RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Brian Puhl
At Microsoft we do not use 802.1x, so if you were to walk up to a port on
our corporate network and plug in, you would get an IP and have access to
"some" things.

What we do instead is "domain isolation" via IPSec, which means that
machines which are not joined to an MSIT managed domain (basically, our
production forests) cannot establish connections with machines that are in
our domains.

Rather than deploying 802.1x, we are in the process of implementing Network
Access Protection, which is a Longhorn/Vista feature.  Basically when a
machine connects to the network it is quarantined and must pass a "health
check" (think patches, AV, and any other config we want to mandate) before
they are released from quarantine.  We haven't deployed this widely; it's
still in an engineering phase. However, this is the direction we're taking
our network controls.

The "connect to the network using plastic thingy with chip" would be our VPN
solution, which we implemented.  Effectively it's NAP as described above,
but requires smartcards (plastic thingys) for authentication and the VPN
client performs the health check.

Brian Puhl
Microsoft IT
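
Brian's domain isolation, in configuration form. This is an added example, not MSIT's actual policy and not code from anyone in the thread: it assumes the NetSecurity connection security rule cmdlets of Windows 8 / Server 2012 and later (the 2006 deployment pushed IPsec policy through Group Policy; the cmdlets stand in as a modern equivalent) and an elevated session on a domain-joined host. It shows the weak "request both ways" setting beside the isolation setting that actually refuses non-domain machines inbound.

```powershell
# Added example, not MSIT's policy: domain isolation as a Windows Firewall with
# Advanced Security connection security rule (NetSecurity module, Win8/2012+).
# Run elevated on a domain-joined machine; add -PolicyStore <GPO> to the
# New-NetIPsecRule call to deploy it domain-wide instead.

# Peers must prove they are domain computers: Kerberos with machine credentials.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName "Domain Machine Kerberos" `
                                      -Proposal $proposal

# WEAK SETTING (shown for contrast; do not create alongside the rule below).
# Request/Request means a peer that cannot authenticate simply falls back to
# cleartext, so a non-domain laptop on the port can still open connections in.
# New-NetIPsecRule -DisplayName "Isolation (request only)" `
#     -InboundSecurity Request -OutboundSecurity Request `
#     -Phase1AuthSet $phase1.Name

# DOMAIN ISOLATION. Inbound connections must authenticate, so a machine that is
# not joined to the domain gets no connection to this host at all, whether or
# not it obtained an IP from DHCP. Outbound stays "Request" so domain members
# can still reach printers and other hosts that do not speak IPsec. Boundary
# hosts that must accept unauthenticated inbound traffic need their own
# exemption rule, which this example does not include.
New-NetIPsecRule -DisplayName "Domain Isolation" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# Read the rule back and confirm the effective security settings.
Get-NetIPsecRule -DisplayName "Domain Isolation" |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
```

The check at the end is the one worth repeating after any policy change: a rule that reads `Request`/`Request` is the "plug in and get some things" state Brian describes, not isolation.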


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 7:19 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP

 
Microsoft uses 802.1x auth. I believe ... as do many.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ...what is MS using? Is it IPsec and smartcard
authentication?

You go to Redmond, stick in an RJ45 and unless you have a lovely plastic
thingy with a chip you don't get access on corpnet.



joe wrote:

> There is nothing you can do around a DHCP server that will really help 
> you as you point out. You simply need to plug into a port, enter any 
> IP address or let one of the 169 addresses kick in and turn on a 
> sniffer and you start seeing enough traffic to figure out where to 
> come up with a random IP address at. All the DHCP server is is a 
> helper, it doesn't give you network access, it helps you find it. This 
> type of thing needs to be controlled either at the network level where 
> the switches say, sorry you can't route packets anywhere but this 
> private secured network or you need to make all proper network traffic 
> secure with some kind of tunneling/vpn type tech. The latter is quite 
> popular for companies with wireless, you get on the wireless network 
> and then have to VPN into the corporate network. That way anyone who 
> compromises the WAPs still doesn't get anything but a network and all 
> traffic from everyone properly on the network is encrypted. At best 
> the company may allow you to surf out to the internet, this is 
> especially good for companies who have visitors from other companies 
> dropping by their facilities or are in close vicinity to other 
> companies who may pick up their WAPs.
> You really want to start looking into Network Quarantine//Network 
> Access Protection/etc. It is not a simple whip out in an hour 
> solution, it will take forethought and possibly upgrades of network 
> infrastructure and your machines to do it correctly. But with it you 
> can set specific policy on who gets to get on the real network and who 
> doesn't, this includes things like domain membership as well as what 
> software is installed on machines and virus definition levels or OS 
> fix levels, etc. You write the policy that the clients have to meet or 
> else they don't get anything but a dead network.
> I would recommend going to google, typing in network quarantine and 
> hit enter. You will almost certainly see several hits on MS because 
> they have been spending a lot of time and energy the last 4 or so 
> years working on this stuff and getting all of the right hardware 
> people together to make a good solution. They had some preliminary 
> stuff done a couple of years ago that people were really interested in 
> but started redesigning some of it to make it more flexible/capable. I 
> expect most of what happens in this space will most likely fall out of 
> Cisco and Microsoft.
> joe
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
> 
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
> *Sent:* Friday, February 03, 2006 7:55 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Getting better control over DHCP
>
> Assigning IPs based off of MAC addresses would be a huge headache! 
> Besides, just as you said the "network savvy" person can easil

Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

IT's Showtime:
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=9

If I remember right in this webcast Steve Riley discusses the issues 
with a wired 802.1x implementation.


Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Not that I was told... not on a wired connection, as there is a security 
issue (see the other post). It's IPsec that I'm aware of.


If the blue badges want to confirm or deny those links/info I'm sure 
one will chime in.


I've also seen that when a blue badge goes to a different LAN 
(whatever they call the difference between the Mothership Redmond 
(main ship) and Mothership Charlotte (CSS support)) they first have to 
log in to that network with a wired connection, gain creds, then they 
can use the wireless for access.


Not exactly sure the process behind that one...just know that's the 
process they do before wireless access is handed out.



Ken Schaefer wrote:

I was under the impression it was 802.1x. Your certificate is stored 
on the smartcard.
 
Cheers

Ken


*From:* [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
*Sent:* Sat 2/4/2006 2:25 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Getting better control over DHCP

Actually I don't think it was, as there's a security issue with 802.1x
wired connections (wireless no, but wired there's an issue that Slav and
Steve Riley have discussed).

Let me get a post

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Not that I was told... not on a wired connection, as there is a security 
issue (see the other post). It's IPsec that I'm aware of.


If the blue badges want to confirm or deny those links/info I'm sure one 
will chime in.


I've also seen that when a blue badge goes to a different LAN (whatever 
they call the difference between the Mothership Redmond (main ship) and 
Mothership Charlotte (CSS support)) they first have to log in to that 
network with a wired connection, gain creds, then they can use the 
wireless for access.


Not exactly sure the process behind that one...just know that's the 
process they do before wireless access is handed out.



RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Ken Schaefer
I was under the impression it was 802.1x. Your certificate is stored on the smartcard.

Cheers
Ken



Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Yup, not 802.1x for wired connections... wireless yes, but wired there's an issue.

Mitigating the Threats of Rogue Machines—802.1X or IPsec? -- TechNet Column - Security Management - August 2005: 
http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx


Article by the Blonde guy of the Northwest Riley clan

---

http://www.microsoft.com/technet/itsolutions/msit/default.mspx

This article talks about our IPsec implementation and has a short section on 
why we chose it over 802.1x:
http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx  


This article shows how we implemented wireless security using 802.1x EAP/TLS:
http://www.microsoft.com/technet/itsolutions/msit/security/secwlan.mspx  




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin

*Sent:* Friday, February 03, 2006 7:55 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Getting better control over DHCP

Assigning IPs based off of MAC addresses would be a huge headache! 
Besides, just as you said, the "network savvy" person can easily find 
out the IP range if needed and assign themselves an IP and spoof the 
MAC if needed.


If something like this is possible, I would like to have a more 
concrete solution.


But thank you very much for your reply.

Edwi




Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Actually I don't think it was, as there's a security issue with 802.1x 
wired connections (wireless no, but wired there's an issue that Slav and 
Steve Riley have discussed).


Let me get a post

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Marc A. 
Mapplebeck

*Sent:* Friday, February 03, 2006 7:38 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Getting better control over DHCP

I'm not sure if it's the best way to do it, but you could set your 
entire scope to be in one exclusion range, then assign static DHCP to 
authorised MACs. After that, for added security, you could set a 
second scope to give out leases outside your network range so that 
unauth ppl will get a lease, but not be able to see anybody. The only 
downside to that would be that the network savvy user could look under 
network settings, see what the IP of the DHCP server is, and then 
assign a static IP within that range. HTH - Marc





RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Dean Wells
 
Microsoft uses 802.1x auth. I believe ... as do many.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


> 
>
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
> *Sent:* February 3, 2006 20:13
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Getting better cont

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Lucas, Bryan

Joe,

From what I understand of MS NAP, it only helps if the machines belong to
the domain, is that correct? It doesn’t stop someone from plugging in and
hard coding an IP. I get the impression it is designed to be used in
conjunction with Cisco’s CleanAccess product.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971


RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread joe
Yeah that is the tunneling/vpn stuff I mentioned and pointed out wireless as
an example. You can do that with your regular network stuff too. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 


Re: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Can't this be done with ...what is MS using? Is it Ipsec and smartcard 
authentication?


You go to Redmond, stick in a rj45 and unless you have a lovely plastic 
thingy with a chip you don't get access on corpnet.




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: htt

RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread joe

There is nothing you can do around a DHCP server that will really help you
as you point out. You simply need to plug into a port, enter any IP address
or let one of the 169 addresses kick in and turn on a sniffer and you start
seeing enough traffic to figure out where to come up with a random IP
address at. All the DHCP server is, is a helper, it doesn't give you network
access, it helps you find it. This type of thing needs to be controlled
either at the network level where the switches say, sorry you can't route
packets anywhere but this private secured network or you need to make all
proper network traffic secure with some kind of tunneling/vpn type tech. The
latter is quite popular for companies with wireless, you get on the wireless
network and then have to VPN into the corporate network. That way anyone who
compromises the WAPs still doesn't get anything but a network and all
traffic from everyone properly on the network is encrypted. At best the
company may allow you to surf out to the internet, this is especially good
for companies who have visitors from other companies dropping by their
facilities or are in close vicinity to other companies who may pick up their
WAPs.

You really want to start looking into Network Quarantine/Network Access
Protection/etc. It is not a simple whip out in an hour solution, it will
take forethought and possibly upgrades of network infrastructure and your
machines to do it correctly. But with it you can set specific policy on who
gets to get on the real network and who doesn't, this includes things like
domain membership as well as what software is installed on machines and
virus definition levels or OS fix levels, etc. You write the policy that the
clients have to meet or else they don't get anything but a dead network.

I would recommend going to google, typing in network quarantine and hit
enter. You will almost certainly see several hits on MS because they have
been spending a lot of time and energy the last 4 or so years working on
this stuff and getting all of the right hardware people together to make a
good solution. They had some preliminary stuff done a couple of years ago
that people were really interested in but started redesigning some of it to
make it more flexible/capable. I expect most of what happens in this space
will most likely fall out of Cisco and Microsoft.

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm





RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Brian Desmond

You’d have to go with DHCP reservations for each MAC you want to
authorize. Some of the NAC and NAP stuff that’s starting to come out from
MS and Cisco is also an option to consider.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Marc A. Mapplebeck

Only other option would be to use managed switches and again, you would
need MACs of all auth. machines as you would need to register each MAC for
them to filter traffic. Unfortunately, other than that, not that easy. -
Marc



RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Edwin

Assigning IPs based off of MAC addresses would be a huge headache! Besides,
just as you said the “network savvy” person can easily find out the IP
range if needed and assign themselves an IP and spoof the MAC if needed.

If something like this is possible, I would like to have a more concrete
solution.

But thank you very much for your reply.

Edwi


RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Marc A. Mapplebeck

I'm not sure if it's the best way to do it, but you could set your entire
scope to be in one exclusion range, then assign static DHCP to authorised
MACs. After that, for added security, you could set a second scope to give
out leases outside your network range so that unauth ppl will get a lease,
but not be able to see anybody, only downside to that would be that the
network savvy user could look under network settings and see what the IP of
the DHCP server is and then assign a static IP within that range. HTH -
Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: February 3, 2006 20:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting better control over DHCP

Is it possible within a domain on an authorized DHCP server to restrict
what machines get a DHCP IP Address? For example, I want to prevent someone
from bringing in an unauthorized laptop and getting an IP Address on the
network. I want it to be so that if the machine is not a part of the
domain, it does not get any network connectivity from the DHCP server.

Thanks,
Edwin



RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe
Yeah I have been looking at the parameters nltest has, I would expect it
would be able to do this too but I am not seeing something to do it
directly.

As I sat here thinking of ways to do this in an unauth'ed manner I realized
that a CLDAP ping will do it. The client site info is some of the info that
is returned ASSUMING that the subnet the client is in is defined. There is
a command that will do that ping for you... DsGetDCName which *is* wrapped
by nltest... So a simple nltest /dsgetdc:domain will return the info. Just
be prepared to catch the event that the client subnet isn't defined.

   joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 6:17 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Nod, have since learned that ... my apologies.

I'm guessing there's a means of achieving that with nltest (or perhaps a
few iterations and some output parsing).

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 03, 2006 5:47 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Script to determine a machine's site

Yeah you could definitely get it to run but the /server switch is telling
nltest to get the site for that machine specified, not for the machine
running the command. So for instance, say I run that command against a
couple of DCs in different sites

[Fri 02/03/2006 17:25:57.72]
F:\DEV\cpp\ATSN>nltest /dsgetsite /server:fastmofo
MyMainSite
The command completed successfully

[Fri 02/03/2006 17:33:26.50]
F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc01
MyMainSite
The command completed successfully

[Fri 02/03/2006 17:33:30.13]
F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc02
VSite
The command completed successfully

[Fri 02/03/2006 17:33:31.43]
F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc10
VSite
The command completed successfully

Notice the different sites, those are the sites of the servers specified in
/server switch. Running the nltest command without that switch on a machine
that wasn't in a domain wouldn't be able to resolve to a site because it
doesn't have a default DC to go to. You would get something like
ERR_NO_SITE or something like that.

Now the atsn command has a -h host option that lets you specify what host
to run the command against (versus what machine to get site info for like
nltest) and you explicitly send the IP addresses you want resolved to a
site/subnet. Whether the client is in that forest or not doesn't matter as
long as it can auth (synced IDs or runas or net use) the rpc call. The
remote server will then take the IP addresses specified and resolve to the
sites/subnets that that AD has for the ipaddress. Note that if you have
multiple forests with different subnet/site definitions you would obviously
get different results asking DCs in the different forests. Most everyone
here should understand that but I have been asked about it before so
thought I would state it. Someone had used the command and accidentally
specified a DC in a different forest and felt that the program should know
that he really meant his current forest since his machine was in that
forest.

As for running on WinPE, I don't know, never tried.

   joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 5:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Per my previous post, I'd forced some creds. down the target DCs throat
prior to executing NLTEST ... and, no, my local creds. do not match those
of the virtual domain in question ... 'cause that would be all kinds of
just plain wrong :o)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Dean, let me guess: the name + pw of the local administrator of your
unjoined workstation and the target domain's local admin account + pw are
the same, and you're logged on to the client as local admin...

I get "DsGetSiteName failed: Status = 5 0x5 ERROR_ACCESS_DENIED" without
sufficient permissions... - or maybe I've just locked down my policies
different from yours

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 3 February 2006 22:44
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Indeed it does, tha

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe
The difficulty with that is it only handles simple subnetting. If someone
did something more complicated such as multi-sized subnet masks or
supernetting, the logic would be very difficult to manage. Also obviously
you would need to keep the script up to date with new subnet/site mods
since it isn't actively getting the info from the directory. However, it is
basic and easy to troubleshoot and will work whether or not you can reach
the DCs.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

I don't have the script I wrote for this handy, but the logic I used is
this:
 
Get host's IP Address
Split it into whatever subnet mask use in your subnet/site configurations.
Do a Case ... Case Else looking for a match.
If you get a match, that computer is in that site.
 
e.g. 
IP is 192.168.100.201
Subnet Mask is /16
192.168.100 = SiteA
192.168.101 = SiteB
192.168.102 = SiteC
192.168.103 = SiteC
 
So, you go
Select Case IPAddy
 Case "192.168.100" : strSiteName = "SiteA"
 Case "192.168.101" : strSiteName = "SiteB"
 Case "192.168.102", "192.168.103" : strSiteName = "SiteC"
.
 
Works in PE
 
HTH
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 2/3/2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site


Actually DsAddressToSiteNames will only take socket addresses
(PSOCKET_ADDRESS, type AF_INET) to translate, the parameter that takes the
dnshostname is the one to specify what DC you want to resolve the addresses
to subnet/sites on. 
 
Actually the previously mentioned ATSN[1] utility is a light wrapper over
this call.
 
  joe
 
 
 
 
[1]  Note the initials - I am not great with tool names. The best tool name
I have isn't even a name I thought up and I haven't made the tool yet. I
just know what I want it to do and what its name will be.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greene, Adam S
Sent: Friday, February 03, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site


The function call DsAddressToSiteNames will take a dnsHostName and give you
the site it belongs to. If you cannot implement that call, there are scripts
out there that do a brute force query of AD for sites and subnets to get you
the site name. Search for the function call and "DsAddressToSiteNames
vbscript" to find them on google. With a lot of sites and subnets, that
approach could get unwieldy though. If you can call a remote web service
from your vbscript or write a win32 implementation of the call, that would
be a better way to go. There is code out there on doing a C# version.
 
-Adam
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site



Does anyone have a script which can: 

 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet 

And all this must be possible on a machine which is not joined to a domain. 
Ideally, the script should work when WinPE is running, too, as the machine
is being built. 


Any ideas? 

neil 

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sel

[ActiveDir] Getting better control over DHCP

2006-02-03 Thread Edwin
Is it possible within a domain on an authorized DHCP server
to restrict what machines get a DHCP IP Address?  For example, I want to
prevent someone from bringing in an unauthorized laptop and getting an IP
Address on the network.  I want it to be so that if the machine is not a part
of the domain, it does not get any network connectivity from the DHCP server.

 

Thanks,

Edwin 


RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread deji
I don't have the script I wrote for this handy, but the logic I used is this:
 
Get host's IP Address
Split it into whatever subnet mask use in your subnet/site configurations.
Do a Case ... Case Else looking for a match.
If you get a match, that computer is in that site.
 
e.g. 
IP is 192.168.100.201
Subnet Mask is /16
192.168.100 = SiteA
192.168.101 = SiteB
192.168.102 = SiteC
192.168.103 = SiteC
 
So, you go
Select Case IPAddy
 Case "192.168.100" : strSiteName = "SiteA"
 Case "192.168.101" : strSiteName = "SiteB"
 Case "192.168.102", "192.168.103" : strSiteName = "SiteC"
.
 
Works in PE
 
HTH
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 2/3/2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site


Actually DsAddressToSiteNames will only take socket addresses
(PSOCKET_ADDRESS, type AF_INET) to translate, the parameter that takes the
dnshostname is the one to specify what DC you want to resolve the addresses
to subnet/sites on. 
 
Actually the previously mentioned ATSN[1] utility is a light wrapper over
this call.
 
  joe
 
 
 
 
[1]  Note the initials - I am not great with tool names. The best tool name I
have isn't even a name I thought up and I haven't made the tool yet. I just
know what I want it to do and what its name will be.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greene, Adam S
Sent: Friday, February 03, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site


The function call DsAddressToSiteNames will take a dnsHostName and give you
the site it belongs to. If you cannot implement that call, there are scripts
out there that do a brute force query of AD for sites and subnets to get you
the site name. Search for the function call and "DsAddressToSiteNames
vbscript" to find them on google. With a lot of sites and subnets, that
approach could get unwieldy though. If you can call a remote web service from
your vbscript or write a win32 implementation of the call, that would be a
better way to go. There is code out there on doing a C# version.
 
-Adam
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site



Does anyone have a script which can: 

 - Interrogate the local machine for its IP address and mask 
 - Determine the subnet which the machine resides in 
 - Determine the site that corresponds to that subnet 

And all this must be possible on a machine which is not joined to a domain. 
Ideally, the script should work when WinPE is running, too, as the machine is
being built. 


Any ideas? 

neil 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
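As an added example that is not part of any post above: the static-table approach deji describes, rewritten to do the longest-prefix match that joe points out a Select Case on the first three octets cannot do (variable-length masks and supernets). It is PowerShell rather than the VBScript in the thread (PowerShell is available in WinPE as an optional component and needs no domain join), the subnet table, site names and test addresses are constructed sample data, and the function names are my own.

```powershell
# Added example, not code from the thread. Resolves an IPv4 address to a site
# from a static subnet table with longest-prefix match, which is the rule AD
# itself applies to the subnet objects under CN=Subnets,CN=Sites. Unlike a
# Select Case on the first three octets it copes with variable-length masks
# and supernets. Site names and subnets below are constructed sample data.

function ConvertTo-Int64Address {
    # Pack dotted-quad IPv4 into a big-endian integer so masking is plain arithmetic.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "IPv4 only: $Address"
    }
    $b = $ip.GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-PrefixMask {
    # /n -> 32-bit mask as int64 (sidesteps PowerShell's signed-int handling of 0xFFFFFFFF).
    param([Parameter(Mandatory)][int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "Bad prefix length: $PrefixLength" }
    return [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
}

function Resolve-SiteFromTable {
    # Returns the site of the most specific (longest-prefix) subnet covering the address,
    # or $null when no configured subnet covers it.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][hashtable]$SubnetTable   # 'network/prefix' -> site name
    )
    $addr = ConvertTo-Int64Address $IPAddress
    $bestSite = $null
    $bestLen  = -1
    foreach ($cidr in $SubnetTable.Keys) {
        $network, $len = $cidr -split '/'
        $len  = [int]$len
        $mask = Get-PrefixMask $len
        # The address is in the subnet when both agree on every bit the mask keeps.
        $inSubnet = (($addr -band $mask) -eq ((ConvertTo-Int64Address $network) -band $mask))
        if ($inSubnet -and $len -gt $bestLen) {
            $bestSite = $SubnetTable[$cidr]
            $bestLen  = $len
        }
    }
    return $bestSite
}

function Get-LocalIPv4Address {
    # Interrogate the local machine (unjoined box or WinPE) through .NET rather than the
    # NetTCPIP cmdlets: first up, non-loopback interface that carries an IPv4 address.
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        if ($nic.OperationalStatus -ne 'Up' -or $nic.NetworkInterfaceType -eq 'Loopback') { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            if ($ua.Address.AddressFamily -eq 'InterNetwork') {
                return [pscustomobject]@{ Address = $ua.Address.ToString(); Mask = $ua.IPv4Mask.ToString() }
            }
        }
    }
}

# Constructed sample table: two /24s, one /23 supernet covering 192.168.102.0-192.168.103.255,
# and a /8 catch-all with a more specific /22 and an even more specific /24 carved out of it.
$SiteSubnets = @{
    '192.168.100.0/24' = 'SiteA'
    '192.168.101.0/24' = 'SiteB'
    '192.168.102.0/23' = 'SiteC'
    '10.0.0.0/8'       = 'HubSite'
    '10.20.0.0/22'     = 'BranchD'
    '10.20.3.0/24'     = 'BranchE'
}

foreach ($ip in '192.168.100.201', '192.168.103.7', '10.20.3.9', '10.99.1.1', '172.16.0.1') {
    $site  = Resolve-SiteFromTable -IPAddress $ip -SubnetTable $SiteSubnets
    $label = if ($site) { $site } else { '<no matching subnet>' }
    '{0,-16} -> {1}' -f $ip, $label
}

$local = Get-LocalIPv4Address
if ($local) {
    "Local $($local.Address)/$($local.Mask) -> $(Resolve-SiteFromTable -IPAddress $local.Address -SubnetTable $SiteSubnets)"
}
```

10.20.3.9 resolves to BranchE although it also sits inside 10.20.0.0/22 and 10.0.0.0/8, which is the behaviour the Select Case version gets wrong. The table is still a copy, so joe's caveat stands: it goes stale the moment someone edits the subnet objects in the directory.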


RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells



Nod, have since learned that ... my apologies.
 
I'm guessing there's a means of achieving that with nltest (or perhaps a few 
iterations and some output parsing).
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 03, 2006 5:47 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Script to determine a machine's site

Yeah you could definitely get it to run but the /server 
switch is telling nltest to get the site for that machine specified, not for the 
machine running the command. So for instance, say I run that command against a 
couple of DCs in different sites
 
[Fri 02/03/2006 17:25:57.72]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:fastmofo
MyMainSite
The command completed successfully
 
[Fri 02/03/2006 17:33:26.50]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc01
MyMainSite
The command completed successfully
 
[Fri 02/03/2006 17:33:30.13]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc02
VSite
The command completed successfully
 
[Fri 02/03/2006 17:33:31.43]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc10
VSite
The command completed successfully
 
Notice the different sites, those are the sites of the 
servers specified in /server switch. Running the nltest command without 
that switch on a machine that wasn't in a domain wouldn't be able to 
resolve to a site because it doesn't have a default DC to go to. You would get 
something like ERR_NO_SITE or something like that.
 
Now the atsn command has a -h host option that 
lets you specify what host to run the command against (versus what machine to 
get site info for like nltest) and you explicitly send the IP 
addresses you want resolved to a site/subnet. Whether the client is in that 
forest or not doesn't matter as long as it can auth (synced IDs or runas or net 
use) the rpc call. The remote server will then take the IP addresses specified 
and resolve to the sites/subnets that that AD has for the ipaddress. Note that 
if you have multiple forests with different subnet/site definitions you would 
obviously get different results asking DCs in the different forests. Most 
everyone here should understand that but I have been asked about it before so 
thought I would state it. Someone had used the command and accidentally specified 
a DC in a different forest and felt that the program should know that he really 
meant his current forest since his machine was in that forest. 

 
As for running on WinPE, I don't know, never 
tried.
 
   joe
 
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 5:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Per my 
previous post, I'd forced some creds. down the target DCs throat prior to 
executing NLTEST  ... and, no, my local creds. do not match those of the 
virtual domain in question ... 'cause that would be all kinds of just plain 
wrong :o)
 

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Dean, let me guess: the name + pw 
of the local administrator of your unjoined workstation and the target domain's 
local admin account + pw are the same, and you're logged on to the client as 
local admin...
 
I get "DsGetSiteName failed: Status = 5 0x5 
ERROR_ACCESS_DENIED" without sufficient permissions... - or maybe I've just 
locked down my policies different from yours
 
/Guido



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 22:44
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Indeed it does, that's what I ran it on ...
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

hmm - this won't work with non-domain joined clients 
though...


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 21:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Does this suffice -
 
nltest /dsgetsite /server:
 
Haven't tried anything of this kind myself under Wimpy so I'm uncertain of its suitability.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Beh
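An added example, not code from the thread and not joe's ATSN tool: calling DsAddressToSiteNames directly from PowerShell via P/Invoke, which is what joe describes ATSN doing. You name the DC, you send the addresses explicitly, and that DC's forest decides the answer. The DC name and addresses are placeholders. As Guido's ERROR_ACCESS_DENIED and Dean's pre-established credentials show, an unjoined client needs an authenticated session to the DC before the RPC call will succeed.

```powershell
# Added example, not code from the thread. Asks a DC you name to resolve explicit
# IPv4 addresses to site names with DsAddressToSiteNames (netapi32), the call the
# ATSN tool wraps. The client needs no domain membership, only an authenticated RPC
# path to the DC (for instance 'net use \\dc01\ipc$ /user:CORP\someone' beforehand).
# Server name and addresses below are placeholders.

Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;

public static class SiteResolver
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SOCKET_ADDRESS { public IntPtr lpSockaddr; public int iSockaddrLength; }

    // DWORD DsAddressToSiteNamesW(LPCWSTR ComputerName, DWORD EntryCount,
    //                              PSOCKET_ADDRESS SocketAddresses, LPWSTR **SiteNames)
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int DsAddressToSiteNames(string computerName, uint entryCount,
                                           SOCKET_ADDRESS[] socketAddresses, out IntPtr siteNames);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    public static string[] Resolve(string dc, string[] ipv4)
    {
        var addrs  = new SOCKET_ADDRESS[ipv4.Length];
        var blocks = new IntPtr[ipv4.Length];
        try
        {
            for (int i = 0; i < ipv4.Length; i++)
            {
                byte[] a = IPAddress.Parse(ipv4[i]).GetAddressBytes();
                if (a.Length != 4) throw new ArgumentException("IPv4 only: " + ipv4[i]);
                // sockaddr_in: sin_family (AF_INET = 2, little-endian), sin_port, sin_addr, 8 zero bytes
                byte[] sa = new byte[16];
                sa[0] = 2;
                Array.Copy(a, 0, sa, 4, 4);
                blocks[i] = Marshal.AllocHGlobal(sa.Length);
                Marshal.Copy(sa, 0, blocks[i], sa.Length);
                addrs[i].lpSockaddr = blocks[i];
                addrs[i].iSockaddrLength = sa.Length;
            }

            IntPtr names;
            int rc = DsAddressToSiteNames(dc, (uint)ipv4.Length, addrs, out names);
            // 5 = ERROR_ACCESS_DENIED (no usable credentials), 1722 = RPC server unavailable
            if (rc != 0) throw new Win32Exception(rc);
            try
            {
                // SiteNames is an array of LPWSTR; a NULL entry means no subnet in that
                // DC's forest covers the address.
                var result = new string[ipv4.Length];
                for (int i = 0; i < ipv4.Length; i++)
                {
                    IntPtr p = Marshal.ReadIntPtr(names, i * IntPtr.Size);
                    result[i] = p == IntPtr.Zero ? null : Marshal.PtrToStringUni(p);
                }
                return result;
            }
            finally { NetApiBufferFree(names); }
        }
        finally
        {
            foreach (IntPtr b in blocks) if (b != IntPtr.Zero) Marshal.FreeHGlobal(b);
        }
    }
}
'@

# Placeholder DC and addresses. The DC's forest supplies the subnet/site table, so
# naming a DC in another forest returns that forest's answer, not yours.
$dc  = 'dc01.corp.example.com'
$ips = '192.168.100.201', '10.20.3.9'
$sites = [SiteResolver]::Resolve($dc, [string[]]$ips)
for ($i = 0; $i -lt $ips.Count; $i++) {
    $label = if ($sites[$i]) { $sites[$i] } else { '<no site>' }
    '{0,-16} -> {1}' -f $ips[$i], $label
}
```

Unlike nltest /dsgetsite /server:, which reports the site of the server you name, this asks that server about arbitrary addresses, so the machine running it (WinPE included) never has to be in any site itself.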

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Bernard, Aric
Disabling the use of roaming profiles and
instead requiring remote desktop is something I implemented at a
customer.  In their case, this satisfied the traveling user community
given the alternatives they saw: a) waiting for the profile download and logon
process to complete, b) buying notebooks for traveling users, or c) buying hardware
and setting up a replication process to ensure that all sites traveling users
visit have replicas of the users' profiles.

Another option implemented by a recent
customer (of which roaming profiles was just a part) included deploying the HP
EFS WAN Accelerator.  Once populated the appliance provided adequate logon
times for roaming users.  The problem of course was pre-populating the
roaming profile shares (a few dozen users) into the appliance's cache.  I
believe that there was a tool available to assist with the population.

Aric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

Ulf & everyone,

thanks for your responses, roaming profiles are mandatory here, if
we were to take this away, all hell would break loose.

I guess educating them to store files elsewhere would be a good start.

thanks

Frank

Ulf - you are not the first to mention Carl Hanratty, you won't be
the last!

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Hi Frank,

with those large roaming profiles you need to

1. educate your users
2. question the use of roaming profiles

In fact I've seen a lot of companies who
tend to stick to local only profiles in the recent past. Roaming profiles are
great - however I see them in infrastructures where people are moving around on
multiple computers a lot, and where they don't have that much individual
applications. I would use roaming profiles for the production workers who are
spending not a lot of time on the computer and might share a pool of computers,
however for the regular office worker and the board of directors I'd use local
profiles since they tend to work on the same computer a lot and also travel a
lot.

Educate them not to store their critical
data within the profile, and maybe a desktop backup software which is taking
care of their profile and data when connected comes in handy too.

Carl Hanratty


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 10:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all,

I have a question regarding Roaming Profiles. Our environment currently
have 3500 users which are all roaming profile enabled. Their profiles are
stored on the local site server. We have approx 56 sites which are all linked
by 256-1mb lines.

I like the concept of roaming profiles, however some of our users have
profiles ranging from 5mb - 200mb, some even with 1GB profiles. 

Because a lot of our users log on to different computers at different
sites, we are finding issues with corrupted profiles and logon speeds. On a few
occasions, where a user has been added to a group, the permissions assigned to
this group are not shown when the user is logged back on. Deleting the
profile and recreating fixes this issue but it's quite a time consuming effort.

How does everyone deal with roaming profiles if used? sometimes there
are instances where users just want to logon to the PC without their roaming
profile so they can remote desktop to their PC. In this situation they have to
take their profile across which can take forever depending on the size of
profile and link.

Any creative ideas? how about using DFS to store the profiles? 

Thanks

Frank


RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Ulf B. Simon-Weidner



Sorry - wasn't sure if it's your real name. If I'd 
choose a fake name for a community yours is in the top10 
;-)
 
Hope you don't mind.
 
Ulf


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Friday, February 03, 2006 11:28 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: Roaming Profiles
  
  Ulf & everyone,
   
  thanks for your responses, roaming profiles are mandatory here, if 
  we were to take this away, all hell would break loose.
   
  I guess educating them to store files elsewhere would be a good 
  start.
   
  thanks
   
  Frank
   
  Ulf - you are not the first to mention Carl Hanratty, you won't be 
  the last!

  "Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:
  

Hi Frank,
 
with those large roaming profiles you need 
to
1. educate your users
2. question the use of roaming 
profiles
 
In fact I've seen a lot of companies who tend to 
stick to local only profiles in the recent past. Roaming profiles are great 
- however I see them in infrastructures where people are moving around on 
multiple computers a lot, and where they don't have that much individual 
applications. I would use roaming profiles for the production workers who 
are spending not a lot of time on the computer and might share a pool of 
computers, however for the regular office worker and the board of directors 
I'd use local profiles since they tend to work on the same computer a lot 
and also travel a lot.
Educate them not to store their critical data 
within the profile, and maybe a desktop backup software which is taking care 
of their profile and data when connected comes in handy 
too.
 
Carl 
Hanratty

 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Friday, February 03, 2006 10:51 AM
  To: Active
  Subject: [ActiveDir] OT: Roaming Profiles
  
  Hi all,
  I have a question regarding Roaming Profiles. Our environment 
  currently have 3500 users which are all roaming profile enabled. Their 
  profiles are stored on the local site server. We have approx 56 sites 
  which are all linked by 256-1mb lines.
  I like the concept of roaming profiles, however some of our users 
  have profiles ranging from 5mb - 200mb, some even with 1GB profiles. 

  Because a lot of our users log on to different computers at different 
  sites, we are finding issues with corrupted profiles and logon speeds. On 
  a few occasions, where a user has been added to a group, the permissions 
  assigned to this group are not shown when the user is logged back on. 
  Deleting the profile and recreating fixes this issue but it's quite a time 
  consuming effort.
  How does everyone deal with roaming profiles if used? sometimes there 
  are instances where users just want to logon to the PC without their 
  roaming profile so they can remote desktop to their PC. In this situation 
  they have to take their profile across which can take forever depending on 
  the size of profile and link.
  Any creative ideas? how about using DFS to store the profiles? 
  Thanks
  Frank
   
  
  


RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread joe
Yeah, that is the next question I would have asked. Sounds like the issues
are bigger than that one thing.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 9:41 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain

Is replication functioning?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of V Lakshmi
Sent: Friday, February 03, 2006 12:44 AM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain

 
 No I am not able to see any users or groups from the workstation in the
child domain, when I  selected the parent domain, while assigning rights to
the shared folder in the child domain. When I selected advanced button while
assigning rights and searched for the user name existing in parent domain ,
it displayed an error message saying Server not operational.  The DNS in the
parent domain controller is up and running. 

What might be the problem?
>>> [EMAIL PROTECTED] 02/03/06 10:24 am >>>
Can you see any users or groups from the parent domain from the child
domain?  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

- Original Message-
From: ActiveDir- [EMAIL PROTECTED]
[mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of lakshmi venkat
Sent: Wednesday, February 01, 2006 3:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in assigning permissions to the user in parent
domain over the shared folder in child domain

Hi,

We are presently working on the Parent , child setup of active directory.

The setup which were trying is as follows:

1-  We have a parent domain and a workstation as a part of parent domain. 

2-  We have one more domain which is a child domain of the previously
mentioned domain. A workstation is added to the child domain and there is a
shared folder in the work station belonging to the child domain.

We login to the workstation in the parent domain as a user in the parent
domain and try to map the fileshare present in the workstation in the child
domain. This operation fails saying access denied.

We are unable to give permissions to the user in parent domain to the file
share in child domain as it does not allow to add the user, in both
permissions and security of the properties of the shared folder.

We are able to select the parent domain in the locations field of the
"Select users or groups"
dialog. But when we enter the username in the object name field, we get an
error that the object name cannot be found.

Any help will be appreciated.



Thanks
Lakshmi



RE: [ActiveDir] Custom date/time attributes in AD/ADAM schema

2006-02-03 Thread joe
FUN!
 
The int8 attributes don't have anything to mark them as 
time stamps or time deltas, you have to hardcode the attribute names into the 
applications. That is how adfind does it for those and how LDP does it for those 
as well as GUIDs and other attributes[1].
 
In terms of working with internally, that is by far the 
easiest format in my opinion, just keep it UTC. For people to read it isn't so 
nice. In that case you may want to instead use a Generalized-Time syntax 
(attribsyntax 2.5.5.11 / OMsyntax 24) which can be read by a human without too 
much pain. It is the ZULU format that you see with whenChanged, whenCreated, etc 
and programs that want to translate it can easily recognize it. It just has to 
always specify a time, it can't be an offset like the int8's are used to do like 
with the domain policy values, etc. Oh searching for a range of values is a 
little easier (or maybe I should just say more intuitive) with int8 as well 
versus searching Generalized-Time.
 
   joe
 
 
[1] I figured out a generic way to handle GUIDs that is usually correct.  
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Friday, February 03, 2006 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Custom date/time attributes in AD/ADAM schema

Any recommendations out there for storing a custom timestamp in 
AD/ADAM? I created an attribute with the same syntax as the existing time 
formats (e.g. pwdLastSet), and I can recover the date/time easily enough in 
code. However, LDP doesn't show the new attribute as a date/time, just as the 
large integer. Is there any way to specify how that attribute should be 
interpreted or are those just built into LDP? Or do people just use a string 
format? 
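An added example, not code from either post above: the two representations joe compares, side by side. The int8 / LargeInteger form is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is what pwdLastSet, lastLogonTimestamp and accountExpires hold; Generalized-Time (attributeSyntax 2.5.5.11, oMSyntax 24) is the YYYYMMDDhhmmss.0Z string behind whenCreated and whenChanged. The functions convert each way and build an LDAP range filter for each syntax, which is the "searching for a range" point joe raises. The attribute names in the filter calls are placeholders for your own custom attribute; the function names are mine.

```powershell
# Added example, not code from the thread. Round-trips between AD's int8 (FILETIME)
# and Generalized-Time representations and builds a range filter for each.
# Attribute names passed to New-AdTimeRangeFilter are placeholders.

function ConvertFrom-AdFileTime {
    # int8 -> UTC DateTime. 0 and 0x7FFFFFFFFFFFFFFF are sentinels ("not set" / "never"),
    # not dates; return $null for them instead of a bogus 1601 or 30828 timestamp.
    param([Parameter(Mandatory)][int64]$Value)
    if ($Value -le 0 -or $Value -eq [int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

function ConvertTo-AdFileTime {
    # DateTime -> int8, normalised to UTC first so a local offset never reaches the store.
    param([Parameter(Mandatory)][DateTime]$Time)
    return $Time.ToUniversalTime().ToFileTimeUtc()
}

function ConvertTo-GeneralizedTime {
    # DateTime -> 'YYYYMMDDhhmmss.0Z' exactly as AD writes whenChanged (whole seconds, Zulu).
    param([Parameter(Mandatory)][DateTime]$Time)
    return $Time.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z', [Globalization.CultureInfo]::InvariantCulture)
}

function ConvertFrom-GeneralizedTime {
    # 'YYYYMMDDhhmmss[.f]Z' -> UTC DateTime. Parse the 14 digits explicitly and insist on the
    # trailing Z; AD never emits local offsets in this syntax, so anything else is corrupt input.
    param([Parameter(Mandatory)][string]$Value)
    if (-not ($Value -match '^(\d{14})(\.\d+)?Z$')) { throw "Not an AD Generalized-Time value: $Value" }
    return [DateTime]::ParseExact($Matches[1], 'yyyyMMddHHmmss',
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
}

function New-AdTimeRangeFilter {
    # LDAP filter for From <= attr < To. Both syntaxes sort as ordered values so >= / <= work;
    # the upper bound steps back one unit because LDAP comparisons are inclusive.
    param(
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][DateTime]$From,
        [Parameter(Mandatory)][DateTime]$To,
        [Parameter(Mandatory)][ValidateSet('Int8', 'GeneralizedTime')][string]$Syntax
    )
    if ($Syntax -eq 'Int8') {
        $lo = ConvertTo-AdFileTime $From
        $hi = (ConvertTo-AdFileTime $To) - 1                      # one 100-ns tick below To
    } else {
        $lo = ConvertTo-GeneralizedTime $From
        $hi = ConvertTo-GeneralizedTime ($To.AddSeconds(-1))      # whole-second resolution
    }
    return "(&($Attribute>=$lo)($Attribute<=$hi))"
}

# Demo on constructed values
$t    = [DateTime]::new(2006, 2, 3, 14, 27, 0, [DateTimeKind]::Utc)
$int8 = ConvertTo-AdFileTime $t
$gt   = ConvertTo-GeneralizedTime $t
"int8            : $int8 -> $(ConvertFrom-AdFileTime $int8)"
"Generalized-Time: $gt -> $(ConvertFrom-GeneralizedTime $gt)"
"accountExpires 'never' sentinel -> '$(ConvertFrom-AdFileTime ([int64]::MaxValue))' (empty = null)"
New-AdTimeRangeFilter -Attribute 'myCustomStampInt8' -From $t -To $t.AddDays(1) -Syntax Int8
New-AdTimeRangeFilter -Attribute 'myCustomStampGT'   -From $t -To $t.AddDays(1) -Syntax GeneralizedTime
```

The filters show why joe finds int8 ranges more intuitive: the bounds are plain integers you can compute and step by a tick, whereas the Generalized-Time bounds are strings that happen to sort correctly only because the format is fixed-width and Zulu-only. Either way, hardcode which of your custom attributes are timestamps, as adfind and LDP do; the schema carries nothing that says so.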


RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe



Actually DsAddressToSiteNames will only take socket 
addresses (PSOCKET_ADDRESS, type AF_INET) to translate, the parameter that takes 
the dnshostname is the one to specify what DC you want to resolve the addresses 
to subnet/sites on. 
 
Actually the previously mentioned ATSN[1] utility is a light wrapper over this call.
 
  joe
 
 
 
 
[1]  Note the initials - I am not great with tool 
names. The best tool name I have isn't even a name I thought up and I haven't 
made the tool yet. I just know what I want it to do and what its name will 
be.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Greene, Adam S
Sent: Friday, February 03, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

The function call DsAddressToSiteNames will take a 
dnsHostName and give you the site it belongs to. If you cannot implement that 
call, there are scripts out there that do a brute force query of AD for sites 
and subnets to get you the site name. Search for the function call and 
"DsAddressToSiteNames vbscript" to find them on google. With a lot of 
sites and subnets, that approach could get unwieldy though. If you can call a 
remote web service from your vbscript or 
write a win32 implementation of the call, that would be a better way to go. 
There is code out there on doing a C# version.
 
-Adam
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can: 

 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet 

And all this must be possible on a machine which is not joined to a domain. 
Ideally, the script should work when WinPE is running, too, as the machine is being built. 

Any ideas? 

neil 


RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread joe



Yeah you could definitely get it to run but the /server 
switch is telling nltest to get the site for that machine specified, not for the 
machine running the command. So for instance, say I run that command against a 
couple of DCs in different sites
 
[Fri 02/03/2006 17:25:57.72]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:fastmofo
MyMainSite
The command completed successfully

[Fri 02/03/2006 17:33:26.50]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc01
MyMainSite
The command completed successfully

[Fri 02/03/2006 17:33:30.13]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc02
VSite
The command completed successfully

[Fri 02/03/2006 17:33:31.43]F:\DEV\cpp\ATSN>nltest /dsgetsite /server:2k3dc10
VSite
The command completed successfully
 
Notice the different sites, those are the sites of the 
servers specified in /server switch. Running the nltest command without 
that switch on a machine that wasn't in a domain wouldn't be able to 
resolve to a site because it doesn't have a default DC to go to. You would get 
something like ERR_NO_SITE or something like that.
 
Now the atsn command has a -h host option that 
lets you specify what host to run the command against (versus what machine to 
get site info for like nltest) and you explicitly send the IP 
addresses you want resolved to a site/subnet. Whether the client is in that 
forest or not doesn't matter as long as it can auth (synced IDs or runas or net 
use) the rpc call. The remote server will then take the IP addresses specified 
and resolve to the sites/subnets that that AD has for the ipaddress. Note that 
if you have multiple forests with different subnet/site definitions you would 
obviously get different results asking DCs in the different forests. Most 
everyone here should understand that but I have been asked about it before so 
thought I would state it. Someone had used the command and accidentally specified 
a DC in a different forest and felt that the program should know that he really 
meant his current forest since his machine was in that forest. 

 
As for running on WinPE, I don't know, never 
tried.
 
   joe
 
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 5:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Per my 
previous post, I'd forced some creds. down the target DCs throat prior to 
executing NLTEST  ... and, no, my local creds. do not match those of the 
virtual domain in question ... 'cause that would be all kinds of just plain 
wrong :o)
 

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Dean, let me guess: the name + pw 
of the local administrator of your unjoined workstation and the target domain's 
local admin account + pw are the same, and you're logged on to the client as 
local admin...
 
I get "DsGetSiteName failed: Status = 5 0x5 
ERROR_ACCESS_DENIED" without sufficient permissions... - or maybe I've just 
locked down my policies different from yours
 
/Guido



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 22:44
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Indeed 
it does, that's what I ran it on ...
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

hmm - this won't work with non-domain joined clients 
though...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 21:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Does 
this suffice -
 
nltest 
/dsgetsite /server:
 
Haven't tried anything of this kind myself under Wimpy 
so I'm uncertain of its suitability.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can: 
 - Interrogate the local machine for its IP 
address and mask  - Determine the subnet 
which the machine resides in  - 
Determine the site that corresponds to the that subnet 
And all this must be possible on a machine which is 
not joined to a domain. Ide
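
Neil's three steps (local IP and mask, the subnet it falls in, the site that owns that subnet) and joe's point that the DC you ask decides which forest's subnet table you get back, worked through as an added PowerShell example. This is not code from the thread, from nltest or from joeware's atsn. It binds to a named DC with explicit credentials, so it runs from a workstation that is not joined to any domain (the DC name and the account are assumptions supplied by the caller), reads the subnet objects under CN=Subnets,CN=Sites in that forest's Configuration naming context, and replays AD's longest-prefix subnet match locally. Under WinPE it assumes the WinPE-WMI and PowerShell optional components are present.

```powershell
# Added example (not code from the thread, from nltest or from joeware's atsn):
# resolve this machine's IPv4 address to an AD subnet and site WITHOUT a domain join.
# Assumptions: $DomainController and $Credential are supplied by the caller; in WinPE
# the WinPE-WMI and PowerShell optional components are present. As joe notes, the
# forest whose DC you name is the forest whose subnet/site table you get back.
param(
    [Parameter(Mandatory = $true)] [string] $DomainController,   # assumed, e.g. dc01.corp.example
    [Parameter(Mandatory = $true)] [pscredential] $Credential     # any account that can read CN=Subnets
)

function ConvertTo-AddressNumber ([System.Net.IPAddress] $Ip) {
    # Big-endian numeric value of a dotted quad, kept in [uint64] arithmetic (no signed shifts)
    $n = [uint64] 0
    foreach ($b in $Ip.GetAddressBytes()) { $n = $n * 256 + [uint64] $b }
    return $n
}

function ConvertFrom-AddressNumber ([uint64] $N) {
    # Inverse of ConvertTo-AddressNumber: 167772160 -> 10.0.0.0
    $octets = foreach ($pos in 3, 2, 1, 0) { [int] ([math]::Floor($N / [math]::Pow(256, $pos)) % 256) }
    return [System.Net.IPAddress]::Parse(($octets -join '.'))
}

function Get-PrefixLength ([System.Net.IPAddress] $Mask) {
    # 255.255.255.0 -> 24: count the leading one bits of a contiguous mask
    $bits = [Convert]::ToString([int64] (ConvertTo-AddressNumber $Mask), 2)
    return $bits.TrimEnd('0').Length
}

function Test-SameNetwork ([uint64] $A, [uint64] $B, [int] $PrefixLength) {
    # True when both addresses agree in their top $PrefixLength bits
    $block = [math]::Pow(2, 32 - $PrefixLength)
    return ([math]::Floor($A / $block) -eq [math]::Floor($B / $block))
}

function Get-LocalIPv4 {
    # Step 1 of Neil's list: local address and mask, via WMI so it needs no domain membership
    $cfgs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $cfgs) {
        for ($i = 0; $i -lt $cfg.IPAddress.Count; $i++) {
            $ip = [System.Net.IPAddress]::Parse($cfg.IPAddress[$i])
            if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
                return [pscustomobject]@{ Address = $ip; Mask = [System.Net.IPAddress]::Parse($cfg.IPSubnet[$i]) }
            }
        }
    }
    throw 'No IPv4 address found on an IP-enabled adapter'
}

function Get-ADSubnetTable ([string] $Dc, [pscredential] $Cred) {
    # Bind with explicit credentials: an unjoined box has no default DC and no usable machine identity,
    # which is the ERROR_ACCESS_DENIED / no-site case discussed in the thread
    $user = $Cred.UserName
    $pass = $Cred.GetNetworkCredential().Password
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/RootDSE", $user, $pass)
    $configNc = [string] $rootDse.Properties['configurationNamingContext'].Value
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/CN=Subnets,CN=Sites,$configNc", $user, $pass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=subnet)', [string[]] @('cn', 'siteObject'))
    $searcher.PageSize = 1000
    foreach ($r in $searcher.FindAll()) {
        $cn = [string] $r.Properties['cn'][0]                          # e.g. 10.20.0.0/16
        # Only IPv4 CIDR names are handled here; IPv6 or malformed subnet objects are skipped
        if ($cn -match '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') {
            $site = $null                                               # a subnet with no siteObject is unassigned
            if ($r.Properties['siteObject'].Count -gt 0) {
                $site = ([string] $r.Properties['siteObject'][0]) -replace '^CN=([^,]+),.*$', '$1'
            }
            [pscustomobject]@{
                Cidr    = $cn
                Network = ConvertTo-AddressNumber ([System.Net.IPAddress]::Parse($Matches[1]))
                Prefix  = [int] $Matches[2]
                Site    = $site
            }
        }
    }
}

function Resolve-SiteForAddress ([System.Net.IPAddress] $Ip, [object[]] $SubnetTable) {
    # AD uses the most specific (longest-prefix) subnet that contains the address; replay that here
    $addr = ConvertTo-AddressNumber $Ip
    $best = $null
    foreach ($s in $SubnetTable) {
        if ((Test-SameNetwork $addr $s.Network $s.Prefix) -and (($null -eq $best) -or ($s.Prefix -gt $best.Prefix))) { $best = $s }
    }
    return $best
}

$local    = Get-LocalIPv4
$prefix   = Get-PrefixLength $local.Mask
$block    = [math]::Pow(2, 32 - $prefix)
$localNet = ConvertFrom-AddressNumber ([uint64] ([math]::Floor((ConvertTo-AddressNumber $local.Address) / $block) * $block))
$table    = @(Get-ADSubnetTable $DomainController $Credential)
$match    = Resolve-SiteForAddress $local.Address $table

$adSubnet = '(no subnet object in this forest covers the address)'
$site     = $null
if ($match) { $adSubnet = $match.Cidr; $site = $match.Site }

[pscustomobject]@{
    LocalAddress = $local.Address.ToString()
    LocalSubnet  = "$localNet/$prefix"   # step 2: the subnet the machine sits in, from its own mask
    ADSubnet     = $adSubnet             # the AD subnet object that matched (may be wider or narrower)
    Site         = $site                 # step 3: the site, as defined in the forest you asked
}
```

Saved as, say, Get-LocalSite.ps1 (name assumed), it is run as `.\Get-LocalSite.ps1 -DomainController dc01.corp.example -Credential (Get-Credential)`. Two design points: the local subnet is computed from the interface mask, while the site comes from whichever AD subnet object matches, and the two can differ when AD carries a supernet or a more specific entry; and because the subnet table is pulled over LDAP from the DC you name, pointing the script at a DC in another forest gives that forest's answer, exactly the confusion joe describes.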

Re: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Just a friendly reminder to those supporting SBS servers... SBS servers 
do not get the benefit of the DFS upgrades in R2.  Member servers can 
get the R2 bits but not the SBS/DC itself.  (yeah yeah I know... we 
shouldn't be using as a file server in the first place...but ...hey)


Grillenmeier, Guido wrote:


and pls. make use of redirecting your documents folder (and many other
things as well, such as Desktop) to a server share.

DFS is ok to use for many profile scenarios - but it won't be of much
help if the profiles get too large (still needs to be loaded by the
client, even if the source is now closer by). DFS-Replication has been
improved a lot in R2, but I'd still recommend to reduce what you keep in
your profile.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Freitag, 3. Februar 2006 22:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I would highly discourage against using cached mode for roaming
profiles. Just imagine the network resources they would be hogging up
when they log onto a different computer and not to mention HDD space. We
definitely have disabled cached mode for roaming profiles. 

-Nav 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Friday, February 03, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Roaming Profiles

I agree... but what about OST files - Outlook cached mode.  Is anyone
excluding the OST from the roaming profile?  If so, a new OST will need
to be downloaded at each computer the user logs into.  Most are
100-300MB.  Which is the lesser evil. :)

...D

On 2/3/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:

As just another piece of this, users sometimes just throw stuff on 
their "desktop" since they don't know any better or because that might
be the first location that shows up during a save operation.  The 
desktop is obviously included as part of the profile, leading to
bloated sizes.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Friday, February 03, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I too am a fan of local profile, but I do not think that directly 
addresses Frank's issues...

A couple of jobs ago at a school we used roaming profiles exclusively 
- made sense in our scenario. There was still at least 3-4 staff on a 
bad day that needed their profile reconfig-ed (all students used a
mandatory profile).

Bottom line - use GPO's to limit the size of the user "dumping" 
grounds, and/or redirect them. It's amazing how your profiles shrink 
dramatically when you don't allow users to store their files as a part
of their profile, you don't copy their IE cache, and redirect a couple
of other folders.

I feel for you Frank, as with users with profiles in excess of, say, 
20 MB - with your link speeds, I am amazed that you do not experience
more problems (but then I am sure it is only the ones that move sites
that cause the issues... give them a laptop and make them have local 
profiles!).  ;)

My $0.02 inc GST...

themolk.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Friday, 3 February 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I personally avoid roaming and mandatory roaming like the plague. One 
thing you can do is create a DFS Root for the profiles of the users 
that move around replicate to all of the sites that they visit. I 
would not recommend doing it for everyone else. I would actually stop 
using roaming for everyone else that does not roam. there are many 
alternatives to roaming using Group Policies because no matter how you
look at it you are slowing down the user logon and the network
especially with that many users.

JMTC

Bill

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 4:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all,

I have a question regarding Roaming Profiles. Our environment 
currently have 3500 users which are all roaming profile enabled. Their
profiles are stored on the local site server. We have approx 56 sites 
which are all linked by 256-1mb lines.

I like the concept of roaming profiles, however some of our users have
profiles ranging from 5mb - 200mb, some even with 1GB profiles.

Because a lot of our users log on to different computers at different 
sites, we are finding issues with corrupted profiles and logon speeds.

On a few occasions, where a user has been added to a group, the 
permissions assign to this group are
RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Frank Abagnale
Ulf & everyone,

thanks for your responses, roaming profiles are mandatory here, if we were to take this away, all hell would break loose.

I guess educating them to store files elsewhere would be a good start.

thanks

Frank

Ulf - you are not the first to mention Carl Hanratty, you won't be the last!

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Hi Frank,

with those large roaming profiles you need to
1. educate your users
2. question the use of roaming profiles

In fact I've seen a lot of companies who tend to stick to local only profiles in the recent past. Roaming profiles are great - however I see them in infrastructures where people are moving around on multiple computers a lot, and where they don't have that much individual applications. I would use roaming profiles for the production workers who are spending not a lot of time on the computer and might share a pool of computers, however for the regular office worker and the board of directors I'd use local profiles since they tend to work on the same computer a lot and also travel a lot.

Educate them not to store their critical data within the profile, and maybe a desktop backup software which is taking care of their profile and data when connected comes in handy too.

Carl Hanratty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 10:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all,

I have a question regarding Roaming Profiles. Our environment currently have 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines.

I like the concept of roaming profiles, however some of our users have profiles ranging from 5mb - 200mb, some even with 1GB profiles.

Because a lot of our users log on to different computers at different sites, we are finding issues with corrupted profiles and logon speeds. On a few occasions, where a user has been added to a group, the permissions assigned to this group are not shown when the user is logged back on. Deleting the profile and recreating fixes this issue but it's quite a time consuming effort.

How does everyone deal with roaming profiles if used? sometimes there are instances where users just want to logon to the PC without their roaming profile so they can remote desktop to their PC. In this situation they have to take their profile across which can take forever depending on the size of profile and link.

Any creative ideas? how about using DFS to store the profiles?

Thanks

Frank

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Grillenmeier, Guido
and pls. make use of redirecting your documents folder (and many other
things as well, such as Desktop) to a server share.

DFS is ok to use for many profile scenarios - but it won't be of much
help if the profiles get too large (still needs to be loaded by the
client, even if the source is now closer by). DFS-Replication has been
improved a lot in R2, but I'd still recommend to reduce what you keep in
your profile.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Freitag, 3. Februar 2006 22:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I would highly discourage against using cached mode for roaming
profiles. Just imagine the network resources they would be hogging up
when they log onto a different computer and not to mention HDD space. We
definitely have disabled cached mode for roaming profiles. 

-Nav 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Friday, February 03, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Roaming Profiles

I agree... but what about OST files - Outlook cached mode.  Is anyone
excluding the OST from the roaming profile?  If so, a new OST will need
to be downloaded at each computer the user logs into.  Most are
100-300MB.  Which is the lesser evil. :)

...D

On 2/3/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
>
> As just another piece of this, users sometimes just throw stuff on 
> their "desktop" since they don't know any better or because that might
> be the first location that shows up during a save operation.  The 
> desktop is obviously included as part of the profile, leading to
> bloated sizes.
>
> Mike Thommes
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, 
> Steve
> Sent: Friday, February 03, 2006 8:45 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Roaming Profiles
>
> I too am a fan of local profile, but I do not think that directly 
> addresses Frank's issues...
>
> A couple of jobs ago at a school we used roaming profiles exclusively 
> - made sense in our scenario. There was still at least 3-4 staff on a 
> bad day that needed their profile reconfig-ed (all students used a
> mandatory profile).
>
> Bottom line - use GPO's to limit the size of the user "dumping" 
> grounds, and/or redirect them. It's amazing how your profiles shrink 
> dramatically when you don't allow users to store their files as a part
> of their profile, you don't copy their IE cache, and redirect a couple
> of other folders.
>
> I feel for you Frank, as with users with profiles in excess of, say, 
> 20 MB - with your link speeds, I am amazed that you do not experience
> more problems (but then I am sure it is only the ones that move sites
> that cause the issues... give them a laptop and make them have local 
> profiles!).  ;)
>
> My $0.02 inc GST...
>
> themolk.
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, 
> William
> Sent: Friday, 3 February 2006 10:54 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Roaming Profiles
>
> I personally avoid roaming and mandatory roaming like the plague. One 
> thing you can do is create a DFS Root for the profiles of the users 
> that move around replicate to all of the sites that they visit. I 
> would not recommend doing it for everyone else. I would actually stop 
> using roaming for everyone else that does not roam. there are many 
> alternatives to roaming using Group Policies because no matter how you
> look at it you are slowing down the user logon and the network
> especially with that many users.
>
> JMTC
>
> Bill
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Frank 
> Abagnale
> Sent: Friday, February 03, 2006 4:51 AM
> To: Active
> Subject: [ActiveDir] OT: Roaming Profiles
>
> Hi all,
>
> I have a question regarding Roaming Profiles. Our environment 
> currently have 3500 users which are all roaming profile enabled. Their
> profiles are stored on the local site server. We have approx 56 sites 
> which are all linked by 256-1mb lines.
>
> I like the concept of roaming profiles, however some of our users have
> profiles ranging from 5mb - 200mb, some even with 1GB profiles.
>
> Because a lot of our users log on to different computers at different 
> sites, we are finding issues with corrupted profiles and logon speeds.
> On a few occasions, where a user has been added to a group, the 
> permissions assigned to this group are not shown when the user is 
> logged back on. Deleting the profile and recreating fixes this issue 
> but it's quite a time consuming effort.
>
> How does everyone deal with roaming profiles if used? sometimes there 
> are instances where users jus

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells

Per my 
previous post, I'd forced some creds. down the target DCs throat prior to 
executing NLTEST  ... and, no, my local creds. do not match those of the 
virtual domain in question ... 'cause that would be all kinds of just plain 
wrong :o)
 

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Dean, let me guess: the name + pw 
of the local administrator of your unjoined workstation and the target domain's 
local admin account + pw are the same, and you're logged on to the client as 
local admin...
 
I get "DsGetSiteName failed: Status = 5 0x5 
ERROR_ACCESS_DENIED" without sufficient permissions... - or maybe I've just 
locked down my policies different from yours
 
/Guido



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 22:44
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Indeed 
it does, that's what I ran it on ...
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

hmm - this won't work with non-domain joined clients 
though...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 21:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Does 
this suffice -
 
nltest 
/dsgetsite /server:
 
Haven't tried anything of this kind myself under Wimpy 
so I'm uncertain of its suitability.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can: 
 - Interrogate the local machine for its IP 
address and mask  - Determine the subnet 
which the machine resides in  - 
Determine the site that corresponds to the that subnet 
And all this must be possible on a machine which is 
not joined to a domain. Ideally, the script 
should work when WinPE is running, too, as the machine is being built. 

Any ideas? 
neil 


RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Ulf B. Simon-Weidner



Hi Frank,
 
with those large roaming profiles you need to
1. educate your users
2. question the use of roaming profiles
 
In fact I've seen a lot of companies who tend to stick 
to local only profiles in the recent past. Roaming profiles are great - however 
I see them in infrastructures where people are moving around on multiple 
computers a lot, and where they don't have that much individual applications. I 
would use roaming profiles for the production workers who are spending not a lot 
of time on the computer and might share a pool of computers, however for the 
regular office worker and the board of directors I'd use local profiles since 
they tend to work on the same computer a lot and also travel a 
lot.
Educate them not to store their critical data within 
the profile, and maybe a desktop backup software which is taking care of their 
profile and data when connected comes in handy too.
 
Carl Hanratty

 

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Friday, February 03, 2006 10:51 AM
  To: Active
  Subject: [ActiveDir] OT: Roaming Profiles
  
  Hi all,
  I have a question regarding Roaming Profiles. Our environment currently 
  have 3500 users which are all roaming profile enabled. Their profiles are 
  stored on the local site server. We have approx 56 sites which are all linked 
  by 256-1mb lines.
  I like the concept of roaming profiles, however some of our users have 
  profiles ranging from 5mb - 200mb, some even with 1GB profiles. 
  Because a lot of our users log on to different computers at different 
  sites, we are finding issues with corrupted profiles and logon speeds. On a 
  few occasions, where a user has been added to a group, the permissions assigned 
  to this group are not shown when the user is logged back on. Deleting the 
  profile and recreating fixes this issue but it's quite a time consuming 
  effort.
  How does everyone deal with roaming profiles if used? sometimes there are 
  instances where users just want to logon to the PC without their roaming 
  profile so they can remote desktop to their PC. In this situation they have to 
  take their profile across which can take forever depending on the size of 
  profile and link.
  Any creative ideas? how about using DFS to store the profiles? 
  Thanks
  Frank
   
  
  


RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Grillenmeier, Guido

Dean, let me guess: the name + pw 
of the local administrator of your unjoined workstation and the target domain's 
local admin account + pw are the same, and you're logged on to the client as 
local admin...
 
I get "DsGetSiteName failed: Status = 5 0x5 
ERROR_ACCESS_DENIED" without sufficient permissions... - or maybe I've just 
locked down my policies different from yours
 
/Guido



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 22:44
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Indeed 
it does, that's what I ran it on ...
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

hmm - this won't work with non-domain joined clients 
though...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 21:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Does 
this suffice -
 
nltest 
/dsgetsite /server:
 
Haven't tried anything of this kind myself under Wimpy 
so I'm uncertain of its suitability.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can: 
 - Interrogate the local machine for its IP 
address and mask  - Determine the subnet 
which the machine resides in  - 
Determine the site that corresponds to the that subnet 
And all this must be possible on a machine which is 
not joined to a domain. Ideally, the script 
should work when WinPE is running, too, as the machine is being built. 

Any ideas? 
neil 


RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells

... to 
be clear, it does require that some level of credential first be established 
but, nonetheless, it functions.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 4:44 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Indeed 
it does, that's what I ran it on ...
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

hmm - this won't work with non-domain joined clients 
though...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 3. Februar 2006 21:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Does 
this suffice -
 
nltest 
/dsgetsite /server:
 
Haven't tried anything of this kind myself under Wimpy 
so I'm uncertain of its suitability.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can: 
 - Interrogate the local machine for its IP 
address and mask  - Determine the subnet 
which the machine resides in  - 
Determine the site that corresponds to the that subnet 
And all this must be possible on a machine which is 
not joined to a domain. Ideally, the script 
should work when WinPE is running, too, as the machine is being built. 

Any ideas? 
neil 


Re: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread Laura E. Hunter
Dean (actually one of his cohorts due to scheduling difficulties)
taught one of said publicly-available courses for my office back in
the fall.  I  highly (HIGHLY) recommend it.  :-)

- L

On 2/3/06, Dean Wells <[EMAIL PROTECTED]> wrote:
> Hey Deji,
>
> Not at all.
>
> Hmmm ... I'm not certain how you, as a partner, would go about that.  Were
> you an end-user with a TAM, I'd say simply start there.
>
> I thought you aware (but I'm guessing otherwise based on your question) that
> we're now able to deliver some of these classes externally (based on minor
> sanitizing-edits only).  If you're interested, let me know and I'll provide
> you with availability and rates ... they're cost effective at a minimum of
> ~4+ students.
>
> Kindest regards.
>
> Deano
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, February 03, 2006 1:50 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
> parent domain over the shared folder in child domain
>
> Dean,
>
> I hope you don't mind me asking you this. If you do, please forgive me. I'll
> ask anyway :-p
>
> Considering that I work for a Microsoft Gold Partner (Unisys), what do I
> need to do to get into one of the "internal" trainings you do for MS folks?
> I know that MS was thinking about introducing an "AD Ranger" type of
> training last year, something similar to the intensive Exchange Ranger
> program. I don't know what happened to that plan, but I am thinking that the
> type of training that you do for MS is along this line in terms of intensity
> and technical contents.
>
> Could you please let me know if it's possible for a Partner to get into
> these trainings? If yours is not what I'm looking for, do you happen to know
> where a Partner can find relevant trainings that are much more than the
> normal "introducing AD" trainings?
>
> Thanks.
>
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M MCSA+M MCT
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
>
> 
>
> From: [EMAIL PROTECTED] on behalf of Dean Wells
> Sent: Fri 2/3/2006 6:41 AM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
> parent domain over the shared folder in child domain
>
>
>
> Is replication functioning?
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of V Lakshmi
> Sent: Friday, February 03, 2006 12:44 AM
> To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
> parent domain over the shared folder in child domain
>
>
>  No I am not able to see any users or groups from the workstation in the
> child domain, when I  selected the parent domain, while assigning rights to
> the shared folder in the child domain. When I selected advanced button while
> assigning rights and searched for the user name existing in parent domain ,
> it displayed an error message saying Server not operational.  The DNS in the
> parent domain controller is up and running.
>
> What might be the problem?
> >>> [EMAIL PROTECTED] 02/03/06 10:24 am >>>
> Can you see any users or groups from the parent domain from the child
> domain?
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> - Original Message-
> From: ActiveDir- [EMAIL PROTECTED]
> [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of lakshmi venkat
> Sent: Wednesday, February 01, 2006 3:44 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Problem in assigning permissions to the user in parent
> domain over the shared folder in child domain
>
> Hi,
>
> We are presently working on the Parent , child setup of active directory.
>
> The setup which we're trying is as follows:
>
> 1-  We have a parent domain and a workstation as a part of parent domain.
>
> 2-  We have one more domain which is a child domain of the previously
> mentioned domain. A workstation is added to the child domain and there is a
> shared folder in the workstation belonging to the child domain.
>
> We login to the workstation in the parent domain as a user in the parent
> domain and try to map the fileshare present in the workstation in the child
> domain. This operation fails saying access denied.
>
> We are unable to give permissions to the user in parent domain to the file
> share in child domain as it does not allow to add the user, in both
> permissions and security of the properties of the shared folder.
>
> We are able to select the parent domain in the locations field of the
> "Select 

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells

Indeed it does, that's what I ran it on ...

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, February 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

hmm - this won't work with non-domain joined clients though...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 3 February 2006 21:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Does this suffice -

nltest /dsgetsite /server:

Haven't tried anything of this kind myself under Wimpy so I'm uncertain of its suitability.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can:
 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet
And all this must be possible on a machine which is not joined to a domain. Ideally, the script should work when WinPE is running, too, as the machine is being built.

Any ideas? 
neil 


RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Grillenmeier, Guido

hmm - this won't work with non-domain joined clients though...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 3 February 2006 21:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to determine a machine's site

Does this suffice -

nltest /dsgetsite /server:

Haven't tried anything of this kind myself under Wimpy so I'm uncertain of its suitability.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can:
 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet
And all this must be possible on a machine which is not joined to a domain. Ideally, the script should work when WinPE is running, too, as the machine is being built.

Any ideas? 
neil 


RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Navroz Shariff
I would highly discourage using cached mode for roaming
profiles. Just imagine the network resources they would be hogging up
when they log onto a different computer, not to mention HDD space. We
definitely have disabled cached mode for roaming profiles.

-Nav 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Friday, February 03, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Roaming Profiles

I agree... but what about OST files - Outlook cached mode.  Is anyone
excluding the OST from the roaming profile?  If so, a new OST will need
to be downloaded at each computer the user logs into.  Most are
100-300MB.  Which is the lesser evil? :)

...D

On 2/3/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
>
>
> As just another piece of this, users sometimes just throw stuff on
> their "desktop" since they don't know any better or because that might
> be the first location that shows up during a save operation.  The
> desktop is obviously included as part of the profile, leading to
> bloated sizes.
>
>
>
> Mike Thommes
>
>
>
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, 
> Steve
> Sent: Friday, February 03, 2006 8:45 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Roaming Profiles
>
>
>
> I too am a fan of local profile, but I do not think that directly 
> addresses Frank's issues...
>
>
>
> A couple of jobs ago at a school we used roaming profiles exclusively 
> - made sense in our scenario. There was still at least 3-4 staff on a 
> bad day that needed their profile reconfig-ed (all students used a
mandatory profile).
> Bottom line - use GPO's to limit the size of the user "dumping"
> grounds, and/or redirect them. It's amazing how your profiles shrink
> dramatically when you don't allow users to store their files as a part
> of their profile, you don't copy their IE cache, and redirect a couple
> of other folders.
>
>
>
> I feel for you Frank, as with users with profiles in excess of, say,
> 20 MB - with your link speeds, I am amazed that you do not experience
> more problems (but then I am sure it is only the ones that move sites
> that cause the issues... give them a laptop and make them have local
> profiles!).  ;)
>
>
>
> My $0.02 inc GST...
>
>
>
> themolk.
>
>
>
>
>
> 
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, 
> William
> Sent: Friday, 3 February 2006 10:54 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Roaming Profiles
>
> I personally avoid roaming and mandatory roaming like the plague. One
> thing you can do is create a DFS Root for the profiles of the users
> that move around and replicate it to all of the sites that they visit. I
> would not recommend doing it for everyone else. I would actually stop
> using roaming for everyone else that does not roam. There are many
> alternatives to roaming using Group Policies because no matter how you
> look at it you are slowing down the user logon and the network
> especially with that many users.
>
>
>
> JMTC
>
>
>
> Bill
>
>
> 
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Frank 
> Abagnale
> Sent: Friday, February 03, 2006 4:51 AM
> To: Active
> Subject: [ActiveDir] OT: Roaming Profiles
>
>
> Hi all,
>
>
> I have a question regarding Roaming Profiles. Our environment
> currently has 3500 users which are all roaming profile enabled. Their
> profiles are stored on the local site server. We have approx 56 sites
> which are all linked by 256-1mb lines.
>
>
> I like the concept of roaming profiles, however some of our users have
> profiles ranging from 5mb - 200mb, some even with 1GB profiles.
>
>
> Because a lot of our users log on to different computers at different
> sites, we are finding issues with corrupted profiles and logon speeds.
> On a few occasions, where a user has been added to a group, the
> permissions assigned to this group are not shown when the user is
> logged back on. Deleting the profile and recreating fixes this issue
> but it's quite a time consuming effort.
>
>
> How does everyone deal with roaming profiles if used? sometimes there 
> are instances where users just want to logon to the PC without their 
> roaming profile so they can remote desktop to their PC. In this 
> situation they have to take their profile across which can take 
> forever depending on the size of profile and link.
>
>
> Any creative ideas? how about using DFS to store the profiles?
>
>
> Thanks
>
>
> Frank
>
>
>
> 
>
>
> Yahoo! Mail - Helps protect you from nasty viruses.
>
> Confidentiality Notice: The information contained in this message may 
> be legally privileged and confidential information intended only for 
> the use of the individual or entity named above. If the reader of this

>
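
As an added example (not code from any poster in this thread) of what Steve's "limit the dumping grounds, redirect the rest" advice looks like in practice: before switching on the "Exclude directories in roaming profile" and "Limit profile size" policies (User Configuration > Administrative Templates > System > User Profiles), measure what is actually on the profile server so the exclusions target the real offenders (Desktop, IE cache, the OST that Danny asks about). The profile root path and the constructed sample tree below are assumptions for the demo.

```powershell
# Added example, not from the thread. Sizes every profile folder under a
# profile share, reports the three largest top-level folders per user and
# how much of the total is Outlook OST cache. $ProfileRoot is hypothetical.

function Get-FolderSizeMB ([string] $Path) {
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    [math]::Round(($sum / 1MB), 2)
}

function Get-ProfileReport ([string] $ProfileRoot, [double] $WarnMB = 20) {
    foreach ($p in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        $total = Get-FolderSizeMB $p.FullName
        # per top-level folder breakdown, largest first: these are the
        # candidates for folder redirection or the exclude-directories policy
        $top = Get-ChildItem -LiteralPath $p.FullName -Directory -Force |
               ForEach-Object { [pscustomobject]@{ Folder = $_.Name; MB = Get-FolderSizeMB $_.FullName } } |
               Sort-Object MB -Descending | Select-Object -First 3
        # OST files (Outlook cached mode) roam with the profile unless excluded
        $ost = Get-ChildItem -LiteralPath $p.FullName -Recurse -File -Force -Filter *.ost -ErrorAction SilentlyContinue |
               Measure-Object -Property Length -Sum
        [pscustomobject]@{
            User       = $p.Name
            TotalMB    = $total
            OverLimit  = $total -gt $WarnMB
            OstMB      = [math]::Round(($ost.Sum / 1MB), 2)
            TopFolders = ($top | ForEach-Object { "$($_.Folder)=$($_.MB)MB" }) -join '; '
        }
    }
}

# Constructed demo tree (not real user data) so the report can be run offline:
# two profiles, one with a fat Desktop and an OST, one that is tiny.
$root = Join-Path $env:TEMP 'ProfileDemo'
Remove-Item $root -Recurse -Force -ErrorAction SilentlyContinue
foreach ($spec in @(
        @{ u = 'alice'; f = 'Desktop\big.iso';                                            mb = 6 },
        @{ u = 'alice'; f = 'Local Settings\Application Data\Microsoft\Outlook\alice.ost'; mb = 3 },
        @{ u = 'bob';   f = 'My Documents\notes.txt';                                     mb = 1 })) {
    $file = Join-Path $root (Join-Path $spec.u $spec.f)
    New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
    $fs = [System.IO.File]::Create($file); $fs.SetLength($spec.mb * 1MB); $fs.Close()
}

Get-ProfileReport -ProfileRoot $root -WarnMB 5 | Format-Table -AutoSize
```

Run it against the real profile root (`Get-ProfileReport -ProfileRoot '\\siteserver\profiles$'`) with the account that owns the share, since profile folders are normally ACLed to the user and SYSTEM only; the `-ErrorAction SilentlyContinue` on the recursion keeps a single denied folder from aborting the whole report, but it also means a denied subtree is silently undercounted, so check the share ACLs first.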

RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread Dean Wells
Hey Deji,

Not at all.  

Hmmm ... I'm not certain how you, as a partner, would go about that.  Were
you an end-user with a TAM, I'd say simply start there.

I thought you aware (but I'm guessing otherwise based on your question) that
we're now able to deliver some of these classes externally (based on minor
sanitizing-edits only).  If you're interested, let me know and I'll provide
you with availability and rates ... they're cost effective at a minimum of
~4+ students.

Kindest regards.

Deano

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain

Dean,
 
I hope you don't mind me asking you this. If you do, please forgive me. I'll
ask anyway :-p
 
Considering that I work for a Microsoft Gold Partner (Unisys), what do I
need to do to get into one of the "internal" trainings you do for MS folks?
I know that MS was thinking about introducing an "AD Ranger" type of
training last year, something similar to the intensive Exchange Ranger
program. I don't know what happened to that plan, but I am thinking that the
type of training that you do for MS is along this line in terms of intensity
and technical contents.
 
Could you please let me know if it's possible for a Partner to get into
these trainings? If yours is not what I'm looking for, do you happen to know
where a Partner can find relevant trainings that are much more than the
normal "introducing AD" trainings?
 
Thanks.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Fri 2/3/2006 6:41 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain



Is replication functioning?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of V Lakshmi
Sent: Friday, February 03, 2006 12:44 AM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain


 No I am not able to see any users or groups from the workstation in the
child domain, when I  selected the parent domain, while assigning rights to
the shared folder in the child domain. When I selected advanced button while
assigning rights and searched for the user name existing in parent domain ,
it displayed an error message saying Server not operational.  The DNS in the
parent domain controller is up and running.

What might be the problem?
>>> [EMAIL PROTECTED] 02/03/06 10:24 am >>>
Can you see any users or groups from the parent domain from the child
domain? 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


- Original Message-
From: ActiveDir- [EMAIL PROTECTED]
[mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of lakshmi venkat
Sent: Wednesday, February 01, 2006 3:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in assigning permissions to the user in parent
domain over the shared folder in child domain

Hi,

We are presently working on the Parent , child setup of active directory.

The setup which we're trying is as follows:

1-  We have a parent domain and a workstation as a part of parent domain.

2-  We have one more domain which is a child domain of the previously
mentioned domain. A workstation is added to the child domain and there is a
shared folder in the workstation belonging to the child domain.

We login to the workstation in the parent domain as a user in the parent
domain and try to map the fileshare present in the workstation in the child
domain. This operation fails saying access denied.

We are unable to give permissions to the user in parent domain to the file
share in child domain as it does not allow to add the user, in both
permissions and security of the properties of the shared folder.

We are able to select the parent domain in the locations field of the
"Select users or groups"
dialog. But when we enter the username in the object name field, we get an
error that the object name cannot be found.

Any help will be appreciated.



Thanks
Lakshmi

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.ma

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Greene, Adam S

The function call DsAddressToSiteNames will take a dnsHostName and give you the site it belongs to. If you cannot implement that call, there are scripts out there that do a brute force query of AD for sites and subnets to get you the site name. Search for the function call and "DsAddressToSiteNames vbscript" to find them on Google. With a lot of sites and subnets, that approach could get unwieldy though. If you can call a remote web service from your VBScript or write a Win32 implementation of the call, that would be a better way to go. There is code out there on doing a C# version.
 
-Adam
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can:
 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet
And all this must be possible on a machine which is not joined to a domain. Ideally, the script should work when WinPE is running, too, as the machine is being built.

Any ideas? 
neil 
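
Below is an added worked example of the "brute force query of AD for sites and subnets" approach Adam describes; it is not code from this thread or from any of the posters. It answers neil's three requirements for a box that is not domain-joined: read the local IPv4 address, pull the subnet objects from CN=Subnets,CN=Sites in the Configuration NC over LDAP with explicit credentials (no secure channel needed), and pick the site by longest-prefix match, which is the same "most specific subnet wins" rule the DC applies. The DC name, the service account and the sample subnet table are assumptions.

```powershell
# Added example (not from the thread): AD site lookup for a non-domain-joined
# machine or WinPE. Assumptions: $Server is a reachable DC, the credential can
# read the Configuration NC (Authenticated Users can by default), IPv4 only.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-UInt32Address ([string] $Address) {
    # Host-order 32-bit integer for an IPv4 dotted-quad string
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [uint32](([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3])
}

function Get-PrefixMask ([int] $Length) {
    # /0 .. /32 -> 0x00000000 .. 0xFFFFFFFF
    if ($Length -le 0) { return [uint32]0 }
    [uint32](([long][uint32]::MaxValue -shl (32 - $Length)) -band [long][uint32]::MaxValue)
}

function Find-SiteForAddress ([string] $Address, [object[]] $Subnets) {
    # $Subnets: objects with .Cidr ('10.20.0.0/16', the subnet object's cn)
    # and .Site (site CN). AD picks the most specific matching subnet, so the
    # longest prefix wins here too. Non-IPv4 and malformed entries are skipped.
    $ip   = ConvertTo-UInt32Address $Address
    $best = $null
    foreach ($s in $Subnets) {
        $net, $len = $s.Cidr -split '/', 2
        if (-not $len -or $net -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
        $len  = [int]$len
        $mask = Get-PrefixMask $len
        if (((ConvertTo-UInt32Address $net) -band $mask) -ne ($ip -band $mask)) { continue }
        if ($null -eq $best -or $len -gt $best.PrefixLength) {
            $best = [pscustomobject]@{ Site = $s.Site; Subnet = $s.Cidr; PrefixLength = $len }
        }
    }
    $best
}

function Get-LocalIPv4Addresses {
    # Works without a domain join; WinPE needs the WinPE-NetFx and
    # WinPE-PowerShell optional components for any of this to run at all.
    [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.Address.ToString() }
}

function Get-AdSubnetTable ([string] $Server, [pscredential] $Credential) {
    # Explicit credentials over Negotiate (NTLM when the box has no Kerberos
    # identity); signing + sealing so neither the bind nor the subnet list
    # crosses the build network in the clear.
    $id   = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, 389
    $conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection `
                -ArgumentList $id, $Credential.GetNetworkCredential(), ([System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()
    # RootDSE gives the Configuration NC DN, so nothing about the forest is hard-coded
    $rootReq  = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
                    -ArgumentList '', '(objectClass=*)', 'Base', 'configurationNamingContext'
    $configNc = [string]$conn.SendRequest($rootReq).Entries[0].Attributes['configurationNamingContext'][0]
    $req  = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
                -ArgumentList "CN=Subnets,CN=Sites,$configNc", '(objectClass=subnet)', 'OneLevel', 'cn', 'siteObject'
    foreach ($e in $conn.SendRequest($req).Entries) {
        [pscustomobject]@{
            Cidr = [string]$e.Attributes['cn'][0]
            Site = (([string]$e.Attributes['siteObject'][0]) -split ',')[0] -replace '^CN=', ''
        }
    }
}

# Offline dry run on a constructed subnet table (not pulled from any real forest):
$sample = @(
    [pscustomobject]@{ Cidr = '10.0.0.0/8';    Site = 'Default-First-Site-Name' }
    [pscustomobject]@{ Cidr = '10.20.0.0/16';  Site = 'London' }
    [pscustomobject]@{ Cidr = '10.20.30.0/24'; Site = 'London-Build' }
    [pscustomobject]@{ Cidr = '2001:db8::/32'; Site = 'IPv6-Lab' }   # ignored by the IPv4 matcher
)
Find-SiteForAddress -Address '10.20.30.7' -Subnets $sample   # the /24 outranks the /16 and the /8

# Real run from WinPE or any workgroup box (hypothetical DC and account):
# $subnets = Get-AdSubnetTable -Server 'dc01.corp.example' -Credential (Get-Credential 'CORP\svc-build')
# Get-LocalIPv4Addresses | ForEach-Object { Find-SiteForAddress -Address $_ -Subnets $subnets }
```

Two caveats for the "lot of sites and subnets" case Adam mentions: a single LDAP search is capped by the DC's MaxPageSize (1000 entries by default), so a forest with more subnet objects than that needs the search wrapped in a PageResultRequestControl loop, and the cached table should be refreshed per build rather than baked into the image, or a subnet renumbered after the image was made will silently land machines in the wrong site. A null result from Find-SiteForAddress is the same condition the DC locator hits when no subnet matches: the client is not covered by any site, which is worth logging from the build task rather than defaulting it quietly.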


Re: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Danny
I agree... but what about OST files - Outlook cached mode.  Is anyone
excluding the OST from the roaming profile?  If so, a new OST will
need to be downloaded at each computer the user logs into.  Most are
100-300MB.  Which is the lesser evil? :)

...D

On 2/3/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
>
>
> As just another piece of this, users sometimes just throw stuff on their
> "desktop" since they don't know any better or because that might be the
> first location that shows up during a save operation.  The desktop is
> obviously included as part of the profile, leading to bloated sizes.
>
>
>
> Mike Thommes
>
>
>
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Molkentin, Steve
> Sent: Friday, February 03, 2006 8:45 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Roaming Profiles
>
>
>
> I too am a fan of local profile, but I do not think that directly addresses
> Frank's issues...
>
>
>
> A couple of jobs ago at a school we used roaming profiles exclusively - made
> sense in our scenario. There was still at least 3-4 staff on a bad day that
> needed their profile reconfig-ed (all students used a mandatory profile).
> Bottom line - use GPO's to limit the size of the user "dumping" grounds,
> and/or redirect them. It's amazing how your profiles shrink dramatically when
> you don't allow users to store their files as a part of their profile, you
> don't copy their IE cache, and redirect a couple of other folders.
>
>
>
> I feel for you Frank, as with users with profiles in excess of, say, 20 MB -
> with your links speeds, I am amazed that you do not experience more problems
> (but then I am sure it is only the ones that move sites that cause the
> issues... give them a laptop and make them have local profiles!).  ;)
>
>
>
> My $0.02 inc GST...
>
>
>
> themolk.
>
>
>
>
>
> 
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Krenceski, William
> Sent: Friday, 3 February 2006 10:54 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Roaming Profiles
>
> I personally avoid roaming and mandatory roaming like the plague. One thing
> you can do is create a DFS Root for the profiles of the users that move
> around and replicate it to all of the sites that they visit. I would not recommend
> doing it for everyone else. I would actually stop using roaming for everyone
> else that does not roam. there are many alternatives to roaming using Group
> Policies because no matter how you look at it you are slowing down the user
> logon and the network especially with that many users.
>
>
>
> JMTC
>
>
>
> Bill
>
>
> 
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Frank Abagnale
> Sent: Friday, February 03, 2006 4:51 AM
> To: Active
> Subject: [ActiveDir] OT: Roaming Profiles
>
>
> Hi all,
>
>
> I have a question regarding Roaming Profiles. Our environment currently has
> 3500 users which are all roaming profile enabled. Their profiles are stored
> on the local site server. We have approx 56 sites which are all linked by
> 256-1mb lines.
>
>
> I like the concept of roaming profiles, however some of our users have
> profiles ranging from 5mb - 200mb, some even with 1GB profiles.
>
>
> Because a lot of our users log on to different computers at different sites,
> we are finding issues with corrupted profiles and logon speeds. On a few
> occasions, where a user has been added to a group, the permissions assigned to
> this group are not shown when the user is logged back on. Deleting the
> profile and recreating fixes this issue but it's quite a time consuming
> effort.
>
>
> How does everyone deal with roaming profiles if used? sometimes there are
> instances where users just want to logon to the PC without their roaming
> profile so they can remote desktop to their PC. In this situation they have
> to take their profile across which can take forever depending on the size of
> profile and link.
>
>
> Any creative ideas? how about using DFS to store the profiles?
>
>
> Thanks
>
>
> Frank
>
>
>
> 
>
>
> Yahoo! Mail - Helps protect you from nasty viruses.
>
> Confidentiality Notice: The information contained in this message may be
> legally privileged and confidential information intended only for the use of
> the individual or entity named above. If the reader of this message is not
> the intended recipient, or the employee or agent responsible to deliver it
> to the intended recipient, you are hereby notified that any release,
> dissemination, distribution, or copying of this communication is strictly
> prohibited. If you have received this communication in error please notify
> the author immediately by replying to this message and deleting the original
> message. Thank you.


--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
List info   : http:/

RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Dean Wells

Does this suffice -

nltest /dsgetsite /server:

Haven't tried anything of this kind myself under Wimpy so I'm uncertain of its suitability.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can:
 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet
And all this must be possible on a machine which is not joined to a domain. Ideally, the script should work when WinPE is running, too, as the machine is being built.

Any ideas? 
neil 


[ActiveDir] Custom date/time attributes in AD/ADAM schema

2006-02-03 Thread Mr Oteece
Any recommendations out there for storing a custom timestamp in AD/ADAM? I created an attribute with the same syntax as the existing time formats (e.g. pwdLastSet), and I can recover the date/time easily enough in code. However, LDP doesn't show the new attribute as a date/time, just as the large integer. Is there any way to specify how that attribute should be interpreted or are those just built into LDP? Or do people just use a string format?


RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread deji
Dean,
 
I hope you don't mind me asking you this. If you do, please forgive me. I'll
ask anyway :-p
 
Considering that I work for a Microsoft Gold Partner (Unisys), what do I need
to do to get into one of the "internal" trainings you do for MS folks? I know
that MS was thinking about introducing an "AD Ranger" type of training last
year, something similar to the intensive Exchange Ranger program. I don't
know what happened to that plan, but I am thinking that the type of training
that you do for MS is along this line in terms of intensity and technical
contents.
 
Could you please let me know if it's possible for a Partner to get into these
trainings? If yours is not what I'm looking for, do you happen to know where
a Partner can find relevant trainings that are much more than the normal
"introducing AD" trainings?
 
Thanks.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Fri 2/3/2006 6:41 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain



Is replication functioning?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of V Lakshmi
Sent: Friday, February 03, 2006 12:44 AM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain


 No I am not able to see any users or groups from the workstation in the
child domain, when I  selected the parent domain, while assigning rights to
the shared folder in the child domain. When I selected advanced button while
assigning rights and searched for the user name existing in parent domain ,
it displayed an error message saying Server not operational.  The DNS in the
parent domain controller is up and running.

What might be the problem?
>>> [EMAIL PROTECTED] 02/03/06 10:24 am >>>
Can you see any users or groups from the parent domain from the child
domain? 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


- Original Message-
From: ActiveDir- [EMAIL PROTECTED]
[mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of lakshmi venkat
Sent: Wednesday, February 01, 2006 3:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in assigning permissions to the user in parent
domain over the shared folder in child domain

Hi,

We are presently working on the Parent , child setup of active directory.

The setup which were trying is as follows:

1-  We have a parent domain and a workstation as a part of parent domain.

2-  We have one more domain which is a child domain of the previously
mentioned domain. A workstation is added to the child domain and there is a
shared folder in the work station belonging to the child domain.

We login to the workstation in the parent domain as a user in the parent
domain and try to map the fileshare present in the workstation in the child
domain. This operation fails saying access denied.

We are unable to give permissions to the user in parent domain to the file
share in child domain as it does not allow to add the user, in both
permissions and security of the properties of the shared folder.

We are able to select the parent domain in the locations field of the
"Select users or groups"
dialog. But when we enter the username in the object name field, we get an
error that the object name cannot be found.

Any help will be appreciated.



Thanks
Lakshmi

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] Transferring records from one ADAM server to a new ADAM server

2006-02-03 Thread Greg Nims


We are looking to transfer all of our records from one server to a new 
server.  We took this time to clean up the schema to remove some dead 
attributes.  What is a good way to transfer all the records?
We used ldifde to create an LDIF file, but it includes a lot of attributes 
like PwdLastSet that we aren't sure will come over correctly.


Any pointers would be great.

Thanks,

Greg
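An added example, not Greg's export and not part of ldifde: one way to deal with the attributes he is worried about is to strip the ones the new instance generates itself (pwdLastSet among them) from the LDIF before importing it. The attribute list and the sample LDIF are assumptions and constructed input; adjust the list to your schema. Python is used so it runs anywhere.

```python
import base64

# Attributes the new instance generates itself (or will not import as-is);
# pwdLastSet is the one from the post. Assumed list: adjust for your schema.
# Kept lowercase because LDIF attribute names are case-insensitive.
SKIP_ATTRIBUTES = {
    "pwdlastset", "objectguid", "objectsid", "whencreated", "whenchanged",
    "usncreated", "usnchanged", "dscorepropagationdata",
}

# Constructed sample of what an ldifde export looks like (two objects,
# one base64 value, one folded line).
SAMPLE_LDIF = """dn: CN=alice,OU=People,DC=example,DC=internal
changetype: add
objectClass: top
objectClass: user
cn: alice
pwdLastSet: 127834679400000000
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
description: a long description that ldifde has
  folded onto a second line
whenCreated: 20060203190000.0Z

dn: CN=bob,OU=People,DC=example,DC=internal
changetype: add
objectClass: user
cn: bob
uSNCreated: 12345
"""


def parse_ldif(text):
    """Yield (dn, [(attribute, value_bytes), ...]) per record, unfolding
    RFC 2849 continuation lines and decoding '::' base64 values."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]            # continuation of previous line
        elif raw == "":
            if current:
                records.append(current)
            current = []
        elif not raw.startswith("#") and not raw.lower().startswith("version:"):
            current.append(raw)
    for lines in records:
        dn, attrs = None, []
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip())
            else:
                value = (rest[1:] if rest.startswith(" ") else rest).encode("utf-8")
            if name.lower() == "dn":
                dn = value.decode("utf-8")
            else:
                attrs.append((name, value))
        yield dn, attrs


def format_line(name, value):
    """Emit 'name: value', or 'name:: base64' when the value is not a
    SAFE-STRING (non-ASCII, control chars, or a leading space/colon/'<')."""
    safe = value == b"" or (value[0] not in b" :<" and all(0x20 <= b < 0x7F for b in value))
    if safe:
        return f"{name}: {value.decode('ascii')}"
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"


def filter_ldif(text, skip=SKIP_ATTRIBUTES):
    """Rewrite an LDIF export with the skipped attributes removed."""
    out = []
    for dn, attrs in parse_ldif(text):
        lines = [format_line("dn", dn.encode("utf-8"))]
        lines += [format_line(n, v) for n, v in attrs if n.lower() not in skip]
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"
```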



RE: [ActiveDir] Script to determine a machine's site

2006-02-03 Thread Presley, Steven
Have you looked at ATSN (http://www.joeware.net/win/free/tools/atsn.htm)?  Not sure if it will work for a machine that is not a member of the domain though.  But finding the local IP and then feeding it to ATSN should not be that big of a deal and the output of ATSN will return the site.

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site

Does anyone have a script which can:
 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet
And all this must be possible on a machine which is not joined to a domain. Ideally, the script should work when WinPE is running, too, as the machine is being built.

Any ideas?
neil
PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.



RE: [ActiveDir] My Docs Redirection

2006-02-03 Thread Shannon Coleman



User folder direction is a User Group Policy. Is it perhaps 
possible that your laptop users have a different policy from desktop users? Also 
laptops could be configured not to use offline files. Just a few things that 
come to mind.
 
Shannon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, February 03, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] My Docs Redirection


Hi all,
Has anyone run into a similar problem with folder redirection? Let me explain the scenario. I have configured the domain policy to redirect my docs into the users home folder, it works well and it’s great because we perform nightly backups of the users home folder and in this way back up the user’s my docs folder on tape. However, on company laptops, it is not working. Can someone suggest why it may not be working?
Thanks

George
Information from Stedionica Opportunity International A.D. Novi Sad sent by e-mail is without guarantee. Concluding legal transactions via this medium is not permitted. This e-mail may contain confidential and/or privileged information. If you have received this e-mail in error, we hereby inform you that any disclosure, copying, distribution or taking of any action in relation to its contents is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify us immediately by replying to this email, then delete it from your system.

The exchange of messages with Stedionica Opportunity International A.D. Novi Sad via e-mail is not binding. Declarations regarding legal transactions must not be exchanged via this medium. The information contained in this e-mail message is confidential and intended exclusively for the addressee. Persons receiving this e-mail message who are not the named addressee (or his/her co-workers, or persons authorized to take delivery) must not use, forward or reproduce its contents. If you have received this e-mail message by mistake, please contact us immediately and delete this email message beyond retrieval.

All outgoing and incoming e-mails are electronically archived and subject to review and/or disclosure.
Taylor-Morley, Inc.
17107 Chesterfield Airport Road
Chesterfield, MO 63005


[ActiveDir] Script to determine a machine's site

2006-02-03 Thread neil.ruston
Does anyone have a script which can:

 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to that subnet

And all this must be possible on a machine which is not joined to a domain.
Ideally, the script should work when WinPE is running, too, as the machine is being built.

Any ideas?

neil
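An added example, not a script from this thread or from ATSN: the three steps in Python, taking the address and mask from a constructed ipconfig transcript and matching them against a constructed table of the subnet objects held in the Configuration partition (most specific subnet wins). The table contents, the ipconfig sample and all function names are mine; a real run would fill the table over LDAP or from ATSN output.

```python
import re
from ipaddress import ip_interface, ip_network

# Constructed ipconfig output as printed on a 2003/XP-era machine or WinPE;
# the regexes also accept the "IPv4 Address" label newer builds print.
IPCONFIG_SAMPLE = """Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.1.9.17
        Subnet Mask . . . . . . . . . . . : 255.255.252.0
        Default Gateway . . . . . . . . . : 10.1.8.1
"""

# Constructed stand-in for the subnet objects under CN=Subnets,CN=Sites in
# the Configuration partition (subnet name -> siteObject). The entries are
# invented for illustration.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.1.0.0/16": "Leeds",
    "10.1.8.0/22": "Leeds-Lab",
    "192.168.0.0/24": "Chesterfield",
}

_IP_RE = re.compile(r"^\s*IP(?:v4)? Address[ .]*: (\d+\.\d+\.\d+\.\d+)", re.M)
_MASK_RE = re.compile(r"^\s*Subnet Mask[ .]*: (\d+\.\d+\.\d+\.\d+)", re.M)


def interfaces_from_ipconfig(text):
    """Step 1: pull 'address/mask' pairs out of ipconfig output."""
    return [f"{ip}/{mask}" for ip, mask in zip(_IP_RE.findall(text), _MASK_RE.findall(text))]


def local_subnet(address_with_mask):
    """Step 2: '10.1.9.17/255.255.252.0' -> '10.1.8.0/22'."""
    return str(ip_interface(address_with_mask).network)


def site_for_address(address, table=SUBNET_TO_SITE):
    """Step 3: (subnet, site) of the most specific AD subnet containing the
    address; (None, None) when no configured subnet covers it."""
    addr = ip_interface(address).ip
    best = None
    for subnet, site in table.items():
        net = ip_network(subnet)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return (str(best[0]), best[1]) if best else (None, None)


def site_from_ipconfig(text, table=SUBNET_TO_SITE):
    """All three steps for the first interface found:
    (local subnet, matching AD subnet, site)."""
    interfaces = interfaces_from_ipconfig(text)
    if not interfaces:
        return None, None, None
    subnet = local_subnet(interfaces[0])
    ad_subnet, site = site_for_address(interfaces[0].split("/")[0], table)
    return subnet, ad_subnet, site
```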







RE: [ActiveDir] User Account Lifecyle -- Best Practices

2006-02-03 Thread Tim Sutton
I think, to become a prof you have to publish so many papers and be
invited into the position by a university. Well, that's what a friend of
mine who's a Doc in geology said anyway :) 




For Troup Bywaters + Anders 

Tim Sutton  

T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024 
E: [EMAIL PROTECTED]
W: www.TBandA.com   

Eastgate House
10 Eastgate 
Leeds
LS2 7JL
Office Location Map 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 02 February 2006 17:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Account Lifecyle -- Best Practices

Yeah, here in the UK a PhD or however you write it means you have done
your B.Sc (degree) (or equivalent), your M.Sc (masters degree) and then
you do your PhD - which makes you a doc.  Not sure how you then become a
professor.  Something to do with rank in the university I think...
 
PhD doesn't mean a specific discipline - you can do it in any subject
that your university "does", and you usually specialise in an area of
that subject.  
 

- Original Message - 
From: Brian Desmond   
To: ActiveDir@mail.activedir.org 
Sent: Thursday, February 02, 2006 3:57 PM
Subject: RE: [ActiveDir] User Account Lifecyle -- Best Practices


Well here, phd means anyone that's done post masters degree work
- usually it goes BS MS PhD. I know a Doctor of Library Science ... just
have to find a university that's accredited to make you a doctor of
whatever.

 

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]  

 

c - 312.731.3132

 

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 02, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Account Lifecyle -- Best Practices

 

Dr J (PhD - means what exactly?)

- Doctor of Psychology. In short, the guy took a 3 year degree
and then took a 3 year post grad PhD course (doesn't matter what the
subject matter was). He is therefore known as *Dr* Jesper J.

 

What is the equiv over your side of the pond?

 

 

neil

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 02 February 2006 14:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Account Lifecyle -- Best Practices

This is fun :)

 

Dr J (PhD - means what exactly?)

 

I think you're referring to this section of the paper in the
first link 


Why You Should Not Use Account Lockout


Even though the guide recommends configuring account lockout at
50 tries, I urge you not to configure account lockout. First, as the
initial article of this series described, the chances that an attacker
will guess a reasonable password are so remote as to not justify this
option. Second, an attacker is highly likely to take your account
lockout setting and convert it to a denial-of-service attack by locking
out every account on the system. Third, most vulnerability assessment
tools will lock out all the accounts on your domain. In the end, whether
you use account lockout is a matter of your security policy, and debate
whether it provides value. Keep in mind, however, that account lockout
problems represent some of the most frequent technical support issues
with Microsoft support services, and resetting an account costs an
average of $70 per incident. If your security policy is so stringent
that you believe these numbers are acceptable, and your policy cannot
enforce reasonable passwords, you might still choose to configure
account lockout. If not, do your Help Desk and budget a favor, and avoid
it. 

I see the point.  I disagree with the assertion that seems to
have been throttled back for public consumption.  I also would say that
if your vulnerability assessment tool locks out your accounts after 50
tries, you're using the wrong vulnerability tool.  Microsoft should
consider using automated reset tools if it costs them that much  

 

No, in the end I'm a believer that if your user can't get the
password right after x number of tries (in this case, 50 is the
recommended) then they SHOULD call the helpdesk because 
knows that they need it at this point. No question in my mind.  And that
type of support incident is exactly what a help desk is for: silly user
tricks.  Does that apply to SBS?  In my opinion it should.  If you can't
remember your password after 10 tries, odds are you aren't going to.
Write it down and paste it und
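An added example, not from the quoted paper or anyone in this thread: detection logic that tells the "silly user tricks" case apart from the lockout-as-denial-of-service case the paper describes, by counting distinct accounts locked out per caller computer inside a short window. The key=value log format and the sample lines are constructed; event ID 4740 is the Vista/Server 2008 lockout event (older systems log 644), and all function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value export of event ID 4740
# (a user account was locked out); real events carry more fields.
SAMPLE_LINES = [
    "2006-02-03 09:00:05 EventID=4740 Account=alice Caller=WS-ALICE",
    "2006-02-03 09:01:10 EventID=4740 Account=bob Caller=SCANNER01",
    "2006-02-03 09:01:11 EventID=4740 Account=carol Caller=SCANNER01",
    "2006-02-03 09:01:12 EventID=4740 Account=dave Caller=SCANNER01",
    "2006-02-03 09:01:13 EventID=4740 Account=erin Caller=SCANNER01",
    "2006-02-03 09:01:14 EventID=4740 Account=frank Caller=SCANNER01",
    "2006-02-03 11:30:00 EventID=4740 Account=alice Caller=WS-ALICE",
    "2006-02-03 11:31:00 EventID=4624 Account=alice Caller=WS-ALICE",
]

_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=(?P<id>\d+) "
    r"Account=(?P<account>\S+) Caller=(?P<caller>\S+)$"
)


def parse_lockout(line):
    """Return (timestamp, account, caller) for a 4740 line, else None."""
    m = _LINE_RE.match(line)
    if not m or m.group("id") != "4740":
        return None
    return (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            m.group("account"), m.group("caller"))


def lockout_storms(lines, window=timedelta(minutes=5), threshold=5):
    """Map caller computer -> sorted accounts for every caller that locked
    out at least `threshold` distinct accounts within `window`. One user
    locking their own account repeatedly never trips this: it is the same
    account, so the distinct count stays at one."""
    by_caller = defaultdict(list)
    for parsed in map(parse_lockout, lines):
        if parsed:
            ts, account, caller = parsed
            by_caller[caller].append((ts, account))
    storms = {}
    for caller, events in by_caller.items():
        events.sort()
        hit, start = set(), 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            accounts = {a for _, a in events[start:end + 1]}
            if len(accounts) >= threshold:
                hit |= accounts
        if hit:
            storms[caller] = sorted(hit)
    return storms
```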

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Thommes, Michael M.









As just another piece of this, users sometimes just throw stuff on their “desktop” since they don’t know any better or because that might be the first location that shows up during a save operation.  The desktop is obviously included as part of the profile, leading to bloated sizes.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Friday, February 03, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

 

I too am a fan of local
profile, but I do not think that directly addresses Frank's issues...

 

A couple of jobs ago at a
school we used roaming profiles exclusively - made sense in our scenario. There
was still at least 3-4 staff on a bad day that needed their profile reconfig-ed
(all students used a mandatory profile). Bottom line - use GPO's to limit the
size of the user "dumping" grounds, and/or redirect them. It's
amazing how your profile shrink dramatically when you don't allow users to store
their files as a part of their profile, you don't copy their IE
cache, and redirect a couple of other folders.

 

I feel for you Frank, as
with users with profiles in excess of, say, 20 MB - with your links speeds, I
am amazed that you do not experience more problems (but then I am sure it is
only the ones that moves sites that cause the issues... give them a laptop and
make them have local profiles!).  ;)

 

My $0.02 inc GST...

 

themolk.

 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Friday, 3 February 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I personally avoid
roaming and mandatory roaming like the plague. One thing you can do is create a
DFS Root for the profiles of the users that move around replicate to all of the
sites that they visit. I would not recommend doing it for everyone else. I
would actually stop using roaming for everyone else that does not roam. there
are many alternatives to roaming using Group Policies because no matter how you
look at it you are slowing down the user logon and the network especially with
that many users. 

 

JMTC

 

Bill

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 4:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles



Hi all,

I have a question regarding Roaming Profiles. Our environment currently has 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines.

I like the concept of roaming profiles, however some of our users have profiles ranging from 5mb - 200mb, some even with 1GB profiles.

Because a lot of our users log on to different computers at different sites, we are finding issues with corrupted profiles and logon speeds. On a few occasions, where a user has been added to a group, the permissions assigned to this group are not shown when the user is logged back on. Deleting the profile and recreating fixes this issue but it's quite a time consuming effort.

How does everyone deal with roaming profiles if used? Sometimes there are instances where users just want to logon to the PC without their roaming profile so they can remote desktop to their PC. In this situation they have to take their profile across which can take forever depending on the size of profile and link.

Any creative ideas? How about using DFS to store the profiles?

Thanks

Frank





 










Confidentiality Notice:
The information contained in this message may be legally privileged and
confidential information intended only for the use of the individual or entity
named above. If the reader of this message is not the intended recipient, or
the employee or agent responsible to deliver it to the intended recipient, you
are hereby notified that any release, dissemination, distribution, or copying
of this communication is strictly prohibited. If you have received this
communication in error please notify the author immediately by replying to this
message and deleting the original message. Thank you.










RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Molkentin, Steve



I too am a fan of local profile, but I do not think that 
directly addresses Frank's issues...
 
A couple of jobs ago at a school we used roaming profiles 
exclusively - made sense in our scenario. There was still at least 3-4 staff on 
a bad day that needed their profile reconfig-ed (all students used a mandatory 
profile). Bottom line - use GPO's to limit the size of the user "dumping" 
grounds, and/or redirect them. It's amazing how your profile shrink dramatically 
when you don't allow users to store their files as a part of their profile, 
you don't copy their IE cache, and redirect a couple of other 
folders.
 
I feel for you Frank, as with users with profiles in excess 
of, say, 20 MB - with your links speeds, I am amazed that you do not experience 
more problems (but then I am sure it is only the ones that moves sites that 
cause the issues... give them a laptop and make them have local 
profiles!).  ;)
 
My $0.02 inc GST...
 
themolk.
 

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Friday, 3 February 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles
  
  I personally avoid roaming and mandatory roaming like the plague. One 
  thing you can do is create a DFS Root for the profiles of the users that move 
  around replicate to all of the sites that they visit. I would not recommend 
  doing it for everyone else. I would actually stop using roaming for everyone 
  else that does not roam. there are many alternatives to roaming using Group 
  Policies because no matter how you look at it you are slowing down the user 
  logon and the network especially with that many users. 
   
  JMTC
   
  Bill
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 4:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles
  
  Hi all,
I have a question regarding Roaming Profiles. Our environment currently has 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines.
I like the concept of roaming profiles, however some of our users have profiles ranging from 5mb - 200mb, some even with 1GB profiles.
Because a lot of our users log on to different computers at different sites, we are finding issues with corrupted profiles and logon speeds. On a few occasions, where a user has been added to a group, the permissions assigned to this group are not shown when the user is logged back on. Deleting the profile and recreating fixes this issue but it's quite a time consuming effort.
How does everyone deal with roaming profiles if used? Sometimes there are instances where users just want to logon to the PC without their roaming profile so they can remote desktop to their PC. In this situation they have to take their profile across which can take forever depending on the size of profile and link.
Any creative ideas? How about using DFS to store the profiles?
  Thanks
  Frank
   
  
  


RE: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-03 Thread Dean Wells
Is replication functioning?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of V Lakshmi
Sent: Friday, February 03, 2006 12:44 AM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem in assigning permissions to the user in
parent domain over the shared folder in child domain

 
 No I am not able to see any users or groups from the workstation in the
child domain, when I  selected the parent domain, while assigning rights to
the shared folder in the child domain. When I selected advanced button while
assigning rights and searched for the user name existing in parent domain ,
it displayed an error message saying Server not operational.  The DNS in the
parent domain controller is up and running. 

What might be the problem?
>>> [EMAIL PROTECTED] 02/03/06 10:24 am >>>
Can you see any users or groups from the parent domain from the child
domain?  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

- Original Message-
From: ActiveDir- [EMAIL PROTECTED]
[mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of lakshmi venkat
Sent: Wednesday, February 01, 2006 3:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in assigning permissions to the user in parent
domain over the shared folder in child domain

Hi,

We are presently working on the Parent , child setup of active directory.

The setup which were trying is as follows:

1-  We have a parent domain and a workstation as a part of parent domain. 

2-  We have one more domain which is a child domain of the previously
mentioned domain. A workstation is added to the child domain and there is a
shared folder in the work station belonging to the child domain.

We login to the workstation in the parent domain as a user in the parent
domain and try to map the fileshare present in the workstation in the child
domain. This operation fails saying access denied.

We are unable to give permissions to the user in parent domain to the file
share in child domain as it does not allow to add the user, in both
permissions and security of the properties of the shared folder.

We are able to select the parent domain in the locations field of the
"Select users or groups"
dialog. But when we enter the username in the object name field, we get an
error that the object name cannot be found.

Any help will be appreciated.



Thanks
Lakshmi



[ActiveDir] DNS memory leak?

2006-02-03 Thread Rich Milburn








I’ll preface this by saying this is on a lab server, not production, and I almost never do anything to it or with it, and it has been up and running (no reboots) for 7118156 or so seconds… there is no urgency here…

W2K3, SP1, all available Hotfixes, AD (SFSD, 1 DC), DNS, SQLE2005, WSUS, 1 member computer (Vista), maybe 20 user accounts, Dell Prec340 2.4 P4, 512MB RAM… and when I checked the Performance tab of Task Manager, I had a commit charge of 1.2 GB.  DNS.exe was showing 250 MB or so.  I restarted the DNS service and now I’m down to 339 MB commit charge.

Hmmm.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
”I love the smell of red herrings in the morning” - anonymous







---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
PRIVILEGED / 
CONFIDENTIAL INFORMATION may be contained in this message or any attachments. 
This information is strictly confidential and may be subject to attorney-client 
privilege. This message is intended only for the use of the named addressee. If 
you are not the intended recipient of this message, unauthorized forwarding, 
printing, copying, distribution, or using such information is strictly 
prohibited and may be unlawful. If you have received this in error, you should 
kindly notify the sender by reply e-mail and immediately destroy this message. 
Unauthorized interception of this e-mail is a violation of federal criminal law. 
Applebee's International, Inc. reserves the right to monitor and review the 
content of all messages sent to and from this e-mail address. Messages sent to 
or from this e-mail address may be stored on the Applebee's International, Inc. 
e-mail system.








Re: [ActiveDir] My Docs Redirection

2006-02-03 Thread Mark Parris
If you have customised the IE browser you sometimes need a hotfix to get this 
working.

Not able to give KB number at moment but the man from the Parks usually follows 
up with it. :-)

Mark

-Original Message-
From: "George Arezina" <[EMAIL PROTECTED]>
Date: Fri, 3 Feb 2006 14:55:33 
To:
Subject: [ActiveDir] My Docs Redirection

Hi all,
 
Has anyone run into a similar problem with folder redirection? Let me explain 
the scenario. I have configured the domain policy to redirect my docs into the 
users home folder, it works well and it's great because we perform nightly 
backups of the users home folder and in this way back up the users' my docs 
folder on tape. However, on company laptops, it is not working. Can someone 
suggest why it may not be working?
 
Thanks 
 
 
 
George
 
 
 


RE: [ActiveDir] distributing large service pack files

2006-02-03 Thread Rich Milburn
I'm not certain, but SQL 2005 Express (a.k.a. MSDE 2005), seems to be
running faster than I'm used to MSDE running, for my test WSUS server.
But I don't have a lot of clients on it, in fact I only have 4... but I
don't see a performance hit on it at all.  I heard it was faster...
setting it up and loading WSUS on it was simple, but I didn't try
migrating to it, I installed fresh on it.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, February 02, 2006 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] distributing large service pack files

MSDE has a bad habit of RAM "chew"

Have you tried putting a throttle on the instance?



Phillip Partipilo wrote:

>I also find that the server gets a good hammering by WSUS when synchronizing
>with MS.  I also have an old machine acting as the server, 800-something MHz
>HP netserver, and it will start running really slow.  The MSDE
>instance seems to be what eats up so much CPU. Wonder what kind of queries
>it's busy processing.
>
>Phillip Partipilo
>Parametric Solutions Inc.
>Jupiter, Florida
>(561) 747-6107
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
>Sent: Thursday, February 02, 2006 3:57 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] distributing large service pack files
>
>Hmm. That's an answer I didn't expect. Good info. Thanks Susan. I know I
>need to play more with WSUS.
>The only place I have installed it was in a 20 node network with an older
>server hosting WSUS only, and it killed the performance on the server. So I
>(not very scientifically I admit) extrapolated that it would be a disaster
>in a large corporate environment. No, I didn't install all languages :-) I'm
>sure I did something wrong, just haven't gone back to revisit it yet.
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
>aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, February 02, 2006 3:50 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] distributing large service pack files
>
>Not to mention it's my understanding that it's not legal to distribute
>service packs "outside" the MS cloud and host MS code like service
>packs/hotfixes like that.
>
>This is why universities cannot hand out SP cdroms and some such things.
>
>Since the Department of Justice... it's been my impression that MS tends to
>want to control the bits so they can yank parts if need be [see recent SP
>update notifications for Office due to stupid lawsuit between guy and MS on
>Access]
>
>WSUS had to get some eula's rewritten to allow the geeks to do allow
>consultants to do patching and what not.
>
>Molkentin, Steve wrote:
>
>>Mark,
>>WSUS (and SMS for that matter) uses the "Background Intelligent
>>Transfer Service" (that's what it's called) to do just this on large
>>files, in that it is smart enough to recognise downtime on your
>>network to send files, and manages the resumption of large files if it
>>had to stop transferring them. It is pretty seamless in my experience
>>- all our links are less than T1 (except for the internet pipe into
>>our head office), and we manage to push a lot of stuff around using
>>WSUS quite well with no interruption to business.
>>It's not hard to set up an older PC as a local WSUS cache - it needs
>>little in the way of processor and RAM (really), and will get over any
>>cost issue and give you the ability to distribute, etc. Additionally,
>>it takes away all the responsibility of the staff member to
>>install/connect/download the service pack (and don't start me on the
>>fact that they shouldn't have admin rights to install it in the first
>>place).
>>My $0.02 inc GST...
>>themolk.
>>
>>*From:* [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] *On Behalf Of
>>*Creamer, Mark
>>*Sent:* Friday, 3 February 2006 6:18 AM
>>*To:* ActiveDir@mail.activedir.org
>>*Subject:* [ActiveDir] distributing large service pack files
>>
>>The structure of our WAN is such that we have lots of small
>>offices all over the country, each with a few to a hundred or so
>>PCs, connected by not-so-fast links. The biggest locations have
>>T1s, but many don't. Keeping these things patched is a nightmare.
>>We do not have distributed servers, and really nothing except the
>>PCs themselves to cache 

[ActiveDir] My Docs Redirection

2006-02-03 Thread George Arezina



RE: [ActiveDir] DNS vs NETBIOS name? Or something else?

2006-02-03 Thread Douglas M. Long
The Winlogon offers localmachine, DOMINT, and DOMAIN. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, February 02, 2006 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS vs NETBIOS name? Or something else?

What are the options in the Winlogon box?  You should only have the choice 
of the NetBIOS domain name or the local box (and any trusted domains).

To use the DNS name you need to use a UPN.


--Paul

- Original Message - 
From: "Douglas M. Long" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, February 02, 2006 6:04 PM
Subject: RE: [ActiveDir] DNS vs NETBIOS name? Or something else?


> Ok, I am revisiting this because it is bugging the crap out of me.
>
> 2003 domain upgraded from NT 4.0
> NetBIOS name: DOMINT
> DNS Domain name: domain.com
>
>
> Users can logon to the machine with DOMINT, but not DOMAIN from the drop
> down. There are no NeutralizeNT4Emulator or NT4Emulator keys on either the
> DCs or the clients. Shouldn't that allow them to login with the DNS name? I
> actually want them to be able to login with either from the drop down list.
>
> Any ideas? Is this easier than I think? What am I overlooking?


RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Krenceski, William



I personally avoid roaming and mandatory roaming like the plague. One thing
you can do is create a DFS Root for the profiles of the users that move
around and replicate it to all of the sites that they visit. I would not
recommend doing it for everyone else. I would actually stop using roaming for
everyone else that does not roam. There are many alternatives to roaming
using Group Policies because, no matter how you look at it, you are slowing
down the user logon and the network, especially with that many users.

JMTC

Bill


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 4:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all,
I have a question regarding Roaming Profiles. Our environment currently
has 3500 users which are all roaming profile enabled. Their profiles are
stored on the local site server. We have approx 56 sites which are all linked
by 256-1mb lines.
I like the concept of roaming profiles, however some of our users have
profiles ranging from 5mb - 200mb, some even with 1GB profiles.
Because a lot of our users log on to different computers at different sites,
we are finding issues with corrupted profiles and logon speeds. On a few
occasions, where a user has been added to a group, the permissions assigned
to this group are not shown when the user is logged back on. Deleting the
profile and recreating it fixes this issue but it's quite a time consuming
effort.
How does everyone deal with roaming profiles if used? Sometimes there are
instances where users just want to logon to the PC without their roaming
profile so they can remote desktop to their PC. In this situation they have
to take their profile across which can take forever depending on the size of
profile and link.
Any creative ideas? How about using DFS to store the profiles?
Thanks
Frank
 




RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Bahta, Nathaniel V Contractor NASIC/SCNA



Frank,

Holy cow!  Are you serious? 1GB profiles?  Are you sure you don't mean Home
Directories?

Q)  If you have a 265mb link and a 1GB profile and a 100 Mbps connection,
how long does it take to download a profile during peak usage (i.e. first
thing in the morning)?
(I am in a Math 102 class right now)

A)  If the user has 25.6Mbps available to his/herself at the time it would
take 86 hrs 48 mins and 20 seconds to download their profile (with zero
utilization).

Source http://www.numion.com/Calculators/Time.html

Why do you not restrict the amount of data allowable in the profile based
upon industry standards, taking into account your site level connection
speed?

Like most organizations, we deal with them by restricting the size.

Nate





RE: [ActiveDir] Need Script.

2006-02-03 Thread neil.ruston



LOL. I'd be a rich man if that ploy worked and MS et al gave me a cut each
time I recommended their solutions.

neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: 03 February 2006 09:18
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need Script.

If at all if you write a special invoice please make sure to give me some
percentage in that! ;-) I have been marketing them whole heartedly!

Sincerely,
J

On 2/3/06, joe <[EMAIL PROTECTED]> wrote:

  What I really need to do is start kicking out tools I charge for. :o)

  I wouldn't mind getting to a point where enough income was coming in that
  I could just play around working out new tools all day.

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
  Sent: Friday, February 03, 2006 12:12 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Need Script.

  Joe, maybe you should write a special invoice for Jitendra's company ;-)

  From: joe [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 02, 2006 8:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Need Script.

  Quite honestly this isn't the first time I have heard this. Many companies
  have an unnatural aversion to products that are free. They want to know
  what the catch is and they think that just because they pay for something
  they are getting better support. Of course that simply means they aren't
  really reading those EULAs. :)

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, February 02, 2006 6:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Need Script.

  So Joe's excellent utilities are banned yet you're able to accept a script
  from someone else??? How does that work?? Which option offers the highest
  risk and which offers robustness and maturity? You choose :)

  neil

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jitendra Kalyankar
  Sent: 02 February 2006 11:31
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Need Script.

  Good Morning guys!

  I need a script to locate bulk users from a text file and put it in a csv
  file

  I know that Joe's tool would do this, but as I mentioned in my earlier
  mails it can not be used in my organisation.

  :-(

  Have a wonderful Thursday!

  Sincerely,

  J
  

[ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Frank Abagnale
Hi all,

I have a question regarding Roaming Profiles. Our environment currently has
3500 users which are all roaming profile enabled. Their profiles are stored
on the local site server. We have approx 56 sites which are all linked by
256-1mb lines.

I like the concept of roaming profiles, however some of our users have
profiles ranging from 5mb - 200mb, some even with 1GB profiles.

Because a lot of our users log on to different computers at different sites,
we are finding issues with corrupted profiles and logon speeds. On a few
occasions, where a user has been added to a group, the permissions assigned
to this group are not shown when the user is logged back on. Deleting the
profile and recreating it fixes this issue but it's quite a time consuming
effort.

How does everyone deal with roaming profiles if used? Sometimes there are
instances where users just want to logon to the PC without their roaming
profile so they can remote desktop to their PC. In this situation they have
to take their profile across which can take forever depending on the size of
profile and link.

Any creative ideas? How about using DFS to store the profiles?

Thanks
Frank

Re: [ActiveDir] Need Script.

2006-02-03 Thread Jitendra Kalyankar
If at all if you write a special invoice please make sure to give me some
percentage in that! ;-) I have been marketing them whole heartedly! 
 
Sincerely,
J 


RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

2006-02-03 Thread TIROA YANN



Hi Victor,

I just had this issue last week!
The All Address Lists had disappeared from ESM!!!

In fact "someone" (seen in the security event log of my DC) who has full
Exchange admin on the organisation made an error and deleted the "All Address
Lists", then he tried to recreate it but could not due to some replication
issues, and a collision occurred!

So I wanted to confirm this: I opened ADSIEDIT, went to
"CN=LostAndFoundConfig,CN=Configuration,DC=mydomain,,DC=fr", and saw that the
list was there but suffixed with a CNF, like this:
"CN=All Address ListsCNF;feffgee", the same as all child lists and my
personal @ lists.

So that tells us that the lists were duped and, due to the replication issue,
a collision occurred.

So I deleted the duped lists, ran forestprep, and the "All Address Lists"
appeared in ESM.

For your issue, you have also lost the GAL, so do not forget to check:
1) that the GAL is associated to the Offline GAL in ESM.
2) rebuild the Offline GAL.

One issue I had is for Outlook 2k3 in cache mode:
1) For those clients that are configured in cache mode (.ost and .oab), you
must force your client to download the GAL + All Address Lists + GAL.
2) For those that are configured in cache mode (only .ost), you also must
force the download of the GAL.

Hope that helps.

Yann


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Friday, 3 February 2006 09:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global
Address Lists" disappeared

Thanks Michael and Tony, I will try it and will let you 
know the outcome.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, 3 February 2006 2:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global
Address Lists" disappeared

As Tony said, if they are deleted and you need the specific contents back,
an authoritative restore is your appropriate response.

If the defaults work for you, you might just try rerunning forestprep and
domainprep, then touching each store setting the GAL for the store.

I have seen security changes make them "appear" to disappear. adsiedit.msc
is where you go to deal with that (although, again, rerunning forestprep and
domainprep will probably take care of it for you).


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, February 02, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global
Address Lists" disappeared

What if the containers mentioned in the subject title are 'suddenly' missing
in ESM?
I have not checked (via adsiedit) if they are still in the Config.Nam.Context
because I just heard this and have not had the chance to actually look at it.

If they are gone from the conf.nam.cont. how can I get these folders back,
and what if they are visible there but not in ESM?

Any help is greatly appreciated.
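The ADSIEDIT check Yann describes above (looking for address list objects whose name has been rewritten with a CNF suffix after a replication collision) can be scripted. The following is an added example, not code from the thread: it assumes the RSAT ActiveDirectory module is installed, and the function name Get-ConflictObject is my own.

```powershell
# Added example, not from the thread. Lists replication-conflict (CNF)
# objects in the Configuration partition and reports whether a live object
# with the original name still exists alongside each one.
Import-Module ActiveDirectory

function Get-ConflictObject {
    [CmdletBinding()]
    param(
        # Default to the forest's Configuration NC, which holds the Exchange
        # address list containers and the LostAndFoundConfig container.
        [string]$SearchBase = (Get-ADRootDSE).configurationNamingContext
    )

    # A conflict object has its RDN rewritten to "<name>\nCNF:<objectGUID>".
    # \0A is the LDAP hex escape for the line feed that precedes "CNF:".
    $conflicts = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(name=*\0ACNF:*)' -Properties name, whenChanged

    foreach ($obj in $conflicts) {
        # In the name attribute the separator is a literal line feed.
        $originalName = ($obj.Name -split "`nCNF:")[0]

        # Parent DN: drop the first RDN, where the line feed is escaped as \0A.
        $parentDn = $obj.DistinguishedName -replace '^CN=.*?\\0ACNF:[0-9A-Fa-f-]+,', ''

        # Is there a live sibling with the original name (the collision winner)?
        $live = Get-ADObject -SearchBase $parentDn -SearchScope OneLevel `
            -Filter { name -eq $originalName } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            OriginalName   = $originalName
            ObjectClass    = $obj.ObjectClass
            ConflictDN     = $obj.DistinguishedName
            WhenChanged    = $obj.WhenChanged
            LiveCopyExists = [bool]$live
        }
    }
}

# Report only: decide per object which copy is the correct survivor
# (and take a backup) before deleting anything, as the thread advises.
Get-ConflictObject | Format-Table -AutoSize
```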
 
 


RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

2006-02-03 Thread Victor W.



Thanks Michael and Tony, I will try it and will let you know the outcome.

