Re: [ActiveDir] Sysvol and AV exclusions
The only product I have seen the full exclusion capabilities in is McAfee; from ePO this can all be configured centrally. With Symantec, paths and file types can be excluded centrally, but the actual files have to be configured manually on every DC, thus leading to more donkey work and an increased scope for error. The only other quirk with Symantec is that it does not allow for future files, that is, if it's not there, you can't exclude it. This was the case up until version 9; 10 I have yet to see. All that being said, there is an unsupported hack available from Symantec to enable the centralised management.

Mark

-----Original Message-----
From: Tony Murray [EMAIL PROTECTED]
Date: Thu, 15 Sep 2005 14:09:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

Ah, you mean my expectations are too high. :-)

As an illustration of the problem, I have attached a screenshot from CA's eTrust AV product. I'm not familiar with the product (nor do I wish to be), but from a quick look it does not appear possible to set the exclusions according to the 822158 article. Apart from the potential issue of only being able to specify a maximum of 16 paths for exclusion, the real problem is the inability to include subfolders of folders that have been excluded.

I would imagine that a reasonable percentage of the installed base of AD uses CA's product. We're probably talking 10s of thousands of organisations worldwide. Our local CA representative was unable to provide a CA recommendation for the exclusion list and suggested we refer to Microsoft's best practices.

I guess I'm going to have to come up with a best-efforts compromise configuration, combining the recommendations in the 822158 article and the capabilities of the CA product.

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, 15 September 2005 10:07 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

You obviously haven't dealt with the Exchange Team enough. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, September 14, 2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

Hi Brett

Thanks for your detailed response. I see you've also managed to sort out the formatting of the table in the article. Oh, what power you wield! :-)

The main issue I have is that the article introduces some new exclusions. I don't think I'm alone in thinking that the general approach before this article came out was, "If your AV product is FRS-compliant then include SYSVOL in scans." I am fully aware of the effects of a virus being replicated by SYSVOL, having seen it first-hand. SYSVOL does a great job of moving a virus around a network very quickly. :-) So it's important to scan SYSVOL (or at least parts thereof).

Going back to the issue, the 822158 article sets out exclusions, but doesn't indicate why they should be excluded. In other words, what is the risk of including them? This is relevant for at least one major AV product vendor, which has a (somewhat stupid) low limit on the number of files and folders that can be excluded on any one server. I'm also not convinced that the AV product I'm thinking of can perform the level of granularity of inclusion/exclusion suggested in the table.

I can sort of understand why the staging areas would be excluded (compressed files, possibility of locking), but why exclude %systemroot%\sysvol and %systemroot%\sysvol\sysvol? I can't see anything in my test environment that would pose any problems by scanning these folders.

Call me a control freak, but I just don't like seeing a statement such as, "Do not scan the following files and folders." with no additional explanation.

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, 13 September 2005 10:47 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sysvol and AV exclusions

The articles should not be inconsistent. The 822158 does mention 814263 (see bullet 2).

284947 - is how to detect and diagnose excessive FRS replication. Noting it might be caused by Anti-Virus software. And mentioning how to recover. It is not SYSVOL specific, it is FRS specific. But since SYSVOL is an FRS share, it applies to SYSVOL, if this should happen to your SYSVOL.

814263 - is about Anti-Virus programs that are compatible with FRS from a generic sense. Again not SYSVOL specific, FRS specific. You will want one of these programs to continue on with your configuration of your DC's Anti-Virus program with 822158.

822158 - Is the penultimate article for DCs and anti-virus software. You need to scroll over the very poorly formatted table, near the end. You'll note some parts of the sysvol folder are to be scanned and other parts are excluded.
RE: [ActiveDir] Offline Files Question
Hi Noah,

I have not tested with SP2, but the hotfix is part of SP2. I did test it on SP1 with the patch. The patch did not create the keys either. You need to do it manually. All of what they said I did find to work correctly with the addition of the reg keys. It still isn't close to being perfect, but it will help some. Makes it a bit more usable.

John

From: Noah Eiger [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 09/14/2005 03:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Offline Files Question

Hi -

Re: SP2. The hotfix does not run against SP2 machines. The KB says the issues were resolved in SP2 (hence, no need for the hotfix). However, I found that the NetCache subkeys ExclusionErrorSuppressionList do not seem to exist. I am able to create the other keys mentioned in the KB (for primary users and admin pinning). Has anyone gotten the suppression list working in SP2? Do you just create those subkeys?

-- nme

-----Original Message-----
From: Steve Patrick [mailto:[EMAIL PROTECTED]
Sent: Friday, September 09, 2005 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Offline Files Question

Oh very nice -- thanks for the info!

steve

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, September 09, 2005 5:53 AM
Subject: Re: [ActiveDir] Offline Files Question

You can work around it, not really an easy fix though.
http://support.microsoft.com/default.aspx?scid=kb;en-us;811660

From: steve patrick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 09/08/2005 10:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Offline Files Question

This is by design (albeit bad IMO). IIRC this won't occur if 3 or fewer profiles sync, due to design.

steve

----- Original Message -----
From: Noah Eiger
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 08, 2005 6:24 PM
Subject: [ActiveDir] Offline Files Question

Hi -

Configuration: All users have their My Documents redirected to network shares. All XP (and most 2000) users have My Documents set to synchronize Offline Files. All are set to synchronize at log on and log off.

Many users have complained that when they log off, they see not only their files synchronize but also the files of other users who have user profiles on that machine. Often they will get permissions errors on the other users' files since the home directories are secured as per MSKB 274443. This is a hassle because it stalls at the end of the sync (waiting to have someone acknowledge the error) and because it takes so long.

Is this behaviour as expected? Why is it synchronizing other users' files? Is there a way to prevent this?

Thanks.

-- nme

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Root Domain on W2K3 SP1 and Child not
First off, thanks for all the info I've soaked in. I've hung in the background for a few years and have tried to soak it all in... tried, I said!

Quick question: we are running Function level W2K3 with a root domain and 2 child domains. We have yet to install SP1 but plan on it this weekend. With 1 of the child domains we see the possibility of some problems due to old HW, so we want to postpone SP1 on that child until we refresh the 9 DCs with new HW. We should have this done in the next 30 days or so. In the meantime we are still planning to roll out SP1 to the other child and to the root. I don't see any problems with this plan and have found nothing in MY searches to scare us off. Can there be issues with this config? I know it is not optimal, but any big issues to worry about? I appreciate any feedback I can get. Once again, thanks!

Paul A. Simpsen
IT - Infrastructure Services Team
University of Oklahoma Health Sciences Center
800 NE 15th St. Suite 620, Oklahoma City, OK 73104
(405) 271-2262 x 50230, Fax (405) 271-2181
[ActiveDir] Publish ldap externally
We are an edu and have an outside entity requesting access to our Exchange 2003 address book. I was thinking about creating a proxy user and giving it limited search rights in AD (name, email, phone, dept) and ACLing 389 to the other org's network. Is this possible?

Thanks,
Paul
RE: [ActiveDir] Publish ldap externally
It is, but have you considered an alternate method? Maybe a secured web page vs. 389 access to the network? A web service? What are the risks that you see in your organization and are trying to mitigate vs. the rewards? How real-time does this need to be?

Allowing access is easy. Doing it in a way that meets your risk tolerance and return on time spent is different and requires a better understanding of your goals and environmental factors.

Al
RE: [ActiveDir] Root Domain on W2K3 SP1 and Child not
2K3 and 2K3 SP1 DCs should interoperate with no issues besides the potential list of known issues with SP1 in general. I.e., SP1 includes the original version of MS05-019. So if that patch caused you grief then you could potentially see communication issues between the DCs unless you installed the updated version of the patch. SP1 also includes changes in RPC that cause some firewalls to drop the packets until they're patched.

Assuming you've done your testing and due diligence and either aren't affected by the known issues or have addressed them, then there should be nothing inherently wrong with RTM and SP1 side by side, even within the same Domain.
RE: [ActiveDir] Publish ldap externally
ADAM in a DMZ, perhaps? Allowing LDAP queries into your domain sounds risky to me. Proxying into your own AD gives me the chills, quite frankly :P

Another option might be to extract the data periodically through a script and publish it to a secure webpage, like Al suggests. Bit more work, but also much more secure imho.

Regards,
Paul.
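The "extract periodically and publish" approach that Paul and Al suggest, as an added example in PowerShell (this is not code from the thread or from any of its posters). It pulls exactly the four attributes the outside party asked for (name, email, phone, department) and nothing else, so the published file cannot leak more than the directory owner intended, and it never hands an outside party a bind account or port 389. The OU, the output path and the low-privilege account the script runs under are placeholders.

```powershell
# Added example, not code from the list thread. Periodic export of a minimal
# address-book extract (name, email, phone, department) for publication on a
# web page outside the domain, as Paul and Al suggest.
# Assumptions (placeholders): the OU to export, the output path, and that the
# script runs as a low-privilege account that can read those four attributes.
# Uses only System.DirectoryServices, so it needs no RSAT module.

param(
    [string]$SearchBase = 'LDAP://OU=Staff,DC=example,DC=edu',   # placeholder
    [string]$OutFile    = 'C:\publish\addressbook.csv'            # placeholder
)

# Fixed filter: enabled user accounts that have a mail address. Bit 2 of
# userAccountControl is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the LDAP
# bitwise-AND matching rule.
$filter = '(&(objectCategory=person)(objectClass=user)(mail=*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher.Filter   = $filter
$searcher.PageSize = 1000
# Ask the DC for these four attributes only; nothing else is read or exported.
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'mail', 'telephoneNumber', 'department'))

$results = $searcher.FindAll()
try {
    $rows = foreach ($r in $results) {
        # Result property names come back lower-cased; each is a value collection.
        [pscustomobject]@{
            Name       = [string]($r.Properties['displayname']     | Select-Object -First 1)
            Email      = [string]($r.Properties['mail']            | Select-Object -First 1)
            Phone      = [string]($r.Properties['telephonenumber'] | Select-Object -First 1)
            Department = [string]($r.Properties['department']      | Select-Object -First 1)
        }
    }
} finally {
    $results.Dispose()   # releases the paged-search handle on the DC
}

# Write to a temp file and rename, so the web server never serves a
# half-written file; serve the output directory read-only.
$tmp = "$OutFile.tmp"
$rows | Sort-Object Name | Export-Csv -Path $tmp -NoTypeInformation -Encoding UTF8
Move-Item -Path $tmp -Destination $OutFile -Force
Write-Host ("Exported {0} entries to {1}" -f @($rows).Count, $OutFile)
```

Run it from a scheduled task under a dedicated read-only account; the account needs read access to those four attributes and nothing else, and the web server that serves the CSV needs no connectivity to the domain controllers at all.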
RE: [ActiveDir] Networking rights...
Hello,

Don't know if there is already an answer to your question, but in order to have the domain user administrative rights over its own computer, you need to put him into the local Administrators group on his computer.

Regards,
Yann TIROA
Centre de Ressources Informatique
Campus Scientifique de la DOUA, Bât. Gabriel Lippmann, 2nd floor, room 238
43, Bd du 11 Novembre 1918, 69622 Villeurbanne Cedex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Wednesday, 31 August 2005 09:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Networking rights...

Hm, I know it isn't anything with AD... But I don't know where to look... Hoping you could answer...

I have a computer that connects to a domain. The only problem is, the work on the local computer cannot be modified... The "owner" of the local files and folders is the local account... But now we use the domain, and they don't have access to their own folders and files, because they were made with the local user...

The problem is, the user on the domain needs administrative rights over its own computer, but not the domain... how?!

--
Best Regards
Kasper Sørensen
www.mewe.dk
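An added PowerShell example for Kasper's situation (not code from the thread or from Yann or Kasper). It does what Yann describes, membership of the computer's local Administrators group, as an opt-in step, and also shows the narrower fix for the symptom actually reported: re-owning the folders the old local account created and granting the domain user full control of just those, which leaves the account a standard user. The user name and folder path are placeholders.

```powershell
# Added example, not code from the list thread. Option A is what Yann
# describes (domain user into the local Administrators group); option B is the
# narrower alternative for Kasper's symptom: take ownership of the files the
# old local account created and grant the domain user full control of them.
# Run elevated on the affected PC.
# Assumptions (placeholders): the user name and the folder path.
# Add-LocalGroupMember needs Windows PowerShell 5.1 or later; takeown and
# icacls ship with Windows.

param(
    [string]$DomainUser = 'DOMAIN\jdoe',                      # placeholder
    [string]$OldData    = 'C:\Users\localuser\Documents',     # placeholder
    [switch]$MakeLocalAdmin                                   # off by default
)

if ($MakeLocalAdmin) {
    # Option A: local admin on this machine only. Membership here grants
    # nothing in the domain, but it is every right on this PC, so prefer
    # option B when file access is the only need.
    $already = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $_.Name -eq $DomainUser }
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $DomainUser
    }
}

# Option B: leave the account a standard user and re-own the old folders.
# takeown /r walks the tree and /d Y answers the per-directory prompt;
# icacls /t applies to the tree and /c continues past errors;
# (OI)(CI)F = full control, inherited by files and subfolders.
takeown.exe /f $OldData /r /d Y | Out-Null
icacls.exe $OldData /setowner $DomainUser /t /c | Out-Null
icacls.exe $OldData /grant "$($DomainUser):(OI)(CI)F" /t /c | Out-Null

# Verification: the folder root's ACL and the local group membership.
icacls.exe $OldData
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Without -MakeLocalAdmin the script only changes ownership and ACLs on the named folder; pass the switch if, as in Yann's answer, the user really needs full rights on the machine.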
[ActiveDir] quick poll on directory authentication
Hey all-

So, I am doing a quick poll of the list to gather some data points. I am interested in hearing from folks who are using either ADAM or Sun's Directory for their directory-enabled apps. I'm interested in hearing what authentication mechanisms (e.g. SSL, plain text, SASL, other, etc.) you are using to access these directories. If you're interested in helping me collect some data, please email me off list at [EMAIL PROTECTED] with your authentication mechanism of choice. The data will not be used for anything other than a statistical sampling.

Thanks
Darren

Darren Mar-Elia
CTO, Windows Management
Microsoft MVP, Windows Server-Group Policy
Quest Software
+1 (415) 342-4185
[EMAIL PROTECTED]
http://www.quest.com
RE: [ActiveDir] quick poll on directory authentication
Hi Darren,

Do you have a web page we can fill out your survey on? Or some type of form in Word?

Sincerely,
Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net www.tvnug.org www.sfntug.org
RE: [ActiveDir] Administrator on one DC Cannot browse the others
That looks like it. See http://support.microsoft.com/?id=883268 for troubleshooting.

Any event log errors?

Cheers
Jorge

From: [EMAIL PROTECTED] on behalf of Lloyd Williams
Sent: Thu 9/15/2005 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Administrator on one DC Cannot browse the others

Objects from one DC do end up on other DCs.

When I run DCDiag /v I get this error:

Event String: The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client SERVER$ in realm DOMAIN had a PAC which failed to verify or was modified. Contact your system administrator.

Could this be causing the problem?

Lloyd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, September 14, 2005 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Administrator on one DC Cannot browse the others

Lloyd,

How do you know that one replicates OK? And the others? If you create an object on each DC, do those objects end up on all DCs? Any event log errors? What does DCDIAG /V say when on that problem DC?

Cheers
Jorge

From: [EMAIL PROTECTED] on behalf of Lloyd Williams
Sent: Wed 9/14/2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Administrator on one DC Cannot browse the others

I have the following problem with one of my Active Directory Domain controllers. I have 6 domain controllers. They can all replicate OK. However one controller has the following problem. When I log in as administrator it cannot access the others through network neighborhood, or to map a drive. If I try and access any of the other DCs it prompts me for my user name and password. If I enter DOMAIN\administrator it tells me I am already logged in as that and does not give access to the DC.

On each of the 6 DCs I can log in OK as administrator, so the passwords work locally, but across the network this one DC is cut off from all the others. However it still replicates OK, which seems strange.

Anyone have any ideas what could cause this?

Thanks
Lloyd
RE: [ActiveDir] quick poll on directory authentication
Jose-

No, unfortunately this is very informal so I haven't done anything like a web form. If you're interested in being more anonymous than email, you can go to my www.gpoguy.com website and post it on the feedback form there, which does not require any identifying info and should suffice for this.

Thanks!
Darren
[ActiveDir] OT: Outsourcing OS Patching
Group,

Odd question. I just got out of a meeting with a consulting group that wants us to outsource the patching of our servers that are not in our data center (we have a number of servers that are at our remote locations and our staff is struggling with our patching cycle on these for one reason or another). Does anyone know of an outsourcing group that will only do the MS patching on the servers and let the owners of the boxes do everything else? We are looking for a basis of comparison and this consultant said that they don't have any competitors in this field. Either people outsource all of their servers, all of the services, or they don't outsource at all. They don't know of anyone who only outsources the patching and monitoring of the boxes.

Thanks,
Charlie
[ActiveDir] Script for deleting files from shared folder
Hello all,

I have a Win2k AD env with 200 users. I was wondering if anyone has a script that will delete a specific file from several locations automatically? What I'm trying to do is delete a specific file from each user's home folder. We have over 200 users; any advice is appreciated.

Kind rgds,
Ahmed
RE: [ActiveDir] REPOST DFS Permissions
I see you've still not received a reply... yep - the described solution should work fine. I assume you want to use nested groups to grant admins from different domains to add users from their domain. Otherwise you could also use a single UG to reach your goal and manage this group centrally.

The reason you can't use DLGs is quite simple: their scope is _local_ to the domain they're hosted in. While you can actually use them to grant rights to the FS (and they'll also be replicated), they are not valid on any of the DFS link-targets outside of the originating domain. Compare this with permissions on AD objects in a multi-domain forest using local groups = they also don't work on GCs in other domains... (there was a recent discussion about this on this list)

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, 14 September 2005 19:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] REPOST DFS Permissions

Since I did not get any responses, I thought I might repost this message.

If I am using a DFS share that has copies of that share between child domains, am I not able to use Domain Local Groups in conjunction with Global and Universal groups to grant permissions? I noticed that I cannot choose Domain Local groups from the list.

Here is what I am trying to do:

DFSshare
Servers participating in share are:
serverA.parent
ServerB.child1.parent
ServerC.child2.parent
ServerD.child3.parent

Users in Parent, Child1, Child2 and Child3 all need to be able to access and potentially edit files. How would you recommend that I set up the permissions?

I was thinking:

Parent
  DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent
  DFS Share Workgroup Universal - Granted rights to files and folders
Child 1
  DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent
Child 2
  DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent
Child 3
  DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent

I could use this same methodology to grant permissions to different kinds of users and folders as needed. What do you think?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
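The group layout Justin sketched and Guido confirmed, built as an added PowerShell example (not code from the thread or from either poster): one universal security group in the parent domain carries the NTFS rights on every DFS link target, and one global group per domain is nested into it, so each domain's admins manage only their own global group and a domain local group, which Guido explains would not be valid on the other domains' link targets, is never used. Domain names, link-target paths and the availability of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example, not code from the list thread. Builds the AGUDLP-style
# structure from the thread: universal group in the parent domain holds the
# NTFS rights; a global group per domain (parent, child1, child2, child3) is
# nested into it.
# Assumptions (placeholders): domain DNS names, link-target UNC paths, the
# ActiveDirectory module is installed, and the account running this can
# create groups in every domain and change ACLs on every target.

Import-Module ActiveDirectory

$parentDomain = 'parent.example.com'                                                                 # placeholder
$childDomains = 'child1.parent.example.com', 'child2.parent.example.com', 'child3.parent.example.com'  # placeholders
$ugName       = 'DFS Share Workgroup Universal'
$ggName       = 'DFS Share Workgroup Global'
$linkTargets  = '\\serverA\DFSshare', '\\serverB\DFSshare', '\\serverC\DFSshare', '\\serverD\DFSshare'  # placeholders

# 1. Universal group in the parent domain: the one scope that is valid on
#    link targets in every domain of the forest (a domain local group is not).
$ug = Get-ADGroup -Server $parentDomain -Filter "name -eq '$ugName'"
if (-not $ug) {
    $ug = New-ADGroup -Server $parentDomain -Name $ugName -GroupScope Universal `
                      -GroupCategory Security -PassThru
}
$ugMembers = @((Get-ADGroup -Server $parentDomain -Identity $ug -Properties member).member)

# 2. One global group per domain, nested into the universal group by writing
#    the global group's DN into the universal group's member attribute. Writing
#    the DN avoids resolving a child-domain identity against the parent DC.
foreach ($domain in @($parentDomain) + $childDomains) {
    $gg = Get-ADGroup -Server $domain -Filter "name -eq '$ggName'"
    if (-not $gg) {
        $gg = New-ADGroup -Server $domain -Name $ggName -GroupScope Global `
                          -GroupCategory Security -PassThru
    }
    if ($ugMembers -notcontains $gg.DistinguishedName) {
        Set-ADGroup -Server $parentDomain -Identity $ug -Add @{ member = $gg.DistinguishedName }
    }
}

# 3. The same NTFS ACE on every link target, granted by SID so the file servers
#    need no cross-domain name lookup. (OI)(CI)M = Modify, inherited by files
#    and subfolders; /t walks the tree, /c continues past errors.
$sid = $ug.SID.Value
foreach ($path in $linkTargets) {
    icacls.exe $path /grant "*${sid}:(OI)(CI)M" /t /c | Out-Null
}

# Verification: the nested global groups, and the ACL on one target.
(Get-ADGroup -Server $parentDomain -Identity $ug -Properties member).member
icacls.exe $linkTargets[0]
```

Users are then added only to their own domain's global group; the ACL on the link targets never changes again, which is the property Guido's "manage this group centrally" remark is after.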
RE: [ActiveDir] OT: Outsourcing OS Patching
Why wouldn't any decent consulting group do whatever you want them to do for their fee? Xerox for example, IBM also. I know we have them both doing work for us on various platforms. We just agree on the services provided, and that's that. What do they mean, no competitors? Or maybe I'm misunderstanding.

One thought though - I think I'd still want the control to say do this patch, but not that service pack yet, etc. I would think you want to maintain control to make sure that your applications are tested before a SP is introduced, right?

mc
Re: [ActiveDir] OT: Outsourcing OS Patching
How many boxes/sites are we talking about? Are they WAN-connected to your site?

It sounds like a bad idea for several reasons and I don't understand why the patch management cannot be centralized within your org. Managing the outsourcer's access to the systems will probably be more difficult than just doing the patches.

RM
RE: [ActiveDir] Script for deleting files from shared folder
If the files are on one or two servers - how about using search and delete? It works for me every time.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al-Awah
Sent: 15 September 2005 20:21
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Script for deleting files from shared folder

Hello all,

I have a Win2k AD env with 200 users. I was wondering if anyone has a script that will delete a specific file from several locations automatically? What I'm trying to do is delete a specific file from each user's home folder. We have over 200 hundred users, any advice is appreciated.

Kind rgds,
Ahmed
Re: [ActiveDir] Script for deleting files from shared folder
Go to the root of that drive. Type:

DEL blahblah.exe /s

It will delete that file down the entire tree.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 9/15/05, Ahmed Al-Awah [EMAIL PROTECTED] wrote:
> Hello all,
> I have a Win2k AD env with 200 users. I was wondering if anyone has a script that will delete a specific file from several locations automatically? What I'm trying to do is delete a specific file from each user's home folder. We have over 200 hundred users, any advice is appreciated.
> Kind rgds,
> Ahmed
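Both replies above (Mark's "search and delete" and ASB's `DEL blahblah.exe /s` from the drive root) remove every copy of the file anywhere under that root, including copies nested inside subfolders and copies that sit outside the home directories altogether. The script below is an added example, not code from the thread; it is written in Python rather than as a batch command so it can be dry-run and checked. It assumes a share root under which each user's home folder is a direct subdirectory (a constructed temporary tree stands in for the real share), and it only deletes the named file sitting directly in each home folder, skipping symlinked homes and symlinked files so the sweep cannot be redirected somewhere else.

```python
"""Delete one named file from the top level of every user home folder.

Added example for the list thread above, not the poster's own script.
Assumes a layout of <homes_root>/<username>/... and deletes only
<homes_root>/<username>/<filename>; nested copies are left alone.
"""
import tempfile
from pathlib import Path


def remove_from_home_folders(homes_root, filename, dry_run=True):
    """Return the matching files found under each home folder.

    With dry_run=True nothing is deleted; the returned list is what
    a real run would remove. With dry_run=False each match is unlinked.
    Symlinked home folders and symlinked files are skipped on purpose,
    so a planted link cannot make the sweep delete something else.
    """
    root = Path(homes_root)
    matched = []
    for home in sorted(root.iterdir()):
        if home.is_symlink() or not home.is_dir():
            continue  # not a real home folder
        target = home / filename
        if target.is_symlink() or not target.is_file():
            continue  # no plain file of that name at the top level
        matched.append(target)
        if not dry_run:
            target.unlink()
    return matched


def build_sample_tree():
    """Construct a throwaway home-share tree (constructed sample data)."""
    base = Path(tempfile.mkdtemp(prefix="homes_"))
    for user in ("alice", "bob", "carol"):
        (base / user).mkdir()
    # two users have the unwanted file directly in their home folder
    (base / "alice" / "blahblah.exe").write_bytes(b"x")
    (base / "carol" / "blahblah.exe").write_bytes(b"x")
    # a nested copy that a top-level-only sweep must not touch
    (base / "bob" / "archive").mkdir()
    (base / "bob" / "archive" / "blahblah.exe").write_bytes(b"x")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    print("would delete:", remove_from_home_folders(base, "blahblah.exe"))
    print("deleted:", remove_from_home_folders(base, "blahblah.exe", dry_run=False))
```

Run it once with the default dry run, review the list, then rerun with `dry_run=False`; on a real share point `homes_root` at the home-directory root (for example the local path behind the `\\server\homes` share) rather than the drive root, so the sweep never leaves the user folders.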
[ActiveDir] User attribute manipulation via vbscript question.
Can anyone tell me which attribute of a user object stores the value for "Automatically update e-mail addresses based on recipient policy" in a 2003 AD and 2003 Exchange org? Or at least point out documentation on how that value is stored in AD and manipulated via vbscript?

Thanks
Clyde Burns

-
This message is confidential, intended only for the named recipient(s) and may contain information that is privileged or exempt from disclosure under applicable law. Any patient health information must be delivered immediately to intended recipient(s). If you are not the intended recipient(s), you are notified that the dissemination, distribution or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at either the e-mail address or telephone number above and discard this e-mail. Thank you.
RE: [ActiveDir] Sysvol and AV exclusions
Trend Micro's products are fairly robust there too.

Roger Seielstad
E-mail Geek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, September 14, 2005 11:40 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Sysvol and AV exclusions

[...]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, 13 September 2005 10:47 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sysvol and AV exclusions

The articles should not be inconsistent. The 822158 does mention 814263 (see bullet 2).

284947 - is how to detect and diagnose excessive FRS replication, noting it might be caused by Anti-Virus software, and mentioning how to recover. It is not SYSVOL specific, it is FRS specific. But since SYSVOL is an FRS share, it applies to SYSVOL, if this should happen to your SYSVOL.

814263 - is about Anti-Virus programs that are compatible with FRS from a generic sense. Again not SYSVOL specific, FRS specific. You will want one of these programs to continue on with
RE: [ActiveDir] OT: Outsourcing OS Patching
Why not run something like WSUS (Windows Software Update Services) and manage it yourselves? Seems kinda silly to outsource that piece.

Roger Seielstad
E-mail Geek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, September 15, 2005 1:22 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: Outsourcing OS Patching

Group,

Odd question. I just got out of a meeting with a consulting group that wants us to outsource the patching of our servers that are not in our data center (we have a number of servers that are at our remote locations and our staff is struggling with our patching cycle on these for one reason or another). Does anyone know of an outsourcing group that will only do the MS patching on the servers and let the owners of the boxes do everything else? We are looking for a basis of comparison and this consultant said that they don't have any competitors in this field. Either people outsource all of their servers, all of the services or they don't outsource at all. They don't know of anyone who only outsources the patching and monitoring of the boxes.

Thanks,
Charlie
RE: [ActiveDir] User attribute manipulation via vbscript question.
http://support.microsoft.com/default.aspx?scid=kb;en-us;318072

ADModify would also do this, and joeware is likely to do this as well.

Al

From: [EMAIL PROTECTED] on behalf of Burns, Clyde
Sent: Thu 9/15/2005 8:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User attribute manipulation via vbscript question.

Can anyone tell me which attribute of a user object stores the value for "Automatically update e-mail addresses based on recipient policy" in a 2003 AD and 2003 Exchange org? Or at least point out documentation on how that value is stored in AD and manipulated via vbscript?

Thanks
Clyde Burns
RE: [ActiveDir] User attribute manipulation via vbscript question.
This particular attribute is a bit of a PITA and most sample programs don't handle it properly (which doesn't imply that joeware doesn't). :-)

There may be multiple policies or a single policy or no policy. The variable type is dependent on which of those is true. Further, if there is a policy (or more than one), then there can be multiple related policies in the policy-value, comma-separated. In VBS this is somewhat lengthy to code. But certainly doable.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 15, 2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318072

ADModify would also do this, and joeware is likely to do this as well.

Al

From: [EMAIL PROTECTED] on behalf of Burns, Clyde
Sent: Thu 9/15/2005 8:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User attribute manipulation via vbscript question.

Can anyone tell me which attribute of a user object stores the value for "Automatically update e-mail addresses based on recipient policy" in a 2003 AD and 2003 Exchange org? Or at least point out documentation on how that value is stored in AD and manipulated via vbscript?

Thanks
Clyde Burns