RE: [ActiveDir] ExchMbx Secondary SMTP

2005-06-01 Thread deji
Admod, eh? That's where you are hiding it? Who woulda thunk :o.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 6/1/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ExchMbx Secondary SMTP


Correct ExchMbx will not currently add a secondary, this is pretty trivial to
do with admod though.
 
admod -b userdn proxyaddresses:+:smtp:[EMAIL PROTECTED] 
 
case on smtp is critical as it signals Exchange that it is a secondary.
 
   joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 01, 2005 8:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ExchMbx Secondary SMTP


Hi (Joe):
 
Am I correct that ExchMbx does not currently support adding/deleting secondary
SMTP addresses? Is there another way to script this or run it from the
command line?
 
Thanks.
 
-- nme
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] ExchMbx Secondary SMTP

2005-06-01 Thread deji
Joe says ExchMbx does not currently support this (got this info from his
website). Now, if you are looking to script proxyaddresses, there are a
number of sample vbscript codes out there to do this. What you need to
understand is that proxyaddresses is multi-valued and should, therefore, be
read/written with GetEx/PutEx rather than Get/Put. If you get this, then you
will find that scripting it is not so complicated.
 
Look at the "GetProxyAddy" subroutine in
http://www.readymaids.com/Portals/1/Write%20out%20the%20SMTP%20Addresses%20of%20users%20OR%20Groups.txt
 
Also look at the "ChangeProxy" subroutine in
http://www.readymaids.com/Portals/1/Remove%20Orphaned%20SMTP%20Addresses%20-RUS-helper%20.txt
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Wed 6/1/2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ExchMbx Secondary SMTP


Hi (Joe):
 
Am I correct that ExchMbx does not currently support adding/deleting secondary
SMTP addresses? Is there another way to script this or run it from the
command line?
 
Thanks.
 
-- nme


RE: [ActiveDir] ExchMbx Secondary SMTP

2005-06-01 Thread joe



Correct ExchMbx will not currently add a secondary, this is 
pretty trivial to do with admod though.
 
admod -b userdn proxyaddresses:+:smtp:[EMAIL PROTECTED] 

 
case on smtp is critical as it signals Exchange that it is 
a secondary.
 
   joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 01, 2005 8:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ExchMbx Secondary SMTP


Hi (Joe):
 
Am I correct that ExchMbx does not currently support adding/deleting secondary
SMTP addresses? Is there another way to script this or run it from the
command line?
 
Thanks.
 
-- nme
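
Added example, not part of any message in this thread: a Python model of the two points made in the replies above, that proxyAddresses is multi-valued (so a new address is appended rather than written over the attribute) and that the lower-case `smtp:` prefix marks a secondary address while upper-case `SMTP:` marks the primary. It emits an LDIF modify record as one way to apply the change; the DN, the addresses and all function names are constructed for illustration.

```python
# Added example. The DN and addresses are constructed sample values.

SAMPLE_DN = "CN=Sample User,OU=Staff,DC=example,DC=com"
SAMPLE_VALUES = [
    "SMTP:sample.user@example.com",   # upper-case prefix: primary address
    "smtp:alias@example.com",         # lower-case prefix: secondary address
    "X400:c=US;a= ;p=Example;o=Exchange;s=User;g=Sample;",
]


def split_proxy(value):
    """Split one proxyAddresses value such as 'smtp:a@example.com'."""
    prefix, sep, address = value.partition(":")
    if not (sep and prefix and address):
        raise ValueError(f"not a proxy address: {value!r}")
    return prefix, address


def primary_smtp(values):
    """Return the address carrying the upper-case 'SMTP:' prefix, or None."""
    primaries = [split_proxy(v)[1] for v in values if v.startswith("SMTP:")]
    if len(primaries) > 1:
        raise ValueError("more than one primary SMTP address")
    return primaries[0] if primaries else None


def add_secondary_smtp(values, address):
    """Return a new value list with 'smtp:<address>' appended.

    Existing values are preserved. Writing the attribute as if it were
    single-valued would replace every address already on the object.
    """
    if (address.count("@") != 1 or " " in address
            or not address.isascii() or not address.isprintable()):
        raise ValueError(f"unusable SMTP address: {address!r}")
    for value in values:
        prefix, existing = split_proxy(value)
        # Compare without regard to case: the same mailbox must not be
        # listed twice, whether as primary or as secondary.
        if prefix.lower() == "smtp" and existing.lower() == address.lower():
            raise ValueError(f"{address} is already present as {value!r}")
    return list(values) + ["smtp:" + address]


def ldif_add_secondary(dn, values, address):
    """Build an LDIF record that adds one secondary address to the object."""
    new_value = add_secondary_smtp(values, address)[-1]
    if not dn.isascii() or not dn.isprintable() or dn[:1] in (" ", ":", "<"):
        raise ValueError("DN needs base64 LDIF encoding, not handled here")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: proxyAddresses",          # add, not replace: other values stay
        f"proxyAddresses: {new_value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    print(ldif_add_secondary(SAMPLE_DN, SAMPLE_VALUES, "s.user@example.com"))
```
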


[ActiveDir] ExchMbx Secondary SMTP

2005-06-01 Thread Noah Eiger








Hi (Joe):

 

Am I correct that ExchMbx
does not currently support adding/deleting secondary SMTP addresses? Is there
another way to script this or run it from the command line?

 

Thanks.

 

-- nme








RE: [ActiveDir] Microsoft iSCSI- iSNS Server 3.0 and iSCSI Initiator for Microsoft Clusters

2005-06-01 Thread Medeiros, Jose
Greetings, 

Just thought I would share what I discovered. I ended up using StringBeans 
Software to create an iSCSI target along with iSNS server 3.0 and the Microsoft 
iSCSI initiator 1.06. I now can mount a volume on our HP NAS box. 

I am sure if I used a Hardware based product from FalconStore, Stonefly, 
Equalogic or Intransa it would have saved me some time in understanding the 
configuration, however this is only being used for a proof of concept test.

Thanks again for everyone's comments.

Sincerely, 

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, May 31, 2005 12:44 PM
To: [ExchangeList]; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft ISCSI SNS Server and ISCSI Inatiotar for
Microsoft Clusters


Good Afternoon, 

I am trying to configure a HP 1200s NAS server appliance as an iSCSI Target 
server using Microsoft's iSNS server 3.0 along with a client server that we 
want to install Microsoft cluster server on that has the Microsoft iSCSI 
initiator 1.06.

I am having trouble configuring it; has anyone done this yet? I am at a loss as 
to why I cannot see the target server from a server that is running the iSCSI 
initiator.

http://www.microsoft.com/downloads/details.aspx?familyid=12CB3C1A-15D6-4585-B385-BEFD1319F825&displaylang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=0dbc4af5-9410-4080-a545-f90b45650e20&DisplayLang=en

Thanks in advance.

Jose Medeiros
408-449-6621 Cell





[ActiveDir] OT Assign Icon in script

2005-06-01 Thread Aaron Visser



Is it possible to assign an icon to a shortcut, to all the computers in the domain via GPO Logon Scripts?

What I have got is this:
set ws = Wscript.CreateObject("Wscript.Shell")
dsktop = ws.SpecialFolders("Desktop")

Set scut = ws.createShortcut (dsktop & "\shortcut name.lnk")
scut.TargetPath = "http://enter url here"
scut.Save

Now this is all great and works (creating the shortcut on the desktop), but I would also like to assign a custom icon. Is this at all possible?

Thanks,

Aaron Visser





RE: [ActiveDir] GPO oddity

2005-06-01 Thread Darren Mar-Elia
More specifically, when you choose Enforced for a given GPO, it is moved to the 
bottom of the list of GPOs that a given user or computer will process. This 
means that it is processed last and, by virtue of that, overrides any 
conflicting settings processed earlier. It doesn't prevent downstream GPOs from 
being processed at all, which is probably an important distinction.



From: [EMAIL PROTECTED] on behalf of Bazarewsky, Michael C.
Sent: Wed 6/1/2005 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO oddity



"Enforced" a. k. a. "No Override" takes precedence over "Block Policy
Inheritance", see for example

http://www.windowsitpro.com/Article/ArticleID/15420/15420.html

So the "Enforced" 120 minute overrides the lower 3 minute setting even with
"Block Policy Inheritance" set.  This is true in Windows 2000 and Windows
2003.

-- Michael C. Bazarewsky

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 31, 2005 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO oddity


We have a Default Domain level GPO that is set to "Enforced".  In this
GPO, we set a 120 minute screensaver timeout that locks the screensaver
after 120 minutes.

In a GPO at a lower OU level, we have an OU that has "Block Policy
Inheritence" turned on, and a GPO is linked to that OU that sets the
screensaver timeout to 3 minutes.

For some reason, the users in that OU are getting the default domain GPO
timeout of 120 minutes rather than the 3 minute screensaver timeout.


I assume if we turn off "Enforced" on the default domain GPO, anyone
that belongs to a Block Policy Inheritence OU will get their lower level
GPO applied rather than the default domain GPO?


~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
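
Added example, not part of any message in this thread: a small Python model of the processing order described above, run on the scenario from the original question (an Enforced domain-level GPO with a 120 minute timeout, and a lower OU with Block Policy Inheritance and a 3 minute timeout). It assumes only a domain and one OU, lists each container's links in processing order, and ignores security filtering, WMI filters and loopback; the class names, function names, GPO names and setting key are hypothetical.

```python
# Added example. GPO names and the setting key are constructed for the model.
from dataclasses import dataclass, field

KEY = "screensaver_timeout_minutes"   # hypothetical setting name


@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # in processing order
    block_inheritance: bool = False


def processing_order(path):
    """Return GPO links in the order they are applied; later entries win.

    `path` lists containers from the domain down to the OU holding the user.
    """
    normal, enforced_levels = [], []
    for depth, container in enumerate(path):
        # Block Policy Inheritance on any container below this one drops
        # this container's non-enforced links. Enforced links are kept.
        blocked = any(c.block_inheritance for c in path[depth + 1:])
        level = []
        for link in container.links:
            if link.enforced:
                level.append(link)
            elif not blocked:
                normal.append(link)
        enforced_levels.append(level)
    # Enforced links move to the end of the list, and the enforced links of
    # the highest container are applied last of all.
    tail = [link for level in reversed(enforced_levels) for link in level]
    return normal + tail


def effective(path):
    """Merge settings in processing order: {setting: (value, winning GPO)}."""
    result = {}
    for link in processing_order(path):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result


def thread_scenario(domain_enforced, ou_blocks):
    """Build the domain/OU pair from the question with the two switches."""
    domain = Container("domain", [
        Link("Default Domain GPO", {KEY: 120}, enforced=domain_enforced),
    ])
    ou = Container("lower OU", [
        Link("OU screensaver GPO", {KEY: 3}),
    ], block_inheritance=ou_blocks)
    return [domain, ou]


if __name__ == "__main__":
    for enforced in (True, False):
        for blocks in (True, False):
            path = thread_scenario(enforced, blocks)
            order = [link.gpo for link in processing_order(path)]
            print(f"enforced={enforced} block={blocks}: "
                  f"order={order} result={effective(path)[KEY]}")
```

With both switches on, the OU's GPO is still in the list; it is simply applied before the enforced one, which is why the 120 minute value wins.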




RE: [ActiveDir] Way OT: FTP not working for certain files...

2005-06-01 Thread Lou Vega
I'll check GP - though nothing specific has been configured on those
boxes...they are "out of the box" installs.





RE: [ActiveDir] Way OT: FTP not working for certain files...

2005-06-01 Thread Charlie Kaiser
How about GP or DRM configurations? Just a shot in the dark...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
> Sent: Wednesday, June 01, 2005 12:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...
> 
> What is the Web Server/FTP Server? And what clients have been 
> successful? I
> would look into permissions due to the fact that you are 
> unable to copy the
> said files to a USB drive.
> 
> 
> On 6/1/05 10:40 AM, "Lou Vega" <[EMAIL PROTECTED]> wrote:
> 
> > I thought it might be that too. The web server is a 
> non-Windows one. I also
> > attempted to take the existing files and copy them to a USB 
> thumb drive
> > which was FAT versus NTFS and the same files still did not 
> copy. The file
> > perms on the web server are set apparently correct since 
> when I take them on
> > a different computer they upload fine.
> > 
> > All virus/malware scans come up negative. I've run McAfee, 
> Symantec and AVG
> > all with the latest definitions and engines. Microsoft 
> Spyware reports
> > nothing, nor does any other spyware/malware program I've 
> run (many at this
> > point).
> > 
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Peter Jessop
> > Sent: Wednesday, June 01, 2005 1:18 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Way OT: FTP not working for 
> certain files...
> > 
> > I think that you have to check the NTFS permissions on the 
> current website
> > files
> > 
> > Regards
> > 
> > Peter


RE: [ActiveDir] GPO oddity

2005-06-01 Thread Bazarewsky, Michael C.
"Enforced" a. k. a. "No Override" takes precedence over "Block Policy
Inheritance", see for example 

http://www.windowsitpro.com/Article/ArticleID/15420/15420.html

So the "Enforced" 120 minute overrides the lower 3 minute setting even with
"Block Policy Inheritance" set.  This is true in Windows 2000 and Windows
2003.

-- Michael C. Bazarewsky

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 31, 2005 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO oddity


We have a Default Domain level GPO that is set to "Enforced".  In this
GPO, we set a 120 minute screensaver timeout that locks the screensaver
after 120 minutes.

In a GPO at a lower OU level, we have an OU that has "Block Policy
Inheritence" turned on, and a GPO is linked to that OU that sets the
screensaver timeout to 3 minutes.

For some reason, the users in that OU are getting the default domain GPO
timeout of 120 minutes rather than the 3 minute screensaver timeout. 


I assume if we turn off "Enforced" on the default domain GPO, anyone
that belongs to a Block Policy Inheritence OU will get their lower level
GPO applied rather than the default domain GPO? 


~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] DC's not communicating with each other

2005-06-01 Thread Mark Parris
Has the SMB configuration been amended? Could you have a Workstation/Server
SMB signing mismatch?

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 01 June 2005 20:03
To: 'Matt Brown '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] DC's not communicating with each other

Does the PDC FSMO or the other DCs have any events with errors that can possibly
tell more about this issue?
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 6:39 PM
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further and
found more info.
 
I have 4 domain controllers in 1 domain.
 
When I'm on one of the 3 DC's that is not the PDC and I try to connect to
the PDC it tells me I'm not authorized.  I get this when trying to connect
to the PDC's AD users and computers, DNS, or even a file share.  I can
however connect to any of these services using the IP address. This is
strange because all DC's can ping each other and resolve the IP addresses
from the names just fine and I don't seem to be having any DNS issues.  The
3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the
domain and re-introduce them.  I'm just trying to figure out if I should
remove the PDC or remove the other 3 DCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University





This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] restructuring domain

2005-06-01 Thread al_maurer
Freddy, I agree with Peter and others: and high on the plan priority is 
limiting student access, locking the desktop and software restrictions.  In the 
pre-AD computer lab I worked at we had to manually reimage the PCs weekly.  You 
probably want a RIS server, too.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Monday, May 30, 2005 8:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] restructuring domain


Agreed, this is a sure recipe for failure and luckily Freddie's Boss can
point at someone as causing the issue...

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 26, 2005 9:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] restructuring domain

Might I respectfully suggest that before a plan is drafted, precise
requirements be documented, with justification and therefore sponsorship.
Your project is doomed to failure without this scoping and "management
buy-in" from day one.


neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: 26 May 2005 13:37
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] restructuring domain


Freddie

This is really a worst case scenario. ¡A school! 
On this listing are many people who know better than I but I suggest.

Lower your boss's expectations. I don't think it is realistic in a week.

You will only clean up this environment when you reinstall the PCs. Applying
group policy on this setup may not be sufficient to obtain your expectation.

You also need antivirus, SUS server for patch update, user policy. Before
you start I would write down a plan and cost it in terms of money and person
hours.

I hope you don't have to give classes as well!

Good luck

Peter Jessop


==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not
waive any confidentiality or privilege. CS retains and monitors electronic
communications sent through its network. Instructions transmitted over this
system are not binding on CS until they are confirmed by us. Message
transmission is not guaranteed to be secure. 

==



Re: [ActiveDir] Way OT: FTP not working for certain files...

2005-06-01 Thread Aaron Visser
What is the Web Server/FTP Server? And what clients have been successful? I
would look into permissions due to the fact that you are unable to copy the
said files to a USB drive.


On 6/1/05 10:40 AM, "Lou Vega" <[EMAIL PROTECTED]> wrote:

> I thought it might be that too. The web server is a non-Windows one. I also
> attempted to take the existing files and copy them to a USB thumb drive
> which was FAT versus NTFS and the same files still did not copy. The file
> perms on the web server are set apparently correct since when I take them on
> a different computer they upload fine.
> 
> All virus/malware scans come up negative. I've run McAfee, Symantec and AVG
> all with the latest definitions and engines. Microsoft Spyware reports
> nothing, nor does any other spyware/malware program I've run (many at this
> point).
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
> Sent: Wednesday, June 01, 2005 1:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...
> 
> I think that you have to check the NTFS permissions on the current website
> files
> 
> Regards
> 
> Peter


RE: [ActiveDir] DC's not communicating with each other

2005-06-01 Thread Jorge de Almeida Pinto
Does the PDC FSMO or the other DCs have any events with errors that can possibly
tell more about this issue?
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 6:39 PM
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further and
found more info.
 
I have 4 domain controllers in 1 domain.
 
When I'm on one of the 3 DC's that is not the PDC and I try to connect to
the PDC it tells me I'm not authorized.  I get this when trying to connect
to the PDC's AD users and computers, DNS, or even a file share.  I can
however connect to any of these services using the IP address. This is
strange because all DC's can ping each other and resolve the IP addresses
from the names just fine and I don't seem to be having any DNS issues.  The
3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the
domain and re-introduce them.  I'm just trying to figure out if I should
remove the PDC or remove the other 3 DCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University





This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.


RE: [ActiveDir] Way OT: FTP not working for certain files...

2005-06-01 Thread Lou Vega
I thought it might be that too. The web server is a non-Windows one. I also
attempted to take the existing files and copy them to a USB thumb drive
which was FAT versus NTFS and the same files still did not copy. The file
perms on the web server are set apparently correct since when I take them on
a different computer they upload fine. 

All virus/malware scans come up negative. I've run McAfee, Symantec and AVG
all with the latest definitions and engines. Microsoft Spyware reports
nothing, nor does any other spyware/malware program I've run (many at this
point).



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, June 01, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...

I think that you have to check the NTFS permissions on the current website
files

Regards

Peter


Re: [ActiveDir] Way OT: FTP not working for certain files...

2005-06-01 Thread Peter Jessop
I think that you have to check the NTFS permissions on the current website files

Regards

Peter


RE: [ActiveDir] DC's not communicating with each other

2005-06-01 Thread Donavon Yelton
I'm having the same problem today except I only have 2 DC's.  The
problem child on my domain is the PDC though and it won't let me demote
because it says it's not authorized and can't transfer FSMO roles, etc.
to the BDC.  I am trying to get a restore from backup for AD right now
and my last resort I guess will be to manually remove the PDC from the
domain and reintroduce it as a domain controller. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, June 01, 2005 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC's not communicating with each other

I've talked about this a little before, but I dug in a little further
and found more info.
 
I have 4 domain controllers in 1 domain.
 
When I'm on one of the 3 DC's that is not the PDC and I try to connect
to the PDC it tells me I'm not authorized.  I get this when trying to
connect to the PDC's AD users and computers, DNS, or even a file share.
I can however connect to any of these services using the IP address.
This is strange because all DC's can ping each other and resolve the IP
addresses from the names just fine and I don't seem to be having any DNS
issues.  The
3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from
the domain and re-introduce them.  I'm just trying to figure out if I
should remove the PDC or remove the other 3 DCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University





[ActiveDir] DC's not communicating with each other

2005-06-01 Thread Matt Brown
I've talked about this a little before, but I dug in a little further and
found more info.
 
I have 4 domain controllers in 1 domain.
 
When I'm on one of the 3 DC's that is not the PDC and I try to connect to
the PDC it tells me I'm not authorized.  I get this when trying to connect
to the PDC's AD users and computers, DNS, or even a file share.  I can
however connect to any of these services using the IP address. This is
strange because all DC's can ping each other and resolve the IP addresses
from the names just fine and I don't seem to be having any DNS issues.  The
3 DC's (not the PDC) can connect to each other just fine.

I'm pretty sure I'm going to need to remove 1 or more of the DC's from the
domain and re-introduce them.  I'm just trying to figure out if I should
remove the PDC or remove the other 3 DCs.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University





Re: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
The command I used to perform the function was:

Subinacl /subdirectories X:\data\*.* /accountmigration=domain\existinguser=domain\newuser

This will append newuser to everywhere existinguser is and on all files and 
directories.

Regards

Mark


-Original Message-
From: "Dean Wells" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 11:18:54 
To:"Send - AD mailing list" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OT-Data ACLing

Interesting, I was under the impression that subinacl replaced the ACEs ... I 
assume I'm incorrect?  Can you elaborate on what you did for my own purposes?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Thanks Dean, mad day here,

The SubInACL tool has done the job.

Regards,

Mark

-Original Message-
From: "Dean Wells" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 10:58:28
To:"Send - AD mailing list" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OT-Data ACLing

The reason I asked the question earlier was to determine the requirement you've 
noted below, aside from the unknown-to-me tool I mentioned earlier, I don't 
believe any of the command line ACL tools will do this out-of-the-box.  That 
said, the script to achieve the desired end result is not overly complex 
(assuming the permission requirements for the new ACE are either static or 
derived in a non-complex manner)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

It is domain users and the data is incorrectly permissioned with the group.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 06:45:25
To:
Subject: RE: [ActiveDir] OT-Data ACLing

Why not simply add the new group to the existing group that already has perm?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 6/1/2005 5:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing



All,

Does anyone know of a utility that can look at a directory and identify where 
data is permissioned by a certain group and then append another group to that 
location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not 
in every directory, I wish to search the directories and where Domain Users 
appears and append another group to that location.

I hope this is clear.

Regards

Mark

RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Jorge de Almeida Pinto
 Try:
* SUBINACL with the /accountmigration option
(http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en & http://www.analogduck.com/main/subinacl)
* SETACL with the -cpytrst option (TrusteeAction)
(http://sourceforge.net/project/showfiles.php?group_id=69165 &
http://setacl.sourceforge.net/html/doc-reference.html)

I think it's better to use SETACL (have not tried it myself) as SUBINACL also
changes the owner and the primary group. See the documentation for the
details.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/1/2005 2:20 PM
Subject: [ActiveDir] OT-Data ACLing

All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another
group to that location to enable the new group to be permissioned on
that data too. 

Example: D: is permissioned with Domain users in multiple directories
but 
Not in every directory, I wish to search the directories and where
Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark


RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Dean Wells
Interesting, I was under the impression that subinacl replaced the ACEs ... I 
assume I'm incorrect?  Can you elaborate on what you did for my own purposes?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Thanks Dean, mad day here,

The SubInACL tool has done the job.

Regards,

Mark

-Original Message-
From: "Dean Wells" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 10:58:28
To:"Send - AD mailing list" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OT-Data ACLing

The reason I asked the question earlier was to determine the requirement you've 
noted below, aside from the unknown-to-me tool I mentioned earlier, I don't 
believe any of the command line ACL tools will do this out-of-the-box.  That 
said, the script to achieve the desired end result is not overly complex 
(assuming the permission requirements for the new ACE are either static or 
derived in a non-complex manner)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

It is domain users and the data is incorrectly permissioned with the group.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 06:45:25
To:
Subject: RE: [ActiveDir] OT-Data ACLing

Why not simply add the new group to the existing group that already has perm?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 6/1/2005 5:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing



All,

Does anyone know of a utility that can look at a directory and identify where 
data is permissioned by a certain group and then append another group to that 
location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not 
in every directory, I wish to search the directories and where Domain Users 
appears and append another group to that location.

I hope this is clear.

Regards

Mark


Re: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
Thanks Dean, mad day here,

The SubInACL tool has done the job.

Regards,

Mark

-Original Message-
From: "Dean Wells" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 10:58:28 
To:"Send - AD mailing list" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OT-Data ACLing

The reason I asked the question earlier was to determine the requirement you've 
noted below, aside from the unknown-to-me tool I mentioned earlier, I don't 
believe any of the command line ACL tools will do this out-of-the-box.  That 
said, the script to achieve the desired end result is not overly complex 
(assuming the permission requirements for the new ACE are either static or 
derived in a non-complex manner)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

It is domain users and the data is incorrectly permissioned with the group.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 06:45:25
To:
Subject: RE: [ActiveDir] OT-Data ACLing

Why not simply add the new group to the existing group that already has perm?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 6/1/2005 5:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing



All,

Does anyone know of a utility that can look at a directory and identify where 
data is permissioned by a certain group and then append another group to that 
location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not 
in every directory, I wish to search the directories and where Domain Users 
appears and append another group to that location.

I hope this is clear.

Regards

Mark



Re: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
Thanks this has done the job,

Regards

Mark
-Original Message-
From: "Cace, Andrew" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:54:38 
To:
Subject: RE: [ActiveDir] OT-Data ACLing

Subinacl.exe from Microsoft will do what you are looking for.  You can
download subinacl.exe from
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en.  The version of subinacl.exe that is
included in the Windows 2003 Resource Kit is bugged.  

Syntax: 
subinacl /file c:\*.* /accountmigration=domain\currentuser=domain\newuser

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Cacls does not appear to perform this function either,

Many thanks.

Mark
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 13:18:39
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

I did not know cacls did this, been looking at xcacls and scacls but no joy,
will try, many thanks.

Mark
-Original Message-
From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by Small
Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another group
to that location to enable the new group to be permissioned on that data
too. 

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where Domain
Users appears and append another group to that location.

I hope this is clear.

Regards

Mark


RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Dean Wells
The reason I asked the question earlier was to determine the requirement you've 
noted below, aside from the unknown-to-me tool I mentioned earlier, I don't 
believe any of the command line ACL tools will do this out-of-the-box.  That 
said, the script to achieve the desired end result is not overly complex 
(assuming the permission requirements for the new ACE are either static or 
derived in a non-complex manner)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

It is domain users and the data is incorrectly permissioned with the group.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 06:45:25
To:
Subject: RE: [ActiveDir] OT-Data ACLing

Why not simply add the new group to the existing group that already has perm?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 6/1/2005 5:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing



All,

Does anyone know of a utility that can look at a directory and identify where 
data is permissioned by a certain group and then append another group to that 
location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but Not 
in every directory, I wish to search the directories and where Domain Users 
appears and append another group to that location.

I hope this is clear.

Regards

Mark


[ActiveDir] Way OT: FTP not working for certain files...

2005-06-01 Thread Lou Vega
Hi list - I know this is woefully OT, but I'm really looking for a solution
and haven't been able to find one. Here's the situation - I have a group of
3 Windows XP Pro computers which will not FTP current website files using
any of several FTP programs to include WS_FTP, SmartFTP, CuteFTP and
BlazeFTP as well as the built-in Windows FTP folders. 

If I create a brand new file, it will upload just fine using any of those
programs. If I take the current existing files and put them on another
computer they upload fine using the same network connection (which ruled out
an obscure Linksys router issue). 

Has anyone run into a similar situation in the past? I had thought it to be
a Windows XP Home issue at first (so Google suggested) so I bought 3 upgrade
copies of Windows XP Pro and upgraded each of them over the weekend to no
avail.





Re: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
It is domain users and the data is incorrectly permissioned with the group.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 06:45:25 
To:
Subject: RE: [ActiveDir] OT-Data ACLing

Why not simply add the new group to the existing group that already has perm?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 6/1/2005 5:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing



All,

Does anyone know of a utility that can look at a directory and identify where
data is permissioned by a certain group and then append another group to that
location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where Domain
Users appears and append another group to that location.

I hope this is clear.

Regards

Mark



Re: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
I wish to clone and append.

Domain users is a common SID so it cannot be used for cross domain acling, so I 
need to clone domain users and append another group everywhere domain users 
appears.

So the directory and files will have two groups ACL'd on it Domain users and 
new "group" and both sets of permissions can be utilised.

I hope this is clearer.

Mark

-Original Message-
From: "Dean Wells" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 09:39:07 
To:"Send - AD mailing list" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OT-Data ACLing

My guess is you're missing what most are saying (with perhaps the exception
of the 'Security Explorer' tool mentioned earlier as I'm not familiar with
it), this can be done but likely requires an element of scripting.

Are you trying to replace the existing ACE with a new security principal
with identical permission or merely add a new ACE with some fixed permission
or  ?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Cacls does not appear to perform this function either,

Many thanks.

Mark
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 13:18:39
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

I did not know cacls did this, been looking at xcacls and scacls but no joy,
will try, many thanks.

Mark
-Original Message-
From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by Small
Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another group
to that location to enable the new group to be permissioned on that data
too. 

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where Domain
Users appears and append another group to that location.

I hope this is clear.

Regards

Mark
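
The "clone and append" requirement discussed in this thread, as an added PowerShell example (not code from any list member or from the tools named above): it walks a tree, finds explicit ACEs held by one group and adds an ACE with the same rights and inheritance flags for a second group, changing only the access rules. The function name, its parameters and the values in the usage comment are assumptions.

```powershell
# Added example (not from the thread). Function name, parameters and the
# path/group values in the usage comment are assumptions for illustration.
function Copy-GroupAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Root,         # top of the tree to scan
        [Parameter(Mandatory = $true)] [string] $SourceGroup,  # group already on the ACLs
        [Parameter(Mandatory = $true)] [string] $NewGroup      # group to append beside it
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Resolve both names to SIDs once; this throws if either cannot be resolved.
    $srcSid = (New-Object System.Security.Principal.NTAccount($SourceGroup)).Translate($sidType)
    $newSid = (New-Object System.Security.Principal.NTAccount($NewGroup)).Translate($sidType)

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Path = $item.FullName; Result = 'Unreadable'; Detail = $_.Exception.Message }
            continue
        }

        # Explicit ACEs only: inherited entries change when the parent is updated.
        $explicit = @($acl.GetAccessRules($true, $false, $sidType))
        $source   = @($explicit | Where-Object { $_.IdentityReference.Value -eq $srcSid.Value })
        if ($source.Count -eq 0) { continue }   # source group not permissioned here

        $added = 0
        foreach ($ace in $source) {
            # Idempotence: skip if the new group already holds an identical ACE.
            $dup = $explicit | Where-Object {
                $_.IdentityReference.Value -eq $newSid.Value -and
                $_.FileSystemRights  -eq $ace.FileSystemRights -and
                $_.InheritanceFlags  -eq $ace.InheritanceFlags -and
                $_.PropagationFlags  -eq $ace.PropagationFlags -and
                $_.AccessControlType -eq $ace.AccessControlType
            }
            if ($dup) { continue }

            try {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
            } catch {
                # ACEs stored with generic rights bits are rejected by the constructor;
                # report them for manual handling instead of guessing a mapping.
                [pscustomobject]@{ Path = $item.FullName; Result = 'Skipped'
                                   Detail = "Unsupported rights value $([int]$ace.FileSystemRights)" }
                continue
            }
            $acl.AddAccessRule($rule)   # appends; the source group's ACE stays in place
            $added++
        }

        if ($added -gt 0) {
            # -WhatIf makes ShouldProcess return $false, giving a report-only dry run.
            $apply = $PSCmdlet.ShouldProcess($item.FullName, "Add $added ACE(s) for $NewGroup")
            if ($apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
            [pscustomobject]@{ Path   = $item.FullName
                               Result = $(if ($apply) { 'Added' } else { 'WouldAdd' })
                               Detail = "$added ACE(s) cloned from $SourceGroup" }
        }
    }
}

# Dry run first, then repeat without -WhatIf (values are placeholders):
# Copy-GroupAce -Root 'D:\' -SourceGroup 'EXAMPLE\Domain Users' -NewGroup 'EXAMPLE\New Group' -WhatIf
```

Running it with -WhatIf first yields the list of paths where the source group is explicitly permissioned, which can be reviewed before any ACL is written.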


RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Cace, Andrew
Subinacl.exe from Microsoft will do what you are looking for.  You can
download subinacl.exe from
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en.  The version of subinacl.exe that is
included in the Windows 2003 Resource Kit is bugged.  

Syntax: 
subinacl /file c:\*.* /accountmigration=domain\currentuser=domain\newuser

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Cacls does not appear to perform this function either,

Many thanks.

Mark
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 13:18:39
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

I did not know cacls did this, been looking at xcacls and scacls but no joy,
will try, many thanks.

Mark
-Original Message-
From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by Small
Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another group
to that location to enable the new group to be permissioned on that data
too. 

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where Domain
Users appears and append another group to that location.

I hope this is clear.

Regards

Mark


Re: [ActiveDir] NOVELL and WINDOWS 2003 AD

2005-06-01 Thread Chandra Burra
Apologies for the delay...i was away on vacation...Thanks a lot for
all your inputs..


Thanks and Regards,




On 5/23/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> Hi Chandra,
> 
> I am forwarding you the response from our Netware Consultant,
> 
> " I'm assuming that by 'Novell' we mean 'NetWare' as Novell has different O/S 
> platforms with different DNS servers.
> 
> The newer NetWare DNS in NetWare 6.5 will support AD: 
> http://support.novell.com/cgi-bin/search/searchtid.cgi?/10093063.htm
> 
> eDirectory TREE name does not need to be a DNS record as we have other 
> resolvers (SLP) in use for that lookup. "
> 
> Matthew Culver
> Sr. Network Engineer
> Novell Inc
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chandra Burra
> Sent: Monday, May 23, 2005 7:47 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] NOVELL and WINDOWS 2003 AD
> 
> 
> All,
> 
> Quick one please.client wants to have same domain name for the
> existing Novell directory  and new Windows2003 AD as the same...ex;
> xxx.com
> 
> Can this be done ...if yes, then what are the implications...and also
> they wanted to stay on the Novell DNS...
> 
> Thank you for inputs.
> 
> 
> Chandra


RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread deji
Why not simply add the new group to the existing group that already has perm?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 6/1/2005 5:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing



All,

Does anyone know of a utility that can look at a directory and identify where
data is permissioned by a certain group and then append another group to that
location to enable the new group to be permissioned on that data too.

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where Domain
Users appears and append another group to that location.

I hope this is clear.

Regards

Mark


RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Dean Wells
My guess is you're missing what most are saying (with perhaps the exception
of the 'Security Explorer' tool mentioned earlier as I'm not familiar with
it), this can be done but likely requires an element of scripting.

Are you trying to replace the existing ACE with a new security principal
with identical permission or merely add a new ACE with some fixed permission
or  ?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Cacls does not appear to perform this function either,

Many thanks.

Mark
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 13:18:39
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

I did not know cacls did this, been looking at xcacls and scacls but no joy,
will try, many thanks.

Mark
-Original Message-
From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by Small
Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another group
to that location to enable the new group to be permissioned on that data
too. 

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where Domain
Users appears and append another group to that location.

I hope this is clear.

Regards

Mark


Re: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
Cacls does not appear to perform this function either,

Many thanks.

Mark
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 13:18:39 
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

I did not know cacls did this, been looking at xcacls and scacls but no joy,
will try, many thanks.

Mark
-Original Message-
From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24 
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by
Small Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another
group to that location to enable the new group to be permissioned on
that data too. 

Example: D: is permissioned with Domain users in multiple directories
but 
Not in every directory, I wish to search the directories and where
Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark


RE: [ActiveDir] Enhancement Question

2005-06-01 Thread James_Day
Hi Charles

We had a similar question once and our answer was:
We can use group policy to provide better help desk support through
application upgrades, blocking of bad applications (ie. known spyware exe),
and remote administration.  For the end user this will mean help desk calls
will reduce, and no longer involve a 4 hour drive across town and up to 3
weeks to see somebody - they can now generally be handled either via. chat
or over the phone using remote administration.

Albeit, very little of this requires AD but without AD at some locations,
patching, updating software, and turning on remote desktop / turning off
the firewall to allow remote desktop and assistance take weeks to set up -
which to the user means weeks that he is unable to get something fixed, get
help, get support, or even get the latest software update.

The explanation - highlighting reduced time to support - seems to have made
the users in that location very happy.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
06/01/2005 09:06 AM AST
Please respond to ActiveDir

To:
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Enhancement Question




I would be a bit concerned about the manager's approach. Playing up to the
end users is not the proper way to run the infrastructure. If the users
gripe about what is being done, the answer is simply we are doing these
upgrades to be in a position to better support the environment with
increased security, stability, and availability.

End users should be concerned with their end user job, not what IT is
doing.

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, June 01, 2005 8:54 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Enhancement Question

Neil,

We deployed AD based on a very serious and well defined business case.
However, when we argued for this it was indicated that the end-user would
not feel any effects and all of the enhancements would be on the management
and stability side.  Since then, however, we have a new network manager who
would like us to show the end-user what the new benefits are from the
upgrade.  However, telling an end-user we can not manage your PC more
effectively, well, they just don't care about that.  So now I'm stuck
looking for a way to show them how great AD is.

I would like to thank everyone for their responses.

Thanks,

Charlie

-Original Message-
From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 01, 2005 4:21 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Enhancement Question


It's funny how people approach AD this way - i.e. deploy and look to justify
its existence thereafter :)

When AD was designed and a business case was created, what were the
perceived benefits back then? Why not try to create additional benefit along
those lines? We all have different reasons for deploying AD - to some it's
simply an upgrade, to others it's seen as a way to simplify / improve the
Windows environment in many different ways. Identify your initial reasons
for deploying AD and then build from there.

For the record, I would argue that the end user need not see real, tangible
benefits in order that AD be seen to benefit the business itself. The real
benefits are normally less tangible.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question


This is an odd question.

We have just about finished up rolling out AD 2003 (from an NT domain) and I
have been charged with finding "severa

[ActiveDir] _msdcs question

2005-06-01 Thread Rimmerman, Russ

The outgoing trust was successfully validated.

The secure channel (SC) reset on domain controller
\\nfhouvds01.theircompany.com of domain theircompany.com to domain
ccc.ourcompany.com failed with error: There are currently no logon
servers available to service the logon request.

This is the only remaining thing I'm battling.  I've set up WINS
replication per suggestions, but still no-go.

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


Re: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
I did not know cacls did this, been looking at xcacls and scacls but no joy, 
will try, many thanks.

Mark
-Original Message-
From: "Adams, Kenneth W (Ken)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24 
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by
Small Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another
group to that location to enable the new group to be permissioned on
that data too. 

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where
Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark


RE: [ActiveDir] Enhancement Question

2005-06-01 Thread joe
I would be a bit concerned about the manager's approach. Playing up to the
end users is not the proper way to run the infrastructure. If the users
gripe about what is being done, the answer is simply we are doing these
upgrades to be in a position to better support the environment with
increased security, stability, and availability. 

End users should be concerned with their end user job, not what IT is doing.

   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, June 01, 2005 8:54 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Enhancement Question

Neil,

We deployed AD based on a very serious and well defined business case.
However, when we argued for this it was indicated that the end-user would
not feel any effects and all of the enhancements would be on the management
and stability side.  Since then, however, we have a new network manager who
would like us to show the end-user what the new benefits are from the
upgrade.  However, telling an end-user we can not manage your PC more
effectively, well, they just don't care about that.  So now I'm stuck
looking for a way to show them how great AD is.

I would like to thank everyone for their responses.

Thanks, 

Charlie

-Original Message-
From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 01, 2005 4:21 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Enhancement Question


It's funny how people approach AD this way - i.e. deploy and look to justify
its existence thereafter :)

When AD was designed and a business case was created, what were the
perceived benefits back then? Why not try to create additional benefit along
those lines? We all have different reasons for deploying AD - to some it's
simply an upgrade, to others it's seen as a way to simplify / improve the
Windows environment in many different ways. Identify your initial reasons
for deploying AD and then build from there.

For the record, I would argue that the end user need not see real, tangible
benefits in order that AD be seen to benefit the business itself. The real
benefits are normally less tangible.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question


This is an odd question.

We have just about finished up rolling out AD 2003 (from an NT domain) and I
have been charged with finding "several ways to utilize Active Directory to
optimize the management of our applications and infrastructure.  At least
one of the solutions should enhance functionality directly for the user
community."

I'm having problems of finding ways to enhance functionally for the
end-users.  Besides tying the AD into a one of our outsourced web based
applications to reduce their password count I'm stretching.  

I know of a number of management and infrastructure enhancements that could
be made but none enhance the functionality of our end-users to a point where
they will notice it and say "Wow, now that's cool".  

Does anyone know of a location where I can get ideas on this topic?  

Increased security, stability, management.  These core things are not seen
by the end-user even though they directly affect them. I need to find
something that the end-users will like to see and something that benefits
them.  I'm just coming up blank on this.  In the past, I have always been
instructions to use AD in ways that the end-user doesn't notice but
increases the functionality.

Thanks,

Charlie


==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not
waive any confidentiality or privilege. CS retains and monitors electronic
communications sent through its network. Instructions transmitted over this
system are not binding on CS until they are confirmed by us. Message
transmission is not guaranteed to be secure. 

==



RE: [ActiveDir] lastlogontimestamp-

2005-06-01 Thread Garello, Kenneth
David,

After researching, I was unable to decipher what a "remote NTLM
Authentication" is.  Can you give me an example of this?
I am trying to come up with an effective account deletion policy in a
school with high turnover.


Thanks,

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

In 2003 RTM lastLogonTimeStamp gets updated during Kerberos authentications
and interactive NTLM authentications.  Remote NTLM auths do not cause it to
be updated.  There was talk to get this changed in SP1.

> -Original Message-
> To make matters worse, there is a fix out there somewhere 
> that causes ntlm auth to actually update this field (or am I 
> just dreaming it? :)
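
For the account clean-up policy Ken asks about, an added PowerShell example (not from the thread) that ages accounts from lastLogonTimestamp and returns review candidates rather than a delete list, since the thread notes that remote NTLM logons may not update the attribute in 2003 RTM. The function name, sample accounts and dates are constructed; the 14-day slack reflects the default interval at which AD rewrites the attribute, which is general AD behaviour and not stated in the thread.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Account names, dates and thresholds below are constructed sample data.

function Get-StaleAccountCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        # Policy threshold: days without a recorded logon.
        [int] $InactiveDays = 90,
        # lastLogonTimestamp is only rewritten when the stored value is older
        # than the sync interval (14 days by default), so the stored value can
        # lag the real last logon by that much. Add it as slack.
        [int] $SyncSlackDays = 14,
        [datetime] $Now = [datetime]::UtcNow
    )

    $cutoff = $Now.AddDays(-($InactiveDays + $SyncSlackDays))

    foreach ($account in $Accounts) {
        # A missing attribute casts to 0: the account never recorded a logon.
        $raw = [int64]$account.lastLogonTimestamp

        if ($raw -le 0) {
            $lastSeen = $null
            $basis    = $account.whenCreated
            $note     = 'no lastLogonTimestamp; aged from whenCreated'
        }
        else {
            # The attribute is a Windows FILETIME (100 ns ticks since 1601, UTC).
            $lastSeen = [datetime]::FromFileTimeUtc($raw)
            $basis    = $lastSeen
            $note     = 'aged from lastLogonTimestamp'
        }

        if ($basis -lt $cutoff) {
            # Candidate only: an account used purely over remote NTLM may look
            # idle here, so confirm with the owner before acting on it.
            [pscustomobject]@{
                Account  = $account.sAMAccountName
                LastSeen = $lastSeen
                Note     = $note
            }
        }
    }
}

function New-UtcDate([string] $Text) {
    [datetime]::SpecifyKind([datetime]$Text, [System.DateTimeKind]::Utc)
}

# Constructed records shaped like an LDAP export of user objects.
$now = New-UtcDate '2005-06-01'
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'student.active'
                       whenCreated = (New-UtcDate '2004-09-01')
                       lastLogonTimestamp = (New-UtcDate '2005-05-20').ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'student.left'
                       whenCreated = (New-UtcDate '2004-09-01')
                       lastLogonTimestamp = (New-UtcDate '2004-12-15').ToFileTimeUtc() }
    # Older than 90 days but inside the 14-day slack: not flagged.
    [pscustomobject]@{ sAMAccountName = 'student.borderline'
                       whenCreated = (New-UtcDate '2004-09-01')
                       lastLogonTimestamp = (New-UtcDate '2005-02-25').ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'student.neverused'
                       whenCreated = (New-UtcDate '2004-09-01')
                       lastLogonTimestamp = $null }
    [pscustomobject]@{ sAMAccountName = 'student.new'
                       whenCreated = (New-UtcDate '2005-05-15')
                       lastLogonTimestamp = $null }
)

Get-StaleAccountCandidate -Accounts $sample -Now $now | Format-Table -AutoSize
```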



RE: [ActiveDir] Enhancement Question

2005-06-01 Thread joe
At the widget company that I converted from NT4 to 2K the reason was simply
self-preservation. The NT4 architecture was ready to blow at any second due
to size, we were running with 80k users in a single domain, 75k users in
another, 60k in yet another. Obviously the domain structures were ready to
collapse at any time.

However once done, the automatic benefits of additional stability and
delegation were well worth the move on their own even if the users didn't
have anything to point at besides a possibly perceived stability
increase[1].

Basically I am saying I agree with Neil. Users shouldn't even be aware of
the underlying infrastructure let alone being sold on the benefits. In
infrastructure ops positions I tend to say that the better things run, the
less people know you and the things you work on exist. 

It isn't usually necessary to "invent" ways to use AD, things will crop up.
Some ideas though:

The first thing I would do is start ripping away native permissions from
everyone but a couple of Ent Admins (say 3 or 4 tops) and everyone else gets
by with delegated permissions, much easier to start that way versus trying
to clean it up later. Goal, better security and enterprise stability. A
strong step towards change control.

The next thing would be to start populating AD with object lifecycle
management information. This includes object owners, review dates on when
the owner has to say the object is still in use, expiration dates on when
objects should be removed, etc. Again much easier to start that early versus
later. Goal, a cleaner happier NOS Directory without baggage.

Populate the organizational management structures, location info, contact
info, etc and set up a web site to allow creation of org charts and display
user info. Don't store the pics in the directory, store them in a SQL Server
or someplace else. Alternatively, stick all this info into AD/AM and
leverage AD Auth to access the info. Check to see if the Polyarchy stuff
ever made it into a production setup in MIIS, that is an amazing way to display
that info.

If you have multiple platforms look to start using kerberos on them so you
can have single sign on. Users should really notice this if they don't have
it.

Look at how or even if GPOs should be used for controlling machines and user
experience.

Publish printer and shared folder information.

Set up a web based self password reset unlock system. See MIIS functionality
or MTEC's PSYNCH. This could be done under NT4 as well but more secure I
think under AD due to giving out delegated rights to do the work.

Deploy Exchange 2003. 


  joe



[1] It couldn't be anything but perceived on the users side unless they were
monitoring availability and performance which would be a stretch for those
users. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, June 01, 2005 5:21 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Enhancement Question

It's funny how people approach AD this way - i.e. deploy and look to justify
its existence thereafter :)

When AD was designed and a business case was created, what were the
perceived benefits back then? Why not try to create additional benefit along
those lines? We all have different reasons for deploying AD - to some it's
simply an upgrade, to others it's seen as a way to simplify / improve the
Windows environment in many different ways. Identify your initial reasons
for deploying AD and then build from there.

For the record, I would argue that the end user need not see real, tangible
benefits in order that AD be seen to benefit the business itself. The real
benefits are normally less tangible.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question


This is an odd question.

We have just about finished up rolling out AD 2003 (from an NT domain) and I
have been charged with finding "several ways to utilize Active Directory to
optimize the management of our applications and infrastructure.  At least
one of the solutions should enhance functionality directly for the user
community."

I'm having problems of finding ways to enhance functionally for the
end-users.  Besides tying the AD into a one of our outsourced web based
applications to reduce their password count I'm stretching.  

I know of a number of management and infrastructure enhancements that could
be made but none enhance the functionality of our end-users to a point where
they will notice it and say "Wow, now that's cool".  

Does anyone know of a location where I can get ideas on this topic?  

Increased security, stability, management.  These core things are not seen
by the end-user even though they directly affect them. I need to find
something that the end-users will like to see and something that benefits
them.  I'm just coming up blank on 

RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Adams, Kenneth W (Ken)
There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by
Small Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another
group to that location to enable the new group to be permissioned on
that data too. 

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where
Domain Users appears and append another group to that location.

I hope this is clear.

Regards

Mark
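
An added PowerShell example of the search-and-append Mark describes (not from the thread, and not a wrapper around cacls): it finds folders where one group holds an explicit, non-inherited Allow entry and grants a second group the same rights with the same inheritance. The function name, path and group names are hypothetical; run it with -WhatIf first to get the report without changing any ACL.

```powershell
# Added example, not from the thread. Requires PowerShell 5.0 or later and an
# account allowed to read and write the ACLs under $Root.
# 'EXAMPLE\...' group names and the D:\ path are placeholders.

function Copy-ExplicitGroupAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $SourceGroup,
        [Parameter(Mandatory)] [string] $NewGroup
    )

    # Resolve both names to SIDs once, so matching does not depend on how an
    # ACL happens to render the account name.
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $sourceSid = [System.Security.Principal.NTAccount]::new($SourceGroup).Translate($sidType)
    $newSid    = [System.Security.Principal.NTAccount]::new($NewGroup).Translate($sidType)

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{ Path = $folder.FullName; Rights = $null
                               Status = "Skipped: cannot read ACL ($($_.Exception.Message))" }
            continue
        }

        # Explicit entries only ($true, $false): inherited entries are managed
        # on the parent folder and will be picked up there.
        $sourceRules = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sourceSid.Value -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        })
        if ($sourceRules.Count -eq 0) { continue }

        $added = @()
        foreach ($rule in $sourceRules) {
            try {
                # Same rights, same inheritance and propagation, new trustee.
                $copy = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $newSid, $rule.FileSystemRights, $rule.InheritanceFlags,
                    $rule.PropagationFlags, $rule.AccessControlType)
                $acl.AddAccessRule($copy)
                $added += $rule.FileSystemRights
            }
            catch {
                # Entries that carry generic-rights bits are rejected by the
                # constructor; report them instead of guessing a mapping.
                [pscustomobject]@{ Path = $folder.FullName; Rights = $rule.FileSystemRights
                                   Status = 'Skipped: rights value cannot be copied, review by hand' }
            }
        }
        if ($added.Count -eq 0) { continue }

        if ($PSCmdlet.ShouldProcess($folder.FullName, "grant $NewGroup the explicit rights of $SourceGroup")) {
            Set-Acl -LiteralPath $folder.FullName -AclObject $acl
            $status = 'Added'
        }
        else {
            $status = 'Planned (no change made)'
        }

        [pscustomobject]@{ Path = $folder.FullName; Rights = ($added -join '; '); Status = $status }
    }
}

# Dry run first, then repeat without -WhatIf once the report looks right:
# Copy-ExplicitGroupAccess -Root 'D:\' -SourceGroup 'EXAMPLE\Domain Users' `
#     -NewGroup 'EXAMPLE\Project Staff' -WhatIf
```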


RE: [ActiveDir] Enhancement Question

2005-06-01 Thread Carerros, Charles
Neil,

We deployed AD based on a very serious and well defined business case.
However, when we argued for this it was indicated that the end-user would
not feel any effects and all of the enhancements would be on the management
and stability side.  Since then, however, we have a new network manager who
would like us to show the end-user what the new benefits are from the
upgrade.  However, telling an end-user we can not manage your PC more
effectively, well, they just don't care about that.  So now I'm stuck
looking for a way to show them how great AD is.

I would like to thank everyone for their responses.

Thanks, 

Charlie

-Original Message-
From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 01, 2005 4:21 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Enhancement Question


It's funny how people approach AD this way - i.e. deploy and look to justify
its existence thereafter :)

When AD was designed and a business case was created, what were the
perceived benefits back then? Why not try to create additional benefit along
those lines? We all have different reasons for deploying AD - to some it's
simply an upgrade, to others it's seen as a way to simplify / improve the
Windows environment in many different ways. Identify your initial reasons
for deploying AD and then build from there.

For the record, I would argue that the end user need not see real, tangible
benefits in order that AD be seen to benefit the business itself. The real
benefits are normally less tangible.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question


This is an odd question.

We have just about finished up rolling out AD 2003 (from an NT domain) and I
have been charged with finding "several ways to utilize Active Directory to
optimize the management of our applications and infrastructure.  At least
one of the solutions should enhance functionality directly for the user
community."

I'm having problems of finding ways to enhance functionally for the
end-users.  Besides tying the AD into a one of our outsourced web based
applications to reduce their password count I'm stretching.  

I know of a number of management and infrastructure enhancements that could
be made but none enhance the functionality of our end-users to a point where
they will notice it and say "Wow, now that's cool".  

Does anyone know of a location where I can get ideas on this topic?  

Increased security, stability, management.  These core things are not seen
by the end-user even though they directly affect them. I need to find
something that the end-users will like to see and something that benefits
them.  I'm just coming up blank on this.  In the past, I have always been
instructions to use AD in ways that the end-user doesn't notice but
increases the functionality.

Thanks,

Charlie


[ActiveDir] OT-Data ACLing

2005-06-01 Thread Mark Parris
All,

Does anyone know of a utility that can look at a directory and identify where 
data is permissioned by a certain group and then append another group to that 
location to enable the new group to be permissioned on that data too. 

Example: D: is permissioned with Domain users in multiple directories but 
Not in every directory, I wish to search the directories and where Domain Users 
appears and append another group to that location.

I hope this is clear.

Regards

Mark


RE: [ActiveDir] Home Directories

2005-06-01 Thread Ellis, Debbie
This is correct. It appears to have changed since NT. I found this out by
checking permissions when I was troubleshooting a problem with home
directories.  You go to the security tab then choose advanced then
highlight the account and choose edit. It will detail the permissions in
effect. The effective permissions tab is very good too, because it allows
you to see the impact of all group memberships and the impact on
permissions.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen
Sent: Tuesday, May 31, 2005 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Modify rights doesn't give them the ability to delete files/folders.  You
have to go to the Advanced tab on permissions and edit their rights and
check the box to enable them to delete their own home drive files/folders

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, May 31, 2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories


The trouble is that Microsoft's idea of "locked down" and my idea of "locked
down" don't match...

I work in a college (and I think Debbie works in a similar environment) and
there's no way I'd give users full control over even their own folders - the
most they get is "modify" on everything in their user area. (Giving full
allows them to change permissions - most will do this accidentally and
manage to remove themselves from the list or they will give access to other
users. In a work environment this may be a good thing - it allows users to
share work on an ad-hoc basis. For students, it's typically a way to move
"pirate" material around...)

There's also a problem in that if users can create folders in the root share
then they will - again, some will do this accidentally and lose work in that
way; others will do it maliciously. Whichever, when you have 14,000 folders
to worry about you don't want odd ones sneaking in
:-)

The downside of this is that you can't then have the folder created by the
redirection process as the user logs on; no big deal - we script the user
creation so we also create the home folder with the permissions we want
(admins, system - full; user - modify)

On a regular basis we also force the permissions and ownership back to what
they should be - I've found setacl (http://setacl.sourceforge.net) to be
easier to use for this than subinacl.

Steve

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
> Sent: 27 May 2005 16:14
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Home Directories
> 
> The best practice permissions for the ROOT SHARE (for home
> directories, roaming profiles & folder redirection) are 
> listed below.  There is a lot of confusion about these perms, 
> b/c there are inconsistencies in MS doc.
> I've tested these to make sure they work and (as you'll see) 
> they're pretty well locked down.
> 
> The root share
> ==
> ACL
> Users*:Allow:List Folder & Create Folders
> 
>   Inheritance: This folder only ( THIS IS TRICKY AND
> IS NOT THE DEFAULT  Set "Apply onto" to "THIS FOLDER ONLY")
> 
>   *Or another group that includes users who will have
> folders under this root
> 
> Creator Owner:Allow:Full
>   Inheritance: Subfolders & files only
> 
> System:Allow:Full
>   Inheritance: This folder, subfolders & files
> 
> Administrators: 
>   Set based on Enterprise information security policy
> 
> Share
>   Hidden share name (sharename$)
>   Share permissions: Everyone:Allow:Full
> 
> ** Do not create individual user folders **
> 
> How folders are created
> ===
> Home folders: created & perm'd automatically
> 
> Redirected folders: created, perm'd, user owner
> 
>   SUBINACL on Res Kit to change ownership if you must
> create folder in advance. (Be sure to download newest patched 
> version of SubInACL from MS web site)
> 
> Profiles: created & perm'd automatically
> 
> 
> Hope this helps
> 
> Dan
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Home Directories
> 
> Yes, make sure that the top level home folder that your share
> is pointing to does not have rights for those users to make 
> changes.  They should only have rights at their individual folder.
> 
> For instance:
> 
> Share Level Perms
> \\server\home1 is your home folder share which has the
> following perms:
>   Administrators - FC
>   Domain Users - C
> 
> NTFS Perms
> That folder maps to h:\home1 on your server.  Home1 should have the
> following:
>   Administrators - FC
> 
> There's a user folder under home1 that exists under home1
> that maps to JohnDoe such as h:\home1\johndoe.
> 
> At the johndoe folder, you want to m

Re: [ActiveDir] group policy adm files

2005-06-01 Thread Dibs
Hi,
I guess your solution of disabling firewall via GPO
lies in this link.
http://msmvps.com/kwsupport/archive/2004/08/27/12477.aspx

Dibendoo




--- tech <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> I wanted to know where the template files (.adm) files of default domain
> group policy is in windows 2000 advance server. Can any one help?
> 
> Yours truly,
> 
> Roseta Radfar







Re: [ActiveDir] group policy adm files

2005-06-01 Thread Peter Jessop
From Group Policy Editor, drill down to administrative templates and
then right click. Select Add or remove administrative templates


Regards

Peter


RE: [ActiveDir] Enhancement Question

2005-06-01 Thread Ruston, Neil
It's funny how people approach AD this way - i.e. deploy and look to justify 
its existence thereafter :)

When AD was designed and a business case was created, what were the perceived 
benefits back then? Why not try to create additional benefit along those lines? 
We all have different reasons for deploying AD - to some it's simply an 
upgrade, to others it's seen as a way to simplify / improve the Windows 
environment in many different ways. Identify your initial reasons for deploying 
AD and then build from there.

For the record, I would argue that the end user need not see real, tangible 
benefits in order that AD be seen to benefit the business itself. The real 
benefits are normally less tangible.

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question


This is an odd question.

We have just about finished up rolling out AD 2003 (from an NT domain) and I 
have been charged with finding "several ways to utilize Active Directory to 
optimize the management of our applications and infrastructure.  At least one 
of the solutions should enhance functionality directly for the user community."

I'm having problems of finding ways to enhance functionally for the end-users.  
Besides tying the AD into a one of our outsourced web based applications to 
reduce their password count I'm stretching.  

I know of a number of management and infrastructure enhancements that could be 
made but none enhance the functionality of our end-users to a point where they 
will notice it and say "Wow, now that's cool".  

Does anyone know of a location where I can get ideas on this topic?  

Increased security, stability, management.  These core things are not seen by 
the end-user even though they directly affect them. I need to find something 
that the end-users will like to see and something that benefits them.  I'm just 
coming up blank on this.  In the past, I have always been instructions to use 
AD in ways that the end-user doesn't notice but increases the functionality.

Thanks,

Charlie


RE: [ActiveDir] Enhancement Question

2005-06-01 Thread Dan Holme
Charlie:

This is a question I'm getting from a LOT of my clients these days.  I'd
be happy to chat through some ideas with you, but it's too much to type
out.  Give me a shout and I'll spend a bit of time talking you through
some "ooh-ahh-wow" things you can do with AD.   888.381.6956.

Dan Holme
Intelliem


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, May 31, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enhancement Question

You could look at pre-populating the location field for printer searches.
This is quite a nice feature that uses the IP subnet of the workstation the
user is logged on to to locate the nearest printer.  There's a few tasks you
need to do to enable this, but it can be worth the effort, especially in
distributed organisations.  See the following whitepaper for more
information on this.

http://www.microsoft.com/windows2000/technologies/fileandprint/print/addeploy.asp

As you suggest, there are not a huge number of benefits that are directly
visible to the end user.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Wednesday, 1 June 2005 3:05 a.m.
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question

This is an odd question.

We have just about finished up rolling out AD 2003 (from an NT domain) and I
have been charged with finding "several ways to utilize Active Directory to
optimize the management of our applications and infrastructure.  At least
one of the solutions should enhance functionality directly for the user
community."

I'm having problems of finding ways to enhance functionality for the
end-users.  Besides tying the AD into one of our outsourced web based
applications to reduce their password count I'm stretching.

I know of a number of management and infrastructure enhancements that could
be made but none enhance the functionality of our end-users to a point where
they will notice it and say "Wow, now that's cool".

Does anyone know of a location where I can get ideas on this topic?

Increased security, stability, management.  These core things are not seen
by the end-user even though they directly affect them. I need to find
something that the end-users will like to see and something that benefits
them.  I'm just coming up blank on this.  In the past, I have always been
instructed to use AD in ways that the end-user doesn't notice but
increases the functionality.

Thanks,

Charlie


RE: [ActiveDir] Home Directories

2005-06-01 Thread Dan Holme
Modify permission on an NTFS ACL *does* include DELETE.

Anyway, what Steve suggests is simply not possible to achieve without
workarounds such as 'resetting the acl' regularly.  Here's why, and a
suggestion.

1) The CREATOR/OWNER of a file or folder ALWAYS can change permission on
that file or folder.  There's no way to prevent that.  In other words,
if you let a user save a file, they CAN change permission.

2) The only workaround I've heard for this (and I've not tested it
myself but it is on good authority) is to set a SHARE permission of
MODIFY (not Full Control).  The lack of full control on a share
apparently prohibits anyone (including the owner) from changing an
ACL... cool assuming it's true, though managing share permissions is a
whole other can of worms, and PLEASE don't go there with this thread.
It's a solution, not a perfect one (and there isn't a perfect solution
given Steve's requirements).

3) You can *always* "provision" anything in windows.  Go bananas with a
script or process that creates the folder for the user with the right
permissions on that user's folder, and then of course you can restrict
the root more.  The permissions I listed are the minimum required
permissions for out-of-box Windows functionality.

Hope this helps.

D



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 31, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Are you sure about that? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen
Sent: Tuesday, May 31, 2005 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories

Modify rights doesn't give them the ability to delete files/folders. You
have to go to the Advanced tab on permissions and edit their rights and
check the box to enable them to delete their own home drive files/folders

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, May 31, 2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home Directories


The trouble is that Microsoft's idea of "locked down" and my idea of "locked
down" don't match...

I work in a college (and I think Debbie works in a similar environment) and
there's no way I'd give users full control over even their own folders - the
most they get is "modify" on everything in their user area. (Giving full
allows them to change permissions - most will do this accidentally and
manage to remove themselves from the list or they will give access to other
users. In a work environment this may be a good thing - it allows users to
share work on an ad-hoc basis. For students, it's typically a way to move
"pirate" material around...)

There's also a problem in that if users can create folders in the root share
then they will - again, some will do this accidentally and lose work in that
way; others will do it maliciously. Whichever, when you have 14,000 folders
to worry about you don't want odd ones sneaking in :-)

The downside of this is that you can't then have the folder created by the
redirection process as the user logs on; no big deal - we script the user
creation so we also create the home folder with the permissions we want
(admins, system - full; user - modify)

On a regular basis we also force the permissions and ownership back to what
they should be - I've found setacl (http://setacl.sourceforge.net) to be
easier to use for this than subinacl.

Steve

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
> Sent: 27 May 2005 16:14
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Home Directories
> 
> The best practice permissions for the ROOT SHARE (for home 
> directories, roaming profiles & folder redirection) are listed below.
> There is a lot of confusion about these perms, b/c there are 
> inconsistencies in MS doc.
> I've tested these to make sure they work and (as you'll see) they're 
> pretty well locked down.
> 
> The root share
> ==
> ACL
> Users*:Allow:List Folder & Create Folders
> 
>   Inheritance: This folder only ( THIS IS TRICKY AND IS NOT THE
>   DEFAULT  Set "Apply onto" to "THIS FOLDER ONLY")
> 
>   *Or another group that includes users who will have folders under
>   this root
> 
> Creator Owner:Allow:Full
>   Inheritance: Subfolders & files only
> 
> System:Allow:Full
>   Inheritance: This folder, subfolders & files
> 
> Administrators: 
>   Set based on Enterprise information security policy
> 
> Share
>   Hidden share name (sharename$)
>   Share permissions: Everyone:Allow:Full
> 
> ** Do not create individual user folders **
> 
> How folders are created
> ===
> Home folders: created & perm'd automatically
> 
> Redirected folders: created, perm'd, user owner
> 
>   SUBINACL on Res Kit to change ownership if you must cr
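
The two ACL layouts discussed in this thread, as an added PowerShell example that is not part of any list member's post: Set-HomeRootAcl applies the root-folder entries from the quoted list, and Set-UserHomeAcl is the scripted per-user alternative (admins, system - full; user - modify), which can be re-run on a schedule to force permissions and ownership back. The function names, the D:\Home path, the EXAMPLE\student01 account and the Administrators entry on the root are assumptions.

```powershell
# Added example (not from the thread). Paths, accounts and function names are assumptions.
function New-AllowRule([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-ExplicitAcl([string]$Path, [object[]]$Rules, [string]$Owner) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting; inherited ACEs are dropped
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleSpecific($old)          # clear explicit ACEs, including user-added ones
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    if ($Owner) { $acl.SetOwner([System.Security.Principal.NTAccount]$Owner) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-HomeRootAcl([string]$Root, [string]$UsersGroup = 'BUILTIN\Users') {
    $both = 'ContainerInherit, ObjectInherit'
    Set-ExplicitAcl -Path $Root -Rules @(
        # "This folder only": no inheritance flags, so the ACE is not copied to children.
        (New-AllowRule $UsersGroup 'ListDirectory, CreateDirectories' 'None' 'None'),
        # "Subfolders & files only": inherited by children, not applied to the root itself.
        (New-AllowRule 'CREATOR OWNER' 'FullControl' $both 'InheritOnly'),
        (New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $both 'None'),
        # Assumption: the thread leaves Administrators to local security policy.
        (New-AllowRule 'BUILTIN\Administrators' 'FullControl' $both 'None')
    )
}

function Set-UserHomeAcl([string]$Root, [string]$Account) {
    $both = 'ContainerInherit, ObjectInherit'
    $path = Join-Path $Root ($Account -replace '^.*\\', '')   # folder named after the account
    if (-not (Test-Path -LiteralPath $path)) { [void](New-Item -ItemType Directory -Path $path) }
    # Owner is set to Administrators so the user is not the owner of the folder itself.
    Set-ExplicitAcl -Path $path -Owner 'BUILTIN\Administrators' -Rules @(
        (New-AllowRule 'BUILTIN\Administrators' 'FullControl' $both 'None'),
        (New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $both 'None'),
        (New-AllowRule $Account 'Modify' $both 'None')
    )
}

# Constructed usage; run elevated, and schedule the second call to re-apply the ACLs.
# Set-HomeRootAcl -Root 'D:\Home'
# Set-UserHomeAcl -Root 'D:\Home' -Account 'EXAMPLE\student01'
```

Only the folder passed in is reset; files and subfolders that carry their own explicit entries or a different owner need a separate recursive pass.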

RE: [ActiveDir] group policy adm files

2005-06-01 Thread tech
I replaced the files I have downloaded from Microsoft but no use. Do you
know why? Is there anything else I should do?

Thanks 
roseta

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, June 01, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] group policy adm files

Roseta

.adm files are found in 
%systemroot%\inf

Regards

Peter