RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
I can't see them as well, OL2k3 into POP, provider is using ESMTP (Nemesis) and POP appears to be mimap12 (at least that's what telnetting against the pop tells me).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 16, 2006 2:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Interesting, for the O2K3 via POP3 what is the backend? I am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, May 15, 2006 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm getting the list at home and at work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via Exchange and MAPI is coming in blank. Both the non-SP standard builds of Outlook. Exchange is still @ E2K...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it? Anyone understand what the full spec for a message is and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it.

joe

Here is Al's message straight from POP without interpretation:

retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: "Al Mulnick" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL. It appears that GMAIL is mime encoding the messages, and then the list attaches the plain text banner on it and the whole decodes incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the possibility of bad characters. If I had to guess, I would guess the bad characters are the plain text banner being decoded as MIME.
[ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?
Hi all,

I had just logged in to one of the print servers in my remote site, out of my usual scope - but the point is that the server has some logon scripts (local) associated with it. Just concerned about the security aspect of it - what is stopping some server admins from putting in some logon scripts that add a certain account as enterprise admin (booby trap). I know the usual rule was to not log in to untrusted boxes... but is there a way to overcome such?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] GPO Software Deployment
Hi Guys,

Thanks for the input but still no joy, nothing is showing in the logs and I don't have the original package. The below is popping up in the event log though:

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description: Detection of product '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature 'WIFEAT0001' failed during request for component '{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any memories for anyone? I think I'm just going to have to get the whole lot rebuilt. Woe is me.

Cheers

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much info as possible about what is happening. If you need help debugging the output, let me know.

Cheers
Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:

From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, May 10, 2006 3:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment

Hi All,

Strange one.. I have taken over the support of an organisation where the last organisation has made a bit of a pig's ear of the AD deployment. It appears upon discussion with staff that a software deployment of Acrobat Reader has been put in at some point and then removed. I also found an old machine with a self-built msi package on.

Now, while the users are working away an msi installer window just flickers up on the screen and vanishes regularly. This is infuriating for the user base but I can't seem to nail it down as any reference has been removed from the registry.
RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.
Yann,

How are you planning on protecting your lag site DCs from a forced replication?

Regards,

Iain | IT Services | Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 15 May 2006 21:49
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

Understood! We will follow your advice.

Cheers,
Yann

----- Original message -----
From: "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

SRV records:
* make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag are higher than any other site links that also link to the main site

For the lag to work properly make sure you have at least one DC from each domain, because of eventual cross domain links (e.g. group memberships).

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

hello all,

We are about to build a lag site for our AD recovery strategy. We schedule replication Prod Sites -> Lag Sites once a week. We have one forest with a Root and Child domain. The lag site will contain only one DC. We would like to disable client auth on this DC. So I found 2 ways to do this:

1) Configuring the "DC Locator DNS Records" via a GPO.
or
2) Stop and disable the netlogon service.

What will be the best choice? 1) or 2)?
Shall I also disable the Server service to avoid replication of sysvol too?

Thanks for input.
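An added verification script, not from the thread or from any of its posters, that checks a lag DC against Jorge's three points above: no locator SRV records for it in DNS, its replication CNAME still present, and every site link containing the lag site costing more than any other link into the main site. It assumes the RSAT ActiveDirectory module and Resolve-DnsName are available; the DC, main-site and DNS-server names are placeholders to replace.

```powershell
# Added example, not from the list thread: audits a lag-site DC against the advice above.
# Requires the RSAT ActiveDirectory module and Resolve-DnsName (DnsClient module).
param(
    [string]$LagDc     = 'lagdc01.child.corp.example',  # assumed placeholder: the lag DC's FQDN
    [string]$MainSite  = 'Main-Site',                    # assumed placeholder: production site name
    [string]$DnsServer = 'dc01.corp.example'             # assumed placeholder: authoritative DNS server
)
Import-Module ActiveDirectory

$dc     = Get-ADDomainController -Identity $LagDc
$domain = $dc.Domain
$forest = $dc.Forest
$site   = $dc.Site
$fqdn   = $dc.HostName.ToLower()
# The NTDS Settings object GUID names the CNAME (<guid>._msdcs.<forest>) replication partners use.
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.ToString()

# 1) Locator SRV records a normal DC registers. The "DC Locator DNS Records" GPO setting
#    (DnsAvoidRegisterRecords) is what should keep the lag DC out of every one of these.
$srvNames = @(
    "_ldap._tcp.$domain"
    "_ldap._tcp.dc._msdcs.$domain"
    "_ldap._tcp.$site._sites.$domain"
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"
    "_kerberos._tcp.$domain"
    "_kerberos._tcp.dc._msdcs.$domain"
    "_kerberos._tcp.$site._sites.$domain"
    "_kerberos._tcp.$site._sites.dc._msdcs.$domain"
    "_kpasswd._tcp.$domain"
    "_gc._tcp.$forest"
    "_gc._tcp.$site._sites.$forest"
    "_ldap._tcp.gc._msdcs.$forest"
)
$leaked = foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        if ($r.NameTarget -and $r.NameTarget.TrimEnd('.').ToLower() -eq $fqdn) { $name }
    }
}

# 2) The replication CNAME must still resolve to the lag DC, or partners cannot replicate with it.
$cname   = Resolve-DnsName -Name "$dsaGuid._msdcs.$forest" -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue
$cnameOk = [bool]($cname | Where-Object { $_.NameHost -and $_.NameHost.TrimEnd('.').ToLower() -eq $fqdn })

# 3) Every site link containing the lag site must cost more than any other link into the main site,
#    so the lag site never becomes a transit path for production replication.
$siteRe    = [regex]::Escape($site)
$mainRe    = [regex]::Escape($MainSite)
$links     = Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded
$lagLinks  = @($links | Where-Object { @($_.SitesIncluded) -match "^CN=$siteRe," })
$otherMain = @($links | Where-Object { (@($_.SitesIncluded) -match "^CN=$mainRe,") -and -not (@($_.SitesIncluded) -match "^CN=$siteRe,") })
$minLagCost   = ($lagLinks  | Measure-Object -Property Cost -Minimum).Minimum
$maxOtherCost = ($otherMain | Measure-Object -Property Cost -Maximum).Maximum
$costOk = ($lagLinks.Count -gt 0) -and ($null -eq $maxOtherCost -or $minLagCost -gt $maxOtherCost)

[pscustomobject]@{
    LagDc                = $fqdn
    LeakedSrvRecords     = @($leaked)
    ReplicationCname     = "$dsaGuid._msdcs.$forest"
    CnameResolvesToDc    = $cnameOk
    LagLinkMinCost       = $minLagCost
    OtherMainLinkMaxCost = $maxOtherCost
    SiteLinkCostOk       = $costOk
    Pass                 = (@($leaked).Count -eq 0) -and $cnameOk -and $costOk
}
```

Run it from a management host rather than on the lag DC itself, since that DC's Netlogon may be stopped; a non-empty LeakedSrvRecords list means clients can still locate the lag DC for authentication.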
RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
I'm on O2K3 SP1 via E2K3 SP2, and the only blanks I've ever seen on this list were the long string of intentionally blank emails. ;-) I did, however, see strange characters at the end of Al's last message, and what's interesting is they were different characters than the ones Susan forwarded.

Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday 15 May 2006 20:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Interesting, for the O2K3 via POP3 what is the backend? I am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, May 15, 2006 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm getting the list at home and at work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via Exchange and MAPI is coming in blank. Both the non-SP standard builds of Outlook. Exchange is still @ E2K...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it? Anyone understand what the full spec for a message is and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it.

joe

Here is Al's message straight from POP without interpretation:

retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: "Al Mulnick" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL. It appears that GMAIL is mime encoding the messages, and then the list attaches the plain text banner on it and the whole decodes incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the possibility of bad characters. If I had to guess, I would guess the bad characters are the plain text banner being decoded as MIME.

--
RE: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?
> what is stopping some server admins to put in some logon scripts that adds a certain account as enterprise admin (boobietrap).

The same thing that prevents them from installing a keylogger or modifying any code on the system to do their nefarious deeds when a high level account runs them - absolutely nothing. Login scripts are just one of many possible attack vectors. The point is, if you don't trust the code on a box or the admins that can put code on a box, then you should NEVER use your high-level accounts for accessing that box.

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Tue 5/16/2006 3:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

Hi all,

I had just logged in to one of the print servers in my remote site, out of my usual scope - but the point is that the server has some logon scripts (local) associated with it. Just concerned about the security aspect of it - what is stopping some server admins from putting in some logon scripts that add a certain account as enterprise admin (booby trap). I know the usual rule was to not log in to untrusted boxes... but is there a way to overcome such?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
If all of those were intended I did get everything correct as well. Mainly one thread IIRC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Cline
Sent: Tuesday, May 16, 2006 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm on O2K3 SP1 via E2K3 SP2, and the only blanks I've ever seen on this list were the long string of intentionally blank emails. ;-) I did, however, see strange characters at the end of Al's last message, and what's interesting is they were different characters than the ones Susan forwarded.

Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday 15 May 2006 20:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Interesting, for the O2K3 via POP3 what is the backend? I am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, May 15, 2006 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm getting the list at home and at work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via Exchange and MAPI is coming in blank. Both the non-SP standard builds of Outlook. Exchange is still @ E2K...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it? Anyone understand what the full spec for a message is and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it.

joe

Here is Al's message straight from POP without interpretation:

retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: "Al Mulnick" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] DHCP migration(OT)
look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible?

Thanks
Re: [ActiveDir] DHCP migration(OT)
Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options?

Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible?

Thanks
Re: [ActiveDir] DHCP migration(OT)
Haven't played with it for a while so I can't answer unless I fire up a VM and start playing. Do you fancy letting me know your findings ;-)

M@

On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote:

Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options?

Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible?

Thanks
RE: [ActiveDir] [ActiveDir Digest]
Jeri,

System ODBC DSNs are stored in the registry at HKLM\SOFTWARE\ODBC\ODBC.INI\<DSN NAME>. The DSN names themselves are listed as values in HKLM\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources.

If you create the DSNs you need by hand, then you can export them to a reg file and build a custom ADM file around it. Be aware that these are system DSNs, so they apply to the machine. If users from different OUs need the same DSN name, but with different parameters, then you will need to use user level DSNs, which are in the same location but in HKCU.

Jef

-----Original Message-----
From: Bland, Jeri [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 4:38 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [ActiveDir Digest]

Is there a way to set up Group Policy to direct two different OUs at login to connect to their respective system DSNs pointing to specific SQL databases running on the same terminal server? Am I even saying this right?
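An added example, not from the thread or from Jef, of the "build a custom ADM file around it" step: it reads a System DSN that was created by hand on a reference machine from the two registry locations named above and writes an ADM template that recreates the DSN on any machine the GPO is linked to. The DSN name and output path are assumed placeholders.

```powershell
# Added example, not from the list thread. Generates an ADM template from an existing System DSN.
# Assumes a System DSN named $DsnName already exists on this machine (created by hand, as Jef suggests).
param(
    [string]$DsnName = 'SalesDB',                      # assumed placeholder: existing System DSN name
    [string]$OutFile = "$env:TEMP\$DsnName.adm"        # assumed placeholder: where to write the ADM
)

$odbcIni = 'HKLM:\SOFTWARE\ODBC\ODBC.INI'
$dsnKey  = Join-Path $odbcIni $DsnName
if (-not (Test-Path -LiteralPath $dsnKey)) { throw "System DSN '$DsnName' not found under $odbcIni" }

# "ODBC Data Sources" lists each DSN name as a value whose data is the driver's display name.
$driverName = (Get-ItemProperty -LiteralPath (Join-Path $odbcIni 'ODBC Data Sources')).$DsnName
if (-not $driverName) { throw "'$DsnName' is not listed under 'ODBC Data Sources'" }

# All string values under the DSN key (Driver, Server, Database, Trusted_Connection, ...).
# LastUser is per-machine noise and is left out; PS* are PowerShell provider properties.
$dsnProps = Get-ItemProperty -LiteralPath $dsnKey
$values = @($dsnProps.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Name -ne 'LastUser' -and $_.Value -is [string] })

# ADM string literal: wrap in double quotes, doubling any embedded double quote.
function Format-AdmString([string]$s) { '"' + ($s -replace '"', '""') + '"' }

$dsnSubKey = "SOFTWARE\ODBC\ODBC.INI\$DsnName"
$lines = @(
    'CLASS MACHINE'
    'CATEGORY !!Cat_ODBC'
    "  POLICY !!Pol_$DsnName"
    '    KEYNAME "SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources"'
    "    EXPLAIN !!Exp_$DsnName"
    '    ACTIONLISTON'
    "      VALUENAME $(Format-AdmString $DsnName) VALUE $(Format-AdmString $driverName)"
)
foreach ($v in $values) {
    # Each DSN parameter becomes one registry write under the DSN's own key.
    $lines += "      KEYNAME $(Format-AdmString $dsnSubKey) VALUENAME $(Format-AdmString $v.Name) VALUE $(Format-AdmString $v.Value)"
}
$lines += @(
    '    END ACTIONLISTON'
    '    ACTIONLISTOFF'
    # Disabling the policy only removes the listing; the DSN key itself is left for the admin to clean up.
    "      VALUENAME $(Format-AdmString $DsnName) VALUE DELETE"
    '    END ACTIONLISTOFF'
    '  END POLICY'
    'END CATEGORY'
    ''
    '[strings]'
    'Cat_ODBC="ODBC System Data Sources"'
    "Pol_$DsnName=""System DSN: $DsnName"""
    "Exp_$DsnName=""Creates the $DsnName System DSN ($driverName) under HKLM\SOFTWARE\ODBC\ODBC.INI."""
)

Set-Content -LiteralPath $OutFile -Value $lines -Encoding Unicode
Write-Output "Wrote $OutFile with $($values.Count) DSN values; add it under Administrative Templates and link the GPO to the OU."
```

Because these keys live outside the Policies branches, the Group Policy editor lists them only with "Show Policies Only" turned off, and the values persist on the machine after the GPO is unlinked, so each OU gets its own GPO with its own DSN parameters.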
RE: [ActiveDir] Is there a way to force users to logon to domain?
Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess the best thing to do would be to delete all existing local user accounts.

-Sergio

-----Original Message-----
From: Joe Lagreca [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Al and others,

We are retrofitting previously deployed workstations. Some have local logins, while others do not. I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log into their local machine.

I have been told that "In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins." will not work. However I still need to test this myself. I was told allow logon locally will make it so all unlisted users will not be able to login from that workstation, whether it's locally or to the domain.

I realize their profiles wouldn't copy, and we can deal with that afterwards.

Thanks.
Joe

On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:

I think you've seen several ways of achieving something similar to what you've asked for. But I'm curious as to what you really want to accomplish. You've put something very specific, but what makes you want to force the logon? What's the backstory?

Al

On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:

Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO?

Thanks.
RE: [ActiveDir] DHCP migration(OT)
It will migrate the leases as well, but not sure if it will merge or overwrite though.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, May 16, 2006 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options?

Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible?

Thanks
Re: [ActiveDir] Is there a way to force users to logon to domain?
On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess the best thing to do would be to delete all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche
RE: [ActiveDir] GPO Software Deployment
So, I suspect what is happening here, based on that error, is the popup you're seeing is Windows Installer trying to repair the application but not finding the right files to do it. The Feature name, WIFEAT0001, tells me the package was created using WinInstall--not very interesting. I suspect that the registry still contains references to the package. I would search the registry by the Product GUID, below, and get rid of all instances of it. Alternatively, you could try downloading and running the Installer Cleanup tool, found at http://support.microsoft.com/kb/290301/

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, May 16, 2006 3:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Hi Guys,

Thanks for the input but still no joy, nothing is showing in the logs and I don't have the original package. The below is popping up in the event log though:

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description: Detection of product '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature 'WIFEAT0001' failed during request for component '{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any memories for anyone? I think I'm just going to have to get the whole lot rebuilt. Woe is me.

Cheers

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much info as possible about what is happening. If you need help debugging the output, let me know.

Cheers
Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:

From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, May 10, 2006 3:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment

Hi All,

Strange one.. I have taken over the support of an organisation where the last organisation has made a bit of a pig's ear of the AD deployment. It appears upon discussion with staff that a software deployment of Acrobat Reader has been put in at some point and then removed. I also found an old machine with a self-built msi package on.

Now, while the users are working away an msi installer window just flickers up on the screen and vanishes regularly. This is infuriating for the user base but I can't seem to nail it down as any reference has been removed from the registry.
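An added example, not from the thread or from Darren, of the registry search he suggests, using the product and component GUIDs from the 1001 event: it computes the packed form Windows Installer uses for its registry key names and reports every registration still pointing at them, which is why a plain search for the braced GUID finds nothing. It reports only and deletes nothing; run it elevated so the per-machine Installer keys are readable.

```powershell
# Added example, not from the list thread: find leftover Windows Installer registrations for a product.
# Report only; remove what it finds yourself or with the Installer Cleanup tool Darren mentions.
param(
    [string]$ProductCode   = '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}',  # product from the 1001 event
    [string]$ComponentCode = '{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'   # component from the 1001 event
)

function ConvertTo-PackedGuid {
    # Windows Installer stores GUIDs "packed": the first three groups are reversed whole,
    # then each remaining pair of hex digits is swapped, with braces and dashes dropped.
    # {5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82} -> 5C7DF3C5DB291A745BEE257EA1C1B228
    param([Parameter(Mandatory)][string]$Guid)
    $hex = ($Guid -replace '[{}-]', '').ToUpper()
    if ($hex.Length -ne 32) { throw "Not a GUID: $Guid" }
    $packed = (-join $hex[7..0]) + (-join $hex[11..8]) + (-join $hex[15..12])
    for ($i = 16; $i -lt 32; $i += 2) { $packed += -join $hex[($i + 1), $i] }
    return $packed
}

$pProduct   = ConvertTo-PackedGuid $ProductCode
$pComponent = ConvertTo-PackedGuid $ComponentCode
$userData   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
$hits       = @()

# Product-level registrations, per machine and for the current user.
$productKeys = @(
    "HKLM:\SOFTWARE\Classes\Installer\Products\$pProduct"
    "HKLM:\SOFTWARE\Classes\Installer\Features\$pProduct"
    "$userData\S-1-5-18\Products\$pProduct"
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
    "HKCU:\SOFTWARE\Microsoft\Installer\Products\$pProduct"
    "HKCU:\SOFTWARE\Microsoft\Installer\Features\$pProduct"
)
foreach ($k in $productKeys) {
    if (Test-Path -LiteralPath $k) { $hits += [pscustomobject]@{ Kind = 'Product'; Path = $k; Detail = '' } }
}

# Upgrade codes: one key per packed upgrade code, one value per packed product code.
foreach ($k in Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\Installer\UpgradeCodes' -ErrorAction SilentlyContinue) {
    if ($k.GetValueNames() -contains $pProduct) {
        $hits += [pscustomobject]@{ Kind = 'UpgradeCode'; Path = $k.Name; Detail = '' }
    }
}

# Component registrations: UserData\<SID>\Components\<packed component>, one value per packed
# product code whose data is the component's key path. A surviving value for this product is
# what keeps the feature "detected" and makes Windows Installer try to repair it.
foreach ($sid in Get-ChildItem -Path $userData -ErrorAction SilentlyContinue) {
    $compRoot = Join-Path $sid.PSPath 'Components'
    foreach ($comp in Get-ChildItem -LiteralPath $compRoot -ErrorAction SilentlyContinue) {
        if ($comp.GetValueNames() -contains $pProduct) {
            $kind = if ($comp.PSChildName -eq $pComponent) { 'ComponentFromEvent' } else { 'Component' }
            $hits += [pscustomobject]@{ Kind = $kind; Path = $comp.Name; Detail = $comp.GetValue($pProduct) }
        }
    }
}

# Group Policy software installation bookkeeping: any value whose data is the braced product code.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt') {
    foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($v in $k.GetValueNames()) {
            if ("$($k.GetValue($v))" -ieq $ProductCode) {
                $hits += [pscustomobject]@{ Kind = 'GpAppMgmt'; Path = $k.Name; Detail = $v }
            }
        }
    }
}

$hits | Sort-Object Kind, Path
```

An empty result on a machine that still shows the flicker means the reference is somewhere this list does not cover (another user's HKCU hive, for instance), which the verbose msiexec log Jon suggested will pinpoint.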
Re: [ActiveDir] Is there a way to force users to logon to domain?
Sergio, That is the approach we are going to take. Write a script to run at start up to delete all local accounts, except administrator, which only we should know the password for. Do you have any ideas on how to change local account passwords via GPO or remotely? We would like to change the administrator passwords initially, and probably like to change it on a continual basis. Thank you. Joe On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. -Sergio -Original Message- From: Joe Lagreca [mailto:[EMAIL PROTECTED] Sent: Monday, May 15, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Al and others, We are retrofitting previously deployed workstations. Some have local logins, while others do not. I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log into their local machine. I have been told that In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins. will not work. However I still need to test this myself. I was told allow logon locally will make it so all unlisted users will not be able to login from that workstation, whether its locally or to the domain. I realize their profiles wouldn't copy, and we can deal with that afterwards. Thanks. Joe On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote: I think you've seen several ways of achieving something similar to what you've asked for. But I'm curious as to what you really want to accomplish. You've put something very specific, but what makes you want to force the logon? What's the backstory? 
Al On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote: Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Is there a way to force users to logon to domain?
Even if that is possible by any means - what are you going to do if the computer falls out of the domain. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Tuesday, May 16, 2006 11:26 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. Can you actually delete localhost\administrator on NT4/2K/XP workstations? -- AdamT A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Is there a way to force users to logon to domain?
No, and I always find it a relief to have a local admin account in a failure situation. Robert Rutherford QuoStar Solutions Limited -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: 16 May 2006 16:26 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. Can you actually delete localhost\administrator on NT4/2K/XP workstations? -- AdamT A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
OT: Corrupt messages (was RE: [ActiveDir][OT] Is there a way to force users to logon to domain?)
I've seen O2007 display it both ways, and I think it's much more Exchange dependent (whether it's been promoted to MAPI format or continues in Internet format). The list software should not append a plain text footer to a base64 message without encapsulating the original message and rewriting the message to multipart. I'm certain, without tracking the RFC down, that not doing so is an RFC violation. Exchange 2003 SP2 had some changes to its handling of bad MIME as well, which could be playing a role with the various experiences being seen by different people. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, May 15, 2006 7:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain? I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it? Anyone understand what the full spec for a message is and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it.
joe Here is Al's message straight from POP without interpretation: retr 39 +OK Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400 Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400 Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwW M= Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT) Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT) Message-ID: [EMAIL PROTECTED] Date: Mon, 15 May 2006 16:38:12 -0400 From: Al Mulnick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? 
In-Reply-To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64 Content-Disposition: inline References: [EMAIL PROTECTED] Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860] SSB0aGluayB5b3UndmUgc2VlbiBzZXZlcmFsIHdheXMgb2YgYWNoaWV2aW5nIHNvbWV0aGluZyBz aW1pbGFyIHRvCndoYXQgeW91J3ZlIGFza2VkIGZvci4gIEJ1dCBJJ20gY3VyaW91cyBhcyB0byB3 aGF0IHlvdSByZWFsbHkgd2FudCB0bwphY2NvbXBsaXNoLiAgWW91J3ZlIHB1dCBzb21ldGhpbmcg dmVyeSBzcGVjaWZpYywgYnV0IHdoYXQgbWFrZXMgeW91CndhbnQgdG8gZm9yY2UgdGhlIGxvZ29u PyAgV2hhdCdzIHRoZSBiYWNrc3Rvcnk/CgpBbAoKT24gNS8xNS8wNiwgSm9lIExhZ3JlY2EgPGxh Z3JlY2FAZ21haWwuY29tPiB3cm90ZToKPiBJcyB0aGVyZSBhIHdheSB0byBmb3JjZSB1c2VycyB0 byBsb2dvbiB0byBkb21haW4sIG9yIHRvIGRpc2FibGUgbG9naW5nIGludG8KPiBsb2NhbCBjb21w dXRlciBhY2NvdW50cyB2aWEgR1BPPwo+Cj4gVGhhbmtzLgo+Cg== List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ . -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: joe [mailto:[EMAIL PROTECTED] Sent: Monday, May 15, 2006 7:28 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain? Al is sending from GMAIL. It appears that GMAIL is mime encoding the messages, and then the list attaches the plain text banner on it and the whole decodes incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the possibility of bad characters. If I had to guess, I would guess the bad characters are the plain text banner being decoded as MIME. 
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Monday, May 15, 2006 6:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is there a way to force users to logon to domain? What about the origin - are they created using OL2k7? If so it must be a new bug - I was using a bit older version for quite a while (and everything was readable), but it almost corrupted my mailstore - so I switched
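The failure this thread is chasing, a plain-text list banner glued onto a body whose Content-Transfer-Encoding is base64, is easy to reproduce and to fix with the standard library. The following is an added example, not the ActiveDir list software or any poster's code: the message, its Subject and the footer text are constructed stand-ins modelled on the raw POP capture quoted above. It shows that a strict decoder rejects the corrupted body, that a lenient one silently drops the banner (the "reads fine but with bad characters" behaviour), and the two correct ways to add the footer: decode/append/re-encode, or wrap the untouched original in multipart/mixed as the message above asks for.

```python
"""Why a plain-text footer appended to a base64 body corrupts the message,
and how a list server should add the footer instead.

Added example; not the list software. Message, Subject and FOOTER are
constructed stand-ins, not the real list banner.
"""
import base64
import binascii
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed footer in the shape of the list banner (not the real one).
FOOTER = ("\n\nList info : http://www.activedir.org/List.aspx\n"
          "List FAQ : http://www.activedir.org/ListFAQ.aspx\n")
ORIGINAL_BODY = "Is there a way to force users to logon to domain?\n"
CONTENT_HEADERS = ("content-type", "content-transfer-encoding", "mime-version")


def build_base64_message(body: str = ORIGINAL_BODY) -> str:
    """Stand-in for what the sender's mail system emitted: a single-part
    text/plain message whose body is base64 (MIMEText picks base64 for utf-8)."""
    msg = MIMEText(body, "plain", "utf-8")
    msg["Subject"] = "Re: [ActiveDir] test"      # constructed
    return msg.as_string()


def naive_append(raw: str, footer: str = FOOTER) -> str:
    """What the list software did: append raw text after the encoded body
    without touching Content-Transfer-Encoding. The ':' and '.' in the
    footer are not base64 digits, so the body is no longer valid base64."""
    return raw + footer


def strict_decode(raw: str):
    """Decode every text part the way a strict client does: every
    non-whitespace character of a base64 body must be a base64 digit.
    Returns (ok, text); ok is False when a part is malformed."""
    msg = message_from_string(raw)
    texts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload()
        if part.get("Content-Transfer-Encoding", "7bit").lower() == "base64":
            compact = "".join(payload.split())   # drop the 76-column line breaks
            try:
                payload = base64.b64decode(compact, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                return False, ""
        texts.append(payload)
    return True, "".join(texts)


def lenient_defects(raw: str):
    """Decode with Python's forgiving parser and report what it tolerated:
    it skips the bad characters and stops at the '=' padding, so the footer
    silently vanishes, but a defect is recorded on the message."""
    msg = message_from_string(raw)
    msg.get_payload(decode=True)
    return [type(d).__name__ for d in msg.defects]


def append_footer_reencode(raw: str, footer: str = FOOTER) -> str:
    """Fix 1: decode the body, append the footer, re-encode the whole part."""
    msg = message_from_string(raw)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset)
    fixed = MIMEText(body + footer, "plain", charset)
    for name, value in msg.items():
        if name.lower() not in CONTENT_HEADERS:
            fixed[name] = value
    return fixed.as_string()


def append_footer_multipart(raw: str, footer: str = FOOTER) -> str:
    """Fix 2 (what the thread asks for): leave the original part untouched,
    wrap it in multipart/mixed and add the footer as its own text part."""
    original = message_from_string(raw)
    outer = MIMEMultipart("mixed")
    for name, value in original.items():
        if name.lower() not in CONTENT_HEADERS:
            outer[name] = value
    for name in list(original.keys()):            # inner part keeps Content-* only
        if not name.lower().startswith("content-"):
            del original[name]
    outer.attach(original)
    outer.attach(MIMEText(footer, "plain"))
    return outer.as_string()


if __name__ == "__main__":
    clean = build_base64_message()
    broken = naive_append(clean)
    print("strict decode of list output ok:", strict_decode(broken)[0])
    print("python parser defects:", lenient_defects(broken))
    for fix in (append_footer_reencode, append_footer_multipart):
        ok, text = strict_decode(fix(clean))
        print(fix.__name__, "ok:", ok, "footer present:", "List.aspx" in text)
```

The lenient path is why clients disagree: a decoder that stops at the first complete padding quad returns the original text and discards everything after it, so the banner is simply lost, while one that keeps consuming digits past the padding yields the trailing garbage described in the thread.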
RE: [ActiveDir] Is there a way to force users to logon to domain?
Yeah make sure you leave all administrative accounts alone and disable the guest account. As for changing the password, you can always connect to it remotely via Computer Management (compmgmt.msc) or script it. -Sergio -Original Message- From: Joe Lagreca [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 16, 2006 8:31 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Sergio, That is the approach we are going to take. Write a script to run at start up to delete all local accounts, except administrator, which only we should know the password for. Do you have any ideas on how to change local account passwords via GPO or remotely? We would like to change the administrator passwords initially, and probably like to change it on a continual basis. Thank you. Joe On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the "allow logon locally" setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. -Sergio -Original Message- From: Joe Lagreca [mailto:[EMAIL PROTECTED] Sent: Monday, May 15, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Al and others, We are retrofitting previously deployed workstations. Some have local logins, while others do not. I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log into their local machine. I have been told that "In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins." will not work. However I still need to test this myself. I was told allow logon locally will make it so all unlisted users will not be able to login from that workstation, whether it's locally or to the domain. I realize their profiles wouldn't copy, and we can deal with that afterwards. Thanks.
Joe On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote: I think you've seen several ways of achieving something similar to what you've asked for. But I'm curious as to what you really want to accomplish. You've put something very specific, but what makes you want to force the logon? What's the backstory? Al On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote: Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Is there a way to force users to logon to domain?
I have over 100 randomly generated local admin passwords. If I forget the password and the account gets corrupted in AD then I just hack the local admin password. No one logs on locally, period! -Z.V. Robert Rutherford wrote: No, and I always find it a relief to have a local admin account in a failure situation. Robert Rutherford QuoStar Solutions Limited -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: 16 May 2006 16:26 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the "allow logon locally" setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. Can you actually delete localhost\administrator on NT4/2K/XP workstations?
RE: [ActiveDir] Is there a way to force users to logon to domain?
You can set the password in the startup script, but it's a bit open to hacking. You can use an encrypted VB Script but those are pretty easy to decrypt. There is also a tool around that will let you do it remotely. You could also assign the logon locally rights to, say, domain users and administrator. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca Sent: 16 May 2006 16:31 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Sergio, That is the approach we are going to take. Write a script to run at start up to delete all local accounts, except administrator, which only we should know the password for. Do you have any ideas on how to change local account passwords via GPO or remotely? We would like to change the administrator passwords initially, and probably like to change it on a continual basis. Thank you. Joe On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the "allow logon locally" setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. -Sergio -Original Message- From: Joe Lagreca [mailto:[EMAIL PROTECTED] Sent: Monday, May 15, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Al and others, We are retrofitting previously deployed workstations. Some have local logins, while others do not. I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log into their local machine. I have been told that "In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins." will not work. However I still need to test this myself. I was told allow logon locally will make it so all unlisted users will not be able to login from that workstation, whether it's locally or to the domain.
I realize their profiles wouldn't copy, and we can deal with that afterwards. Thanks. Joe On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote: I think you've seen several ways of achieving something similar to what you've asked for. But I'm curious as to what you really want to accomplish. You've put something very specific, but what makes you want to force the logon? What's the backstory? Al On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote: Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk **
RE: [ActiveDir] DHCP migration(OT)
Past experience, NETSH will migrate the scopes but you use the backup/restore process for the leases (if you want them). D From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe Sent: Tue 5/16/2006 8:43 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DHCP migration(OT) Haven't played with it for a while so I can't answer unless I fire up a VM and start playing. Do you fancy letting me know your findings ;-) M@ On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote: Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options? Thanks On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: look into netsh. might be of use. On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote: I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible? Thanks
RE: [ActiveDir] Is there a way to force users to logon to domain?
You can use the following script as a startup script to change the local Admin password. There is an obvious security issue with this, since you will be storing the script in a Sysvol share for machines to read. You can prevent users from browsing to and opening the file by restricting access to Domain Computers and relevant IT Admin staff. The script works even if the local Admin account name has been changed. I don't recall where I got the original copy of the script. Devin

==========
    Option Explicit
    Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
    Dim oUser

    On Error Resume Next
    Set objShell = WScript.CreateObject("WScript.Shell")
    Set objNet = CreateObject("WScript.Network")

    sNewPassword = "PutSomeReallyLongPasswordHere"
    sComputer = objNet.ComputerName
    sAdminName = GetAdministratorName

    ' Bind to the built-in Administrator account through the WinNT provider
    ' using whatever name it currently has, then reset its password.
    Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
    oUser.SetPassword sNewPassword
    oUser.SetInfo
    On Error Goto 0

    objShell.LogEvent 4, "LP startup script LP04 run record."

    '==========
    ' Get Admin Account Name
    '==========
    Function GetAdministratorName()
        Dim sUserSID, objNet, oUserAccount
        Set objNet = CreateObject("WScript.Network")
        ' Enumerate the machine's local accounts through WMI.
        Set oUserAccounts = GetObject( _
            "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
            .ExecQuery("Select Name, SID from Win32_UserAccount " & _
            "WHERE Domain = '" & objNet.ComputerName & "'")
        On Error Resume Next
        ' The built-in Administrator is the account whose SID ends in
        ' RID 500, regardless of what it has been renamed to.
        For Each oUserAccount In oUserAccounts
            If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
               Right(oUserAccount.SID, 4) = "-500" Then
                GetAdministratorName = oUserAccount.Name
                Exit For
            End If
        Next
    End Function
==========

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca Sent: Tuesday, May 16, 2006 8:31 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Sergio, That is the approach we are going to take. Write a script to run at start up to delete all local accounts, except administrator, which only we should know the password for.
Do you have any ideas on how to change local account passwords via GPO or remotely? We would like to change the administrator passwords initially, and probably like to change it on a continual basis. Thank you. Joe On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the "allow logon locally" setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. -Sergio -Original Message- From: Joe Lagreca [mailto:[EMAIL PROTECTED] Sent: Monday, May 15, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Al and others, We are retrofitting previously deployed workstations. Some have local logins, while others do not. I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log into their local machine. I have been told that "In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins." will not work. However I still need to test this myself. I was told allow logon locally will make it so all unlisted users will not be able to login from that workstation, whether it's locally or to the domain. I realize their profiles wouldn't copy, and we can deal with that afterwards. Thanks. Joe On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote: I think you've seen several ways of achieving something similar to what you've asked for. But I'm curious as to what you really want to accomplish. You've put something very specific, but what makes you want to force the logon? What's the backstory? Al On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote: Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks.
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Is there a way to force users to logon to domain?
You could give everyone a domain controller? Seriously though, we have a custom application that sits on the client and when it joins the domain, it generates a random 16 character password which it writes to a SQL database. From then on the SQL database owns the computer; if you need to regenerate a new password just push the button on a web front end and it resets it and writes it to the database. Mark -Original Message- From: Dave Wade [EMAIL PROTECTED] Date: Tue, 16 May 2006 17:28:29 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is there a way to force users to logon to domain? You can set the password in the startup script, but it's a bit open to hacking. You can use an encrypted VB Script but those are pretty easy to decrypt. There is also a tool around that will let you do it remotely. You could also assign the logon locally rights to, say, domain users and administrator. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca Sent: 16 May 2006 16:31 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain? Sergio, That is the approach we are going to take. Write a script to run at start up to delete all local accounts, except administrator, which only we should know the password for. Do you have any ideas on how to change local account passwords via GPO or remotely? We would like to change the administrator passwords initially, and probably like to change it on a continual basis. Thank you. Joe On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote: Yeah, disregard what I said about just leaving Admins on the "allow logon locally" setting, that's my bad. I guess best thing to do would be delete all existing local user accounts. -Sergio -Original Message- From: Joe Lagreca [mailto:[EMAIL PROTECTED] Sent: Monday, May 15, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
Al and others, We are retrofitting previously deployed workstations. Some have local logins, while others do not. I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log into their local machine. I have been told that "In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins." will not work. However I still need to test this myself. I was told allow logon locally will make it so all unlisted users will not be able to login from that workstation, whether it's locally or to the domain. I realize their profiles wouldn't copy, and we can deal with that afterwards. Thanks. Joe On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote: I think you've seen several ways of achieving something similar to what you've asked for. But I'm curious as to what you really want to accomplish. You've put something very specific, but what makes you want to force the logon? What's the backstory? Al On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote: Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk **
[ActiveDir] [OU] ASP.Net 2.0 Impersonation
This is way off topic, but I need a sanity check and the only other place to turn is the wall left of me. Background: Writing lots of tools in ASP.Net 2.0 on an R2 Enterprise Server. For my website I turn off Anonymous Access and enable Windows Authentication. After that I ACL the website directory with the appropriate administrator group that uses these tools. Issue: I keep getting operational failures when I go to execute any directory query. IIS has the user credential; unlike classic ASP you now need to either enable impersonation in your web.config or manually change thread context when needed. I've verified that it's getting the correct Windows Principal, but it only executes correctly if I hardcode that ID into my web.config. Something is fishy here... Here is a tidbit of code that fails and my web.config. btw- Anyone know a good IIS forum that has the same level of masterminds that ActiveDir has? -Brandon

Code behind snippet:

    try
    {
        // Bind to the target OU and create the computer object under it
        DirectoryEntry objOU = new DirectoryEntry("LDAP://" + m_strFullOUDN);
        DirectoryEntry objComputer = objOU.Children.Add(String.Concat("CN=", m_strComputerName), "computer");
        objComputer.Properties["samAccountName"].Add(String.Concat(m_strComputerName, "$"));
        objComputer.CommitChanges();
        objComputer.Close();
        objComputer.Dispose();
    }
    catch (System.Runtime.InteropServices.COMException ex)
    {
        // grabbing lots of stuff to see who I really am
        TextBox1.Text = TextBox1.Text + "Error Message: " + ex.Message.ToString();
        TextBox1.Text = TextBox1.Text + "\n Error Code: " + ex.ErrorCode.ToString();
        // COMException exposes StackTrace (there is no StackDump member)
        TextBox1.Text = TextBox1.Text + "\n \n Stack Dump: " + ex.StackTrace.ToString();
        TextBox1.Text = TextBox1.Text + "\n \n User Type : " + System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
        TextBox1.Text = TextBox1.Text + "\n Current Windows Principal : " + System.Security.Principal.WindowsIdentity.GetCurrent().Name;
        TextBox1.Text = TextBox1.Text + "\n Current HTTP Identity : " + HttpContext.Current.User.Identity.Name.ToString();
        TextBox1.Text = TextBox1.Text + "\n Is Anonymous : " + System.Security.Principal.WindowsIdentity.GetCurrent().IsAnonymous;
        TextBox1.Text = TextBox1.Text + "\n Auth Mech : " + System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
    }

Web.config:

    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <system.web>
        <authentication mode="Windows"/>
        <identity impersonate="true"/>
        <customErrors mode="Off"/>
        <compilation defaultLanguage="c#" debug="true" urlLinePragmas="true">
        </compilation>
      </system.web>
    </configuration>
RE: [ActiveDir] DHCP migration(OT)
Tom, next time, try something like "move dhcp" or "move dhcp site:microsoft.com" on Google. See http://www.google.com/intl/en/help/cheatsheet.html for Google-Fu basics. See KB325473 for the solution to your question. Sincerely, Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com - we know IT www.akomolafe.com http://www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Tue 5/16/2006 6:35 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DHCP migration(OT) Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options? Thanks On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: look into netsh. might be of use. On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote: I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DHCP migration(OT)
I agree with Daniel – I believe that netsh will do a fine job of migrating scopes and scope options but not leases. However, leases should not be too much of an issue so long as you instruct the DHCP server to perform conflict detection (assumes that ICMP is not blocked on your network). A set of commands something like the following perform the migration for you. From a command prompt on the existing DHCP server: Netsh dhcp server \\existing_dhcp_server export c:\dhcp_info.txt all From a command prompt on the new DHCP server: Netsh dhcp server \\existing_dhcp_server import \\existing_dhcp_server\c$\dhcp_info.txt all Now keep in mind that this will export everything and import everything. I would suggest ensuring that the new DHCP server is, at the time of import, not authorized in the AD or at least in a state that no clients will attempt to use it. After the import you can retrofit any of the imported data as necessary, such as altering or removing scopes or options. If you need to be more selective about what you export from the existing server, you will want to use the dump command instead and then massage the output so that you can use the add command on the new DHCP server. HTH Aric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Conrad, Daniel C Mr. Nortel Government Solutions Sent: Tuesday, May 16, 2006 9:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DHCP migration(OT) Past experience, NETSH will migrate the scopes but you use the backup/restore process for the leases (if you want them). D From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe Sent: Tue 5/16/2006 8:43 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DHCP migration(OT) Haven't played with it for a while so I can't answer unless I fire up a VM and start playing.
Do you fancy letting me know your findings ;-) M@ On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote: Will netsh overwrite the scopes already exisitng on the target? Also, does netsh migrate leases or just the scope and scope options? Thanks On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: look into netsh. might be of use. On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote: I want to migrate DHCP(scopes,scope options,leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes,etc already configured. Is there anyway to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2- move the source info over while keeping the target DHCP info intack as well. Is this possible? Thanks .+-wi0-+֬[EMAIL PROTECTED]֫rzm Vry-4ibb
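Aric's "dump and massage" suggestion, worked through as an added example that is not from the thread: a small Python filter over the output of `netsh dhcp server dump` that keeps only the scopes the target does not already have and retargets them at the new server, so Tom's existing scopes are never overwritten. The dump lines are constructed samples in the netsh dump format, and the server names \\SRC and \\DST are placeholders.

```python
"""Merge a source DHCP server's netsh dump into a target that already has scopes.

Added example, not code from the original thread. Reads the text that
`netsh dhcp server \\SRC dump` and `netsh dhcp server \\DST dump` would
produce, and emits only the per-scope commands for scopes that do NOT
already exist on the target, rewritten to address the target server.
Server-wide lines (server-level option values etc.) are dropped because
they would replace the target's own settings, and, as the thread notes,
leases are not carried over by netsh at all.
"""
import re

# "Dhcp Server \\SRV add scope 10.0.1.0 ..." or "Dhcp Server \\SRV Scope 10.0.1.0 ..."
SCOPE_RE = re.compile(
    r'^Dhcp Server (\\\\\S+) (?:add scope|Scope) (\d{1,3}(?:\.\d{1,3}){3})\b',
    re.IGNORECASE,
)

# Constructed sample dumps (abbreviated); placeholder server names.
SOURCE_DUMP = r"""
# ==============================================================
#  Server Configuration: \\SRC
# ==============================================================
Dhcp Server \\SRC set optionvalue 006 IPADDRESS "10.0.0.53"
Dhcp Server \\SRC add scope 10.0.1.0 255.255.255.0 "Sales" "source only"
Dhcp Server \\SRC Scope 10.0.1.0 set state 1
Dhcp Server \\SRC Scope 10.0.1.0 Add iprange 10.0.1.10 10.0.1.250
Dhcp Server \\SRC Scope 10.0.1.0 set optionvalue 003 IPADDRESS "10.0.1.1"
Dhcp Server \\SRC add scope 10.0.2.0 255.255.255.0 "Shared" "exists on both"
Dhcp Server \\SRC Scope 10.0.2.0 set state 1
Dhcp Server \\SRC Scope 10.0.2.0 Add iprange 10.0.2.10 10.0.2.250
"""

TARGET_DUMP = r"""
Dhcp Server \\DST add scope 10.0.2.0 255.255.255.0 "Shared" "target's copy"
Dhcp Server \\DST Scope 10.0.2.0 set state 1
Dhcp Server \\DST Scope 10.0.2.0 Add iprange 10.0.2.50 10.0.2.100
Dhcp Server \\DST add scope 10.0.3.0 255.255.255.0 "Lab" "target only"
Dhcp Server \\DST Scope 10.0.3.0 set state 1
"""


def scope_ids(dump_text):
    """Return the set of scope network IDs that a netsh dump defines."""
    ids = set()
    for line in dump_text.splitlines():
        m = SCOPE_RE.match(line.strip())
        if m:
            ids.add(m.group(2))
    return ids


def merge_dump(source_dump, target_dump, target_server):
    """Return (netsh lines to run on the target, scopes skipped as duplicates).

    Every line belonging to a scope the target already has is skipped
    (add scope, ip ranges, option values, reservations), so nothing that
    is already configured on the target is touched.
    """
    existing = scope_ids(target_dump)
    skipped, out = set(), []
    for raw in source_dump.splitlines():
        line = raw.strip()
        m = SCOPE_RE.match(line)
        if not m:
            continue  # comments, blank lines, server-wide settings
        src_server, scope = m.group(1), m.group(2)
        if scope in existing:
            skipped.add(scope)
            continue
        # Same command, but addressed to the new server.
        out.append(line.replace(src_server, target_server, 1))
    return out, sorted(skipped)


if __name__ == "__main__":
    lines, skipped = merge_dump(SOURCE_DUMP, TARGET_DUMP, r"\\DST")
    print("# scopes left alone because the target already has them:", ", ".join(skipped))
    print("\n".join(lines))
```

Feed the printed lines to `netsh exec` on the new server only after reviewing them; the script deliberately emits nothing for scopes the target already owns.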
RE: [ActiveDir] Is there a way to force users to logon to domain?
I got converted. I used to be a strong proponent of setting a common password for the local admin account on all clients. The logic is that it enables helpdesk people to log into desktops easily for support tasks. I used to hardcode the passwords into a login script, and I used to justify the security implication by saying that whoever can read the hardcoded password knows too much already.

So, I got converted. Now, I set the password randomly to something long and obnoxious that nobody knows. The password is generated on the fly and not written anywhere. If a helpdesk support person needs to log into a client computer as local admin, the password is first reset remotely, and a flag file is deleted from the computer. The absence of the flag file will force the computer to process the password generating script again upon a reboot. If the password cannot be reset remotely, there is a WinPE rescue disk, or BartPE or Sysinternals' Locksmith.

The point of all of this is that you do not HAVE to hardcode passwords into your startup scripts.

Sincerely,
Microsoft MVP - Directory Services
http://www.readymaids.com - we know IT
http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Riley, Devin
Sent: Tue 5/16/2006 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

You can use the following script as a startup script to change the local Admin password. There is an obvious security issue with this, since you will be storing the script in a Sysvol share for machines to read. You can prevent users from browsing to and opening the file by restricting access to Domain Computers and relevant IT Admin staff. The script works even if the local Admin account name has been changed. I don't recall where I got the original copy of the script.

Devin

    Option Explicit
    Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
    Dim oUser

    On Error Resume Next
    Set objShell = WScript.CreateObject("WScript.Shell")
    Set objNet = CreateObject("WScript.Network")
    sNewPassword = "PutSomeReallyLongPasswordHere"
    sComputer = objNet.ComputerName
    sAdminName = GetAdministratorName
    ' Bind to the local account found by RID, whatever it has been renamed to
    Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
    oUser.SetPassword sNewPassword
    oUser.SetInfo
    On Error Goto 0
    objShell.LogEvent 4, "LP startup script LP04 run record."

    '======================
    ' Get Admin Account Name
    '======================
    Function GetAdministratorName()
        Dim sUserSID, objNet, oUserAccount
        Set objNet = CreateObject("WScript.Network")
        ' Enumerate local accounts via WMI; the built-in Administrator always has RID 500
        Set oUserAccounts = GetObject( _
            "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
            .ExecQuery("Select Name, SID from Win32_UserAccount " & _
            "WHERE Domain = '" & objNet.ComputerName & "'")
        On Error Resume Next
        For Each oUserAccount In oUserAccounts
            If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
               Right(oUserAccount.SID, 4) = "-500" Then
                GetAdministratorName = oUserAccount.Name
                Exit For
            End If
        Next
    End Function

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Sergio,

That is the approach we are going to take. Write a script to run at start up to delete all local accounts, except administrator, which only we should know the password for. Do you have any ideas on how to change local account passwords via GPO or remotely? We would like to change the administrator passwords initially, and probably like to change it on a continual basis.

Thank you.
Joe

On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:
Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess best thing to do would be delete all existing local user accounts.

-Sergio

-----Original Message-----
From: Joe Lagreca [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Al and others,

We are retrofitting previously deployed workstations. Some have local logins, while others do not. I was just wondering if there is a way, via GPO, to force all users to log into the domain, instead of giving them the option to log
[ActiveDir] OID For A New Attribute
Does anyone know how to request one from MS? I used OIDGEN for my test environment, however for production I was advised to use a real one to avoid a possible collision. Andrew Feigin - AIG
RE: [ActiveDir] OID For A New Attribute
Get them from http://www.iana.org/cgi-bin/enterprise.pl

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Feigin, Andrew
Sent: Tuesday, May 16, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OID For A New Attribute

Does anyone know how to request one from MS? I used OIDGEN for my test environment, however for production I was advised to use a real one to avoid a possible collision.

Andrew Feigin - AIG
RE: [ActiveDir] OID For A New Attribute
http://msdn.microsoft.com/certification/ad-registration.asp
http://msdn.microsoft.com/library/default.asp?url="">

Don't forget to request a prefix and if you need linkids to get those as well.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Feigin, Andrew
Sent: Tuesday, May 16, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OID For A New Attribute

Does anyone know how to request one from MS? I used OIDGEN for my test environment, however for production I was advised to use a real one to avoid a possible collision.

Andrew Feigin - AIG
RE: [ActiveDir] OID For A New Attribute
Thanks!

Andrew Feigin - AIG

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 16, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OID For A New Attribute

http://msdn.microsoft.com/certification/ad-registration.asp
http://msdn.microsoft.com/library/default.asp?url="">

Don't forget to request a prefix and if you need linkids to get those as well.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Feigin, Andrew
Sent: Tuesday, May 16, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OID For A New Attribute

Does anyone know how to request one from MS? I used OIDGEN for my test environment, however for production I was advised to use a real one to avoid a possible collision.

Andrew Feigin - AIG
RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important
Interesting that your address is being used for SPAM, I haven't seen that, usually the addresses are randomly generated. I tried to contact the postmaster at mcmathlaw.com to comment on their SPAM filter and say that I thought it was a joke and would feel bad to be one of their users because who knows how much email they aren't seeing and interestingly enough I get back...

[EMAIL PROTECTED]: host mail.mcmathlaw.com[64.139.70.12] said: 550 [EMAIL PROTECTED], Recipient unknown (in reply to RCPT TO command)

So they are spoofing an address on the responses to alleged SPAM. Cracks me up. That puts them in the category of SPAM IMO.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

I've been getting a lot of bounces lately from spam with forged headers, and I report them all as spam. I have my spam settings pretty loose, and block most with RBLs, static, in-house blacklists. I get very few false-positives, and most of those end up in my quarantine, where I can add them to a whitelist. It's extra work for me, but still better than spamming other innocent people, and ending up blacklisted.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

I think for SPAM this is probably good because if it isn't SPAM, the headers weren't forged and it may be nice to know that someone didn't get the message. For instance, say you were sending some fairly important message and you know that RR was disabled on their mail system, you would have to assume they got it or worse, call them to ask if they got it - Yeah... I just sent you an email, did you get it... derrr.

For AV stuff, yes, I absolutely agree, do not send messages back saying the message I sent had a virus. I hate that because I know I didn't send a message with a virus but some numbskull who happens to have my email address in their contacts sent it.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

Setting spam filters to send a reply is, IMHO, totally irresponsible, since the From: headers on spam are ALWAYS forged. The admins at these organizations then complain about getting listed on RBLs, because they are effectively relaying spam. Sorry about the soapbox speech -- just a bit of a pet peeve...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

LOL. The previously attached EML kicked off even more SPAM filters, 11 at last count. That just cracks me right up. A society in fear of SPAM and viruses.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: FW: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important

Looks like MCMATHLAW.COM has their SPAM filter (MDaemon) set a little on the sensitive side. I would hate to be behind that filter, can't imagine how much mail they are missing.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 10:00 AM
To: [EMAIL PROTECTED]
Subject: RE: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important

MDaemon has identified your message as spam. It will not be delivered.

From: [EMAIL PROTECTED]
To: SOMERANDOMPERSON@mcmathlaw.com
Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
Message-ID: [EMAIL PROTECTED]

Yes, score=3.1 required=3.0 tests=BAYES_60,HTML_50_60,HTML_MESSAGE autolearn=no version=3.1.0
* 0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
* 3.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
*     [score: 0.6164]
* 0.0 HTML_MESSAGE BODY: HTML included in message
: Message contains [1] file attachments
[ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name
We are in the middle of a migration from Exchange 2000 to Exchange 2003. We have 2 Administrative Groups in ESM. One of them is named "First Administrative Group" (this name was left default at the time of the installation of the first server). The other has been given a new name. The First Administrative Group holds the Exchange 2000 servers, the other holds the Exchange 2003 servers. In the end only one Administrative Group will exist, the new one.

Recently I moved a couple of hundred mailboxes to a different server in a different Administrative Group. When looking at those mailboxes from within ESM (by clicking the mailboxes node under the servers node), I can see that most of those mailboxes still have the name of the Administrative Group they were in, in their Full Mailbox Directory Name (this is a column that can be added in ESM). The mailboxes were on a server which was in the First Administrative Group and have been moved to another server which sits in another Administrative Group.

I am asking this because after all the mailboxes have been moved (a few are still on that old server), I am planning to delete the First Administrative Group in time. My question is: why does the Full Mailbox Directory Name still have the First Administrative Group in it, even if the mailbox is no longer in the First Administrative Group? Do I need to fix this before I delete the First Administrative Group?

Thanks in advance for the help.
Re: [ActiveDir] DHCP migration(OT)
I don't want to seem rude, but in my post I was primarily concerned with overwriting the existing scopes on the target server. I never asked about how to migrate DHCP but rather how to migrate a source DHCP to a target DHCP server which has existing scopes on it. I read those articles before posting. They never answered my concern. I may deserve a heap of sarcasm for various other posts I made but not this one :)

Thanks

On 5/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Tom, next time, try something like "move dhcp" or "move dhcp site:microsoft.com" on Google. See http://www.google.com/intl/en/help/cheatsheet.html for Google-Fu basics. See KB325473 for the solution to your question.

Sincerely,
Microsoft MVP - Directory Services
http://www.readymaids.com - we know IT
http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options? Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:
I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2: move the source info over while keeping the target DHCP info intact as well. Is this possible? Thanks
RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.
Hi Iain,

Unfortunately, I have no way to avoid this but enabling my NIC card *ONLY* during the scheduled replication windows. The other time, my NIC card will be disabled. I don't know right now how to do this. I was thinking about scheduling (AT) a script (via netsh??) that will enable my NIC when my replication window starts and then will disable my NIC when the replication stops.

Yann

[EMAIL PROTECTED] wrote:
Yann,
How are you planning on protecting your lag site DCs from a forced replication?
Regards, Iain | IT Services | Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 15 May 2006 21:49
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

Understood! We will follow your advice.
Cheers,
Yann

----- Original Message -----
From: "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

* SRV records: make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag are higher than any other site links that also link to the main site
* for the lag to work properly make sure you have at least one DC from each domain, because of eventual cross domain links (e.g. group memberships)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

Hello all,

We are about to build a lag site for our AD recovery strategy. We schedule replication Prod Sites -> Lag Sites one time a week. We have one forest with a Root and Child domain. The lag site will contain only one DC. We would like to disable client auth on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a GPO, or
2) Stop and disable the netlogon service.
What will be the best choice? 1) or 2)? Shall I also disable the Server service to avoid replication of sysvol too?

Thanks for input.
RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important
Not my address, but my users' addresses, and many random addresses @ my domain.

Failure to accept mail as postmaster is a violation of RFC2821: (I know, so is failure to send NDRs...)

4.5.1 Minimum Implementation

In order to make SMTP workable, the following minimum implementation is required for all receivers.
...
Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox "postmaster" as a case-insensitive local name. This postmaster address is not strictly necessary if the server always returns 554 on connection opening (as described in section 3.1). The requirement to accept mail for postmaster implies that RCPT commands which specify a mailbox for postmaster at any of the domains for which the SMTP server provides mail service, as well as the special case of RCPT TO:Postmaster (with no domain specification), MUST be supported.

SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet. In extreme cases --such as to contain a denial of service attack or other breach of security-- an SMTP server may block mail directed to Postmaster. However, such arrangements SHOULD be narrowly tailored so as to avoid blocking messages which are not part of such attacks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 16, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

Interesting that your address is being used for SPAM, I haven't seen that, usually the addresses are randomly generated. I tried to contact the postmaster at mcmathlaw.com to comment on their SPAM filter and say that I thought it was a joke and would feel bad to be one of their users because who knows how much email they aren't seeing and interestingly enough I get back...

[EMAIL PROTECTED]: host mail.mcmathlaw.com[64.139.70.12] said: 550 [EMAIL PROTECTED], Recipient unknown (in reply to RCPT TO command)

So they are spoofing an address on the responses to alleged SPAM. Cracks me up. That puts them in the category of SPAM IMO.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

I've been getting a lot of bounces lately from spam with forged headers, and I report them all as spam. I have my spam settings pretty loose, and block most with RBLs, static, in-house blacklists. I get very few false-positives, and most of those end up in my quarantine, where I can add them to a whitelist. It's extra work for me, but still better than spamming other innocent people, and ending up blacklisted.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

I think for SPAM this is probably good because if it isn't SPAM, the headers weren't forged and it may be nice to know that someone didn't get the message. For instance, say you were sending some fairly important message and you know that RR was disabled on their mail system, you would have to assume they got it or worse, call them to ask if they got it - Yeah... I just sent you an email, did you get it... derrr.

For AV stuff, yes, I absolutely agree, do not send messages back saying the message I sent had a virus. I hate that because I know I didn't send a message with a virus but some numbskull who happens to have my email address in their contacts sent it.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

Setting spam filters to send a reply is, IMHO, totally irresponsible, since the From: headers on spam are ALWAYS forged. The admins at these organizations then complain about getting listed on RBLs, because they are effectively relaying spam. Sorry about the soapbox speech -- just a bit of a pet peeve...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

LOL. The previously attached EML kicked off even more SPAM filters, 11 at last count. That just cracks me right up. A society in fear of SPAM and viruses.

-- O'Reilly Active Directory Third Edition -
RE: [ActiveDir] DHCP migration(OT)
There was no sarcasm intended in my response. I am sorry that it appeared so to you. I am sorry that you are not able to see the answer to how to migrate a source DHCP to a target DHCP server which has existing scopes on it in that article. I am sorry that I replied to you at all. It won't happen again.

Sincerely,
Microsoft MVP - Directory Services
http://www.readymaids.com - we know IT
http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

I don't want to seem rude, but in my post I was primarily concerned with overwriting the existing scopes on the target server. I never asked about how to migrate DHCP but rather how to migrate a source DHCP to a target DHCP server which has existing scopes on it. I read those articles before posting. They never answered my concern. I may deserve a heap of sarcasm for various other posts I made but not this one :)

Thanks

On 5/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Tom, next time, try something like "move dhcp" or "move dhcp site:microsoft.com" on Google. See http://www.google.com/intl/en/help/cheatsheet.html for Google-Fu basics. See KB325473 for the solution to your question.

Sincerely,
Microsoft MVP - Directory Services
http://www.readymaids.com - we know IT
http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options? Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:
I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2: move the source info over while keeping the target DHCP info intact as well. Is this possible? Thanks
[ActiveDir] User Object Attribute mismatches on different DC's
Evenin' All,

Had the pleasure of jumping into warm waters at work today with a client where an authoritative restore was performed a few weeks ago following an OU being mistakenly deleted. Under this OU were a number of users who have yet to be wholly migrated to AD but are still using their legacy NT4 accounts to access Exchange 2003 (i.e. disabled user in AD) before they are fully migrated to AD (Windows XP)... all DCs are running Win2K3 SP1...

I've discovered a number of mismatches between certain attributes of these user objects according to the DC you query... <plug>For example, if I use the infamous ADFIND tool</plug> using the following syntax I query the homeMDB attribute on each DC.

Syntax:

    for /f %%a in (mydclist.txt) do adfind -h %%a:389 -b OU=RestoredOU,DC=MYAD,DC=ACME,DC=COM -c -u ACME\admin -sort name dn -f "(&(objectClass=user)(!(homeMDB=*)))"

The following information is returned (paraphrased):

    AdFind V01.30.01cpp Joe Richards ([EMAIL PROTECTED]) January 2006

    Using server: gbsrv01.myad.acme.com:389
    Directory: Windows Server 2003
    1804 Objects returned

    Using server: gbsrv002.myad.acme.com:389
    Directory: Windows Server 2003
    1804 Objects returned

    Using server: ussrv001.myad.acme.com:389
    Directory: Windows Server 2003
    2669 Objects returned

    Using server: itsrv001.myad.acme.com:389
    Directory: Windows Server 2003
    1804 Objects returned

    Using server: nlbek31w3ls001.myad.acme.com:389
    Directory: Windows Server 2003
    4260 Objects returned

    Using server: ussrv002.myad.acme.com:389
    Directory: Windows Server 2003
    2670 Objects returned

    Using server: essrv001.myad.acme.com:389
    Directory: Windows Server 2003
    4146 Objects returned

    Using server: sesrv001.myad.acme.com:389
    Directory: Windows Server 2003
    1804 Objects returned

    Using server: frsrv001.myad.acme.com:389
    Directory: Windows Server 2003
    4090 Objects returned

etc...

Interestingly, in certain cases, particular servers, not necessarily in the same site, return the same value of objects (not 1804). Given that the query is looking for user IDs with empty homeMDB, less is good, and given that 1804 objects returned (seems) to indicate that these are the DCs with the correctly populated homeMDB attributes, my questions are thus:

(1) Is a USN problem associated with the restore a possible cause here?
(2) Given that a REPADMIN /showutdvec on all DCs reveals no USN inconsistencies as such, and that replication is working correctly, how was this situation likely to come about?
(3) What's preventing successful update of these attributes (dumb question maybe but I want to be certain)?
(4) (Big If) but can I force replication from my suspected good entries to overcome this issue?

Granted, there's a paucity of information to go on... but I'll try and elaborate as the night goes along :-)

Many thanks,
Mylo
RE: [ActiveDir] GPO Software Deployment
Good assessment. When you have the machines cleaned up, Adobe supplies a deployment preparation tool for this exact purpose. You will have to do a bit of Googling for it. NEVER edit or repackage an existing MSI (not possible in every case). Always create a transform which can be applied against the original MSI. Buy a proper suite such as Wise Application Studio for enterprise software deployment.

Cheers
Jon Austin

[EMAIL PROTECTED] wrote on 17/05/2006 01:26:55 AM:

So, I suspect what is happening here, based on that error, is the popup you're seeing is Windows Installer trying to repair the application but not finding the right files to do it. The Feature name, WIFEAT0001, tells me the package was created using WinInstall -- not very interesting. I suspect that the registry still contains references to the package. I would search the registry by the Product GUID, below, and get rid of all instances of it. Alternatively, you could try downloading and running the Installer Cleanup tool, found at http://support.microsoft.com/kb/290301/
RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3
When are you planning on increasing the functional levels of the domain and the forest? There are several features of Windows 2003 AD that you do not get, even if you've upgraded the DCs, unless you also bump up the functional levels. When you bump the forest functional level, I believe there will be a PAS expansion at that point, since I recall there being some settings that are deferred until then.

Wook

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, May 12, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3

I suggested doing AD, then Exchange = that's not the same as saying Windows, then Exchange... Means that you can do all the schema/domain mods basically at once and upgrade all DCs to W2k3. The Exchange 2000 server itself can't be upgraded to W2k3 - that is correct, but it runs just fine in a Win2k3 AD domain/forest. But your routine will also work fine. I'd probably upgrade the OWA front-end to W2k3 right after step iv) so that you don't have to touch the box again in step xii). As long as this isn't a DC, this won't be a problem.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Watts
Sent: Friday, 12 May 2006 10:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3

Thanks. My plan so far is this:
i) Install W2K3 on new hardware and join to domain as member server
ii) Run E2K3 ForestPrep on Schema Master
iii) Run E2K3 DomainPrep
iv) Upgrade OWA front-end to E2K3
v) Install E2K3 to newly built server
vi) Migrate mailboxes and Public Folders, using Move Mailbox wizard, to newly built server
vii) Uninstall E2K from existing server
viii) Run W2K3 ForestPrep on Schema Master
ix) Run W2K3 DomainPrep on Inf. Master
x) Upgrade PDC Emulator to W2K3
xi) Upgrade other DCs to W2K3
xii) Upgrade OWA Front End to W2K3

So this should leave me with 3 W2K3 DCs, 1 W2K3/E2K3 member server and 1 W2K3/E2K3 OWA front-end server. Guido, we don't have any legacy clients to worry about, but is my sequence wrong as regards upgrading Exchange THEN Windows, as you have suggested doing Windows THEN Exchange? I thought W2K3 with E2K wasn't supported?

Jon
** Jonathan Watts, Network Admin, St Catherine's School **

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 11 May 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3

Why don't you post your procedure here and we'll comment on it :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.
That will trigger most tools/scripts for replication errors, wouldn't it?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, May 17, 2006 4:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

Hi Iain,
Unfortunately, I have no way to avoid this but enabling my NIC card *ONLY* during the scheduled replication windows. The rest of the time, my NIC card will be disabled. I don't know right now how to do this. I was thinking about scheduling (AT) a script (via netsh??) that will enable my NIC when my replication window starts and then will disable my NIC when the replication stops.

Yann

[EMAIL PROTECTED] wrote:

Yann,
How are you planning on protecting your lag site DCs from a forced replication?

Regards,
Iain | IT Services | Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 15 May 2006 21:49
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

Understood! We will follow your advice.

Cheers,
Yann

----- Original message -----
From: "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

SRV records
* make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag site is higher than any other site link that also links to the main site

For the lag to work properly, make sure you have at least one DC from each domain, because of eventual cross-domain links (e.g. group memberships).

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

Hello all,
We are about to build a lag site for our AD recovery strategy. We schedule replication Prod Sites -> Lag Sites one time a week. We have one forest with a Root and a Child domain. The lag site will contain only one DC. We would like to disable client auth on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a GPO.
or
2) Stop and disable the Netlogon service.
What will be the best choice? 1) or 2)?
Shall I also disable the Server service to avoid replication of SYSVOL too?
Thanks for input.
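Jorge's first bullet (register only the replication CNAME) is what Yann's option 1) achieves through the registry value the "DC Locator DNS Records" Net Logon policy writes. The script below is an added example, not code from anyone in the thread; it assumes it runs on the lag-site DC itself, that the forest is named corp.example (constructed), and that the mnemonic list is the one Windows 2003 Netlogon understands.

```powershell
# Added example, not from the thread. Run as an administrator on the lag-site DC
# itself; $forest is a constructed value.
$forest      = 'corp.example'
$lagDc       = $env:COMPUTERNAME
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Every DC Locator record mnemonic that Windows 2003 Netlogon registers, except
# DsaCname: the <DSA GUID>._msdcs.<forest> CNAME that replication partners resolve.
# Listing a mnemonic in DnsAvoidRegisterRecords (the value the "DC Locator DNS
# Records" Net Logon policy writes) stops Netlogon registering that record, so
# clients stop finding this DC through DNS while replication keeps working.
$suppress = @(
    'LdapIpAddress', 'Ldap', 'LdapAtSite', 'Pdc', 'Gc', 'GcAtSite', 'GcIpAddress',
    'GenericGc', 'GenericGcAtSite', 'DcByGuid', 'Kdc', 'KdcAtSite', 'Dc', 'DcAtSite',
    'Rfc1510Kdc', 'Rfc1510KdcAtSite', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)
New-ItemProperty -Path $netlogonKey -Name DnsAvoidRegisterRecords `
    -PropertyType MultiString -Value $suppress -Force | Out-Null

# Netlogon deregisters the listed records and skips them on every later refresh;
# restarting it applies the change now instead of at the next periodic refresh.
Restart-Service Netlogon

# Verification: the locator SRV records must no longer name this DC, while the
# replication CNAME (built from this DC's NTDS Settings objectGUID) must resolve.
function Test-LagDcDnsExposure {
    foreach ($name in "_ldap._tcp.dc._msdcs.$forest",
                      "_kerberos._tcp.dc._msdcs.$forest",
                      "_gc._tcp.$forest") {
        $hit = nslookup -type=SRV $name 2>$null | Select-String -SimpleMatch $lagDc
        [pscustomobject]@{ Record = $name; StillListsLagDc = [bool]$hit }
    }
    $ntds  = [adsi]"LDAP://CN=NTDS Settings,$(([adsi]'LDAP://RootDSE').serverName)"
    $guid  = New-Object guid (,[byte[]]$ntds.objectGUID.Value)
    $cname = "$guid._msdcs.$forest"
    $ok = nslookup $cname 2>$null | Select-String -SimpleMatch 'canonical name'
    [pscustomobject]@{ Record = $cname; Resolves = [bool]$ok }
}
Test-LagDcDnsExposure
```

Jorge's other two points (no WINS servers on the lag DC, a higher site link cost) are separate settings that this script does not touch.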
[ActiveDir] How to Determine Who Has Authenticated Against DC
Hello:

Sorry for what might be an obvious question: Is it possible to determine who has authenticated against a particular DC over a period of time? (And if so, how?) I suspect that some machines in one site are authenticating against a DC in another. Without checking each workstation, how can I see where they are authenticating?

Thanks.
-- nme

P.S. Not sure if it is related, but the DC in question reports that it can't provide some time service to machines in the remote site. (Sorry, not looking at the exact warning message right now.)
RE: [ActiveDir] DHCP migration(OT)
Tom,

You got me wondering myself, so I VMed it. Here's what I did:
- Built scopeA with a bunch of configs
- Exported the configs w/Netsh all
- Deleted scopeA
- Built scopeB with different configs
- Imported the config file from the old scope with the /all switch

Results: After refreshing the console a couple of times, the imported scope was added to the existing list.

Note: NETSH will not export or import the current leases. They must be backed up and restored. In the NETSH/DHCP/Server prompt you can use import /? to get the syntax to import individual scopes, but based on this test it doesn't seem necessary.

Hope this helps,
Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, May 16, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

I don't want to seem rude, but in my post I was primarily concerned with overwriting the existing scopes on the target server. I never asked about how to migrate DHCP but rather how to migrate a source DHCP to a target DHCP server which has existing scopes on it. I read those articles before posting. They never answered my concern. I may deserve a heap of sarcasm for various other posts I made but not this one :)
Thanks

On 5/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Tom, next time, try something like "move dhcp" or "move dhcp site:microsoft.com" on Google. See http://www.google.com/intl/en/help/cheatsheet.html for Google-Fu basics. See KB325473 for the solution to your question.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options?
Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible?
Thanks
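Dan's test, replayed as the actual netsh commands so the syntax is on record; this is an added example, not something posted in the thread. It assumes a lab Windows 2003 DHCP server, local administrator rights, and constructed addresses, scope names and export path.

```powershell
# Added example, not from the thread: replays Dan's VM test on a lab Windows 2003
# DHCP server. All addresses, scope names and the export path are constructed.
$exportFile = 'C:\Temp\scopeA-export.txt'

# 1. Build scope A with an address range and a couple of scope options.
netsh dhcp server add scope 10.10.1.0 255.255.255.0 ScopeA 'lab scope A'
netsh dhcp server scope 10.10.1.0 add iprange 10.10.1.20 10.10.1.200
netsh dhcp server scope 10.10.1.0 set optionvalue 003 IPADDRESS 10.10.1.1    # router
netsh dhcp server scope 10.10.1.0 set optionvalue 006 IPADDRESS 10.10.0.10   # DNS

# 2. Export every scope (here only scope A) to a file. 'all' may be replaced by
#    a space-separated list of scope addresses to export a subset.
netsh dhcp server export $exportFile all

# 3. Delete scope A, then build an unrelated scope B, standing in for a target
#    server that already has its own scopes configured.
netsh dhcp server delete scope 10.10.1.0 DhcpFullForce
netsh dhcp server add scope 10.10.2.0 255.255.255.0 ScopeB 'lab scope B'
netsh dhcp server scope 10.10.2.0 add iprange 10.10.2.20 10.10.2.200

# 4. Import the file on top of scope B. As in Dan's test, scope A is added
#    alongside B; B is left as it was.
netsh dhcp server import $exportFile all

# 5. Confirm both scopes are present (the MMC snap-in needs a refresh to show this).
function Get-DhcpScopeList {
    netsh dhcp server show scope | ForEach-Object {
        if ($_ -match '^\s*(\d+\.\d+\.\d+\.\d+)') { $Matches[1] }
    }
}
Get-DhcpScopeList   # expected: 10.10.1.0 and 10.10.2.0
```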
RE: [ActiveDir] DHCP migration(OT)
Tom,

I don't want to seem rude, but this is something that would take you 5 minutes to test yourself (e.g. in a VM). You could even report your results back to the list.

Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 - See you there: Everything the web administrator needs to know about MOM 2005

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, 17 May 2006 6:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

I don't want to seem rude, but in my post I was primarily concerned with overwriting the existing scopes on the target server. I never asked about how to migrate DHCP but rather how to migrate a source DHCP to a target DHCP server which has existing scopes on it. I read those articles before posting. They never answered my concern. I may deserve a heap of sarcasm for various other posts I made but not this one :)
Thanks

On 5/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Tom, next time, try something like "move dhcp" or "move dhcp site:microsoft.com" on Google. See http://www.google.com/intl/en/help/cheatsheet.html for Google-Fu basics. See KB325473 for the solution to your question.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options?
Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible?
Thanks
RE: [ActiveDir] How to Determine Who Has Authenticated Against DC
Noah-

Yes, any authentications to a DC are logged in the security event log (assuming Logon auditing is enabled). User logons should show up as 528 events.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, May 16, 2006 7:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to Determine Who Has Authenticated Against DC

Hello:

Sorry for what might be an obvious question: Is it possible to determine who has authenticated against a particular DC over a period of time? (And if so, how?) I suspect that some machines in one site are authenticating against a DC in another. Without checking each workstation, how can I see where they are authenticating?

Thanks.
-- nme

P.S. Not sure if it is related, but the DC in question reports that it can't provide some time service to machines in the remote site. (Sorry, not looking at the exact warning message right now.)
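One way to turn Darren's answer into the per-site picture Noah asked for, as an added example that is not from the thread: it reads the classic Security log of a DC remotely with Get-EventLog (Windows PowerShell, not PowerShell 7), takes the Workstation Name and Source Network Address fields out of each 528 event (540, the network-logon variant on Windows 2003, is included as my own addition), and flags clients whose address lies outside the subnets of the DC's site. $dc and $siteSubnets are constructed placeholders.

```powershell
# Added example, not from the thread. Needs an account allowed to read the
# Security log on $dc; $dc and $siteSubnets are constructed values.
$dc          = 'DC01'               # constructed: DC being checked
$siteSubnets = @('10.1.0.0/16')     # constructed: subnets of this DC's AD site
$since       = (Get-Date).AddDays(-7)

function ConvertTo-UInt32([ipaddress]$addr) {
    $b = $addr.GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0)
}
# True when IPv4 address $ip lies inside the CIDR block $cidr.
function Test-InSubnet([string]$ip, [string]$cidr) {
    $net, $bits = $cidr.Split('/')
    try { $a = [ipaddress]$ip; $n = [ipaddress]$net } catch { return $false }
    if ($a.AddressFamily -ne 'InterNetwork') { return $false }
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (((ConvertTo-UInt32 $a) -band $mask) -eq ((ConvertTo-UInt32 $n) -band $mask))
}
# Pulls one "<name>:<tab><value>" field out of a classic event message body.
function Get-Field([string]$message, [string]$name) {
    if ($message -match "(?m)^\s*$name\s*:\s*(\S+)") { $Matches[1] } else { '-' }
}

# Event 528 is "Successful Logon" on Windows 2000/XP/2003; 540 is the network
# logon variant. On 2003 both carry Workstation Name and Source Network Address.
$logons = Get-EventLog -ComputerName $dc -LogName Security -After $since |
    Where-Object { @(528, 540) -contains $_.EventID } |
    ForEach-Object {
        [pscustomobject]@{
            Workstation = Get-Field $_.Message 'Workstation Name'
            SourceIP    = Get-Field $_.Message 'Source Network Address'
            User        = Get-Field $_.Message 'User Name'
            Time        = $_.TimeGenerated
        }
    }

# One row per (workstation, address). OutsideSite is true when the address is
# known (console logons report '-') and matches none of the site's subnets.
$summary = $logons | Group-Object Workstation, SourceIP | ForEach-Object {
    $ip = $_.Group[0].SourceIP
    $inSite = @($siteSubnets | Where-Object { Test-InSubnet $ip $_ }).Count -gt 0
    [pscustomobject]@{
        Workstation = $_.Group[0].Workstation
        SourceIP    = $ip
        Logons      = $_.Count
        Users       = ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
        OutsideSite = ($ip -ne '-') -and -not $inSite
    }
}
$summary | Sort-Object OutsideSite, Logons -Descending | Format-Table -AutoSize
```

Rows with OutsideSite set to True are the machines Noah suspects: they logged on to this DC from an address that belongs to another site's subnets.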
[ActiveDir] how to find DNS servers in a forest?
If I have a list of DCs in a Windows 2003 forest, I just want to verify whether they have Microsoft DNS installed on them. Where is this information stored in AD? Or, put differently, I want to find out how many DCs have DNS installed.

Thanks,
Manjeet