RE: [ActiveDir] Exchange relay(OT)

2005-09-20 Thread Brian Desmond

Let me answer what I can authoritatively.

MAPI clients are totally different than pop3/imap. There is no virtual server or none of that. They submit their messages to the server over MAPI just like all their other traffic, and then the server handles the routing internally. You cannot disable mapi users from sending mail. They’re not relaying anything off an SMTP server. If you create an acme.com connector and uncheck the relay box, users will continue to be able to email to acme.com.

I’m not sure you understand what relaying means in the context of SMTP. Sending mail to the SMTP server’s native domain is not relaying. It’s what the SMTP server is there for. Submitting mail to the SMTP server for delivery to a remote smtp server is relaying. Usually you don’t think of your internal users sending outbound mail as relaying, though I guess technically it is.

A quick peek at the SMTP settings on a couple of the servers here indicates that they all have that "allow computers which authenticate to relay" box checked. Our outbound SMTP is locked down at the perimeter and inbound comes through a couple of iplanet boxes.

 



Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, September 20, 2005 9:01 PM
To: activedirectory
Subject: [ActiveDir] Exchange relay(OT)

I'm confused about relaying on virtual servers and smtp connectors.

I keep reading conflicting reports.

In "Microsoft Exchange Server 2003 24seven" from Sybex, JMcBee writes in chapter 14 on page 584 that by unchecking "Allow All Computers Which Successfully Authenticate To Relay...", Exchange servers will not be able to send mail to one another.

He states Exchange servers relay with each other in an Org all the time and unchecking this will break Exchange.

Jim McBee has stated this in both Exchange 2k and 2k3 versions of the book.

However in "Exchange Server Cookbook", recipe 7.19, they state to uncheck this value for security reasons and seem to imply that this is only for pop3/imap clients.

Tony Redmond in "MS Exchange Server 2003 with sp1" seems to agree as well.

Who's right?

Also, I know the setting for relaying on an smtp connector overrides the virtual server connection setting, so say I create a connector with "acme.com" address space. If I uncheck the relay button on the connector, will users (mapi or pop3) be able to send mail to acme.com? Or do I have to enable relaying for this to work on that connector?

Finally, how does Exchange view mapi users? Are they lumped in with auth users like pop3/imap?

What mechanism allows mapi users to relay? Is there a setting that can disallow mapi clients from relaying like for pop3/imap clients?

Thanks. A lot of questions, I know.

Exchange in some ways confuses the heck outta me. I find the sendmail.cf file easier than Exchange sometimes.

Thanks again!

[ActiveDir] Exchange relay(OT)

2005-09-20 Thread Tom Kern
I'm confused about relaying on virtual servers and smtp connectors.

I keep reading conflicting reports.

In "Microsoft Exchange Server 2003 24seven" from Sybex, JMcBee writes in chapter 14 on page 584 that by unchecking "Allow All Computers Which Successfully Authenticate To Relay...", Exchange servers will not be able to send mail to one another.

He states Exchange servers relay with each other in an Org all the time and unchecking this will break Exchange.

Jim McBee has stated this in both Exchange 2k and 2k3 versions of the book.

However in "Exchange Server Cookbook", recipe 7.19, they state to uncheck this value for security reasons and seem to imply that this is only for pop3/imap clients.

Tony Redmond in "MS Exchange Server 2003 with sp1" seems to agree as well.

Who's right?

Also, I know the setting for relaying on an smtp connector overrides the virtual server connection setting, so say I create a connector with "acme.com" address space. If I uncheck the relay button on the connector, will users (mapi or pop3) be able to send mail to acme.com? Or do I have to enable relaying for this to work on that connector?

Finally, how does Exchange view mapi users? Are they lumped in with auth users like pop3/imap?

What mechanism allows mapi users to relay? Is there a setting that can disallow mapi clients from relaying like for pop3/imap clients?

Thanks. A lot of questions, I know.

Exchange in some ways confuses the heck outta me. I find the sendmail.cf file easier than Exchange sometimes.

Thanks again!
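To make the distinction Brian Desmond draws in his reply concrete (delivery to the server's own domain is never relaying; delivery anywhere else is, and is gated by the "allow computers which successfully authenticate to relay" setting), here is an added Python example. It is not code from the thread, from Exchange or from any product: it applies the per-recipient decision an SMTP virtual server makes to a constructed policy and a constructed list of RCPT TO attempts. Domain names, the trusted subnet and the session list are assumptions. It also shows what clearing the authenticated-relay box does to an authenticated POP3/IMAP client's outbound mail, which is the Cookbook recommendation the question mentions; MAPI submission is deliberately outside the model, since, as the reply notes, Outlook hands mail to the store rather than to the SMTP virtual server.

```python
"""Relay-versus-local-delivery decision for an SMTP RCPT TO command.

Added example; not code from the thread, from Exchange, or from any
product. Local domains, networks and addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: frozenset[str]              # domains this server delivers for
    relay_for_authenticated: bool = True       # "authenticated computers may relay" checkbox
    relay_from_networks: tuple[str, ...] = ()  # explicit "relay from these addresses" list

    def decide(self, recipient: str, authenticated: bool, client_ip: str) -> tuple[str, str]:
        """Return ("accept"|"reject", reason) for one RCPT TO."""
        addr = recipient.strip().strip("<>")
        local_part, sep, domain = addr.rpartition("@")
        if not sep or not local_part or not domain:
            return "reject", "malformed recipient"
        # Domain comparison is case-insensitive; a trailing dot names the same zone.
        domain = domain.lower().rstrip(".")
        if domain in self.local_domains:
            return "accept", "local delivery (not a relay)"
        if authenticated and self.relay_for_authenticated:
            return "accept", "relay: authenticated session"
        try:
            ip = ip_address(client_ip)
        except ValueError:
            return "reject", "relay denied (unparseable client address)"
        for net in self.relay_from_networks:
            if ip in ip_network(net, strict=False):
                return "accept", f"relay: trusted source {net}"
        return "reject", "relay denied"


def evaluate(policy: RelayPolicy, session: list[tuple[str, bool, str]]) -> list[tuple[str, str, str]]:
    """Run each (recipient, authenticated, client_ip) through the policy."""
    return [(rcpt,) + policy.decide(rcpt, auth, ip) for rcpt, auth, ip in session]


# Constructed policy: authoritative for two domains, one trusted internal subnet.
POLICY = RelayPolicy(
    local_domains=frozenset({"example.com", "corp.example.com"}),
    relay_for_authenticated=True,
    relay_from_networks=("192.0.2.0/24",),
)
# Same policy with the "authenticated computers may relay" box cleared.
POLICY_NO_AUTH_RELAY = RelayPolicy(POLICY.local_domains, False, POLICY.relay_from_networks)

# Constructed RCPT TO attempts: (recipient, session authenticated?, client IP).
SESSION = [
    ("<bob@example.com>", False, "198.51.100.7"),     # inbound internet mail to us
    ("<user@EXAMPLE.COM.>", False, "198.51.100.7"),   # same, odd casing and trailing dot
    ("<alice@acme.example>", True, "198.51.100.7"),   # authenticated client sending outbound
    ("<alice@acme.example>", False, "198.51.100.7"),  # unauthenticated relay attempt
    ("<alice@acme.example>", False, "192.0.2.10"),    # unauthenticated but trusted subnet
    ("not-an-address", False, "198.51.100.7"),        # malformed
]

if __name__ == "__main__":
    for rcpt, action, reason in evaluate(POLICY, SESSION):
        print(f"{action:6} {rcpt:24} {reason}")
```

With the authenticated-relay box cleared, an authenticated POP3/IMAP client can still deliver to example.com but is refused for acme.example; that is the behaviour the Cookbook recipe trades for not exposing relay to anyone who can obtain a mailbox password.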
 
 
 


[ActiveDir] Using Restricted Groups Policy (defining access on member servers)

2005-09-20 Thread Mark . H . Lunsford

Problem: large enterprise with multiple groups responsible for managing different applications, how to ensure proper access to local Administrators groups on the application servers?

Possible Solution: all applications are grouped per OU type and use a GPO with a defined set of groups to have access to a particular application.

Was also contemplating removing the Domain Admins group out of the local Administrators groups on servers?

Anyone else have any good ideas or have done something similar?

Thank You ! And have a nice day !




RE: [ActiveDir] Magazines(OT)

2005-09-20 Thread Deuby, Sean P

An IT Pro subscription is $49 / year. The $129 is probably a newsletter cost. (So high because there’s no advertising to defray it.)

https://store.pentontech.com/index.cfm?s=1&cid=28&promotionid=34

-Sean

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, September 16, 2005 11:14 AM
To: activedirectory
Subject: [ActiveDir] Magazines(OT)

Anyone read Windows IT Pro magazine and can recommend it?

Also, anyone know anything about Exchange and Outlook Administrator mag? Why is it so pricey? Is it really worth the $129 a year? Seems like a lot for 12 issues.

Thanks. I know this is really irrelevant, so thanks in advance to anyone for responding.










[ActiveDir] Domain Controller Security

2005-09-20 Thread van Donk, Fred



I have a contractor in a remote site. There is only 1 server in that site which is a DC.

He needs to administer that server:
- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users?

Thanks!
Fred
 
 


RE: [ActiveDir] Kerberos Delegation

2005-09-20 Thread Tony Murray



Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following.

If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:". It would seem logical to me to have to specify the ISA here. Now whether you need to configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself, I don't know.

Cheers
Tony

PS. See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

Well can you explain “but wouldn't you also need an SPN for the web service on the ISA Server?” I don’t understand why; the ISA server is the server that is needing the authentication to allow the web server to browse the internet. So to elaborate:

I have a Share Point site; it has a RSS feed web part. This web part is requesting a RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA 2004 server and I see the web server trying to access the internet with the user specified = Anonymous. The delegation is so that the user viewing the Share Point site (hence calling the RSS web part) will be the user credentials passed to the ISA server to be able to browse the internet.

That’s why I don’t see why we need to register a SPN for the ISA server?

Thanks
C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 01:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object?

Cheers
Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, 20 September 2005 9:31 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

Hey all,

Ok, late at night here and I’ve hit a mental block (don’t laugh Dean). I have set this up like a gazillion times but this time can't get it to work.

Environment:

Windows 2003 Native Forest Mode – All clients Windows XP SP2 and above

Single forest single domain setup

Web Server – Windows Server 2003 Web Edition, Share Point Team Services installed.

That site has a web part that requires Kerb delegation for access to an ISA firewall in order to stream RSS feeds. I can see on the ISA server that whenever any user hits the site the HTTP request is sent as ANONYMOUS.

So what I have done:

- Set webserver for delegation (Kerb Only)
- Created username in AD and set for Delegation (Kerb Only)
- Set the Share Point Portal Application Pools (IIS 6.0) to use the AD user mentioned above for the Identity of the App Pool (rebooted IIS server)
  a. Purged all tickets as well.
- Registered a SPN for the -A HTTP DOMAIN\User mentioned above

Still get Anonymous access on the ISA box, and using some normal .net code can see that it's not delegating the creds correctly. Can anyone see what I am doing wrong or what I should be doing?

Thanks, I appreciate the help so late in my night :)

Carlos



This e-mail message has been scanned for Viruses and 
Content and cleared by NetIQ MailMarshal 
at Gen-i 
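The thread is circling three configuration facts that a quick consistency check over directory data can confirm before anyone stares at ISA logs again: the app-pool identity must hold the HTTP SPN that browsers use (otherwise the client falls back to NTLM, which "Kerberos only" delegation cannot forward); the ISA web service needs its own SPN, because constrained delegation is expressed as a list of target SPNs (the msDS-AllowedToDelegateTo attribute behind the "Services to which this account can present delegated credentials" list Tony mentions); and no SPN may be registered on two accounts, since a duplicate leaves the KDC unable to pick the right key and Kerberos fails silently. The Python below is an added example, not code from the thread, from Microsoft or from setspn; it runs those checks over a constructed directory snapshot instead of a live LDAP query, and the account and host names are assumptions.

```python
"""Consistency checks for a Kerberos constrained-delegation path.

Added example; not code from the thread or from Microsoft. The directory
snapshot (accounts, SPNs, delegation lists) is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    sam: str
    spns: list[str] = field(default_factory=list)                    # servicePrincipalName
    allowed_to_delegate_to: list[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


def parse_spn(spn: str) -> tuple[str, str, int | None, str | None]:
    """Split 'class/host[:port][/name]' into its parts, normalising case."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    if not host:
        raise ValueError(f"malformed SPN: {spn!r}")
    name = parts[2] if len(parts) == 3 else None
    return parts[0].upper(), host.lower(), int(port) if port else None, name


def canonical(spn: str) -> str:
    """Canonical form so 'http/SharePoint.corp.example' equals 'HTTP/sharepoint.corp.example'."""
    service, host, port, name = parse_spn(spn)
    return f"{service}/{host}" + (f":{port}" if port else "") + (f"/{name}" if name else "")


def find_duplicate_spns(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each SPN registered on more than one account to its owners."""
    owners: dict[str, set[str]] = defaultdict(set)
    for acct in accounts:
        for spn in acct.spns:
            owners[canonical(spn)].add(acct.sam)
    return {spn: sorted(sams) for spn, sams in owners.items() if len(sams) > 1}


def check_delegation_path(accounts: list[Account], front_end_sam: str,
                          front_end_spn: str, target_spn: str) -> list[str]:
    """Return human-readable findings; an empty list means the path is consistent."""
    findings: list[str] = []
    by_sam = {a.sam: a for a in accounts}
    fe = by_sam.get(front_end_sam)
    if fe is None:
        return [f"front-end account {front_end_sam} not found"]
    if canonical(front_end_spn) not in {canonical(s) for s in fe.spns}:
        findings.append(f"{front_end_spn} is not registered on {front_end_sam}")
    target = canonical(target_spn)
    if not any(target in {canonical(s) for s in a.spns} for a in accounts):
        findings.append(f"{target_spn} is not registered on any account")
    if target not in {canonical(s) for s in fe.allowed_to_delegate_to}:
        findings.append(f"{front_end_sam} may not delegate to {target_spn}")
    for spn, sams in find_duplicate_spns(accounts).items():
        findings.append(f"duplicate SPN {spn} on {', '.join(sams)}")
    return findings


FRONT_END_SPN = "HTTP/sharepoint.corp.example"   # what browsers ask the KDC for
TARGET_SPN = "HTTP/isa.corp.example"             # the ISA web proxy service

# Constructed snapshot reproducing common mistakes: the HTTP SPN is also on the
# web server's computer account, ISA has no HTTP SPN, and the delegation list is empty.
BROKEN = [
    Account("svc-sharepoint", ["HTTP/sharepoint.corp.example"], []),
    Account("WEB01$", ["HOST/web01.corp.example", "http/SharePoint.corp.example"]),
    Account("ISA01$", ["HOST/isa.corp.example"]),
]
# The same environment after the three fixes.
FIXED = [
    Account("svc-sharepoint", ["HTTP/sharepoint.corp.example", "HTTP/sharepoint"],
            ["HTTP/isa.corp.example"]),
    Account("WEB01$", ["HOST/web01.corp.example"]),
    Account("ISA01$", ["HOST/isa.corp.example", "HTTP/isa.corp.example"]),
]

if __name__ == "__main__":
    for label, snapshot in (("broken", BROKEN), ("fixed", FIXED)):
        result = check_delegation_path(snapshot, "svc-sharepoint", FRONT_END_SPN, TARGET_SPN)
        print(label, result or ["ok"])
```

Against a real forest the same three checks would be fed from an LDAP query for servicePrincipalName and msDS-AllowedToDelegateTo; the duplicate-SPN check is the one most worth keeping on a schedule, because a stale SPN on a decommissioned computer account breaks Kerberos for the new owner without any visible error on the web server.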









[ActiveDir] Folder Redirection & Offline Files

2005-09-20 Thread Rob Preston

The recent question on offline files & Folder redirection reminded me of a related situation that I suspect others are dealing with:
 
We have several users who wouldn't normally travel, so they are given desktops. Say this user does travel to a location that has typical T1 WAN connectivity back to the server where their "My Documents" are stored. They log onto another user's pc - twice. Upon the second logon, XP happily pulls their "MyDocs" across the WAN, causing the network folks to dislike XP. Since this happens before logon completes, a user with a large "MyDocs" ends up thinking the pc is hung, and they have no way to stop the process.
 
If only Microsoft would provide a Group Policy to enable a "cancel" button or a button labeled "Click here if you are using this pc temporarily" while folder redirection is copying all their data when they log onto a pc. Even better would be to disable the local copying for future logins for that user.
 
Does anyone have a solution for this? Some things we have come up with are:
* Identify folks who travel infrequently, make sure they have laptops ($$)
* Provide hotel pcs at each location that has offline files disabled for all users $$
* Write some sort of script that disables offline files whenever a user from another ad-site logs in. Problem is when the primary user logs back in, it may have to re-sync.
 
Any thoughts?
 
Thanks,
RP


Re: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Transition pack or www.sbsmigration.com

Transition pack is the best way however lets you keep the Remote web 
workplace and monitoring email even after you break away from SBSland.


[EMAIL PROTECTED] wrote:


OK, since the topic came up:  I'm trying to figure out how to migrate off 
SBS2003.

Scenario is a recent acquisition where we want to migrate from company SBS to 
corporate AD (standard 2003 domain).  Trusts are out.  Hack is both dangerous 
and illegal.

MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to normal AD.  
Is there any other way?  LDIF export?

Thanks, 
AL


Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 
-- 
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, September 14, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS Server Question

Nope.  No trusts, no forests.  We're the spoiled only PDC that must hold 
all the FSMO roles.  We can do some funky stuff with pass through 
authentication, but no trusts.


US versus THEM:
http://www.sbslinks.com/Us_v_them.htm

In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional domain 
controller' is supported and not calling it a BDC. 

Member servers are covered by the SBS cals but last I read in the PUR 
the additional DC would need server cals.  [that's my interpretation 
anyway but I get a headache reading that doc in the first place]


Honestly ...keep in mind that with XPs, they will use cached 
credentials and you can log into that profile even if the network is 
down.  Now comes the fun... who's doing the DHCP? The recommended way is 
to have the SBS box to do that...so you still have fun.  If the SBS box 
goes down, I normally have ways around the temporary failure [and even 
then I can count on one hand the times my network has been affected: 
power mostly, then NICs, then switches, and one hard drive falling off a 
RAID].  Get good equipment [and honestly either reinstall those OEMs and 
stay away from those preinstalled versions] and we do just fine.




Medeiros, Jose wrote:

 

Hi Susan, 


Since we have an SBS MVP on the Active Dir list, let me ask a question.

Can I now make an SBS 2003 server a child domain in an AD 2003 forest? 


Before you ask why, some one asked me this recently at a Linux users group 
meeting, as his company has several remote offices using SBS 2003.

Also on SBS 4.5, one could have a BDC as a backup, can this also be done with a DC or are you " Sh.T out of luck " when a box fails? 


Jose


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



   



 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-20 Thread al_maurer
OK, since the topic came up:  I'm trying to figure out how to migrate off 
SBS2003.

Scenario is a recent acquisition where we want to migrate from company SBS to 
corporate AD (standard 2003 domain).  Trusts are out.  Hack is both dangerous 
and illegal.

MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to normal AD.  
Is there any other way?  LDIF export?

Thanks, 
AL

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 
-- 
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i. 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, September 14, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS Server Question

Nope.  No trusts, no forests.  We're the spoiled only PDC that must hold 
all the FSMO roles.  We can do some funky stuff with pass through 
authentication, but no trusts.

US versus THEM:
http://www.sbslinks.com/Us_v_them.htm

In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional domain 
controller' is supported and not calling it a BDC. 

Member servers are covered by the SBS cals but last I read in the PUR 
the additional DC would need server cals.  [that's my interpretation 
anyway but I get a headache reading that doc in the first place]

Honestly ...keep in mind that with XPs, they will use cached 
credentials and you can log into that profile even if the network is 
down.  Now comes the fun... who's doing the DHCP? The recommended way is 
to have the SBS box to do that...so you still have fun.  If the SBS box 
goes down, I normally have ways around the temporary failure [and even 
then I can count on one hand the times my network has been affected: 
power mostly, then NICs, then switches, and one hard drive falling off a 
RAID].  Get good equipment [and honestly either reinstall those OEMs and 
stay away from those preinstalled versions] and we do just fine.



Medeiros, Jose wrote:

>Hi Susan, 
>
>Since we have an SBS MVP on the Active Dir list, let me ask a question.
>
>Can I now make an SBS 2003 server a child domain in an AD 2003 forest? 
>
>Before you ask why, some one asked me this recently at a Linux users group 
>meeting, as his company has several remote offices using SBS 2003.
>
>Also on SBS 4.5, one could have a BDC as a backup, can this also be done with 
>a DC or are you " Sh.T out of luck " when a box fails? 
>
>Jose
>
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] Is it possible to have Multiple UPN domains?

2005-09-20 Thread Almeida Pinto, Jorge de
Yep, that is possible.  What you are talking about are UPN suffixes.

See: http://support.microsoft.com/?kbid=243629

Also remember: A UPN can be implicitly or explicitly defined. An
implicit UPN is of the form [EMAIL PROTECTED] An implicit
UPN is always associated with the user's account, even if an explicit
UPN is not defined. An explicit UPN is of the form [EMAIL PROTECTED], where
both the name and suffix strings are explicitly defined by the
administrator.

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Tuesday, September 20, 2005 17:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to have Multiple UPN domains?

Hi,

Is it possible to manually add more UPN domain names (@domain2.com) in
the dropdown box for a user? Currently there is only one '@domain.com'
listed in the 'Account Tab' under user properties.

Steve Schofield
[EMAIL PROTECTED] 






[ActiveDir] Is it possible to have Multiple UPN domains?

2005-09-20 Thread Steve Schofield

Hi,

Is it possible to manually add more UPN domain names (@domain2.com) in the 
dropdown box for a user? Currently there is only one '@domain.com' listed in 
the 'Account Tab' under user properties.


Steve Schofield
[EMAIL PROTECTED] 





RE: [ActiveDir] only 1 GPO not applying...

2005-09-20 Thread Bruyere, Michel
Hi, 
I'm activating the logging with verbose... do you think it's enough?

Here is a part of what's in there.


USERENV(210.214) 11:22:59:390 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(210.1a0) 01:34:18:174 ProcessGPOs: GetGPOInfo failed.

USERENV(208.608) 10:15:07:406 ReadMembershipList: Group S-1-5-21-1785794336-1158417043-4547331-2117 not in current list of token groups
USERENV(208.144) 10:15:09:937 PolicyChangedThread: UpdateUser failed with 0.
USERENV(208.b6c) 13:52:56:848 PolicyChangedThread: UpdateUser failed with 6.


Here is the complete configuration of the policy that I'm testing with: ScreenSaver_User

General
Details
Domain:             Domain
Owner:              Domain\Domain Admins
Created:            15/09/2005 9:07:24 AM
Modified:           19/09/2005 3:28:06 PM
User Revisions:     10 (AD), 10 (sysvol)
Computer Revisions: 1 (AD), 1 (sysvol)
Unique ID:          {356D9C9D-53A3-49CD-ABB5-}
GPO Status:         Enabled

Links
Location                    Enforced   Link Status
Technique                   No         Enabled
Usagers_direction           No         Enabled
Usagers_inventoriees        No         Enabled
Usagers_portables           No         Enabled
Usagers_portables_valides   No         Enabled
Usagers_validees            No         Enabled
This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
NT AUTHORITY\Authenticated Users
Domain\Domain Users

WMI Filtering
WMI Filter Name: None
Description:     Not applicable

Delegation
These groups and users have the specified permission for this GPO:
Name                                Allowed Permissions                        Inherited
Everyone                            Read (from Security Filtering)             No
NT AUTHORITY\Authenticated Users    Read (from Security Filtering)             No
NT AUTHORITY\SYSTEM                 Edit settings, delete, modify security     No
DOMAIN\Domain Admins                Edit settings, delete, modify security     No
DOMAIN\Domain Users                 Read (from Security Filtering)             No
DOMAIN\Enterprise Admins            Edit settings, delete, modify security     No

Computer Configuration (Enabled)
Administrative Templates
System/Logon
Policy                                                       Setting
Always wait for the network at computer startup and logon    Enabled

User Configuration (Enabled)
Administrative Templates
Control Panel/Display
Policy                                 Setting
Hide Screen Saver tab                  Enabled
Password protect the screen saver      Enabled
Screen Saver                           Enabled
Screen Saver executable name           Enabled
  Screen Saver executable name: %systemroot%\system32\ssmarque.scr
Screen Saver timeout                   Enabled
  Number of seconds to wait to enable the Screen Saver, Seconds: 600

Thanks for your help!

Darren: I can send you the result file for the userenv log. It's about
200KB.
You can contact me offlist at mbruyere at gmail dot com.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

Ok, so in the RSOP report, does it show the setting being applied to the
user? If not, then the next step is to enable userenv logging and see
what it shows when it enumerates the GPOs to process for the user. These
kinds of problems typically break down into:

--infrastructure problems (e.g. DNS, FRS, etc. which usually means no
GPOs apply)
--Configuration problems (e.g. GPO linked wrong, filtered wrong or
blocked by some config. error)
--Client problems (e.g. Required client services not running, issues
with client communicating with DC, etc.)

In your case it sounds like either a config. problem or a client
problem--probably the latter. One thing to double-check--sometimes a
setting gets applied but the client doesn't behave as expected. Look in
the system.adm file and determine what registry value should be set for
that screen saver policy then confirm on the client that it indeed is
not being set. That way you know that it's a problem of not processing
the GPO correctly rather than a problem of the policy not responding the
way you expect.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

Hi, 
I thought that this could be a problem... I added domain users
and everyone in the permissions to test things out... still no go. 

The gpresult message does not report any filtering (except for the
computers GPOs that have the users section disabled, but the reason
listed is "disabled" which is normal).

Still in the dark ...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDi
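Darren's suggestion to read the userenv log is only useful if the noise is separated from the failures, and the excerpt Michel posted mixes both: "UpdateUser failed with 0" is a Win32 return code of 0 (ERROR_SUCCESS), "failed with 6" is ERROR_INVALID_HANDLE, "GetGPOInfo failed" is a real failure with no code, and the "not in current list of token groups" line means the cached group list and the logon token disagree, which is exactly the kind of thing that makes security-group filtering misbehave. The Python below is an added example, not code from the thread or from Microsoft; it parses the line shape shown in the post ("USERENV(pid.tid) hh:mm:ss:ms Function: message") and triages each line. The sample is the posted lines re-joined onto single lines plus one constructed non-matching line; the small Win32 code table is an assumption limited to the codes named here.

```python
"""Triage of USERENV.LOG lines from Group Policy client-side processing.

Added example; not code from the thread or from Microsoft. SAMPLE holds
the lines from the post re-joined onto single lines plus one constructed
non-matching line.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>\S+?):\s+(?P<msg>.*)$"
)
FAILED_WITH_RE = re.compile(r"\bfailed with (\d+)\.?\s*$")
# Assumed subset of winerror.h; only the codes this example needs.
WIN32_NAMES = {0: "ERROR_SUCCESS", 2: "ERROR_FILE_NOT_FOUND",
               5: "ERROR_ACCESS_DENIED", 6: "ERROR_INVALID_HANDLE"}


@dataclass(frozen=True)
class Entry:
    pid: int
    tid: int
    time: str
    func: str
    msg: str
    severity: str   # "error", "warning" or "info"
    note: str


def classify(msg: str) -> tuple[str, str]:
    """Map a message to (severity, note), treating 'failed with 0' as success."""
    m = FAILED_WITH_RE.search(msg)
    if m:
        code = int(m.group(1))
        if code == 0:
            return "info", "return code 0 is ERROR_SUCCESS, not a real failure"
        return "error", f"Win32 error {code} ({WIN32_NAMES.get(code, 'see winerror.h')})"
    if "failed" in msg.lower():
        return "error", "operation failed without a return code"
    if "not in current list of token groups" in msg:
        return "warning", "cached group membership differs from the logon token"
    return "info", ""


def parse_line(line: str) -> Entry | None:
    """Parse one USERENV line; return None for anything else (continuations, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    severity, note = classify(m["msg"])
    return Entry(int(m["pid"], 16), int(m["tid"], 16), m["time"], m["func"], m["msg"], severity, note)


def parse_log(text: str) -> list[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def summarize(text: str) -> dict[str, int]:
    """Count entries per severity, e.g. {'info': 2, 'warning': 1, 'error': 2}."""
    return dict(Counter(e.severity for e in parse_log(text)))


SAMPLE = """\
USERENV(210.214) 11:22:59:390 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(210.1a0) 01:34:18:174 ProcessGPOs: GetGPOInfo failed.
USERENV(208.608) 10:15:07:406 ReadMembershipList: Group S-1-5-21-1785794336-1158417043-4547331-2117 not in current list of token groups
USERENV(208.144) 10:15:09:937 PolicyChangedThread: UpdateUser failed with 0.
USERENV(208.b6c) 13:52:56:848 PolicyChangedThread: UpdateUser failed with 6.
This constructed line is not a USERENV entry and is skipped
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        if e.severity != "info":
            print(f"{e.severity:7} {e.time} {e.func}: {e.msg}  [{e.note}]")
    print(summarize(SAMPLE))
```

The pid.tid pair is worth keeping in the output: lines from the same thread belong to one policy-processing pass, so grouping on it shows whether the GetGPOInfo failure and the UpdateUser error happened in the same logon or hours apart.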

RE: [ActiveDir] only 1 GPO not applying...

2005-09-20 Thread Bruyere, Michel


There are no errors, only this:

Event Type: Success Audit
Event Source:   Security
Event Category: Policy Change 
Event ID:   806
Date:   19/09/2005
Time:   3:36:07 PM
User:   AUTORITE NT\SYSTEM
Computer:   Computername
Description:
Per User Audit Policy was refreshed.
Number of elements: 0
Policy ID:  (0x0,0xB72C)






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: September 19, 2005 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...


So setting that policy enabled the computer policy to apply, but the
user policy still isn't? are you getting any errors in the event logs?
Usually when a group policy does not apply you will get some.


Dan



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

Hi,

   I found that only computer policies apply ;/

The user-only policy does not apply; still searching but will appreciate
any inputs.
It may be a permissions issue, I'm looking this way.

Thanks!




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: September 19, 2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] only 1 GPO not applying...

Hi,

I have a little problem applying a GPO.

SETUP: windows 2k native domain with XPsp2 ADM files. All stations are
WinXP sp2.


I had a GPO that pushed a screen saver configuration and some other
restrictions. I had to split the GPO in 2 because I needed to deploy the
screensaver without the other restrictions. There is a problem with this
new GPO because it just does not apply to any machine/user.

I used GPMC on a winXP sp2 with 2k3 adminpak to define and link the
GPOs.


Note: all other Policies are applied correctly and the one that do not
apply isn't listed in the " The following GPOs were not applied because
they were filtered out" section...

Any ideas?

Thanks for your time!







RE: [ActiveDir] only 1 GPO not applying...

2005-09-20 Thread Bruyere, Michel
No, it's only XP SP2 adm settings; there is only one object pushing IE
config.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: September 19, 2005 5:14 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] only 1 GPO not applying...

Are you deploying any IE branding/customisation in the GPO? If so, you
will need a hotfix to enable the application of GPOs.

Mark




RE: [ActiveDir] only 1 GPO not applying...

2005-09-20 Thread Bruyere, Michel
Hi, 
That's the first thing I checked ;) they have the read and apply
perms.  I also added domain users in the perms (with read and apply)
just to be sure. Still no go. 

Thanks for the thought! 
;) 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: September 19, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

One other thing to look at in the filtering permissions...

The user account/group must actually have two rights. It must have the
right
to read the policy object and the right to apply the policy object.

FWIW - Frank

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 4:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

Hi, 
I thought that this could be a problem... I added domain users
and everyone in the permissions to test things out... still no go. 

The gpresult message does not report any filtering (except for the
computers GPOs that have the users section disabled, but the reason
listed is "disabled" which is normal).

Still in the dark ...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

The filtering message you got from RSOP indicates that either security
group filtering or WMI filtering may be getting in the way of this. How
have you configured security on that GPO? By default, Authenticated
Users (meaning all users and computers in the domain) will process a
GPO. So if you removed the Authenticated Users ACE you need to replace
that with a user group that contains all the users you wish to receive
that GPO.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

Hi, 
I found that only computer policies apply ;/ The user-only policy
does not apply; still searching, but I will appreciate any input.
It may be a permissions issue; I'm looking this way.

Thanks! 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: September 19, 2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] only 1 GPO not applying...

Hi, 
I have a little problem applying a GPO. 
SETUP: windows 2k native domain with XPsp2 ADM files. All stations are
WinXP sp2. 

I had a GPO that pushed a screen saver configuration and some other
restrictions. I had to split the GPO in two because I needed to deploy the
screensaver without the other restrictions. There is a problem with this
new GPO because it just does not apply to any machine/user.

I used GPMC on a WinXP SP2 box with the 2k3 adminpak to define and link the
GPOs.


Note: all other policies are applied correctly, and the one that does not
apply isn't listed in the "The following GPOs were not applied because
they were filtered out" section...

Any ideas?

Thanks for your time! 




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

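
Frank's and Darren's points above (the trustee needs both Read and Apply Group Policy; a WMI filter or disabled user-side settings can also stop processing) can be checked in one pass. This is an added example, not code from anyone in the thread; it assumes the GroupPolicy PowerShell module (Get-GPO, Get-GPPermission), which post-dates this 2005 discussion, and 'Screensaver' is a placeholder GPO name.

```powershell
# Added example (not from the thread): report why a GPO may not be applying.
# Assumes the GroupPolicy (RSAT) module; the GPO name at the bottom is a placeholder.
Import-Module GroupPolicy

function Test-GpoApplyReadiness {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Principal expected to receive the GPO, matched on the display name
        # Get-GPPermission reports; the default is the group Darren mentions.
        [string] $Trustee = 'Authenticated Users'
    )
    $gpo = Get-GPO -Name $Name
    $findings = @()

    # 1. User-side settings disabled: user policies never process, which
    #    gpresult reports with the reason "disabled".
    if ($gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled') {
        $findings += "User configuration is disabled (GpoStatus = $($gpo.GpoStatus))."
    }

    # 2. WMI filter: one that evaluates false on the client silently skips the GPO.
    if ($gpo.WmiFilter) {
        $findings += "WMI filter '$($gpo.WmiFilter.Name)' is linked; confirm it is true on the client."
    }

    # 3. Security filtering: Get-GPPermission reports GpoApply only when a trustee
    #    holds both Read and Apply Group Policy; GpoRead alone is not enough.
    $appliers = Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    if (-not $appliers) {
        $findings += 'No trustee holds Apply Group Policy, so the GPO applies to nobody.'
    } elseif ($appliers -notcontains $Trustee) {
        $findings += "'$Trustee' cannot apply the GPO; trustees that can: $($appliers -join ', ')."
    }

    if (-not $findings) { $findings += "No filtering problem found on '$Name'." }
    [pscustomobject]@{ Gpo = $Name; Status = $gpo.GpoStatus; Findings = $findings }
}

Test-GpoApplyReadiness -Name 'Screensaver'   # placeholder GPO name
```

A GPO with a Deny ACE on Apply Group Policy for a group the user belongs to is also filtered out; Get-GPPermission -All lists denied entries separately, so inspect its raw output if the function reports no problem.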


RE: [ActiveDir] SQL 2000 SP

2005-09-20 Thread Brian Desmond
You don't...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, September 20, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SQL 2000 SP

I have integrated fixes and service packs into the OS many times, but
does anyone know how to integrate SQL 2000 SP4?

-Z.V.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Kerberos Delegation

2005-09-20 Thread Carlos Magalhaes

Hey Tony,

 

Well, can you explain “but wouldn't you also need an SPN for the web service on the
ISA Server?” I don’t understand why; the ISA server is the server
that needs the authentication to allow the web server to browse the
internet.


So to elaborate:

 

I have a SharePoint site; it has an RSS
feed web part, and this web part requests an RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx.
Now I monitor on the ISA 2004 server and I see the web server trying to access
the internet with the user specified = Anonymous. The delegation is so that the user
viewing the SharePoint site (hence calling the RSS web part) will be the user
credentials passed to the ISA server to be able to browse the internet.

 

That’s why I don’t see why we
need to register an SPN for the ISA server?

 

Thanks
C

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 01:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

Hi Carlos

 

I'm just starting to look at Kerberos
delegation for something myself, but wouldn't you also need an SPN for the
web service on the ISA Server? And then specify that service in the
delegation tab on the user object?

 

Cheers

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Carlos Magalhaes
Sent: Tuesday, 20 September 2005
9:31 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos
Delegation

Hey all,

 

Ok, late at night here and I’ve hit a mental block
(don’t laugh Dean). I have set this up like a gazillion times but this
time can’t get it to work.

 

Environment: 

 

Windows 2003 Native Forest Mode – All clients Windows
XP SP2 and above

 

Single forest single domain setup

 

Web Server – Windows Server 2003 Web Edition

Share Point Team Services installed.

 

That site has a web part that requires Kerb delegation for
access to an ISA firewall in order to stream RSS feeds. I can see on the ISA
server that whenever any user hits the site the HTTP request is sent as
ANONYMOUS.

 

So what I have done:

 


I have:
- Set webserver for delegation (Kerb Only)
- Created username in AD and set for Delegation (Kerb Only)
- Set the Share Point Portal Application Pools (IIS 6.0) to use the
  AD user mentioned above for the Identity of the App Pool (rebooted IIS
  server)
  a. Purged all tickets as well.
- Registered an SPN (-A HTTP DOMAIN\User) for the user mentioned above


 

Still get Anonymous access on the ISA box, and using some
normal .NET code I can see that it’s not delegating the creds correctly. Can
anyone see what I am doing wrong or what I should be doing?


Thanks, I appreciate the help so late in my night :)

 

Carlos
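
Carlos's steps and Tony's SPN question can be verified against the directory. This is an added example, not code from either poster; it assumes the ActiveDirectory PowerShell module, that the "Kerberos only" delegation option is constrained delegation stored in msDS-AllowedToDelegateTo on the delegating account, and that the account and SPN names below are placeholders. It also checks for a duplicated SPN, which goes beyond the cases raised in the thread.

```powershell
# Added example (not from the thread): check the pieces constrained delegation depends on.
# Assumes the ActiveDirectory module; all account and SPN names are placeholders.
Import-Module ActiveDirectory

function Test-KerberosDelegationSetup {
    param(
        [Parameter(Mandatory)] [string] $AppPoolAccount,  # IIS app pool identity (placeholder)
        [Parameter(Mandatory)] [string] $WebSiteSpn,      # SPN browsers request, e.g. HTTP/<site host>
        [Parameter(Mandatory)] [string] $TargetSpn        # SPN of the service being called (the proxy)
    )
    $findings = @()

    # 1. Browsers request a ticket for the site's HTTP SPN; exactly one account may hold it.
    #    No holder means clients fall back to NTLM, which cannot be delegated; two holders
    #    mean the KDC cannot pick an account and Kerberos fails the same way.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$WebSiteSpn)" -Properties sAMAccountName)
    if ($holders.Count -eq 0) {
        $findings += "$WebSiteSpn is registered to no account."
    } elseif ($holders.Count -gt 1) {
        $findings += "$WebSiteSpn is duplicated on: $(($holders.sAMAccountName) -join ', ')."
    } elseif ($holders[0].sAMAccountName -ne $AppPoolAccount) {
        $findings += "$WebSiteSpn belongs to $($holders[0].sAMAccountName), not $AppPoolAccount."
    }

    # 2. 'Kerberos only' constrained delegation lives in msDS-AllowedToDelegateTo on the
    #    delegating account and must list the SPN of the service it forwards credentials to.
    $acct = Get-ADUser -Identity $AppPoolAccount -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    if ($acct.TrustedForDelegation) {
        $findings += 'Account is trusted for unconstrained delegation (any service).'
    } elseif ($allowed -notcontains $TargetSpn) {
        $findings += "$TargetSpn is not in msDS-AllowedToDelegateTo; current list: $($allowed -join ', ')."
    }

    # 3. The target SPN should itself be registered (Tony's point). An HTTP SPN on a machine
    #    account is also covered by its HOST/ entries, so this only reports the explicit entry.
    if (-not (Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)")) {
        $findings += "No account explicitly holds $TargetSpn."
    }

    if (-not $findings) { $findings += 'SPNs and delegation list look consistent.' }
    [pscustomobject]@{ Account = $AppPoolAccount; Findings = $findings }
}

# Placeholder names; substitute the real app pool account and host names.
Test-KerberosDelegationSetup -AppPoolAccount 'svc-sharepoint' `
    -WebSiteSpn 'HTTP/portal.example.com' -TargetSpn 'HTTP/isa.example.com'
```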








[ActiveDir] SQL 2000 SP

2005-09-20 Thread Za Vue
I have integrated fixes and service packs into the OS many times, but
does anyone know how to integrate SQL 2000 SP4?


-Z.V.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] [ActiveDir Digest]

2005-09-20 Thread neil.ruston
If you use the dom admin account in that way, then yes - but of course you use 
service accounts instead, whose passwords are managed and changed periodically, 
don't you :-^

neil

---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bland, Jeri
Sent: 19 September 2005 22:33
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [ActiveDir Digest]


If I change the domain admin password in AD, do I also have to change it in
all the service accounts? Do I have to change it anywhere else?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 18, 2005 11:16 PM
Subject: [ActiveDir Digest]

-

Subject: [ActiveDir] AD & Websense
Date: Sun, 18 Sep 2005 14:25:49 +0300
From: "Saleem, Mohamed Yunus" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org

-

From: "joe" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Magazines(OT)
Date: Sun, 18 Sep 2005 10:52:20 -0400
Reply-To: ActiveDir@mail.activedir.org

I used to like and read Windows NT Mag which became Windows 2000 Mag which
became Windows .NET Mag which became Windows IT Pro. I stopped subscribing
several years ago when the price started going through the roof as did the
ratio of advertising to good content. Now I will stop by a book store
occasionally and look at the magazine and if it has something I see that is
useful (or if there is a writeup on one of the joeware tools) I will buy it.
I used to send in little pieces to them as well but I also stopped that when
they published one of my pieces in their security newsletter instead of in
the main mag. The reason I wrote it up was to get it into the main mag so
people could read it and use it, the security newsletter was not just
overpriced, it was ridiculously overpriced.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, September 16, 2005 2:14 PM
To: activedirectory
Subject: [ActiveDir] Magazines(OT)


Anyone read Windows IT Pro magazine and can recommend it?
Also, anyone know anything about Exchange and Outlook Administrator mag?
Why is it so pricey? Is it really worth the $129 a year? Seems like a lot
for 12 issues.

Thanks. I know this is really irrelevant, so thanks in advance to anyone
for responding.


-

From: "joe" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.
Date: Sun, 18 Sep 2005 11:00:16 -0400
Reply-To: ActiveDir@mail.activedir.org
Yep, just populate that attribute with the proper string format of a GUID, I
call it Active Directory GUID format 3.  The first GUID format is actually
the binary GUID like you see with objectGUID, the second GUID format is the
string format sans braces ({}) like you see with the righ