Re: [ActiveDir] OT: QuickBooks 2005 permissions

2005-10-26 Thread J B
Oh, it will still be replaced once we need another license (we're using 5 
now and have no intentions of buying more), but this "fix" for shoddy 
programming and planning on the part of Intuit means that I can sleep a bit 
more soundly at night knowing that our Finance users no longer have local 
admin rights.


- Original Message -
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, October 26, 2005 3:47 PM
Subject: Re: [ActiveDir] OT: QuickBooks 2005 permissions


OH PLEASE don't reconsider thinking about not replacing it just because of 
this hack up issue.


It's OLD code and this is just a sign that they DON'T CARE about security.

It's when the Marketplace cares that they will make changes.

I can crack passwords on that database in nothin' flat.

The fact that it requires admin/power user is just the tip of the iceberg 
regarding the lack of security that is built into that program.


J B wrote:
Thank you SO much for posting the QB info.  We were looking at replacing 
QB Premium because of this single issue (requiring full local Admin 
rights just to run it).  I made the appropriate changes in a GPO and was 
able to remove local admin rights from our Finance users w/o any 
problems.  :)


Thanks!

- Original Message -
From: "Crawford, Scott" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, October 26, 2005 1:57 PM
Subject: RE: [ActiveDir] OT: QuickBooks 2005 permissions


Yea, I saw that part, but I'm not interested in users being able to
update the program themselves.  That's MY job :)

It really kinda makes me grit my teeth in anger that they haven't fixed
this yet.  Especially when it seems like it would be so easy.  At the
very least, they could make the perm changes automatically.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 26, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: QuickBooks 2005 permissions

If you scroll down a little farther on that page you'll find a post on
how to get it to also update as non admin.

Part one last night [just getting it to run] worked even on the 2006
version with the new SQL backend [Sybase SQLanywhere mind you]

But yes, even in 2006 it still requires admin/power user rights.

Crawford, Scott wrote:

Actually, it was just pointed out to me that I copied and pasted
correctly, but when I was applying the perm to
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}, that
key didn't exist and I instead applied it to
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A623-72062A99AA7F} (just
change A632 to A623).  Apparently that's the difference between
QuickBooks Pro and QuickBooks Premium.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 25, 2005 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: QuickBooks 2005 permissions

I will have to try that on the 2006 beta.  The last time I tried to do
'just' certain Classes roots that I saw in filemon/regmon it would not
load.

I also had to do \common files\Intuit

If it works I'll update the instructions
http://www.sbslinks.com/lua2.htm


Crawford, Scott wrote:


A few weeks ago, there was some mention of the required permissions to
run Quickbooks as a non-admin user.  According to this site:
http://www.quickbooksgroup.com/webx/[EMAIL PROTECTED]@ the
perms needed are Users:W to the following locations:
HKLM\Software\Intuit
HKLM\Software\Classes\QuickBooks.CoLocator.1
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}
C:\Program Files\Intuit

Whenever I've tracked these things down, I just give users full control
to the needed locations instead of trying to determine the exact perms
needed.  Furthermore, I generally apply the perms to the root of the
apps folder.  For example, I'll grant the perms at the root Intuit
folder instead of chasing down the one or two files that actually need
to be modified.  This tends to eliminate future problems when somebody
uses some new function of the app that hasn't been tested and it needs
to write to a different file.  Anyway, I thought some of you might be
interested.  I just tried it here and all seems good.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com




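Added here as a PowerShell example, not code from the thread and not the GPO route J B took: a per-machine audit of the write access the thread says QuickBooks needs, with an optional -Fix switch that grants it at the root of each location the way Scott describes. The paths are the 32-bit ones quoted above; the Common Files path is an assumed expansion of the "\common files\Intuit" Susan mentions.

```powershell
# Added example (not from the thread): audit, and optionally grant, the write
# access the thread says QuickBooks needs so that Finance users can run it
# without local admin rights. Assumes the 32-bit layout the thread quotes; on
# 64-bit Windows the same keys sit under WOW6432Node / Program Files (x86).
# Auditing works as any user; -Fix needs an elevated (admin) session.
param(
    [string]$Identity = 'BUILTIN\Users',   # account that should get write access
    [switch]$Fix                           # grant the access where it is missing
)

# Locations quoted in the thread. Both CLSIDs are listed because the thread
# reports A632 for QuickBooks Pro and A623 for QuickBooks Premium; a MISSING
# result on one of them is exactly the symptom Scott ran into.
$Locations = @(
    'HKLM:\Software\Intuit',
    'HKLM:\Software\Classes\QuickBooks.CoLocator.1',
    'HKLM:\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}',
    'HKLM:\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A623-72062A99AA7F}',
    'C:\Program Files\Intuit',
    'C:\Program Files\Common Files\Intuit'   # assumed expansion of "\common files\Intuit"
)

# Minimum "write" for each store: setting values and creating subkeys in the
# registry; the Write composite (WriteData/AppendData/attributes) on disk.
$RegNeeded  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$FileNeeded = [System.Security.AccessControl.FileSystemRights]'Write'

function Test-WriteAccess {
    # $true  : an Allow ACE for $Identity covers the needed write rights
    # $false : no such ACE (Deny ACEs are not evaluated here)
    # $null  : the path does not exist on this machine
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $isRegistry = $Path -like 'HKLM:*'
    $needed = if ($isRegistry) { $RegNeeded } else { $FileNeeded }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        $rights = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (($rights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

function Grant-WriteAccess {
    # Adds an inheritable Allow ACE at the root of the location (the "grant at
    # the Intuit root instead of chasing single files" approach from the
    # thread). Modify rather than Full Control keeps users from changing
    # permissions or ownership on the application's files.
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    if ($Path -like 'HKLM:*') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($loc in $Locations) {
    $state = Test-WriteAccess -Path $loc -Identity $Identity
    if ($null -eq $state) { '{0,-8} {1}' -f 'MISSING', $loc; continue }
    if (-not $state -and $Fix) {
        Grant-WriteAccess -Path $loc -Identity $Identity
        $state = Test-WriteAccess -Path $loc -Identity $Identity
    }
    $label = if ($state) { 'WRITE' } else { 'NOWRITE' }
    '{0,-8} {1}' -f $label, $loc
}
```

Run it without -Fix first: a MISSING line for one of the two CLSID keys tells you which edition is installed, and NOWRITE lines are the locations a GPO or the -Fix switch still has to cover.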

Re: [ActiveDir] OT: QuickBooks 2005 permissions

2005-10-26 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
OH PLEASE don't reconsider thinking about not replacing it just because 
of this hack up issue.


It's OLD code and this is just a sign that they DON'T CARE about security.

It's when the Marketplace cares that they will make changes.

I can crack passwords on that database in nothin' flat.

The fact that it requires admin/power user is just the tip of the 
iceberg regarding the lack of security that is built into that program.



Re: [ActiveDir] OT: QuickBooks 2005 permissions

2005-10-26 Thread J B
Thank you SO much for posting the QB info.  We were looking at replacing QB 
Premium because of this single issue (requiring full local Admin rights just 
to run it).  I made the appropriate changes in a GPO and was able to remove 
local admin rights from our Finance users w/o any problems.  :)


Thanks!



RE: [ActiveDir] AD Lag Site -> solves the groups memberships issue ?

2005-10-26 Thread Almeida Pinto, Jorge de
Good question...
 
The same problem still applies... although a difference exists in which Forest 
Functional Level you are at and it also depends if you are using W2K3SP1 or not
 
Why?
 
Assuming that in both occasions the lag site DCs are also GC
 
OCCASION 1: Forest Functional Level = Windows 2000
When an object gets deleted that is a member of one or more groups the version 
number of the member attribute is not changed. (only the object deletion 
increases the USN on each DC, not the removal of the membership)
So in the "other sites" you have a tombstone and groups (the object was a 
member of) where the object is not a member of anymore.
In the lag site you have DCs with the object still alive and when you auth. 
restore it, the object gets a higher version (and the USN on that DC is also 
increased). The groups still contain the object in its member attribute with 
the same version number (but the USN is not increased for this). So when you 
force replication the object will replicate into the other sites and as the 
group version (or member attribute in fact) still has the same version you will 
have inconsistent membership across DCs. To resolve this you also need to auth. 
restore the groups the object was a member of (so the version is increased and 
the USN on the DCs). For this you can look at the "member of" attribute and see 
the memberships of the object in its own domain (global, universal and domain 
local) and universal groups in other domains. You will however not be able to 
see its memberships in domain local groups in other domains than the object 
itself. For those groups (in its own domain) you can remove the object and 
re-add it. For the other domains you can query the group where the user is a 
member of and do the same (remove and re-add) (using the lag site DCs of the 
other domains). This way the object is re-introduced including its memberships.
 
If the DCs are W2K3 SP1 you will have additional functionality provided by 
NTDSUTIL. During the auth. restore of the objects it spits out some LDIF files 
by looking at the "member of" attribute of the object (and other back-links 
like directreports and managedobjects). These LDIF files contain information to 
remove the object from the groups in its own domain and all universal groups 
and after that re-add them again. After auth. restoring the object you need to 
import each LDIF file at its corresponding domain (for its own domain for all 
group types and for other domains only for the universal groups)
That still does not solve the problem for domain local groups in other domains 
than the object itself. For that NTDSUTIL spits out another file that contains 
the restored objects. For each other domain than the restored object you use 
NTDSUTIL at a corresponding DC and tell NTDSUTIL to create a LDIF file from 
that file containing the restored objects. After doing that you can import that 
file into the corresponding domain.
 
OCCASION 2: Forest Functional Level = Windows 2003 or Interim
As you may know FFL W2K3 introduces LVR. When a group is created or a NEW 
member is added to a group after enabling LVR (increasing FFL to W2K3 or 
interim) it also keeps versions on the member attribute and when a member is 
removed from a group it also tombstones the membership in the member attribute 
of the group. In that case you will only need to restore the object where its 
memberships in groups in its own domain will be revived again and get a 
higher version (and USN increase on the DC) which makes it replicate to other 
DCs in the same domain. For the other domains the problem still applies and you 
need to do the same as in occasion 1 depending if you have W2K3 SP1 or not!
For groups that were created before enabling LVR, these groups still behave 
after enabling LVR as before enabling LVR. The issues apply as in occasion 1. 
To remedy this for recovery purposes and thus enabling LVR fully for all the 
members in those groups you could remove all members and re-add them again.
Concerning this see: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1465d773-b763-45ec-b971-c23cdc27400e.mspx
 and search for "Effect of Raising the Forest Functional Level on Existing 
Linked, Multivalued Attributes"
 
I hope I have explained it correctly as this is a difficult one (at least to 
explain it correctly).
 
For more info on NTDSUTIL in SP1 (for restoring objects) see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/690730c7-83ce-4475-b9b4-46f76c9c7c90.mspx
 (and sub levels!)
http://support.microsoft.com/?id=840001
 
Cheers,
Jorge
 



From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Wed 10/26/2005 10:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] AD Lag Site -> solves the groups memberships issue ?


Hi,
 
A question comes to me
 
Can the lag site strategy solve the issue concerning the auth restore of the 
group m
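Jorge's occasion 1 remedy (remove the restored object from each group and re-add it so the group's member attribute gets a new version and USN, then import one file per domain) written out as an added PowerShell example; this is not code from the thread or from NTDSUTIL, and the user and group DNs are constructed sample data.

```powershell
# Added example (not from the thread, not NTDSUTIL): build "remove and re-add"
# LDIF for a user restored from a lag-site DC, grouped per domain so each file
# can be imported at a DC of its own domain as Jorge describes.
function Get-DomainDn {
    # Everything from the first ",DC=" component onward is the domain NC.
    # An escaped comma inside a CN ("Doe\, Jane") is never followed by "DC=",
    # so a plain search is safe.
    param([string]$Dn)
    $idx = $Dn.IndexOf(',DC=', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { throw "No DC= component in '$Dn'" }
    return $Dn.Substring($idx + 1)
}

function New-ReaddLdif {
    # Returns a hashtable: domain DN -> LDIF text. Each change record deletes
    # the member value and adds it back in one modify, which bumps the
    # member attribute's version (and the local USN) so it out-replicates the
    # stale copies on the DCs that already saw the deletion.
    param([string]$MemberDn, [string[]]$GroupDns)
    $byDomain = @{}
    foreach ($g in $GroupDns) {
        $dom = Get-DomainDn $g
        $record = @(
            "dn: $g",
            'changetype: modify',
            'delete: member',
            "member: $MemberDn",
            '-',
            'add: member',
            "member: $MemberDn",
            '-',
            ''
        ) -join "`r`n"
        if ($byDomain.ContainsKey($dom)) { $byDomain[$dom] += $record }
        else { $byDomain[$dom] = $record }
    }
    return $byDomain
}

# Constructed sample: what memberOf shows for the restored user - groups in
# its own domain plus a universal group in a child domain. Domain local
# groups of other domains are NOT visible here (as the thread points out),
# so they still need Jorge's separate NTDSUTIL step.
$user   = 'CN=Jane Doe,OU=Finance,DC=corp,DC=example,DC=com'
$groups = @(
    'CN=Finance Users,OU=Groups,DC=corp,DC=example,DC=com',
    'CN=QuickBooks Operators,OU=Groups,DC=corp,DC=example,DC=com',
    'CN=All Staff,OU=Groups,DC=emea,DC=corp,DC=example,DC=com'
)

$ldif = New-ReaddLdif -MemberDn $user -GroupDns $groups
foreach ($dom in $ldif.Keys) {
    # One file per domain, e.g. DC_corp_DC_example_DC_com.ldf (hypothetical name).
    $file = ($dom -replace '[^A-Za-z0-9]', '_') + '.ldf'
    Set-Content -Path $file -Value $ldif[$dom] -Encoding ASCII
    "Import at a DC of {0}: ldifde -i -f {1}" -f $dom, $file
    $ldif[$dom]
}
```

Under occasion 2 (forest functional level Windows Server 2003 with LVR) the file for the object's own domain is unnecessary, since the restore revives those link values itself; the files for the other domains still apply.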

RE : [ActiveDir] AD Lag Site -> solves the groups memberships issue ?

2005-10-26 Thread TIROA YANN
Oooh! I didn't know that W2K3 SP1 has this ability natively. I got used to using 
the Groupadd.exe command-line utility.

Thanks for your input Ulf :)

Yann




RE: [ActiveDir] AD Lag Site -> solves the groups memberships issue ?

2005-10-26 Thread Ulf B. Simon-Weidner
Hello Tiroa,
 
I believe the lag site will help you here, since you are increasing version
numbers on existing objects. The issues with the authoritative restore were
that you were restoring groups and their members didn't yet exist (or users
and their managers didn't yet exist, ...). So the lag site restore shouldn't
have any issues with that.
 
Another thing to mention: With Windows Server 2003 SP1 you don't have those
issues as you had before, ntdsutil produces the ldif-files to clean up the
linked attributes after the authoritative restore.
 
Ulf



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, October 26, 2005 10:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] AD Lag Site -> solves the groups memberships issue ?


Hi,
 
A question comes to me
 
Can the lag site strategy solve the issue concerning the auth restore of the
group memberships information for the deleted users and computers accounts
from AD ?
 
Or do we still need to follow the directives as stated in the "How to
restore deleted user accounts and their group memberships in Active
Directory" (see http://support.microsoft.com/default.aspx?scid=kb;en-us;840001)
in order to repopulate the group memberships information (member and memberof
attributes).
 
Yann


From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Date: Wed 26/10/2005 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 



Keep in mind that Lag-Sites are not intended for the "I did something wrong
some weeks ago" errors, they are only for "Uups - I just deleted something".
And to make sure that you are able to "undelete" every object no matter when
you made the mistake (e.g. one minute before replication to the lag-site)
the idea of two or more lag-sites with different schedules jumps in. Like the
examples I provided with two sitelinks replicating once a week but half a
week apart make sure that you have at least a 3.5-day-old version of the object
in one of the lag sites.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|Sent: Wednesday, October 26, 2005 8:08 PM
|To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|yes... IF the detection of the deletion is BEFORE the
|replication window to the lag site. Otherwise the tombstone
|will replicate to the lag site also. It is just an extra
|opportunity for you to make a deletion undone without doing a
|non-auth restore!
|
|As the object and its metadata still exist on the replica of
|the DC, there is no need to do a non-auth restore. Therefore
|you need to do only an auth restore so the version becomes
|higher than the deleted object's and the deletion is undone.
|Of course you will still need to do a non-auth restore
|followed by an auth restore if the detection of the deletion is
|after the replication window to the lag site.
|
|Jorge
|
|
|
|From: [EMAIL PROTECTED] on behalf of TIROA YANN
|Sent: Wed 10/26/2005 4:12 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|...if I understand correctly what Activedir gurus explained
|to me earlier,
|-> Without a lag site, you must do a non-auth restore followed
|by an auth restore.
|-> With a lag site, you only need to do an auth restore.
|
|I'm right ? :)
|
|Yann
|
|
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|CHIANESE, DAVID
|Sent: Wednesday, 26 October 2005 15:59
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|More so for deletion of objects so you wouldn't have to do an
|authoritative restore from a backup.
|
|
|David Chianese
|
|
|
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
|Sent: Wednesday, October 26, 2005 9:23 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I'm sorry if I sound ignorant, but what is the purpose of a
|"lag site"?  Is it a site that you don't replicate to for a
|specific period of time so that if there is a disaster, you can
|get the data from the lag site?? 
|
|Thanks
|
|Russ
|
|
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf
|B. Simon-Weidner
|Sent: Tuesday, October 25, 2005 5:00 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I did those too, and some other things to consider were:
|* Putting them inside a virtual machine with faked Subnetting
|in AD: Take a class C Network and split it in AD Sites and
|Services, not TCP/IP, then you can spare the router
|* Assign the site membership for the host via GPO if it is in
|one of the virtual subnets of the virtual lag-dcs (depending
|on the subnetting possibilities you have)
|* Configure a firewall between

RE: Re: [ActiveDir]Group Policy Administrative Templates

2005-10-26 Thread Darren Mar-Elia
Yes, the PolicyMaker extension absolutely gets you out of the business
of having to write custom .ADMs. However note that you do have to deploy
the client side extension DLL that comes with it to all of your clients
in order to use this. 

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerold Schulman
Sent: Wednesday, October 26, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: Re: [ActiveDir]Group Policy Administrative Templates


The PolicyMaker(tm) Registry Extension freeware works great.

On Wed, 26 Oct 2005 23:20:41 +0530, you wrote:

>I found this free registry GP CSE
>
>at http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx
>
>some of the features it touts are
>* Full control over tattooing (i.e. each setting becomes a
>policy and not a preference)
>* Registry Wizard for settings import
>* Per-setting filtering
>* integration with GPMC
>
>I will be testing this extension, :)
>
>--
>Kamlesh
>
>On 10/26/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
>>
>> There's a few free and for pay tools to do it. Check out the following:
>> RegtoADM: turns .reg files into ADMs. Free tool that is part of
>> the NUTS utilities at http://yizhar.mvps.org/
>> ADM Template Editor: This is a for pay tool found at
>> http://www.sysprosoft.com/adm_summary.shtml
>> Policy Template Editor: a for pay tool at
>> http://www.tools4ever.com/products/utilities/policytemplateeditor/
>>
>> --
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sadovskiy Artem
>> Nikolaevich
>> Sent: Tuesday, October 25, 2005 7:28 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir]Group Policy Administrative Templates
>>
>>  Hi!
>>
>>  Are there any tools that can assist me to create .ADM (Group Policy 
>> Administrative Templates) files?
>>
>> If anybody knows, please send me a link.
>>
>>  Regards.
>>
>>

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com


RE: [ActiveDir] OT: QuickBooks 2005 permissions

2005-10-26 Thread Crawford, Scott
Yea, I saw that part, but I'm not interested in users being able to
update the program themselves.  That's MY job :)

It really kinda makes me grit my teeth in anger that they haven't fixed
this yet.  Especially when it seems like it would be so easy.  At the
very least, they could make the perm changes automatically.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 26, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: QuickBooks 2005 permissions

If you scroll down a little farther on that page you'll find a post on 
how to get it to also update as non admin.

Part one last night [just getting it to run] worked even on the 2006 
version with the new SQL backend [Sybase SQLanywhere mind you]

But yes, even in 2006 it still requires admin /power user rights.

Crawford, Scott wrote:
> Actually, it was just pointed out to me that I copied and pasted
> correctly, but when I was applying the perm to
> HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F},
that
> key didn't exist and I instead applied it to
> HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A623-72062A99AA7F}
(just
> change A632 to A623.  Apparently that's the difference between
> QuickBooks Pro and QuickBooks Premium.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, October 25, 2005 7:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: QuickBooks 2005 permissions
>
> I will have to try that on the 2006 beta.  The last time I tried to do
> 'just' certain Classes roots that I saw in filemon/regmon it would not
> load.
>
> I also had to do \common files\Intuit
>
> If it works I'll update the instructions
> http://www.sbslinks.com/lua2.htm
>
>
> Crawford, Scott wrote:
>> A few weeks ago, there was some mention of the required permissions to
>> run Quickbooks as a non-admin user.  According to this site:
>> http://www.quickbooksgroup.com/webx/[EMAIL PROTECTED]@ the
>> perms needed are Users:W to the following locations:
>> HKLM\Software\Intuit
>> HKLM\Software\Classes\QuickBooks.CoLocator.1
>> HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}
>> C:\Program Files\Intuit
>>
>> Whenever I've tracked these things down, I just give users full control
>> to the needed locations instead of trying to determine the exact perms
>> needed.  Furthermore, I generally apply the perms to the root of the
>> apps folder.  For example, I'll grant the perms at the root Intuit
>> folder instead of chasing down the one or two files that actually need
>> to be modified.  This tends to eliminate future problems when somebody
>> uses some new function of the app that hasn't been tested and it needs
>> to write to a different file.  Anyway, I thought some of you might be
>> interested.  I just tried it here and all seems good.

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] AD Lag Site -> solves the group memberships issue?

2005-10-26 Thread TIROA YANN
Hi,
 
A question comes to me
 
Can the lag site strategy solve the issue concerning the auth restore of the 
group memberships information for the deleted users and computers accounts from 
AD ?
 
Or do we still need to follow the directives as stated in "How to restore
deleted user accounts and their group memberships in Active Directory" (see
http://support.microsoft.com/default.aspx?scid=kb;en-us;840001) in order to
repopulate the group memberships information (member and memberOf attributes)?
 
Yann



From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Date: Wed. 26/10/2005 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site



Keep in mind that Lag-Sites are not intended for the "I did something wrong
some weeks ago" errors, they are only for "Oops - I just deleted something".
And to make sure that you are able to "undelete" every object no matter when
you made the mistake (e.g. one minute before replication to the lag-site),
the idea of two or more lag-sites with different schedules jumps in. Like the
examples I provided: two sitelinks replicating once a week but half a
week apart make sure that you have at least a 3.5-day-old version of the object
in one of the lag sites.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|Sent: Wednesday, October 26, 2005 8:08 PM
|To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|yes... IF the detection of the deletion is BEFORE the
|replication window to the lag site. Otherwise the tombstone
|will replicate to the lag site also. It is just an extra
|opportunity for you to make a deletion undone without doing a
|non-auth restore!
|
|As the object and its metadata still exist on the replica of
|the DC, there is no need to do a non-auth restore. Therefore
|you need to do only an auth restore so the version becomes
|higher than the deleted object's and the deletion is undone.
|Of course you will still need to do a non-auth restore
|followed by an auth restore if the detection of the deletion is
|after the replication window to the lag site.
|
|Jorge
|
|
|
|From: [EMAIL PROTECTED] on behalf of TIROA YANN
|Sent: Wed 10/26/2005 4:12 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|...if I understand correctly what the ActiveDir gurus explained
|to me earlier:
|-> Without a lag site, you must do a non-auth restore followed
|by an auth restore.
|-> With a lag site, you only need to do an auth restore.
|
|Am I right? :)
|
|Yann
|
|
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
|Sent: Wednesday, 26 October 2005 15:59
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|More so for deletion of objects so you wouldn't have to do an
|authoritative restore from a backup.
|
|
|David Chianese
|
|
|
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
|Sent: Wednesday, October 26, 2005 9:23 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I'm sorry if I sound ignorant, but what is the purpose of a
|"lag site"?  Is it a site that you don't replicate to for a
|specific period of time, so that if there is a disaster you can
|get the data from the lag site?
|
|Thanks
|
|Russ
|
|
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf
|B. Simon-Weidner
|Sent: Tuesday, October 25, 2005 5:00 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I did those too, and some other things to consider were:
|* Putting them inside a virtual machine with faked Subnetting
|in AD: Take a class C Network and split it in AD Sites and
|Services, not TCP/IP, then you can spare the router
|* Assign the site membership for the host via GPO if it is in
|one of the virtual subnets of the virtual lag-dcs (depending
|on the subnetting possibilities you have)
|* Configure a firewall between the sites to make sure the
|machines only talk to the ones they are supposed to (if available)
|* Use scripting to shut down virtual networks if available in
|the times they are not supposed to replicate
|* Make sure that you configure replication so that it runs a
|couple of times during the allowed timeframe
|* Configure terminal services access on the lag DCs
|* Configure boot.ini to be able to boot into DSRM by changing
|the default without querying for the boot.ini parameter when necessary.
|
|For the replication I usually configured replication every 15
|minutes (the Lag-Sites were on the same LAN), Site 1
|replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates
|Saturday 10am to 2pm (each 4 hrs, exactly 1/2 Week apart).
|
|Ulf
|
|
|_

RE: [ActiveDir] AD Lag Site

2005-10-26 Thread Tony Murray
There are also two other potential uses for a lag site:

1. It can be used for cleanly inserting and then removing a DC from a 
production forest for use as a seed for a lab environment.
2. It can be used for safely introducing schema changes (after testing in a lab 
environment).

See FAQ #22 for details: http://www.activedir.org/FAQ.aspx

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-Weidner
Sent: Thursday, 27 October 2005 8:36 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 

Keep in mind that Lag-Sites are not intended for the "I did something wrong
some weeks ago" errors, they are only for "Oops - I just deleted something".
And to make sure that you are able to "undelete" every object no matter when
you made the mistake (e.g. one minute before replication to the lag-site),
the idea of two or more lag-sites with different schedules jumps in. Like the
examples I provided: two sitelinks replicating once a week but half a
week apart make sure that you have at least a 3.5-day-old version of the object
in one of the lag sites.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, Jorge de
|Sent: Wednesday, October 26, 2005 8:08 PM
|To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|yes... IF the detection of the deletion is BEFORE the
|replication window to the lag site. Otherwise the tombstone
|will replicate to the lag site also. It is just an extra
|opportunity for you to make a deletion undone without doing a
|non-auth restore!
|
|As the object and its metadata still exist on the replica of
|the DC, there is no need to do a non-auth restore. Therefore
|you need to do only an auth restore so the version becomes
|higher than the deleted object's and the deletion is undone.
|Of course you will still need to do a non-auth restore
|followed by an auth restore if the detection of the deletion is
|after the replication window to the lag site.
| 
|Jorge
|
|
|
|From: [EMAIL PROTECTED] on behalf of TIROA YANN
|Sent: Wed 10/26/2005 4:12 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|
|...if I understand correctly what the ActiveDir gurus explained
|to me earlier:
|-> Without a lag site, you must do a non-auth restore followed
|by an auth restore.
|-> With a lag site, you only need to do an auth restore.
|
|Am I right? :)
| 
|Yann
|
|
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
|Sent: Wednesday, 26 October 2005 15:59
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|More so for deletion of objects so you wouldn't have to do an 
|authoritative restore from a backup.
| 
|
|David Chianese 
|
|
|
|
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
|Sent: Wednesday, October 26, 2005 9:23 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|
|I'm sorry if I sound ignorant, but what is the purpose of a
|"lag site"?  Is it a site that you don't replicate to for a
|specific period of time, so that if there is a disaster you can
|get the data from the lag site?
| 
|Thanks
|
|Russ
|
|
|
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf 
|B. Simon-Weidner
|Sent: Tuesday, October 25, 2005 5:00 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|
|I did those too, and some other things to consider were:
|* Putting them inside a virtual machine with faked Subnetting 
|in AD: Take a class C Network and split it in AD Sites and 
|Services, not TCP/IP, then you can spare the router
|* Assign the site membership for the host via GPO if it is in 
|one of the virtual subnets of the virtual lag-dcs (depending 
|on the subnetting possibilities you have)
|* Configure a firewall between the sites to make sure the
|machines only talk to the ones they are supposed to (if available)
|* Use scripting to shut down virtual networks if available in
|the times they are not supposed to replicate
|* Make sure that you configure replication so that it runs a
|couple of times during the allowed timeframe
|* Configure terminal services access on the lag DCs
|* Configure boot.ini to be able to boot into DSRM by changing 
|the default without querying for the boot.ini parameter when necessary.
| 
|For the replication I usually configured replication every 15 
|minutes (the Lag-Sites were on the same LAN), Site 1 
|replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates 
|Saturday 10am to 2pm (each 4 hrs, exactly 1/2 Week apart).
| 
|Ulf
|
|
|
|
|   From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, Jorge de
|   Sent: Tuesday, October 25, 2005 3:

Re: [ActiveDir] OT: QuickBooks 2005 permissions

2005-10-26 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
If you scroll down a little farther on that page you'll find a post on 
how to get it to also update as non admin.


Part one last night [just getting it to run] worked even on the 2006 
version with the new SQL backend [Sybase SQLanywhere mind you]


But yes, even in 2006 it still requires admin /power user rights.

Crawford, Scott wrote:

Actually, it was just pointed out to me that I copied and pasted
correctly, but when I was applying the perm to
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}, that
key didn't exist and I instead applied it to
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A623-72062A99AA7F} (just
change A632 to A623).  Apparently that's the difference between
QuickBooks Pro and QuickBooks Premium.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 25, 2005 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: QuickBooks 2005 permissions

I will have to try that on the 2006 beta.  The last time I tried to do
'just' certain Classes roots that I saw in filemon/regmon it would not
load.

I also had to do \common files\Intuit

If it works I'll update the instructions
http://www.sbslinks.com/lua2.htm


Crawford, Scott wrote:

A few weeks ago, there was some mention of the required permissions to
run Quickbooks as a non-admin user.  According to this site:
http://www.quickbooksgroup.com/webx/[EMAIL PROTECTED]@ the
perms needed are Users:W to the following locations:
HKLM\Software\Intuit
HKLM\Software\Classes\QuickBooks.CoLocator.1
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}
C:\Program Files\Intuit

Whenever I've tracked these things down, I just give users full control
to the needed locations instead of trying to determine the exact perms
needed.  Furthermore, I generally apply the perms to the root of the
apps folder.  For example, I'll grant the perms at the root Intuit
folder instead of chasing down the one or two files that actually need
to be modified.  This tends to eliminate future problems when somebody
uses some new function of the app that hasn't been tested and it needs
to write to a different file.  Anyway, I thought some of you might be
interested.  I just tried it here and all seems good.

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] OT: QuickBooks 2005 permissions

2005-10-26 Thread Crawford, Scott
Actually, it was just pointed out to me that I copied and pasted
correctly, but when I was applying the perm to
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}, that
key didn't exist and I instead applied it to
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A623-72062A99AA7F} (just
change A632 to A623).  Apparently that's the difference between
QuickBooks Pro and QuickBooks Premium.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 25, 2005 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: QuickBooks 2005 permissions

I will have to try that on the 2006 beta.  The last time I tried to do 
'just' certain Classes roots that I saw in filemon/regmon it would not
load.

I also had to do \common files\Intuit

If it works I'll update the instructions
http://www.sbslinks.com/lua2.htm


Crawford, Scott wrote:
> A few weeks ago, there was some mention of the required permissions to
> run Quickbooks as a non-admin user.  According to this site:
> http://www.quickbooksgroup.com/webx/[EMAIL PROTECTED]@ the
> perms needed are Users:W to the following locations:
> HKLM\Software\Intuit 
> HKLM\Software\Classes\QuickBooks.CoLocator.1 
> HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}
> C:\Program Files\Intuit
>
> Whenever I've tracked these things down, I just give users full control
> to the needed locations instead of trying to determine the exact perms
> needed.  Furthermore, I generally apply the perms to the root of the
> apps folder.  For example, I'll grant the perms at the root Intuit
> folder instead of chasing down the one or two files that actually need
> to be modified.  This tends to eliminate future problems when somebody
> uses some new function of the app that hasn't been tested and it needs
> to write to a different file.  Anyway, I thought some of you might be
> interested.  I just tried it here and all seems good.

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

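Scott's post grants Full Control at the listed locations; the same change can be scripted with narrower rights and left in a state that is easy to audit. The PowerShell below is an added example written for this page, not code from the thread or from Intuit, and is the scripted equivalent of the GPO Security Settings (Registry and File System) entries J B and Scott applied. It assumes an elevated session on the workstation, that the Intuit keys and folder already exist, and PowerShell 3 or later; the two CLSIDs are the Pro and Premium keys quoted in the thread, the function names are mine, and the Common Files\Intuit path is an assumption based on Susan's note that \common files\Intuit also needed changing. The least-privilege point to keep in view: a Users ACE that allows writing under an HKLM CLSID key or a Program Files tree lets any local account change what that COM class or program resolves to, so the grants are scoped to exactly these paths rather than to HKLM\Software\Classes or Program Files as a whole, and the listing function records what was added so it can be reviewed or reversed.

```powershell
# Added example for this page (not from the thread or from Intuit).
# Grants BUILTIN\Users write access to the QuickBooks locations named in the
# thread, using Read+Write / Modify rights instead of Full Control, then lists
# the resulting ACEs so the change can be audited or rolled back. Run elevated.

$Identity = 'BUILTIN\Users'

# Registry keys from Scott's post; which CLSID exists depends on the edition.
$RegistryKeys = @(
    'HKLM:\Software\Intuit',
    'HKLM:\Software\Classes\QuickBooks.CoLocator.1',
    'HKLM:\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}',  # Pro (per the thread)
    'HKLM:\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A623-72062A99AA7F}'   # Premium (per the thread)
)

# Folders: Scott's Program Files\Intuit plus the Common Files\Intuit path
# Susan found she also needed (second path is an assumption, built from %CommonProgramFiles%).
$Folders = @(
    'C:\Program Files\Intuit',
    (Join-Path $env:CommonProgramFiles 'Intuit')
)

function Grant-RegistryKeyWrite {
    # ReadKey + WriteKey lets the app read, set values and create subkeys under
    # the key; it does not grant Delete, ChangePermissions or TakeOwnership.
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not present, skipping: $Path"
        return $false
    }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $true
}

function Grant-FolderModify {
    # Modify = read/execute/write/delete on files and subfolders, inherited down
    # the tree (Scott's "apply at the root of the app folder" approach), but
    # without the right to change permissions or take ownership.
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path -PathType Container)) {
        Write-Warning "Folder not present, skipping: $Path"
        return $false
    }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $true
}

function Get-AllowAces {
    # Explicit (non-inherited) Allow entries for $Identity on $Path: what to
    # review now, and what to hand to RemoveAccessRule() if the app is replaced.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, RegistryRights, FileSystemRights, InheritanceFlags
}

foreach ($key in $RegistryKeys) {
    if (Grant-RegistryKeyWrite -Path $key -Identity $Identity) {
        Get-AllowAces -Path $key -Identity $Identity
    }
}
foreach ($dir in $Folders) {
    if (Grant-FolderModify -Path $dir -Identity $Identity) {
        Get-AllowAces -Path $dir -Identity $Identity
    }
}
```

Run it once per edition-specific machine (or from a startup script) and keep the Get-AllowAces output with the change record; the same output, run later without the Grant calls, is a quick check that nobody has widened the ACEs since.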


RE: [ActiveDir] AD Lag Site

2005-10-26 Thread Ulf B. Simon-Weidner
Keep in mind that Lag-Sites are not intended for the "I did something wrong
some weeks ago" errors, they are only for "Oops - I just deleted something".
And to make sure that you are able to "undelete" every object no matter when
you made the mistake (e.g. one minute before replication to the lag-site),
the idea of two or more lag-sites with different schedules jumps in. Like the
examples I provided: two sitelinks replicating once a week but half a
week apart make sure that you have at least a 3.5-day-old version of the object
in one of the lag sites.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, Jorge de
|Sent: Wednesday, October 26, 2005 8:08 PM
|To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|yes... IF the detection of the deletion is BEFORE the
|replication window to the lag site. Otherwise the tombstone
|will replicate to the lag site also. It is just an extra
|opportunity for you to make a deletion undone without doing a
|non-auth restore!
|
|As the object and its metadata still exist on the replica of
|the DC, there is no need to do a non-auth restore. Therefore
|you need to do only an auth restore so the version becomes
|higher than the deleted object's and the deletion is undone.
|Of course you will still need to do a non-auth restore
|followed by an auth restore if the detection of the deletion is
|after the replication window to the lag site.
| 
|Jorge
|
|
|
|From: [EMAIL PROTECTED] on behalf of TIROA YANN
|Sent: Wed 10/26/2005 4:12 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|
|...if I understand correctly what the ActiveDir gurus explained
|to me earlier:
|-> Without a lag site, you must do a non-auth restore followed
|by an auth restore.
|-> With a lag site, you only need to do an auth restore.
|
|Am I right? :)
| 
|Yann
|
|
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
|Sent: Wednesday, 26 October 2005 15:59
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|More so for deletion of objects so you wouldn't have to do an 
|authoritative restore from a backup.
| 
|
|David Chianese 
|
|
|
|
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
|Sent: Wednesday, October 26, 2005 9:23 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|
|I'm sorry if I sound ignorant, but what is the purpose of a
|"lag site"?  Is it a site that you don't replicate to for a
|specific period of time, so that if there is a disaster you can
|get the data from the lag site?
| 
|Thanks
|
|Russ
|
|
|
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf 
|B. Simon-Weidner
|Sent: Tuesday, October 25, 2005 5:00 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] AD Lag Site 
|
|
|I did those too, and some other things to consider were:
|* Putting them inside a virtual machine with faked Subnetting 
|in AD: Take a class C Network and split it in AD Sites and 
|Services, not TCP/IP, then you can spare the router
|* Assign the site membership for the host via GPO if it is in 
|one of the virtual subnets of the virtual lag-dcs (depending 
|on the subnetting possibilities you have)
|* Configure a firewall between the sites to make sure the
|machines only talk to the ones they are supposed to (if available)
|* Use scripting to shut down virtual networks if available in
|the times they are not supposed to replicate
|* Make sure that you configure replication so that it runs a
|couple of times during the allowed timeframe
|* Configure terminal services access on the lag DCs
|* Configure boot.ini to be able to boot into DSRM by changing 
|the default without querying for the boot.ini parameter when necessary.
| 
|For the replication I usually configured replication every 15 
|minutes (the Lag-Sites were on the same LAN), Site 1 
|replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates 
|Saturday 10am to 2pm (each 4 hrs, exactly 1/2 Week apart).
| 
|Ulf
|
|
|
|
|   From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, Jorge de
|   Sent: Tuesday, October 25, 2005 3:57 PM
|   To: ActiveDir@mail.activedir.org
|   Subject: RE: [ActiveDir] AD Lag Site 
|   
|   
|   Hi,
|   Guido and Gil wrote a great ebook about recovery, in which
|information about lag sites is included
|   Take a look at:
|http://www.netpro.com/events/adrecovery/index.cfm (registration needed)
|
|   For starters some tips:
|   * Place at least one DC for each domain in the lag site
|   * Allow the DCs in the lag site to register only the 
|replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
|   * Don't ass
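Ulf's half-week schedules and Jorge's "only if you detect it before the window" condition can be checked for a concrete deletion time. The PowerShell below is an added example written for this page, not code from the thread; it assumes the two windows Ulf gives (Site 1 Tuesday 22:00 to Wednesday 02:00, Site 2 Saturday 10:00 to 14:00, a 15-minute pull inside each window), PowerShell 3 or later, and a constructed deletion time. For each lag site it reports whether that site still holds a pre-deletion copy, when the tombstone will arrive there, and so how long the team has to notice and stop replication (or take the lag DC offline) before the auth-restore-only path Jorge describes is lost. The function names are mine.

```powershell
# Added example for this page (not from the thread). Models two weekly lag-site
# windows and, for a given deletion time, works out which site still holds a
# pre-deletion copy and how long until the tombstone replicates into it.

# Schedules as Ulf describes them; PullMinutes is his 15-minute interval.
$LagSites = @(
    [pscustomobject]@{ Name = 'LagSite1'; Day = [DayOfWeek]::Tuesday;  StartHour = 22; Hours = 4; PullMinutes = 15 },
    [pscustomobject]@{ Name = 'LagSite2'; Day = [DayOfWeek]::Saturday; StartHour = 10; Hours = 4; PullMinutes = 15 }
)

function Get-LastWindowStart {
    # Most recent start of a weekly window at or before $From.
    param([DateTime]$From, [DayOfWeek]$Day, [int]$StartHour)
    $daysBack = ([int]$From.DayOfWeek - [int]$Day + 7) % 7
    $start = $From.Date.AddDays(-$daysBack).AddHours($StartHour)
    if ($start -gt $From) { $start = $start.AddDays(-7) }   # today's window has not opened yet
    return $start
}

function Get-LagSiteRecoveryPlan {
    param([DateTime]$DeletedAt, [object[]]$Sites)
    foreach ($site in $Sites) {
        $lastStart = Get-LastWindowStart -From $DeletedAt -Day $site.Day -StartHour $site.StartHour
        $lastEnd   = $lastStart.AddHours($site.Hours)
        # Deleted while the window was open: the next pull carries the tombstone
        # across, so this site is not a safe copy and the deadline is minutes away.
        $inWindow = $DeletedAt -lt $lastEnd
        if ($inWindow) {
            $copyAt   = $null
            $deadline = $DeletedAt.AddMinutes($site.PullMinutes)
        } else {
            $copyAt   = $lastEnd                 # lag DC data is as of the end of that window
            $deadline = $lastStart.AddDays(7)    # next weekly window opens here
        }
        [pscustomobject]@{
            Site            = $site.Name
            SafeCopy        = -not $inWindow
            CopyCurrentAsOf = $copyAt
            TombstoneDueAt  = $deadline
            DetectWithin    = $deadline - $DeletedAt
        }
    }
}

function Get-BestLagSite {
    # The safe site that gives the longest detection window.
    param([DateTime]$DeletedAt, [object[]]$Sites)
    Get-LagSiteRecoveryPlan -DeletedAt $DeletedAt -Sites $Sites |
        Where-Object { $_.SafeCopy } |
        Sort-Object -Property TombstoneDueAt -Descending |
        Select-Object -First 1
}

# Constructed sample: an object deleted on Thursday 27 Oct 2005 at 09:00.
$deletedAt = [DateTime]'2005-10-27T09:00:00'
Get-LagSiteRecoveryPlan -DeletedAt $deletedAt -Sites $LagSites | Format-Table -AutoSize
$best = Get-BestLagSite -DeletedAt $deletedAt -Sites $LagSites
"Restore from $($best.Site): its copy is current as of $($best.CopyCurrentAsOf); tombstone arrives $($best.TombstoneDueAt) ($($best.DetectWithin.TotalDays.ToString('0.0')) days away)."
# For this sample LagSite1 gives about 5.5 days and LagSite2 about 2.0 days.
# Try a Wednesday 01:00 deletion to see LagSite1 drop out (deleted inside its
# window) and LagSite2 become the only safe copy.
```

Once TombstoneDueAt has passed for both sites the lag DCs hold the tombstone too, and you are back to Jorge's other case: a non-authoritative restore from backup followed by an authoritative restore. The script also makes Ulf's scope explicit: it answers "how long until the mistake I just made reaches the lag site", not "which copy still has the object I changed weeks ago".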

RE: [ActiveDir] AD Lag Site

2005-10-26 Thread Almeida Pinto, Jorge de
yes... IF the detection of the deletion is BEFORE the replication window to the
lag site. Otherwise the tombstone will replicate to the lag site also. It is
just an extra opportunity for you to make a deletion undone without doing a
non-auth restore!
 
As the object and its metadata still exist on the replica of the DC, there is
no need to do a non-auth restore. Therefore you need to do only an auth restore
so the version becomes higher than the deleted object's and the deletion is
undone.
Of course you will still need to do a non-auth restore followed by an auth
restore if the detection of the deletion is after the replication window to the
lag site.
 
Jorge



From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Wed 10/26/2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 


...if I understand correctly what the ActiveDir gurus explained to me earlier:
-> Without a lag site, you must do a non-auth restore followed by an auth
restore.
-> With a lag site, you only need to do an auth restore.
 
Am I right? :)
 
Yann



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
Sent: Wednesday, 26 October 2005 15:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site


More so for deletion of objects so you wouldn't have to do an authoritative 
restore from a backup.
 

David Chianese 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
Sent: Wednesday, October 26, 2005 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 


I'm sorry if I sound ignorant, but what is the purpose of a "lag site"?  Is it
a site that you don't replicate to for a specific period of time, so that if
there is a disaster you can get the data from the lag site?
 
Thanks

Russ



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-Weidner
Sent: Tuesday, October 25, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 


I did those too, and some other things to consider were:
* Putting them inside a virtual machine with faked Subnetting in AD: Take a 
class C Network and split it in AD Sites and Services, not TCP/IP, then you can 
spare the router
* Assign the site membership for the host via GPO if it is in one of the 
virtual subnets of the virtual lag-dcs (depending on the subnetting 
possibilities you have)
* Configure a firewall between the sites to make sure the machines only talk
to the ones they are supposed to (if available)
* Use scripting to shut down virtual networks if available in the times they
are not supposed to replicate
* Make sure that you configure replication so that it runs a couple of times
during the allowed timeframe
* Configure terminal services access on the lag DCs
* Configure boot.ini to be able to boot into DSRM by changing the default 
without querying for the boot.ini parameter when necessary.
 
For the replication I usually configured replication every 15 minutes (the 
Lag-Sites were on the same LAN), Site 1 replicates Tuesday 10pm to Wednesday 
2am, Site 2 replicates Saturday 10am to 2pm (each 4 hrs, exactly 1/2 Week 
apart).
 
Ulf




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
Sent: Tuesday, October 25, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 


Hi,
Guido and Gil wrote a great ebook about recovery, in which information
about lag sites is included
Take a look at: http://www.netpro.com/events/adrecovery/index.cfm
(registration needed)
 
For starters some tips:
* Place at least one DC for each domain in the lag site
* Allow the DCs in the lag site to register only the replication record
(CNAME) in the DNS zone _MSDCS.FORESTROOT
* Don't assign WINS server IP addresses for the DCs in the lag sites
* Make sure the site link between the lag site and the hub site has a
higher cost than all other site links that connect the hub site and other sites
(reason: Exchange AD topology discovery for the out-of-site list of DCs/GCs)
* You might want to use lag sites (e.g. 2) that replicate in steps (the 1st
site replicates, say, every 3 days and the other every week), where the second
lag site is connected to the first and the first is connected to the second and
the hub site
 
This might be expensive though, and you also might have a look at
object recovery tools available from third-party vendors
 
Cheers,
Jorge



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn 
Hayes
Sent: Tuesday, October 25, 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: 

Re: Re: [ActiveDir]Group Policy Administrative Templates

2005-10-26 Thread Jerold Schulman

The PolicyMaker™ Registry Extension freeware works great.

On Wed, 26 Oct 2005 23:20:41 +0530, you wrote:

>I found this free registry GP CSE
>
>at http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx
>
>some of the features it touts are
>* Full control over tattooing (i.e. each setting becomes a policy
>and not a preference)
>* Registry Wizard for settings import
>* Per-setting filtering
>* integration with GPMC
>I will be testing this extension, :)
>
>--
>Kamlesh
>
>On 10/26/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
>>
>> There are a few free and for pay tools to do it. Check out the following:
>> RegtoADM: turns .reg files into ADMs. Free tool that is part of the
>> NUTS utilities at http://yizhar.mvps.org/
>> ADM Template Editor: This is a for pay tool found at
>> http://www.sysprosoft.com/adm_summary.shtml
>> Policy Template Editor: a for pay tool at
>> http://www.tools4ever.com/products/utilities/policytemplateeditor/
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sadovskiy Artem
>> Nikolaevich
>> Sent: Tuesday, October 25, 2005 7:28 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir]Group Policy Administrative Templates
>>
>> Hi!
>>
>> Are there any tools that can assist me to create .ADM (Group Policy
>> Administrative Templates) files?
>>
>> If anybody knows, please send me a link.
>>
>> Regards.
>>

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com


Re: [ActiveDir]Group Policy Administrative Templates

2005-10-26 Thread Kamlesh Parmar
I found this free registry GP CSE
at http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx

some of the features it touts are
* Full control over tattooing (i.e. each setting becomes a policy and not a preference)
* Registry Wizard for settings import
* Per-setting filtering 
* integration with GPMC

I will be testing this extension, :)

--
Kamlesh
On 10/26/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

There are a few free and for pay tools to do it. Check out the following:

RegtoADM: turns .reg files into ADMs. Free tool that is part of the NUTS
utilities at http://yizhar.mvps.org/

ADM Template Editor: This is a for pay tool found at
http://www.sysprosoft.com/adm_summary.shtml

Policy Template Editor: a for pay tool at
http://www.tools4ever.com/products/utilities/policytemplateeditor/


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sadovskiy Artem Nikolaevich
Sent: Tuesday, October 25, 2005 7:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Group Policy Administrative Templates

Hi!

Are there any tools that can assist me to create .ADM (Group Policy
Administrative Templates) files?
If anybody knows, please send me a link.

Regards.
 

-- ~~~"Fortune and Love befriend the bold"~~~


RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

2005-10-26 Thread Tim Vander Kooi
That is correct.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Wednesday, October 26, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

So back to my original question (we got off on a little tangent):  Will
Sharepoint CAL's cover multiple portals from a single sharepoint server?
 
From the responses, I'd infer that, yes, they will since they are connecting
to the same server (regardless of which portal is used), but I just want to
be sure.
 
Thanks!

  - Original Message -
  From: Tim Vander Kooi
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, October 26, 2005 9:56 AM
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  In that case, you are really just running 2 different 
  intranets, and yes the 30 CALs in your "hypothetical" would be 
  sufficient.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Wednesday, October 26, 2005 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  For the few extranet users we have, they do have 
  login accounts in an AD domain on our network.
   
  I appreciate all the info so far.
  
- Original Message -
From: Tim Vander Kooi
To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 26, 2005 7:19 AM
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

You are correct, and in this case anonymous access 
refers to anyone not being authenticated by your servers. So if JB truly has 
an extranet where the people using it are outside of their control 
(regardless of whether their names and numbers are known) an EC is required. 
Running an extranet without it is not valid. If JB was to talk with MS 
licensing they might make an exception if the use can be proved, but without 
that in writing the site is not legal. I stand by my original statement, 
CALs for intranet (users authenticating to your servers), EC for extranet 
(users not authenticating to your servers). It may not be the cheapest or 
easiest way to go, but it is the correct way to do 
it.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 25, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?


My 
interpretation is that you need an EC for anonymous availability and cals 
for authenticated users – one SPS cal per authenticated user enterprise wide 
is I think how it works. The best thing to do would be to call your MS 
licensing person and ask them.
 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
 

Right, but the extranet isn't 
publicly available.  It's only available to a select few clients.  
We'd rather purchase individual CAL's for the few extranet users at ~$71 
each rather than $30K for an unlimited number.  The licensing didn't 
stipulate that the individual CAL's could not be used for external 
users.  The External Connector License option seemed to be geared 
toward a public sharepoint portal where you don't know how many users might 
be connecting to it, or would have enough connecting that would make 
purchasing individual CAL's 
unrealistic.

http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx

 

Regardless, I should 
clarify.  Suppose we have 20 employees, a license for Sharepoint 
and 30 CAL's.  We run an extranet portal for sharepoint, which those 
employees access, as well as say, 5 clients.  Without buying more 
CAL's, can 
we run an intranet portal for our employees using that Sharepoint 
server?

 

Thanks!

  
  - Original Message - 
  From: Tim Vander Kooi 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, October 25, 2005 3:27 PM
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
   
  For your 
  described situation a CAL would not cover both portals. Then 
  again, if you are using it for an Extranet with CALs you are incorrectly 
  licensed as is. An Extranet setup would require an External Connector 
  license, as the people connecting to it are not employees of your company. 
 

[ActiveDir] Tripwire gets into auditing AD

2005-10-26 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Tripwire - Press Room - Press Releases - TRIPWIRE INTRODUCES CHANGE 
AUDITING FOR MICROSOFT ACTIVE DIRECTORY AND SUN ONE DIRECTORY SERVER:

http://www.tripwire.com/press/press_release/pr.cfm?prid=274&djinn=2146

*Enhanced security:* Tripwire Enterprise enhances security by notifying 
of undesired changes, according to severity. In addition to who made the 
change, Tripwire Enterprise can show for Active Directory what, when, 
and how changes were made.


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

2005-10-26 Thread J B



So back to my original question (we got off on a 
little tangent):  Will Sharepoint CAL's cover multiple portals from a 
single sharepoint server?
 
From the responses, I'd infer that, yes, they will 
since they are connecting to the same server (regardless of which portal is 
used), but I just want to be sure.
 
Thanks!

  - Original Message - 
  From: Tim Vander Kooi 
  To: ActiveDir@mail.activedir.org 
  Sent: Wednesday, October 26, 2005 9:56 AM
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  In that case, you are really just running 2 different 
  intranets, and yes the 30 CALs in your "hypothetical" would be 
  sufficient.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Wednesday, October 26, 2005 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  For the few extranet users we have, they do have 
  login accounts in an AD domain on our network.
   
  I appreciate all the info so far.
  
- Original Message - 
From: Tim Vander Kooi 
To: ActiveDir@mail.activedir.org 
Sent: Wednesday, October 26, 2005 7:19 AM
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

You are correct, and in this case anonymous access 
refers to anyone not being authenticated by your servers. So if JB truly has 
an extranet where the people using it are outside of their control 
(regardless of whether their names and numbers are known) an EC is required. 
Running an extranet without it is not valid. If JB was to talk with MS 
licensing they might make an exception if the use can be proved, but without 
that in writing the site is not legal. I stand by my original statement, 
CALs for intranet (users authenticating to your servers), EC for extranet 
(users not authenticating to your servers). It may not be the cheapest or 
easiest way to go, but it is the correct way to do 
it.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 25, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?


My 
interpretation is that you need an EC for anonymous availability and cals 
for authenticated users – one SPS cal per authenticated user enterprise wide 
is I think how it works. The best thing to do would be to call your MS 
licensing person and ask them.
 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
 

Right, but the extranet isn't 
publicly available.  It's only available to a select few clients.  
We'd rather purchase individual CAL's for the few extranet users at ~$71 
each rather than $30K for an unlimited number.  The licensing didn't 
stipulate that the individual CAL's could not be used for external 
users.  The External Connector License option seemed to be geared 
toward a public sharepoint portal where you don't know how many users might 
be connecting to it, or would have enough connecting that would make 
purchasing individual CAL's 
unrealistic.

http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx

 

Regardless, I should 
clarify.  Suppose we have 20 employees, a license for Sharepoint 
and 30 CAL's.  We run an extranet portal for sharepoint, which those 
employees access, as well as say, 5 clients.  Without buying more 
CAL's, can 
we run an intranet portal for our employees using that Sharepoint 
server?

 

Thanks!

  
  - Original Message - 
  From: Tim Vander Kooi 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, October 25, 2005 3:27 PM
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
   
  For your 
  described situation a CAL would not cover both portals. Then 
  again, if you are using it for an Extranet with CALs you are incorrectly 
  licensed as is. An Extranet setup would require an External Connector 
  license, as the people connecting to it are not employees of your company. 
  Using SharePoint Portal Server for an Intranet would require either user 
  or device CALs, just like Windows Server 
  does.
   
  
  
  
  From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Beh

RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

2005-10-26 Thread Tim Vander Kooi



In that case, you are really just running 2 different 
intranets, and yes the 30 CALs in your "hypothetical" would be 
sufficient.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Wednesday, October 26, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

For the few extranet users we have, they do have 
login accounts in an AD domain on our network.
 
I appreciate all the info so far.

  - Original Message - 
  From: Tim Vander Kooi 
  To: ActiveDir@mail.activedir.org 
  Sent: Wednesday, October 26, 2005 7:19 AM
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  You are correct, and in this case anonymous access refers 
  to anyone not being authenticated by your servers. So if JB truly has an 
  extranet where the people using it are outside of their control (regardless of 
  whether their names and numbers are known) an EC is required. Running an 
  extranet without it is not valid. If JB was to talk with MS licensing they 
  might make an exception if the use can be proved, but without that in writing 
  the site is not legal. I stand by my original statement, CALs for intranet 
  (users authenticating to your servers), EC for extranet (users not 
  authenticating to your servers). It may not be the cheapest or easiest way to 
  go, but it is the correct way to do it.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Tuesday, October 25, 2005 6:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  
  My 
  interpretation is that you need an EC for anonymous availability and cals for 
  authenticated users – one SPS cal per authenticated user enterprise wide is I 
  think how it works. The best thing to do would be to call your MS licensing 
  person and ask them.
   
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
  c - 312.731.3132
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Tuesday, October 25, 2005 6:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
   
  
  Right, but the extranet isn't 
  publicly available.  It's only available to a select few clients.  
  We'd rather purchase individual CAL's for the few extranet users at ~$71 
  each rather than $30K for an unlimited number.  The licensing didn't 
  stipulate that the individual CAL's could not be used for external 
  users.  The External Connector License option seemed to be geared toward 
  a public sharepoint portal where you don't know how many users might be 
  connecting to it, or would have enough connecting that would make purchasing 
  individual CAL's 
  unrealistic.
  
  http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx
  
   
  
  Regardless, I should 
  clarify.  Suppose we have 20 employees, a license for Sharepoint and 
  30 CAL's.  We run an extranet portal for sharepoint, which those 
  employees access, as well as say, 5 clients.  Without buying more 
  CAL's, can 
  we run an intranet portal for our employees using that Sharepoint 
  server?
  
   
  
  Thanks!
  

- Original Message - 
From: Tim Vander Kooi 
To: ActiveDir@mail.activedir.org 
Sent: Tuesday, October 25, 2005 3:27 PM
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

 
For your described 
situation a CAL would not cover both portals. Then 
again, if you are using it for an Extranet with CALs you are incorrectly 
licensed as is. An Extranet setup would require an External Connector 
license, as the people connecting to it are not employees of your company. 
Using SharePoint Portal Server for an Intranet would require either user or 
device CALs, just like Windows Server 
does.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

I tried this question on the Sharepoint Newsgroup 
with no luck on responses.  I'd like to know if MS Sharepoint 
CAL's will cover multiple portals on sharepoint.  We are thinking of 
using sharepoint for our company intranet (we already use it for an 
extranet) and want to make sure we are covered if we go that 
route.  Does anyone 
  know?


Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

2005-10-26 Thread J B



For the few extranet users we have, they do have 
login accounts in an AD domain on our network.
 
I appreciate all the info so far.

  - Original Message - 
  From: Tim Vander Kooi 
  To: ActiveDir@mail.activedir.org 
  Sent: Wednesday, October 26, 2005 7:19 AM
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  You are correct, and in this case anonymous access refers 
  to anyone not being authenticated by your servers. So if JB truly has an 
  extranet where the people using it are outside of their control (regardless of 
  whether their names and numbers are known) an EC is required. Running an 
  extranet without it is not valid. If JB was to talk with MS licensing they 
  might make an exception if the use can be proved, but without that in writing 
  the site is not legal. I stand by my original statement, CALs for intranet 
  (users authenticating to your servers), EC for extranet (users not 
  authenticating to your servers). It may not be the cheapest or easiest way to 
  go, but it is the correct way to do it.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Tuesday, October 25, 2005 6:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  
  My 
  interpretation is that you need an EC for anonymous availability and cals for 
  authenticated users – one SPS cal per authenticated user enterprise wide is I 
  think how it works. The best thing to do would be to call your MS licensing 
  person and ask them.
   
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
  c - 312.731.3132
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Tuesday, October 25, 2005 6:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
   
  
  Right, but the extranet isn't 
  publicly available.  It's only available to a select few clients.  
  We'd rather purchase individual CAL's for the few extranet users at ~$71 
  each rather than $30K for an unlimited number.  The licensing didn't 
  stipulate that the individual CAL's could not be used for external 
  users.  The External Connector License option seemed to be geared toward 
  a public sharepoint portal where you don't know how many users might be 
  connecting to it, or would have enough connecting that would make purchasing 
  individual CAL's 
  unrealistic.
  
  http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx
  
   
  
  Regardless, I should 
  clarify.  Suppose we have 20 employees, a license for Sharepoint and 
  30 CAL's.  We run an extranet portal for sharepoint, which those 
  employees access, as well as say, 5 clients.  Without buying more 
  CAL's, can 
  we run an intranet portal for our employees using that Sharepoint 
  server?
  
   
  
  Thanks!
  

- Original Message - 
From: Tim Vander Kooi 
To: ActiveDir@mail.activedir.org 
Sent: Tuesday, October 25, 2005 3:27 PM
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

 
For your described 
situation a CAL would not cover both portals. Then 
again, if you are using it for an Extranet with CALs you are incorrectly 
licensed as is. An Extranet setup would require an External Connector 
license, as the people connecting to it are not employees of your company. 
Using SharePoint Portal Server for an Intranet would require either user or 
device CALs, just like Windows Server 
does.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

I tried this question on the Sharepoint Newsgroup 
with no luck on responses.  I'd like to know if MS Sharepoint 
CAL's will cover multiple portals on sharepoint.  We are thinking of 
using sharepoint for our company intranet (we already use it for an 
extranet) and want to make sure we are covered if we go that 
route.  Does anyone 
  know?


RE: [ActiveDir] script to check the "inheritance" from the security Tab...

2005-10-26 Thread Bruyere, Michel
Yes, it has been solved. If you want to come back on this, just mail me off 
list. 


Thanks



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of TIROA YANN
> Sent: Wednesday, October 26, 2005 9:39 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] script to check the "inheritance" from the
> security Tab...
> 
> Hi Michel,
> 
> If I may, have you solved your problem concerning this thread "[ActiveDir]
> only 1 GPO not applying..." that you posted earlier in this list? Here is your
> post
> 
> "Subject: [ActiveDir] only 1 GPO not applying...
> 
> Hi,
> I have a little problem applying a GPO.
> SETUP: windows 2k native domain with XPsp2 ADM files. All stations are
> WinXP sp2.
> 
> I had a GPO that pushed a screen saver configuration and some other
> restrictions. I had to split the GPO in 2 because I needed to deploy the
> screensaver without the other restrictions. There is a problem with this
> new GPO because it just does not apply to any machine/user.
> 
> I used GPMC on a WinXP SP2 with the 2k3 adminpak to define and link the
> GPOs.
> 
> Note: all other policies are applied correctly and the one that does not
> apply isn't listed in the "The following GPOs were not applied because
> they were filtered out" section...
> 
> Any ideas?
> 
> Thanks for your time!"
> 
> I would be interested about your resolution :)
> 
> Thank u for input and have a nice day.
> 
> Yann
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> Sent: Wednesday, October 26, 2005 14:32
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] script to check the "inheritance" from the
> security Tab...
> 
> Thanks for the input, Problem solved.
> 
> Thanks to Yann too!
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
> > Sent: Wednesday, October 26, 2005 2:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] script to check the "inheritance" from the
> > security Tab...
> >
> > Hallo Michel,
> >
> > Look at the VBScript in KB 817433 (
> > http://support.microsoft.com/?id=817433
> > ), especially the SetInheritanceFlag function.
> >
> > Ulf
> >
> > |-Original Message-
> > |From: [EMAIL PROTECTED]
> > |[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere,
> > |Michel
> > |Sent: Wednesday, October 26, 2005 12:48 AM
> > |To: ActiveDir@mail.activedir.org
> > |Subject: [ActiveDir] script to check the "inheritance" from the
> > |security Tab...
> > |
> > |Hi,
> > |   I would like to make sure that the following check box is
> > |checked:
> > |Inherit from parent the permissions entries that apply to child
> > |object.
> > |
> > |I would like to do this as a batch job, without having to go manually
> > |to each user objects.
> > |
> > |
> > |Does anyone have an idea on scripts or tools (freeware) that can allow me
> > |to reset these?
> > |
> > |
> > |Thanks!
> > |
> > |
> > |
> > |
> > |
> >
> >
> 

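The check Michel asked for, and the reset that KB 817433's SetInheritanceFlag does in VBScript, as one PowerShell script. This is an added example, not code from the thread or from the KB article. It assumes the ActiveDirectory module (RSAT) with its AD: drive, and the default -SearchBase is a placeholder DN. It reports every user object whose "Inherit from parent" box is unchecked and, only when -Fix is passed, re-enables inheritance while keeping the object's existing explicit ACEs. One caveat a batch job like this has to handle: accounts protected by AdminSDHolder (adminCount=1, members of Domain Admins and similar groups) have inheritance switched off on purpose by the SDProp process, which re-applies that ACL on its next pass, so the script lists those separately and leaves them alone rather than "fixing" something that would silently revert.

```powershell
<#
  Audit, and optionally restore, "Inherit from parent" on AD user objects.
  Added example for this thread; it is not code from the thread or from KB 817433.
  Requires the ActiveDirectory module (RSAT), which also provides the AD: drive.
  The default -SearchBase is a placeholder; pass the DN of your own OU.
#>
param(
    [string]$SearchBase = "OU=Users,DC=example,DC=com",   # placeholder DN
    [switch]$Fix                                         # report only unless set
)

Import-Module ActiveDirectory

# Pull the security descriptor with the object so no second query is needed.
$users = @(Get-ADUser -Filter * -SearchBase $SearchBase `
                      -Properties nTSecurityDescriptor, adminCount)

$blocked   = @()   # inheritance off, safe to restore
$protected = @()   # inheritance off because of AdminSDHolder / SDProp

foreach ($u in $users) {
    # AreAccessRulesProtected = $true means the "Inherit from parent" box is unchecked.
    if (-not $u.nTSecurityDescriptor.AreAccessRulesProtected) { continue }

    if ($u.adminCount -eq 1) {
        # SDProp re-applies the AdminSDHolder ACL (inheritance off) to these
        # roughly every 60 minutes, so a "fix" would not stick and would only
        # hide the fact that the account is a protected one.
        $protected += $u.DistinguishedName
        continue
    }
    $blocked += $u.DistinguishedName

    if ($Fix) {
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # isProtected = $false re-enables inheritance; preserveInheritance = $true
        # keeps the explicit ACEs already on the object instead of dropping them.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

"{0} user objects checked under {1}" -f $users.Count, $SearchBase
"{0} with inheritance blocked{1}:" -f $blocked.Count, $(if ($Fix) { " (now restored)" } else { "" })
$blocked
"{0} AdminSDHolder-protected accounts left as they are:" -f $protected.Count
$protected
```

Run it once without -Fix to get the list, and compare the blocked entries against what you expect before re-running with -Fix; an object that had inheritance deliberately removed (a service account someone locked down by hand, say) will show up here the same way as one that was simply mis-clicked.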


Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

2005-10-26 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
In SBSland for our little Sharepoint services, the rule we have followed 
is [and there are some who argue that DotNetNuke stuff should follow 
this rule as well]: once you get into that AD structure such that you are 
setting up usernames and passwords [you authenticate against AD], you 
need a CAL.


Our SQL license for WSS is such that if we allow anon access to 
Sharepoint, we do not need a WSS or SQL external connector [whatever the 
external license is for SQL -- I think you can do it with a processor 
license but I don't keep track of the SQL nuances in licensing].


If you can't host it in a legal [and let's face it cheap] way on your 
own box, the way we do it is recommend external outsourcers... like... 
for example the Microsoft site of www.mssmallbiz.com is an externally 
hosted Sharepoint that allows for authentication [aka passwords]


I was once in a presentation at a CPA tech conference and the guy 
presenting was basically advocating 'oh it doesn't matter, Microsoft 
doesn't care' on licensing Sharepoint Portal Server... needless to say 
the chair I was sitting in probably had fingernail marks in the bottom 
of it as I white-knuckled that presentation.




Tim Vander Kooi wrote:
You are correct, and in this case anonymous access refers to anyone 
not being authenticated by your servers. So if JB truly has an 
extranet where the people using it are outside of their control 
(regardless of whether their names and numbers are known) an EC is 
required. Running an extranet without it is not valid. If JB was to 
talk with MS licensing they might make an exception if the use can be 
proved, but without that in writing the site is not legal. I stand by 
my original statement, CALs for intranet (users authenticating to your 
servers), EC for extranet (users not authenticating to your servers). 
It may not be the cheapest or easiest way to go, but it is the correct 
way to do it.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 25, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?


My interpretation is that you need an EC for anonymous availability 
and cals for authenticated users – one SPS cal per authenticated user 
enterprise wide is I think how it works. The best thing to do would be 
to call your MS licensing person and ask them.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?


Right, but the extranet isn't publicly available. It's only available 
to a select few clients. We'd rather purchase individual CAL's for the 
few extranet users at ~$71 each rather than $30K for an unlimited 
number. The licensing didn't stipulate that the individual CAL's could 
not be used for external users. The External Connector License option 
seemed to be geared toward a public sharepoint portal where you don't 
know how many users might be connecting to it, or would have enough 
connecting that would make purchasing individual CAL's unrealistic.


http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx

Regardless, I should clarify. Suppose we have 20 employees, a license 
for Sharepoint and 30 CAL's. We run an extranet portal for sharepoint, 
which those employees access, as well as say, 5 clients. Without 
buying more CAL's, can we run an intranet portal for our employees 
using that Sharepoint server?


Thanks!

- Original Message -
From: Tim Vander Kooi 
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 25, 2005 3:27 PM
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

For your described situation a CAL would not cover both portals.
Then again, if you are using it for an Extranet with CALs you are
incorrectly licensed as is. An Extranet setup would require an
External Connector license, as the people connecting to it are not
employees of your company. Using SharePoint Portal Server for an
Intranet would require either user or device CALs, just like
Windows Server does.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

I tried this question on the Sharepoint Newsgroup with no lu

RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

2005-10-26 Thread Tim Vander Kooi



You are correct, and in this case anonymous access refers 
to anyone not being authenticated by your servers. So if JB truly has an 
extranet where the people using it are outside of their control (regardless of 
whether their names and numbers are known) an EC is required. Running an 
extranet without it is not valid. If JB was to talk with MS licensing they might 
make an exception if the use can be proved, but without that in writing the site 
is not legal. I stand by my original statement, CALs for intranet (users 
authenticating to your servers), EC for extranet (users not authenticating to 
your servers). It may not be the cheapest or easiest way to go, but it is the 
correct way to do it.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 25, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?


My 
interpretation is that you need an EC for anonymous availability and cals for 
authenticated users – one SPS cal per authenticated user enterprise wide is I 
think how it works. The best thing to do would be to call your MS licensing 
person and ask them.
 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
 

Right, but the extranet isn't 
publicly available.  It's only available to a select few clients.  
We'd rather purchase individual CAL's for the few extranet users at ~$71 each 
rather than $30K for an unlimited number.  The licensing didn't stipulate 
that the individual CAL's could not be used for external 
users.  The External Connector License option seemed to be geared toward a 
public sharepoint portal where you don't know how many users might be connecting 
to it, or would have enough connecting that would make purchasing individual 
CAL's 
unrealistic.

http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx

 

Regardless, I should 
clarify.  Suppose we have 20 employees, a license for Sharepoint and 
30 CAL's.  We run an extranet portal for sharepoint, which those employees 
access, as well as say, 5 clients.  Without buying more CAL's, can we run an 
intranet portal for our employees using that Sharepoint 
server?

 

Thanks!

  
  - Original Message - 
  From: Tim Vander Kooi 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, October 25, 2005 3:27 PM
  Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
   
  For your described 
  situation a CAL would not cover both portals. Then 
  again, if you are using it for an Extranet with CALs you are incorrectly 
  licensed as is. An Extranet setup would require an External Connector license, 
  as the people connecting to it are not employees of your company. Using 
  SharePoint Portal Server for an Intranet would require either user or device 
  CALs, just like Windows Server does.
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Tuesday, October 25, 2005 5:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
  
  I tried this question on the Sharepoint Newsgroup with 
  no luck on responses.  I'd like to know if MS Sharepoint CAL's will 
  cover multiple portals on sharepoint.  We are thinking of using 
  sharepoint for our company intranet (we already use it for an extranet) 
  and want to make sure we are covered if we go that route.  Does 
  anyone know?


RE: [ActiveDir] AD Lag Site

2005-10-26 Thread TIROA YANN



If I understand correctly what the ActiveDir gurus 
explained to me earlier: 
-> Without a lag site, you must do a non-auth 
restore followed by an auth restore.
-> With a lag site, you only need to do an auth 
restore.
 
Am I right? :)
 
Yann


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
Sent: Wednesday, October 26, 2005 15:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 


More so for deletion of objects so you wouldn't have to do 
an authoritative restore from a backup.
 
David Chianese 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
Sent: Wednesday, October 26, 2005 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 


I'm sorry if I sound ignorant, but what is the purpose of a 
"lag site"?  Is it a site that you don't replicate to for a specific period of 
time, so that if there is a disaster, you can get the data from the lag 
site??  
 
Thanks
Russ


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, October 25, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site 


I did those too, and some other things to consider 
were:
* Putting them inside a virtual machine with faked subnetting in AD: take 
a class C network and split it in AD Sites and Services, not TCP/IP, then you 
can spare the router
* Assign the site membership for the host via GPO if it is in one of the 
virtual subnets of the virtual lag DCs (depending on the subnetting 
possibilities you have)
* Configure a firewall between the sites to make sure the machines only 
talk to the ones they are supposed to (if available)
* Use scripting to shut down virtual networks if available in the times 
they are not supposed to replicate
* Make sure that you configure replication so that it runs a couple of times 
during the allowed timeframe
* Configure terminal services access on the lag DCs
* Configure boot.ini to be able to boot into DSRM by changing the default 
without querying for the boot.ini parameter when necessary.
 
For the replication I usually configured replication every 15 minutes 
(the Lag-Sites were on the same LAN), Site 1 replicates Tuesday 10pm to 
Wednesday 2am, Site 2 replicates Saturday 10am to 2pm (each 4 hrs, exactly 1/2 
Week apart).
 
Ulf

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Tuesday, October 25, 2005 3:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Lag Site 
  
  
  Hi,
  Guido and Gil wrote a great ebook about recovery in which information 
  about lag sites is included.
  Take a look at: http://www.netpro.com/events/adrecovery/index.cfm (registration 
  needed)
   
  For starters, some tips:
  * Place at least one DC for each domain in the lag site
  * Allow the DCs in the lag site to register only the replication record 
  (CNAME) in the DNS zone _MSDCS.FORESTROOT
  * Don't assign WINS server IP addresses for the DCs in the lag sites
  * Make sure the site link between the lag site and the hub site has a higher 
  cost than all other site links that connect the hub site and other sites 
  (reason: Exchange AD topology discovery for the out-of-site list of DCs/GCs)
  * You might want to use lag sites (e.g. 2) that replicate in steps (the 1st 
  site replicates e.g. every 3 days and the other every week), where the second 
  lag site is connected to the first and the first is connected to the second 
  and the hub site
   
  This might be expensive though, and you also might have a look at object 
  recovery tools available from third-party vendors
   
  Cheers,
  Jorge
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
  Sent: Tuesday, October 25, 2005 15:31
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD Lag Site
  
  
  Anyone have any 
  pointers (documentation or real life experience) on setting up an AD Lag 
  Site?
   
  Thanks in 
  advance,
   
  Shawn
   
  This e-mail and any 
  attachment is for authorised use by the intended recipient(s) only. It may 
  contain proprietary material, confidential information and/or be subject to 
  legal privilege. It should not be copied, disclosed to, retained or used by, 
  any other party. If you are not an intended recipient then please promptly 
  delete this e-mail and any attachment and all copies and inform the sender. 
  Thank you.



RE: [ActiveDir] script to check the "inheritance" from the security Tab...

2005-10-26 Thread TIROA YANN
Hi Michel,

If I may ask, have you solved your problem concerning the thread "[ActiveDir] only 
1 GPO not applying..." you posted earlier in this list? Here is your post

"Subject: [ActiveDir] only 1 GPO not applying...

Hi,
I have a little problem applying a GPO.
SETUP: windows 2k native domain with XPsp2 ADM files. All stations are
WinXP sp2.

I had a GPO that pushed a screen saver configuration and some other
restrictions. I had to split the GPO in 2 because I needed to deploy the
screensaver without the other restrictions. There is a problem with this
new GPO because it just does not apply to any machine/user.

I used GPMC on a WinXP SP2 with 2k3 adminpak to define and link the
GPOs.

Note: all other policies are applied correctly and the one that does not
apply isn't listed in the "The following GPOs were not applied because
they were filtered out" section...

Any ideas?

Thanks for your time!"

I would be interested about your resolution :)

Thank you for your input and have a nice day.

Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, 26 October 2005 14:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] script to check the "inheritance" from the security 
Tab...

Thanks for the input, Problem solved. 

Thanks to Yann too! 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
> Sent: Wednesday, October 26, 2005 2:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] script to check the "inheritance" from the 
> security Tab...
> 
> Hallo Michel,
> 
> Look at the VBScript in KB 817433 (
> http://support.microsoft.com/?id=817433
> ), especially the SetInheritanceFlag function.
> 
> Ulf
> 
> |-Original Message-
> |From: [EMAIL PROTECTED]
> |[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, 
> |Michel
> |Sent: Wednesday, October 26, 2005 12:48 AM
> |To: ActiveDir@mail.activedir.org
> |Subject: [ActiveDir] script to check the "inheritance" from the 
> |security Tab...
> |
> |Hi,
> | I would like to make sure that the following check box is
> |checked:
> |Inherit from parent the permission entries that apply to child
> |objects.
> |
> |I would like to do this as a batch job, without having to go manually 
> |to each user object.
> |
> |
> |Does anyone have an idea on scripts or tools (freeware) that can allow me 
> |to reset these?
> |
> |
> |Thanks!
> |
> |
> |
> |
> |List info   : http://www.activedir.org/List.aspx
> |List FAQ: http://www.activedir.org/ListFAQ.aspx
> |List archive:
> |http://www.mail-archive.com/activedir%40mail.activedir.org/
> |
> 
> 


Re: [ActiveDir] secure subnet; no sharing of files or internet access

2005-10-26 Thread Phil Renouf
What Brian was getting at was that it would be best to only open those ports to the DC's specifically and not a whole subnet.
 
Phil 
On 10/26/05, sdgesa gaeharth <[EMAIL PROTECTED]> wrote:
> subnet ports are opened to the dmz, not to each other.
> Am I going the right way or is there a better solution?
>
> thanks
>
> --- Brian Desmond <[EMAIL PROTECTED]> wrote:
>
> > Are you opening the ports between the subnets or between the subnet and the
> > dc host IPs? If you do the latter, the only place your users could drop
> > files and what have you is on the DCs and they'd need to be domain admins or
> > someone has to create a share on the DC that they can access. You'll need to
> > trust your admins or take away their privs.
> >
> > Your firewall rules should be permitting the traffic from the secure subnet
> > to host objects for the DCs not from the secure subnet to the subnet with
> > the DCs on them.
> >
> > Thanks,
> > Brian Desmond
> > [EMAIL PROTECTED]
> >
> > c - 312.731.3132
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
> > Sent: Tuesday, October 25, 2005 9:31 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] secure subnet; no sharing of files or internet access
> >
> > We have a single office with a single domain. Our physical network consists
> > of a firewall with a set of managed switches behind it. I have partitioned
> > the network into multiple subnets using vlans.
> >
> > Vlan 1: 10.0.1.0/24: internal dmz (AD, DNS, DHCP)
> > Vlan 2: 10.0.2.0/24: accounting
> > Vlan 3: 10.0.3.0/24: business development
> > Vlan 4: 10.0.4.0/24: secured vlan
> >
> > We need to restrict the Vlan 4, "secured vlan" so no confidential files can
> > get out. No Internet, no file sharing with the other subnets, no printers, etc.
> >
> > I opened dns, dhcp, and AD ports from Vlan 4 to Vlan 1 in order to
> > facilitate authentication against the DC.
> >
> > However, I am still worried that users could possibly be able to get files
> > out. For example, it seems port 445 is needed for authentication and file
> > sharing.
> >
> > Does anyone have any hints except the obvious one of separating the subnet
> > physically which is not an option?
> >
> > thanks



RE: [ActiveDir] secure subnet; no sharing of files or internet access

2005-10-26 Thread sdgesa gaeharth
subnet ports are opened to the dmz, not to each other.
Am I going the right way or is there a better solution?

thanks

--- Brian Desmond <[EMAIL PROTECTED]> wrote:

> Are you opening the ports between the subnets or
> between the subnet and the
> dc host IPs? If you do the latter, the only place
> your users could drop
> files and what have you is on the DCs and they'd
> need to be domain admins or
> someone has to create a share on the DC that they
> can access. You'll need to
> trust your admins or take away their privs.
> 
> Your firewall rules should be permitting the traffic
> from the secure subnet
> to host objects for the DCs not from the secure
> subnet to the subnet with
> the DCs on them. 
> 
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>  
> c - 312.731.3132
>  
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of sdgesa gaeharth
> Sent: Tuesday, October 25, 2005 9:31 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] secure subnet; no sharing of
> files or internet access
> 
> We have a single office with a single domain.  Our
> physical network consists of a firewall with a set
> of
> managed switches behind it.  I have partitioned the
> network into multiple subnets using vlans.
> 
> Vlan 1:10.0.1.0/24: internal dmz(AD, DNS, DHCP)
> Vlan 2:10.0.2.0/24: accounting
> Vlan 3:10.0.3.0/24: business development
> Vlan 4:10.0.4.0/24: secured vlan
> 
> We need to restrict the Vlan 4, "secured vlan" so no
> confidential files can get out. No Internet , no
> file
> sharing with the other subnets, no printers, etc.
> 
> I opened dns, dhcp, and AD ports from Vlan 4 to Vlan
> 1
> in order to facilitate authentication against the
> DC.
> 
> However, I am still worried that users could
> possibly
> be able to get files out.  For example, it seems
> port
> 445 is needed for authentication and file sharing.
> 
> Does anyone have any hints except the obvious one of
> separating the subnet physically which is not an
> option?
> 
> thanks
> 
> 
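Brian's point above, as an added example (not code from the thread): a check over a proposed rule set for the secured VLAN that flags any allow rule whose destination is not one of the DC host addresses, any port outside the set a domain member needs to reach a DC, and a missing closing deny. The DC addresses and the rule objects are constructed for this example.

```powershell
# Added example, not from the thread. Checks a proposed firewall rule set for
# the secured VLAN (10.0.4.0/24) against the advice in the thread: allow only
# the AD client ports, only to the DC host addresses (never to the whole DMZ
# subnet), and finish with an explicit deny. DC addresses and rules are
# constructed for the example.

$SecureVlan = '10.0.4.0/24'
$DcHosts    = @('10.0.1.10', '10.0.1.11')   # assumption: the DCs in VLAN 1
# TCP/UDP ports a domain member needs on a DC (DNS, Kerberos, NTP, RPC
# endpoint mapper, LDAP, SMB, Kerberos password change, global catalog).
# The RPC dynamic range (49152-65535 on 2008+, 1025-5000 on 2003) and DHCP
# relay traffic are not covered by this list.
$AdClientPorts = 53, 88, 123, 135, 389, 445, 464, 3268

function Test-SecureVlanRules {
    param(
        [object[]] $Rules, [string[]] $DcHosts,
        [string] $SecureVlan, [int[]] $AllowedPorts
    )
    $findings   = @()
    $fromSecure = @($Rules | Where-Object { $_.Src -eq $SecureVlan })
    foreach ($r in ($fromSecure | Where-Object { $_.Action -eq 'allow' })) {
        $id = '{0} -> {1} port {2}' -f $r.Src, $r.Dst, $r.Port
        if ($r.Dst -notin $DcHosts) {
            # a /24 or 'any' destination lets users reach every host in the DMZ
            $findings += "${id}: destination is not a DC host address"
        }
        if ($r.Port -eq 'any' -or ([int]$r.Port -notin $AllowedPorts)) {
            $findings += "${id}: port is outside the AD client set"
        }
    }
    # The last rule sourced from the secure VLAN must be a deny to any.
    $last = $fromSecure | Select-Object -Last 1
    if (-not ($last -and $last.Action -eq 'deny' -and $last.Dst -eq 'any')) {
        $findings += "${SecureVlan}: no final deny-to-any rule"
    }
    return $findings
}

# Constructed rule set: a host-scoped Kerberos rule, a subnet-wide SMB rule
# (the mistake the thread warns about), and the closing deny.
$Rules = @(
    [pscustomobject]@{ Src = '10.0.4.0/24'; Dst = '10.0.1.10';   Port = 88;    Action = 'allow' }
    [pscustomobject]@{ Src = '10.0.4.0/24'; Dst = '10.0.1.0/24'; Port = 445;   Action = 'allow' }
    [pscustomobject]@{ Src = '10.0.4.0/24'; Dst = 'any';         Port = 'any'; Action = 'deny'  }
)
Test-SecureVlanRules -Rules $Rules -DcHosts $DcHosts -SecureVlan $SecureVlan -AllowedPorts $AdClientPorts
```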


RE: [ActiveDir] AD Lag Site

2005-10-26 Thread Etts, Russell



I'm sorry if I sound ignorant, but what is the purpose of a 
"lag site"?  Is it a site that you don't replicate to for a specific period of 
time, so that if there is a disaster you can get the data from the lag 
site??  
 
Thanks
Russ


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, October 25, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site


I did those too, and some other things to consider were:
* Putting them inside a virtual machine with faked subnetting in AD: take 
a class C network and split it in AD Sites and Services, not in TCP/IP, then you 
can spare the router
* Assign the site membership for the host via GPO if it is in one of the 
virtual subnets of the virtual lag DCs (depending on the subnetting 
possibilities you have)
* Configure a firewall between the sites to make sure the machines only 
talk to the ones they are supposed to (if available)
* Use scripting to shut down virtual networks, if available, in the times 
they are not supposed to replicate
* Make sure that you configure replication so that it runs a couple of times 
during the allowed timeframe
* Configure terminal services access on the lag DCs
* Configure boot.ini to be able to boot into DSRM by changing the default, 
without querying for the boot.ini parameter, when necessary.
 
For the replication I usually configured replication every 15 minutes 
(the lag sites were on the same LAN): Site 1 replicates Tuesday 10pm to 
Wednesday 2am, Site 2 replicates Saturday 10am to 2pm (each 4 hrs, exactly 1/2 
week apart).
 
Ulf

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Tuesday, October 25, 2005 3:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Lag Site
  
  
  Hi,
  Guido and Gil wrote a great ebook about recovery in which information 
  about lag sites is included.
  Take a look at: http://www.netpro.com/events/adrecovery/index.cfm (registration 
  needed)
   
  For starters, some tips:
  * Place at least one DC for each domain in the lag site
  * Allow the DCs in the lag site to register only the replication record 
  (CNAME) in the DNS zone _MSDCS.FORESTROOT
  * Don't assign WINS server IP addresses for the DCs in the lag sites
  * Make sure the site link between the lag site and the hub site has a higher 
  cost than all other site links that connect the hub site and other sites 
  (reason: Exchange AD topology discovery for the out-of-site list of DCs/GCs)
  * You might want to use lag sites (e.g. 2) that replicate in steps (the 1st 
  site replicates e.g. every 3 days and the other every week), where the second 
  lag site is connected to the first and the first is connected to the second 
  and the hub site
   
  This might be expensive though, and you also might have a look at object 
  recovery tools available from third-party vendors
   
  Cheers,
  Jorge
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
  Sent: Tuesday, October 25, 2005 15:31
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] AD Lag Site
  
  
  Anyone have any 
  pointers (documentation or real life experience) on setting up an AD Lag 
  Site?
   
  Thanks in 
  advance,
   
  Shawn
   
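Ulf's replication windows (Site 1 Tuesday 10pm to Wednesday 2am, Site 2 Saturday 10am to 2pm, replicating every 15 minutes inside the window) expressed as the siteLink schedule AD actually stores, as an added example that is not code from the thread. The site link names are placeholders; the script assumes it runs as an account allowed to edit the configuration partition.

```powershell
# Added example, not code from the thread. Builds the 188-byte SCHEDULE blob
# that AD stores in the "schedule" attribute of a siteLink, one per lag-site
# link, from Ulf's windows (Tue 22:00-Wed 02:00, Sat 10:00-14:00, 15-minute
# interval), and decodes a blob for auditing. AD keeps the schedule in UTC;
# the Sites and Services snap-in converts it to local time for display.

function New-ReplicationScheduleBlob {
    param(
        # Windows as @{ Day = 'Tuesday'; StartHour = 22; Hours = 4 } (UTC).
        # A window may run past midnight; the hour index simply carries over.
        [Parameter(Mandatory)] [hashtable[]] $Windows
    )
    $blob = New-Object byte[] 188
    # SCHEDULE header: Size, Bandwidth (unused), NumberOfSchedules, then one
    # SCHEDULE_HEADER { Type = 0 (SCHEDULE_INTERVAL), Offset = 20 }.
    $pos = 0
    foreach ($field in 188, 0, 1, 0, 20) {
        [BitConverter]::GetBytes([uint32]$field).CopyTo($blob, $pos)
        $pos += 4
    }
    # 168 data bytes follow, one per hour starting Sunday 00:00 UTC. The low
    # four bits enable that hour's 15-minute slots (bit 0 = :00-:15); 0x0F = all.
    foreach ($w in $Windows) {
        $first = ([int][DayOfWeek]$w.Day) * 24 + [int]$w.StartHour
        for ($h = 0; $h -lt [int]$w.Hours; $h++) {
            $blob[20 + (($first + $h) % 168)] = 0x0F
        }
    }
    return ,$blob
}

function Get-ReplicationWindows {
    # Decode a blob (e.g. one read back from AD) into "Day HH:00 UTC for N h"
    # strings, to verify a lag-site link still replicates only in its window.
    param([Parameter(Mandatory)] [byte[]] $Blob)
    $offset  = [int][BitConverter]::ToUInt32($Blob, 16)
    $windows = @(); $start = -1
    for ($i = 0; $i -le 168; $i++) {
        $on = ($i -lt 168) -and (($Blob[$offset + $i] -band 0x0F) -ne 0)
        if ($on -and $start -lt 0) { $start = $i }
        if (-not $on -and $start -ge 0) {
            $day = [DayOfWeek][int][math]::Floor($start / 24)
            $windows += '{0} {1:d2}:00 UTC for {2} h' -f $day, ($start % 24), ($i - $start)
            $start = -1
        }
    }
    return $windows
}

# Apply to the two lag-site links (link names are placeholders). Ulf's two
# windows are 84 hours apart, i.e. exactly half a week; 15 minutes is the
# smallest replInterval AD accepts.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$links = [ordered]@{
    'LagSite1-Link' = @{ Day = 'Tuesday';  StartHour = 22; Hours = 4 }   # Tue 22:00 - Wed 02:00
    'LagSite2-Link' = @{ Day = 'Saturday'; StartHour = 10; Hours = 4 }   # Sat 10:00 - 14:00
}
foreach ($name in $links.Keys) {
    $blob = New-ReplicationScheduleBlob -Windows @($links[$name])
    $path = "LDAP://CN=$name,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
    $link = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path
    $link.psbase.Properties['schedule'].Value    = $blob
    $link.psbase.Properties['replInterval'].Value = 15
    $link.psbase.CommitChanges()
    $summary = (Get-ReplicationWindows -Blob $blob) -join ', '
    Write-Output "${name}: $summary"
}
```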


RE: [ActiveDir] script to check the "inheritance" from the security Tab...

2005-10-26 Thread Bruyere, Michel
Thanks for the input, Problem solved. 

Thanks to Yann too! 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
> Sent: Wednesday, October 26, 2005 2:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] script to check the "inheritance" from the
> security Tab...
> 
> Hallo Michel,
> 
> Look at the VBScript in KB 817433 (
> http://support.microsoft.com/?id=817433
> ), especially the SetInheritanceFlag function.
> 
> Ulf
> 
> |-Original Message-
> |From: [EMAIL PROTECTED]
> |[mailto:[EMAIL PROTECTED] On Behalf Of
> |Bruyere, Michel
> |Sent: Wednesday, October 26, 2005 12:48 AM
> |To: ActiveDir@mail.activedir.org
> |Subject: [ActiveDir] script to check the "inheritance" from
> |the security Tab...
> |
> |Hi,
> | I would like to make sure that the following check box is
> |checked:
> |Inherit from parent the permission entries that apply to child
> |objects.
> |
> |I would like to do this as a batch job, without having to go
> |manually to each user object.
> |
> |
> |Does anyone have an idea on scripts or tools (freeware) that can
> |allow me to reset these?
> |
> |
> |Thanks!
> |
> |
> |
> |
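The batch check Michel asked for, as an added example that is neither the KB 817433 script nor code from the thread: it finds user objects whose "inherit from parent" setting is cleared and, only with -Fix, turns inheritance back on while keeping the explicit entries. It assumes the .NET System.DirectoryServices classes and a search base defaulting to the current domain.

```powershell
# Added example, not the KB 817433 script. Lists user objects whose ACL has
# inheritance blocked (AreAccessRulesProtected) and, with -Fix, re-enables
# inheritance while keeping the explicit ACEs, which is what ticking the
# check box on the Security tab does. Search base defaults to this domain.
param(
    [string] $SearchBase = 'LDAP://' + ([ADSI]'LDAP://RootDSE').defaultNamingContext,
    [switch] $Fix
)

function Get-InheritanceBlockedUsers {
    param([string] $SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $SearchBase
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000          # paged search, so more than 1000 users come back
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # ObjectSecurity is the ntSecurityDescriptor as an ActiveDirectorySecurity
        if ($entry.psbase.ObjectSecurity.AreAccessRulesProtected) {
            $entry                     # emit the DirectoryEntry for reporting or fixing
        }
    }
}

$blocked = @(Get-InheritanceBlockedUsers -SearchBase $SearchBase)
foreach ($entry in $blocked) {
    $dn = $entry.psbase.Properties['distinguishedName'][0]
    if ($Fix) {
        # SetAccessRuleProtection($false, $true): inherit again, keep explicit ACEs
        $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.psbase.CommitChanges()
        Write-Output "re-enabled inheritance: $dn"
    } else {
        Write-Output "inheritance blocked: $dn"
    }
}
Write-Output ('{0} user object(s) with inheritance blocked' -f $blocked.Count)
```

Run it without -Fix first: accounts in protected groups (adminCount=1) are re-protected by SDProp from AdminSDHolder within the hour, so they will show up again and are meant to stay that way.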