RE: [ActiveDir] ExchMbx Secondary SMTP
Admod, eh? That's where you are hiding it? Who woulda thunk :o.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 6/1/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ExchMbx Secondary SMTP

Correct ExchMbx will not currently add a secondary, this is pretty trivial to do with admod though.

admod -b userdn proxyaddresses:+:smtp:[EMAIL PROTECTED]

case on smtp is critical as it signals Exchange that it is a secondary.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 01, 2005 8:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ExchMbx Secondary SMTP

Hi (Joe):

Am I correct that ExchMbx does not currently support adding/deleting secondary SMTP addresses? Is there another way to script this or run it from the command line?

Thanks.

-- nme

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ExchMbx Secondary SMTP
Joe says ExchMbx does not currently support this (got this info from his website).

Now, if you are looking to script proxyaddresses, there are a number of sample vbscript codes out there to do this. What you need to understand is that proxyaddresses is multi-valued and should, therefore, be read/written with GetEx/PutEx rather than Get/Put. If you get this, then you will find that scripting it is not so complicated.

Look at the "GetProxyAddy" subroutine in
http://www.readymaids.com/Portals/1/Write%20out%20the%20SMTP%20Addresses%20of%20users%20OR%20Groups.txt

Also look at the "ChangeProxy" subroutine in
http://www.readymaids.com/Portals/1/Remove%20Orphaned%20SMTP%20Addresses%20-RUS-helper%20.txt

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Wed 6/1/2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ExchMbx Secondary SMTP

Hi (Joe):

Am I correct that ExchMbx does not currently support adding/deleting secondary SMTP addresses? Is there another way to script this or run it from the command line?

Thanks.

-- nme
RE: [ActiveDir] ExchMbx Secondary SMTP
Correct ExchMbx will not currently add a secondary, this is pretty trivial to do with admod though.

admod -b userdn proxyaddresses:+:smtp:[EMAIL PROTECTED]

case on smtp is critical as it signals Exchange that it is a secondary.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 01, 2005 8:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ExchMbx Secondary SMTP

Hi (Joe):

Am I correct that ExchMbx does not currently support adding/deleting secondary SMTP addresses? Is there another way to script this or run it from the command line?

Thanks.

-- nme
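The two points made in the replies above (proxyAddresses is multi-valued, and the case of the smtp prefix decides primary versus secondary) can be checked before any write to the directory. The following is an added example, not code from the thread or from admod; the function names and the example.com addresses are constructed, and rejecting mixed-case prefixes such as "Smtp:" is an assumption of this sketch.

```python
"""Validate and extend a proxyAddresses value list without touching the primary."""


def split_proxy(value):
    """Split 'prefix:address' on the first colon."""
    prefix, sep, address = value.partition(":")
    if not sep or not address:
        raise ValueError(f"not a proxy address: {value!r}")
    return prefix, address


def smtp_role(value):
    """Return 'primary', 'secondary', 'ambiguous', or None for non-SMTP types."""
    prefix, _ = split_proxy(value)
    if prefix == "SMTP":
        return "primary"      # upper case marks the primary (reply) address
    if prefix == "smtp":
        return "secondary"    # lower case marks a secondary address
    if prefix.lower() == "smtp":
        return "ambiguous"    # mixed case: flagged here (assumption of this example)
    return None               # X400:, x500: and other types are left alone


def audit(values):
    """Return a list of problems found in a full proxyAddresses value list."""
    problems = []
    primaries = [v for v in values if smtp_role(v) == "primary"]
    if len(primaries) != 1:
        problems.append(
            f"expected exactly 1 primary SMTP address, found {len(primaries)}")
    seen = set()
    for value in values:
        role = smtp_role(value)
        if role is None:
            continue
        if role == "ambiguous":
            problems.append(f"mixed-case SMTP prefix: {value}")
        address = split_proxy(value)[1].lower()
        if address in seen:
            problems.append(f"duplicate SMTP address: {address}")
        seen.add(address)
    return problems


def add_secondary(values, address):
    """Return a new list with 'smtp:<address>' appended.

    Every existing value is preserved (the attribute is multi-valued, so the
    whole list is carried forward) and the prefix is forced to lower case so
    the existing primary is never displaced. Comparison of addresses is
    case-insensitive (assumption of this example).
    """
    if "@" not in address or ":" in address:
        raise ValueError(f"not a bare SMTP address: {address!r}")
    wanted = address.lower()
    for value in values:
        if smtp_role(value) is not None and split_proxy(value)[1].lower() == wanted:
            return list(values)   # already present as primary or secondary
    return list(values) + ["smtp:" + address]


# Constructed sample values, as they might be read from one user object.
SAMPLE = [
    "SMTP:jane.doe@example.com",
    "smtp:jdoe@example.com",
    "X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=Jane;",
]

if __name__ == "__main__":
    updated = add_secondary(SAMPLE, "j.doe@example.com")
    print(updated)
    print(audit(updated) or "no problems")
    # A second upper-case value is what a wrong-case write would produce.
    print(audit(SAMPLE + ["SMTP:other@example.com"]))
```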
[ActiveDir] ExchMbx Secondary SMTP
Hi (Joe):

Am I correct that ExchMbx does not currently support adding/deleting secondary SMTP addresses? Is there another way to script this or run it from the command line?

Thanks.

-- nme
RE: [ActiveDir] Microsoft iSCSI- iSNS Server 3.0 and iSCSI Initiator for Microsoft Clusters
Greetings,

Just thought I would share what I discovered. I ended up using StringBeans Software to create an iSCSI target along with iSNS server 3.0 and the Microsoft iSCSI initiator 1.06. I now can mount a volume on our HP NAS box. I am sure if I used a Hardware based product from FalconStore, Stonefly, Equalogic or Intransa it would have saved me some time in understanding the configuration, however this is only being used for a proof of concept test.

Thanks again to everyone's comments.

Sincerely,
Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, May 31, 2005 12:44 PM
To: [ExchangeList]; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft ISCSI SNS Server and ISCSI Inatiotar for Microsoft Clusters

Good Afternoon,

I am trying to configure a HP 1200s NAS server appliance as an iSCSI Target server using Microsoft's iSNS server 3.0 along with a client server that we want to install Microsoft cluster server on that has the Microsoft iSCSI initiator 1.06. I am having trouble configuring it, has anyone done this yet? I am at a loss as to why I can not see the target server from a server that is running the iSCSI initiator.

http://www.microsoft.com/downloads/details.aspx?familyid=12CB3C1A-15D6-4585-B385-BEFD1319F825&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=0dbc4af5-9410-4080-a545-f90b45650e20&DisplayLang=en

Thanks in advance.

Jose Medeiros
408-449-6621 Cell
[ActiveDir] OT Assign Icon in script
Is it possible to assign an icon to a shortcut, to all the computers in the domain via GPO Logon Scripts? What I have got is this:

    ' Create a shortcut to a URL on the current user's desktop
    Set ws = WScript.CreateObject("WScript.Shell")
    dsktop = ws.SpecialFolders("Desktop")
    Set scut = ws.CreateShortcut(dsktop & "\shortcut name.lnk")
    scut.TargetPath = "http://enter url here"
    scut.Save

Now this is all great and works (creating the Shortcut on the desktop) but I would also like to assign a custom icon. Is this at all possible?

Thanks,
Aaron Visser
RE: [ActiveDir] GPO oddity
More specifically, when you choose Enforced for a given GPO, it is moved to the bottom of the list of GPOs that a given user or computer will process. This means that it is processed last and, by virtue of that, overrides any conflicting settings processed earlier. It doesn't prevent downstream GPOs from being processed at all, which is probably an important distinction.

From: [EMAIL PROTECTED] on behalf of Bazarewsky, Michael C.
Sent: Wed 6/1/2005 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO oddity

"Enforced" a.k.a. "No Override" takes precedence over "Block Policy Inheritance", see for example http://www.windowsitpro.com/Article/ArticleID/15420/15420.html

So the "Enforced" 120 minute overrides the lower 3 minute setting even with "Block Policy Inheritance" set. This is true in Windows 2000 and Windows 2003.

-- Michael C. Bazarewsky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 31, 2005 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO oddity

We have a Default Domain level GPO that is set to "Enforced". In this GPO, we set a 120 minute screensaver timeout that locks the screensaver after 120 minutes. In a GPO at a lower OU level, we have an OU that has "Block Policy Inheritance" turned on, and a GPO is linked to that OU that sets the screensaver timeout to 3 minutes. For some reason, the users in that OU are getting the default domain GPO timeout of 120 minutes rather than the 3 minute screensaver timeout. I assume if we turn off "Enforced" on the default domain GPO, anyone that belongs to a Block Policy Inheritance OU will get their lower level GPO applied rather than the default domain GPO?
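The precedence rule discussed in this message can be modelled in a few lines. This is an added example, not code from the thread or from any Microsoft tool: it rebuilds the scenario from the original question (a domain-level GPO with a 120 minute timeout, a Block Policy Inheritance OU with a 3 minute GPO) and resolves it last-writer-wins. The class names, setting keys and the extra "Domain Baseline" GPO are hypothetical.

```python
"""Model of GPO processing order with Enforced links and Block Policy Inheritance."""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict


@dataclass
class Link:
    gpo: Gpo
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # listed in processing order
    block_inheritance: bool = False


def processing_order(path):
    """Return the GPOs in the order they are applied (the last one wins).

    `path` runs from the domain down to the OU that holds the user.
    """
    normal, enforced = [], []
    for container in path:
        if container.block_inheritance:
            # Blocking discards inherited links, but only the non-enforced ones.
            normal.clear()
        for link in container.links:
            (enforced if link.enforced else normal).append(link.gpo)
    # Enforced GPOs go to the bottom of the list; among several enforced
    # GPOs the one linked highest in the hierarchy is applied last.
    return normal + enforced[::-1]


def effective_settings(path):
    """Resolve conflicts last-writer-wins; map setting -> (value, winning GPO)."""
    result = {}
    for gpo in processing_order(path):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def thread_scenario(domain_gpo_enforced):
    """Constructed data mirroring the question: 120 min at domain, 3 min at OU."""
    default_domain = Gpo("Default Domain Policy", {"screensaver_timeout_min": 120})
    baseline = Gpo("Domain Baseline", {"wallpaper": "corp.bmp"})   # hypothetical
    ou_gpo = Gpo("OU Screensaver",
                 {"screensaver_timeout_min": 3, "screensaver_locks": True})
    domain = Container("domain", [Link(baseline),
                                  Link(default_domain, enforced=domain_gpo_enforced)])
    ou = Container("blocked OU", [Link(ou_gpo)], block_inheritance=True)
    return [domain, ou]


if __name__ == "__main__":
    for enforced in (True, False):
        path = thread_scenario(enforced)
        print("Enforced" if enforced else "Not enforced",
              [g.name for g in processing_order(path)],
              effective_settings(path))
```

With the domain link enforced, the OU's GPO is still processed (its non-conflicting lock setting survives) but loses the timeout conflict; with Enforced off, the block removes both domain-level GPOs and the 3 minute value applies.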
RE: [ActiveDir] Way OT: FTP not working for certain files...
I'll check GP - though nothing specific has been configured on those boxes...they are "out of the box" installs.
RE: [ActiveDir] Way OT: FTP not working for certain files...
How about GP or DRM configurations? Just a shot in the dark...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
> Sent: Wednesday, June 01, 2005 12:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...
>
> What is the Web Server/FTP Server? And what clients have been successful? I
> would look into permissions due to the fact that you are unable to copy the
> said files to a USB drive.
>
> On 6/1/05 10:40 AM, "Lou Vega" <[EMAIL PROTECTED]> wrote:
>
> > I thought it might be that too. The web server is a non-Windows one. I also
> > attempted to take the existing files and copy them to a USB thumb drive
> > which was FAT versus NTFS and the same files still did not copy. The file
> > perms on the web server are set apparently correct since when I take them on
> > a different computer they upload fine.
> >
> > All virus/malware scans come up negative. I've run McAfee, Symantec and AVG
> > all with the latest definitions and engines. Microsoft Spyware reports
> > nothing, nor does any other spyware/malware program I've run (many at this
> > point).
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
> > Sent: Wednesday, June 01, 2005 1:18 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...
> >
> > I think that you have to check the NTFS permissions on the current website
> > files
> >
> > Regards
> >
> > Peter
RE: [ActiveDir] GPO oddity
"Enforced" a.k.a. "No Override" takes precedence over "Block Policy Inheritance", see for example http://www.windowsitpro.com/Article/ArticleID/15420/15420.html

So the "Enforced" 120 minute overrides the lower 3 minute setting even with "Block Policy Inheritance" set. This is true in Windows 2000 and Windows 2003.

-- Michael C. Bazarewsky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 31, 2005 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO oddity

We have a Default Domain level GPO that is set to "Enforced". In this GPO, we set a 120 minute screensaver timeout that locks the screensaver after 120 minutes. In a GPO at a lower OU level, we have an OU that has "Block Policy Inheritance" turned on, and a GPO is linked to that OU that sets the screensaver timeout to 3 minutes. For some reason, the users in that OU are getting the default domain GPO timeout of 120 minutes rather than the 3 minute screensaver timeout. I assume if we turn off "Enforced" on the default domain GPO, anyone that belongs to a Block Policy Inheritance OU will get their lower level GPO applied rather than the default domain GPO?
RE: [ActiveDir] DC's not communicating with each other
Has the SMB configuration been amended? Could you have a Workstation/Server SMB signing mismatch?

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 01 June 2005 20:03
To: 'Matt Brown '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DC's not communicating with each other

Does the PDC FSMO or the other DCs have any events with errors that can possibly tell more about this issue?

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 6:39 PM
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further and found more info.

I have 4 domain controllers in 1 domain. When I'm on one of the 3 DC's that is not the PDC and I try to connect to the PDC it tells me I'm not authorized. I get this when trying to connect to the PDC's AD users and computers, DNS, or even a file share. I can however connect to any of these services using the IP address. This is strange because all DC's can ping each other and resolve the IP addresses from the names just fine and I don't seem to be having any DNS issues. The 3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the domain and re-introduce them. I'm just trying to figure out if I should remove the PDC or remove the other 3 DCs.

Thanks,

--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] restructuring domain
Freddy,

I agree with Peter and others: and high on the plan priority is limiting student access, locking the desktop and software restrictions. In the pre-AD computer lab I worked at we had to manually reimage the PCs weekly. You probably want a RIS server, too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Monday, May 30, 2005 8:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] restructuring domain

Agreed, this is a sure recipe for failure and luckily Freddie's Boss can point at someone as causing the issue...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 26, 2005 9:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] restructuring domain

Might I respectfully suggest that before a plan is drafted, precise requirements be documented, with justification and therefore sponsorship. Your project is doomed to failure without this scoping and "management buy-in" from day one.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: 26 May 2005 13:37
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] restructuring domain

Freddie

This is really a worst case scenario. ¡A school! On this listing are many people who know better than I but I suggest:

Lower your boss's expectations. I don't think it is realistic in a week.

You will only clean up this environment when you reinstall the PCs. Applying group policy on this setup may not be sufficient to obtain your expectation.

You also need antivirus, SUS server for patch update, user policy.

Before you start I would write down a plan and cost it in terms of money and person hours. I hope you don't have to give classes as well!

Good luck

Peter Jessop
Re: [ActiveDir] Way OT: FTP not working for certain files...
What is the Web Server/FTP Server? And what clients have been successful? I would look into permissions due to the fact that you are unable to copy the said files to a USB drive.

On 6/1/05 10:40 AM, "Lou Vega" <[EMAIL PROTECTED]> wrote:

> I thought it might be that too. The web server is a non-Windows one. I also
> attempted to take the existing files and copy them to a USB thumb drive
> which was FAT versus NTFS and the same files still did not copy. The file
> perms on the web server are set apparently correct since when I take them on
> a different computer they upload fine.
>
> All virus/malware scans come up negative. I've run McAfee, Symantec and AVG
> all with the latest definitions and engines. Microsoft Spyware reports
> nothing, nor does any other spyware/malware program I've run (many at this
> point).
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
> Sent: Wednesday, June 01, 2005 1:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...
>
> I think that you have to check the NTFS permissions on the current website
> files
>
> Regards
>
> Peter
RE: [ActiveDir] DC's not communicating with each other
Does the PDC FSMO or the other DCs have any events with errors that can possibly tell more about this issue?

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 6:39 PM
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further and found more info.

I have 4 domain controllers in 1 domain. When I'm on one of the 3 DC's that is not the PDC and I try to connect to the PDC it tells me I'm not authorized. I get this when trying to connect to the PDC's AD users and computers, DNS, or even a file share. I can however connect to any of these services using the IP address. This is strange because all DC's can ping each other and resolve the IP addresses from the names just fine and I don't seem to be having any DNS issues. The 3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the domain and re-introduce them. I'm just trying to figure out if I should remove the PDC or remove the other 3 DCs.

Thanks,

--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] Way OT: FTP not working for certain files...
I thought it might be that too. The web server is a non-Windows one. I also attempted to take the existing files and copy them to a USB thumb drive which was FAT versus NTFS and the same files still did not copy. The file perms on the web server are set apparently correct since when I take them on a different computer they upload fine.

All virus/malware scans come up negative. I've run McAfee, Symantec and AVG all with the latest definitions and engines. Microsoft Spyware reports nothing, nor does any other spyware/malware program I've run (many at this point).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, June 01, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...

I think that you have to check the NTFS permissions on the current website files

Regards

Peter
Re: [ActiveDir] Way OT: FTP not working for certain files...
I think that you have to check the NTFS permissions on the current website files

Regards

Peter
RE: [ActiveDir] DC's not communicating with each other
I'm having the same problem today except I only have 2 DC's. The problem child on my domain is the PDC though and it won't let me demote because it says it's not authorized and can't transfer FSMO roles, etc. to the BDC. I am trying to get a restore from backup for AD right now and my last resort I guess will be to manually remove the PDC from the domain and reintroduce it as a domain controller.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, June 01, 2005 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further and found more info.

I have 4 domain controllers in 1 domain. When I'm on one of the 3 DC's that is not the PDC and I try to connect to the PDC it tells me I'm not authorized. I get this when trying to connect to the PDC's AD users and computers, DNS, or even a file share. I can however connect to any of these services using the IP address. This is strange because all DC's can ping each other and resolve the IP addresses from the names just fine and I don't seem to be having any DNS issues. The 3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the domain and re-introduce them. I'm just trying to figure out if I should remove the PDC or remove the other 3 DCs.

Thanks,

--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
[ActiveDir] DC's not communicating with each other
I've talked about this a little before, but I dug in a little further and found more info.

I have 4 domain controllers in 1 domain. When I'm on one of the 3 DC's that is not the PDC and I try to connect to the PDC it tells me I'm not authorized. I get this when trying to connect to the PDC's AD users and computers, DNS, or even a file share. I can however connect to any of these services using the IP address. This is strange because all DC's can ping each other and resolve the IP addresses from the names just fine and I don't seem to be having any DNS issues. The 3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the domain and re-introduce them. I'm just trying to figure out if I should remove the PDC or remove the other 3 DCs.

Thanks,

--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
Re: [ActiveDir] OT-Data ACLing
The command I used to perform the function was:

Subinacl /subdirectories X:\data\*.* /accountmigration=domain\existinguser=domain\newuser

This will append newuser to everywhere existinguser is and on all files and directories.

Regards

Mark

-----Original Message-----
From: "Dean Wells" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 11:18:54
To: "Send - AD mailing list" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OT-Data ACLing

Interesting, I was under the impression that subinacl replaced the ACEs ... I assume I'm incorrect? Can you elaborate on what you did for my own purposes?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Thanks Dean, mad day here,

The SubInACL tool has done the job.

Regards,

Mark

-----Original Message-----
From: "Dean Wells" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 10:58:28
To: "Send - AD mailing list" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OT-Data ACLing

The reason I asked the question earlier was to determine the requirement you've noted below, aside from the unknown-to-me tool I mentioned earlier, I don't believe any of the command line ACL tools will do this out-of-the-box. That said, the script to achieve the desired end result is not overly complex (assuming the permission requirements for the new ACE are either static or derived in a non-complex manner)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

It is domain users and the data is incorrectly permissioned with the group.

-----Original Message-----
From: <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 06:45:25
To:
Subject: RE: [ActiveDir] OT-Data ACLing

Why not simply add the new group to the existing group that already has perm?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 6/1/2005 5:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing

All,

Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark
RE: [ActiveDir] OT-Data ACLing
Try:

* SUBINACL with the /accountmigration option (http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en & http://www.analogduck.com/main/subinacl)
* SETACL with the -cpytrst option (TrusteeAction) (http://sourceforge.net/project/showfiles.php?group_id=69165 & http://setacl.sourceforge.net/html/doc-reference.html)

I think it's better to use SETACL (have not tried it myself) as SUBINACL also changes the owner and the primary group. See the documentation for the details.

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 2:20 PM
Subject: [ActiveDir] OT-Data ACLing

All,

Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark
RE: [ActiveDir] OT-Data ACLing
Interesting, I was under the impression that subinacl replaced the ACEs ... I assume I'm incorrect? Can you elaborate on what you did for my own purposes? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 11:12 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing Thanks Dean, mad day here, The SubInACL tool has done the job. Regards, Mark -Original Message- From: "Dean Wells" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 10:58:28 To:"Send - AD mailing list" <[EMAIL PROTECTED]> Subject: RE: [ActiveDir] OT-Data ACLing The reason I asked the question earlier was to determine the requirement you've noted below, aside from the unknown-to-me tool I mentioned earlier, I don't believe any of the command line ACL tools will do this out-of-the-box. That said, the script to achieve the desired end result is not overly complex (assuming the permission requirements for the new ACE are either static or derived in a non-complex manner)? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 10:45 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing It is domain users and the data is incorrectly permissioned with the group. -Original Message- From: <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 06:45:25 To: Subject: RE: [ActiveDir] OT-Data ACLing Why not simply add the new group to the existing group that already has perm? Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Wed 6/1/2005 5:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT-Data ACLing
Thanks Dean, mad day here, The SubInACL tool has done the job. Regards, Mark -Original Message- From: "Dean Wells" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 10:58:28 To:"Send - AD mailing list" <[EMAIL PROTECTED]> Subject: RE: [ActiveDir] OT-Data ACLing The reason I asked the question earlier was to determine the requirement you've noted below, aside from the unknown-to-me tool I mentioned earlier, I don't believe any of the command line ACL tools will do this out-of-the-box. That said, the script to achieve the desired end result is not overly complex (assuming the permission requirements for the new ACE are either static or derived in a non-complex manner)? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 10:45 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing It is domain users and the data is incorrectly permissioned with the group. -Original Message- From: <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 06:45:25 To: Subject: RE: [ActiveDir] OT-Data ACLing Why not simply add the new group to the existing group that already has perm? Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Wed 6/1/2005 5:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. 
Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT-Data ACLing
Thanks this has done the job, Regards Mark -Original Message- From: "Cace, Andrew" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 08:54:38 To: Subject: RE: [ActiveDir] OT-Data ACLing Subinacl.exe from Microsoft will do what you are looking for. You can download subinacl.exe from http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en. The version of subinacl.exe that is included in the Windows 2003 Resource Kit is bugged. Syntax: subinacl /file c:\*.* /accountmigration=domain\currentuser=domain\newuser -Andrew -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 8:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing Cacls does not appear to perform this function either, Many thanks. Mark -Original Message- From: "Mark Parris" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 13:18:39 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing I did not know cacls did this, been looking at xcacls and scacls but no joy, will try, many thanks. Mark -Original Message- From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 08:59:24 To: Subject: RE: [ActiveDir] OT-Data ACLing There is a built-in utility called cacls that can do this for you. Another utility is a commercial product called Security Explorer by Small Wonders Software. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 8:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too.
Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT-Data ACLing
The reason I asked the question earlier was to determine the requirement you've noted below, aside from the unknown-to-me tool I mentioned earlier, I don't believe any of the command line ACL tools will do this out-of-the-box. That said, the script to achieve the desired end result is not overly complex (assuming the permission requirements for the new ACE are either static or derived in a non-complex manner)? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 10:45 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing It is domain users and the data is incorrectly permissioned with the group. -Original Message- From: <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 06:45:25 To: Subject: RE: [ActiveDir] OT-Data ACLing Why not simply add the new group to the existing group that already has perm? Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Wed 6/1/2005 5:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. 
Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Way OT: FTP not working for certain files...
Hi list - I know this is woefully OT, but I'm really looking for a solution and haven't been able to find one. Here's the situation - I have a group of 3 Windows XP Pro computers which will not FTP current website files using any of several FTP programs to include WS_FTP, SmartFTP, CuteFTP and BlazeFTP as well as the built-in Windows FTP folders. If I create a brand new file, it will upload just fine using any of those programs. If I take the current existing files and put them on another computer they upload fine using the same network connection (which ruled out an obscure Linksys router issue). Has anyone run into a similar situation in the past? I had thought it to be a Windows XP Home issue at first (so Google suggested) so I bought 3 upgrade copies of Windows XP Pro and upgraded each of them over the weekend to no avail. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT-Data ACLing
It is domain users and the data is incorrectly permissioned with the group. -Original Message- From: <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 06:45:25 To: Subject: RE: [ActiveDir] OT-Data ACLing Why not simply add the new group to the existing group that already has perm? Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Wed 6/1/2005 5:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT-Data ACLing
I wish to clone and append. Domain users is a common SID so it cannot be used for cross domain acling, so I need to clone domain users and append another group everywhere domain users appears. So the directory and files will have two groups ACL'd on it Domain users and new "group" and both sets of permissions can be utilised. I hope this is clearer. Mark -Original Message- From: "Dean Wells" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 09:39:07 To:"Send - AD mailing list" <[EMAIL PROTECTED]> Subject: RE: [ActiveDir] OT-Data ACLing My guess is you're missing what most are saying (with perhaps the exception of the 'Security Explorer' tool mentioned earlier as I'm not familiar with it), this can be done but likely requires an element of scripting. Are you trying to replace the existing ACE with a new security principal with identical permission or merely add a new ACE with some fixed permission or ? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 9:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing Cacls does not appear to perform this function either, Many thanks. Mark -Original Message- From: "Mark Parris" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 13:18:39 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing I did not know cacls did this, been looking at xcacls and scacls but no joy, will try, many thanks. Mark -Original Message- From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 08:59:24 To: Subject: RE: [ActiveDir] OT-Data ACLing There is a built-in utility called cacls that can do this for you. Another utility is a commercial product called Security Explorer by Small Wonders Software.
Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 8:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
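The "clone and append" operation described in the message above, as an added PowerShell example that is not part of the original thread and is not any poster's script: for every file or folder under a root that carries an explicit ACE for one group, add an ACE with the same rights, inheritance flags and allow/deny type for a second group. The function name, the group names and the path are placeholders chosen for this example.

```powershell
# Added example (not from the thread). Copy-GroupAce, the group names and the
# path in the sample call at the bottom are hypothetical placeholders.
function Copy-GroupAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$SourceGroup,
        [Parameter(Mandatory = $true)][string]$NewGroup
    )

    # Resolve both names to SIDs once, so matching does not depend on how a
    # trustee name happens to be displayed on a given ACE.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $srcSid = (New-Object System.Security.Principal.NTAccount -ArgumentList $SourceGroup).Translate($sidType)
    $newSid = (New-Object System.Security.Principal.NTAccount -ArgumentList $NewGroup).Translate($sidType)

    # Bits outside FullControl are generic-rights bits. The FileSystemAccessRule
    # constructor rejects them, so such ACEs are reported rather than remapped.
    $validMask = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # Explicit ACEs only: inherited ones are fixed by fixing their parent.
        $explicit = @($acl.GetAccessRules($true, $false, $sidType))
        $srcAces  = @($explicit | Where-Object { $_.IdentityReference.Value -eq $srcSid.Value })
        if ($srcAces.Count -eq 0) { continue }
        $newAces  = @($explicit | Where-Object { $_.IdentityReference.Value -eq $newSid.Value })

        $changed = $false
        foreach ($ace in $srcAces) {
            $twin = @($newAces | Where-Object {
                $_.FileSystemRights  -eq $ace.FileSystemRights  -and
                $_.InheritanceFlags  -eq $ace.InheritanceFlags  -and
                $_.PropagationFlags  -eq $ace.PropagationFlags  -and
                $_.AccessControlType -eq $ace.AccessControlType
            })

            if (([int]$ace.FileSystemRights -band (-bnot $validMask)) -ne 0) {
                $action = 'SkippedGenericRights'
            }
            elseif ($twin.Count -gt 0) {
                $action = 'AlreadyPresent'      # makes re-runs idempotent
            }
            else {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                    $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType
                $acl.AddAccessRule($rule)
                $changed = $true
                $action = 'Add'
            }

            # One record per source ACE: with -WhatIf this is the change plan,
            # without it the log of what was written.
            [pscustomobject]@{
                Path   = $item.FullName
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
                Action = $action
            }
        }

        if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, "Add ACEs for $NewGroup")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Dry run first (placeholder names); review the plan before dropping -WhatIf:
# Copy-GroupAce -Root 'D:\' -SourceGroup 'EXAMPLE\Domain Users' -NewGroup 'EXAMPLE\Cloned Users' -WhatIf
```

Exporting the dry-run records (for example with Export-Csv) before the real run leaves a record of every location the new group was granted access, which is what a later access review needs.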
RE: [ActiveDir] OT-Data ACLing
Subinacl.exe from Microsoft will do what you are looking for. You can download subinacl.exe from http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en. The version of subinacl.exe that is included in the Windows 2003 Resource Kit is bugged. Syntax: subinacl /file c:\*.* /accountmigration=domain\currentuser=domain\newuser -Andrew -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 8:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing Cacls does not appear to perform this function either, Many thanks. Mark -Original Message- From: "Mark Parris" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 13:18:39 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing I did not know cacls did this, been looking at xcacls and scacls but no joy, will try, many thanks. Mark -Original Message- From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 08:59:24 To: Subject: RE: [ActiveDir] OT-Data ACLing There is a built-in utility called cacls that can do this for you. Another utility is a commercial product called Security Explorer by Small Wonders Software. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 8:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear.
Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] NOVELL and WINDOWS 2003 AD
Apologies for the delay...i was away on vacation...Thanks a lot for all your inputs.. Thanks and Regards, On 5/23/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote: > Hi Chadra, > > I am forwarding you the response from our Netware Consultant, > > " I'm assuming that by 'Novell' we mean 'NetWare' as Novell has different O/S > platforms with different DNS servers. > > The newer NetWare DNS in NetWare 6.5 will support AD: > http://support.novell.com/cgi-bin/search/searchtid.cgi?/10093063.htm > > eDirectory TREE name does not need to be a DNS record as we have other > resolvers (SLP) in use for that lookup. " > > Matthew Culver > Sr. Network Engineer > Novell Inc > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Chandra Burra > Sent: Monday, May 23, 2005 7:47 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] NOVELL and WINDOWS 2003 AD > > > All, > > Quick one please.client wants to have same domain name for the > existing Novell directory and new Windows2003 AD as the same...ex; > xxx.com > > Can this be done ...if yes, then what are the implications...and also > they wanted to stay on the Novell DNS... > > Thanks you for inputs. > > > Chandra > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT-Data ACLing
Why not simply add the new group to the existing group that already has perm? Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Wed 6/1/2005 5:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT-Data ACLing
My guess is you're missing what most are saying (with perhaps the exception of the 'Security Explorer' tool mentioned earlier as I'm not familiar with it), this can be done but likely requires an element of scripting. Are you trying to replace the existing ACE with a new security principal with identical permission or merely add a new ACE with some fixed permission or ? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 9:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing Cacls does not appear to perform this function either, Many thanks. Mark -Original Message- From: "Mark Parris" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 13:18:39 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing I did not know cacls did this, been looking at xcacls and scacls but no joy, will try, many thanks. Mark -Original Message- From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 08:59:24 To: Subject: RE: [ActiveDir] OT-Data ACLing There is a built-in utility called cacls that can do this for you. Another utility is a commercial product called Security Explorer by Small Wonders Software. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 8:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear.
Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT-Data ACLing
Cacls does not appear to perform this function either, Many thanks. Mark -Original Message- From: "Mark Parris" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 13:18:39 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT-Data ACLing I did not know cacls did this, been looking at xcacls and scacls but no joy, will try, many thanks. Mark -Original Message- From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]> Date: Wed, 1 Jun 2005 08:59:24 To: Subject: RE: [ActiveDir] OT-Data ACLing There is a built-in utility called cacls that can do this for you. Another utility is a commercial product called Security Explorer by Small Wonders Software. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 01, 2005 8:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT-Data ACLing All, Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too. Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location. I hope this is clear. Regards Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Enhancement Question
Hi Charles We had a similar question once and our answer was: We can use group policy to provide better help desk support through application upgrades, blocking of bad applications (ie. known spyware exe), and remote administration. For the end user this will mean help desk calls will reduce, and no longer involve a 4 hour drive across town and up to 3 weeks to see somebody - they can now generally be handled either via. chat or over the phone using remote administration. Albeit, very little of this requires AD but without AD at some locations, patching, updating software, and turning on remote desktop / turning off the firewall to allow remote desktop and assistance take weeks to set up - which to the user means weeks that he is unable to get something fixed, get help, get support, or even get the latest software update. The explanation - highlighting reduced time to support - seems to have made the users in that location very happy. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service (202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED]
"joe" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 06/01/2005 09:06 AM AST Please respond to ActiveDir To: cc: (bcc: James Day/Contractor/NPS) Subject: RE: [ActiveDir] Enhancement Question
I would be a bit concerned about the manager's approach. Playing up to the end users is not the proper way to run the infrastructure. If the users gripe about what is being done, the answer is simply we are doing these upgrades to be in a position to better support the environment with increased security, stability, and availability. End users should be concerned with their end user job, not what IT is doing.
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Wednesday, June 01, 2005 8:54 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Enhancement Question Neil, We deployed AD based on a very serious and well defined business case. However, when we argued for this it was indicated that the end-user would not feel any effects and all of the enhancements would be on the management and stability side. Since then, however, we have a new network manager who would like us to show the end-user what the new benefits are from the upgrade. However, telling an end-user we can not manage your PC more effectively, well, they just don't care about that. So now I'm stuck looking for a way to show them how great AD is. I would like to thank everyone for their responses. Thanks, Charlie -Original Message- From: Ruston, Neil [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 01, 2005 4:21 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Enhancement Question It's funny how people approach AD this way - i.e. deploy and look to justify its existence thereafter :) When AD was designed and a business case was created, what were the perceived benefits back then? Why not try to create additional benefit along those lines? We all have different reasons for deploying AD - to some it's simply an upgrade, to others it's seen as a way to simplify / improve the Windows environment in many different ways. Identify your initial reasons for deploying AD and then build from there. For the record, I would argue that the end user need not see real, tangible benefits in order that AD be seen to benefit the business itself. The real benefits are normally less tangible. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: 31 May 2005 16:05 To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Enhancement Question This is an odd question. 
We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "severa
[ActiveDir] _msdcs question
The outgoing trust was successfully validated. The secure channel (SC) reset on domain controller \\nfhouvds01.theircompany.com of domain theircompany.com to domain ccc.ourcompany.com failed with error: There are currently no logon servers available to service the logon request. This is the only remaining thing I'm battling. I've set up WINS replication per suggestions, but still no-go. ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT-Data ACLing
I did not know cacls did this, been looking at xcacls and scacls but no joy, will try, many thanks.

Mark

-Original Message-
From: "Adams, Kenneth W (Ken)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you. Another utility is a commercial product called Security Explorer by Small Wonders Software.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing

All,

Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark
RE: [ActiveDir] Enhancement Question
I would be a bit concerned about the manager's approach. Playing up to the end users is not the proper way to run the infrastructure. If the users gripe about what is being done, the answer is simply we are doing these upgrades to be in a position to better support the environment with increased security, stability, and availability. End users should be concerned with their end user job, not what IT is doing. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Wednesday, June 01, 2005 8:54 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Enhancement Question Neil, We deployed AD based on a very serious and well defined business case. However, when we argued for this it was indicated that the end-user would not feel any effects and all of the enhancements would be on the management and stability side. Since then, however, we have a new network manager who would like us to show the end-user what the new benefits are from the upgrade. However, telling an end-user we can not manage your PC more effectively, well, they just don't care about that. So now I'm stuck looking for a way to show them how great AD is. I would like to thank everyone for their responses. Thanks, Charlie -Original Message- From: Ruston, Neil [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 01, 2005 4:21 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Enhancement Question It's funny how people approach AD this way - i.e. deploy and look to justify its existence thereafter :) When AD was designed and a business case was created, what were the perceived benefits back then? Why not try to create additional benefit along those lines? We all have different reasons for deploying AD - to some it's simply an upgrade, to others it's seen as a way to simplify / improve the Windows environment in many different ways. Identify your initial reasons for deploying AD and then build from there. 
For the record, I would argue that the end user need not see real, tangible benefits in order that AD be seen to benefit the business itself. The real benefits are normally less tangible. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: 31 May 2005 16:05 To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Enhancement Question This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community." I'm having problems of finding ways to enhance functionally for the end-users. Besides tying the AD into a one of our outsourced web based applications to reduce their password count I'm stretching. I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructions to use AD in ways that the end-user doesn't notice but increases the functionality. Thanks, Charlie
RE: [ActiveDir] lastlogontimestamp-
David,

After researching, I was unable to decipher what a "remote NTLM Authentication" is. Can you give me an example of this? I am trying to come up with an effective account deletion policy in a school with high turnover.

Thanks,
Ken

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In 2003 RTM lastLogonTimeStamp gets updated during Kerberos authentications and interactive NTLM authentications. Remote NTLM auths do not cause it to be updated. There was talk to get this changed in SP1.

> -Original Message-
> To make matters worse, there is a fix out there somewhere
> that causes ntlm auth to actually update this field (or am I
> just dreaming it? :)
RE: [ActiveDir] Enhancement Question
At the widget company that I converted from NT4 to 2K the reason was simply self-preservation. The NT4 architecture was ready to blow at any second due to size, we were running with 80k users in a single domain, 75k users in another, 60k in yet another. Obviously the domain structures were ready to collapse at any time. However once done, the automatic benefits of additional stability and delegation were well worth the move on their own even if the users didn't have anything to point at besides a possibly perceived stability increase[1].

Basically I am saying I agree with Neil. Users shouldn't even be aware of the underlying infrastructure let alone being sold on the benefits. In infrastructure ops positions I tend to say that the better things run, the less people know you and the things you work on exist.

It isn't usually necessary to "invent" ways to use AD, things will crop up. Some ideas though:

The first thing I would do is start ripping away native permissions from everyone but a couple of Ent Admins (say 3 or 4 tops) and everyone else gets by with delegated permissions, much easier to start that way versus trying to clean it up later. Goal, better security and enterprise stability. A strong step towards change control.

The next thing would be to start populating AD with object lifecycle management information. This includes object owners, review dates on when the owner has to say the object is still in use, expiration dates on when objects should be removed, etc. Again much easier to start that early versus later. Goal, a cleaner happier NOS Directory without baggage.

Populate the organizational management structures, location info, contact info, etc and set up a web site to allow creation of org charts and display user info. Don't store the pics in the directory, store them in a SQL Server or someplace else. Alternatively, stick all this info into AD/AM and leverage AD Auth to access the info. Check to see if the Polyarchy stuff ever made into a production setup in MIIS, that is an amazing way to display that info.

If you have multiple platforms look to start using kerberos on them so you can have single sign on. Users should really notice this if they don't have it.

Look at how or even if GPOs should be used for controlling machines and user experience.

Publish printer and shared folder information.

Set up a web based self password reset unlock system. See MIIS functionality or MTEC's PSYNCH. This could be done under NT4 as well but more secure I think under AD due to giving out delegated rights to do the work.

Deploy Exchange 2003.

joe

[1] It couldn't be anything but perceived on the users side unless they were monitoring availability and performance which would be a stretch for those users.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, June 01, 2005 5:21 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Enhancement Question

It's funny how people approach AD this way - i.e. deploy and look to justify its existence thereafter :)

When AD was designed and a business case was created, what were the perceived benefits back then? Why not try to create additional benefit along those lines? We all have different reasons for deploying AD - to some it's simply an upgrade, to others it's seen as a way to simplify / improve the Windows environment in many different ways. Identify your initial reasons for deploying AD and then build from there.

For the record, I would argue that the end user need not see real, tangible benefits in order that AD be seen to benefit the business itself. The real benefits are normally less tangible.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question

This is an odd question.
We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community." I'm having problems of finding ways to enhance functionally for the end-users. Besides tying the AD into a one of our outsourced web based applications to reduce their password count I'm stretching. I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on
RE: [ActiveDir] OT-Data ACLing
There is a built-in utility called cacls that can do this for you. Another utility is a commercial product called Security Explorer by Small Wonders Software.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing

All,

Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark
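The task asked about in this thread (find the folders where one group holds an explicit ACE and give a second group the same rights there), sketched in PowerShell as an added example; it is not code from any poster or from the tools they name. The function name, paths and group names are placeholders, and the sketch assumes an elevated session and mirrors Allow entries only.

```powershell
# Added example, not from the thread. Function name, paths and group names are placeholders.
function Add-GroupWherePresent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Root,           # tree to scan, e.g. 'D:\'
        [Parameter(Mandatory = $true)] [string] $ExistingGroup,  # e.g. 'EXAMPLE\Domain Users'
        [Parameter(Mandatory = $true)] [string] $NewGroup        # e.g. 'EXAMPLE\Project Staff'
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Resolve both names to SIDs once. An unknown name throws here, before any ACL is touched.
    $oldSid = ([System.Security.Principal.NTAccount]$ExistingGroup).Translate($sidType)
    $newSid = ([System.Security.Principal.NTAccount]$NewGroup).Translate($sidType)

    # The root itself plus every folder below it.
    $folders = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"; continue }

        # Explicit ACEs only (includeExplicit = $true, includeInherited = $false), so a folder
        # that merely inherits the group's access from its parent is not modified.
        $explicit = @($acl.GetAccessRules($true, $false, $sidType))
        $source   = @($explicit | Where-Object {
            $_.IdentityReference.Value -eq $oldSid.Value -and $_.AccessControlType -eq $allow
        })
        if ($source.Count -eq 0) { continue }

        $added = @()
        foreach ($ace in $source) {
            # Idempotence: skip when the new group already holds an identical explicit ACE.
            $present = @($explicit | Where-Object {
                $_.IdentityReference.Value -eq $newSid.Value -and
                $_.AccessControlType -eq $ace.AccessControlType -and
                $_.FileSystemRights  -eq $ace.FileSystemRights -and
                $_.InheritanceFlags  -eq $ace.InheritanceFlags -and
                $_.PropagationFlags  -eq $ace.PropagationFlags
            })
            if ($present.Count -gt 0) { continue }

            try {
                # Same rights and same inheritance scope as the existing group's ACE.
                $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
                                  $ace.PropagationFlags, $ace.AccessControlType -ErrorAction Stop
            }
            catch {
                # ACEs stored with generic rights bits show up as a bare number and are
                # rejected by this constructor; report them instead of guessing a mapping.
                Write-Warning "Skipped ACE with rights '$($ace.FileSystemRights)' on $($folder.FullName)"
                continue
            }
            $acl.AddAccessRule($rule)
            $added += $ace.FileSystemRights
        }
        if ($added.Count -eq 0) { continue }

        $applied = $false
        if ($PSCmdlet.ShouldProcess($folder.FullName, "Grant '$NewGroup' the rights held by '$ExistingGroup'")) {
            Set-Acl -LiteralPath $folder.FullName -AclObject $acl
            $applied = $true
        }
        # One record per folder, so the run doubles as a change log.
        [pscustomobject]@{
            Path    = $folder.FullName
            Rights  = ($added -join '; ')
            Applied = $applied
        }
    }
}

# Dry run first: lists the folders that would change without writing any ACL.
# Add-GroupWherePresent -Root 'D:\' -ExistingGroup 'EXAMPLE\Domain Users' -NewGroup 'EXAMPLE\Project Staff' -WhatIf
```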
RE: [ActiveDir] Enhancement Question
Neil, We deployed AD based on a very serious and well defined business case. However, when we argued for this it was indicated that the end-user would not feel any effects and all of the enhancements would be on the management and stability side. Since then, however, we have a new network manager who would like us to show the end-user what the new benefits are from the upgrade. However, telling an end-user we can not manage your PC more effectively, well, they just don't care about that. So now I'm stuck looking for a way to show them how great AD is. I would like to thank everyone for their responses. Thanks, Charlie -Original Message- From: Ruston, Neil [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 01, 2005 4:21 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Enhancement Question It's funny how people approach AD this way - i.e. deploy and look to justify its existence thereafter :) When AD was designed and a business case was created, what were the perceived benefits back then? Why not try to create additional benefit along those lines? We all have different reasons for deploying AD - to some it's simply an upgrade, to others it's seen as a way to simplify / improve the Windows environment in many different ways. Identify your initial reasons for deploying AD and then build from there. For the record, I would argue that the end user need not see real, tangible benefits in order that AD be seen to benefit the business itself. The real benefits are normally less tangible. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: 31 May 2005 16:05 To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Enhancement Question This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. 
At least one of the solutions should enhance functionality directly for the user community." I'm having problems of finding ways to enhance functionally for the end-users. Besides tying the AD into a one of our outsourced web based applications to reduce their password count I'm stretching. I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructions to use AD in ways that the end-user doesn't notice but increases the functionality. Thanks, Charlie
[ActiveDir] OT-Data ACLing
All,

Does anyone know of a utility that can look at a directory and identify where data is permissioned by a certain group and then append another group to that location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not in every directory, I wish to search the directories and where Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark
RE: [ActiveDir] Home Directories
This is correct. It appears to have changed since NT. I found this out by checking permissions when I was troubleshooting a problem with home directories. You go to the security tab then choose advanced then highlight the account and choose edit. It will detail the permissions in effect. The effective permissions tab is very good too, because it allows you to see the impact of all group memberships and the impact on permissions. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen Sent: Tuesday, May 31, 2005 6:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home Directories Modify rights doesn't give them the ability to delete files/folders. You have to go to the Advanced tab on permissions and edit their rights and check the box to enable them to delete their own home drive files/folders -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Tuesday, May 31, 2005 5:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home Directories The trouble is that Microsoft's idea of "locked down" and my idea of "locked down" don't match... I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is "modify" on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move "pirate" material around...) There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously. 
Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-)

The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify)

On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl.

Steve

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
> Sent: 27 May 2005 16:14
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Home Directories
>
> The best practice permissions for the ROOT SHARE (for home
> directories, roaming profiles & folder redirection) are
> listed below. There is a lot of confusion about these perms,
> b/c there are inconsistencies in MS doc.
> I've tested these to make sure they work and (as you'll see)
> they're pretty well locked down.
>
> The root share
> ==
> ACL
> Users*:Allow:List Folder & Create Folders
>
> Inheritance: This folder only ( THIS IS TRICKY AND
> IS NOT THE DEFAULT Set "Apply onto" to "THIS FOLDER ONLY")
>
> *Or another group that includes users who will have
> folders under this root
>
> Creator Owner:Allow:Full
> Inheritance: Subfolders & files only
>
> System:Allow:Full
> Inheritance: This folder, subfolders & files
>
> Administrators:
> Set based on Enterprise information security policy
>
> Share
> Hidden share name (sharename$)
> Share permissions: Everyone:Allow:Full
>
> ** Do not create individual user folders **
>
> How folders are created
> ===
> Home folders: created & perm'd automatically
>
> Redirected folders: created, perm'd, user owner
>
> SUBINACL on Res Kit to change ownership if you must
> create folder in advance. (Be sure to download newest patched
> version of SubInACL from MS web site)
>
> Profiles: created & perm'd automatically
>
>
> Hope this helps
>
> Dan
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Home Directories
>
> Yes, make sure that the top level home folder that your share
> is pointing to does not have rights for those users to make
> changes. They should only have rights at their individual folder.
>
> For instance:
>
> Share Level Perms
> \\server\home1 is your home folder share which has the
> following perms:
> Administrators - FC
> Domain Users - C
>
> NTFS Perms
> That folder maps to h:\home1 on your server. Home1 should have the
> following:
> Administrators - FC
>
> There's a user folder under home1 that exists under home1
> that maps to JohnDoe such as h:\home1\johndoe.
>
> At the johndoe folder, you want to m
Re: [ActiveDir] group policy adm files
Hi,

I guess your solution of disabling firewall via GPO lies in this link.
http://msmvps.com/kwsupport/archive/2004/08/27/12477.aspx

Dibendoo

--- tech <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I wanted to know where the template files (.adm)
> files of default domain
> group policy is in windows 2000 advance server. Can
> any one help?
>
> Yours truly,
>
> Roseta Radfar
Re: [ActiveDir] group policy adm files
From Group Policy Editor, drill down to administrative templates and then right click. Select Add or remove administrative templates

Regards
Peter
RE: [ActiveDir] Enhancement Question
It's funny how people approach AD this way - i.e. deploy and look to justify its existence thereafter :) When AD was designed and a business case was created, what were the perceived benefits back then? Why not try to create additional benefit along those lines? We all have different reasons for deploying AD - to some it's simply an upgrade, to others it's seen as a way to simplify / improve the Windows environment in many different ways. Identify your initial reasons for deploying AD and then build from there. For the record, I would argue that the end user need not see real, tangible benefits in order that AD be seen to benefit the business itself. The real benefits are normally less tangible. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: 31 May 2005 16:05 To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Enhancement Question This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community." I'm having problems of finding ways to enhance functionally for the end-users. Besides tying the AD into a one of our outsourced web based applications to reduce their password count I'm stretching. I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. 
In the past, I have always been instructions to use AD in ways that the end-user doesn't notice but increases the functionality. Thanks, Charlie
RE: [ActiveDir] Enhancement Question
Charlie:

This is a question I'm getting from a LOT of my clients these days. I'd be happy to chat through some ideas with you, but it's too much to type out. Give me a shout and I'll spend a bit of time talking you through some "ooh-ahh-wow" things you can do with AD. 888.381.6956.

Dan Holme
Intelliem

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, May 31, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enhancement Question

You could look at pre-populating the location field for printer searches. This is quite a nice feature that uses the IP subnet of the workstation the user is logged on to to locate the nearest printer. There's a few tasks you need to do to enable this, but it can be worth the effort, especially in distributed organisations. See the following whitepaper for more information on this.

http://www.microsoft.com/windows2000/technologies/fileandprint/print/addeploy.asp

As you suggest, there are not a huge number of benefits that are directly visible to the end user.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, 1 June 2005 3:05 a.m.
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question

This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community." I'm having problems of finding ways to enhance functionally for the end-users. Besides tying the AD into a one of our outsourced web based applications to reduce their password count I'm stretching.
I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructions to use AD in ways that the end-user doesn't notice but increases the functionality. Thanks, Charlie
RE: [ActiveDir] Home Directories
Modify permission on an NTFS ACL *does* include DELETE.

Anyway, what Steve suggests is simply not possible to achieve without workarounds such as 'resetting the acl' regularly. Here's why, and a suggestion.

1) The CREATOR/OWNER of a file or folder ALWAYS can change permission on that file or folder. There's no way to prevent that. In other words, if you let a user save a file, they CAN change permission.

2) The only workaround I've heard for this (and I've not tested it myself but it is on good authority) is to set a SHARE permission of MODIFY (not Full Control). The lack of full control on a share apparently prohibits anyone (including the owner) from changing an ACL... cool assuming it's true, though managing share permissions is a whole other can of worms, and PLEASE don't go there with this thread. It's a solution, not a perfect one (and there isn't a perfect solution given Steve's requirements).

3) You can *always* "provision" anything in windows. Go bananas with a script or process that creates the folder for the user with the right permissions on that user's folder, and then of course you can restrict the root more. The permissions I listed are the minimum required permissions for out-of-box Windows functionality.

Hope this helps.

D

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 31, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Are you sure about that?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen
Sent: Tuesday, May 31, 2005 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Modify rights doesn't give them the ability to delete files/folders.
You have to go to the Advanced tab on permissions and edit their rights and check the box to enable them to delete their own home drive files/folders -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Tuesday, May 31, 2005 5:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home Directories The trouble is that Microsoft's idea of "locked down" and my idea of "locked down" don't match... I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is "modify" on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move "pirate" material around...) There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously. Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-) The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify) On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl. 
Steve > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme > Sent: 27 May 2005 16:14 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Home Directories > > The best practice permissions for the ROOT SHARE (for home > directories, roaming profiles & folder redirection) are listed below. > There is a lot of confusion about these perms, b/c there are > inconsistencies in MS doc. > I've tested these to make sure they work and (as you'll see) they're > pretty well locked down. > > The root share > == > ACL > Users*:Allow:List Folder & Create Folders > > Inheritance: This folder only ( THIS IS TRICKY AND IS NOT THE > DEFAULT Set "Apply onto" to "THIS FOLDER ONLY") > > *Or another group that includes users who will have folders under > this root > > Creator Owner:Allow:Full > Inheritance: Subfolders & files only > > System:Allow:Full > Inheritance: This folder, subfolders & files > > Administrators: > Set based on Enterprise information security policy > > Share > Hidden share name (sharename$) > Share permissions: Everyone:Allow:Full > > ** Do not create individual user folders ** How folders are created > === Home folders: created & perm'd automatically > > Redirected folders: created, perm'd, user owner > > SUBINACL on Res Kit to change ownership if you must cr
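The pre-created home folder described in the thread above (admins and system full, user modify, ownership kept away from the user) together with a check for drift, as an added PowerShell example that is not code from any poster. The function names, root path, account format and drift rule are assumptions; it expects PowerShell 3.0 or later, an elevated session, and English built-in account names.

```powershell
# Added example: function names, paths and the drift rule are assumptions.
function New-HomeFolder {
    param(
        [Parameter(Mandatory)] [string] $Root,     # e.g. D:\Home (hypothetical)
        [Parameter(Mandatory)] [string] $Account   # e.g. EXAMPLE\jdoe (hypothetical)
    )
    $path = Join-Path $Root ($Account -split '\\')[-1]
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $acl     = New-Object System.Security.AccessControl.DirectorySecurity
    # Block inheritance from the root so only the three entries below apply.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($entry in @(
            @('BUILTIN\Administrators', 'FullControl'),
            @('NT AUTHORITY\SYSTEM',    'FullControl'),
            @($Account,                 'Modify'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry[0], $entry[1], $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Owner is Administrators, not the user: an owner can always rewrite the ACL.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $path -AclObject $acl
    return $path
}

# Report folders that drifted: a non-admin owner, or a non-admin grant that
# includes the right to change permissions or take ownership.
function Test-HomeFolderAcl {
    param([Parameter(Mandatory)] [string] $Root)
    $trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $risky = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $acl = Get-Acl -Path $dir.FullName
        $bad = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $risky)
        })
        if ($bad.Count -or $trusted -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $dir.FullName; Owner = $acl.Owner
                               Grants = $bad.IdentityReference.Value -join ', ' }
        }
    }
}
```

Files a user creates inside the folder are still owned by that user, so the audit only covers the top-level folders; the regular forced reset mentioned in the thread is what handles the contents.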
RE: [ActiveDir] group policy adm files
I replaced the files I have downloaded from microsoft but no use. Do you know why? Is there anything else I should do?

Thanks
roseta

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, June 01, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] group policy adm files

Roseta

.adm files are found in %systemroot%\inf

Regards
Peter