RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-16 Thread Ulf B. Simon-Weidner



I can't see them as well, OL2k3 into POP, provider is using ESMTP (Nemesis) and
POP appears to be mimap12 (at least that's what telnetting against the pop tells
me).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile Publications: http://mvp.support.microsoft.com/profile=
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, May 16, 2006 2:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  Interesting, for the O2K3 via POP3 what is the backend? I 
  am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks. 
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
  Sent: Monday, May 15, 2006 8:28 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  I'm getting the list at home and at 
  work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via 
  Exchange and MAPI is coming in blank. Both the non-SP standard builds of 
  Outlook. Exchange is still @ E2K...
  
  Diane
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, May 15, 2006 4:36 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  I just verified and OWA is also throwing garbage 
  characters on the end of the message and when looking at the raw stream it is 
  the list banner.
  
  How is O2K7 displaying it?
  
  Anyone understand what the full spec for a message is 
  and how to (or if you can) mix MIME with plain text? I expect either the plain 
  text banner isn't allowed or the list software isn't modifying the header 
  properly for it to tell the clients to expect it.
  
   joe
  
  
  
  Here is Al's message straight from POP without 
  interpretation:
  
  
  retr 39
  +OK
  Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211);
    Mon, 15 May 2006 16:44:34 -0400
  Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
  Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
    b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
  Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
  Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
  Message-ID: [EMAIL PROTECTED]
  Date: Mon, 15 May 2006 16:38:12 -0400
  From: "Al Mulnick" [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
  In-Reply-To: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: text/plain; charset=UTF-8; format=flowed
  Content-Transfer-Encoding: base64
  Content-Disposition: inline
  References: [EMAIL PROTECTED]
  Precedence: bulk
  Sender: [EMAIL PROTECTED]
  Reply-To: ActiveDir@mail.activedir.org
  Return-Path: [EMAIL PROTECTED]
  X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  
  
  
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Monday, May 15, 2006 7:28 PM
  To: 'ActiveDir@mail.activedir.org'
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  Al is sending from GMAIL.
  
  It appears that GMAIL is mime encoding the messages, and 
  then the list attaches the plain text banner on it and the whole decodes 
  

[ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

2006-05-16 Thread Freddy HARTONO





Hi all,


I had just logged in one of a printserver in my remote site, out of my usual scope - but the point is that the server has some logon scripts (local) associated with it.


Just concerned about the security aspect of it - what is stopping some server admins to put in some logon scripts that adds a certain account as enterprise admin (boobietrap).

I know the usual rule was to not login to untrusted boxes... but is there a way to overcome such?



Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 





RE: [ActiveDir] GPO Software Deployment

2006-05-16 Thread Robert Rutherford








Hi Guys,



Thanks for the input but still no joy
nothing is showing in the logs and I don't have the original package. The
below is popping up in the event log though :-

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description:
Detection of product
'{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature 'WIFEAT0001' failed
during request for component '{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any memories for anyone? I
think I'm just going to have to get the whole lot rebuilt. Woe is
me.



Cheers

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much possible info about what is happening. If you need
help debugging the output, let me know.

Cheers

Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:
 From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Robert Rutherford
 Sent: Wednesday, May 10, 2006 3:05 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] GPO Software Deployment

 HI All,

 Strange one..

 I have taken over the support of an organisation where the last
 organisation has made a bit of a pigs ear of the AD deployment. It
 appears upon discussion with staff that a software deployment of
 Acrobat reader has been put in at some point and then removed. I
 also found an old machine with a self built msi package on.

 Now, while the users are working away an msi installer window just
 flickers up on the screen and vanishes regularly. This is
 infuriating for the user base but I can't seem to nail it down as
 any reference has been removed from the registry.

_ 
This e-mail has been scanned for viruses by MessageLabs.








RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

2006-05-16 Thread iain.mccall



Yann,

How are you planning on protecting your lag site 
DCs from a forced replication?

Regards, 

Iain | IT Services | 
Infrastructure 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
  Sent: 15 May 2006 21:49
  To: ActiveDir@mail.activedir.org
  Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.
  
  
  
  Understood !
  
  We will follow your advice.
  
  Cheers,
  
  Yann

  ----- Original Message -----
  From: "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Monday, 15 May 2006, 10:21:54
  Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

  SRV records
  * make sure the DC only registers the CNAME SRV record which is used for replication
  * don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
  * make sure the site link cost between the main site and the lag are higher than any other site links that also links to the main site

  for the lag to work properly make sure you have at least one DC from each domain, because of eventual cross domain links (e.g. group memberships)

  Kind regards,
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services
  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  Tel : +31-(0)40-29.57.777
  Mobile : +31-(0)6-26.26.62.80
  E-mail : see sender address

  From: [EMAIL PROTECTED] on behalf of Yann
  Sent: Mon 2006-05-15 21:36
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

  hello all,

  We are about to build a lag site for our AD recovery strategy.
  We schedule replication Prod Sites -Lag Sites one time a week.
  We have one forest with a Root and Child domain.
  The lag site will contain only one DC. We would like to disable clients auth on this DC. So I found 2 ways to do this:
  1) Configuring the "DC Locator DNS Records" via a gpo.
  or
  2) Stop and disable the netlogon service.
  What will be the best choice ? 1) or 2) ?
  Shall i also disable the service server to avoid replication of sysvol too ?
  Thanks for input.



RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-16 Thread Brian A. Cline



I'm on O2K3 SP1 via E2K3 SP2, and the only blanks I've 
ever seen on this list were the long string of intentionally 
blank emails. ;-) I did, however, see strange characters at the end 
of Al's last message, and what's interesting is they were different characters 
than the ones Susan forwarded.

Brian



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday 15 May 2006 20:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Interesting, for the O2K3 via POP3 what is the backend? I 
am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, May 15, 2006 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm getting the list at home and at 
work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via 
Exchange and MAPI is coming in blank. Both the non-SP standard builds of 
Outlook. Exchange is still @ E2K...

Diane



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters 
on the end of the message and when looking at the raw stream it is the list 
banner.

How is O2K7 displaying it?

Anyone understand what the full spec for a message is 
and how to (or if you can) mix MIME with plain text? I expect either the plain 
text banner isn't allowed or the list software isn't modifying the header 
properly for it to tell the clients to expect it.

 joe



Here is Al's message straight from POP without 
interpretation:


retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211);
  Mon, 15 May 2006 16:44:34 -0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
  b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: "Al Mulnick" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL.

It appears that GMAIL is mime encoding the messages, and 
then the list attaches the plain text banner on it and the whole decodes 
incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering 
phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the 
possibility of bad characters. If I had to guess, I would guess the bad 
characters are the plain text banner being decoded as MIME.


--
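
The failure discussed in this thread (a plain-text list banner glued onto a body whose headers say Content-Transfer-Encoding: base64) can be reproduced offline. The following is an added example, not code from the list software or from any poster; the sample message is constructed, and `strict_decode`, `lenient_decode` and `safe_append` are hypothetical models of client and list behaviour, not any product's real implementation.

```python
import base64
import binascii
import re
from email import message_from_string

# List banner text as it appears in this archive.
BANNER = (
    "List info   : http://www.activedir.org/List.aspx\n"
    "List FAQ: http://www.activedir.org/ListFAQ.aspx\n"
    "List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/\n"
)


def make_base64_message(text: str) -> str:
    """Constructed sample: text/plain message with a base64 body, using the
    MIME headers seen in the raw POP dump quoted in the thread."""
    body = base64.encodebytes(text.encode("utf-8")).decode("ascii")
    return (
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=UTF-8; format=flowed\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + body
    )


def naive_append(raw: str, banner: str = BANNER) -> str:
    """What the thread suspects the list does: append plain text without
    looking at Content-Transfer-Encoding."""
    return raw + banner


def body_of(raw: str) -> str:
    """Everything after the first blank line (end of headers)."""
    return raw.split("\n\n", 1)[1]


def strict_decode(raw: str) -> bytes:
    """Model of a strict client: any character outside the base64 alphabet
    (such as ':' or '.' from the banner) raises binascii.Error."""
    compact = "".join(body_of(raw).split())
    return base64.b64decode(compact, validate=True)


def lenient_decode(raw: str) -> bytes:
    """Model of a lenient client: drop everything outside the alphabet
    (including '=') and decode what is left as one continuous bit stream."""
    chars = re.sub(r"[^A-Za-z0-9+/]", "", body_of(raw))
    if len(chars) % 4 == 1:          # a lone trailing character holds < 1 byte
        chars = chars[:-1]
    chars += "=" * (-len(chars) % 4)
    return base64.b64decode(chars)


def safe_append(raw: str, banner: str = BANNER) -> str:
    """Encoding-aware alternative: decode the body, append the banner,
    re-encode, and leave the headers untouched."""
    msg = message_from_string(raw)
    cte = (msg.get("Content-Transfer-Encoding") or "7bit").strip().lower()
    if cte != "base64":
        return raw + banner          # unencoded body: plain append is fine
    headers = raw.split("\n\n", 1)[0]
    text = strict_decode(raw) + banner.encode("utf-8")
    return headers + "\n\n" + base64.encodebytes(text).decode("ascii")


if __name__ == "__main__":
    original = make_base64_message("Reply sent from a webmail client!\n")
    broken = naive_append(original)
    try:
        strict_decode(broken)
    except binascii.Error as exc:
        print("strict client rejects the body:", exc)
    print("lenient client shows:", lenient_decode(broken))
    print("after safe_append:", strict_decode(safe_append(original)))
```

In the lenient model the sender's text survives intact and the banner's letters are decoded as if they were base64, which produces trailing garbage bytes rather than the banner itself.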

RE: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

2006-05-16 Thread Crawford, Scott
what is stopping some server admins to put in some logon scripts that adds a 
certain account as enterprise admin (boobietrap).
 
The same thing that prevents them from installing a keylogger or modifying any 
code on the system to do their nefarious deeds when a high level account runs 
them - absolutely nothing.  Login scripts are just one of many possible attack 
vectors.

The point is, if you don't trust the code on a box or the admins that can put 
code on a box, then you should NEVER use your high-level accounts for accessing 
that box.



From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Tue 5/16/2006 3:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do 
it?



Hi all, 

I had just logged in one of a printserver in my remote site, out of my usual 
scope - but the point is that the server has some logon scripts (local) 
associated with it.


Just concerned about the security aspect of it - what is stopping some server 
admins to put in some logon scripts that adds a certain account as enterprise 
admin (boobietrap).

I know the usual rule was to not login to untrusted boxes... but is there a way 
to overcome such? 


Thank you and have a splendid day! 
  
Kind Regards, 
  
Freddy Hartono 
Group Support Engineer 
InternationalSOS Pte Ltd 
mail: [EMAIL PROTECTED] 
phone: (+65) 6330-9785 
  


RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-16 Thread Ulf B. Simon-Weidner



If all of those were intended I did get everything correct as well. Mainly one 
thread IIRC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile Publications: http://mvp.support.microsoft.com/profile=
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Cline
  Sent: Tuesday, May 16, 2006 2:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
  
  I'm on O2K3 SP1 via E2K3 SP2, and the only blanks 
  I've ever seen on this list were the long string of intentionally 
  blank emails. ;-) I did, however, see strange characters at the end 
  of Al's last message, and what's interesting is they were different characters 
  than the ones Susan forwarded.

  Brian
  
  
  
  
  

Re: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Matheesha Weerasinghe

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:


I want to migrate DHCP(scopes,scope options,leases) from one win2k box to
another.

My issue is, the target server is running DHCP with scopes,etc already
configured.

Is there anyway to migrate the source DHCP server to the target without
overwriting the target's settings?

I just want to merge the 2- move the source info over while keeping the
target DHCP info intact as well.

Is this possible?

Thanks




Re: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Tom Kern
Will netsh overwrite the scopes already existing on the target?

Also, does netsh migrate leases or just the scope and scope options?

Thanks
On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:
 I want to migrate DHCP(scopes,scope options,leases) from one win2k box to another.

 My issue is, the target server is running DHCP with scopes,etc already configured.

 Is there anyway to migrate the source DHCP server to the target without overwriting the target's settings?

 I just want to merge the 2- move the source info over while keeping the
 target DHCP info intact as well.

 Is this possible?

 Thanks


Re: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Matheesha Weerasinghe

Haven't played with it for a while so I can't answer unless I fire up a
VM and start playing. Do you fancy letting me know your findings ;-)

M@

On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote:


Will netsh overwrite the scopes already existing on the target?

Also, does netsh migrate leases or just the scope and scope options?

Thanks



On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
 look into netsh. might be of use.

 On 5/12/06, Tom Kern [EMAIL PROTECTED]  wrote:
 
  I want to migrate DHCP(scopes,scope options,leases) from one win2k box to
  another.
 
  My issue is, the target server is running DHCP with scopes,etc already
  configured.
 
  Is there anyway to migrate the source DHCP server to the target without
  overwriting the target's settings?
 
  I just want to merge the 2- move the source info over while keeping the
  target DHCP info intact as well.
 
  Is this possible?
 
  Thanks
 
 





RE: [ActiveDir] [ActiveDir Digest]

2006-05-16 Thread jkleyheeg
Jeri,

System ODBC DSN's are stored in the registry at
HKLM\SOFTWARE\ODBC\ODBC.INI\DSN NAME.
The DSN names themselves are listed as values in
HKLM\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources

If you create the DSN's you need by hand, then you can export them to a reg
file and build a custom ADM file around it.

Be aware that these are system DSN's, so they apply to the machine.
If users from different OU's need the same DSN name, but with different
parameters, then you will need to use user level DSN's, which are in the
same location but in HKCU.

Jef



-----Original Message-----
From: Bland, Jeri [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 15, 2006 4:38 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [ActiveDir Digest]

Is there a way to set up Group Policy to direct two different OUs at login
to connect to their respective system DSNs pointing to specific SQL
databases running on the same terminal server?  Am I even saying this right?


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
Yeah, disregard what I said about just leaving Admins on the allow logon
locally setting, that's my bad.  I guess best thing to do would be delete
all existing local user accounts.

-Sergio 
-----Original Message-----
From: Joe Lagreca [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 15, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Al and others,

We are retrofitting previously deployed workstations.  Some have local
logins, while others do not.  I was just wondering if there is a way,
via GPO, to force all users to log into the domain, instead of giving
them the option to log into their local machine.

I have been told that In a GPO set the cached logon setting to 0
and make sure allow logon locally is only set to Admins. will not
work.  However I still need to test this myself.  I was told allow
logon locally will make it so all unlisted users will not be able to
login from that workstation, whether it's locally or to the domain.

I realize their profiles wouldn't copy, and we can deal with that
afterwards.

Thanks.

Joe


On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
 I think you've seen several ways of achieving something similar to
 what you've asked for.  But I'm curious as to what you really want to
 accomplish.  You've put something very specific, but what makes you
 want to force the logon?  What's the backstory?

 Al

 On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
  Is there a way to force users to logon to domain, or to disable logging into
  local computer accounts via GPO?
 
  Thanks.
 



RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Freddy HARTONO



It will migrate the leases as well, but not sure if it will 
merge or overwrite though.


Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, May 16, 2006 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target?

Also, does netsh migrate leases or just the scope and scope options?

Thanks
On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
  look into netsh. might be of use.

  On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:
  I want to migrate DHCP(scopes,scope options,leases) from one win2k box to another.

  My issue is, the target server is running DHCP with scopes,etc already configured.

  Is there anyway to migrate the source DHCP server to the target without overwriting the target's settings?

  I just want to merge the 2- move the source info over while keeping the
  target DHCP info intact as well.

  Is this possible?

  Thanks


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread AdamT

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon
locally setting, that's my bad.  I guess best thing to do would be delete
all existing local user accounts.


Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] GPO Software Deployment

2006-05-16 Thread Darren Mar-Elia



So, I suspect what is happening here, based on that error, 
is the popup you're seeing is Windows Installer trying to repair the application 
but not finding the right files to do it. The Feature name, WIFEAT0001, tells me the package 
was created using WinInstall--not very interesting. I suspect that the registry 
still contains references to the package. I would search the registry by the 
Product GUID, below, and get rid of all instances of it. Alternatively, you 
could try downloading and running the Installer Cleanup tool, found at http://support.microsoft.com/kb/290301/

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, May 16, 2006 3:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Hi Guys,

Thanks for the input 
but still no joy nothing is showing in the logs and I don't have the original 
package. The below is popping up in the event log though :-

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description:
Detection of product 
'{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature 'WIFEAT0001' failed during 
request for component 
'{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any 
memories for anyone? I think I'm just going to have to get the whole lot 
rebuilt. Woe is me.

Cheers

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much possible info about what is happening. If you need
help debugging the output, let me know.

Cheers

Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:
 From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Robert Rutherford
 Sent: Wednesday, May 10, 2006 3:05 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] GPO Software Deployment

 HI All,

 Strange one..

 I have taken over the support of an organisation where the last
 organisation has made a bit of a pigs ear of the AD deployment. It
 appears upon discussion with staff that a software deployment of
 Acrobat reader has been put in at some point and then removed. I
 also found an old machine with a self built msi package on.

 Now, while the users are working away an msi installer window just
 flickers up on the screen and vanishes regularly. This is
 infuriating for the user base but I can't seem to nail it down as
 any reference has been removed from the registry.


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Joe Lagreca

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon
locally setting, that's my bad.  I guess best thing to do would be delete
all existing local user accounts.

-Sergio
-Original Message-
From: Joe Lagreca [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Al and others,

We are retrofitting previously deployed workstations.  Some have local
logins, while others do not.  I was just wondering if there is a way,
via GPO, to force all users to log into the domain, instead of giving
them the option to log into their local machine.

I have been told that "In a GPO set the cached logon setting to 0
and make sure allow logon locally is only set to Admins." will not
work.  However I still need to test this myself.  I was told "allow
logon locally" will make it so all unlisted users will not be able to
login from that workstation, whether it's locally or to the domain.

I realize their profiles wouldn't copy, and we can deal with that
afterwards.

Thanks.

Joe


On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
 I think you've seen several ways of achieving something similar to
 what you've asked for.  But I'm curious as to what you really want to
 accomplish.  You've put something very specific, but what makes you
 want to force the logon?  What's the backstory?

 Al

 On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
  Is there a way to force users to logon to domain, or to disable logging
  into local computer accounts via GPO?
 
  Thanks.
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Freddy HARTONO
Even if that is possible by any means - what are you going to do if the
computer falls out of the domain?


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Tuesday, May 16, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow 
 logon locally setting, that's my bad.  I guess best thing to do would 
 be delete all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove
anything. - Nietzsche


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Robert Rutherford
No, and I always find it a relief to have a local admin account in a
failure situation.

 
 
Robert Rutherford
QuoStar Solutions Limited

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: 16 May 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow
logon
 locally setting, that's my bad.  I guess best thing to do would be
delete
 all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP
workstations?

-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


OT: Corrupt messages (was RE: [ActiveDir][OT] Is there a way to force users to logon to domain?)

2006-05-16 Thread Michael B. Smith








I've seen O2007 display it both ways, and I think it's
much more Exchange dependent (whether it's been promoted to MAPI format
or continues in Internet format).

The list software should not append a plain text footer to a
base64 message without encapsulating the original message and rewriting the
message to multipart. I'm certain, without tracking the RFC down, that not
doing so is an RFC violation.

Exchange 2003 sp2 had some changes to its handling of bad
MIME as well, which could be playing a role with the various experiences
being seen by different people.











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to
domain?





I just verified and OWA is also throwing garbage characters on the end of the
message and when looking at the raw stream it is the list banner.

How is O2K7 displaying it?

Anyone understand what the full spec for a message is and how to (or if you can)
mix MIME with plain text? I expect either the plain text banner isn't allowed
or the list software isn't modifying the header properly for it to tell the
clients to expect it.




joe







Here is Al's message straight from POP without interpretation:





retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with
Microsoft SMTPSVC(6.0.3790.211);
 Mon, 15 May 2006 16:44:34
-0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org
with ESMTP
 (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra
 for ActiveDir@mail.activedir.org; Mon, 15
May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=beta; d=gmail.com;

h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;

b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwW
M=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj;
 Mon, 15 May 2006 13:38:12 -0700
(PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: Al Mulnick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject:
Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To:
ActiveDir@mail.activedir.org
Return-Path:
[EMAIL PROTECTED]
X-OriginalArrivalTime:
15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]







SSB0aGluayB5b3UndmUgc2VlbiBzZXZlcmFsIHdheXMgb2YgYWNoaWV2aW5nIHNvbWV0aGluZyBz
aW1pbGFyIHRvCndoYXQgeW91J3ZlIGFza2VkIGZvci4gIEJ1dCBJJ20gY3VyaW91cyBhcyB0byB3
aGF0IHlvdSByZWFsbHkgd2FudCB0bwphY2NvbXBsaXNoLiAgWW91J3ZlIHB1dCBzb21ldGhpbmcg
dmVyeSBzcGVjaWZpYywgYnV0IHdoYXQgbWFrZXMgeW91CndhbnQgdG8gZm9yY2UgdGhlIGxvZ29u
PyAgV2hhdCdzIHRoZSBiYWNrc3Rvcnk/CgpBbAoKT24gNS8xNS8wNiwgSm9lIExhZ3JlY2EgPGxh
Z3JlY2FAZ21haWwuY29tPiB3cm90ZToKPiBJcyB0aGVyZSBhIHdheSB0byBmb3JjZSB1c2VycyB0
byBsb2dvbiB0byBkb21haW4sIG9yIHRvIGRpc2FibGUgbG9naW5nIGludG8KPiBsb2NhbCBjb21w
dXRlciBhY2NvdW50cyB2aWEgR1BPPwo+Cj4gVGhhbmtzLgo+Cg==
List info : http://www.activedir.org/List.aspx
List
FAQ : http://www.activedir.org/ListFAQ.aspx
List
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
.















--

O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: joe [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to
domain?

Al is sending from GMAIL.

It appears that GMAIL is mime encoding the messages, and then the list attaches
the plain text banner on it and the whole decodes incorrectly. Outlook pre-2007
pukes (probably exceptions out of the rendering phase) and OWA, O2K7, and
Thunderbird seem to read it fine but with the possibility of bad characters. If
I had to guess, I would guess the bad characters are the plain text banner
being decoded as MIME.







--

O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Monday, May 15, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?



What about the origin - are they created using OL2k7? If so must be a new bug - I
was using a bit older version for quite a while (and everything was readable),
but it almost corrupted my mailstore - so I switched 
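
The raw POP capture in this message shows a base64 body with the plain-text list footer appended after it, and the reply at the top says the footer belongs in its own part of a multipart message. The Python sketch below is an added example, not code from the thread or from the list software; the sample message, addresses and function names are constructed for illustration. It shows a strict decoder rejecting the appended footer, a scanner that locates where the base64 ends, and the multipart/mixed rewrite that keeps both parts decodable.

```python
import base64
import binascii
import re
from email import message_from_string
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample text and message (not copied from the thread).
TEXT = "What are you really trying to accomplish by forcing the logon?\n\nAl\n"
FOOTER = (
    "List info   : http://www.activedir.org/List.aspx\n"
    "List FAQ    : http://www.activedir.org/ListFAQ.aspx\n"
)
ORIGINAL = (
    "From: sender@example.com\n"
    "To: list@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=UTF-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(TEXT.encode("utf-8")).decode("ascii")
)

# One line of base64 text: alphabet characters plus at most two '=' pads.
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def naive_append(raw, footer):
    """What the thread describes: plain text glued onto an encoded body."""
    return raw + footer


def strict_decode(part):
    """Decode a base64 part, refusing any character outside the alphabet."""
    charset = part.get_content_charset() or "us-ascii"
    body = "".join(part.get_payload().split())  # drop line breaks only
    return base64.b64decode(body, validate=True).decode(charset)


def body_is_valid_base64(raw):
    """True when the whole body really is what the headers declare."""
    try:
        strict_decode(message_from_string(raw))
        return True
    except (binascii.Error, UnicodeDecodeError):
        return False


def split_trailer(raw):
    """Return (base64 text, trailing non-base64 text) for a message body."""
    lines = message_from_string(raw).get_payload().splitlines()
    for i, line in enumerate(lines):
        if line and not B64_LINE.fullmatch(line):
            return "\n".join(lines[:i]), "\n".join(lines[i:])
    return "\n".join(lines), ""


def add_footer_as_part(raw, footer):
    """Rewrite to multipart/mixed: original body untouched, footer as part 2."""
    original = message_from_string(raw)
    outer = MIMEMultipart("mixed")
    for name in ("From", "To", "Subject"):
        if original[name]:
            outer[name] = original[name]
    inner = Message()
    inner["Content-Type"] = original["Content-Type"]
    inner["Content-Transfer-Encoding"] = original["Content-Transfer-Encoding"]
    inner.set_payload(original.get_payload())  # still base64, byte for byte
    outer.attach(inner)
    outer.attach(MIMEText(footer, "plain", "us-ascii"))
    return outer.as_string()


if __name__ == "__main__":
    broken = naive_append(ORIGINAL, FOOTER)
    print("original valid:", body_is_valid_base64(ORIGINAL))
    print("footer appended valid:", body_is_valid_base64(broken))
    print("trailer found:", repr(split_trailer(broken)[1]))
    print(add_footer_as_part(ORIGINAL, FOOTER))
```

Lenient decoders do not all treat the trailing text the same way (some stop at the padding, some try to decode it), which is consistent with the different results the thread reports across clients.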

RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
Yeah make sure you leave all administrative accounts alone and disable the
guest account. 

As for changing the password, you can always connect to it remotely via
Computer management (compmgmt.msc) or script it.   

-Sergio
 

-Original Message-
From: Joe Lagreca [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow logon
 locally setting, that's my bad.  I guess best thing to do would be delete
 all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local
 logins, while others do not.  I was just wondering if there is a way,
 via GPO, to force all users to log into the domain, instead of giving
 them the option to log into their local machine.

 I have been told that In a GPO set the cached logon setting to 0
 and make sure allow logon locally is only set to Admins. will not
 work.  However I still need to test this myself.  I was told allow
 logon locally will make it so all unlisted users will not be able to
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that
 afterwards.

 Thanks.

 Joe


 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to
  what you've asked for.  But I'm curious as to what you really want to
  accomplish.  You've put something very specific, but what makes you
  want to force the logon?  What's the backstory?
 
  Al
 
  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable logging
   into local computer accounts via GPO?
  
   Thanks.
  
 


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Za Vue




I have over 100 randomly generated local admin passwords. If I forget
the password and the account gets corrupted in AD then I just hack the
local admin password. No one logs on locally period!

-Z.V.


Robert Rutherford wrote:

  No, and I always find it a relief to have a local admin account in a
failure situation.

 
 
Robert Rutherford
QuoStar Solutions Limited

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of AdamT
Sent: 16 May 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
  
  
 Yeah, disregard what I said about just leaving Admins on the "allow logon
 locally" setting, that's my bad.  I guess best thing to do would be delete
 all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP
workstations?

  





RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Dave Wade
You can set the password in the startup script, but it's a bit open to
hacking. You can use an encrypted VB Script but those are pretty easy to
decrypt. There is also a tool around that will let you do it remotely.
You could also assign the logon locally rights to say domain users 
administrator.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 16 May 2006 16:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow 
 logon locally setting, that's my bad.  I guess best thing to do would

 be delete all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local

 logins, while others do not.  I was just wondering if there is a way, 
 via GPO, to force all users to log into the domain, instead of giving 
 them the option to log into their local machine.

 I have been told that In a GPO set the cached logon setting to 0
 and make sure allow logon locally is only set to Admins. will not 
 work.  However I still need to test this myself.  I was told allow 
 logon locally will make it so all unlisted users will not be able to 
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that 
 afterwards.

 Thanks.

 Joe


 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to 
  what you've asked for.  But I'm curious as to what you really want 
  to accomplish.  You've put something very specific, but what makes 
  you want to force the logon?  What's the backstory?
 
  Al
 
  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable
   logging into local computer accounts via GPO?
  
   Thanks.
  
 


RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Conrad, Daniel C Mr. Nortel Government Solutions
Past experience, 
 
NETSH will migrate the scopes but you use the backup/restore process for the 
leases (if you want them).
 
D



From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Tue 5/16/2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)



Haven't played with it for a while so I can't answer unless I fire up a
VM and start playing. Do you fancy letting me know your findings ;-)

M@

On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote:

 Will netsh overwrite the scopes already existing on the target?

 Also, does netsh migrate leases or just the scope and scope options?

 Thanks



 On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
  look into netsh. might be of use.
 
  On 5/12/06, Tom Kern [EMAIL PROTECTED]  wrote:
  
   I want to migrate DHCP (scopes, scope options, leases) from one win2k box
   to another.
  
   My issue is, the target server is running DHCP with scopes,etc already
   configured.
  
   Is there anyway to migrate the source DHCP server to the target without
   overwriting the target's settings?
  
   I just want to merge the 2- move the source info over while keeping the
   target DHCP info intact as well.
  
   Is this possible?
  
   Thanks
  
  
 



RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Riley, Devin
You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to Domain Computers and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin


=
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
Dim oUser

On Error Resume Next

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

' The new password is stored in clear text in this script
sNewPassword = "PutSomeReallyLongPasswordHere"

sComputer = objNet.ComputerName
sAdminName = GetAdministratorName

' Bind to the local account through the WinNT provider and reset its password
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
On Error Goto 0

' Write an Information (type 4) entry to the Application event log
objShell.LogEvent 4, "LP startup script LP04 run record."

'======
' Get Admin Account Name
'======

' Finds the built-in Administrator by its well-known RID (-500),
' so the lookup works even if the account has been renamed
Function GetAdministratorName()
    Dim sUserSID, objNet, oUserAccount
    Set objNet = CreateObject("WScript.Network")
    Set oUserAccounts = GetObject( _
        "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
        .ExecQuery("Select Name, SID from Win32_UserAccount" _
        & " WHERE Domain = '" & objNet.ComputerName & "'")

    On Error Resume Next
    For Each oUserAccount In oUserAccounts
        If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
           Right(oUserAccount.SID, 4) = "-500" Then
            GetAdministratorName = oUserAccount.Name
            Exit For
        End If
    Next
End Function


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow 
 logon locally setting, that's my bad.  I guess best thing to do would

 be delete all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local

 logins, while others do not.  I was just wondering if there is a way, 
 via GPO, to force all users to log into the domain, instead of giving 
 them the option to log into their local machine.

 I have been told that In a GPO set the cached logon setting to 0
 and make sure allow logon locally is only set to Admins. will not 
 work.  However I still need to test this myself.  I was told allow 
 logon locally will make it so all unlisted users will not be able to 
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that 
 afterwards.

 Thanks.

 Joe


 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to 
  what you've asked for.  But I'm curious as to what you really want 
  to accomplish.  You've put something very specific, but what makes 
  you want to force the logon?  What's the backstory?
 
  Al
 
  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable
   logging into local computer accounts via GPO?
  
   Thanks.
  
 


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Mark Parris
You could give everyone a domain controller?

Seriously though, we have a custom application that sits on the client and when 
it joins the domain, it generates a random 16 character password which it 
writes to a SQL database. From then on the sql database owns the computer, if 
you need to regenerate a new password just push the button on a web front end 
and it resets it and writes it to the database.


Mark
-Original Message-
From: Dave Wade [EMAIL PROTECTED]
Date: Tue, 16 May 2006 17:28:29 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

You can set the password in the startup script, but it's a bit open to
hacking. You can use an encrypted VB Script but those are pretty easy to
decrypt. There is also a tool around that will let you do it remotely.
You could also assign the logon locally rights to say domain users 
administrator.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 16 May 2006 16:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow 
 logon locally setting, that's my bad.  I guess best thing to do would

 be delete all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local

 logins, while others do not.  I was just wondering if there is a way, 
 via GPO, to force all users to log into the domain, instead of giving 
 them the option to log into their local machine.

 I have been told that In a GPO set the cached logon setting to 0
 and make sure allow logon locally is only set to Admins. will not 
 work.  However I still need to test this myself.  I was told allow 
 logon locally will make it so all unlisted users will not be able to 
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that 
 afterwards.

 Thanks.

 Joe


 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to 
  what you've asked for.  But I'm curious as to what you really want 
  to accomplish.  You've put something very specific, but what makes 
  you want to force the logon?  What's the backstory?
 
  Al
 
  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable
   logging into local computer accounts via GPO?
  
   Thanks.
  
 



[ActiveDir] [OU] ASP.Net 2.0 Impersonation

2006-05-16 Thread Bernier, Brandon \(.\)






This is way off topic, but I need a sanity check and the only other place to turn is the wall left of me.


Background: Writing lots of tools in ASP.Net 2.0 on a R2 Enterprise Server. For my website I turn off Anonymous Access and enable Windows Authentication. After that I ACL the website directory with the appropriate administrator group that uses these tools.

Issue: I keep getting operational failures when I go to execute any directory query. IIS has the user credential, unlike classic ASP you now need to either enable impersonation in your web.config or manually change thread context when needed. I've verified that it's getting the correct Windows Principal, but it only executes correctly if I hardcode that ID into my web.config. Something is fishy here... Here is a tidbit of code that fails and my web.config:


btw- Anyone know a good IIS forum that has the same level of masterminds that ActiveDir has?


-Brandon




Code behind snippet


// Requires: using System.DirectoryServices;
try
{
    // Bind to the target OU
    DirectoryEntry objOU = new DirectoryEntry("LDAP://" + m_strFullOUDN);

    // Create the computer object under the OU and set its sAMAccountName
    DirectoryEntry objComputer = objOU.Children.Add(String.Concat("CN=", m_strComputerName), "computer");

    objComputer.Properties["samAccountName"].Add(String.Concat(m_strComputerName, "$"));
    objComputer.CommitChanges();

    objComputer.Close();
    objComputer.Dispose();
}
catch (System.Runtime.InteropServices.COMException ex)
{
    //grabbing lots of stuff to see who I really am
    TextBox1.Text = TextBox1.Text + "Error Message: " + ex.Message.ToString();
    TextBox1.Text = TextBox1.Text + "\n Error Code: " + ex.ErrorCode.ToString();
    TextBox1.Text = TextBox1.Text + "\n \n Stack Dump: " + ex.StackTrace.ToString();
    TextBox1.Text = TextBox1.Text + "\n \n User Type : " + System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
    TextBox1.Text = TextBox1.Text + "\n Current Windows Principal : " + System.Security.Principal.WindowsIdentity.GetCurrent().Name;
    TextBox1.Text = TextBox1.Text + "\n Current HTTP Identity : " + HttpContext.Current.User.Identity.Name.ToString();
    TextBox1.Text = TextBox1.Text + "\n Is Anonymous : " + System.Security.Principal.WindowsIdentity.GetCurrent().IsAnonymous;
    TextBox1.Text = TextBox1.Text + "\n Auth Mech : " + System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
}

 



Web.config


<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
 <system.web>
  <authentication mode="Windows"/>
  <identity impersonate="true"/>
  <customErrors mode="Off"/>
  <compilation defaultLanguage="c#" debug="true" urlLinePragmas="true">
  </compilation>
 </system.web>
</configuration>





RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread deji
Tom,
 
next time, try something like "move dhcp" or "move dhcp site:microsoft.com"
on google. See http://www.google.com/intl/en/help/cheatsheet.html for
Google-Fu basics.
 
See KB325473 for the solution to your question.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)


Will netsh overwrite the scopes already existing on the target?
 
Also, does netsh migrate leases or just the scope and scope options?
 
Thanks

 
On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: 

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED]  wrote:

 I want to migrate DHCP(scopes,scope options,leases) from one win2k box to
 another.

 My issue is, the target server is running DHCP with scopes,etc already
 configured.

 Is there anyway to migrate the source DHCP server to the target without
 overwriting the target's settings?

 I just want to merge the 2- move the source info over while keeping the
 target DHCP info intact as well.

 Is this possible?

 Thanks







RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Bernard, Aric








I agree with Daniel – I believe that netsh
will do a fine job of migrating scopes and scope options but not leases. 
However, leases should not be too much of an issue so long as you instruct the
DHCP server to perform conflict detection (assumes that ICMP is not blocked on
your network).



A set of commands something like the
following perform the migration for you.



From a command prompt on the existing DHCP
server:

Netsh dhcp server \\existing_dhcp_server export c:\dhcp_info.txt all



From a command prompt on the new DHCP
server:

Netsh dhcp server \\existing_dhcp_server import \\existing_dhcp_server\c$\dhcp_info.txt all



Now keep in mind that this will export
everything and import everything.  I would suggest ensuring that the new DHCP
server is at the time of import not authorized in the AD or at least in a state
that no clients will attempt to use it.  After the import you can retrofit any
of the imported data as necessary, such as altering or removing scopes or
options.



If you need to be more selective about
what you export from the existing server, you will want to use the dump command
instead and then massage the output so that you can use the add command on the
new DHCP server.



HTH



Aric















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Conrad, Daniel C Mr. Nortel
Government Solutions
Sent: Tuesday, May 16, 2006 9:50
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP
migration(OT)









Past experience, 











NETSH will migrate the scopes but you use the backup/restore
process for the leases (if you want them).











D















From:
[EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Tue 5/16/2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP
migration(OT)





Haven't played with it for a while so I can't answer unless I fire up a
VM and start playing. Do you fancy letting me know your findings ;-)

M@

On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote:

 Will netsh overwrite the scopes already existing on the target?

 Also, does netsh migrate leases or just the scope and scope options?

 Thanks



 On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
  look into netsh. might be of use.
 
  On 5/12/06, Tom Kern [EMAIL PROTECTED]  wrote:
  
   I want to migrate DHCP(scopes,scope options,leases) from one
win2k box
 to
   another.
  
   My issue is, the target server is running DHCP with scopes,etc
already
   configured.
  
   Is there anyway to migrate the source DHCP server to the target
without
   overwriting the target's settings?
  
   I just want to merge the 2- move the source info over while keeping the
   target DHCP info intact as well.
  
   Is this possible?
  
   Thanks
  
  
 












RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread deji
I got converted. I used to be a strong proponent of setting a common password
for the local admin account on all clients. The logic is that it enables
helpdesk people to log into desktops easily for support tasks. I used to
hardcode the passwords into a login script, and I used to justify the
security implication by saying that whoever can read the hardcoded password
knows too much already.
 
So, I got converted. Now, I set the password randomly to something long and
obnoxious that nobody knows. The password is generated on the fly and not
written anywhere. If a helpdesk support person needs to log into a client
computer as local admin, the password is first reset remotely, and a flag
file is deleted from the computer. The absence of the flag file will force
the computer to process the password generating script again upon a reboot.
 
If the password can not be reset remotely, there is a WinPE rescue disk, or
BartPE or Sysinternal's locksmith.
 
The point of all of this is that you do not HAVE to hardcode passwords into
your startup scripts.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Riley, Devin
Sent: Tue 5/16/2006 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?



You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to Domain Computers and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin


=
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
Dim oUser

On Error Resume Next

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

sNewPassword = "PutSomeReallyLongPasswordHere"

sComputer = objNet.ComputerName
sAdminName = GetAdministratorName

' Bind to the local account through the WinNT provider and set its password
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
On Error Goto 0

' 4 = information event in the Application log
objShell.LogEvent 4, "LP startup script LP04 run record."

'======
' Get Admin Account Name
'======

Function GetAdministratorName()
    Dim sUserSID, objNet, oUserAccount
    Set objNet = CreateObject("WScript.Network")
    ' Enumerate local accounts only (Domain = this computer's name)
    Set oUserAccounts = GetObject( _
        "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
        .ExecQuery("Select Name, SID from Win32_UserAccount" & _
        " WHERE Domain = '" & objNet.ComputerName & "'")

    On Error Resume Next
    For Each oUserAccount In oUserAccounts
        ' The built-in Administrator keeps RID 500 even when renamed
        If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
           Right(oUserAccount.SID, 4) = "-500" Then
            GetAdministratorName = oUserAccount.Name
            Exit For
        End If
    Next
End Function


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow
 logon locally setting, that's my bad.  I guess best thing to do would

 be delete all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local

 logins, while others do not.  I was just wondering if there is a way,
 via GPO, to force all users to log into the domain, instead of giving
 them the option to log 
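
The rotation scheme described at the top of this message (a random password generated on the fly, never written down, regenerated at boot whenever a flag file is missing), shown in PowerShell as an added example; it is not code from the thread. The flag-file path, the 32-character length and the function names are assumptions, and the script is meant to run as a machine startup script under SYSTEM.

```powershell
#Requires -Version 5.1
# Added example, not from the thread. Runs as a machine startup script (SYSTEM).
# Assumed names: the flag-file location and the function names are hypothetical.

# Kept under %SystemRoot% so standard users cannot pre-create or delete the flag.
$FlagFile = Join-Path $env:SystemRoot 'LocalAdminRotation\rotated.flag'

function New-RandomPassword {
    param([int]$Length = 32)

    # 64 symbols: a random byte modulo 64 maps onto them without bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until upper case, lower case and a digit are all present,
            # so the result also passes the Windows complexity policy.
        } until ($candidate -cmatch '[A-Z]' -and
                 $candidate -cmatch '[a-z]' -and
                 $candidate -cmatch '[0-9]')
    }
    finally { $rng.Dispose() }
    $candidate
}

function Get-BuiltinAdministrator {
    # The built-in Administrator keeps RID 500 even after a rename,
    # the same SID test the VBScript in this thread applies.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
}

function Invoke-LocalAdminRotation {
    # Flag present: this machine already has a random password, nothing to do.
    if (Test-Path -LiteralPath $FlagFile) { return 'skipped' }

    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'No local account with RID 500 found.' }

    # The plaintext exists only inside this process; it is never logged or stored.
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    $admin | Set-LocalUser -Password $secure

    # Record completion. Deleting this file forces a new password at next boot.
    $dir = Split-Path -Parent $FlagFile
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -LiteralPath $FlagFile -Value (Get-Date -Format o)
    'rotated'
}

Invoke-LocalAdminRotation | Out-Null
```

Because nothing in the script or in SYSVOL contains the password, read access to the startup script discloses only the procedure, not a credential.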

[ActiveDir] OID For A New Attribute

2006-05-16 Thread Feigin, Andrew








Does anyone know how to request one from MS? 

I used OIDGEN for my test environment, however for
production I was advised to use a real one to avoid a possible collision.



Andrew Feigin - AIG










RE: [ActiveDir] OID For A New Attribute

2006-05-16 Thread Hutchins, Mike



Get them from http://www.iana.org/cgi-bin/enterprise.pl


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Feigin, Andrew
Sent: Tuesday, May 16, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OID For A New Attribute


Does anyone know how to request one 
from MS? 
I used OIDGEN for my test 
environment, however for production I was advised to use a real one to avoid a 
possible collision.

Andrew 
Feigin - AIG



RE: [ActiveDir] OID For A New Attribute

2006-05-16 Thread joe



http://msdn.microsoft.com/certification/ad-registration.asp

http://msdn.microsoft.com/library/default.asp?url=


Don't forget to request a prefix and if you need 
linkids to get those as well.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Feigin, Andrew
Sent: Tuesday, May 16, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OID For A New Attribute


Does anyone know how to request one 
from MS? 
I used OIDGEN for my test 
environment, however for production I was advised to use a real one to avoid a 
possible collision.

Andrew 
Feigin - AIG



RE: [ActiveDir] OID For A New Attribute

2006-05-16 Thread Feigin, Andrew








Thanks!




Andrew Feigin - AIG











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 16, 2006 3:32
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OID For A
New Attribute





http://msdn.microsoft.com/certification/ad-registration.asp



http://msdn.microsoft.com/library/default.asp?url="">





Don't forget to request a prefix and if
you need linkids to get those as well.











--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Feigin, Andrew
Sent: Tuesday, May 16, 2006 3:18
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OID For A New
Attribute

Does anyone know how to request one from MS? 

I used OIDGEN for my test environment, however for
production I was advised to use a real one to avoid a possible collision.



Andrew Feigin - AIG










RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

2006-05-16 Thread joe
Interesting that your address is being used for SPAM, I haven't seen that,
usually the addresses are randomly generated. 

I tried to contact the postmaster at mcmathlaw.com to comment on their SPAM
filter and say that I thought it was a joke and would feel bad to be one of
their users because who knows how much email they aren't seeing and
interestingly enough I get back...


[EMAIL PROTECTED]: host mail.mcmathlaw.com[64.139.70.12] said: 550
[EMAIL PROTECTED], Recipient unknown (in reply to RCPT TO
command)


So they are spoofing an address on the responses to alleged SPAM. Cracks me
up. That puts them in the category of SPAM IMO. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

I've been getting a lot of bounces lately from spam with forged headers, and
I report them all as spam. I have my spam settings pretty loose, and block
most with RBLs & static, in-house blacklists. I get very few
false-positives, and most of those end up in my quarantine, where I can add
them to a whitelist. It's extra work for me, but still better than spamming
other innocent people, and ending up blacklisted.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

I think for SPAM this is probably good because if it isn't SPAM, the headers
weren't forged and it may be nice to know that someone didn't get the
message.  For instance, say you were sending some fairly important message
and you know that RR was disabled on their mail system, you would have to
assume they got it or worse, call them to ask if they got it - Yeah... I
just sent you an email, did you get it...
derrr. 

For AV stuff, yes, I absolutely agree, do not send messages back saying the
message I sent had a virus. I hate that because I know I didn't send a
message with a virus but some numbskull who happens to have my email address
in their contacts sent it. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

Setting spam filters to send a reply is, IMHO, totally irresponsible, since
the From: headers on spam are ALWAYS forged. The admins at these
organizations then complain about getting listed on RBLs, because they are
effectively relaying spam. Sorry about the soapbox speech -- just a bit of a
pet peeve...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

LOL. The previously attached EML kicked off even more SPAM filters, 11 at
last count. That just cracks me right up. A society in fear of SPAM and
viruses


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: FW: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important

Looks like MCMATHLAW.COM has their SPAM filter (MDaemon) set a little on the
sensitive side I would hate to be behind that filter, can't imagine how
much mail they are missing.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 10:00 AM
To: [EMAIL PROTECTED]
Subject: RE: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important

MDaemon has identified your message as spam.  It will not be delivered.

From  : [EMAIL PROTECTED]
To: SOMERANDOMPERSON@mcmathlaw.com
Subject   : RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
Message-ID: [EMAIL PROTECTED]

Yes, score=3.1 required=3.0 tests=BAYES_60,HTML_50_60, HTML_MESSAGE
autolearn=no version=3.1.0
***
*  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML *  3.0 BAYES_60 BODY:
Bayesian spam probability is 60 to 80% *  [score: 0.6164] *  0.0
HTML_MESSAGE BODY: HTML included in message

: Message contains [1] file attachments


[ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

2006-05-16 Thread Victor W.




We are in the middle of a migration from Exchange 2000 to Exchange 2003. We have 2 Administrative Groups in ESM. One of them is named: First Administrative Group (this name was left default at the time of the installation of the first server). The other has been given a new name. The First Administrative Group holds the Exchange 2000 servers, the other holds the Exchange 2003 servers.

In the end only one Administrative Group will exist, the new one.

Recently I moved a couple of hundred of mailboxes to a different server in a different Administrative Group.
When looking at those mailboxes from within ESM (by clicking the mailboxes node under the servers node), I can see that most of those mailboxes still have the name of the Administrative Group they were in, in their Full Mailbox Directory Name (this is a column that can be added in ESM).

The mailboxes were on a server which was in the First Administrative Group and have been moved to another server which sits in another Administrative Group.

I am asking this because when after all the mailboxes have been moved (a few are still on that old server), I am planning to delete the First Administrative Group in time.

My question is why does the Full Mailbox Directory Name still have the First Administrative Group in it, even if the mailbox is no longer in the First Administrative Group?
Do I need to fix this before I will delete the First Administrative Group?

Thanks in advance for the help.


Re: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Tom Kern
I don't want to seem rude, but in my post I was primarily concerned with overwriting the existing scopes on the target server.
I never asked about how to migrate dhcp but rather how to migrate a source dhcp to a target dhcp server which has existing scopes on it.

I read those articles before posting. They never answered my concern.

I may deserve a heap of sarcasm for various other posts I made but not this one :)

Thanks
On 5/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Tom,

next time, try something like "move dhcp" or "move dhcp site:microsoft.com"
on google. See http://www.google.com/intl/en/help/cheatsheet.html for
Google-Fu basics.

See KB325473 for the solution to your question.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com - we know IT
www.akomolafe.com http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target?
Also, does netsh migrate leases or just the scope and scope options?
Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
 look into netsh. might be of use.

 On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:
  I want to migrate DHCP(scopes,scope options,leases) from one win2k box to
  another.

  My issue is, the target server is running DHCP with scopes,etc already
  configured.

  Is there anyway to migrate the source DHCP server to the target without
  overwriting the target's settings?

  I just want to merge the 2- move the source info over while keeping the
  target DHCP info intact as well.

  Is this possible?

  Thanks


RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

2006-05-16 Thread Yann
hi Iain,

Unfortunately, I have no way to avoid this but enabling my NIC card *ONLY* during the replication windows scheduled. The other time, my NIC card will be disabled.
I don't know right now how to do this. I was thinking about scheduling (AT) a script (via netsh ??) that will enable my NIC when my replication window starts and then will disable my NIC when the replication stops.

Yann

[EMAIL PROTECTED] wrote:

Yann,

How are you planning on protecting your lag site DCs from a forced replication?

Regards,
Iain | IT Services | Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 15 May 2006 21:49
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

Understood !
We will follow your advice.
Cheers,
Yann

- Original message -
From: "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

 SRV records
* make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag are higher than any other site links that also links to the main site

for the lag to work properly make sure you have at least one DC from each domain, because of eventual cross domain links (e.g. group memberships)

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

hello all,

We are about to build a lag site for our AD recovery strategy.
We schedule replication Prod Sites - Lag Sites one time a week.
We have one forest with a Root and Child domain.
The lag site will contain only one DC. We would like to disable clients auth on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a gpo.
or
2) Stop and disable the netlogon service.

What will be the best choice ? 1) or 2) ?
Shall I also disable the service server to avoid replication of sysvol too ?

Thanks for input.

RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it important

2006-05-16 Thread Derek Harris
Not my address, but my users' addresses, and many random addresses @ my
domain. Failure to accept mail as postmaster is a violation of
RFC2821: (I know, so is failure to send NDRs...)

4.5.1 Minimum Implementation

   In order to make SMTP workable, the following minimum implementation
   is required for all receivers.  ...

   Any system that includes an SMTP server supporting mail relaying or
   delivery MUST support the reserved mailbox postmaster as a case-
   insensitive local name.  This postmaster address is not strictly
   necessary if the server always returns 554 on connection opening (as
   described in section 3.1).  The requirement to accept mail for
   postmaster implies that RCPT commands which specify a mailbox for
   postmaster at any of the domains for which the SMTP server provides
   mail service, as well as the special case of "RCPT TO:<Postmaster>"
   (with no domain specification), MUST be supported.

   SMTP systems are expected to make every reasonable effort to accept
   mail directed to Postmaster from any other system on the Internet.
   In extreme cases --such as to contain a denial of service attack or
   other breach of security-- an SMTP server may block mail directed to
   Postmaster.  However, such arrangements SHOULD be narrowly tailored
   so as to avoid blocking messages which are not part of such attacks.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 16, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it
important

Interesting that your address is being used for SPAM, I haven't seen
that, usually the addresses are randomly generated. 

I tried to contact the postmaster at mcmathlaw.com to comment on their
SPAM filter and say that I thought it was a joke and would feel bad to
be one of their users because who knows how much email they aren't
seeing and interestingly enough I get back...


[EMAIL PROTECTED]: host mail.mcmathlaw.com[64.139.70.12] said:
550
[EMAIL PROTECTED], Recipient unknown (in reply to RCPT TO
command)


So they are spoofing an address on the responses to alleged SPAM. Cracks
me up. That puts them in the category of SPAM IMO. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it
important

I've been getting a lot of bounces lately from spam with forged headers,
and I report them all as spam. I have my spam settings pretty loose, and
block most with RBLs & static, in-house blacklists. I get very few
false-positives, and most of those end up in my quarantine, where I can
add them to a whitelist. It's extra work for me, but still better than
spamming other innocent people, and ending up blacklisted.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it
important

I think for SPAM this is probably good because if it isn't SPAM, the
headers weren't forged and it may be nice to know that someone didn't
get the message.  For instance, say you were sending some fairly
important message and you know that RR was disabled on their mail
system, you would have to assume they got it or worse, call them to ask
if they got it - Yeah... I just sent you an email, did you get it...
derrr. 

For AV stuff, yes, I absolutely agree, do not send messages back saying
the message I sent had a virus. I hate that because I know I didn't send
a message with a virus but some numbskull who happens to have my email
address in their contacts sent it. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, May 15, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it
important

Setting spam filters to send a reply is, IMHO, totally irresponsible,
since the From: headers on spam are ALWAYS forged. The admins at these
organizations then complain about getting listed on RBLs, because they
are effectively relaying spam. Sorry about the soapbox speech -- just a
bit of a pet peeve...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] [OT] Group Name (Pre-Win2k) - Is it
important

LOL. The previously attached EML kicked off even more SPAM filters, 11
at last count. That just cracks me right up. A society in fear of SPAM
and viruses


--
O'Reilly Active Directory Third Edition -

RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread deji
There  was no sarcasm intended in my response.
 
I am sorry that it appeared so to you.
I am sorry that you are not able to see the answer to "how to migrate a
source dhcp to a target dhcp server which has existing scopes on it" in that
article.
I am sorry that I replied to you at all.
It won't happen again.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)


I don't want to seem rude, but in my post I was primarily concerned with
overwriting the existing scopes on the target server.
I never asked about how to migrate dhcp but rather how to migrate a source
dhcp to a target dhcp server which has existing scopes on it.
 
I read those articles before posting. they never answered my concern.
 
I may deserve a heap of sarcasm for other various other posts I made but not
this one :)
 
Thanks

 
On 5/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

Tom,

next time, try something like move dhcp or move dhcp site: microsoft.com
on google. See http://www.google.com/intl/en/help/cheatsheet.html for
Google-Fu basics.

See KB325473 for the solution to your question. 


Sincerely,
  _
(, /  |  /)   /) /)
   /---| (/_  __   ___// _   //  _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
  (/ 
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


 

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] DHCP migration(OT)


Will netsh overwrite the scopes already existing on the target?

Also, does netsh migrate leases or just the scope and scope options?

Thanks


On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

   look into netsh. might be of use.

   On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

      I want to migrate DHCP (scopes, scope options, leases) from one
      win2k box to another.

      My issue is, the target server is running DHCP with scopes, etc.
      already configured.

      Is there any way to migrate the source DHCP server to the target
      without overwriting the target's settings?

      I just want to merge the 2 - move the source info over while
      keeping the target DHCP info intact as well.

      Is this possible?

      Thanks
   



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/





[ActiveDir] User Object Attribute mismatches on different DC's

2006-05-16 Thread Mylo

Evenin' All,

Had the pleasure of jumping into warm waters at work today with a client 
where an authoritative restore was performed a few weeks ago following 
an OU being mistakenly deleted. Under this OU were a number of users 
who have yet to be wholly migrated to AD but are still using their 
legacy NT4 accounts to access Exchange 2003 (i.e. disabled user in AD) 
before they are fully migrated to AD (Windows XP)... all DCs are running 
Win2K3SP1 ... I've discovered a number of mismatches between certain 
attributes of these user objects according to the DC you query...


<plug> For example, if I use the infamous ADFIND tool </plug>

Using the following syntax I query the homeMDB attribute on each DC

Syntax:
for /f %%a in (mydclist.txt) do adfind -h %%a:389 -b "OU=RestoredOU,DC=MYAD,DC=ACME,DC=COM" -c -u ACME\admin -sort name dn -f "(&(objectClass=user)(!(homeMDB=*)))"


The following information is returned (paraphrased)

AdFind V01.30.01cpp Joe Richards ([EMAIL PROTECTED]) January 2006
Using server: gbsrv01.myad.acme.com:389
Directory: Windows Server 2003
1804 Objects returned

Using server: gbsrv002.myad.acme.com:389
Directory: Windows Server 2003
1804 Objects returned

Using server: ussrv001.myad.acme.com:389
Directory: Windows Server 2003
2669 Objects returned

Using server: itsrv001.myad.acme.com:389
Directory: Windows Server 2003
1804 Objects returned

Using server: nlbek31w3ls001.myad.acme.com:389
Directory: Windows Server 2003
4260 Objects returned

Using server: ussrv002.myad.acme.com:389
Directory: Windows Server 2003
2670 Objects returned

Using server: essrv001.myad.acme.com:389
Directory: Windows Server 2003
4146 Objects returned

Using server: sesrv001.myad.acme.com:389
Directory: Windows Server 2003
1804 Objects returned

Using server: frsrv001.myad.acme.com:389
Directory: Windows Server 2003
4090 Objects returned

etc...

Interestingly, in certain cases, particular servers, not necessarily in 
the same site, return the same value of objects (not 1804)
Given that the query is looking for user IDs with empty homeMDB, less is 
good and given that 1804 objects returned (seems) to indicate that 
these are the DCs with the correctly populated homeMDB attributes, my 
questions are thus:


(1) Is a USN problem associated with the restore a possible cause here?
(2) Given that a REPADMIN /showutdvec on all DC's reveals no USN 
inconsistencies as such, and that replication is working correctly, how 
was this situation likely to come about?
(3) What's preventing successful update of these attributes (dumb 
question maybe but I want to be certain)
(4) (Big If) but can I force replication from my suspected good entries 
to overcome this issue


Granted, there's a paucity of information to go on... but I'll try and 
elaborate as the night goes along :-)


Many thanks,
Mylo
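
The per-DC comparison described in the post above, as an added example that is not part of the original post or of AdFind. It parses concatenated count-only output, groups DCs by the count they returned, and takes the lowest count as the baseline, following the poster's "less is good" reasoning. The function names and the dc-noreply entry are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: five of the results quoted in the post, plus one
# made-up DC (dc-noreply) whose query returned nothing, to show that case.
SAMPLE_OUTPUT = """\
AdFind V01.30.01cpp Joe Richards ([EMAIL PROTECTED]) January 2006
Using server: gbsrv01.myad.acme.com:389
Directory: Windows Server 2003
1804 Objects returned

Using server: gbsrv002.myad.acme.com:389
Directory: Windows Server 2003
1804 Objects returned

Using server: ussrv001.myad.acme.com:389
Directory: Windows Server 2003
2669 Objects returned

Using server: dc-noreply.myad.acme.com:389

Using server: nlbek31w3ls001.myad.acme.com:389
Directory: Windows Server 2003
4260 Objects returned

Using server: ussrv002.myad.acme.com:389
Directory: Windows Server 2003
2670 Objects returned
"""

SERVER_RE = re.compile(r"^Using server:\s*(\S+?)(?::\d+)?$")
COUNT_RE = re.compile(r"^(\d+)\s+Objects? returned$")


def parse_counts(text):
    """Map each DC to its object count, or None if no count followed it."""
    counts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        server = SERVER_RE.match(line)
        if server:
            current = server.group(1)
            counts[current] = None      # stays None unless a count line follows
            continue
        count = COUNT_RE.match(line)
        if count and current is not None:
            counts[current] = int(count.group(1))
            current = None
    return counts


def group_by_count(counts):
    """Group the DCs that answered by the count they returned, lowest first."""
    groups = defaultdict(list)
    for dc, n in counts.items():
        if n is not None:
            groups[n].append(dc)
    return dict(sorted(groups.items()))


def divergent_dcs(counts):
    """Extra objects per DC relative to the lowest count (assumed baseline)."""
    answered = {dc: n for dc, n in counts.items() if n is not None}
    if not answered:
        return {}
    baseline = min(answered.values())
    return {dc: n - baseline for dc, n in answered.items() if n > baseline}


if __name__ == "__main__":
    results = parse_counts(SAMPLE_OUTPUT)
    for n, dcs in group_by_count(results).items():
        print(f"{n:>6}  {', '.join(dcs)}")
    print("no result:", [dc for dc, n in results.items() if n is None])
    print("above baseline:", divergent_dcs(results))
```

DCs that share a count land in the same group, which makes it easy to see whether the divergent DCs cluster by site or replication partner.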






RE: [ActiveDir] GPO Software Deployment

2006-05-16 Thread Jonathon . Austin

Good assessment.

When you have the machines cleaned up, Adobe supplies a deployment
preparation tool for this exact purpose. You will have to do a bit of
Googling for it.

NEVER edit or repackage an existing MSI (not possible in every case).
Always create a transform which can be applied against the original MSI.
Buy a proper suite such as Wise Application Studio for enterprise software
deployment.

Cheers

Jon Austin

[EMAIL PROTECTED] wrote on 17/05/2006 01:26:55 AM:

 So, I suspect what is happening here, based on that error, is the
 popup you're seeing is Windows Installer trying to repair the 
 application but not finding the right files to do it. The Feature name, 
 WIFEAT0001, tells me the package was created using WinInstall--
 not very interesting. I suspect that the registry still contains 
 references to the package. I would search the registry by the 
 Product GUID, below, and get rid of all instances of it. 
 Alternatively, you could try downloading and running the Installer
 Cleanup tool, found at http://support.microsoft.com/kb/290301/





RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3

2006-05-16 Thread Lee, Wook
When are you planning on increasing the functional levels of the domain
and the forest? There are several features of Windows 2003 AD that you
do not get even if you've upgraded the DCs unless you also bump up the
functional levels.

When you bump the forest functional level, I believe there will be a PAS
expansion at that point since I recall there being some settings that
are deferred until then.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, May 12, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3

I suggested doing AD, then Exchange = that's not the same as saying
Windows, then Exchange...

Means that you can do all the schema/domain mods basically at once and
upgrade all DCs to W2k3. The Exchange 2000 server itself can't be
upgraded to W2k3 - that is correct, but it runs just fine in a Win2k3 AD
domain/forest.  

But your routine will also work fine.  I'd probably upgrade the OWA
front-end to W2k3 right after step iv) so that you don't have to touch
the box again in step xii).  As long as this isn't a DC, this won't be a
problem.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Watts
Sent: Freitag, 12. Mai 2006 10:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3

Thanks. My plan so far is this:

i) Install W2K3 on new hardware and join to domain as member server
ii) Run E2K3 ForestPrep on Schema Master
iii) Run E2K3 DomainPrep
iv) Upgrade OWA front-end to E2K3
v) Install E2K3 to newly built server
vi) Migrate mailboxes and Public Folders, using Move Mailbox wizard, to
newly built server
vii) Uninstall E2K from existing server
viii) Run W2K3 ForestPrep on Schema Master
ix) Run W2K3 DomainPrep on Inf. Master
x) Upgrade PDC Emulator to W2K3
xi) Upgrade other DCs to W2K3
xii) Upgrade OWA Front End to W2K3

So this should leave me with 3 W2K3 DCs, 1 W2K3/E2K3 member server and 1
W2K3/E2K3 OWA front-end server. 

Guido, we don't have any legacy clients to worry about, but is my
sequence wrong as regards upgrading Exchange THEN Windows as you have
suggested doing Windows THEN Exchange? I thought W2K3 with E2K wasn't
supported?

Jon
**
Jonathan Watts
Network Admin
St Catherine's School
**

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: 11 May 2006 16:38
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT - W2K/E2K upgrade to W2K3/E2K3
 
 Why don't you post your procedure here and we'll comment on it :)
 
 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]
 
 c - 312.731.3132
 
 




RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

2006-05-16 Thread Freddy HARTONO



That will trigger most tools/scripts for replication errors, wouldn't it?


Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, May 17, 2006 4:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

hi Iain,

Unfortunately, I have no way to avoid this but enabling my NIC card *ONLY* 
during the replication windows scheduled. The other time, my NIC card will be 
disabled.

I don't know right now how to do this. I was thinking about scheduling 
(AT) a script (via netsh ??) that will enable my NIC when my replication windows 
starts and then will disable my NIC when the replication stops.

Yann


[EMAIL PROTECTED] wrote:

  Yann,
  
  How are you planning on protecting your lag site 
  DCs from a forced replication?
  
  Regards, 
  Iain | IT Services | Infrastructure 
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 15 May 2006 21:49
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.



Understood !

We will follow your advice.

Cheers,

Yann

----- Original message -----
From: "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

SRV records
* make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag are higher than any other site links that also links to the main site

for the lag to work properly make sure you have at least one DC from each domain, because of eventual cross domain links (e.g. group memberships)

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

hello all,

We are about to build a lag site for our AD recovery strategy.
We schedule replication Prod Sites -> Lag Sites one time a week.
We have one forest with a Root and Child domain.
The lag site will contain only one DC. We would like to disable clients auth on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a gpo.
or
2) Stop and disable the netlogon service.
What will be the best choice ? 1) or 2) ?
Shall I also disable the service server to avoid replication of sysvol too ?

Thanks for input.
  




[ActiveDir] How to Determine Who Has Authenticated Against DC

2006-05-16 Thread Noah Eiger








Hello:

Sorry for what might be an obvious question: Is it possible to determine who has
authenticated against a particular DC over a period of time? (And if so how?) I
suspect that some machines in one site are authenticating against a DC in
another. Without checking each workstation, how can I see where they are
authenticating? 

Thanks.

--
nme

P.S. Not sure if it is related, but the DC in question reports that it can't
provide some time service to machines in the remote site. (Sorry, not looking
at the exact warning message right now.)








 


RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Conrad, Daniel C Mr. Nortel Government Solutions








Tom,

You got me wondering myself so I VMed it. Here's what I did.

Built scopeA with a bunch of configs
Exported the configs w/Netsh all
Deleted scopeA
Built scopeB with different configs
Imported the config file from the old scope with the /all switch.

Results: After refreshing the console a couple of times, the imported scope
was added to the existing list. 

Note: NETSH will not export or import the current leases. They must be
backed up and restored.

In the NETSH/DHCP/Server prompt you can use import /? to get the syntax to
import individual scopes, but based on this test it doesn't seem necessary.

Hope this helps,

Dan











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, May 16, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

I don't want to seem rude, but in my post I was primarily concerned
with overwriting the existing scopes on the target server.

I never asked about how to migrate dhcp but rather how
to migrate a source dhcp to a target dhcp server which has existing scopes on
it.

I read those articles before posting. They never answered my concern.

I may deserve a heap of sarcasm for various other posts I made
but not this one :)

Thanks



















RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Ken Schaefer








Tom,

I don't want to seem rude, but this is something that
would take you 5 minutes to test yourself (e.g. in a VM). You could even
report your results back to the list.

Cheers

Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to know about
MOM 2005













From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, 17 May 2006 6:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

I don't want to seem rude, but in my post I was primarily
concerned with overwriting the existing scopes on the target server.

I never asked about how to migrate dhcp but
rather how to migrate a source dhcp to a target dhcp server which has
existing scopes on it.

I read those articles before posting. They never answered my
concern.

I may deserve a heap of sarcasm for various other
posts I made but not this one :)

Thanks























RE: [ActiveDir] How to Determine Who Has Authenticated Against DC

2006-05-16 Thread Darren Mar-Elia



Noah-
Yes, any authentications to a DC are logged in the security 
event log (assuming Logon auditing is enabled). User logons should show up as 
528 events. 

Darren


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, May 16, 2006 7:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to Determine Who Has Authenticated Against DC


Hello:

Sorry for what might be an obvious question: Is it possible to determine who has 
authenticated against a particular DC over a period of time? (And if so how?) I 
suspect that some machines in one site are authenticating against a DC in 
another. Without checking each workstation, how can I see where they are 
authenticating? 

Thanks.

-- 
nme

P.S. Not sure if it is related, but the DC in question reports that it can't provide 
some time service to machines in the remote site. (Sorry, not looking at the 
exact warning message right now.)
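
One way to turn the logon events mentioned in the reply above into an answer to the original question, as an added example that is not from any poster on the list. It filters an exported Security log for event 528 inside a time window and reports workstations whose source address falls outside the DC's own site. The tab-separated export layout, the site names, the subnets and the host names are all assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

LOGON_EVENT_IDS = {"528"}   # the event ID named in the reply above

# Assumed site/subnet layout; in a real forest this mapping is defined in
# Active Directory Sites and Services.
SITE_SUBNETS = {
    "HQ": [ipaddress.ip_network("10.1.0.0/16")],
    "Branch": [ipaddress.ip_network("10.2.0.0/16")],
}

# Constructed sample, not a native event log format. Columns (tab-separated):
# timestamp, event id, user, workstation, source address.
SAMPLE_EXPORT = (
    "2006-05-15 08:01:12\t528\tACME\\jsmith\tWKS-HQ-014\t10.1.4.20\n"
    "2006-05-15 08:03:40\t528\tACME\\mlopez\tWKS-BR-007\t10.2.8.31\n"
    "2006-05-15 08:05:02\t538\tACME\\jsmith\tWKS-HQ-014\t10.1.4.20\n"
    "2006-05-15 09:15:27\t528\tACME\\mlopez\tWKS-BR-007\t10.2.8.31\n"
    "2006-05-15 09:20:00\t528\tACME\\svc_backup\tDC01\t-\n"
    "2006-05-16 07:59:59\t528\tACME\\tkhan\tWKS-LAB-002\t192.168.50.9\n"
    "2006-05-17 10:00:00\t528\tACME\\rpatel\tWKS-BR-011\t10.2.9.12\n"
)


def site_for(address):
    """Return the site owning an address, 'unmapped', or None if unparsable."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None                      # e.g. "-" for a local logon
    for site, networks in SITE_SUBNETS.items():
        if any(ip in net for net in networks):
            return site
    return "unmapped"


def remote_logons(export_text, dc_site, start, end):
    """Count logon events per (workstation, site) from outside dc_site."""
    hits = Counter()
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if len(row) != 5:
            continue                     # skip malformed rows
        stamp, event_id, _user, workstation, source = row
        if event_id not in LOGON_EVENT_IDS:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if not (start <= when < end):
            continue
        site = site_for(source)
        if site is None or site == dc_site:
            continue
        hits[(workstation, site)] += 1
    return hits


if __name__ == "__main__":
    window = (datetime(2006, 5, 15), datetime(2006, 5, 17))
    for (host, site), n in remote_logons(SAMPLE_EXPORT, "HQ", *window).items():
        print(f"{host:<12} {site:<9} {n}")
```

Workstations reported as "unmapped" come from addresses that match no defined subnet, which is worth checking first when clients pick a DC outside their own site.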


[ActiveDir] how to find DNS servers in a forest?

2006-05-16 Thread Manjeet Singh








If I have a list of DCs in a Windows 2003 forest, I just want to verify if they
have Microsoft-DNS installed on them. Where is this information stored in AD?

Or I want to find how many DCs have DNS installed.



Thanks, Manjeet