RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread Rick Kingslan

I would really suspect that this is soon not going to be true – and may not be at this point (don’t know – haven’t asked yet…).

Think of it this way – NAP (Network Access Protection) is going to have one heck of a time working if DC <-> Member isn’t a supported scenario.

As to the 135 traffic on AuthN – I’d happily take a look at the trace.  I’ll have a few minutes tomorrow.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's.  It's supposed member<->member and DC<->DC, but not members<->DC's.  At least, not if Kerberos is used.  Not sure how they feel about certs.  Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135.  Do you know what's using it during a logon/GPO process/??


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Darren Mar-Elia

Actually my point was less around the initial organization of AD than around changing an AD design to accommodate short-term requirements. I am all for the approach you've described below if it meets the administrative and business needs of an organization.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Wednesday, August 24, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

On Wed, 24 Aug 2005 20:45:07 -0400, "Robert Bobel" <[EMAIL PROTECTED]> said:
> I'm pretty much with Darren on this one. Keeping it organized over the
> long term may end up being a lot of trouble especially if the
> environment is of a fairly large size.

It's easy when not every Tom, Dick, and Harry can create computer accounts.  If your org is really that large, you likely already have OU's that either follow geographic lines or hierarchical lines.  Sub OU's would contain servers or workstations.

I cringe at the thought of a Fortune 500 with 30,000 computer accounts in one OU.  Do companies really run that way?

RM


RE: [ActiveDir] Move Computer Permissions

2005-08-24 Thread Brian Desmond
Moving a computer requires the following two steps:

Delete the object from the source OU
Create the object in the destination OU

There is no such thing as a "move" right.

So, grant the create right for computer objects in the destination OU to this group, and the delete right for computer objects in the source OU.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mills, Wallace
Sent: Thursday, August 25, 2005 12:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move Computer Permissions

Would appreciate some directions/assistance in resolving this problem.
We have a couple of users to whom we wish to give permissions to allow them to create and delete computer accounts and also be able to move said computers between OUs in the AD. Currently we have a security group set up with the permissions set to Special Permissions and clicking on Advanced Security Settings set the create/delete computers plus given them create/delete child objects.
This has still not allowed them to move computers; they can create/delete computers but not move.
Has anyone any suggestions as to what to try next?
Thanks in advance.

Wallace

DISCLAIMER
The information contained in the above e-mail message or messages 
(which includes any attachments) is confidential and may be legally 
privileged.  It is intended only for the use of the person or entity 
to which it is addressed.  If you are not the addressee any form of 
disclosure, copying, modification, distribution or any action taken 
or omitted in reliance on the information is unauthorised.  Opinions 
contained in the message(s) do not necessarily reflect the opinions 
of the Queensland Government and its authorities.  If you received 
this communication in error, please notify the sender immediately and 
delete it from your computer system network. 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
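The delegation Brian describes, written out as an added example (not code from the thread): two dsacls.exe grants plus a check. The domain, OU names, group name and test computer are placeholders, not values from the posts.

```powershell
# Added example, not from the thread: delegate the two rights Brian names so a
# group can move computer objects from one OU to another, using dsacls.exe.
# Placeholders (assumptions, not from the posts): group CORP\Workstation-Movers,
# source OU "Staging" and destination OU "Workstations" in DC=corp,DC=example.
$Group  = 'CORP\Workstation-Movers'
$Source = 'OU=Staging,DC=corp,DC=example'
$Dest   = 'OU=Workstations,DC=corp,DC=example'

# Destination OU: Create Child (CC) limited to the computer object class.
# /I:T applies the ACE to this object and all sub-objects.
dsacls $Dest   /I:T /G "${Group}:CC;computer"

# Source OU: Delete Child (DC) limited to the computer object class.
dsacls $Source /I:T /G "${Group}:DC;computer"

# Check: show the ACEs on each OU that now mention the group.
foreach ($ou in @($Source, $Dest)) {
    Write-Output "== $ou =="
    dsacls $ou | Select-String -SimpleMatch $Group
}

# Functional test, run as a member of the group. WS-TEST01 is a placeholder
# computer account that already lives in the source OU:
# Get-ADComputer -Identity 'WS-TEST01' | Move-ADObject -TargetPath $Dest
```

dsacls permission codes: CC is Create Child and DC is Delete Child, and the `;computer` suffix scopes the ACE to the computer object class. If the same group must also move computers back the other way, grant `CCDC;computer` on both OUs.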



[ActiveDir] Move Computer Permissions

2005-08-24 Thread Mills, Wallace
Would appreciate some directions/assistance in resolving this problem.
We have a couple of users to whom we wish to give permissions to allow them to create and delete computer accounts and also be able to move said computers between OUs in the AD. Currently we have a security group set up with the permissions set to Special Permissions and clicking on Advanced Security Settings set the create/delete computers plus given them create/delete child objects.
This has still not allowed them to move computers; they can create/delete computers but not move.
Has anyone any suggestions as to what to try next?
Thanks in advance.

Wallace



RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread David Adner

I hadn't noticed that section that specifically talks about GP.  Thanks for the pointer.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 24, 2005 11:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

Actually, there's some information on Group Policy and port usage in this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols. If any one of these protocols are unavailable or blocked between the client and a relevant domain controller, policy will not apply or refresh.

So it looks like this is the culprit for Port 135.

Tony







RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread Tony Murray

Actually, there's some information on Group Policy and port usage in this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols. If any one of these protocols are unavailable or blocked between the client and a relevant domain controller, policy will not apply or refresh.

So it looks like this is the culprit for Port 135.

Tony
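A reachability check for the protocols the KB article names (DCOM/RPC, ICMP, LDAP, SMB) alongside the logon ports from David's whitepaper list, as an added example that is not part of the thread. It runs on a domain member against a DC; `DC01.corp.example` is a placeholder, and `Test-NetConnection` assumes Windows 8 / Server 2012 or later, so it is a check for today's members rather than something the 2005 XP client would run.

```powershell
# Added example, not from the thread: from a domain member, test whether the
# ports behind the protocols KB 832017 lists for Group Policy (DCOM/RPC, ICMP,
# LDAP, SMB) and the whitepaper's logon ports (Kerberos, DNS) reach a DC.
# Assumptions: $DC is a placeholder DC name; Test-NetConnection exists on
# Windows 8 / Server 2012 and later.
$DC = 'DC01.corp.example'   # placeholder

$Checks = @(
    @{ Port = 53;  Why = 'DNS: locating the DC (SRV records)' },
    @{ Port = 88;  Why = 'Kerberos: user and computer authentication' },
    @{ Port = 135; Why = 'RPC endpoint mapper: DCOM/RPC used by GP processing' },
    @{ Port = 389; Why = 'LDAP: reading GPO links and GPC versions' },
    @{ Port = 445; Why = 'SMB: reading the GPO templates from SYSVOL' }
)

$Results = @()

# ICMP echo: KB 832017 lists it; XP-era GP slow-link detection pings the DC.
$Results += [PSCustomObject]@{
    Test      = 'ICMP echo'
    Reachable = Test-Connection -ComputerName $DC -Count 1 -Quiet
    Why       = 'ICMP: GP slow-link detection'
}

foreach ($c in $Checks) {
    $r = Test-NetConnection -ComputerName $DC -Port $c.Port -WarningAction SilentlyContinue
    $Results += [PSCustomObject]@{
        Test      = "TCP $($c.Port)"
        Reachable = $r.TcpTestSucceeded
        Why       = $c.Why
    }
}

$Results | Format-Table -AutoSize

# Anything reported as unreachable is a candidate for the "policy will not
# apply or refresh" failure the KB describes. A TCP connect does not cover
# 88/UDP or 389/UDP (CLDAP), and RPC that starts on 135 continues on a dynamic
# high port handed out by the endpoint mapper, so that range must be allowed too.
```

A blocked 135 shows up here as `TCP 135 = False`, which is the case Tony pins the KB's DCOM/RPC requirement on; a blocked ICMP row is the separate GP slow-link case David adds to the whitepaper list.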


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 25 August 2005 4:39 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

Yes, member server to DC using IPSec is not supported.  Well at least it wasn't in Windows 2000:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Not sure why port 135 would be required for logon.  Just a thought: in addition to port 3268, the information held in the GC is made available via NSPI.  Access to NSPI would be via the RPC endpoint mapper (port 135).  So perhaps Outlook clients on the XP machines are generating the traffic on port 135?

Tony







RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread Tony Murray

Yes, member server to DC using IPSec is not supported.  Well at least it wasn't in Windows 2000:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Not sure why port 135 would be required for logon.  Just a thought: in addition to port 3268, the information held in the GC is made available via NSPI.  Access to NSPI would be via the RPC endpoint mapper (port 135).  So perhaps Outlook clients on the XP machines are generating the traffic on port 135?

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Thursday, 25 August 2005 4:11 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's.  It's supposed member<->member and DC<->DC, but not members<->DC's.  At least, not if Kerberos is used.  Not sure how they feel about certs.  Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135.  Do you know what's using it during a logon/GPO process/??







RE: [ActiveDir] Non-domain access to files on windows 2003

2005-08-24 Thread Jason Benway
No, I did not enable the guest account; is that what I'm missing? Usernames should be unique. The AD names (DNS and NetBIOS) are different, so the universal names will be unique.

jb

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, August 24, 2005 10:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Non-domain access to files on windows 2003


Two questions:

1) Did you enable the guest account?
2) Are the usernames unique in both forests?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, August 24, 2005 9:48 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Non-domain access to files on windows 2003

I'm in the process of setting up a Windows 2003 file server.
I'm trying to create a folder where users from our other company can come onsite with their computers and use this one folder to pass files between our company and theirs. These two companies are part of two different AD forests. This site only has one server.

I've given write access to the anonymous group. But the users still get prompted for a username and password when they try to access the share.

Ideas? I have 2 days left in China to get this project done.

Thanks,
jb


RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread David Adner

I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's.  It's supposed member<->member and DC<->DC, but not members<->DC's.  At least, not if Kerberos is used.  Not sure how they feel about certs.  Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135.  Do you know what's using it during a logon/GPO process/??

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode.  However, your Network Engineers (or whoever manages your Firewalls) may not like it.  Reason?  Likely the same reason that I got when I suggested this at a previous employer:

“Well, if you put it in IPSec tunnels, then we won’t be able to see or sniff it.”

My question:  “Why do you need to sniff or see it?”

No answer….

Rick




 


RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread Brian Desmond

Yeah I got that answer too. I asked that question you asked too. I got the “well uh….” response.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode.  However, your Network Engineers (or whoever manages your Firewalls) may not like it.  Reason?  Likely the same reason that I got when I suggested this at a previous employer:

“Well, if you put it in IPSec tunnels, then we won’t be able to see or sniff it.”

My question:  “Why do you need to sniff or see it?”

No answer….

Rick

 











RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread RM

On Wed, 24 Aug 2005 20:45:07 -0400, "Robert Bobel" <[EMAIL PROTECTED]> said:
> I'm pretty much with Darren on this one. Keeping it organized over the
> long term may end up being a lot of trouble especially if the
> environment is of a fairly large size.

It's easy when not every Tom, Dick, and Harry can create computer accounts.  If your org is really that large, you likely already have OU's that either follow geographic lines or hierarchical lines.  Sub OU's would contain servers or workstations.

I cringe at the thought of a Fortune 500 with 30,000 computer accounts in one OU.  Do companies really run that way?

RM



RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread Rick Kingslan

You’ve likely seen this, but it does describe ports needed for REPLICATION……  However, Steve does talk about the benefits of using IPSec through a firewall……

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to set up AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135.

I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions? I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx

 










RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread Rick Kingslan

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode.  However, your Network Engineers (or whoever manages your Firewalls) may not like it.  Reason?  Likely the same reason that I got when I suggested this at a previous employer:

“Well, if you put it in IPSec tunnels, then we won’t be able to see or sniff it.”

My question:  “Why do you need to sniff or see it?”

No answer….

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to set up AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135.

I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions? I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx

 










[ActiveDir] Ports during authentication/logons...

2005-08-24 Thread David Adner




It's been a few weeks, so time for another question on ports. MS's whitepaper 
that discusses how to setup AD to communicate through a firewall (the one that 
focuses primarily on DC to DC communication) lists the following ports needed to 
service "User Login and Authentication" and "Computer Login and 
Authentication":

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP
(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 
135.
I just ran a Netmon trace during a logon from an XP machine and do see some 
traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening 
besides the basic traffic flow. Does anyone know what 135 (and 139 I
suppose) are being used for? And if they're blocked does it totally break 
everything or just limit certain functions? I am not worried about DC to DC 
communication. The scenario is member systems separated from DC's with a 
firewall and the network folks want to allow the absolute minimum ports.

Thx


RE: [ActiveDir] Removing SidHistory from a group object- help

2005-08-24 Thread Steve Linehan

Here is a sample VBS script that can do this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;295758

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 24, 2005 10:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Removing SidHistory from a group object- help

I have a problem: some of our support staff migrated Domain Admin SIDs from
some NT4 domains to our main Active Directory user domain's Domain Admins
group, thus allowing the Active Directory Domain Admins group to be able to
access many of our NT4 domains without requesting access.

I have tried to delete the sidHistory using ADSI Edit, but get access denied.
I have full control of the object, so I believe that the DSA is telling me no.

Anyone have a good method to remove sidHistory attributes?

Thank You! And have a nice day!


[ActiveDir] Removing SidHistory from a group object- help

2005-08-24 Thread Mark . H . Lunsford

I have a problem: some of our support staff migrated Domain Admin SIDs from
some NT4 domains to our main Active Directory user domain's Domain Admins
group, thus allowing the Active Directory Domain Admins group to be able to
access many of our NT4 domains without requesting access.

I have tried to delete the sidHistory using ADSI Edit, but get access denied.
I have full control of the object, so I believe that the DSA is telling me no.

Anyone have a good method to remove sidHistory attributes?

Thank You! And have a nice day!




RE: [ActiveDir] Non-domain access to files on windows 2003

2005-08-24 Thread Steve Linehan
Two questions:

1) Did you enable the guest account?
2) Are the usernames unique in both forests?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, August 24, 2005 9:48 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Non-domain access to files on windows 2003

I'm in the process of setting up a Windows 2003 file server.
I'm trying to create a folder where users from our other company can come
onsite with their computers and use this one folder to pass files between
our company and theirs. These two companies are part of two different AD
forests. This site only has one server.

I've given write access to the anonymous group. But the users still get
prompted for a username and password when they try to access the share.

Ideas? I have 2 days left in China to get this project done.

Thanks, jb
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Non-domain access to files on windows 2003

2005-08-24 Thread Jason Benway
I'm in the process of setting up a windows 2003 file server.
I'm trying to create a folder where users from our other company can come
onsite with their computers and use this one folder to pass files between
our company and theirs. These two companies are part of two different AD
forests. This site only has one server.

I've given write access to the anonymous group. But the users still get
prompted for a username and password when they try to access the share.

Ideas? I have 2 days left in China to get this project done.

Thanks, jb


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread freddy_hartono
You can always make conflicting GPOs and get those to work (but with
limitation).

Example WMI Filter: OS=XP and OS=NON XP

                               Settings                 Result (2000)  Result (XP)
GPO 1  WMI Filter OS=XP        Hide Recycle Bin = no    show           hide
GPO 2  WMI Filter OS=NON-XP    Hide Recycle Bin = yes   hide           not processed

Final result = Win2000: Hide Recycle Bin = Yes
               WinXP:   Hide Recycle Bin = No

Limitation = you can't set conflicting for something that you want to be set
as NOT DEFINED.

Hope that helps

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: Robert Bobel [mailto:[EMAIL PROTECTED] On Behalf Of Robert Bobel
Sent: Thursday, August 25, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

I'm pretty much with Darren on this one. Keeping it organized over the long
term may end up being a lot of trouble, especially if the environment is of a
fairly large size.

From: [EMAIL PROTECTED] on behalf of RM
Sent: Wed 8/24/2005 6:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

On Wed, 24 Aug 2005 15:47:10 -0700, "Darren Mar-Elia" <[EMAIL PROTECTED]> said:

> I suppose it's just me but in general I'm opposed to modifying an AD
> structure strictly to meet a single need such as this. If there are
> overwhelming business reasons to have those machines there in the first
> place, then moving them around to accommodate a particular GP problem is
> probably not a good idea, because, as we all know, there will be a new
> problem that will come along that will have a different set of
> requirements.

I can think of plenty of reasons to have a different OU for servers and no
good reasons to not have this OU.  If I were tasked with the job of admin for
this environment, creating and populating a servers OU would be one of my
first tasks.

The second would be installing GPMC on my PC.  :-)

RM

RE: [ActiveDir] SUS & Active Directory

2005-08-24 Thread Lee Jessup

Return Receipt

Your document "RE: [ActiveDir] SUS & Active Directory" was received by
Lee Jessup/Greensboro/IBM at 08/24/2005 20:59:23 EDT.


Re: [ActiveDir] DSN(No, this is not a typo!)

2005-08-24 Thread Aaron Visser
This might help you out, got it off of:

http://www.experts-exchange.com/Databases/Q_21032275.html

The best way to deploy your new DSN is to create a GPO and apply it to the
Active Directory OU for workstations. This GPO will release the registry
export (ie .reg) at the next boot of your clients.

You'll find the DSN information in your registry (Start -> Run -> regedit)
at:

HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI for a system DSN
HKEY_CURRENT_USER (or HKEY_USERS\{user SID}) \SOFTWARE\ODBC\ODBC.INI for a
user one

Simply export the key and create the GPO, and AD will deploy it for you.

Again, not sure about this; just got it from the site above.

Aaron


On 8/24/05 5:43 PM, "Marc A. Mapplebeck" <[EMAIL PROTECTED]> wrote:

> Hi everyone, I am having a problem here, and Google wants to keep asking me
> if I mean DNS and screws up my search. I need to install a DSN for an SQL
> server on all machines in my domain, but I am not aware of an easy way to do
> this i.e. GPO. Is there a script out there to install a data source on many
> machines? Any help would be appreciated. - Marc


RE: [ActiveDir] DSN(No, this is not a typo!)

2005-08-24 Thread Jennifer Fountain
This works for me.  I put the machines I need to add the DSN in a txt file and it connects to each machine via remote registry (so you need to be an admin of the box for this to work).

HTH
Jenn

-Original Message-
From:   [EMAIL PROTECTED] on behalf of Marc A. Mapplebeck
Sent:   Wed 8/24/2005 8:43 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject:    [ActiveDir] DSN(No, this is not a typo!)
Hi everyone, I am having a problem here, and Google wants to keep asking me
if I mean DNS and screws up my search. I need to install a DSN for an SQL
server on all machines in my domain, but I am not aware of an easy way to do
this i.e. GPO. Is there a script out there to install a data source on many
machines? Any help would be appreciated. - Marc

Option Explicit
On Error Resume Next   'errors are tested explicitly via Err.Number after each WMI call

'Constants: registry hive handles for the StdRegProv WMI provider
'(full 32-bit values; the truncated &H8000-style numbers are not valid hive handles)
Const HKEY_CLASSES_ROOT   = &H80000000
Const HKEY_CURRENT_USER   = &H80000001
Const HKEY_LOCAL_MACHINE  = &H80000002
Const HKEY_USERS          = &H80000003
Const HKEY_CURRENT_CONFIG = &H80000005

'Variables
Dim DataSourceName, DatabaseName, Description, DriverPath, LastUser
Dim Server, Trusted_connection, DriverName, InputFile
Dim iFSO, ifile, sComputer, sPath

'Value assignment (edit for your environment)
DataSourceName     = "Name"
DatabaseName       = "Name"
DriverPath         = "%WINDIR%\System32\sqlsrv32.dll"
LastUser           = "sa"
Server             = "sqlserver"
Trusted_connection = "Yes"
Description        = "ODBC DSN for the Database: " & DatabaseName
DriverName         = "SQL Server"
InputFile          = "C:\pclist.txt"    'one computer name per line

Set iFSO  = CreateObject("Scripting.FileSystemObject")
Set ifile = iFSO.OpenTextFile(InputFile)
If Err.Number <> 0 Then
    Wscript.Echo "Cannot open " & InputFile & ": " & Err.Description
    Wscript.Quit 1
End If
sPath = "SOFTWARE\ODBC\ODBC.INI\" & DataSourceName

'Read and loop through the input file. AtEndOfStream (not AtEndOfLine) so that a
'blank line in the list does not stop the run early; blank lines are skipped.
Do Until ifile.AtEndOfStream
    sComputer = Trim(ifile.ReadLine)
    If Len(sComputer) > 0 Then
        If (0 = CreateRegKey(sComputer, HKEY_LOCAL_MACHINE, sPath)) Then
            SetRegKeyStrValue sComputer, HKEY_LOCAL_MACHINE, sPath, "Database", DatabaseName
            SetRegKeyStrValue sComputer, HKEY_LOCAL_MACHINE, sPath, "Description", Description
            SetRegKeyStrValue sComputer, HKEY_LOCAL_MACHINE, sPath, "Driver", DriverPath
            SetRegKeyStrValue sComputer, HKEY_LOCAL_MACHINE, sPath, "LastUser", LastUser
            SetRegKeyStrValue sComputer, HKEY_LOCAL_MACHINE, sPath, "Server", Server
            SetRegKeyStrValue sComputer, HKEY_LOCAL_MACHINE, sPath, "Trusted_Connection", Trusted_connection
            'Write in "ODBC Data Sources" key to allow ODBC Manager to list & manage the new DSN
            SetRegKeyStrValue sComputer, HKEY_LOCAL_MACHINE, "SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources", DataSourceName, DriverName
            Wscript.Echo sComputer & " DONE!"
        Else
            'As in the original script: stop at the first machine whose key cannot be created
            Exit Do
        End If
    End If
Loop
ifile.Close
Set ifile = Nothing
Set iFSO  = Nothing

'Create RegKey Function: returns 0 on success, 1 on failure
Function CreateRegKey(sComputer, hTree, sKey)
    Dim oRegistry, lResult
    Err.Clear
    Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & sComputer & "\root\default:StdRegProv")
    If Err.Number = 0 Then lResult = oRegistry.CreateKey(hTree, sKey)   'sKey, not the global sPath
    If (Err.Number = 0) And (lResult = 0) Then
        CreateRegKey = 0
    Else
        CreateRegKey = 1
        Wscript.Echo "Create Key " & sKey & " on " & sComputer & " Failed: " & Err.Description
        Err.Clear   'otherwise one failure makes every later Err.Number test fail too
    End If
    Set oRegistry = Nothing
End Function

'Set RegKey Function: writes a REG_SZ value; returns 0 on success, 1 on failure
Function SetRegKeyStrValue(sComputer, hTree, sKey, sValueName, sValue)
    Dim oRegistry, lResult
    Err.Clear
    Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & sComputer & "\root\default:StdRegProv")
    If Err.Number = 0 Then lResult = oRegistry.SetStringValue(hTree, sKey, sValueName, sValue)
    If (Err.Number = 0) And (lResult = 0) Then
        SetRegKeyStrValue = 0
    Else
        SetRegKeyStrValue = 1
        Wscript.Echo "Set Value " & sValueName & " under " & sKey & " on " & sComputer & " Failed: " & Err.Description
        Err.Clear
    End If
    Set oRegistry = Nothing
End Function



RE: [ActiveDir] DSN(No, this is not a typo!)

2005-08-24 Thread Tony Murray
Is this script any good to you?

http://www.databasejournal.com/features/mssql/article.php/2238221

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc A.
Mapplebeck
Sent: Thursday, 25 August 2005 12:43 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSN(No, this is not a typo!)

Hi everyone, I am having a problem here, and Google wants to keep asking
me if I mean DNS and screws up my search. I need to install a DSN for an
SQL server on all machines in my domain, but I am not aware of an easy
way to do this i.e. GPO. Is there a script out there to install a data
source on many machines? Any help would be appreciated. - Marc



RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Robert Bobel
I'm pretty much with Darren on this one. Keeping it organized over the long 
term may end up being a lot of trouble, especially if the environment is of a 
fairly large size.



From: [EMAIL PROTECTED] on behalf of RM
Sent: Wed 8/24/2005 6:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro



On Wed, 24 Aug 2005 15:47:10 -0700, "Darren Mar-Elia" <[EMAIL PROTECTED]> said:

> I suppose it's just me but in general I'm opposed to modifying an AD
> structure strictly to meet a single need such as this. If there are
> overwhelming business reasons to have those machines there in the first
> place, then moving them around to accommodate a particular GP problem is
> probably not a good idea, because, as we all know, there will be a new
> problem that will come along that will have a different set of
> requirements.


I can think of plenty of reasons to have a different OU for servers and no good 
reasons to not have this OU.  If I were tasked with the job of admin for this 
environment, creating and populating a servers OU would be one of my first 
tasks.

The second would be installing GPMC on my PC.  :-)

RM


[ActiveDir] DSN(No, this is not a typo!)

2005-08-24 Thread Marc A. Mapplebeck
Hi everyone, I am having a problem here, and Google wants to keep asking me
if I mean DNS and screws up my search. I need to install a DSN for an SQL
server on all machines in my domain, but I am not aware of an easy way to do
this i.e. GPO. Is there a script out there to install a data source on many
machines? Any help would be appreciated. - Marc



RE: [ActiveDir] OT: HP disk upgrade..

2005-08-24 Thread Brian Desmond
I'm with Jose on this, and in any case, I think you'd be better off not
taking the huge hit that rebuilding a RAID5 of this size is going to take,
and risking a disk crapping out on you during rebuild and losing it all
anyway. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Wednesday, August 24, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: HP disk upgrade..

Hi David,

Since you fail to mention which MSA you're running (MSA500, MSA1000, 
MSA1500) it is difficult for me to tell you if this will work, as I have 
only implemented and supported an MSA500 and an MSA1000. We just ordered a 
new MSA1500, but it has not arrived yet.

My understanding of HP's RAID controllers is that you can add the 300GB 
drives, but if you add them to the existing array you will only rebuild them 
utilizing the same drive capacity as the drives you are replacing.

Therefore unless HP has implemented a new feature that I am not aware of, 
you will have to clear your RAID config from the controller's NVRAM, and 
recreate the array using the 4 300GB drives. Or if you have 4 available 
slots, you should be able to create a second array of the 4 new drives 
virtually, and move your data between both RAID arrays.


Jose :-)


--
- Original Message - 
From: David Cliffe
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 24, 2005 3:52 AM
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I didn't see mention of RAID controller or O/S version, but do they support 
logical drive extension?  If so, how about this?  (though probably not much 
faster!)

- Backup data (if important enough...as you said this already is a backup)
- Remove one physical drive from the enclosure
- Replace it with a 300GB drive and let it rebuild completely
- Repeat this sequence 3 more times until all drives are 300GB
- Extend logical drive to full capacity via array config. utility
- Do same under O/S (Win 2003 "diskpart" utility is good for this)

Just a thought.

-DaveC
Reuters IS&T Service Delivery




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 23, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I believe that since they are backups, you have some flexibility.  For one 
thing, you can move the data around and store it on just one disk if you 
wanted to ([EMAIL PROTECTED] ~216GB vs. one 300GB disk) and then after the 
upgrade, move it back.  I'm sure there are other variations.

It would seem a little odd to backup a backup in order to accomplish this. 
You pretty much just need some temporary space while you do this.



Al



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 8/23/2005 4:04 AM
To: Active
Subject: [ActiveDir] OT: HP disk upgrade..


Hi,
Sorry for the OT, I have an HP server with an MSA enclosure attached which is
complete with 14 x 72GB disks. The enclosure uses 4 x 72GB disks in a RAID5 
set which are used to store backups. I need to upgrade these 4 disks with 
new 300GB disks. The disks are not used for any other purpose besides 
storing backups.

My initial thought was to do the following:

Backup the drive
Break the array
Remove existing disks
Insert new disks
Create new Array

Is there a better way to do it, or should this method work?

thanks
 - Frank




RE: [ActiveDir] SUS & Active Directory

2005-08-24 Thread Siscar, Emerson E.
Hello,

It should not be that way. You should apply your active directory group
policy on the OU where your machines are located. In your case, you must
have put your policy on the users OU instead. You can check if the
machine successfully updated by looking into the event viewer of the
machine or by looking into the windows update.log file. At the end of
this file, you will notice that the machine gets the update files in the
SUS server. 

Thanks 

Emer 

-Original Message-
From: Christine Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 23, 2005 10:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SUS & Active Directory

Hello,

I'm running Windows 2000 AD SP4 and I use SUS to deploy my patches.  I
have enabled "No Auto-Restart for scheduled automatic updates
installation", however it seems to only give admins of their local
machine the option to delay the reboot.  Is this a function by design or
am I doing something wrong?

Many thanks.


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread joe
I expect more than one person is confused by Dean's post since he is
responding to comments I sent to him offline... But since he brought it up
here, I guess I will respond here. :o)

BTW, the basics of the items brought up offline were...

1. The FSPs are for LDAP I think more than the DB underpinnings.

2. As an aside, if you had to guess, what do you think the query ANR=* gets
you. Don't look until you make your guess.


So now that you know the previous responses, Dean's response may make more
sense. Now on to my responses to Dean's responses to my offline responses.
;o)


1. We certainly could use something other than DNs to represent membership
in groups. The question is: of what? SIDs may, on the surface, seem like a
good answer. However I think there are three major failings to using SIDs.

A. This is an underpinning issue so I will let Dean/Brett and possibly ~Eric
duke it out, but the MV attributes that can contain the most values are
Linked-Value attributes. Those attributes currently need to be DN based.
This would mean if using SIDs you could put far less members in any given
group. Actually that goes for any attribute syntax other than the DN based
attribute syntaxes.  

B. Not every object you want to put in a group has a SID, do we then start
sticking SIDs on everything? That would seem to be a step backwards. Not
because SIDs are bad, but because MS doesn't seem to be really going forward
with them. Specifically, as a realistic example right now, think of contacts
in a mailenabled group. Further think of the future when people really start
using groups, say for example I want to group some OUs together for password
complexity but don't want to have them hierarchical or have to specify each
individually to the password filter I could add all of the OUs to a group.
The fact that member is a DN attribute makes that possible. If it were a
SID, then I couldn't do it because an OU doesn't have a SID. Already I have
seen several LDAP based applications that are used for security though not
for Windows Security. Windows security wouldn't touch the groups because the
groups aren't security enabled and have all sorts of different objects but
they are still used for security within the app. 

C. This isn't specifically against SIDs again like A, but I think the
defacto standard for LDAP representation of group members is DN based. 


I guess another mechanism that could be used is a unicode string attribute
where each value has a prefix like keywords are used for ADAM SCPs or each
value is a whole XML record which can be broken out. But at that point I
think we are adding confusion to applications and people looking at the
results. Of course you also have the problem outlined in 1A still. 

I am not saying that it can't be done, but I think it would take
considerable work to get there from where we are now and the first thing we
would need to do is decide if we were willing to break with the LDAP
"standard" for representing group membership.




2. The query of (ANR=*) is converted by AD into (FALSE). I agree that that
is probably in some way related to the fact that the query is converted to
some invalid value and bounced or the directory is tossing it out on its own
merit. For those not familiar with ANR, normally an ANR query will get
expanded to something a bit larger prior to the actual search, for instance
in my test forest that has Exchange in it (where ANR is used quite a bit)
the query (ANR=joe) gets converted to

(|
  (displayName=joe*)
  (mail=joe*)
  (givenName=joe*)
  (legacyExchangeDN=joe)
  (msDS-AdditionalSamAccountName=joe*)
  (mailNickname=joe*)
  (physicalDeliveryOfficeName=joe*)
  (proxyAddresses=joe*)
  (name=joe*)
  (sAMAccountName=joe*)
  (sn=joe*)
)

In ADAM that gets converted to

(|
  (displayName=joe*)
  (physicalDeliveryOfficeName=joe*)
  (proxyAddresses=joe*)
  (name=joe*)
)


So at a guess, anr=* gets converted to anr=** which is an invalid query.
Interestingly enough though, anr=joe* doesn't get converted to anr=joe** and
thrown out... Also interesting is that anr=*joe gets converted to
(). 

joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 24, 2005 1:24 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Enterprise Domain Controllers

Interesting conversation ... I'd certainly agree with Joe's assessment of
well-known membership in that the SIDs denote something that you are by
virtue of what you're doing as opposed to something that you are an
explicitly configured member of.

Assuming I understand you (Joe) correctly, you're saying that LDAP needs the
FSP (or FPO[1])  to maintain foreign domain membership since no object
reference exists locally?  If that understanding is correct, I would wonder
if you've (Joe) not been blinkered by the way we're doing it at present :o)


If I adopt the role of the devil's advocate for a second; who says that
group membership has to be maintaine
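
The ANR expansion joe traces above (one prefix match per ANR-flagged attribute, OR'd together), as an added PowerShell example that is not from the thread. The function names are my own; the attribute list defaults to the eleven attributes from joe's Exchange forest, and the value is RFC 4515-escaped before it is placed in the filter, which is where this deliberately differs from the server-side rewrites joe observed for "*" and "*joe".

```powershell
# Added example, not from the thread. Function names are my own.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a caller-supplied value can never add or close filter terms.
    # Backslash must be handled first or the escapes below would be re-escaped.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Expand-AnrFilter {
    param(
        [Parameter(Mandatory)][string]$Value,
        # Default: the ANR set joe's trace shows for a forest with Exchange
        [string[]]$AnrAttributes = @(
            'displayName', 'mail', 'givenName', 'legacyExchangeDN',
            'msDS-AdditionalSamAccountName', 'mailNickname',
            'physicalDeliveryOfficeName', 'proxyAddresses',
            'name', 'sAMAccountName', 'sn')
    )
    # ANR is a prefix search, so an empty value or a leading '*' has nothing to match on;
    # joe saw AD rewrite (ANR=*) to (FALSE) and (ANR=*joe) to (). Refuse such input here
    # instead of reproducing the server's rewrites.
    $trimmed = $Value.Trim()
    if ($trimmed -eq '' -or $trimmed.StartsWith('*')) {
        throw "ANR needs a non-empty value that does not start with '*': '$Value'"
    }
    $escaped = ConvertTo-LdapFilterValue $trimmed
    $terms = foreach ($attr in $AnrAttributes) {
        # In joe's trace legacyExchangeDN is matched exactly; every other attribute as a prefix.
        if ($attr -eq 'legacyExchangeDN') { "($attr=$escaped)" } else { "($attr=$escaped*)" }
    }
    '(|' + ($terms -join '') + ')'
}

# The Exchange-forest expansion joe pasted for (ANR=joe):
Expand-AnrFilter -Value 'joe'

# The four-attribute ADAM expansion he pasted:
Expand-AnrFilter -Value 'joe' -AnrAttributes @('displayName', 'physicalDeliveryOfficeName', 'proxyAddresses', 'name')

# A value containing filter metacharacters is escaped, not interpreted:
# each term becomes (<attr>=joe \28contractor\29*)
Expand-AnrFilter -Value 'joe (contractor)'
```
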

[ActiveDir] OT: ISA FW Client

2005-08-24 Thread Aaron Visser
I need to make it so that when a user logs into a computer they do not see
the FW icon in the tray. All I have been able to come up with is this info
from isaserver.org:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=27;t=000313

I tried the method of placing the following in All Users\Application
Data\Microsoft\Firewall Client 2004\Common.ini:
[TrayIcon]
TrayIconVisualState=1

But this does not seem to do anything. I even tried restarting after this and
still no luck, so then I tried it in the Management.ini and no luck there
either. So anyway I am getting frustrated and I am hoping that someone here
may have some insight into this. Also, is there any way to configure the client
so that it cannot be disabled? Are there any GPOs for this stuff?

Thanks,
Aaron Visser



RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread RM
On Wed, 24 Aug 2005 15:47:10 -0700, "Darren Mar-Elia" <[EMAIL PROTECTED]> said:

> I suppose it's just me but in general I'm opposed to modifying an AD
> structure strictly to meet a single need such as this. If there are
> overwhelming business reasons to have those machines there in the first
> place, then moving them around to accommodate a particular GP problem is
> probably not a good idea, because, as we all know, there will be a new
> problem that will come along that will have a different set of
> requirements.

I can think of plenty of reasons to have a different OU for servers and no
good reasons to not have this OU.  If I were tasked with the job of admin for
this environment, creating and populating a servers OU would be one of my
first tasks.

The second would be installing GPMC on my PC.  :-)

RM



RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Dean Wells
Since you now know WMI filters are ignored by 2000, as I see it you have 3
options ... all of which have been suggested in one form or another -

1. Place the Servers in a group and use security filtration to prevent the
GP's application against the group's members

2. Split the workstations and servers into separate OUs

3. Script the application of the policy contents (may or may not be doable
dependent upon what it is the policy in question does)

Isolating the computer accounts from one another by placing them in separate
OUs is my preference since it offers a long-term ease-of-management
advantage ... placing them in security groups will also work perfectly well.
Scripting either of these approaches is not a difficult exercise and could
even be done using 'Saved Queries' and the GUI should you have any uplevel
clients with an uplevel ADMINPAK.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines in
a domain?  WMI Filter is applied to 2000 machines so it'll run on 2000
server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469




RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Darren Mar-Elia
I suppose it's just me but in general I'm opposed to modifying an AD
structure strictly to meet a single need such as this. If there are
overwhelming business reasons to have those machines there in the first
place, then moving them around to accommodate a particular GP problem is
probably not a good idea, because, as we all know, there will be a new
problem that will come along that will have a different set of
requirements. That being said, if you have no particular rhyme or reason
for having computers in the Computers container, then it is very common
to create OUs by machine role, since roles like Server vs. Workstation
typically don't change over time; again, assuming that it meets your
larger business/security/delegation/management requirements. 

That is why my first recommendation in this case is to use something
like security group filtering so that you don't have to muck with the
organization of AD.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, August 24, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

Why not just move the servers to a new OU called Servers? and then move
the remaining computers into a new OU called Workstations?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro


I have over 2000 machines in my computers containers.  Is there any
other way?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 24, 2005 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


-
__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information.  If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited.  If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments.  Thank You.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Aaron Visser
Why not just move the servers to a new OU called Servers, and then move the
remaining computers into a new OU called Workstations?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro


I have over 2000 machines in my Computers container.  Is there any
other way?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 24, 2005 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Coleman, Hunter
I'd create the Workstations OU and the Servers OU. Then write a script
that looks at each of the machines in the computers container, and based
on what you find in the operatingSystem attribute have the script move
the object to the appropriate OU.

I'd also not leave new computer objects in the computers container. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

I have over 2000 machines in my Computers container.  Is there any
other way?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 24, 2005 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread RM
On Wed, 24 Aug 2005 18:04:13 -0400, "Harding, Devon"
<[EMAIL PROTECTED]> said:
> I have over 2000 machines in my Computers container.  Is there any
> other way?

It shouldn't take long to pull the servers out by hand and put them into
their own OU.  How many servers do you have?

RM
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Harding, Devon
I have over 2000 machines in my Computers container.  Is there any
other way?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 24, 2005 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Tony Murray
Is there any reason why you can't put the workstations and servers in
separate OUs and then link the GPO to the OU that contains the
workstations?  If this is not possible then you might consider group
filtering, i.e. put all servers in a group and exclude them from the
policy.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, 25 August 2005 9:40 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Ken Cornetet
WMI filters don't work for Windows 2000 (server or professional). Create
separate OUs for your servers and for your workstations. Link your GP
to the workstation OU.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
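
The OU-based approach that Hunter, Aaron, Tony and Ken describe (sort the Computers container into Servers and Workstations OUs by operatingSystem, then link the GPO to the Workstations OU), as an added PowerShell example. It is not code from anyone on the thread, and it uses the ActiveDirectory and GroupPolicy modules, which did not exist in 2005 when this would have been ADSI/VBScript. The OU names come from the thread; the GPO name 'XP-2000Pro-Settings' is assumed. It skips computer objects with no operatingSystem value (pre-staged, never-joined accounts) and only moves anything once $DryRun is set to $false.

```powershell
# Added example (not from the thread): split CN=Computers into Servers /
# Workstations OUs by operatingSystem, then link the GPO to Workstations.
# Requires RSAT: ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain      = Get-ADDomain
$domainDN    = $domain.DistinguishedName
$computersCN = $domain.ComputersContainer        # CN=Computers,DC=...
$serversOU   = "OU=Servers,$domainDN"
$workstnOU   = "OU=Workstations,$domainDN"
$gpoName     = 'XP-2000Pro-Settings'             # assumed GPO name
$DryRun      = $true                             # set to $false to move for real

# Create the two OUs if they are missing (safe to re-run).
foreach ($ou in @('Servers', 'Workstations')) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Direct children of the Computers container only; fetch operatingSystem once.
$computers = Get-ADComputer -Filter * -SearchBase $computersCN -SearchScope OneLevel -Properties operatingSystem

$moved = @{ Servers = 0; Workstations = 0; Skipped = 0 }
foreach ($c in $computers) {
    $os = $c.operatingSystem
    if ([string]::IsNullOrWhiteSpace($os)) {
        # No OS recorded: pre-staged or never-joined account. Leave it for a human.
        Write-Warning "Skipping $($c.Name): operatingSystem is empty"
        $moved.Skipped++
        continue
    }
    # 'Windows 2000 Server' matches; 'Windows 2000 Professional' and
    # 'Windows XP Professional' do not, which is the split Devon is after.
    $bucket = if ($os -match 'Server') { 'Servers' } else { 'Workstations' }
    $target = if ($bucket -eq 'Servers') { $serversOU } else { $workstnOU }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target -WhatIf:$DryRun
    $moved[$bucket]++
}
$moved   # summary of what was (or would be) moved

# Link the GPO to the Workstations OU only, once, when not in dry-run mode.
if (-not $DryRun) {
    $linked = (Get-GPInheritance -Target $workstnOU).GpoLinks | Where-Object DisplayName -eq $gpoName
    if (-not $linked) {
        New-GPLink -Name $gpoName -Target $workstnOU -LinkEnabled Yes -ErrorAction Stop
    }
}
```

Run it once with $DryRun left at $true and read the -WhatIf output and the warnings before flipping it. For Hunter's second point (new joins should not land in CN=Computers), the built-in redircmp.exe changes the default container once the domain functional level is Windows Server 2003, e.g. `redircmp "OU=Workstations,DC=corp,DC=example"` (placeholder DN).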


RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Darren Mar-Elia
WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
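
Darren's security-group filtering, as an added PowerShell example that is not code from the thread. The GPO name 'XP-2000Pro-Settings' and the group name 'GPO-XP-2000Pro-Apply' are assumed. Membership is derived from the operatingSystem attribute with an LDAP filter rather than maintained by hand, so 2000 Server boxes stay out. One caveat on top of Darren's 2005 advice: since Microsoft's June 2016 change to Group Policy processing, the computer account must still be able to read the GPO, so the example drops only Apply from Authenticated Users and keeps Read, instead of removing the ACE outright.

```powershell
# Added example (not from the thread): security-filter a GPO to a group of
# XP / 2000 Professional computers built from operatingSystem.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName   = 'XP-2000Pro-Settings'      # assumed GPO name
$groupName = 'GPO-XP-2000Pro-Apply'     # assumed group name
$domainDN  = (Get-ADDomain).DistinguishedName

# 1. Global security group that will carry the Apply permission.
$group = Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path "CN=Users,$domainDN" -PassThru
}

# 2. Membership from the directory: XP and 2000 Professional only.
#    'Windows 2000 Server' matches neither clause, so servers are excluded.
$ldap    = '(|(operatingSystem=Windows XP*)(operatingSystem=Windows 2000 Professional*))'
$targets = Get-ADComputer -LDAPFilter $ldap -Properties operatingSystem
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty distinguishedName
$toAdd    = $targets | Where-Object { $_.DistinguishedName -notin $current }
$toRemove = $current | Where-Object { $_ -notin $targets.DistinguishedName }
if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# 3. Security filter on the GPO.
#    Authenticated Users: keep Read, drop Apply (-Replace overwrites the old level).
#    The new group: Read + Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 4. Verify: the group should be the only trustee holding GpoApply.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer picks up a new group membership in its own token only at its next reboot, so do not judge the result from gpupdate alone; re-run step 2 on a schedule so machines that are rebuilt or reinstalled end up in the right place.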


[ActiveDir] GPO on XP & 2000 Pro

2005-08-24 Thread Harding, Devon
How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Win2k3 SP1 vs. W32Time

2005-08-24 Thread Free, Bob
We have some apps that did. What we did was establish a CNAME
imaginatively named AD :-)

We tell the developers that want to point to a DC for such things to use
the CNAME instead of hardcoding a DC and flip it to a different DC
before we reboot the one it is usually pointed to.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Wednesday, August 24, 2005 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win2k3 SP1 vs. W32Time

Point well taken.. come to think of it, I did work at a startup several 
years back that had a Java based web app using a specific DC for user 
authentication via LDAP. Thanks for pointing that out.

Jose
- Original Message - 
From: "Phil Renouf" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, August 24, 2005 11:09 AM
Subject: Re: [ActiveDir] Win2k3 SP1 vs. W32Time


If you do something like this then you want to be 100% sure that there
are no applications out there using your DC name specifically for
authentication or LDAP queries and that there are no clients with
LMHOSTS file entries etc.

Phil

On 8/24/05, Jose Medeiros <[EMAIL PROTECTED]> wrote:
> Hi David,
>
> I just wanted to let you know that we upgraded one of our domains to AD
> 2003 with SP1 several months ago and have not seen the issue that you are
> having.
>
> Also the reason why you have multiple DCs is so if one goes down, the
> others can still authenticate the clients, so unless you are also using
> your DCs as file and print servers, rebooting one during the day would
> hardly be noticeable (rebooting them during a lunch break is probably
> best). I am sure that others on the list may have an argument to
> challenge what I just stated, however I would love to hear it.
>
> Jose :-)
>
>
> - Original Message -
> From: "David Aragon" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, August 23, 2005 7:26 PM
> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
>
>
> > David,
> >
> > Yes, I tried them both, step by step, exactly as the KB described: the
> > first on DC1, the second on DC2, and both on DC3.  Each time with no joy.
> > There was nothing about rebooting in the article, but I did restart Net
> > Logon Service after each workaround was attempted.  I won't be able to
> > reboot any of the DCs for several more hours.
> >
> > David Aragon
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> >> Sent: Tuesday, August 23, 2005 6:02 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
> >>
> >> *cough*  That's the KB he referenced.  :)
> >>
> >> David, did you try both workarounds or just one of them?  Did
> >> you try rebooting after making the changes?  Can you
> >> describe the exact things you did?
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of
> >> Thommes, Michael M.
> >> Sent: Tuesday, August 23, 2005 7:29 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
> >>
> >> see http://support.microsoft.com/?kbid=892501&SD=tech
> >>
> >> Mike Thommes
> >>
> >> 
> >>
> >> From: [EMAIL PROTECTED] on behalf of David Aragon
> >> Sent: Tue 8/23/2005 6:40 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: [ActiveDir] Win2k3 SP1 vs. W32Time
> >>
> >>
> >>
> >> We just upgraded our 2k3 DC's to SP1 this last weekend after
> >> several months of testing and re-testing.  Shortly afterwards
> >> I noticed that the time service was stopped with error ID
> >> 7023 & 46 (see below).  I went through the steps listed in
> >> kb892501 but to no avail.  This issue did not appear in any
> >> of our test setups, however all our production DC's exhibit
> >> the behavior.
> >> Does anyone have any suggestions or ideas?
> >>
> >> David Aragon
> >>
> >> Event Type: Error
> >> Event Source:   Service Control Manager
> >> Event Category: None
> >> Event ID:   7023
> >> Date:   8/23/2005
> >> Time:   3:58:47 PM
> >> User:   N/A
> >> Description:
> >> The Windows Time service terminated with the following error:
> >> Not all privileges referenced are assigned to the caller.
> >>
> >> Event Type: Error
> >> Event Source:   W32Time
> >> Event Category: None
> >> Event ID:   46
> >> Date:   8/23/2005
> >> Time:   3:58:47 PM
> >> User:   N/A
> >> Description:
> >> The time service encountered an error and was forced to shut down.
> >> The error was: 0x80070514: Not all privileges referenced are
> >> assigned to the caller.
> >>
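
Bob's "point the apps at a CNAME, not at a DC" trick, scripted as an added PowerShell example; this is not Bob's code, and it assumes the DnsServer and ActiveDirectory modules (2012 and later; in 2005 the equivalent was `dnscmd /recordadd`). The zone corp.example, the alias name ad and the function names are assumptions. Phil's warning is about apps that name a DC directly; the alias has a related trap the example handles: if an app binds over LDAP with Kerberos using the alias name, the DC behind the alias must hold the SPN ldap/ad.corp.example, and only one account may hold a given SPN. Without it the bind fails or silently falls back to NTLM, which is exactly the kind of thing you want to notice before rebooting a DC, not after.

```powershell
# Added example (not from the thread): move a DC alias CNAME to another DC
# and carry the matching LDAP SPN along with it.
Import-Module DnsServer
Import-Module ActiveDirectory

$zone  = 'corp.example'     # assumed AD-integrated zone
$alias = 'ad'               # Bob's CNAME: ad.corp.example

# Current target of the alias (FQDN without trailing dot), or $null if absent.
function Get-DcAliasTarget {
    $rec = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName -ErrorAction SilentlyContinue
    if ($rec) { $rec.RecordData.HostNameAlias.TrimEnd('.') }
}

function Set-DcAlias {
    param([Parameter(Mandatory)][string]$NewDc)   # e.g. dc02.corp.example

    # Refuse anything that is not a domain controller of this domain.
    $dc  = Get-ADDomainController -Identity $NewDc -ErrorAction Stop
    $old = Get-DcAliasTarget
    if ($old -eq $dc.HostName) { Write-Host "Alias already points at $old"; return }

    # SPN first, so the new target can accept Kerberos for the alias name.
    $spn = "ldap/$alias.$zone"
    if ($old) {
        $oldAcct = (Get-ADDomainController -Identity $old).ComputerObjectDN
        Set-ADObject -Identity $oldAcct -Remove @{ servicePrincipalName = $spn }
    }
    Set-ADObject -Identity $dc.ComputerObjectDN -Add @{ servicePrincipalName = $spn }

    # Replace the CNAME. Remove/Add is simpler than Set-DnsServerResourceRecord's
    # old-object/new-object form and is fine for a record that changes rarely.
    if ($old) {
        Remove-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName -Force
    }
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias `
        -HostNameAlias "$($dc.HostName)." -TimeToLive (New-TimeSpan -Minutes 5)
    Write-Host "$alias.$zone now points at $($dc.HostName)"
}

# Before rebooting dc01 (usage, not run on import):
# Set-DcAlias -NewDc dc02.corp.example
```

Two things limit how fast the flip takes effect: clients cache the CNAME for its TTL (kept short above on purpose), and a client that already holds a Kerberos ticket for the alias SPN keeps using it until it expires or is purged, so allow a few minutes between the flip and the reboot rather than doing them back to back.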

Re: [ActiveDir] Win2k3 SP1 vs. W32Time

2005-08-24 Thread Jose Medeiros
Point well taken.. come to think of it, I did work at a startup several 
years back that had a Java based web app using a specific DC for user 
authentication via LDAP. Thanks for pointing that out.


Jose
- Original Message - 
From: "Phil Renouf" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, August 24, 2005 11:09 AM
Subject: Re: [ActiveDir] Win2k3 SP1 vs. W32Time


If you do something like this then you want to be 100% sure that there
are no applications out there using your DC name specifically for
authentication or LDAP queries and that there are no clients with
LMHOSTS file entries etc.

Phil

On 8/24/05, Jose Medeiros <[EMAIL PROTECTED]> wrote:

Hi David,

I just wanted to let you know that we upgraded one of our domains to AD
2003 with SP1 several months ago and have not seen the issue that you are
having.

Also the reason why you have multiple DCs is so if one goes down, the
others can still authenticate the clients, so unless you are also using
your DCs as file and print servers, rebooting one during the day would
hardly be noticeable (rebooting them during a lunch break is probably
best). I am sure that others on the list may have an argument to
challenge what I just stated, however I would love to hear it.

Jose :-)


- Original Message -
From: "David Aragon" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, August 23, 2005 7:26 PM
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time


> David,
>
> Yes, I tried them both, step by step, exactly as the KB described: the
> first on DC1, the second on DC2, and both on DC3.  Each time with no joy.
> There was nothing about rebooting in the article, but I did restart Net
> Logon Service after each workaround was attempted.  I won't be able to
> reboot any of the DCs for several more hours.
>
> David Aragon
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
>> Sent: Tuesday, August 23, 2005 6:02 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
>>
>> *cough*  That's the KB he referenced.  :)
>>
>> David, did you try both workarounds or just one of them?  Did
>> you try rebooting after making the changes?  Can you
>> describe the exact things you did?
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of
>> Thommes, Michael M.
>> Sent: Tuesday, August 23, 2005 7:29 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
>>
>> see http://support.microsoft.com/?kbid=892501&SD=tech
>>
>> Mike Thommes
>>
>> 
>>
>> From: [EMAIL PROTECTED] on behalf of David Aragon
>> Sent: Tue 8/23/2005 6:40 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] Win2k3 SP1 vs. W32Time
>>
>>
>>
>> We just upgraded our 2k3 DC's to SP1 this last weekend after
>> several months of testing and re-testing.  Shortly afterwards
>> I noticed that the time service was stopped with error ID
>> 7023 & 46 (see below).  I went through the steps listed in
>> kb892501 but to no avail.  This issue did not appear in any
>> of our test setups, however all our production DC's exhibit
>> the behavior.
>> Does anyone have any suggestions or ideas?
>>
>> David Aragon
>>
>> Event Type: Error
>> Event Source:   Service Control Manager
>> Event Category: None
>> Event ID:   7023
>> Date:   8/23/2005
>> Time:   3:58:47 PM
>> User:   N/A
>> Description:
>> The Windows Time service terminated with the following error:
>> Not all privileges referenced are assigned to the caller.
>>
>> Event Type: Error
>> Event Source:   W32Time
>> Event Category: None
>> Event ID:   46
>> Date:   8/23/2005
>> Time:   3:58:47 PM
>> User:   N/A
>> Description:
>> The time service encountered an error and was forced to shut down.
>> The error was: 0x80070514: Not all privileges referenced are
>> assigned to the caller.
>>


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Win2k3 SP1 vs. W32Time

2005-08-24 Thread Phil Renouf
If you do something like this then you want to be 100% sure that there
are no applications out there using your DC name specifically for
authentication or LDAP queries and that there are no clients with
LMHOSTS file entries etc.

Phil

On 8/24/05, Jose Medeiros <[EMAIL PROTECTED]> wrote:
> Hi David,
> 
> I just wanted to let you know that we upgraded one of our domains to AD
> 2003 with SP1 several months ago and have not seen the issue that you are
> having.
> 
> Also the reason why you have multiple DCs is so if one goes down, the
> others can still authenticate the clients, so unless you are also using
> your DCs as file and print servers, rebooting one during the day would
> hardly be noticeable (rebooting them during a lunch break is probably
> best). I am sure that others on the list may have an argument to challenge
> what I just stated, however I would love to hear it.
> 
> Jose :-)
> 
> 
> - Original Message -
> From: "David Aragon" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, August 23, 2005 7:26 PM
> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
> 
> 
> > David,
> >
> > Yes, I tried them both, step by step, exactly as the KB described: the
> > first on DC1, the second on DC2, and both on DC3.  Each time with no joy.
> > There was nothing about rebooting in the article, but I did restart Net
> > Logon Service after each workaround was attempted.  I won't be able to
> > reboot any of the DCs for several more hours.
> >
> > David Aragon
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> >> Sent: Tuesday, August 23, 2005 6:02 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
> >>
> >> *cough*  That's the KB he referenced.  :)
> >>
> >> David, did you try both workarounds or just one of them?  Did
> >> you try rebooting after making the changes?  Can you
> >> describe the exact things you did?
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of
> >> Thommes, Michael M.
> >> Sent: Tuesday, August 23, 2005 7:29 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
> >>
> >> see http://support.microsoft.com/?kbid=892501&SD=tech
> >>
> >> Mike Thommes
> >>
> >> 
> >>
> >> From: [EMAIL PROTECTED] on behalf of David Aragon
> >> Sent: Tue 8/23/2005 6:40 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: [ActiveDir] Win2k3 SP1 vs. W32Time
> >>
> >>
> >>
> >> We just upgraded our 2k3 DC's to SP1 this last weekend after
> >> several months of testing and re-testing.  Shortly afterwards
> >> I noticed that the time service was stopped with error ID
> >> 7023 & 46 (see below).  I went through the steps listed in
> >> kb892501 but to no avail.  This issue did not appear in any
> >> of our test setups, however all our production DC's exhibit
> >> the behavior.
> >> Does anyone have any suggestions or ideas?
> >>
> >> David Aragon
> >>
> >> Event Type: Error
> >> Event Source:   Service Control Manager
> >> Event Category: None
> >> Event ID:   7023
> >> Date:   8/23/2005
> >> Time:   3:58:47 PM
> >> User:   N/A
> >> Description:
> >> The Windows Time service terminated with the following error:
> >> Not all privileges referenced are assigned to the caller.
> >>
> >> Event Type: Error
> >> Event Source:   W32Time
> >> Event Category: None
> >> Event ID:   46
> >> Date:   8/23/2005
> >> Time:   3:58:47 PM
> >> User:   N/A
> >> Description:
> >> The time service encountered an error and was forced to shut down.
> >> The error was: 0x80070514: Not all privileges referenced are
> >> assigned to the caller.
> >>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: HP disk upgrade..

2005-08-24 Thread Jeff Green
Hi Frank,


I believe this (or a very similar question) has been answered in
the HP Support Forums.

I suggest you go to www.hp.com and go from there, search for MSA1000.

The MSA 1000 does not support the full dynamic logical volume expansion
business, etc.; you need an ESA for that (rumoured in a "future firmware
update").

Apparently you can replace each disk in a RAID set individually, allow the
rebuild to take place and then replace the next. Can take a long time
(depends on how busy the controller(s) is/are), but you can then use the
extra space. I believe you can only expand the last logical volume or use
the space to create a new logical volume.

There are issues to do with redundancy whilst the volume is rebuilding;
depends whether you have RAID-5 or RAID-ADV(6) and standbys, etc.

You need to do a full backup before you do anything of course.


Regards,
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: 24 August 2005 17:21
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: HP disk upgrade..

Hi David,

Since you fail to mention which MSA you're running (MSA500, MSA1000,
MSA1500) it is difficult for me to tell you if this will work, as I
have only implemented and supported an MSA500 and an MSA 1000. We just
ordered a new MSA1500, but it has not arrived yet.

My understanding of HP's RAID controllers is that if you add the 300gb
drives to the existing array, you will only rebuild them utilizing the
same drive capacity as the drives you are replacing.

Therefore, unless HP has implemented a new feature that I am not aware
of, you will have to clear your RAID config from the controller's NVRAM
and recreate the array using the 4 300gb drives. Or, if you have 4
available slots, you should be able to create a second array of the 4
new drives virtually, and move your data between both RAID arrays.


Jose :-)


--
- Original Message -
From: David Cliffe
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 24, 2005 3:52 AM
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I didn't see mention of RAID controller or O/S version, but do they
support logical drive extension?  If so, how about this?  (though
probably not much faster!)

- Backup data (if important enough...as you said this already is a backup)
- Remove one physical drive from the enclosure
- Replace it with a 300GB drive and let it rebuild completely
- Repeat this sequence 3 more times until all drives are 300GB
- Extend logical drive to full capacity via array config. utility
- Do same under O/S (Win 2003 "diskpart" utility is good for this)

Just a thought.

-DaveC
Reuters IS&T Service Delivery




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 23, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I believe that since they are backups, you have some flexibility.  For
one thing, you can move the data around and store it on just one disk if
you wanted to ([EMAIL PROTECTED] ~216GB vs. one 300GB disk) and then after the
upgrade, move it back.  I'm sure there are other variations.

It would seem a little odd to backup a backup in order to accomplish
this.  You pretty much just need some temporary space while you do this.



Al



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 8/23/2005 4:04 AM
To: Active
Subject: [ActiveDir] OT: HP disk upgrade..


Hi,
Sorry for the OT, I have an HP server with an MSA enclosure attached
which is complete with 14 x 72gb disks. The enclosure uses 4 x 72gb disks
in a RAID5 set which are used to store backups. I need to upgrade these 4
disks with new 300gb disks. The disks are not used for any other purpose
besides storing backups.

My initial thought was to do the following:

Backup the drive
Break the array
Remove existing disks
Insert new disks
Create new Array

Is there a better way to do it, or should this method work?

thanks
 - Frank



RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Dean Wells
Interesting conversation ... I'd certainly agree with Joe's assessment of
well-known membership in that the SIDs denote something that you are by
virtue of what you're doing as opposed to something that you are an
explicitly configured member of.

Assuming I understand you (Joe) correctly, you're saying that LDAP needs the
FSP (or FPO[1])  to maintain foreign domain membership since no object
reference exists locally?  If that understanding is correct, I would wonder
if you've (Joe) not been blinkered by the way we're doing it at present :o)


If I adopt the role of the devil's advocate for a second; who says that
group membership has to be maintained using a pair of database-local objects
(or rows if we're to expand the terminology) ... that was intended as a
rhetorical question but please feel free to offer up an opinion.  I
certainly agree that the current approach offers many advantages and that its
absence would likely cause an array of potentially painful scenarios but
when used within the context of foreign membership, such justifications
don't apply IMO ... for example, why not merely maintain the member's SID in
those instances where the member exists in a foreign forest or is
well-known?  Maybe because this single property wasn't designed to (or
can't) work in a way requiring 2 distinct behaviors and FSPs are a means of
'making it fit' the behavior that we do have.  That's nothing more than a
hypothesis since I'm not aware of the motivation behind such design
decisions.  Anyway, with all of that said, I remain unconvinced that FSPs
should be deemed a requirement of LDAP.

Regarding your earlier ANR question; that's interesting, I'd expected far
more than an empty result set.  It appears to be using the generic dn index
(i.e. the index that it reverts to when a non-existent property is specified
within the filter).  I suppose this may indicate that the ANR behaviors are
not triggered when wildcarding the entire value ... possibly because ANR
uses an implicitly wildcarded query which is mis-generated and dismissed
when it results in a double asterisk (**) or because it is designed to
ignore silly queries ?? :o)

[1] FSP vs. FPO - that specific piece of terminology seems to depend on
whether you're an aging Borg or just a familiar.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 24, 2005 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers

I would stay the course and say there is no membership. 

There are security principals that could have the SID added to their token
which I agree is most likely controlled by userAccountControl & 8192.
However it is a state of being authenticated coupled with being a domain
controller that controls what objects have that SID at any given moment. 

It is like an authenticated user, what is the membership? Given the idea
stated below, authenticated users are any security principal that can be
authenticated, but wait, if someone isn't logged on, how could they be
"authenticated"? We know that authenticated users are only the users that
are currently authenticated and have the authenticated users SID in their
token. 

Now for a group which has real membership. You can look at an attribute and
it tells you who is at this exact moment a member of the group. State of
authentication has no bearing. For instance, if you have Exchange,
mail-enable and send an email to some random group you have in your domain.
Then try the same with Enterprise Domain Controllers. 

Those are some of the reasons why I say there is no membership to list,
there are only principals that occasionally have the SID in their token. If
you want, I guess you could consider it a dynamic group with the membership,
if I were to admit it had membership, completely dependent on the state of
being both a domain controller (or at least flagged in a way in the
directory to indicate such) and authenticated.


:o)


   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, August 24, 2005 11:48 AM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] Enterprise Domain Controllers


After reading joe's description, which sounds accurate to a non-expert like
myself, I am willing to raise my confidence in my answer from a measly 12%
to a full 17%.

Well, I agree with most of what joe said, except for the part about not
being able to "look" at the membership, you _sort of_ can as I alluded to in
my mail, just not via the typical member attribute as joe was pointing out.

Cheers,
Brett

On Wed, 24 Aug 2005, Dean Wells wrote:

>  
> To further clarify Joe's point; the subset of 
> foreignSecurityPrincipals within the domain NC under the 
> ForeignSecurityPrincipals container (many [or all] of which will be 
> well-known secur

RE: [ActiveDir] Win2k3 SP1 vs. W32Time

2005-08-24 Thread Kitchens Arthur E
NT AUTHORITY\LOCAL SERVICE needs read perms on netlogon service.  Least that seems to have addressed the issue for us. 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Aragon
Sent: Tuesday, August 23, 2005 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time


David,


Yes, I tried them both, step by step, exactly as the KB described: the first on DC1, the second on DC2, and both on DC3.  Each time with no joy.  There was nothing about rebooting in the article, but I did restart Net Logon Service after each workaround was attempted.  I won't be able to reboot any of the DC's for several more hours.

David Aragon  


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
> Sent: Tuesday, August 23, 2005 6:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
> 
> *cough*  That's the KB he referenced.  :)
> 
> David, did you try both workarounds or just one of them?  Did you try 
> rebooting after making the changes?  Can you describe the exact 
> things you did?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, 
> Michael M.
> Sent: Tuesday, August 23, 2005 7:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time
> 
> see http://support.microsoft.com/?kbid=892501&SD=tech
>  
> Mike Thommes
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of David Aragon
> Sent: Tue 8/23/2005 6:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Win2k3 SP1 vs. W32Time
> 
> 
> 
> We just upgraded our 2k3 DC's to SP1 this last weekend after several 
> months of testing and re-testing.  Shortly afterwards I noticed that 
> the time service was stopped with error ID
> 7023 & 46 (see below).  I went through the steps listed in
> kb892501 but to no avail.  This issue did not appear in any of our 
> test setups, however all our production DC's exhibit the behavior.
> Does anyone have any suggestions or ideas?
> 
> David Aragon
> 
> Event Type: Error
> Event Source:   Service Control Manager
> Event Category: None
> Event ID:   7023
> Date:   8/23/2005
> Time:   3:58:47 PM
> User:   N/A
> Description:
> The Windows Time service terminated with the following error:
> Not all privileges referenced are assigned to the caller.
> 
> Event Type: Error
> Event Source:   W32Time
> Event Category: None
> Event ID:   46
> Date:   8/23/2005
> Time:   3:58:47 PM
> User:   N/A
> Description:
> The time service encountered an error and was forced to shut down.
> The error was: 0x80070514: Not all privileges referenced are assigned 
> to the caller.
> 



RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread joe
I would stay the course and say there is no membership. 

There are security principals that could have the SID added to their token
which I agree is most likely controlled by userAccountControl & 8192.
However it is a state of being authenticated coupled with being a domain
controller that controls what objects have that SID at any given moment. 

It is like an authenticated user, what is the membership? Given the idea
stated below, authenticated users are any security principal that can be
authenticated, but wait, if someone isn't logged on, how could they be
"authenticated"? We know that authenticated users are only the users that
are currently authenticated and have the authenticated users SID in their
token. 

Now for a group which has real membership. You can look at an attribute and
it tells you who is at this exact moment a member of the group. State of
authentication has no bearing. For instance, if you have Exchange,
mail-enable and send an email to some random group you have in your domain.
Then try the same with Enterprise Domain Controllers. 

Those are some of the reasons why I say there is no membership to list,
there are only principals that occasionally have the SID in their token. If
you want, I guess you could consider it a dynamic group with the membership,
if I were to admit it had membership, completely dependent on the state of
being both a domain controller (or at least flagged in a way in the
directory to indicate such) and authenticated.


:o)


   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, August 24, 2005 11:48 AM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] Enterprise Domain Controllers


After reading joe's description, which sounds accurate to a non-expert like
myself, I am willing to raise my confidence in my answer from a measly 12%
to a full 17%.

Well, I agree with most of what joe said, except for the part about not
being able to "look" at the membership, you _sort of_ can as I alluded to in
my mail, just not via the typical member attribute as joe was pointing out.

Cheers,
Brett

On Wed, 24 Aug 2005, Dean Wells wrote:

>  
> To further clarify Joe's point; the subset of 
> foreignSecurityPrincipals within the domain NC under the 
> ForeignSecurityPrincipals container (many [or all] of which will be 
> well-known security principals) are present there because of a
> relationship with another object within that partition.
> 
> The foreignSecurityPrincipals within the config. NC serve as a 
> template and represent the well-known security principals listed by 
> the object picker when, for example, editing an ACL (do not test this 
> by deleting one, unless it's a sandpit, since recreating them can be
> problematic).
> 
> As a general rule of thumb, and as far as I can recollect, foreign 
> security principals are created to represent any security principal 
> that cannot be resolved by a forest-local GC, e.g. users from a 
> foreign forest's domain or well-known security principals ... 
>  and are necessary because of the archaic underlying database 
> engine we continue to insist on using :o) .
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, August 24, 2005 9:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers
> 
> It isn't an actual group. 
> 
> It is a Well-Known security principal (SID=S-1-5-9) like Authenticated 
> Users or Everyone or Terminal Server User. You don't have the ability 
> to look at the membership, let alone modify it. When a token for a 
> domain controller is built, the SID is simply added to it.
> 
> It is represented in the directory as a foreignSecurityPrincipal so it 
> can be added to groups and ACEs like Everyone is. As Tom indicated, it 
> is maintained in the Wellknown Security Principals container of the 
> configuration partition with other Well Known Security Principals.
> 
> Here is a quick listing of all the FSPs listed in that container
> 
> Anonymous Logon
> Authenticated Users
> Batch
> Creator Group
> Creator Owner
> Dialup
> Digest Authentication
> Enterprise Domain Controllers
> Everyone
> Interactive
> Local Service
> Network
> Network Service
> NTLM Authentication
> Other Organization
> Proxy
> Remote Interactive Logon
> Restricted
> SChannel Authentication
> Self
> Service
> Terminal Server User
> This Organization
> Well-Known-Security-Id-System
> WellKnown Security Principals
> 
> 
> joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
> Sent: Wednesday, August 24, 2005 5:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers
> 
> Hey All,
> 
> Can anyone tell me where this group is store

Re: [ActiveDir] Win2k3 SP1 vs. W32Time

2005-08-24 Thread Jose Medeiros

Hi David,

I just wanted to let you know that we upgraded one of our domains to AD 
2003 with SP1 several months ago and have not seen the issue that you are 
having.

Also, the reason why you have multiple DC's is so that if one goes down, the 
others can still authenticate the clients, so unless you are also using 
your DC's as file and print servers, rebooting one during the day would 
hardly be noticeable (rebooting them during a lunch break is probably 
best). I am sure that others on the list may have an argument to challenge 
what I just stated, however I would love to hear it.


Jose :-)


- Original Message - 
From: "David Aragon" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, August 23, 2005 7:26 PM
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time



David,

Yes, I tried them both, step by step, exactly as the KB described: the first
on DC1, the second on DC2, and both on DC3.  Each time with no joy.  There
was nothing about rebooting in the article, but I did restart Net Logon
Service after each workaround was attempted.  I won't be able to reboot any
of the DC's for several more hours.

David Aragon


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Tuesday, August 23, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time

*cough*  That's the KB he referenced.  :)

David, did you try both workarounds or just one of them?  Did
you try rebooting after making the changes?  Can you
describe the exact things you did?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Thommes, Michael M.
Sent: Tuesday, August 23, 2005 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win2k3 SP1 vs. W32Time

see http://support.microsoft.com/?kbid=892501&SD=tech

Mike Thommes



From: [EMAIL PROTECTED] on behalf of David Aragon
Sent: Tue 8/23/2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win2k3 SP1 vs. W32Time



We just upgraded our 2k3 DC's to SP1 this last weekend after
several months of testing and re-testing.  Shortly afterwards
I noticed that the time service was stopped with error ID
7023 & 46 (see below).  I went through the steps listed in
kb892501 but to no avail.  This issue did not appear in any
of our test setups, however all our production DC's exhibit
the behavior.
Does anyone have any suggestions or ideas?

David Aragon

Event Type: Error
Event Source:   Service Control Manager
Event Category: None
Event ID:   7023
Date:   8/23/2005
Time:   3:58:47 PM
User:   N/A
Description:
The Windows Time service terminated with the following error:
Not all privileges referenced are assigned to the caller.

Event Type: Error
Event Source:   W32Time
Event Category: None
Event ID:   46
Date:   8/23/2005
Time:   3:58:47 PM
User:   N/A
Description:
The time service encountered an error and was forced to shut down.
The error was: 0x80070514: Not all privileges referenced are
assigned to the caller.



RE: [ActiveDir] File Replication

2005-08-24 Thread Joseph B. Luptak
Thanks…


Luptak, Joseph B.
Information Resources Group, Advanced Technology Program
[EMAIL PROTECTED]
(301) 975-3940


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 24, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Replication

 

We use robocopy if that’s any
indicator.  I won’t consider going to FRS again without R2 code.


:m:dsm:cci:mvp

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph B. Luptak
Sent: Tuesday, August 23, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] File Replication

Has anybody had issues with using the File Replication
Service associated with DFS? We have tried to replicate certain DFS directories
and our users ran into issues when two people would try to open / update files
in these directories at the same time. Any advice?


Thanks in advance,

Luptak, Joseph B.
Information Resources Group, Advanced Technology Program
[EMAIL PROTECTED]
(301) 975-3940


Re: [ActiveDir] OT: HP disk upgrade..

2005-08-24 Thread Jose Medeiros

Hi David,

Since you fail to mention which MSA you're running (MSA500, MSA1000, 
MSA1500) it is difficult for me to tell you if this will work, as I have 
only implemented and supported an MSA500 and an MSA 1000. We just ordered a 
new MSA1500, but it has not arrived yet.

My understanding of HP's RAID controllers is that if you add the 300gb drives 
to the existing array, you will only rebuild them utilizing the same drive 
capacity as the drives you are replacing.

Therefore, unless HP has implemented a new feature that I am not aware of, 
you will have to clear your RAID config from the controller's NVRAM and 
recreate the array using the 4 300gb drives. Or, if you have 4 available 
slots, you should be able to create a second array of the 4 new drives 
virtually, and move your data between both RAID arrays.



Jose :-)

--
- Original Message - 
From: David Cliffe

To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 24, 2005 3:52 AM
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I didn't see mention of RAID controller or O/S version, but do they support 
logical drive extension?  If so, how about this?  (though probably not much 
faster!)

- Backup data (if important enough...as you said this already is a backup)
- Remove one physical drive from the enclosure
- Replace it with a 300GB drive and let it rebuild completely
- Repeat this sequence 3 more times until all drives are 300GB
- Extend logical drive to full capacity via array config. utility
- Do same under O/S (Win 2003 "diskpart" utility is good for this)

Just a thought.

-DaveC
Reuters IS&T Service Delivery




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Sent: Tuesday, August 23, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I believe that since they are backups, you have some flexibility.  For one 
thing, you can move the data around and store it on just one disk if you 
wanted to ([EMAIL PROTECTED] ~216GB vs. one 300GB disk) and then after the 
upgrade, move it back.  I'm sure there are other variations.


It would seem a little odd to backup a backup in order to accomplish this. 
You pretty much just need some temporary space while you do this.




Al



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 8/23/2005 4:04 AM
To: Active
Subject: [ActiveDir] OT: HP disk upgrade..


Hi,
Sorry for the OT, I have an HP server with an MSA enclosure attached which is 
complete with 14 x 72gb disks. The enclosure uses 4 x 72gb disks in a RAID5 
set which are used to store backups. I need to upgrade these 4 disks with 
new 300gb disks. The disks are not used for any other purpose besides 
storing backups.


My initial thought was to do the following:

Backup the drive
Break the array
Remove existing disks
Insert new disks
Create new Array

Is there a better way to do it, or should this method work?

thanks
- Frank




RE: [ActiveDir] File Replication

2005-08-24 Thread Marcus.Oh
We use robocopy if that’s any
indicator.  I won’t consider going to FRS again without R2 code.

:m:dsm:cci:mvp

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph B. Luptak
Sent: Tuesday, August 23, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] File Replication


Has anybody had issues with using the File Replication
Service associated with DFS? We have tried to replicate certain DFS directories
and our users ran into issues when two people would try to open / update files in
these directories at the same time. Any advice?

Thanks in advance,

Luptak, Joseph B.
Information Resources Group, Advanced Technology Program
[EMAIL PROTECTED]
(301) 975-3940


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Brett Shirley

After reading joe's description, which sounds accurate to a non-expert
like myself, I am willing to raise my confidence in my answer from a
measly 12% to a full 17%.

Well, I agree with most of what joe said, except for the part about not
being able to "look" at the membership, you _sort of_ can as I alluded to
in my mail, just not via the typical member attribute as joe was pointing
out.

Cheers,
Brett

On Wed, 24 Aug 2005, Dean Wells wrote:

>  
> To further clarify Joe's point; the subset of foreignSecurityPrincipals
> within the domain NC under the ForeignSecurityPrincipals container (many [or
> all] of which will be well-known security principals) are present there
> because of a relationship with another object within that partition.  
> 
> The foreignSecurityPrincipals within the config. NC serve as a template and
> represent the well-known security principals listed by the object picker
> when, for example, editing an ACL (do not test this by deleting one, unless
> it's a sandpit, since recreating them can be problematic).
> 
> As a general rule of thumb, and as far as I can recollect, foreign security
> principals are created to represent any security principal that cannot be
> resolved by a forest-local GC, e.g. users from a foreign forest's domain or
> well-known security principals ...  and are necessary because of
> the archaic underlying database engine we continue to insist on using :o)
> .
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, August 24, 2005 9:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers
> 
> It isn't an actual group. 
> 
> It is a Well-Known security principal (SID=S-1-5-9) like Authenticated Users
> or Everyone or Terminal Server User. You don't have the ability to look at
> the membership, let alone modify it. When a token for a domain controller is
> built, the SID is simply added to it. 
> 
> It is represented in the directory as a foreignSecurityPrincipal so it can
> be added to groups and ACEs like Everyone is. As Tom indicated, it is
> maintained in the Wellknown Security Principals container of the
> configuration partition with other Well Known Security Principals. 
> 
> Here is a quick listing of all the FSPs listed in that container
> 
> Anonymous Logon
> Authenticated Users
> Batch
> Creator Group
> Creator Owner
> Dialup
> Digest Authentication
> Enterprise Domain Controllers
> Everyone
> Interactive
> Local Service
> Network
> Network Service
> NTLM Authentication
> Other Organization
> Proxy
> Remote Interactive Logon
> Restricted
> SChannel Authentication
> Self
> Service
> Terminal Server User
> This Organization
> Well-Known-Security-Id-System
> WellKnown Security Principals
> 
> 
> joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
> Sent: Wednesday, August 24, 2005 5:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers
> 
> Hey All,
> 
> Can anyone tell me where this group is stored?  It isn't in the directory,
> and it isn't a local group...any ideas on how to check its membership list
> is correct?
> 
> TIA,
> 
> 
> Brad
> 
> 
> 
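An added example (not code from the list, from Microsoft, or from any poster) that models what joe and Dean describe above: it decodes the binary objectSid of a foreignSecurityPrincipal into its S-1-5-9 string form and decides from userAccountControl bit 8192 (the SERVER_TRUST_ACCOUNT flag, which joe tests with `userAccountControl & 8192`) whether an authenticated account's token would carry the Enterprise Domain Controllers SID. The computer records and the other flag names are constructed sample data and assumptions for the illustration, not taken from a real directory.

```python
"""Added example for the Enterprise Domain Controllers thread (not code from
the list or from Microsoft): decode a binary objectSid as stored in AD into
its S-1-... string form, recognise the well-known S-1-5-9 SID, and decide
from userAccountControl whether an account's token would carry it.  The
sample objects below are constructed, not taken from a real directory."""
import struct

# Well-known SIDs named in the thread.  S-1-5-9 has no member attribute;
# it is added to a token at authentication time when the account is a DC.
ENTERPRISE_DOMAIN_CONTROLLERS = "S-1-5-9"
AUTHENTICATED_USERS = "S-1-5-11"
EVERYONE = "S-1-1-0"

# userAccountControl bits; 8192 is the value joe's post tests with
# `userAccountControl & 8192`.  The other two are assumed from the SDK names.
UF_ACCOUNTDISABLE = 0x0002              # 2: account disabled, never authenticates
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096: member server / workstation
UF_SERVER_TRUST_ACCOUNT = 0x2000        # 8192: domain controller


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode the binary SID layout used by objectSid: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then `count` 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, e.g. for building an LDAP filter on objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def token_well_known_sids(user_account_control: int, authenticated: bool) -> set:
    """Model the thread's point: the well-known SIDs describe a state, not a
    stored membership.  An account that is not authenticated gets none of
    them; an authenticated DC (SERVER_TRUST_ACCOUNT) additionally gets S-1-5-9."""
    if not authenticated:
        return set()
    sids = {EVERYONE, AUTHENTICATED_USERS}
    if user_account_control & UF_SERVER_TRUST_ACCOUNT:
        sids.add(ENTERPRISE_DOMAIN_CONTROLLERS)
    return sids


# Constructed sample: the shape of what an LDAP search for computer objects
# might return (names and values are made up).
SAMPLE_COMPUTERS = [
    {"name": "DC01$", "userAccountControl": 532480},    # 0x82000: DC + trusted for delegation
    {"name": "SRV01$", "userAccountControl": 4096},     # plain member server
    {"name": "DC02$", "userAccountControl": 8192 | 2},  # DC flag set, but account disabled
]


def accounts_eligible_for_s_1_5_9(computers):
    """Return the names of accounts whose tokens would carry S-1-5-9 when
    they authenticate; a disabled account cannot authenticate, so it is
    excluded even though its DC flag is set."""
    names = []
    for c in computers:
        uac = c["userAccountControl"]
        enabled = not (uac & UF_ACCOUNTDISABLE)
        if ENTERPRISE_DOMAIN_CONTROLLERS in token_well_known_sids(uac, authenticated=enabled):
            names.append(c["name"])
    return names


if __name__ == "__main__":
    raw = bytes.fromhex("010100000000000509000000")  # S-1-5-9 in objectSid form
    print(sid_bytes_to_string(raw))
    print(accounts_eligible_for_s_1_5_9(SAMPLE_COMPUTERS))
```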



RE: [ActiveDir] User SIDs...

2005-08-24 Thread Smith, Brad
Just in case anyone else is still following this I thought I'd post an
(unfortunately useless) update.   The problem I am experiencing is not due
to large group memberships, and is an intermittent problem at best.
Creating a user account with *much* fewer groups doesn't correct the problem.
I will have to get the developer to add in some extra debug info, methinks.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 22 August 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

That is a good idea, and in my case, would mean re-training (or in some
cases, training for the first time) a team of ppl, and going through various
hoops and jumps.  I am taking that approach as well as "attempting" to
troubleshoot this problem.

One thing I would like to clarify for those still following: does the
MaxToken setting of 12000 vs. the MaxToken (complete context) 1790 value mean
that group membership is not causing a problem here?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 22 August 2005 14:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

It sounds like you may want to consider changing your group/access strategy
as well.  If it takes this long to troubleshoot, I think it's worthwhile to
see if it can be done better/more simply for future use. 

My $0.04 anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, August 22, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...


I am going to duplicate the user's account (can't really be bothering them
much more :-) and then remove half the groups they are in and troubleshoot
from there.   There are about 4 groups they have to be in to get this test
working (i.e. log on locally perms etc.) so starting with one group isn't the
easiest route forward.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 August 2005 18:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Well to rule out number of groups or the nesting, start with a single group
and see if it works that way and then slowly back up to what you have that
is failing. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Sorry Ppl.  Contributors to this list are so helpful that I forget that they
aren't quite smart enough to read my mind, they have been able to do
everything else ;-)

The problem is thus: I have a user in a group, which through 4 levels of
nesting is a member of the local Administrators group on a server (no
restricted groups or anything, just plain simple addition of the group the
user is in to the local Administrators group).  Call this ServerA.  The
local Administrators group is configured in the setting "Impersonate a
client after authentication".  I have set up a web page in IIS (on ServerB)
that attaches to ServerA to perform some folder manipulation (profile and
home directory changes and the like).  It does this using Kerberos to pass
the authentication through.  The page fails, because their Kerberos
authentication fails.  I have added the same user explicitly to the
"Impersonate a client after authentication" setting on ServerA, and presto,
it works.  Just to reiterate, the user is in less than 50 groups, including
nesting results. ServerA and ServerB are both Win2k3.  The domain is all
Win2K DCs, SP3.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 August 2005 16:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

As Dean keeps saying, how about describing the actual problem as you
see/experience it.  Could be something totally different. I'll bet somebody
here would be helpful if they knew what to help with. :)

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...


Looks like the PAC is intact, and all SIDs are well within the limit.  This
is done from the user account that is exhibiting the problem.  I am at a
loss on this one now.

Tokensz Results:

Name: Kerberos Comment: Microsoft Kerberos V1.0 Current
PackageInfo->MaxToken: 12000

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2081e
Signature Algorithm = -138
Encrypt Algorithm = 23
   Start:8/19/2005 16:19:12
  Expiry:8/20/2005 2:16:44
Current Time: 8/19/2005 16:19:15
MaxToken (complete context)  1790 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 August 2005 14:56
To: Send -
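The check a practitioner would want for the situation Brad describes (a user granted "Impersonate a client after authentication" only through nested membership in ServerA's local Administrators group) is to work out which SID actually carries the privilege to that user. The script below is an added example, not code from the thread. It assumes ServerA is reachable by name from a host in the same domain as the user, that you have already run `secedit /export /cfg C:\temp\servera-rights.inf /areas USER_RIGHTS` on ServerA and copied the file here, and that the grant arrives through a BUILTIN group (machine-local custom groups are not expanded). Server, user and path names are placeholders.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape a value before it goes into an LDAP filter (RFC 4515); the account
    # name is operator input and must not be able to change the query.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-PrivilegeHolderSids {
    # Parse the [Privilege Rights] line of a secedit export, e.g.
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    # "*"-prefixed entries are SIDs; anything else is an account name to translate.
    param([string]$ExportedInf, [string]$Privilege = "SeImpersonatePrivilege")
    $line = Get-Content -Path $ExportedInf | Where-Object { $_ -match "^\s*$Privilege\s*=" } |
            Select-Object -First 1
    if (-not $line) { return @() }
    foreach ($entry in (($line -split "=", 2)[1] -split ",")) {
        $v = $entry.Trim()
        if (-not $v) { continue }
        if ($v.StartsWith("*")) {
            New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $v.Substring(1)
        } else {
            (New-Object System.Security.Principal.NTAccount -ArgumentList $v).Translate(
                [System.Security.Principal.SecurityIdentifier])
        }
    }
}

function Get-TokenGroupSids {
    # tokenGroups is computed by the DC with nesting already flattened: it is the set of
    # domain group SIDs that go into the user's PAC. The user's own SID is added first.
    param([string]$SamAccountName)
    $filter   = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $filter
    $result   = $searcher.FindOne()
    if (-not $result) { throw "No user with sAMAccountName '$SamAccountName' in this domain" }
    $user = $result.GetDirectoryEntry()
    $user.psbase.RefreshCache(@("tokenGroups"))
    $sids = @(New-Object System.Security.Principal.SecurityIdentifier `
                -ArgumentList $user.psbase.Properties["objectSid"].Value, 0)
    foreach ($bytes in $user.psbase.Properties["tokenGroups"]) {
        $sids += New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
    }
    return $sids
}

function Get-BuiltinGroupMemberSids {
    # Expand a BUILTIN group (S-1-5-32-*) on the server with the WinNT provider. Domain
    # groups nested in it come back as SIDs, which is what tokenGroups can be matched on.
    param([string]$ComputerName, [System.Security.Principal.SecurityIdentifier]$GroupSid)
    $name  = ($GroupSid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    $group = [ADSI]"WinNT://$ComputerName/$name,group"
    foreach ($member in @($group.psbase.Invoke("Members"))) {
        $bytes = $member.GetType().InvokeMember("objectSid", "GetProperty", $null, $member, $null)
        New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
    }
}

function Test-EffectivePrivilege {
    param([string]$ComputerName, [string]$SamAccountName, [string]$ExportedInf,
          [string]$Privilege = "SeImpersonatePrivilege")
    $holders  = @(Get-PrivilegeHolderSids -ExportedInf $ExportedInf -Privilege $Privilege)
    $userSids = Get-TokenGroupSids -SamAccountName $SamAccountName
    # Effective holders: the direct entries plus the members of any BUILTIN group entry.
    # Logon-type SIDs such as S-1-5-6 (SERVICE) are never in tokenGroups, so only
    # group-derived grants can match here.
    $effective = foreach ($h in $holders) {
        $h
        if ($h.Value -like "S-1-5-32-*") {
            Get-BuiltinGroupMemberSids -ComputerName $ComputerName -GroupSid $h
        }
    }
    $effectiveValues = @($effective | ForEach-Object { $_.Value })
    $hits = @($userSids | Where-Object { $effectiveValues -contains $_.Value })
    if ($hits.Count -eq 0) {
        return "$SamAccountName does NOT reach $Privilege on $ComputerName through any listed holder"
    }
    "$SamAccountName reaches $Privilege on $ComputerName via:"
    foreach ($sid in $hits) {
        try { $label = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $label = "(unresolved)" }
        "  $($sid.Value)  $label"
    }
}

# Placeholder names; replace with the real server, user and exported file.
Test-EffectivePrivilege -ComputerName "ServerA" -SamAccountName "brad" `
                        -ExportedInf "C:\temp\servera-rights.inf"
```

If the grant only reaches the user through one of the nested domain groups, that group's SID is what must be in the PAC at logon time, so a missing or stale tokenGroups entry on the DC that issued the ticket is the thing to compare against when the failure is intermittent.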

RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Smith, Brad
Dean, Joe and all, thanks again for clearing up something that the net
didn't easily reveal. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 24 August 2005 14:43
To: Send - AD mailing list
Subject: RE: [ActiveDir] Enterprise Domain Controllers

 
To further clarify Joe's point; the subset of foreignSecurityPrincipals
within the domain NC under the ForeignSecurityPrincipals container (many [or
all] of which will be well-known security principals) are present there
because of a relationship with another object within that partition.  

The foreignSecurityPrincipals within the config. NC serve as a template and
represent the well-known security principals listed by the object picker
when, for example, editing an ACL (do not test this by deleting one, unless
it's a sandpit, since recreating them can be problematic).

As a general rule of thumb, and as far as I can recollect, foreign security
principals are created to represent any security principal that cannot be
resolved by a forest-local GC, e.g. users from a foreign forest's domain or
well-known security principals ... and are necessary because of the archaic
underlying database engine we continue to insist on using :o).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 24, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers

It isn't an actual group. 

It is a Well-Known security principal (SID=S-1-5-9) like Authenticated Users
or Everyone or Terminal Server User. You don't have the ability to look at
the membership, let alone modify it. When a token for a domain controller is
built, the SID is simply added to it. 

It is represented in the directory as a foreignSecurityPrincipal so it can
be added to groups and ACEs like Everyone is. As Tom indicated, it is
maintained in the Wellknown Security Principals container of the
configuration partition with other Well Known Security Principals. 

Here is a quick listing of all the FSPs listed in that container

Anonymous Logon
Authenticated Users
Batch
Creator Group
Creator Owner
Dialup
Digest Authentication
Enterprise Domain Controllers
Everyone
Interactive
Local Service
Network
Network Service
NTLM Authentication
Other Organization
Proxy
Remote Interactive Logon
Restricted
SChannel Authentication
Self
Service
Terminal Server User
This Organization
Well-Known-Security-Id-System
WellKnown Security Principals


joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Wednesday, August 24, 2005 5:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers

Hey All,

Can anyone tell me where this group is stored?  It isn't in the directory,
and it isn't a local group...any ideas on how to check its membership list
is correct?

TIA,


Brad




[ActiveDir] Printer Permissions

2005-08-24 Thread Burkes, Jeremy [Contractor]

Everyone,

    I want to give our help desk the ability to manage print queues in our Active
Directory environment.  Is there a way to give them permissions to the
printers without having to touch each one?  Print Operators gives them too
many permissions.  Thanks.

Jeremy

---
Jeremy Burkes
Strategic Systems Programs
Management Information Systems
Help Desk: 202-764-1442
Work: 202-764-1270
Fax: 202-764-1503
[EMAIL PROTECTED]


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Dean Wells
 
To further clarify Joe's point; the subset of foreignSecurityPrincipals
within the domain NC under the ForeignSecurityPrincipals container (many [or
all] of which will be well-known security principals) are present there
because of a relationship with another object within that partition.  

The foreignSecurityPrincipals within the config. NC serve as a template and
represent the well-known security principals listed by the object picker
when, for example, editing an ACL (do not test this by deleting one, unless
it's a sandpit, since recreating them can be problematic).

As a general rule of thumb, and as far as I can recollect, foreign security
principals are created to represent any security principal that cannot be
resolved by a forest-local GC, e.g. users from a foreign forest's domain or
well-known security principals ... and are necessary because of the archaic
underlying database engine we continue to insist on using :o).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 24, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers

It isn't an actual group. 

It is a Well-Known security principal (SID=S-1-5-9) like Authenticated Users
or Everyone or Terminal Server User. You don't have the ability to look at
the membership, let alone modify it. When a token for a domain controller is
built, the SID is simply added to it. 

It is represented in the directory as a foreignSecurityPrincipal so it can
be added to groups and ACEs like Everyone is. As Tom indicated, it is
maintained in the Wellknown Security Principals container of the
configuration partition with other Well Known Security Principals. 

Here is a quick listing of all the FSPs listed in that container

Anonymous Logon
Authenticated Users
Batch
Creator Group
Creator Owner
Dialup
Digest Authentication
Enterprise Domain Controllers
Everyone
Interactive
Local Service
Network
Network Service
NTLM Authentication
Other Organization
Proxy
Remote Interactive Logon
Restricted
SChannel Authentication
Self
Service
Terminal Server User
This Organization
Well-Known-Security-Id-System
WellKnown Security Principals


joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Wednesday, August 24, 2005 5:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers

Hey All,

Can anyone tell me where this group is stored?  It isn't in the directory,
and it isn't a local group...any ideas on how to check its membership list
is correct?

TIA,


Brad




RE: [ActiveDir] MSSQL and AD

2005-08-24 Thread deji
Sure. But there will be no relationship between them. You would need to know
how to script. You will need to script reading the names from SQL and feeding
each name into AD as a new user using "net user", "CSVDE", "straight LDAP",
etc.
 
It's all free, except for time investment.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of MeWe
Sent: Wed 8/24/2005 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MSSQL and AD


Hey guys...
Is it possible to copy users from an MSSQL 2000 server to Active Desktop with
FREE! Microsoft tools? Or other free tools!?

thanks


RE: [ActiveDir] DHCP Issue

2005-08-24 Thread Carerros, Charles
Well,

After waiting on the phone with Microsoft about this issue for a very long
time.

It turns out that our name resolution using GPOs was working, it's just that
NSLOOKUP in Windows XP prior to SP2 is broken.

Once we got the hot fix for NSLOOKUP all of our domain suffix search orders
work.

Interesting, KB327361.

http://support.microsoft.com/?kbid=327361

Thanks for everyone's input.

Charlie

-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 23, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP Issue

Who's had time to upgrade to something as new as XP?  ;)

Trust you?  Hmm

Thanks for the correction.  I suppose I'm sometimes too focused on solutions
that will work cross platform that I forget that the new stuff can be
different.

Can't wait for the next rev and a whole new support matrix to keep after

-ajm

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 8/23/2005 9:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP Issue

Al,

GPO will indeed set it, but only XP clients can leverage it through GPO. The
script option is for pre-XP clients only. Trust me - I work for the
government (well, not really, but trust me anyway ;))

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Tue 8/23/2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP Issue

Last I checked, Group Policy won't set this either.

FWIW, I usually suggest using a DNS structure that allows your clients to
find all hosts.  Suffix search order is an expensive way to get name
resolution for non-primary domains and if it's short name, I'm thinking a
cname is a better way to go.

FYI, you also can't use netsh to set this :)  Script is the best way and Deji
was nice enough to post a sample.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Tuesday, August 23, 2005 7:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP Issue

I've never gotten that DHCP option tag to work.

I'd recommend using Group Policy (which does work) or else creating CNAMEs
for the "foreign" servers.  It's OK for CNAMEs to point to another DNS
domain.

RM

> -Original Message-
> From: Carerros, Charles [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 23, 2005 9:33 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] Bulk users
>
>
> Hey all,
>
> I'm having issues with my DHCP scope on a Windows 2003 Standard server.
>
> I'm trying to push out a domain suffix search order however that option
> doesn't seem to be available on my server and I can't make it show up.
>
> I'm working with a freshly installed copy of Windows 2003 that I fully
> patched minus SP1.
>
> I joined it to the domain and authorized the DHCP server and setup the
> rest of the scope information (IP range, DNS server, WINS server, etc).
> However when I tried to add the suffix order the 135 option doesn't
> show up.
>
> I have tried this like three times and had one of my colleagues review
> what I did and we can't figure it out.
>
> Any suggestions??
>
> Thanks,
>
> Charlie


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread joe
It isn't an actual group. 

It is a Well-Known security principal (SID=S-1-5-9) like Authenticated Users
or Everyone or Terminal Server User. You don't have the ability to look at
the membership, let alone modify it. When a token for a domain controller is
built, the SID is simply added to it. 

It is represented in the directory as a foreignSecurityPrincipal so it can
be added to groups and ACEs like Everyone is. As Tom indicated, it is
maintained in the Wellknown Security Principals container of the
configuration partition with other Well Known Security Principals. 

Here is a quick listing of all the FSPs listed in that container

Anonymous Logon
Authenticated Users
Batch
Creator Group
Creator Owner
Dialup
Digest Authentication
Enterprise Domain Controllers
Everyone
Interactive
Local Service
Network
Network Service
NTLM Authentication
Other Organization
Proxy
Remote Interactive Logon
Restricted
SChannel Authentication
Self
Service
Terminal Server User
This Organization
Well-Known-Security-Id-System
WellKnown Security Principals


joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Wednesday, August 24, 2005 5:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers

Hey All,

Can anyone tell me where this group is stored?  It isn't in the directory,
and it isn't a local group...any ideas on how to check its membership list
is correct?

TIA,


Brad


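What joe describes here, and what Dean adds about the foreignSecurityPrincipals in the configuration NC, can be checked directly. The script below is an added example, not code from the thread: it lists the objects under CN=WellKnown Security Principals in the configuration partition, confirms that Enterprise Domain Controllers is a foreignSecurityPrincipal with SID S-1-5-9 and no member attribute, and then does the only "membership" check that exists for such a principal, which is looking for the SID in a token. It assumes a domain-joined host with the default read access to the configuration partition and changes nothing.

```powershell
# 1. Locate the container in the configuration partition (forest-wide, on every DC).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$wksp     = [ADSI]"LDAP://CN=WellKnown Security Principals,$configNc"

# 2. Each child is a foreignSecurityPrincipal whose objectSid is the well-known SID.
$principals = foreach ($child in $wksp.psbase.Children) {
    $sidBytes = $child.psbase.Properties["objectSid"].Value
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
    [pscustomobject]@{
        Name        = [string]$child.psbase.Properties["name"].Value
        ObjectClass = $child.psbase.SchemaClassName
        Sid         = $sid.Value
        # A real group would expose a member attribute; these objects never do.
        HasMember   = $child.psbase.Properties.Contains("member")
    }
}
$principals | Sort-Object Name | Format-Table Name, ObjectClass, Sid, HasMember -AutoSize

# 3. Enterprise Domain Controllers: expect class foreignSecurityPrincipal, SID S-1-5-9.
$edc = $principals | Where-Object { $_.Sid -eq "S-1-5-9" }
if (-not $edc) {
    Write-Warning "S-1-5-9 is missing from CN=WellKnown Security Principals,$configNc"
} elseif ($edc.ObjectClass -ne "foreignSecurityPrincipal" -or $edc.HasMember) {
    Write-Warning "S-1-5-9 object looks wrong: class=$($edc.ObjectClass) member=$($edc.HasMember)"
} else {
    "OK: '$($edc.Name)' is a $($edc.ObjectClass) with SID $($edc.Sid) and no member attribute"
}

# 4. Membership is decided when a token is built, so it is verified per token, not in
#    the directory: an ordinary user's token (this one) must not contain S-1-5-9, while
#    a domain controller's machine token does.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$hasEdc = [bool]($token.Groups | Where-Object { $_.Value -eq "S-1-5-9" })
"Current token ($($token.Name)) contains S-1-5-9: $hasEdc"
```

Because the SID is injected at token build time, a domain controller that is missing it (or a non-DC that has it) shows up in logon tokens and Kerberos PACs, not in any group's member list, which is why there is no list to audit in the directory.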


Re: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Tom Kern
It's in the "well known security principals" container in the config NC
of the forest root.
You can see it with adsiedit.msc

On 8/24/05, Smith, Brad <[EMAIL PROTECTED]> wrote:
> Hey All,
> 
> Can anyone tell me where this group is stored?  It isn't in the directory,
> and it isn't a local group...any ideas on how to check its membership list
> is correct?
> 
> TIA,
> 
> 
> Brad
> 
> 


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Peter Johnson
Oops. Completely misread the question. I'm going to explain by stating
I was trying to build my first ISA Server at the time and the brain task
switching crapped out. I will now slink away and change my name to Homer
Simpson :( :( 

Doh! 

Sorry to all!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 24 August 2005 13:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers

I don't think that's right at all ...  he's talking AD EDC group, nothing
to do with Exchange.

I'm just going to make this up* ... it's a piece of data on the DC's
computer account object that helps SAM determine if you deserve the EDC
group in your token.  Maybe it is a bit in the userAccountControl.

* I don't know what I'm talking about, I really did pretty much make that
up, because it sounded vaguely familiar, sooo I'm like only 12% sure of
all that stuff I just said.

Cheers,
BrettSh
G-Door Operator #7

Posting is provided "AS IS", and confers no rights or warranties ...



On Wed, 24 Aug 2005, Peter Johnson wrote:

> Hi Brad
> 
> It's in the User's container by default. One of the things that dsaccess
> does, except on frontend machines IIRC, is verify that the server is in
> the Exchange Domain Servers which is a member of Exchange Enterprise
> Servers. 
> 
> Regards
> Peter Johnson
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
> Sent: 24 August 2005 11:17
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers
> 
> Hey All,
> 
> Can anyone tell me where this group is stored?  It isn't in the directory,
> and it isn't a local group...any ideas on how to check its membership list
> is correct?
> 
> TIA,
> 
> 
> Brad
> 
> 


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Brett Shirley
I don't think that's right at all ...  he's talking AD EDC group, nothing
to do with Exchange.

I'm just going to make this up* ... it's a piece of data on the DC's
computer account object that helps SAM determine if you deserve the EDC
group in your token.  Maybe it is a bit in the userAccountControl.

* I don't know what I'm talking about, I really did pretty much make that
up, because it sounded vaguely familiar, sooo I'm like only 12% sure of
all that stuff I just said.

Cheers,
BrettSh
G-Door Operator #7

Posting is provided "AS IS", and confers no rights or warranties ...



On Wed, 24 Aug 2005, Peter Johnson wrote:

> Hi Brad
> 
> It's in the User's container by default. One of the things that dsaccess
> does, except on frontend machines IIRC, is verify that the server is in
> the Exchange Domain Servers which is a member of Exchange Enterprise
> Servers. 
> 
> Regards
> Peter Johnson
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
> Sent: 24 August 2005 11:17
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers
> 
> Hey All,
> 
> Can anyone tell me where this group is stored?  It isn't in the directory,
> and it isn't a local group...any ideas on how to check its membership list
> is correct?
> 
> TIA,
> 
> 
> Brad
> 
> 


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Peter Johnson
Hi Brad

It's in the User's container by default. One of the things that dsaccess
does, except on frontend machines IIRC, is verify that the server is in
the Exchange Domain Servers which is a member of Exchange Enterprise
Servers. 

Regards
Peter Johnson

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 24 August 2005 11:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers

Hey All,

Can anyone tell me where this group is stored?  It isn't in the directory,
and it isn't a local group...any ideas on how to check its membership list
is correct?

TIA,


Brad




RE: [ActiveDir] OT: HP disk upgrade..

2005-08-24 Thread David Cliffe



I didn't see mention of RAID controller or O/S version, but do they support
logical drive extension?  If so, how about this?  (though probably not
much faster!)

- Backup data (if important enough...as you said this already is a backup)
- Remove one physical drive from the enclosure
- Replace it with a 300GB drive and let it rebuild completely
- Repeat this sequence 3 more times until all drives are 300GB
- Extend logical drive to full capacity via array config. utility
- Do same under O/S (Win 2003 "diskpart" utility is good for this)

Just a thought.

-DaveC
Reuters IS&T Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 23, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk upgrade..


I believe that since they are backups, you 
have some flexibility.  For one thing, you can move the data around and 
store it on just one disk if you wanted to ([EMAIL PROTECTED] ~216GB vs. one 300GB disk) and then 
after the upgrade, move it back.  I'm sure there are other 
variations.
 
It would seem a little odd to backup a 
backup in order to accomplish this.  You pretty much just need some 
temporary space while you do this. 
 
 
 
Al


From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 8/23/2005 4:04 AM
To: Active
Subject: [ActiveDir] OT: HP disk upgrade..

Hi,
Sorry for the OT, I have an HP server with an MSA enclosure attached which
is complete with 14 x 72gb disks. The enclosure uses 4 x
72gb disks in a RAID5 set which are used to store backups. I need to
upgrade these 4 disks with new 300gb disks. The disks are not used for any
other purpose besides storing backups.
 
My initial thought was to do the following:
 
Backup the drive
Break the array
Remove existing disks
Insert new disks
Create new Array
 
Is there a better way to do it, or should this method work?
 
thanks
 - Frank

-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.




[ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Smith, Brad
Hey All,

Can anyone tell me where this group is stored?  It isn't in the directory,
and it isn't a local group...any ideas on how to check its membership list
is correct?

TIA,


Brad




[ActiveDir] MSSQL and AD

2005-08-24 Thread MeWe
Hey guys...
Is it possible to copy users from an MSSQL 2000 server to Active Desktop with FREE! Microsoft tools? Or other free tools!?
thanks