[ActiveDir] UF_PASSWD_NOTREQD on domain controller?

2005-05-17 Thread Thommes, Michael M.
Hi All,
I didn't get any response from my posting below, so I thought I
would try again.  I do have additional information on this issue: if I
check with ADSIEdit on the child DC in question, the value is different,
0x82000 (as it should be), than what is reported in DCDiag.  Could this
be some bug in the DCDiag software that was upgraded in SP1?

Original post:

Daily I run a DCDiag report for the domain controllers in my enterprise.
I noticed that after I upgraded my FSMO root domain controller (where I
run the DCDiag report) to W2K3/SP1 from W2K3, I see the following for
one of my child domain controllers:


Warning:  Attribute userAccountControl of X is: 0x82020 = (
UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION
)
 Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT
| UF_TRUSTED_FOR_DELEGATION )
 This may be affecting replication?


I am not aware of anything changing on the child DC in question.  A
password not required for a DC computer account doesn't make much sense.
Googling doesn't appear to produce anything useful.  Any thoughts on
what this might mean?  Thanks!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
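A defender's check for the point this thread turns on, added here as an example and not part of the original post or of DCDiag itself: decode a userAccountControl value into its UF_* flags, compare a domain controller's computer account against the 0x82000 baseline that DCDiag quotes, and scan DCDiag output for DC accounts carrying UF_PASSWD_NOTREQD. The flag constants are the documented ADS_USER_FLAG values; the DCDiag lines and the DC01/DC02 names are constructed, with DC01 carrying the 0x82020 value from the post.

```python
import re

# Documented userAccountControl (ADS_USER_FLAG) bit values.
UAC_FLAGS = {
    0x00000001: "UF_SCRIPT",
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000008: "UF_HOMEDIR_REQUIRED",
    0x00000010: "UF_LOCKOUT",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000040: "UF_PASSWD_CANT_CHANGE",
    0x00000080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00000800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00020000: "UF_MNS_LOGON_ACCOUNT",
    0x00040000: "UF_SMARTCARD_REQUIRED",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "UF_NOT_DELEGATED",
    0x00200000: "UF_USE_DES_KEY_ONLY",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "UF_PASSWORD_EXPIRED",
    0x01000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
UF_PASSWD_NOTREQD = 0x20

# The "typical setting for a DC" DCDiag quotes in the post:
# UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION == 0x82000.
DC_BASELINE = 0x2000 | 0x80000


def decode_uac(value):
    """Return the UF_* names set in value, lowest bit first; unknown bits are kept as hex."""
    names = []
    leftover = value
    for bit in sorted(UAC_FLAGS):
        if value & bit:
            names.append(UAC_FLAGS[bit])
            leftover &= ~bit
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def dc_uac_anomalies(value, baseline=DC_BASELINE):
    """Flags set beyond the DC baseline, and baseline flags that are missing."""
    return {
        "extra": decode_uac(value & ~baseline),
        "missing": decode_uac(baseline & ~value),
    }


# Matches the warning line format shown in the post.
WARNING_RE = re.compile(r"userAccountControl of (\S+) is: (0x[0-9A-Fa-f]+)")


def parse_dcdiag_warning(line):
    """Return (account, value) from a DCDiag userAccountControl warning, or None."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2), 16)


def dcs_with_passwd_notreqd(lines):
    """Accounts in DCDiag output whose reported value carries UF_PASSWD_NOTREQD."""
    hits = []
    for line in lines:
        parsed = parse_dcdiag_warning(line)
        if parsed and parsed[1] & UF_PASSWD_NOTREQD:
            hits.append(parsed[0])
    return hits


# Constructed DCDiag output; DC01 mirrors the 0x82020 value reported in the post.
SAMPLE_DCDIAG = [
    "Warning:  Attribute userAccountControl of DC01 is: 0x82020 = (",
    "Warning:  Attribute userAccountControl of DC02 is: 0x82000 = (",
    "   ......................... DC02 passed test Advertising",
]

if __name__ == "__main__":
    print(decode_uac(0x82020))
    print(dc_uac_anomalies(0x82020))
    print(dcs_with_passwd_notreqd(SAMPLE_DCDIAG))
```

Since the post shows DCDiag and ADSIEdit disagreeing about the same account, the anomaly check is worth running against the value read from the object itself as well as against the DCDiag report; a UF_PASSWD_NOTREQD bit that is really set on a DC account is a finding, one that only DCDiag reports is a tooling question.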


RE: [ActiveDir] Windows / AD Conferences

2005-05-17 Thread Jorge de Almeida Pinto
DEC
IT Forum
TechEd

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/17/2005 4:35 AM
Subject: [ActiveDir] Windows / AD Conferences

If you had to go to three conferences a year on Microsoft Windows /
Active Directory / Security, which would you attend?

Thanks,
Charlie



[ActiveDir] Active Directory Permission for Exchange DL

2005-05-17 Thread Burkes, Jeremy [Contractor]



I have an Exchange 
Distribution List that I would like to give users (actually a security group) 
permission to modify the members of the group. I gave the users read and 
also gave them write permissions on the property tab for the write Members 
attribute of the object. However, it does not work. I put myself in the 
group and gave it plenty of time for replication. The only information I 
could find is that the user or group must be an owner to be able to modify 
members of a Distribution List. I find that hard to believe. 
What rights am I missing? Is there some other attribute they need permission to 
be able to modify members?

Jeremy
- 
Jeremy Burkes 
Strategic Systems 
Program MIS 
Department [EMAIL PROTECTED] PH: 202-764-1270 
"All that is necessary for the 
forces of evil to win in the world is for enough good men to do nothing." - 
Edmund Burke 
"It is not how many times you get 
knocked down, it is how many times you get back up." - Vince 
Lombardi 



[ActiveDir] Restricted Groups GPO

2005-05-17 Thread Rimmerman, Russ
 
I have reports from our France and German locations that any Windows XP 
installs that aren't in the English language aren't getting our restricted 
groups GPO that ensures specific global groups are in the local administrators 
group on all desktops and servers.
 
The problem appears to be that the GPO modifies the Administrators group, 
however in France, for example, it's called Administrateurs.  The GPO appears 
not to be smart enough to realize that's the same thing, so it's not modifying 
this French version (or German).  Is there a workaround for this??
 
Thanks

RE: [ActiveDir] Citrix

2005-05-17 Thread Christine Allen
Thanks.  Am I correct that in a 2000 environment it has to be on a DC?

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Citrix


Christine,

Your TS Licensing Server doesn't need to be on a DC (although that's what 
most people do).  Currently have a Windows 2000 Licensing Server running 
on a DC and a 2003 one running on a member server in a 2k domain, works 
fine.

G.

Christine Allen wrote:

Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC.  Once
you install the TS licensing service, you need to call the MS clearing
house to activate them.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix


If I have Citrix installed on a Windows 2000 Server, do I have to also
have installed and functioning a Terminal Server License Server?  People
in my environment that are connecting to Citrix from workstations that
are in the domain are unable to open up a session, but those outside my
org who have an account are able to open up the session.  What could be
the issue?

Justin A. Salandra
MCSE Windows 2000  2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Citrix

2005-05-17 Thread chris . ryan




No, it does not have to be on a DC if you change a registry setting on the
Citrix servers to point to the TS Licensing server on a member server. If
this entry is changed the server will no longer use the discovery process
to find the TS licensing server and go directly to the hard coded server.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


   
-Original Message-
From: Christine Allen [christine.easton@bmchp.org]
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2005 09:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix




Thanks.  Am I correct that in a 2000 environment it has to be on a DC?

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Citrix


Christine,

Your TS Licensing Server doesn't need to be on a DC (although that's what
most people do).  Currently have a Windows 2000 Licensing Server running
on a DC and a 2003 one running on a member server in a 2k domain, works
fine.

G.

Christine Allen wrote:

Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC.  Once
you install the TS licensing service, you need to call the MS clearing
house to activate them.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix


If I have Citrix installed on a Windows 2000 Server, do I have to also
have installed and functioning a Terminal Server License Server?  People
in my environment that are connecting to Citrix from workstations that
are in the domain are unable to open up a session, but those outside my
org who have an account are able to open up the session.  What could be
the issue?

Justin A. Salandra
MCSE Windows 2000  2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Citrix

2005-05-17 Thread Christine Allen
ahhh, thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix






No, it does not have to be on a DC if you change a registry setting on the
Citrix servers to point to the TS Licensing server on a member server. If
this entry is changed the server will no longer use the discovery process
to find the TS licensing server and go directly to the hard coded server.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


   
-Original Message-
From: Christine Allen [christine.easton@bmchp.org]
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2005 09:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix




Thanks.  Am I correct that in a 2000 environment it has to be on a DC?

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Citrix


Christine,

Your TS Licensing Server doesn't need to be on a DC (although that's what
most people do).  Currently have a Windows 2000 Licensing Server running
on a DC and a 2003 one running on a member server in a 2k domain, works
fine.

G.

Christine Allen wrote:

Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC.  Once
you install the TS licensing service, you need to call the MS clearing
house to activate them.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix


If I have Citrix installed on a Windows 2000 Server, do I have to also
have installed and functioning a Terminal Server License Server?  People
in my environment that are connecting to Citrix from workstations that
are in the domain are unable to open up a session, but those outside my
org who have an account are able to open up the session.  What could be
the issue?

Justin A. Salandra
MCSE Windows 2000  2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Active Directory Permission for Exchange DL

2005-05-17 Thread Coleman, Hunter



If you gave a group write permissions on the Members 
attribute of the Distribution Group, and then you put yourself in the group with 
write permissions, you would need to log out and log back in to pick up the 
change in the group membership and thus get rights to modify the Dist Group. See 
the thread from last week with the subject "Sticky group 
membership".

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy 
[Contractor]Sent: Tuesday, May 17, 2005 5:24 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Active Directory 
Permission for Exchange DL

I have an Exchange 
Distribution List that I would like to give users (actually a security group) 
permission to modify the members of the group. I gave the users read and 
also gave them write permissions on the property tab for the write Members 
attribute of the object. However, it does not work. I put myself in the 
group and gave it plenty of time for replication. The only information I 
could find is that the user or group must be an owner to be able to modify 
members of a Distribution List. I find that hard to believe. 
What rights am I missing? Is there some other attribute they need permission to 
be able to modify members?

Jeremy
- 
Jeremy Burkes 
Strategic Systems 
Program MIS 
Department [EMAIL PROTECTED] PH: 202-764-1270 
"All that is necessary for the 
forces of evil to win in the world is for enough good men to do nothing." - 
Edmund Burke 
"It is not how many times you get 
knocked down, it is how many times you get back up." - Vince 
Lombardi 



[ActiveDir] Schema Directory Partition replication error

2005-05-17 Thread Roberto De Lise



The situation is as follows:

We have a server that is experiencing hardware problems (motherboard
probably) that has been running as PDC for 2 years now.
We configured a new and more powerful server and wanted this one to run
as the new PDC.

I tried taking a system state backup from the old server and restoring
it on the new one, with the result that the new server won't reboot
anymore.

Now I'm trying to set up the new server as a SDC, then kill the old PDC
and make the SDC authoritative so the new server becomes PDC.

All good and well, but I get this error message when I try to set up
the SDC:

http://blog.saxgod.be/media/1/20050517-schemamappartitie_uk.jpg

My idea of it is that it says 'ahserv.' instead of the FQDN
ahserv.cvo-ah.be., but I'm not too sure about that. DNS is running on
the current PDC and is allowed to update.
When I check the folders netlogon creates inside the domain they point
to ahserv. and not ahserv.cvo-ah.be. I tried setting all records to
the FQDN and then setting up the SDC but it didn't help (it also still
said ahserv. instead of the FQDN in the error message, so I'm not sure
it worked by manually editing the DNS records).


Someone out there that knows how to fix this?

Hope someone can help me.

Roberto De Lise





RE: [ActiveDir] Restricted Groups GPO

2005-05-17 Thread Crawford, Scott
Instead of using the name administrators, use the well-known SID.
S-1-5-32-544 for Administrators.  There's a list of other SIDs that
should be the same on all boxes, regardless of language, here:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricted Groups GPO

I have reports from our France and German locations that any Windows XP
installs that aren't in the English language aren't getting our
restricted groups GPO that ensures specific global groups are in the
local administrators group on all desktops and servers.
 
The problem appears to be that the GPO modifies the Administrators
group, however in France, for example, it's called Administrateurs.
The GPO appears not to be smart enough to realize that's the same thing,
so it's not modifying this French version (or German).  Is there a
workaround for this??
 
Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


[ActiveDir] Active Directory Permission for Exchange DL

2005-05-17 Thread TIROA YANN
Hi there,

If you want a user to modify the members of an Exchange Distribution
List (DL), you have to give those users:

Allow Read/write on telephone and mail options ACEs of the DL (I
don't know the English version of the ACEs, 'cause I have a French OS :-(

Regards,

Yann TIROA






RE: [ActiveDir] Restricted Groups GPO

2005-05-17 Thread Rimmerman, Russ

Thanks.  I think that will help.  On that URL with the SIDs, it says
Administrator is S-1-5-domain-500.  What do you replace domain with?
Or where do I find that domain replacement info from?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, May 17, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO

Instead of using the name administrators, use the well-known SID.
S-1-5-32-544 for Administrators.  There's a list of other SIDs that
should be the same on all boxes, regardless of language, here:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricted Groups GPO

I have reports from our France and German locations that any Windows XP
installs that aren't in the English language aren't getting our
restricted groups GPO that ensures specific global groups are in the
local administrators group on all desktops and servers.

The problem appears to be that the GPO modifies the Administrators
group, however in France, for example, it's called Administrateurs.
The GPO appears not to be smart enough to realize that's the same thing,
so it's not modifying this French version (or German).  Is there a
workaround for this??

Thanks



RE: [ActiveDir]

2005-05-17 Thread Eddie Greene

Thanks everyone for your help.



Eddie,

I've been in educational institutions in the past. The temptation is to make
the hard boundary at the school building, but it's unlikely that every
school would have the IT people needed to manage a separate domain.
Definitely go with OUs so you can centrally manage user accounts.  Delegate
computer and other objects to the school IT staff as OU administrators--the
OUs act much like NT4 resource domains did.  If WAN links are iffy, you
could put 1 DC in each school; manage the central office, the bus 
maintenance facilities centrally.

Good luck!
AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eddie Greene
Sent: Monday, May 16, 2005 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]


We have not rolled out AD yet and are banging our heads against the wall
figuring out which way to go.  We have 24 Schools, 1 Main office, 1
Maintenance shop, 1 Bus Garage.  Would it be best for us to roll out a
single domain or 27 domains in our forest?

It is not important for our users to be able to go to other locations and
log into the system.  It would be nice to be able to replicate a folder with
all the schools that contains programs you never have when you need them
(i.e. Adobe).

I haven't got a clear understanding of Domains vs. OUs.  One way I read it
would be best for each school to be a domain and in another reading I think
that each school just needs to be their own OU.

Any help would be greatly appreciated.

Eddie



[ActiveDir] Adfind and GUID

2005-05-17 Thread Hutchins, Mike
OK, so am I missing something here? Following the directions for adfind,
I am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f
objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?
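adfind's -binenc switch is meant to do this conversion for the {{GUID:...}} form in the command line above; whatever the exact switch syntax, what has to reach the directory for an objectGUID lookup is the attribute's 16 raw bytes, each escaped as a backslash and two hex digits in the LDAP filter, in the mixed-endian layout Windows stores GUIDs in (the first three groups byte-swapped, the last two as written). The helper below is an added example, not adfind's own code: it builds that filter from the text form and decodes it back, using the GUID from Mike's command line.

```python
import re
import uuid

# GUID from the command line in the post.
POST_GUID = "9AD0431B-B677-4BF9-A63E-DD29036123FF"


def guid_to_ldap_bytes(guid_text):
    """Raw objectGUID value for a GUID given in text form, braces optional.

    uuid.UUID(...).bytes_le emits Data1, Data2 and Data3 little-endian and the
    last 8 bytes in order, which is the byte layout the directory stores.
    """
    return uuid.UUID(guid_text.strip().strip("{}")).bytes_le


def ldap_escape(raw):
    """Escape arbitrary bytes for an LDAP filter value: backslash plus two hex digits each."""
    return "".join("\\%02x" % b for b in raw)


def guid_filter(guid_text, attribute="objectGUID"):
    """Build the (objectGUID=<escaped 16 bytes>) filter for a text GUID."""
    return "(%s=%s)" % (attribute, ldap_escape(guid_to_ldap_bytes(guid_text)))


_ESCAPED_BYTE = re.compile(r"\\([0-9A-Fa-f]{2})")
_GUID_FILTER = re.compile(r"\(objectGUID=((?:\\[0-9A-Fa-f]{2}){16})\)", re.IGNORECASE)


def filter_to_guid(filter_text):
    """Inverse: recover the text GUID from an escaped objectGUID filter."""
    m = _GUID_FILTER.search(filter_text)
    if not m:
        raise ValueError("no 16-byte objectGUID value in %r" % filter_text)
    raw = bytes(int(h, 16) for h in _ESCAPED_BYTE.findall(m.group(1)))
    return str(uuid.UUID(bytes_le=raw)).upper()


if __name__ == "__main__":
    print(guid_filter(POST_GUID))
    print(filter_to_guid(guid_filter(POST_GUID)))
```

The byte order is the part worth checking when a GUID search returns nothing: passing the text GUID's bytes in the order they are printed (uuid.UUID(...).bytes rather than bytes_le) produces a syntactically valid filter that matches no object.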


RE: [ActiveDir] Restricted Groups GPO

2005-05-17 Thread Crawford, Scott
Download sid2user from
http://www.ntbugtraq.com/default.aspx?pid=55did=6 to find out the SID
for any user.  The administratorS group should be the same SID on all
machines though.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO


Thanks.  I think that will help.  On that URL with the SIDs, it says
Administrator is S-1-5-domain-500.  What do you replace domain with?
Or where do I find that domain replacement info from?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, May 17, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO

Instead of using the name administrators, use the well-known SID.
S-1-5-32-544 for Administrators.  There's a list of other SIDs that
should be the same on all boxes, regardless of language, here:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricted Groups GPO

I have reports from our France and German locations that any Windows XP
installs that aren't in the English language aren't getting our
restricted groups GPO that ensures specific global groups are in the
local administrators group on all desktops and servers.


The problem appears to be that the GPO modifies the Administrators
group, however in France, for example, it's called Administrateurs.
The GPO appears not to be smart enough to realize that's the same thing,
so it's not modifying this French version (or German).  Is there a
workaround for this??


Thanks

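Scott's advice to write the restricted-group entry as S-1-5-32-544 rather than as the localised name, and Russ's follow-up question about the S-1-5-domain-500 notation, both come down to the structure of a SID. The parser below is an added example, not code from the thread or from any Microsoft tool: it splits a SID into revision, identifier authority and sub-authorities, tells a BUILTIN alias (S-1-5-32-RID, identical on every machine) from a domain-relative account (S-1-5-21-...-RID, which needs that domain's own SID as prefix), derives the domain SID from any account SID in that domain, and lists policy entries that are still given by display name. The name tables cover only a few well-known RIDs, and the S-1-5-21-1111-2222-3333 domain SID is constructed.

```python
# BUILTIN aliases live under S-1-5-32 and have the same SID on every Windows
# install, whatever the display language (Administrators, Administrateurs, ...).
BUILTIN_ALIASES = {
    544: "Administrators",
    545: "Users",
    546: "Guests",
    551: "Backup Operators",
    555: "Remote Desktop Users",
}

# Domain-relative RIDs: the full SID is <domain SID>-RID, so it differs per domain.
DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split 'S-1-5-32-544' into (revision, identifier authority, [sub-authorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID in S-R-I-S... form: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    return revision, authority, subs


def classify_sid(sid):
    """Return ('builtin', name), ('domain', name) or ('other', sid)."""
    _, authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return "builtin", BUILTIN_ALIASES.get(subs[1], "RID %d" % subs[1])
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "domain", DOMAIN_RIDS.get(subs[4], "RID %d" % subs[4])
    return "other", sid


def domain_sid_of(account_sid):
    """The domain SID is a domain account's SID with the trailing RID removed."""
    _, authority, subs = parse_sid(account_sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % account_sid)
    return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])


def domain_account_sid(domain_sid, rid):
    """Fill in the 'domain' placeholder of S-1-5-domain-RID."""
    _, authority, subs = parse_sid(domain_sid)
    if authority != 5 or len(subs) != 4 or subs[0] != 21:
        raise ValueError("not a domain SID: %r" % domain_sid)
    return "%s-%d" % (domain_sid, rid)


def name_based_entries(members):
    """Policy entries given by display name rather than SID: the ones a
    localised build may fail to resolve, which is the failure mode in this thread."""
    bad = []
    for m in members:
        try:
            parse_sid(m)
        except ValueError:
            bad.append(m)
    return bad


# Constructed example policy: one entry by name, two by SID.
SAMPLE_MEMBERS = ["Administrators", "S-1-5-32-544", "S-1-5-21-1111-2222-3333-512"]

if __name__ == "__main__":
    for m in SAMPLE_MEMBERS:
        print(m, "->", classify_sid(m) if m not in name_based_entries([m]) else "name, locale-dependent")
    print(domain_account_sid(domain_sid_of("S-1-5-21-1111-2222-3333-512"), 500))
```

So for Russ's question: the "domain" placeholder is the S-1-5-21-x-y-z prefix shared by every account in that domain, and it can be read off any existing domain account's SID by dropping the last component; the BUILTIN alias 544 needs no such prefix, which is why it is safe to put straight into the policy.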


Re: [ActiveDir] delegation not working on Win2k AD

2005-05-17 Thread Mark Parris
I was under the impression that the setting in the GPO "add workstations to a 
domain" was the legacy way of granting such permissions and the correct way was 
on an OU where the accounts would live would be to grant create and delete 
computer objects and then grant full control to those objects.

Regards

Mark
 
-Original Message-
From: Medeiros, Jose [EMAIL PROTECTED]
Date: Mon, 16 May 2005 13:44:26 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Michael, 

By default everyone in the domain can join up to 10 computers. My only thought 
is that you may have inadvertently configured the wrong setting and after they 
added the 10 machines they are now being denied the right to do so. The correct 
setting is "add workstations to a domain".

Sincerely, 

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

--


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD


Hi, 
I used the delegation wizard to delegate the join computer to
the domain task to the technicians group. Everything worked fine until
today. For no apparent reasons, it gives an access denied to the
technicians group members when they try to join a computer to the
domain. Nothing has changed on the system, I mean manually.

When I go into the security tab, I can see that they have the right to
create computer objects. 

I tried to use the delegation wizard again, but still no go. 

Ideas anyone?
Thanks



RE: [ActiveDir] Citrix

2005-05-17 Thread Robert Williams \(RRE\)
I just want to be sure that everyone has the right information...I'm
sorry for correcting so much lately.

If the Terminal Services Licensing Server is installed on Windows 2000,
it MUST be on a Domain Controller (if you think there is a way to alter
this that IS SUPPORTED by Microsoft Dev, please reply to me offline as
I'd be interested in hearing your opinion).

Yes, you can bypass the discovery process by modifying the registry
value mentioned in the following article:
http://support.microsoft.com/kb/q239107

Here's a little snippet from that article:
To select a specific license server, locate the following key in the
registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
Add the following value:
Name: DefaultLicenseServer
Data type: REG_SZ
Data value: ServerName
Substitute the NetBIOS name of the appropriate license server for
ServerName. If the license server is located on a remote subnet, make
sure the Terminal Services-based computer can resolve the NetBIOS name.

If the Terminal Services Licensing Server is installed on Windows Server
2003, then it CAN be on a member server.  Again, you can override the
discovery process by modifying the registry as mentioned in the
following article (pay attention to the difference: you are adding keys
here instead of values):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46844a6e-386f-4ce3-98e5-d5377b5d6ba9.mspx

Here is a snippet from that article:
Using the registry
1. Click Start, click Run, type regedit, and then click OK.
2. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
3. On the Edit menu, point to New, click Key, and then type
LicenseServers to name the new key.
4. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
5. On the Edit menu, point to New, click Key, and then type ServerName
where ServerName is the NetBIOS name of the license server that you want
to use, and then press ENTER.
The new key name can be any of the following designations that represent
the license server:
* The NetBIOS name of the server
* The fully-qualified domain name (FQDN) of the server
* The IP address of the server
6. Restart your computer.

So to sum it up...if the Terminal Services Licensing Server is 2000, it
must be on a DC.

If it's on 2003, it can be a member server.

Have a great day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, May 17, 2005 9:35 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix

ahhh, thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix

No, it does not have to be on a DC if you change a registry setting on
the Citrix servers to point to the TS Licensing server on a member
server. If this entry is changed the server will no longer use the
discovery process to find the TS licensing server and go directly to the
hard coded server.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


 

From: Christine Allen christine.easton@bmchp.org
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2005 09:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix

Thanks.  Am I correct that in a 2000 environment it has to be on a DC?

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Citrix


Christine,

Your TS Licensing Server doesn't need to be on a DC (although that's what
most people do).  Currently have a Windows 2000 Licensing Server running
on a DC and a 2003 one running on a member server in a 2k domain, works
fine.

G.

Christine Allen wrote:

Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC.
Once you install the TS licensing service, you need to call the MS
clearing house to activate them.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix


If I have Citrix installed on a Windows 2000 Server, do I also have to
have a Terminal Server License Server installed and functioning? People
in my environment that are connecting to Citrix from workstations 

RE: [ActiveDir] Active Directory Permission for Exchange DL

2005-05-17 Thread Coleman, Hunter
No, the only attribute they need to have write permissions on is
Members.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Tuesday, May 17, 2005 9:33 AM
To: [EMAIL PROTECTED]
Cc: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Permission for Exchange DL

Hi there,

If you want a user to modify the members of an Exchange Distribution
List (DL), you have to give those users:

Allow Read/Write on the telephone and mail options ACEs of the DL (I
don't know the English version of the ACEs, 'cause I have a French OS :-(

Regards,

Yann TIROA




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] delegation not working on Win2k AD

2005-05-17 Thread chris . ryan

I would run the delegation wizard at the Domain.com level and delegate the
Join a computer to the domain permission instead of creating a GPO. By
using the wizard it grants the Create Computer Objects permission on This
object and all child objects.

Setting this permission at the OU level will allow the user to move
computer objects between OUs but not join computers to the domain.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


   
From: Mark Parris [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] delegation not working on Win2k AD

I was under the impression that the setting in the GPO "add workstations
to a domain" was the legacy way of granting such permissions and that the
correct way, on an OU where the accounts would live, was to grant
create and delete computer objects and then grant full control to those
objects.

Regards

Mark

-Original Message-
From: Medeiros, Jose [EMAIL PROTECTED]
Date: Mon, 16 May 2005 13:44:26
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Michael,

By default everyone in the domain can join up to 10 computers. My only
thought is that you may have inadvertently configured the wrong setting and
after they added the 10 machines they are now being denied the right to do so.
The correct setting is "add workstations to a domain".

Sincerely,

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

--


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD


Hi,
I used the delegation wizard to delegate the join computer to
the domain task to the technicians group. Everything worked fine until
today. For no apparent reason, it gives an access denied to the
technicians group members when they try to join a computer to the
domain. Nothing has changed on the system, I mean manually.

When I go into the security tab, I can see that they have the right to
create computer objects.

I tried to use the delegation wizard again, but still no go.

Ideas anyone?
Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Citrix

2005-05-17 Thread Medeiros, Jose
Hi Robert, 

Your comments are very much appreciated. We all sometimes wonder just how
accurate the information being posted actually is. Of course we all
make mistakes, including Microsoft support staff :-)

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Williams
(RRE)
Sent: Tuesday, May 17, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix


I just want to be sure that everyone has the right information...I'm
sorry for correcting so much lately.

If the Terminal Services Licensing Server is installed on Windows 2000,
it MUST be on a Domain Controller (if you think there is a way to alter
this that IS SUPPORTED by Microsoft Dev, please reply to me offline as
I'd be interested in hearing your opinion).

Yes, you can bypass the discovery process by modifying the registry
value mentioned in the following article:
http://support.microsoft.com/kb/q239107

Here's a little snippet from that article:
To select a specific license server, locate the following key in the
registry: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
Add the following value: 
Name: DefaultLicenseServer
Data type: REG_SZ
Data value: ServerName
Substitute the NetBIOS name of the appropriate license server for
ServerName. If the license server is located on a remote subnet, make
sure the Terminal Services-based computer can resolve the NetBIOS name.

If the Terminal Services Licensing Server is installed on Windows Server
2003, then it CAN be on a member server.  Again, you can override the
discovery process by modifying the registry as described in the
following article (pay attention to the difference: here you are adding
keys instead of values):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46844a6e-386f-4ce3-98e5-d5377b5d6ba9.mspx

Here is a snippet from that article:
Using the registry
1. Click Start, click Run, type regedit, and then click OK.
2. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
3. On the Edit menu, point to New, click Key, and then type
LicenseServers to name the new key.
4. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
5. On the Edit menu, point to New, click Key, and then type ServerName
where ServerName is the NetBIOS name of the license server that you want
to use, and then press ENTER.
The new key name can be any of the following designations that represent
the license server:
* The NetBIOS name of the server
* The fully-qualified domain name (FQDN) of the server
* The IP address of the server
6. Restart your computer.

So to sum it up...if the Terminal Services Licensing Server is 2000,
must be on DC.

If it's on 2003, can be member server.

Have a great day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, May 17, 2005 9:35 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix

ahhh, thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix

No, it does not have to be on a DC if you change a registry setting on
the Citrix servers to point to the TS Licensing server on a member
server. If this entry is changed the server will no longer use the
discovery process to find the TS licensing server and go directly to the
hard coded server.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


 

From: Christine Allen christine.easton@bmchp.org
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2005 09:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix

Thanks.  Am I correct that in a 2000 environment it has to be on a DC?

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Citrix


Christine,

Your TS Licensing Server doesn't need to be on a DC (although that's what
most people do).  Currently have a Windows 2000 Licensing Server running
on a DC and a 2003 one running on a member server in a 2k domain, works
fine.

G.

Christine Allen wrote:

Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC.
Once you install the TS licensing 

RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread David Cliffe
A thread similar to this subject appeared on this list not too long ago.

One nice way of doing that was with this syntax:

adfind -b GUID=----

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 17, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Adfind and GUID

OK, so am I missing something here? Following the directions for adfind,
I am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?


-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit 
http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Restricted Groups GPO

2005-05-17 Thread Rimmerman, Russ

OK but what about the Administrator user.  I want to add
Administrator (aka Administrateur in French) to the Power Users, and
Administrators groups on each machine.  Administrator is a different
SID on each PC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, May 17, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO

Download sid2user from
http://www.ntbugtraq.com/default.aspx?pid=55did=6 to find out the SID
for any user.  The administratorS group should be the same SID on all
machines though.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO


Thanks.  I think that will help.  On that URL with the SIDs, it says
Administrator is S-1-5-domain-500.  What do you replace domain with?
Or where do I find that domain replacement info from?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, May 17, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO

Instead of using the name administrators, use the well-known SID.
S-1-5-32-544 for Administrators.  There's a list of other SIDs that
should be the same on all boxes, regardless of language, here.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricted Groups GPO

I have reports from our France and German locations that any Windows XP
installs that aren't in the English language aren't getting our
restricted groups GPO that ensures specific global groups are in the
local administrators group on all desktops and servers.


The problem appears to be that the GPO modifies the Administrators
group, however in France, for example, it's called Administrateurs.
The GPO appears not to be smart enough to realize that's the same thing,
so it's not modifying this French version (or German).  Is there a
workaround for this??


Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
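An added Python example (not from any Microsoft tool) of the point made in this thread: S-1-5-32-544 can go into a Restricted Groups policy as a constant because a BUILTIN SID has no machine-specific part, whereas the Administrator account is RID 500 appended to each machine's own S-1-5-21-x-y-z identifier, so there is no single SID for it. The machine SID in the demo is constructed; the function and constant names are this example's own.

```python
"""Added example (not from any Microsoft tool): why S-1-5-32-544 can go into
a Restricted Groups policy as a constant while the Administrator account
cannot. BUILTIN SIDs have no machine-specific part; the Administrator account
is RID 500 appended to each machine's own S-1-5-21-x-y-z identifier."""
import struct

NT_AUTHORITY = 5
BUILTIN_SUBAUTHORITY = 32          # S-1-5-32-* is BUILTIN\...
DOMAIN_SUBAUTHORITY = 21           # S-1-5-21-x-y-z-* is a machine or domain SID
ADMINISTRATOR_RID = 500            # fixed RID of the built-in Administrator
# Names differ per language (Administrateurs, Administratoren); SIDs do not.
BUILTIN_GROUPS = {544: "Administrators", 545: "Users", 547: "Power Users"}


def parse_sid(text: str):
    """'S-1-5-32-544' -> (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs


def sid_to_bytes(text: str) -> bytes:
    """Binary SID: revision (1), sub-authority count (1), authority (6 bytes
    big-endian), then each sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(text)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with the length check a parser must do."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def classify(text: str) -> str:
    """Say whether a SID is identical on every machine or machine-specific."""
    _, authority, subs = parse_sid(text)
    if authority == NT_AUTHORITY and len(subs) == 2 and subs[0] == BUILTIN_SUBAUTHORITY:
        name = BUILTIN_GROUPS.get(subs[1], f"RID {subs[1]}")
        return f"well-known: BUILTIN\\{name} (same SID on every machine)"
    if authority == NT_AUTHORITY and len(subs) == 5 and subs[0] == DOMAIN_SUBAUTHORITY:
        domain = "-".join(map(str, subs[1:4]))
        who = "Administrator" if subs[4] == ADMINISTRATOR_RID else f"RID {subs[4]}"
        return f"machine-specific: {who} of S-1-5-21-{domain}"
    return "other"


def administrator_sid(machine_sid: str) -> str:
    """Build the Administrator SID for a given machine/domain SID; only the
    RID is constant, so the per-machine prefix has to be supplied."""
    _, authority, subs = parse_sid(machine_sid)
    if authority != NT_AUTHORITY or len(subs) != 4 or subs[0] != DOMAIN_SUBAUTHORITY:
        raise ValueError("expected a machine or domain SID of the form S-1-5-21-x-y-z")
    return f"{machine_sid}-{ADMINISTRATOR_RID}"


if __name__ == "__main__":
    # Constructed machine SID; real ones come from the local SAM of each PC.
    machine = "S-1-5-21-1004336348-1177238915-682003330"
    for sid in ("S-1-5-32-544", administrator_sid(machine)):
        print(sid, "->", classify(sid), "->", sid_to_bytes(sid).hex())
```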


RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread joe
If you are searching for an object with a specific objectGUID you can do it
in one of two ways

adfind -b base DN -binenc -f objectguid={{GUID:someguid}}

Or by using the GUID= format of

adfind -b GUID=someguid -s base


If you use the former I recommend a GC search like this

adfind -gc -b  -binenc -f objectguid={{GUID:someguid}}

That searches from the root of the directory and will cover all domains and
trees.

Also note that the -binenc format will work for GUIDs in any binary GUID
attribute. The GUID= mechanism will only work for objectGUIDs. So for
instance, this would work against schemaIDGUID too.


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 17, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adfind and GUID

OK, so am I missing something here? Following the directions for adfind, I
am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
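What the -binenc {{GUID:...}} token does for you, as an added Python example (not adfind's own code): it turns the textual GUID into the escaped, mixed-endian byte string an LDAP filter on objectGUID needs, and the same encoding serves any other binary GUID attribute such as schemaIDGUID, which is why -binenc is more general than the GUID= base form. The sample GUID is the one from the question; the function names are this example's own.

```python
"""Added example (not adfind's code): what the -binenc {{GUID:...}} token
produces. AD stores a GUID as 16 raw bytes, so an LDAP filter on objectGUID
(or any binary GUID attribute such as schemaIDGUID) must carry those bytes in
backslash-hex form and in the Windows mixed-endian byte order."""
import re
import uuid

# Sample GUID taken from the original question (not a live object).
SAMPLE_GUID = "9AD0431B-B677-4BF9-A63E-DD29036123FF"


def guid_to_ldap_octets(guid_text: str) -> str:
    """Return the GUID's 16 bytes as \\xx escapes, in the order AD stores them.

    The first three fields (Data1, Data2, Data3) are little-endian and the
    last eight bytes are taken as written; uuid.UUID.bytes_le gives exactly
    that layout, which is what objectGUID contains on the wire.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return "".join(f"\\{b:02x}" for b in raw)


def ldap_octets_to_guid(octets: str) -> str:
    """Inverse: decode a 16-byte \\xx escape string back to a textual GUID."""
    hex_pairs = re.findall(r"\\([0-9a-fA-F]{2})", octets)
    if len(hex_pairs) != 16:
        raise ValueError(f"expected 16 escaped bytes, got {len(hex_pairs)}")
    return str(uuid.UUID(bytes_le=bytes.fromhex("".join(hex_pairs)))).upper()


def guid_filter(attribute: str, guid_text: str) -> str:
    """Build an exact-match filter such as (objectGUID=\\1b\\43...).

    The attribute is a parameter because the same encoding serves any
    binary GUID attribute; the GUID= base-DN form covers objectGUID only.
    """
    return f"({attribute}={guid_to_ldap_octets(guid_text)})"


def expand_binenc(filter_text: str) -> str:
    """Replace every {{GUID:...}} token in a filter with its octet encoding.

    This reproduces only the output of adfind's -binenc switch for GUID
    tokens; it is an assumption that nothing else in the filter is rewritten.
    """
    token = re.compile(r"\{\{GUID:([0-9A-Fa-f-]{36})\}\}")
    return token.sub(lambda m: guid_to_ldap_octets(m.group(1)), filter_text)


if __name__ == "__main__":
    # The question's filter, written out the way the server must receive it.
    print(expand_binenc("objectguid={{GUID:" + SAMPLE_GUID + "}}"))
    print(guid_filter("schemaIDGUID", SAMPLE_GUID))
```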


RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread Hutchins, Mike
Outstanding, thanks! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, May 17, 2005 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind and GUID

A thread similar to this subject appeared on this list not too long ago.

One nice way of doing that was with this syntax:

adfind -b GUID=----

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 17, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Adfind and GUID

OK, so am I missing something here? Following the directions for adfind,
I am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Restricted Groups GPO

2005-05-17 Thread Perdue David J Contr InDyne/Enterprise IT
A restricted group GPO will not remove the Local Admin Account from the
Local Admin Group.  That is the only account that is not affected by the
GPO.  It will stay in the Local Admin Group after the policy is applied.



//SIGNED//

David J. Perdue


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO


OK but what about the Administrator user.  I want to add
Administrator (aka Administrateur in French) to the Power Users, and
Administrators groups on each machine.  Administrator is a different
SID on each PC.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, May 17, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO

Download sid2user from
http://www.ntbugtraq.com/default.aspx?pid=55did=6 to find out the SID
for any user.  The administratorS group should be the same SID on all
machines though.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO


Thanks.  I think that will help.  On that URL with the SIDs, it says
Administrator is S-1-5-domain-500.  What do you replace domain with?
Or where do I find that domain replacement info from?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, May 17, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricted Groups GPO

Instead of using the name administrators, use the well-known SID.
S-1-5-32-544 for Administrators.  There's a list of other SIDs that
should be the same on all boxes, regardless of language, here.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 17, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricted Groups GPO

I have reports from our France and German locations that any Windows XP
installs that aren't in the English language aren't getting our
restricted groups GPO that ensures specific global groups are in the
local administrators group on all desktops and servers.


The problem appears to be that the GPO modifies the Administrators
group, however in France, for example, it's called Administrateurs.
The GPO appears not to be smart enough to realize that's the same thing,
so it's not modifying this French version (or German).  Is there a
workaround for this??


Thanks


RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread joe
You will want to add -base to that if the GUID refers to a container type
object. Basically what happens is that you are only setting a base DN for
the search and by default, adfind will do an objectclass=* query from that
base.

So for instance, if you enter the GUID for an OU with a bunch of objects,
you will end up dumping the OU attributes as well as all of the objects in
that OU. It could be quite a surprise if you are expecting only a single
object. :o)


   joe 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, May 17, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind and GUID

A thread similar to this subject appeared on this list not too long ago.

One nice way of doing that was with this syntax:

adfind -b GUID=----

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 17, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Adfind and GUID

OK, so am I missing something here? Following the directions for adfind, I
am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE : [ActiveDir] delegation not working on Win2k AD

2005-05-17 Thread TIROA YANN
Hello ;-)

If you want to delegate creation of computers for a subset of users, you may
have to create a security group (i.e. a technicians group), then go to the
Default Domain Controllers Policy on the Domain Controllers OU, and not to the
Default Domain Policy of your Domain root.

Add your group to Join computer to the domain. Notice that you already have
security objects such as Authenticated Users there: remove this group if necessary.

Then your users will have the rights to join computers to the domain: those will
appear by default in the Computers container.

Cheers,

Yann TIROA 



I would run the delegation wizard at the Domain.com level and delegate the
Join a computer to the domain permission instead of creating a GPO. By
using the wizard it grants the Create Computer Objects permission on This
object and all child objects.

Setting this permission at the OU level will allow the user to move
computer objects between OU's but not join computers to the domain.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


  
From: Mark Parris [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] delegation not working on Win2k AD

I was under the impression that the setting in the GPO "add workstations
to a domain" was the legacy way of granting such permissions and that the
correct way, on an OU where the accounts would live, was to grant
create and delete computer objects and then grant full control to those
objects.

Regards

Mark

-Original Message-
From: Medeiros, Jose [EMAIL PROTECTED]
Date: Mon, 16 May 2005 13:44:26
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Michael,

By default everyone in the domain can join up to 10 computers. My only
thought is that you may have inadvertently configured the wrong setting and
after they added the 10 machines they are now being denied the right to do so.
The correct setting is "add workstations to a domain".

Sincerely,

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

--


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD


Hi,
I used the delegation wizard to delegate the join computer to
the domain task to the technicians group. Everything worked fine until
today. For no apparent reason, it gives an access denied to the
technicians group members when they try to join a computer to the
domain. Nothing has changed on the system, I mean manually.

When I go into the security tab, I can see that they have the right to
create computer objects.

I tried to use the delegation wizard again, but still no go.

Ideas anyone?
Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] AD-Integrated DNS Record Query

2005-05-17 Thread James Green
Hello folks
I hope someone can help here:
Scenario:
DC1 and DC2 with an AD-Integrated DNS Zone called MYDNS.NET.
I create a Host Record on DC1 in the MYDNS.NET zone and it gets AD-replicated to
DC2.
I can see the metadata of this record using Replmon etc - all ok so far!

Now, someone deletes this record!
I need to find out which DC this got deleted from.
How can I do so?
Thanks All
james

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] delegation not working on Win2k AD

2005-05-17 Thread Bruyere, Michel
Hi, 

    Thanks for the hint, but I did
it too

Here are the settings I have. In the user
rights the group technicians is allowed to add computers to the domain.



I also have the following perms on the Computers
OU

List content

Read all properties

Write all properties

Read permissions

Create computer objects

Delete computer objects

Read Container info

Write container info

Read heuristics

Write heuristics





I used the delegation wizard on the domain,
not on the OU.



Is there anything else Im missing?



Thanks





    













From: TIROA YANN [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Tuesday, May 17, 2005 2:23 PM
To: ActiveDir@mail.activedir.org; Bruyere, Michel
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hello ;-)

If you want to delegate creation of computers for a subset of users, you may
have to create a security group (i.e. a technicians group), then go to the
Default Domain Controllers Policy on the Domain Controllers OU, and not to the
Default Domain Policy of your domain root.

Add your group to "Join computer to the domain". Notice that you already have
security objects such as Authenticated Users listed there: remove this group
if necessary.

Then your users will have the right to join computers to the domain: those
will appear by default in the Computers container.

Cheers,

Yann TIROA

I would run the delegation wizard at the Domain.com level and delegate the
"Join a computer to the domain" permission instead of creating a GPO. By
using the wizard it grants the Create Computer Objects permission on "This
object and all child objects".

Setting this permission at the OU level will allow the user to move
computer objects between OUs but not join computers to the domain.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362




From: Mark Parris [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 05/17/2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] delegation not working on Win2k AD
Please respond to: [EMAIL PROTECTED]

I was under the impression that the setting in the GPO "add workstations
to a domain" was the legacy way of granting such permissions, and that the
correct way, on an OU where the accounts would live, would be to grant
create and delete computer objects and then grant full control to those
objects.

Regards

Mark

-Original Message-
From: Medeiros, Jose [EMAIL PROTECTED]
Date: Mon, 16 May 2005 13:44:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Michael,

By default everyone in the domain can join up to 10 computers. My only
thought is that you may have inadvertently configured the wrong setting and
after they added the 10 machines they are now being denied the right to do so.
The correct setting is "add workstations to a domain".

Sincerely,

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

--


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On
Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD


Hi,
I used the delegation wizard to delegate the "join computer to the domain"
task to the technicians group. Everything worked fine until today. For no
apparent reason, it gives an access denied to the technicians group members
when they try to join a computer to the domain. Nothing has changed on the
system, I mean manually.

When I go into the security tab, I can see that they have the right to
create computer objects.

I tried to use the delegation wizard again, but still no go.

Ideas anyone?
Thanks

RE: [ActiveDir] AD-Integrated DNS Record Query

2005-05-17 Thread deji
If you are auditing Directory Service Access (for success and failure) you
will see a success event of ID 566 whenever an AD-integrated record is
created/deleted (or modified).

The clue to the deletion is that you will see the following (in addition to
others):
Accesses: Write Property
Properties: Write Property
    Default Property Set
        dnsRecord
        dNSTombstoned

You will see the name of the person that did the deletion in Client User
Name and you will see the record deleted in Object Name.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



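Building on Dèjì's pointer to event 566, the Python below is an added example (not from any poster in this thread) that scans Security-log text exported from a DC for 566 events and reports the ones that look like a DNS record deletion, using his heuristic: a Write Property on a dnsNode that touches both dnsRecord and dNSTombstoned. Because Directory Service Access events are logged on the DC that serviced the LDAP write, the event's Computer field answers James's question of which DC the deletion came from. The two events in SAMPLE_LOG are constructed, with made-up hosts, users and zone; the field layout follows the 566 event text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: two event 566 records as exported from a Windows Server
# 2003 Security log. DC names, users and the zone are made up for this example.
SAMPLE_LOG = """\
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
User: MYDNS\\jdoe
Computer: DC2
Object Operation:
 Object Server: DS
 Operation Type: Object Access
 Object Type: dnsNode
 Object Name: DC=host1,DC=mydns.net,CN=MicrosoftDNS,CN=System,DC=mydns,DC=net
 Primary User Name: DC2$
 Client User Name: jdoe
 Client Domain: MYDNS
 Accesses: Write Property
 Properties: Write Property
 Default Property Set
 dnsRecord
 dNSTombstoned
 Additional Info:
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
User: MYDNS\\dnsadmin
Computer: DC1
Object Operation:
 Object Server: DS
 Operation Type: Object Access
 Object Type: dnsNode
 Object Name: DC=host2,DC=mydns.net,CN=MicrosoftDNS,CN=System,DC=mydns,DC=net
 Primary User Name: DC1$
 Client User Name: dnsadmin
 Client Domain: MYDNS
 Accesses: Write Property
 Properties: Write Property
 Default Property Set
 dnsRecord
 Additional Info:
"""

# "Key: value" lines; keys are words and spaces, so "Time: 1:07:42 PM" splits
# on the first colon only.
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$")


@dataclass
class DsAccessEvent:
    event_id: int
    computer: str        # DC that logged, and therefore serviced, the write
    client_user: str     # DOMAIN\user that made the LDAP change
    object_type: str
    object_name: str
    properties: List[str] = field(default_factory=list)


def parse_event(text: str) -> DsAccessEvent:
    """Parse one event's text. The non-"key:" lines that follow 'Properties:'
    (property set name, then attribute names) are collected as a list."""
    fields, props, in_props = {}, [], False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            fields[key] = value
            in_props = key == "Properties"
        elif in_props and line.strip():
            props.append(line.strip())
    client = fields.get("Client Domain", "") + "\\" + fields.get("Client User Name", "")
    return DsAccessEvent(int(fields.get("Event ID", "0")), fields.get("Computer", ""),
                         client, fields.get("Object Type", ""),
                         fields.get("Object Name", ""), props)


def parse_log(log_text: str) -> List[DsAccessEvent]:
    """Split exported log text into events; each one starts with 'Event Type:'."""
    chunks = re.split(r"(?m)^(?=Event Type:)", log_text)
    return [parse_event(c) for c in chunks if c.strip()]


def is_dns_record_deletion(ev: DsAccessEvent) -> bool:
    # Heuristic from the thread: a deletion is a Write Property on the dnsNode
    # that touches both dnsRecord and dNSTombstoned; a plain edit touches only dnsRecord.
    return (ev.event_id == 566 and ev.object_type == "dnsNode"
            and "dnsRecord" in ev.properties and "dNSTombstoned" in ev.properties)


def find_dns_deletions(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (DC, who, record DN) for every deletion-shaped 566 event."""
    return [(ev.computer, ev.client_user, ev.object_name)
            for ev in parse_log(log_text) if is_dns_record_deletion(ev)]


if __name__ == "__main__":
    for dc, who, rec in find_dns_deletions(SAMPLE_LOG):
        print(f"{rec} tombstoned by {who}, written on {dc}")
```

Run it against a text export of each DC's Security log in turn; only the DC that originated the change carries the event, the others see the tombstone arrive by replication without a 566 of their own.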


RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread David Cliffe
Good thing you spotted this thread.  I had a feeling my answer needed
some tweaking  :-)

-DaveC
Reuters IST Service Delivery

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 17, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind and GUID

You will want to add -base to that if the GUID refers to a container
type object. Basically what happens is that you are only setting a base
DN for the search and by default, adfind will do an objectclass=* query
from that base.

So for instance, if you enter the GUID for an OU with a bunch of
objects, you will end up dumping the OU attributes as well as all of the
objects in that OU. It could be quite a surprise if you are expecting
only a single object. :o)


   joe 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, May 17, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind and GUID

A thread similar to this subject appeared on this list not too long ago.

One nice way of doing that was with this syntax:

adfind -b GUID=----

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 17, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] [ActiveDir] Adfind and GUID

OK, so am I missing something here? Following the directions for adfind,
I am trying to locate an object by GUID. Here is my cmd line. What am I
missing?

adfind -binenc -f
objectguid={{GUID:9AD0431B-B677-4BF9-A63E-DD29036123FF}}

Help?


-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit
http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender, except  where  the sender specifically states them to be the
views of Reuters Ltd.

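As an added example (not from the thread), the Python below does the byte-order conversion that sits behind the two syntaxes discussed above. objectGUID is stored as 16 bytes with the first three GUID fields little-endian, so a textual GUID has to be re-ordered and \xx-escaped before it can be used as an LDAP filter value (the conversion that adfind's -binenc option performs for a {{GUID:...}} token), whereas the <GUID=...> search-base form takes the textual GUID as-is. The GUID is the one from Mike's command; naive_filter_value shows the encoding in textual byte order, which silently matches nothing.

```python
import uuid


def objectguid_filter_value(guid: str) -> str:
    """Escape a GUID for an LDAP filter against the binary objectGUID attribute.

    AD stores objectGUID in the byte order that uuid.UUID.bytes_le yields
    (time_low, time_mid, time_hi little-endian, the rest as written); each
    byte is escaped as \\XX per RFC 4515.
    """
    return "".join(f"\\{b:02x}" for b in uuid.UUID(guid).bytes_le)


def objectguid_filter(guid: str) -> str:
    """Complete filter usable with any LDAP client or with adfind -f."""
    return f"(objectGUID={objectguid_filter_value(guid)})"


def naive_filter_value(guid: str) -> str:
    """The wrong encoding: bytes in the order the GUID is printed. Kept here
    to show what the mismatch looks like; this filter matches nothing in AD."""
    return "".join(f"\\{b:02x}" for b in uuid.UUID(guid).bytes)


def guid_bind_base(guid: str) -> str:
    """The <GUID=...> search-base form (what adfind -b <GUID=...> sends). AD
    resolves it itself, so the textual GUID is passed as-is. Remember that the
    default scope from that base is subtree; add -base to get one object."""
    return f"<GUID={uuid.UUID(guid)}>"


def objectguid_to_text(raw: bytes) -> str:
    """Decode the 16 bytes returned for objectGUID back to the familiar string."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    g = "9AD0431B-B677-4BF9-A63E-DD29036123FF"   # the GUID from the question above
    print(objectguid_filter(g))
    print(guid_bind_base(g))
```

The same bytes_le rule applies when you read objectGUID back: decode it with objectguid_to_text rather than uuid.UUID(bytes=...), or the string you get will not match what ADSIEdit shows.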


RE: [ActiveDir] Citrix

2005-05-17 Thread al_maurer
In order to reduce the polling needed to find TS Licensing Servers, MS really 
changed the behavior in 2003--not to mention the additional licensing types and 
options.  (At least, that's what they told us.) It's really confusing now so do 
study carefully the docs Robert referenced.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, May 17, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix


Hi Robert, 

Your comments are very much appreciated. We all sometimes wonder just how
accurate the information being posted actually is. Of course we all
make mistakes, including Microsoft support staff :-)

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Williams
(RRE)
Sent: Tuesday, May 17, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix


I just want to be sure that everyone has the right information...I'm
sorry for correcting so much lately.

If the Terminal Services Licensing Server is installed on Windows 2000,
it MUST be on a Domain Controller (if you think there is a way to alter
this that IS SUPPORTED by Microsoft Dev, please reply to me offline as
I'd be interested in hearing your opinion).

Yes, you can bypass the discovery process by modifying the registry
value mentioned in the following article:
http://support.microsoft.com/kb/q239107

Here's a little snippet from that article:
To select a specific license server, locate the following key in the
registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
Add the following value:
Name: DefaultLicenseServer
Data type: REG_SZ
Data value: ServerName
Substitute the NetBIOS name of the appropriate license server for
ServerName. If the license server is located on a remote subnet, make
sure the Terminal Services-based computer can resolve the NetBIOS name.

If the Terminal Services Licensing Server is installed on Windows Server
2003, then it CAN be on a member server. Again, to override the
discovery process, modify the registry as mentioned in the following
article (pay attention to the difference: you are adding keys here
instead of values):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46844a6e-386f-4ce3-98e5-d5377b5d6ba9.mspx

Here is a snippet from that article:
Using the registry
1. Click Start, click Run, type regedit, and then click OK.
2. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
3. On the Edit menu, point to New, click Key, and then type
LicenseServers to name the new key.
4. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
5. On the Edit menu, point to New, click Key, and then type ServerName
where ServerName is the NetBIOS name of the license server that you want
to use, and then press ENTER.
The new key name can be any of the following designations that represent
the license server:
* The NetBIOS name of the server
* The fully-qualified domain name (FQDN) of the server
* The IP address of the server
6. Restart your computer

So to sum it up...if the Terminal Services Licensing Server is 2000, it
must be on a DC.

If it's on 2003, can be member server.

Have a great day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, May 17, 2005 9:35 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix

ahhh, thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix






No, it does not have to be on a DC if you change a registry setting on
the Citrix servers to point to the TS Licensing server on a member server.
If this entry is changed the server will no longer use the discovery
process to find the TS licensing server and go directly to the hard coded
server.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


 

From: Christine Allen christine.easton@bmchp.org
Sent by: [EMAIL PROTECTED]
Date: 05/17/2005 09:20 AM
To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix
Please respond to: [EMAIL PROTECTED]

Thanks.  Am I correct that in a 2000 environment it has to be on a DC?

-Original Message-
From: Glenn Corbett 

RE: [ActiveDir] Citrix

2005-05-17 Thread Christine Allen

Thanks.


-Christine

Christine N. Allen
Systems Engineer
Boston Medical Center HealthNet Plan
2 Copley Place
Boston, MA 02216

617-748-6034
617-297-4407
[EMAIL PROTECTED]



[ActiveDir] Replication failures - lingering objects

2005-05-17 Thread Alex Fontana

I have a DC that appears to have had some time synch problems before I got
here. Subsequently, all other DCs have discontinued replication for the
cn=configuration (per repadmin) with this DC. My question is; the first event
I can see showing replication problems with this DC is on April 8th, which
should mean that I'm not past the 60 day garbage collection period. It seems
to me that I could modify the reg setting to allow the other DCs to resume
replication and no lingering objects would be reintroduced because the
deleted object info is still present. The offending DC is running Windows
2000 SP3. Any thoughts?

TIA

-Alex

RE: [ActiveDir] Replication failures - lingering objects

2005-05-17 Thread Alex Fontana

Woops,

60 day tombstone lifetime, not garbage collection.

From: Alex Fontana
Sent: Tuesday, May 17, 2005 1:53 PM
To: 'ActiveDir@mail.activedir.org'
Subject: Replication failures - lingering objects






RE: [ActiveDir] Adfind and GUID

2005-05-17 Thread joe
Something in the subject caught my eye, not sure what it was... 

I have to admit to being pretty busy right now and not looking at most of
the posts. During the day I am working on customers and writing internal KB
articles for, well, internal use. During the evening I am doing all sorts of
personal things as well as updating admod to fix a little bug eg and add
binary update capability for writing GUID and SID attributes as well as
binary blobs and also I have added password SET capability[1]. 

The weather ended up not being the greatest this last weekend so I checked
the source out and started hacking away. Now I am trying to make sure I
didn't break anything and the documentation will reflect the new
functionality properly. 

Your prompting on the lowercase bug combined with the property set
discussion prompted me to work on the binary update capability. I hacked my
schema and made it so attributeSecurityGUID was multivalued and even after I
did that ADSIEDIT wouldn't let me stick in multiple values so[2] I hacked
admod to let me insert GUID values and it was able to. Unfortunately, AD
still only looks at the first value and as ~Eric is quick to point out,
order isn't guaranteed in multivalue attributes so just doing what I did is
an interesting way to add an opportunity for inconsistent permissioning
behavior. Exciting in and of itself, but unfortunately not in line with my
goal. 

I expect to release the new version of admod in the next week. 

  joe


[1] This sucks, I actually broke down and used ADSI for this piece since
there is no guaranteed LDAP mechanism. How many people really run certs and
SSL on their DCs? How many of you that do looked at the perf between using
SSL and not using SSL. Yes, security can be costly, but jeez!

[2] LDP has made me burn up three left mouse buttons already from excessive
clicking so I try to avoid it.  :o)
 





[ActiveDir] Exclude a drive letter

2005-05-17 Thread Victor Weenink
Does anybody know how I can exclude a certain drive letter from being used, by using a group policy?

What I mean is this: In my firm the users all have a home drive which resides on the server. Unfortunately that drive is assigned the letter D (don't ask me why, I think this goes way back). Now when they connect a USB device, the device tries to assign itself the D drive as well. That poses a problem because the users only have user rights and they are not admins; they don't have access to the Disk Management snap-in and giving them that right is not according to policy, so that is not an option. That means that now they have to call an admin, me, who has to change the drive letter of the USB device.

Changing the letter of the home drive is not really an option because a lot of applications are being started from that drive with the path: d:\\etcetera.

Is it possible to exclude the letter D, so it won't be assigned to a USB device that gets connected?

Thanks very much in advance.

RE: [ActiveDir]

2005-05-17 Thread Rick Kingslan
One simple question in relation to domain vs. OU - do you need specific and
different security policy (i.e. Password or Lockout settings) for any of the
locations that you are considering?

If no - then most likely OU's will work for you.  OUs are going to allow
(and, in fact are designed for) collecting like users and computers into a
structure that is specifically designed for implementing administrative
management.  Domains, however, would require a Domain Admin per domain,
which begins to lend too much complexity to the scenario.

Specifically, you will have the use of two key things - one is delegation of
authority and / or control, as well as Group Policy.

Also, you will want to look into sites for each of the remote locations, and
also review your network topology (the actual network infrastructure) to
determine if the implementation of a number of separate sites is
appropriate.  I suspect that to control replication and to give a reasonable
logon and use 'experience' for your users, you are going to want to
seriously consider domain controllers for each site.  If you are interested
in Dfs (which it sounds as though you are, with the shared folder concept
for applications), dedicating a server in most locations for file and print
would be a thought as well.

Your first decision point is domain vs. OU - I'd suggest the OUs over a
bunch of domains.

Learn about sites, replication, and Dfs.  These will serve you well over the
process.  Also, get to know our own Brian Desmond here on the list.  He's
sys admin / designer / all around 'good guy' with a school district in
(Chicago???).  He's been there, done that with what you are doing.

Good luck!

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eddie Greene
Sent: Monday, May 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 

We have not rolled out AD yet and are banging our heads against the wall
figuring out which way to go.  We have 24 Schools 1 Main office, 1
Maintenance shop, 1 Bus Garage.  would it be best for use to roll out a
single domain or 27 domains in our forest.

it is not important for our users to be able to go to other locations and
log into the system.  It would be nice to be able to replicate a folder with
all the schools that contains programs you never have when you need them
(i.e. Adobe).

I haven't got a clear understanding of Domains vs. OUs.  One way I read it
would be best for each school to be a domain and in another reading I think
that each school just needs to be their own OU.

any help would be greatly appreciated

Eddie



RE: [ActiveDir] delegation not working on Win2k AD

2005-05-17 Thread Rick Kingslan
I agree with many of the other posts here: a domain level is likely the
correct area to do this, simply because the usual location for a joined
computer is the Computers container, not an OU. If they don't have access to
the container, then they aren't going to be able to join them.

What is the scope of the delegated permissions? Is it "This object and all
child objects"? Also, I think that I'd create a new delegation in the Advanced
properties of the AD Security tab (it might exist; if you aren't used to using
the Advanced view of Security in AD, you won't see it) for the techs. This
time, however, you are going to want to select Computer Objects from the
dropdown, then select Full Control for the techs. Save this.

If you don't have a clear idea on how to proceed, reply back. I'll send or
post detailed instructions with pictures, if necessary, on how to do exactly
what you want.

-rtk


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, May 17, 2005 2:15
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
delegation not working on Win2k AD





Hi, 


Thanks for the hint, but I did it too

Here are the settings I have. In the user
rights the group technicians is allowed to add computers to the domain.



I also have the following perms on the
Computers OU

List content

Read all properties

Write all properties

Read permissions

Create computer objects

Delete computer objects

Read Container info

Write container info

Read heuristics

Write heuristics





I used the delegation wizard on the
domain, not on the OU.



Is there anything else Im missing?



Thanks




















De:
TIROA YANN [mailto:[EMAIL PROTECTED] De la part de TIROA YANN
Envoyé: Tuesday, May 17,
2005 2:23 PM
À: ActiveDir@mail.activedir.org;
Bruyere, Michel
Objet: RE: [ActiveDir]
delegation not working on Win2k AD





Hello ;-)

If You
want to delegate creation of computers for a subset of users, you may have to
create a security groups (ie:technicians group), then go to the Default
domain controller policy on Domain Controllers OU, and not on
the Default Domain Policy of your Domain root.

Add your
group to Join computer to the domain. Notice that you have already
security objects such as authenticated users: remove this group if necessary.

Then
yourusers will have the rights to join computers to domain: those will
appear by default in Computers container.

Cheers,

Yann TIROA 

I would
run the delegation wizard at the Domain.com level and delegate the
Join a computer to the domain permission instead of creating a GPO. By
using the wizard it grants the Create Computer Objects permission on This
object and all child objects.

Setting this permission at the OU level will allow the user to move
computer objects between OU's but not join computers to the domain.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362




From: Mark Parris [EMAIL PROTECTED] it.co.uk
Sent by: [EMAIL PROTECTED] ail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Date: 05/17/2005 12:25 PM
Subject: Re: [ActiveDir] delegation not working on Win2k AD
Please respond to [EMAIL PROTECTED] tivedir.org

I was under the impression that the setting in the GPO "add workstations
to a domain" was the legacy way of granting such permissions, and the
correct way was, on an OU where the accounts would live, to grant
create and delete computer objects and then grant full control to those
objects.

Regards

Mark

-Original Message-
From: Medeiros, Jose [EMAIL PROTECTED]
Date: Mon, 16 May 2005 13:44:26
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Michael,

By default everyone in the domain can join up to 10 computers. My only
thought is that you may have inadvertently configured the wrong setting and
after they added the 10 machines they are now being denied the right to do so.
The correct setting is "add workstations to a domain".

Sincerely,

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

--


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On
Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD


Hi,
I used the delegation wizard to delegate the "join computer to
the domain" task to the technicians group. Everything worked fine until
today. For no apparent reason, it gives an access denied to the
technicians group members when they try to join a computer to the
domain. Nothing has changed on the system, I mean manually.

When I go into the security tab, I can see that they have the right to
create computer objects.

I tried to use the delegation wizard again, but still no go.

Ideas?


RE: [ActiveDir] Replication failures - lingering objects

2005-05-17 Thread Rick Kingslan

If you're concerned that there might be a problem, I don't see any real value
in taking a chance. I tend to treat DCs much like tin soldiers. Their purpose
in life is primarily object repository and authN. If the object repository
can't be trusted (possibly out of date) then the authN function is worthless.
(Reverse is true as well.)

Me, Alex, I'd find an alternative way to get any critical data off of it
(shouldn't be any, it's a DC for gosh sakes!) and then flatten it. Rebuild,
join, dcpromo, and all is good.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got
here. Subsequently, all other DCs have discontinued replication for
cn=configuration (per repadmin) with this DC. My question is: the first
event I can see showing replication problems with this DC is on April 8th,
which should mean that I'm not past the 60 day garbage collection period. It
seems to me that I could modify the reg setting to allow the other DCs to
resume replication and no lingering objects would be reintroduced because
the deleted object info is still present. The offending DC is running
Windows 2000 SP3. Any thoughts?

TIA

-Alex

RE: [ActiveDir] Replication failures - lingering objects

2005-05-17 Thread freddy_hartono

Try with repadmin /removelingeringobjects

Or disable the strict replication key on all domain controllers and re-enable
once the objects have been replicated (you can delete later on if you want to).

Mod the below /d value for enable/disable of the strictrepl key:

FOR /F "skip=1 usebackq delims==" %i IN (`netdom query dc`) DO reg add \\%i\HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 1 /f

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Wednesday, May 18, 2005 4:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

RE: [ActiveDir] UF_PASSWD_NOTREQD on domain controller?

2005-05-17 Thread David Adner
Does it give the same error if you run dcdiag directly on the DC?  Are you
using the 2003 SP1 version of dcdiag?  When I've seen this error in the past
I've just changed the value to 0x82000.  If you're 100% certain that it's
really correct, then maybe you should check it against a few different DCs.
Perhaps some of them have a different value for that computer object...?
Not supposed to happen, but you never know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, May 17, 2005 05:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UF_PASSWD_NOTREQD on domain controller?
 


RE: [ActiveDir] UF_PASSWD_NOTREQD on domain controller?

2005-05-17 Thread joe
Having UF_PASSWD_NOTREQD wouldn't break anything but would be unusual for a
DC I think. Usually you find that on accounts precreated by ADUC. For some
reason it doesn't clear the flag after the account is created; I actually
filed that as a bug with MS a long time ago because netdom doesn't do it.

You can use any LDAP tool to verify the setting but I find ADFIND to be the
easiest. I would hit every DC in the domain just to be sure they all agree.

adfind -h dc -default -f "(&(objectcategory=computer)(name=dc_to_check))" useraccountcontrol -samdc

The -samdc will decode the useraccountcontrol to simple mnemonics like
below.

F:\temp>adfind -default -f "(&(objectcategory=computer)(name=2k3dc01))" useraccountcontrol -samdc

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=2K3DC01,OU=Domain Controllers,DC=joe,DC=com
userAccountControl: 532480 [DC(8192);TRUST_DELEG(524288)]

1 Objects returned


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, May 17, 2005 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UF_PASSWD_NOTREQD on domain controller?

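The bit decoding that dcdiag and adfind -samdc perform in the replies above, written out as an added Python example that is not from the list thread, from AdFind or from Microsoft. It also covers David's suggestion of reading the same computer object from several DCs and seeing whether they agree. The UF_* names and bit values are the documented userAccountControl flags; the hostnames and the readings in SAMPLE_READINGS are constructed for the example.

```python
# Added example: decode a userAccountControl value into UF_* flag names, compare a
# DC computer account against the usual DC baseline (0x82000, as quoted by dcdiag
# in the thread), and detect when different DCs return different values for the
# same object. Flag table = documented UF_* constants; sample data is constructed.

UF_FLAGS = {
    "UF_SCRIPT": 0x0001,
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_HOMEDIR_REQUIRED": 0x0008,
    "UF_LOCKOUT": 0x0010,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_PASSWD_CANT_CHANGE": 0x0040,
    "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "UF_NORMAL_ACCOUNT": 0x0200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
    "UF_MNS_LOGON_ACCOUNT": 0x20000,
    "UF_SMARTCARD_REQUIRED": 0x40000,
    "UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "UF_NOT_DELEGATED": 0x100000,
    "UF_USE_DES_KEY_ONLY": 0x200000,
    "UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "UF_PASSWORD_EXPIRED": 0x800000,
    "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}

# Typical writable-DC value from the thread: SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION.
DC_BASELINE = UF_FLAGS["UF_SERVER_TRUST_ACCOUNT"] | UF_FLAGS["UF_TRUSTED_FOR_DELEGATION"]


def decode_uac(value: int) -> list[str]:
    """Return the UF_* names whose bit is set in value, lowest bit first."""
    return [name for name, bit in UF_FLAGS.items() if value & bit]


def diff_from_baseline(value: int, baseline: int = DC_BASELINE) -> tuple[set[str], set[str]]:
    """(extra, missing): flags set beyond the baseline, and baseline flags that are absent."""
    extra = set(decode_uac(value & ~baseline))
    missing = set(decode_uac(baseline & ~value))
    return extra, missing


def disagreeing_readings(readings: dict[str, int]) -> dict[int, list[str]]:
    """Group the DCs queried by the value each returned for the SAME object.

    Returns {} when every DC agrees; otherwise value -> sorted DC names, so a
    one-off reading (a stale or mis-reported value on one DC) stands out."""
    by_value: dict[int, list[str]] = {}
    for dc, value in readings.items():
        by_value.setdefault(value, []).append(dc)
    if len(by_value) < 2:
        return {}
    return {value: sorted(dcs) for value, dcs in by_value.items()}


# Constructed sample (hostnames are placeholders, not from the thread): the value
# of one child-DC computer object as read from three different DCs.
SAMPLE_READINGS = {
    "root-dc01.example.invalid": 0x82020,   # what dcdiag on the root DC reported
    "child-dc01.example.invalid": 0x82000,  # what ADSIEdit on the child DC showed
    "child-dc02.example.invalid": 0x82000,
}


def report(readings: dict[str, int]) -> list[str]:
    """One triage line per DC queried, plus a final line if the DCs disagree."""
    lines = []
    for dc, value in readings.items():
        extra, missing = diff_from_baseline(value)
        status = "ok" if not (extra or missing) else f"extra={sorted(extra)} missing={sorted(missing)}"
        lines.append(f"{dc}: 0x{value:X} [{';'.join(decode_uac(value))}] {status}")
    split = disagreeing_readings(readings)
    if split:
        lines.append("DCs disagree on this object: "
                     + ", ".join(f"0x{v:X} from {d}" for v, d in split.items()))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_READINGS)))
```

For the constructed sample the report marks the root DC's reading as carrying the extra UF_PASSWD_NOTREQD bit and the two child-DC readings as matching the baseline, then lists the split between 0x82020 and 0x82000; with real data the readings would come from an LDAP query of each DC, as joe's adfind line does.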