AD). I wouldn't have the website do this based on authentication. You want to be sure they read it, so you would want to treat it like you do with other agreements, i.e. EULA agreements, and have the OK navigation button disabled unless and until they click 'I Agree'. As for notification, use email and bug the crud out of them. Or bug their manager if they don't respond in x amount of days. I see the .mil in the addr, which tells me you likely have managers that don't like to be bothered with this kind of piddly stuff. :) As for whether or not to update in AD, I'm not one to agree so easily that adding a custom attribute or even using an existing one is so worth it. I suppose it depends and there are many pros and cons in both directions I'm sure. I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the attribute using the credentials provided. For the sake of tamper-resistance, I would guess that you would want to make this a restricted attribute field. You may additionally want to lock out or disable their account until they read this if it's that important. Makes me wonder how they'll get to the page if they're locked out, but

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD. I am assuming that I need to use ADSI or a similar tool to create this custom attribute. Once the attribute is there, I would need to configure an ActiveX script or something that will update this attribute when the user authenticates to the website, correct? Do I need the web services account to run this script so that it has privileges to change the attribute within AD?

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 02, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

You could even tie into the change password functionality. Take away everyone's right to change their password in the directory and make them go to a website to do it; that website forces them to read that page first. And if they don't agree to what's listed on the HR site you can go ahead and lock their account ;-)

I'd likely vote for a custom attribute in AD where you store the last time they've checked the HR website = you can then send out eMails to the user (and their manager) that it's time to re-confirm their HR data. We use this mechanism for many things (the place where you store the last confirmation date naturally depends on your environment - if AD is your main central directory, there's nothing bad in using it for this).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 2 May 2005 22:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Does it have to be displayed every 90 days or do they have to acknowledge reading it every 90 days? I expect the latter in case there are some sort of legal implications. Have the website be authenticated and have it update a custom created field in AD for each user as they acknowledge the page. Have a logon script that reads that attribute from AD and pops the IE window based on it. You could also have something else sending emails as the time approaches as well for people who don't log off and on or otherwise don't see the logon script (such as someone who logs in via VPN or logs into their workstation instead of the domain - like me). You could even tie into the change password functionality. Take away everyone's right
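The staggered reminder, manager escalation and compliance-by-division reporting that joe and Al sketch in this thread, as an added example in Python; this is not code from the thread or from any of the posters. It assumes the last acknowledgement date has already been read out of the directory (the attribute name lastHRAck, the 90/14/28-day thresholds and the four user records are all assumptions constructed for the example); the AD or AD/AM lookup and the actual email sending are left out, and a user who has never acknowledged is treated as overdue past every threshold.

```python
# Added example, not from the thread: decide per user whether to remind them,
# escalate to their manager, or lock the account, and report compliance per
# division. Attribute name, thresholds and records are assumptions/constructed.
from datetime import date, timedelta

ACK_INTERVAL = timedelta(days=90)   # must re-acknowledge every 90 days
MANAGER_GRACE = timedelta(days=14)  # overdue this long before the manager hears about it
LOCK_GRACE = timedelta(days=28)     # overdue this long before the account is locked
AS_OF = date(2005, 5, 3)            # "today" for the worked run

# Constructed stand-in for the result of an LDAP search returning the
# hypothetical lastHRAck attribute plus division and manager per user.
USERS = [
    {"sam": "alice", "division": "IT",      "manager": "carol", "lastHRAck": date(2005, 4, 20)},
    {"sam": "bob",   "division": "IT",      "manager": "carol", "lastHRAck": date(2005, 1, 15)},
    {"sam": "dave",  "division": "Finance", "manager": "erin",  "lastHRAck": date(2004, 12, 1)},
    {"sam": "frank", "division": "Finance", "manager": "erin",  "lastHRAck": None},  # never acknowledged
]


def action_for(user, today):
    """Return 'ok', 'remind_user', 'alert_manager' or 'lock' for one record."""
    last = user["lastHRAck"]
    if last is None:                    # never acknowledged: past every threshold
        return "lock"
    age = today - last
    if age < ACK_INTERVAL:
        return "ok"
    overdue = age - ACK_INTERVAL
    if overdue < MANAGER_GRACE:
        return "remind_user"
    if overdue < LOCK_GRACE:
        return "alert_manager"
    return "lock"


def plan(users, today):
    """Map each action to the list of (user, manager) pairs due for it today."""
    out = {"ok": [], "remind_user": [], "alert_manager": [], "lock": []}
    for u in users:
        out[action_for(u, today)].append((u["sam"], u["manager"]))
    return out


def compliance_by_division(users, today):
    """Percent of users per division whose acknowledgement is still current."""
    totals, current = {}, {}
    for u in users:
        d = u["division"]
        totals[d] = totals.get(d, 0) + 1
        if action_for(u, today) == "ok":
            current[d] = current.get(d, 0) + 1
    return {d: round(100.0 * current.get(d, 0) / totals[d], 1) for d in totals}


if __name__ == "__main__":
    for action, who in plan(USERS, AS_OF).items():
        print(action, who)
    print(compliance_by_division(USERS, AS_OF))
```

Run monthly, `plan()` is what feeds the user and manager mails, and `compliance_by_division()` is the report joe suggests sending upward; the thresholds are deliberately module constants so the policy can be changed without touching the logic.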
RE: [ActiveDir] How to make a user member of Built in Administrator group
Are you trying to make this a one-way trust? I don't think it is possible to share each other's schema metadata, that is, to extend the schema, without sharing the schema admin permission, which is a part of the Enterprise Admins rights.
[ActiveDir] Tracking OU Deletion
Hello All,

We had an OU that was first moved and then deleted from our production environment last night. Below is a list of what we are auditing. My question is, what events should I look for to determine who moved and deleted the OU? Or am I out of luck, as we are not auditing object access success?

Local Policies/Audit Policy

  Policy                          Setting
  ------------------------------  ----------------
  Audit account logon events      Success, Failure
  Audit account management        Success, Failure
  Audit directory service access  Failure
  Audit logon events              Success, Failure
  Audit object access             Failure
  Audit policy change             Success, Failure
  Audit privilege use             No auditing
  Audit process tracking          No auditing
  Audit system events             Success, Failure

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Solaris authentication
I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things, along with lessening the load of me asking these questions to you guys :)). I have tried using Ethereal to do this, but either it doesn't do it, or I just don't know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can't seem to find)?

As far as REQs, Al:
1. FREE
2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.
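Douglas asks how to see for himself whether the bind is in plain text, and joe's point earlier in the thread is that a simple bind on port 389 without TLS is exactly that. The following is an added example in Python, not code from the thread or from Sun's document: it builds the LDAPv3 BindRequest a client sends for a simple bind (the DN and password are constructed sample values) and then decodes it the way a sniffer would, which is enough to show the password sitting in the packet as a plain OCTET STRING. On a real network the equivalent is `tcpdump -A 'tcp port 389'` and reading the DN and password out of the ASCII dump, or in Wireshark (the renamed Ethereal) the `ldap.simple` display filter; a SASL/GSSAPI bind carries a Kerberos token in that position instead of a password, which is the difference joe is describing, and the parser below reports that case as "sasl" with no password.

```python
# Added example, not from the thread: encode an LDAPv3 simple BindRequest the
# way a client puts it on tcp/389, then decode it the way a sniffer would.
# The sample DN and password are constructed values, not from the original page.


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """INTEGER for the small values used here (message IDs, protocol version)."""
    return tlv(0x02, bytes([value]))


def build_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = tlv(
        0x60,                                   # [APPLICATION 0] BindRequest
        ber_int(3)                              # LDAPv3
        + tlv(0x04, dn.encode())                # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode()),         # authentication: simple [0], cleartext
    )
    return tlv(0x30, ber_int(message_id) + bind_request)  # LDAPMessage SEQUENCE


def read_tlv(buf, pos):
    """Decode the BER element at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                            # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet):
    """What a sniffer sees: messageID, version, DN and the cleartext password.

    Returns None for operations other than BindRequest. For a SASL bind ([3],
    e.g. GSSAPI carrying a Kerberos ticket) only the DN is reported, because no
    password is on the wire in that case.
    """
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, ver, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "dn": dn.decode()}
    if tag == 0x80:
        info["auth"] = "simple"
        info["password"] = auth.decode()        # the whole problem, in one line
    else:
        info["auth"] = "sasl"
    return info


if __name__ == "__main__":
    pkt = build_simple_bind(1, "cn=jdoe,cn=Users,dc=example,dc=com", "Passw0rd!")
    print(pkt.hex(" "))
    print(parse_simple_bind(pkt))
```

The hex dump printed by the block is byte-for-byte what tcpdump would show for that bind, with the DN and password readable in the ASCII column; wrapping the same bytes in TLS (LDAPS on 636, or StartTLS on 389) is what Al means by "use some sort of encryption", and switching to Kerberos removes the password from the exchange altogether.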
RE: [ActiveDir] Tracking OU Deletion
To track an OU deletion you need SUCCESS on Audit directory service access AND you need to configure the objects that should be audited for DELETE actions by a certain security principal (group, user, etc.). Security ID 566

#JORGE#

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] GP DeActivate Norton
Find the registry key in NAV that enables or disables Script Blocking, and set it to disabled, then import that .reg into an Administrative Group Policy template and there ya go!

Nathaniel Bahta
General Dynamics Network Systems

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, May 03, 2005 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP DeActivate Norton

Good day to you all. Can anyone tell me how to deactivate Norton AV script blocking with GP?
Thanks
Peter Jessop
Re: [ActiveDir] How to make a user member of Built in Administrator group
Can you make the user a member of the Domain Admins of each of the domains in the forest? Can you use restricted groups on the clients to mandate the members of the local built-in Administrators? Final option: use the "member of" option. To do this, create a group with this user as a member. Create a "member of" restricted group that has this group as a member of the local admins.

Dennis
RE: [ActiveDir] Compaq raid controllers(OT)
Tom,

You're using a 5300 controller? Sounds like the issue that you're having is that the drive you're using is connected to the wrong channel of the array. The 5300 is either a 2 or 4 channel controller. http://h18000.www1.hp.com/products/servers/proliantstorage/arraycontrollers/smartarray5300/index.html Make sure you're on the latest version of firmware, which is 3.54b. Compaq gave lifetime technical support for servers and a three year hardware replacement warranty. I would also call HP; their support can walk you through your issue and it's a free call: 800-474-6836.

Regards,
Jose Medeiros
RE: [ActiveDir] Compaq raid controllers(OT)
All the drives are on the same port on the array. There is only one cable. Is there something I'm missing? Should they be in different bays? I assume the ports correspond to a channel (or not)?

Thanks
RE: [ActiveDir] Compaq raid controllers(OT)
You're not providing enough information, such as what the server model is. How many drives can each bay hold? If you're using an ML530 or ML570, they support six in each, unless it's an external storage array. You stated that you are using a 5300 series Smart Array controller; however, you're also stating that it has only one channel. To the best of my knowledge Compaq made it with either two (5302) or four channels (5304 is a 5302 with an expansion card). Why don't you just call HP Proliant support? It's free: 800-474-6836.

Good luck,
Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 03, 2005 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compaq raid controllers(OT)
[ActiveDir] DC priority
The majority of my Outlook clients connect to our backup DC, and I am not sure why this is.

Main DC: GC, all FSMO roles, server class
Backup DC: GC, desktop class

They both have the same weight and priority in DNS. The main DC is a much more robust machine with RAID 1 for the OS and RAID 50 (or 05, I forget) for the page file and AD database (versus a desktop machine for the backup DC), so I would like to send the majority of requests to it. Is there a reason that most requests are going to the backup DC? Would adjusting the weight and/or priority even help? Ideas or suggestions?

Would this be the correct reference? http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
RE: [ActiveDir] using GPO with scripts
Well, found out some more information. Love how you get the full info when you need it. NOT.

Anyways. Seems the website is just a web interface to a database with their personnel information. They want to ensure the user visits the site every 90 days to make updates if needed. They are requesting a RunOnce type operation for IE: when the user launches IE it will send them to the database every 90 days, but of course not send the entire population there at once. So I am thinking of a field within the personnel database that will be a timestamp. Now, can I have our homepage run a script in the background that checks this field to see if the timestamp is greater than 90 days, and then, if it is, redirect them to the database website? Sounds better than dealing with login scripts and schema changes.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah, locking the account because they haven't read the doc yet seems a little counterproductive, but if it is that important... Go for it. Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alerting the user and then alerting their manager later if they haven't complied. If you want to get fancy you could even have a compliance reporting mechanism to put pressure on the managers. Reports go to the CEO showing compliance in percentages of the whole company at any given time (say monthly) and also percentages by division or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of in AD. You don't have to extend the AD schema then, but can use the AD scripting knowledge you have. Obviously it could go into SQL Server as well, but that seems a bit expensive for this.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you set up the attribute (search for extending schema in AD). I wouldn't have the website do this based on authentication. You want to be sure they read it, so you would want to treat it like you do with other agreements, i.e. EULA agreements, and have the OK navigation button disabled unless and until they click 'I Agree'.

As for notification, use email and bug the crud out of them. Or bug their manager if they don't respond in x amount of days. I see the .mil in the addr, which tells me you likely have managers that don't like to be bothered with this kind of piddly stuff. :)

As for whether or not to update in AD, I'm not one to agree so easily that adding a custom attribute or even using an existing one is so worth it. I suppose it depends, and there are many pros and cons in both directions I'm sure. I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the attribute using the credentials provided. For the sake of tamper-resistance, I would guess that you would want to make this a restricted attribute field.

You may additionally want to lock out or disable their account until they read this, if it's that important. Makes me wonder how they'll get to the page if they're locked out, but...

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD. I am assuming that I need to use ADSI or a similar tool to create this custom attribute. Once the attribute is there, I would need to configure an ActiveX script or something that will update this attribute when the user authenticates to the website, correct? Do I need the web services account to run this script so that it has privileges to change the attribute within AD?

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 02, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

You could even tie into the change password functionality. Take away everyone's right to change their password in the directory and make them go to a website to do it; that website forces them to read that page first. And if they don't agree to what's listed on the HR site you can go ahead and lock their account ;-)

I'd likely vote for a custom attribute in AD where you store the last time they've checked the HR website = you can then send out eMails to the user (and their manager) that it's time to re-confirm their HR data. We use this mechanism for many things (the place where you store the last confirmation date naturally depends on your environment - if AD is
RE: [ActiveDir] DC priority
Older Outlook clients use the Exchange server as a proxy to access the GAL, provided by the DSPROXY component on the Exchange server. Newer Outlook clients (2000 and up) get a referral from the Exchange server to a GC. These clients access the GAL on the GC through the Name Service Provider Interface (NSPI) on the GC.

If I'm correct, Exchange discovers the DCs/GCs (by default dynamically) by executing an LDAP query against the directory, and not by using DNS as you think. So tuning DNS weights/priorities will not help with this. To realize what you want, you could statically define the DCs/GCs. As it says, this is STATIC.

For more info see:
* http://support.microsoft.com/?id=250570 (Directory service server detection and DSAccess usage)
* http://support.microsoft.com/?id=875427 (Global catalog server placement and ratios in an Exchange 2000 Server organization or in an Exchange Server 2003 organization)
* http://www.windowsitpro.com/Windows/Article/ArticleID/25330/25330.html

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/3/2005 8:41 PM
Subject: [ActiveDir] DC priority
[ActiveDir] administrator password change in Startup script in GPO
I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group; I have applied the policy to this group and set the security permissions appropriately. When I run gpupdate on the PC, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 DC (out of 30) is not replicating, as it is out of hard drive space on C:. Could 1 out of 30 DCs be causing the problem, or is there something else I am missing? How long should it take before the policy takes effect?

Thanks,
Brenda
[ActiveDir] Rogue Folder - Can't Take Ownership
I have a folder on a Windows 2000 member server that I can't take ownership of. I am using an account that is a member of Domain Administrators, and Domain Administrators is a member of the local Administrators group. The folder is buried deep in the All Users profile and was created by Symantec Anti-Virus 7.5 to hold quarantined items. I took ownership of the parent folder and told Windows to replace the owner on all subfolders and files, but it just says Access is Denied when it gets to the Quarantine folder. I tried the command line tools xcacls and cacls with no luck. Does anyone know of a better tool or something that I missed?

Thanks for your help!

Jeff
[ActiveDir] License Service
In AD Sites and Services there is a Licensing setting that you can set on each site to tell it which server to replicate from. I had this set up for a server that has since been decommissioned, and now I can't change this setting. How do I do this, and do I even have to?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] How to make a user member of Built in Administrat or group
FIRST: You can use Restricted Groups in a GPO. However, if that is in the forest root domain, then members of the built-in Administrators group have control over the Enterprise Admins group.

SECOND: If a user is a member of one of the built-in groups (Enterprise Admins, Domain Admins, built-in Administrators) there is no way to restrict access to other activities.

I'm not sure if I understand what you want with "Actually, my requirement is I want to create a trust from one forest to all the domain controller in the other forest. Without the Enterprise admin credential." Are you saying:

* I have a user in forest 1 and I want that user to be an admin of all resources in forest 2?

If yes, you could add that user to the built-in Administrators of forest 2. It is not possible to add the user from forest 1 to the Domain Admins or Enterprise Admins group of forest 2. However, if you want to add the user from forest 1 to the built-in Administrators of forest 2, be careful, because if forest 1 gets compromised and that user is misused, then it is also possible to compromise forest 2. To mitigate this risk, create a user account in forest 2, assign appropriate admin permissions and use the RUNAS option from a workstation in forest 1.

Cheers,
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, May 03, 2005 14:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to make a user member of Built in Administrator group

Hi,

I want to make one user a member of the built-in Administrators group of all the domains within the forest, without making the user an Enterprise Admin. Or, say, I have made the user a member of Enterprise Admins. Then how to deny that user the ability to perform any AD related activities?

Actually, my requirement is I want to create a trust from one forest to all the domain controllers in the other forest, without the Enterprise Admin credential.

Thanks,
Manjeet
RE: [ActiveDir] License Service
There is no need to use the licensing option, as the license service is disabled by default. To change that value, if you want to, you could use ADSIedit.

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, 3 May 2005 23:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] License Service
RE: [ActiveDir] administrator password change in Startup script in GPO
Brenda,

It is possible that if that one DC is the one your test workstation is getting GPOs from, it could be preventing the script from working. Your best bet is to put some kind of debugging into the script, like having it write an empty file to the local hard drive at the end, and see if the file is getting there. Also, look in the Application event log for events with a source of Userinit.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO
RE: [ActiveDir] How to make a user member of Built in Administrat or group
Hi Dennis,

You can add them to the Enterprise Admins group, although this is quite an extended right and I am not sure if this is what you want.

To add users to the built-in Administrators group you can create a policy 'local admin' and apply it to the computer OU only (otherwise they are admin on member servers as well). To do so, edit the following part: Computer Settings - Security Settings - Restricted Groups - add a group in here (BUILTIN\Administrators) and add the members you want. Ensure that you put the administrator group in it as well, as this resets the default permissions and you still want the default groups to be local admins. I use that as well and it works fine! I'll see if I can find another link for you.

Cheers,
Katrin Wilhelm (MCSA)
CVGT Employment Training Specialists Australia
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp
Sent: Wednesday, 4 May 2005 1:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to make a user member of Built in Administrat or group

Can you make the user a member of the Domain Admins of each of the domains in the forest? Can you use Restricted Groups on the clients to mandate the members of the local built-in Administrators? Final option: use the "member of" option. To do this, create a group with this user as a member. Create a "member of" restricted group that has this group as a member of the local admins.

Dennis

On 5/3/05, Bahta Nathaniel V Contr NASIC/SCNA [EMAIL PROTECTED] wrote:

Are you trying to make this a one-way trust? I don't think it is possible to share each other's schema metadata, that is, to extend the schema, without sharing the schema admin permission, which is a part of the Enterprise Admins rights.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, May 03, 2005 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to make a user member of Built in Administrator group
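As an added illustration (not from Katrin's post or from any Microsoft sample), this is what the Restricted Groups setting she describes looks like in the GPO's security template, with the fragment that would reset the default membership shown beside the corrected one. CONTOSO and the group name Workstation Admins are constructed placeholders.

```ini
; Added example, not from the original thread. Security template fragment as
; stored under the GPO's MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
; S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
; CONTOSO and "Workstation Admins" are constructed placeholder names.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

; --- Weak (commented out): the Members list is authoritative, so when this
; applies every current member that is not listed, Domain Admins included,
; is removed from the local Administrators group on each computer in scope.
;[Group Membership]
;*S-1-5-32-544__Memberof =
;*S-1-5-32-544__Members = CONTOSO\Workstation Admins

; --- Corrected: list the default members alongside the delegated group, and
; link the GPO to the workstation OU only, so member servers and domain
; controllers never receive it.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CONTOSO\Domain Admins,CONTOSO\Workstation Admins
```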
[ActiveDir] best practice?
Hello all,

Question: you want to re-image PCs that are domain members. You want to immediately rejoin the domain using the same name. The site is a single W2k DC/GC on a 3 hour replication cycle with the FSMO holders. Should you remove from the domain, image and rejoin, or just image, rejoin and reset the computer account? Would either of these ways work given the site setup? Any input appreciated.

John Shukovsky Jr
Network Administrator
NJ Department of Human Services
609-861-6031
RE: [ActiveDir] best practice?
If you use Norton Ghost to take images there should be a problem. But I wouldn't run a risk :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
Sent: Wednesday, May 04, 2005 05:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] best practice?
RE: [ActiveDir] GP DeActivate Norton
Stop the Norton Script Blocking service.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, May 03, 2005 19:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP DeActivate Norton

Good day to you all. Can anyone tell me how to deactivate Norton AV script blocking with GP?

Thanks
Peter Jessop