[ActiveDir] Migration without domain admin rights possible?
Hi Guys,

We have a peculiar requirement: one small group of around 300 users will be parting from the corporate AD and will be setting up their own forest. We will be using ADMT 3.0 for migration.

Source DFL/FFL: Windows 2000 native
Target DFL/FFL: Windows 2003
Two-way trust between domains.

We would be giving FULL control rights over those 300 users and their computer accounts to the new admins of the new forest. Also, they are added to the local admins of those computers to be migrated. They have domain admin rights in the target domain. We don't want to add them into the administrators group on the source domain (i.e. corporate AD).

Is it possible to migrate users, groups and computers? What will break in migration? I can think of: we will not be installing PES, so as a result NO password migration. Anything else?

Thanking you in advance,
-- Kamlesh
~"Never confuse movement with action."~
[ActiveDir] cn=meetings
All,

Just a quick query. Does anyone know what cn=meetings,cn=system,dc=domainfqdn is for?

Cheers
M@
RE: [ActiveDir] OT: HP disk array expansion
Maybe I misunderstand the post, but why rebuild in this scenario? All the OP needs / wants to do is to add disks and to expand the existing arrays. He requires no or minimal downtime too. This can be achieved as the OP described.

FWIW: I have performed this (not in the last 5 years) on many occasions and whilst the process can take some time to complete, it is relatively trivial to accomplish and AFAIK can be performed with zero downtime.

neil

From: Ed Buford
Sent: 27 July 2006 00:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

I would use the ghost method, I've done this numerous times with servers and never ran into a problem. All in all it really is a fast solution. And since you're doing it over the wire you can speed the process up by using gigabit components.

From: Derek Harris
Sent: Wednesday, July 26, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

This sounds like the safest way to do it, but you will have some downtime. I've done it (on a Dell box) the way you described: swapping one disk at a time, and there is downtime that way, too (in addition to the severe performance hit of the array having to rebuild several times).

From: Blair, James
Sent: Wednesday, July 26, 2006 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

James,

Have been in a similar situation on numerous occasions with HP ML350 G3/G4s. In our case we installed a firewire card and a Lacie drive, or utilised the native USB to a portable HD and Acronis True Image. We imaged the disks and then pulled them out and put the new ones in and imaged it back, works nicely. This solution even worked for an Exchange server and if it all fails you can simply put the old disks back in and be back where you started.

James

From: James Carter
Sent: Thursday, 27 July 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: HP disk array expansion

Hi,

I have a HP ML370 Proliant server. It currently has 4 x 36GB in a RAID 5 set. I want to upgrade the disk capacity of this server. I have bought 4 x 300GB disks as replacements. At present I have 4 x 36GB disks in the server. I was told I could replace one disk in the RAID with a 300GB, let the RAID rebuild and do the next disk. Repeat until all of the disks are 300GB and then I can look in the ACU and create a second logical drive that sees all that new space. Can this be done? Anyone know how long it would take to rebuild? Currently there is 90GB used in the current volume.

My other alternative is to buy a tape drive, backup, break the array, create a new array and then restore, but this department don't want any downtime. Anyway, shed some light as to which is the best method to take?

thanks
James
RE: [ActiveDir] Domain Local Groups vs Global Groups
Matt / Dan - great posts from both of you and this has provided some good material to start planning. Thanks

-David

-----Original Message-----
From: Matt Hargraves
Sent: 27 Jul 2006 6:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Local Groups vs Global Groups

There are some considerations when you get to multidomain forests:

Domain Global groups can only contain user or global group objects from the domain they actually reside within. In other words, if your global group resides within corp.company.com then you can have *only* members that are within the corp.company.com domain. They can be members of local groups in any other domain or universal groups anywhere within the forest though. They also will not allow universal or domain local group memberships. Thus, if you're going to have a multidomain forest, you will need to make sure that your role-based groups are inside your user domain and that you use those groups to sit in task-based groups (Domain Local groups).

If all your DCs are also GCs (which there really is very little reason for them not to be, since you lose a good amount of performance by forcing authentication to go to a DC then to a GC to create a token -- if it can all be done on one machine, save yourself some headache later in life and make all your DCs GCs also). Universal groups are useful when you have groups that will be utilized to ACL items everywhere in the environment and no matter where the user resides, they will need that membership utilized. All Distribution List groups are automatically Universal, if I recall correctly. Universal groups can only contain users, global groups or universal groups from anywhere in the forest (or outside the forest).

Local groups can have memberships of just about any type of object, no matter where it resides within the forest. However, you can only ACL items in a particular domain with a Domain Local group if that group resides in the same domain as the resource.

There are a few different basic formats for multidomain forests...

User/Exchange domain, resource domain(s). The nice thing about this model is that you only have role-based groups in your User/Exchange domain, so group memberships are relatively low and the Exchange Servers don't have much of a problem with their paged pool memory. You'll usually run into other barriers on your Exchange box before you run out of paged pool memory with this model.

User domain, Exchange domain, Resource domain(s). I'm not really sure why anyone uses this model other than a lack of understanding of how tokens are created. Same as the above example, but you get to buy more DCs and your tokens in Exchange are probably actually larger than they would be in the above example.

Multiple user/resource domains, single Exchange domain. Again, I think that this is another example of people who don't understand token creation, same reasons as the immediately preceding example. Unless you have a lot of resources being accessed across domains (and cross domain memberships), you're probably just better off with a single forest root/domain structure than wasting money on extra DCs in this model.

Then there is the standard single forest root/domain model that smaller companies go with. This has the wonderful elegance of simplicity. For the most part there is little reason to debate between global, universal and local groups other than making sure that you don't create local groups and try to nest them within global groups. For the most part, a security group is a security group is a security group in this model. You can ACL items with them and with the exception of nesting, there isn't a whole lot that you can do with one that you can't do with another.

For more information about how a token is created, download the doc at the bottom of the following page:
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74aDisplayLang=en

For more information on the differences between group types, go to:
http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true

Going back to the conversations from before though, try and make sure that you actually create a good RBS model and *use* it. There is no reason to create a bunch of global groups for users (a site RBS group set, a job RBS group set, and a hierarchy RBS group set) then not using them and nesting all your users in every other global group you create.

This conversation has gotten probably way more complex than you expected... hehe.

That being said, I also like a combination RBS/ABS model myself. Use role-based groups to create your 'general' access to items and then when people who are outside those
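The nesting rules discussed in the thread above, written out as a checker. This is an added example, not code from the thread or from Microsoft: it encodes the scope containment rules from the group-type documentation Matt links to (global groups hold only accounts and global groups from their own domain; universal groups hold accounts, global and universal groups from anywhere in the forest; domain local groups hold accounts and global/universal groups from any trusted domain plus domain local groups from their own domain, and may only be used on ACLs in their own domain). It goes slightly beyond the message by also modelling an external trust. The forest, the trust, and every group and user name below are constructed for the example.

```powershell
# Added example (not from the thread): checks proposed group nestings and
# ACL placements against the AD group-scope containment rules.
# The forest, external trust, groups and accounts are all constructed.
$ForestDomains          = @('corp.company.com', 'res.company.com')   # constructed forest
$TrustedExternalDomains = @('partner.example')                       # constructed external trust

function New-Principal {
    param([string]$Name, [string]$Domain, [string]$Type = 'Group', [string]$Scope = $null)
    [pscustomobject]@{ Name = $Name; Domain = $Domain; Type = $Type; Scope = $Scope }
}

function Test-GroupNesting {
    # Returns $true when $Member may be added to $Parent.
    param($Parent, $Member)
    $known      = ($ForestDomains + $TrustedExternalDomains) -contains $Member.Domain
    $inForest   = $ForestDomains -contains $Member.Domain
    $sameDomain = $Parent.Domain -eq $Member.Domain
    $isAccount  = $Member.Type -ne 'Group'
    $isGlobOrUni = @('Global', 'Universal') -contains $Member.Scope
    if (-not $known) { return $false }                 # no trust path to the member's domain
    switch ($Parent.Scope) {
        'Global'      { return $sameDomain -and ($isAccount -or $Member.Scope -eq 'Global') }
        'Universal'   { return $inForest -and ($isAccount -or $isGlobOrUni) }
        'DomainLocal' { return $isAccount -or $isGlobOrUni -or
                               ($Member.Scope -eq 'DomainLocal' -and $sameDomain) }
        default       { return $false }
    }
}

function Test-AclUse {
    # Domain local groups are bound to resources in their own domain; other scopes
    # can be placed on ACLs of any resource in the forest.
    param($Group, [string]$ResourceDomain)
    if ($Group.Scope -eq 'DomainLocal') { return $Group.Domain -eq $ResourceDomain }
    return $ForestDomains -contains $ResourceDomain
}

# Constructed AGDLP layout across the two domains
$roleFinance = New-Principal -Name 'Role-Finance'     -Domain 'corp.company.com' -Scope 'Global'
$taskShareRW = New-Principal -Name 'Task-FinShare-RW' -Domain 'res.company.com'  -Scope 'DomainLocal'
$jdoeCorp    = New-Principal -Name 'jdoe' -Domain 'corp.company.com' -Type 'User'
$bobRes      = New-Principal -Name 'bob'  -Domain 'res.company.com'  -Type 'User'
$contractors = New-Principal -Name 'Contractors' -Domain 'partner.example' -Scope 'Global'

$cases = @(
    @{ Case = 'own-domain user into Global';              Parent = $roleFinance; Member = $jdoeCorp },
    @{ Case = 'other-domain user into Global';            Parent = $roleFinance; Member = $bobRes },
    @{ Case = 'other-domain Global into DomainLocal';     Parent = $taskShareRW; Member = $roleFinance },
    @{ Case = 'external-trust Global into DomainLocal';   Parent = $taskShareRW; Member = $contractors },
    @{ Case = 'DomainLocal nested into Global';           Parent = $roleFinance; Member = $taskShareRW }
)
foreach ($c in $cases) {
    [pscustomobject]@{ Case = $c.Case; Allowed = Test-GroupNesting -Parent $c.Parent -Member $c.Member }
}
[pscustomobject]@{ Case = 'DL group on ACL in own domain';   Allowed = Test-AclUse -Group $taskShareRW -ResourceDomain 'res.company.com' }
[pscustomobject]@{ Case = 'DL group on ACL in other domain'; Allowed = Test-AclUse -Group $taskShareRW -ResourceDomain 'corp.company.com' }
```

Running it lists each case with its verdict; the two that the rules reject are the foreign user in a global group and the domain local group nested in a global group, plus the domain local group placed on a resource outside its own domain. To check a live forest instead of the constructed model, feed the functions objects built from each group's groupType and distinguishedName, and treat a failure as a nesting that AD would refuse or, for the ACL case, a membership that will not reach the resource.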
Re: [ActiveDir] Migration without domain admin rights possible?
Just curious, but what was the point of migration? Why not create new in the target and have them adhere to your new company standards?

As for what would break. Hmm, not sure you'd be able to read the information needed to perform the migration. At a minimum you would want to grant them the full rights to the user account OU but without testing, I couldn't say for sure what would or would not break. I don't think that's something I would even recommend given a similar situation. I mean, what would they need sidHistory for anyway? The trust is going to likely go away, so they would access??

Al
RE: [ActiveDir] Migration without domain admin rights possible?
You can migrate most objects from the source even without admin rights to them - the default auth. user already has plenty of permissions to read most attributes you would care to migrate.

You could still set up password migration without giving them domain admin privs to your source domain - you would install the PES server for them instead on one of your DCs (you'd need to exchange the PES key of course).

Migrating SID history on the other hand requires admin privs on the source domain = while you can delegate SIDhistory migration to the target, I've always complained that you can't delegate it on the source. Full control on the respective Users OU in your source domain is not enough. But if they do their part right (i.e. re-ACL all their resources in a two-step approach: 1st add new ACLs prior to "activating" the target accounts, 2nd remove old ACLs after all users use the new accounts), they don't really need SIDhistory and can spare themselves from having to clean it up later.

You'll still have the same challenges with apps as you always do and if you also use Exchange, then migrating their mailboxes is a totally different story.

Another special challenge in your scenario is group migration = depending on how your security model is set up, they may very likely need to migrate groups that don't "belong" to them, but that they need to have access to their resources (and allowing to re-ACL them). This doesn't mean that they need to migrate the members that don't belong to "their" unit, but they do need read permissions on most of your groups (which most users have by default anyways...).

/Guido
Re: [ActiveDir] GP for Remote users in Domain
To disable cached credentials, simply alter the appropriate GPOs so that every system in the environment has the Computer Configuration, Windows Settings, Local Policies, Security Options control "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" set to 0 logons (from the default of 10).

To force the workstation to consult a domain controller when unlocking, set the Computer Configuration, Windows Settings, Local Policies, Security Options control "Interactive logon: Require Domain Controller authentication to unlock workstation" to Enabled.

More info at http://searchwinit.techtarget.com/tip/0,289483,sid1_gci968000,00.html

Andrew Fidel

From: Krenceski, William
Sent: 07/27/2006 09:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP for Remote users in Domain

I have a scenario where we give a user a PC (on the domain) and set up a VPN connection to our RRAS server. My question is how do I require the user to connect using the VPN during logon? I would like to use a GP but can not find anything. I was thinking that maybe there is a policy that won't allow caching of the user's logon credentials so that if they don't use the VPN connection to logon then they will not be able to even get on the computer because there will be no server available to handle the logon.

Thanks in advance.

William Krenceski
Network Administrator
Olean General Hospital
Re: [ActiveDir] GP for Remote users in Domain
Hi William,

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Number of previous logons to cache. Setting that to 0 will turn off cached credentials.

Hope that helps,
John
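The two settings named in the replies above land in the registry as values under the Winlogon key, which is the easiest place to verify that a GPO actually reached a workstation. The script below is an added example, not code from the thread: it reads both values, applies the built-in defaults when a value is absent (10 cached logons, no DC required to unlock), reports whether the host matches the intended state, and can set the values directly for a machine that does not receive the GPO. The registry locations are the documented ones for these policies; the computer names in the usage comment are placeholders.

```powershell
# Added example (not from the thread): audit and set the two Winlogon values
# behind "Interactive logon: Number of previous logons to cache" and
# "Interactive logon: Require Domain Controller authentication to unlock workstation".
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
#     CachedLogonsCount  REG_SZ     default 10
#     ForceUnlockLogon   REG_DWORD  default 0
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    $props  = Get-ItemProperty -Path $WinlogonKey
    # A missing value means the OS default applies, not "zero".
    $cached = if ($null -ne $props.CachedLogonsCount) { [int]$props.CachedLogonsCount } else { 10 }
    $force  = if ($null -ne $props.ForceUnlockLogon)  { [int]$props.ForceUnlockLogon }  else { 0 }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $cached
        ForceUnlockLogon  = [bool]$force
        Compliant         = ($cached -eq 0 -and $force -eq 1)
    }
}

function Set-CachedLogonPolicy {
    # Writes the values directly. On a domain member the GPO re-applies its own
    # values at the next refresh, so the GPO is still the place to fix this long term.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value '0' -Type String
    Set-ItemProperty -Path $WinlogonKey -Name ForceUnlockLogon  -Value 1   -Type DWord
}

Get-CachedLogonPolicy
# Remote audit of several workstations (placeholder names):
# Invoke-Command -ComputerName WS01, WS02 -ScriptBlock ${function:Get-CachedLogonPolicy}
```

One caveat that the thread's approach depends on: with zero cached logons, a domain account cannot log on at all while no domain controller is reachable, so the VPN has to be up before Winlogon authenticates the user (on Windows XP/2000 that is the logon-screen "Log on using dial-up connection" option; later versions need a machine tunnel or always-on VPN). Local accounts are unaffected by the setting, which is why they should be kept to a minimum on these machines.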
Re: [ActiveDir] OT: HP disk array expansion
I'm not understanding why the OP doesn't just stick the new drives in, create the new RAID set from those, create the drives and restore from tape to the new RAID drives. As long as he does it on a Sunday, it shouldn't really take more than an hour to get the old drives out and the new ones in (and the RAID built), then he just needs to worry about restoring from tape to the new location.
[ActiveDir] R2 vs w2k3 SP1
Question 1: Server 1 is built with R2 CD1. CD2 is not used at all. Server 2 is built with R2 CD1 and r2setup is executed from R2 CD2 as well. Will these 2 servers be configured differently in any way, other than the additional hooks in 'add/remove programs'?

Question 2: If I have a build created with SP1 slipstreamed, does the statement 'slipstream R2 into the build' make any sense? I believe it does not make sense but others disagree :)

Thanks,
neil
RE: [ActiveDir] R2 vs w2k3 SP1
When the R2 binaries are installed on the server the only thing that happens is that the R2 options are INTEGRATED (not installed). The options still need to be installed additionally. So yes, the only difference is the list in Add/Remove Programs.

There is a small bug: there will be a difference in tombstone lifetime depending on which server is used to create the forest. This is a bug within R2 that introduces an incorrect (nothing dangerous) SCHEMA.INI.

If you use a SP1 server to create the forest the tombstone lifetime will be 180 days.
If you use a R2 server to create the forest the tombstone lifetime will be 60 days (not set), while 180 days is expected.

Don't understand your 2nd Q.

jorge
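Since the difference Jorge describes shows up as an absent attribute rather than a wrong value, a forest created from R2 media looks "unset" until someone reads the Directory Service object and applies the 60-day default by hand. The following is an added example, not code from the thread: it reads tombstoneLifetime over ADSI (no ActiveDirectory module needed, so it works against a 2003 forest), reports the effective value, and can set it to 180. Writing the attribute needs Enterprise Admin rights; the forest it runs against is whatever the machine's RootDSE points to.

```powershell
# Added example (not from the thread): report and set the forest tombstone lifetime.
# tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
# When the attribute is absent the forest uses the built-in default of 60 days.
function Get-DirectoryServiceObject {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    [ADSI]"LDAP://$dn"
}

function Get-TombstoneLifetime {
    $ds  = Get-DirectoryServiceObject
    $raw = $ds.Properties['tombstoneLifetime'].Value      # $null when not set
    [pscustomobject]@{
        DistinguishedName = $ds.distinguishedName.ToString()
        Configured        = $raw
        EffectiveDays     = if ($null -eq $raw) { 60 } else { [int]$raw }
    }
}

function Set-TombstoneLifetime {
    # Enterprise Admin rights required; the change replicates forest-wide.
    param([int]$Days = 180)
    $ds = Get-DirectoryServiceObject
    $ds.Put('tombstoneLifetime', $Days)
    $ds.SetInfo()
}

Get-TombstoneLifetime
# Set-TombstoneLifetime -Days 180
```

The value matters beyond the schema cosmetics: a system-state backup older than the tombstone lifetime cannot be used to restore a domain controller, and lingering-object detection is keyed off the same number, so the 60-day default from an R2-created forest gives a much shorter backup window than the 180 days an SP1-created forest gets.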
Re: [ActiveDir] Migration without domain admin rights possible?
Main point of migration is they don't want to lose their current workstation profile settings and network share permissions.

I have set up a test network, and without giving admin rights on source, I am able to migrate groups and users without sidHistory. I checked clonepr.vbs and stuff, but that also demands admin rights on source domain.

Without sidHistory, I am not sure, during transition, they will be able to access non-migrated server resources like file shares.

Yes, trust and sidHistory will not be there after migration.

-- Kamlesh
~"Never confuse movement with action."~
RE: [ActiveDir] Question on restricted group policy.
Laura, yes the restricted group GPO that I created.

From: Laura A. Robinson
Sent: Wednesday, July 26, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on "restricted group" policy.

If you delete what? The GPO?

Laura

From: John Strongosky
Sent: Wednesday, July 26, 2006 7:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on "restricted group" policy.

Hey,

Created a restricted group policy for my domain that adds some groups to the local administrators group of the workstations. My question is now management wants me to delete it. If I understand the way this works, if I delete it then it will delete the groups that were associated with this policy, thus leaving nobody in the local admin group. Am I correct...

v/r
john
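Whatever the policy engine does on removal, the thing John wants to know is whether any workstation ends up with an empty local Administrators group afterwards, and that is something to measure rather than reason about. The script below is an added example, not code from the thread: it records the local Administrators membership of a list of workstations through the WinNT ADSI provider (no modules required on either end, so it works against 2003-era clients), and a second run compares against that baseline and flags hosts whose group lost members or is now empty. Computer names and the baseline path are placeholders.

```powershell
# Added example (not from the thread): baseline and diff local Administrators
# membership before and after a Restricted Groups GPO is removed.
function Get-LocalAdministrators {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $group   = [ADSI]"WinNT://$c/Administrators,group"
            $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
                # Each member is a COM object; pull its ADsPath, e.g. WinNT://CORP/Domain Admins
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
            }
            foreach ($m in $members) { [pscustomobject]@{ ComputerName = $c; Member = $m } }
        }
        catch {
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
}

function Compare-LocalAdministrators {
    param([string[]]$ComputerName, [string]$BaselinePath)
    $baseline = Import-Csv -Path $BaselinePath
    $current  = Get-LocalAdministrators -ComputerName $ComputerName
    foreach ($c in $ComputerName) {
        $before = @($baseline | Where-Object { $_.ComputerName -eq $c } | Select-Object -ExpandProperty Member)
        $after  = @($current  | Where-Object { $_.ComputerName -eq $c } | Select-Object -ExpandProperty Member)
        [pscustomobject]@{
            ComputerName = $c
            Removed      = @($before | Where-Object { $after  -notcontains $_ }) -join ';'
            Added        = @($after  | Where-Object { $before -notcontains $_ }) -join ';'
            EmptyNow     = ($after.Count -eq 0)
        }
    }
}

# Before the GPO is removed (placeholder names and path):
# Get-LocalAdministrators -ComputerName WS01, WS02 | Export-Csv -Path C:\admins-baseline.csv -NoTypeInformation
# After the next policy refresh:
# Compare-LocalAdministrators -ComputerName WS01, WS02 -BaselinePath C:\admins-baseline.csv
```

A host that reports EmptyNow, or one where the built-in local Administrator account is the only member, is the case John is worried about and can be repaired from the same CSV.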
Re: [ActiveDir] Migration without domain admin rights possible?
Appreciate the quick response. I was able to migrate groups and users without sIDHistory to target. I also tried using clonepr.vbs; it also asks for admin rights on source. And reading further, it made it clear that you can't populate sIDHistory through legitimate APIs without having admin rights on source domain. So, now my hopes are based on security translation at each and every to-be-migrated resource. I will read up about the PES service, so that if possible passwords also can be migrated without admin rights.

In this case, no AD dependent app like Exchange comes into picture. :-) This is more of a completely independent unit with their own groups, users and computers contained within one OU. So group membership related stuff won't be problematic (at least it seems so on initial inspection).

Any way to make the 2nd approach you mentioned more systematic and less painless? subinacl? ADMT security translation wizard?

Thanks once again for your response,
-- Kamlesh
~Never confuse movement with action.~

On 7/27/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

You can migrate most objects from the source even without admin rights to them - the default auth. user already has plenty of permissions to read most attributes you would care to migrate. You could still set up password migration without giving them domain admin privs to your source domain - you would install the PES server for them instead on one of your DCs (you'd need to exchange the PES key of course).

Migrating SID history, on the other hand, requires admin privs on the source domain = while you can delegate SIDHistory migration to the target, I've always complained that you can't delegate it on the source. Full control on the respective Users OU in your source domain is not enough. But if they do their part right (i.e. re-ACL all their resources in a two-step approach: 1st add new ACLs prior to activating the target accounts, 2nd remove old ACLs after all users use the new accounts), they don't really need SIDHistory and can spare themselves from having to clean it up later.

You'll still have the same challenges with apps as you always do, and if you also use Exchange, then migrating their mailboxes is a totally different story. Another special challenge in your scenario is group migration = depending on how your security model is set up, they may very likely need to migrate groups that don't belong to them, but that they need to have access to their resources (and allowing to re-ACL them). This doesn't mean that they need to migrate the members that don't belong to their unit, but they do need read permissions on most of your groups (which most users have by default anyways...).

/Guido

From: [EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Thursday, July 27, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration without domain admin rights possible?
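The two-step re-ACL approach Guido describes (add ACEs for the new accounts before cutover, remove the old ones only after everyone is on the new accounts) is easy to get wrong in the other order. The following Python model is an added example, not ADMT code: it replays the Add, Replace and Remove modes of ADMT's security translation on a constructed in-memory ACL and SID map, so the effect of each step on a migrated user who has no sIDHistory can be checked. The SIDs, the group names and the "keep the old ACE if its translated twin is missing" safety check in Remove mode are the example's own assumptions, not ADMT behaviour.

```python
"""Model of ADMT-style security translation for the two-step re-ACL approach.

Added example, not ADMT code. translate() replays the three translation
modes ADMT's Security Translation Wizard offers (Add, Replace, Remove) on a
simplified allow-only ACL, and effective_rights() shows what a token with a
given set of SIDs gets from it. Migrated accounts here have no sIDHistory,
so only their target-domain SIDs are in the token."""
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Ace:
    sid: str     # trustee SID
    rights: str  # e.g. "Read", "Modify", "FullControl" (allow ACEs only)


Acl = List[Ace]

# Constructed sample data: source-domain SIDs map to their target-domain twins.
SID_MAP: Dict[str, str] = {
    "S-1-5-21-111-222-333-1105": "S-1-5-21-444-555-666-1201",  # user alice
    "S-1-5-21-111-222-333-1110": "S-1-5-21-444-555-666-1210",  # group proj-eng
}
SHARE_ACL: Acl = [
    Ace("S-1-5-21-111-222-333-512", "FullControl"),  # source Domain Admins: stays in source
    Ace("S-1-5-21-111-222-333-1110", "Modify"),      # source proj-eng
    Ace("S-1-5-21-111-222-333-1105", "Read"),        # source alice
]


def translate(acl: Acl, sid_map: Dict[str, str], mode: str) -> Tuple[Acl, List[str]]:
    """Apply one translation mode; return the new ACL and any warnings.

    add     - keep the source ACE and add its target-SID twin
    replace - swap the source SID for the target SID in place
    remove  - drop the source ACE, but (this example's safety check, not ADMT
              behaviour) only when the twin is already present, so running
              the steps out of order cannot cut off access nobody has yet
    """
    if mode not in ("add", "replace", "remove"):
        raise ValueError(f"unknown mode {mode!r}")
    present = set(acl)
    out: Acl = []
    warnings: List[str] = []
    for ace in acl:
        target_sid = sid_map.get(ace.sid)
        if target_sid is None:
            out.append(ace)  # not a migrated principal: untouched in every mode
            continue
        twin = replace(ace, sid=target_sid)
        if mode == "add":
            out.append(ace)
            if twin not in present:
                out.append(twin)
        elif mode == "replace":
            out.append(twin)
        elif twin in present:
            continue  # remove: the twin carries the access now, drop the old ACE
        else:
            warnings.append(f"kept {ace.sid}: no ACE for {target_sid} yet")
            out.append(ace)
    deduped: Acl = []
    for ace in out:  # collapse duplicates while keeping ACE order
        if ace not in deduped:
            deduped.append(ace)
    return deduped, warnings


def effective_rights(acl: Acl, token_sids: Set[str]) -> Set[str]:
    """Rights granted to a token by the allow ACEs whose trustee is in the token."""
    return {ace.rights for ace in acl if ace.sid in token_sids}


def two_step_migration():
    """Guido's order: Add before the target accounts go live, Remove afterwards."""
    alice_old = {"S-1-5-21-111-222-333-1105", "S-1-5-21-111-222-333-1110"}
    alice_new = {"S-1-5-21-444-555-666-1201", "S-1-5-21-444-555-666-1210"}
    step1, _ = translate(SHARE_ACL, SID_MAP, "add")
    during = (effective_rights(step1, alice_old), effective_rights(step1, alice_new))
    step2, warns = translate(step1, SID_MAP, "remove")
    after = (effective_rights(step2, alice_old), effective_rights(step2, alice_new))
    return during, after, step2, warns


if __name__ == "__main__":
    during, after, final_acl, warns = two_step_migration()
    print("while both accounts exist (old, new):", during)
    print("after old ACEs removed    (old, new):", after)
    print("final ACL:", [(a.sid, a.rights) for a in final_acl], "warnings:", warns)
    # Running Remove first is refused ACE by ACE and reported instead.
    _, early = translate(SHARE_ACL, SID_MAP, "remove")
    print("remove before add:", early)
```

During the overlap both the old and the new account see the same rights, which is what lets the cutover happen without sIDHistory; after the Remove step only the target SIDs remain on the resource, and the non-migrated source Domain Admins ACE is never touched. Running Remove before Add is reported rather than silently applied, so the ordering mistake shows up in the output instead of as a helpdesk call.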
RE: [ActiveDir] R2 vs w2k3 SP1
Title: R2 vs w2k3 SP1

When the R2 binaries are installed on the server the only thing that happens is that the R2 options are INTEGRATED (not installed). The options still need to be installed additionally. So yes, the only difference is the list in Add/Remove Programs.

[Neil Ruston] Is that documented as being the only change? I can see new login bitmaps etc. which indicate (IMO) that certain files on CD1 differ from the original w2k3 files.

There is a small bug. There will be a difference in tombstone lifetime depending on which server is used to create the forest. This is a bug within R2 that introduces an incorrect (nothing dangerous) SCHEMA.INI. If you use a SP1 server to create the forest the tombstone lifetime will be 180 days. If you use a R2 server to create the forest the tombstone lifetime will be 60 days (not set), while 180 days is expected.

[Neil Ruston] Yep, discussed this internally already :)

Don't understand your 2nd Q.

[Neil Ruston] Let's say I have a build source share which houses the server build and has sp1 slipstreamed into w2k3. I now wish to build r2 servers only and so I'm asked to slipstream r2 into that build repository. Is this even a meaningful statement? I ask because of the above and the fact that I believe an r2 server may appear differently to a w2k3 sp1 server even if CD2 is *not* applied.

jorge

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 27, 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 vs w2k3 SP1

Question 1: Server 1 is built with R2 CD1. CD2 is not used at all. Server 2 is built with R2 CD1 and r2setup is executed from R2 CD2 as well. Will these 2 servers be configured differently in any way, other than the additional hooks in 'add/remove programs'?

Question 2: If I have a build created with sp1 slipstreamed, does the statement 'slipstream R2 into the build' make any sense? I believe it does not make sense but others disagree :)

Thanks, neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
[ActiveDir] Adding the first Win2003 R2 DC
I have 4 DCs that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd like to add a new DC that is Win2003 R2. Is there anything special I need to do (i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1 DC?

Thanks,
Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] OT: HP disk array expansion
Well for starters:

1. When you lay down a Ghost image on the new drive array, Ghost will handle the drive expansion for you; you won't have to run diskpart to expand the disk.
2. You can retain the disks you removed; if there's any problem you can go back to it with little headache.
3. You don't have to install an OS on the disks to restore the backups to.
4. You don't have to trust that your backup tape will really work.
5. It takes less time to pull a Ghost image than it does to pull a backup.
6. It takes less time to lay down a Ghost image than it does to lay down a backup.

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Thursday, July 27, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: HP disk array expansion

I'm not understanding why the OP doesn't just stick the new drives in, create the new RAID set from those, create the drives and restore from tape to the new RAID drives. As long as he does it on a Sunday, it shouldn't really take more than an hour to get the old drives out and the new ones in (and the RAID built), then he just needs to worry about restoring from tape to the new location.

On 7/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

From: [EMAIL PROTECTED] On Behalf Of Ed Buford
Sent: 27 July 2006 00:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

From: [EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, July 26, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

From: Blair, James [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

James,

Have been in a similar situation on numerous occasions with HP ML350 G3/G4's. In our case we installed a firewire card and a Lacie drive or utilised the native USB to portable HD and Acronis True Image. We imaged the disks and then pulled them out and put the new ones in and imaged it back, works nicely. This solution even worked for an Exchange server and if it all fails you can simply put the old disks back in and be back where you started.

James

From: [EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, 27 July 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: HP disk array expansion

Hi,

I have a HP ML370 Proliant Server. It currently has 4 x 36GB in a RAID 5 set. I want to upgrade the disk capacity of this server. I have bought 4 x 300GB disks as replacements. At present I have 4 x 36GB disks in the server. I was told I could replace one disk in the RAID with a 300GB, let the RAID rebuild and do the next disk. Repeat until all of the disks are 300GB and then I can look in the ACU and create a second logical drive that sees all that new space. Can this be done? Anyone know how long it would take to rebuild? Currently there is 90GB used in the current volume.

My other alternative is to buy a Tape Drive, backup, break array, create new array and then restore, but this department don't want any downtime. Anyway, shed some light as to which is the best method to take?

thanks
James
RE: [ActiveDir] Adding the first Win2003 R2 DC
You will have to expand your schema: http://technet2.microsoft.com/WindowsServer/en/library/509ada1a-9fdc-45c1-8739-20085b20797b1033.mspx?mfr=true

From: [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding the first Win2003 R2 DC
RE: [ActiveDir] Adding the first Win2003 R2 DC
run ADPREP /FORESTPREP from the SECOND R2 CD!

From: [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 17:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding the first Win2003 R2 DC
Re: [ActiveDir] Adding the first Win2003 R2 DC
On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Yes, run adprep from CD 2: http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true

...D
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Adding the first Win2003 R2 DC
make sure you run adprep /forestprep and /domainprep from the second r2 (windows 2003) disc. it's located in i386\cmpnts\r2\adprep

http://blogs.dirteam.com/blogs/jorge/archive/2006/05/06/930.aspx

follow jorge's blog entry on how to identify if R2 has updated the schema version.

On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

-- HBooGz:\
RE: [ActiveDir] Adding the first Win2003 R2 DC
There is an adprep folder on the R2 cd. Run it just like you would for 2000 to 2003 upgrade.

From: [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding the first Win2003 R2 DC
Re: [ActiveDir] Adding the first Win2003 R2 DC
You need to run forestprep from the R2 CD on your schema master. Paul has a nice summary here: http://www.msresource.net/content/view/60/47/ and more from Microsoft: http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true

Thanks
Mike

On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
RE: [ActiveDir] R2 vs w2k3 SP1
Title: R2 vs w2k3 SP1

(1) I remember seeing it somewhere (while writing this, I remembered the location, which can be found in the link below! ;-)) ). INTEGRATING R2 onto a server does impact that server. It just adds options to the Add/Remove Programs list. Installing one of the new options should not impact the server or other components within the infrastructure. Just like before, you would be adding a new option to the server (e.g. adding the DHCP server role to it). However, SOME of the R2 options REQUIRE a schema change (DFS-R, UnixIDm, distributing printer connections through GPOs) and SOME of the R2 options REQUIRE the new .NET Framework v2. For those two I say: test, test and test. As always, implementing new technology requires testing, but just introducing an option, that option should not have that great of an impact.

(2) ok, done

(3) Now I understand... If you just want to build R2 servers from a network source by using the current source, a change is needed. Remember... CD1 from the R2 distribution set is W2K3 with SP1 slipstreamed, BUT that media will also trigger the INTEGRATION of CD2 from the R2 distribution set. The NORMAL W2K3 with SP1 slipstreamed will not trigger that integration and that must therefore be triggered manually. From the R2 documentation, placing the I386 dir (CD1) and the CMPNENTS dir (CD2) on the same network share should give you the possibility to install servers with the R2 binaries integrated (don't forget to use the R2 product key during the setup, otherwise during the integration you will need to enter the R2 key as well!!!). After that you still need to install the options manually, or during install you need to specify what to install by using an answer file.

For additional info also see: http://download.microsoft.com/download/4/e/d/4eda5dc2-2842-468e-834e-3756e4221cdb/Windows%20Server%202003%20R2%20Overview%20Guide.doc

jorge

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 27, 2006 17:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 vs w2k3 SP1

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 27, 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 vs w2k3 SP1
RE: [ActiveDir] Question on restricted group policy.
Is there a way to set a restricted group membership, yet allow for additional members to not be removed when the group policy is refreshed? We have a number of engineers that we grant local administrator privileges on a case by case basis, and the initial reason I dismissed the use of Restricted Groups was due to the fact that it prevented the ability to add any additional admins, so I went back to a "net localgroup" script to accomplish what I was looking for. I'm just looking for a way to have the GPO look at the restricted group and make sure that the groups/users I specify are a part of the restricted group, and not worry about anything in addition that might be there.

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 26, 2006 9:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Question on "restricted group" policy.

From my experience, Restricted Groups settings simply state what the computer (or domain controller if you stick the setting in your DCs' GPO) will make sure what the group memberships are going to be when it checks the GPO. If you set the "Administrators" group to be "Domain Admins; groupa; groupb" then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (or domain group for a DC) contains "Domain Admins; groupa; groupb; builtin\Administrator".

Just so you know, like with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added, or adding whatever was removed. This may be 2 minutes later or 2 hours later. This is the same if you set a service to disabled: an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service it will remain started until the computer is restarted or someone manually stops it).

If you remove the GPO setting, then it simply won't check the group memberships for those groups any more. Or at least that's my interpretation. Kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it; it won't change the current settings, though you can now manually change them and they won't be reverted.

I guess I think of a GPO being a "Go make sure that everything is like this and if it isn't, make it like this" kind of thing and that's the way I always see it actually get applied. If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated that they would be.

On 7/26/06, Derek Harris [EMAIL PROTECTED] wrote:

Yes -- I've done that, and that's how it worked for me.

From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on "restricted group" policy.

This somewhat depends upon which side of Restricted Groups you're using (i.e. "Members of this Group" or "This group is a member of"). If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy).

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on "restricted group" policy.
RE: [ActiveDir] cn=meetings
MS NetMeeting uses the Meetings container to publish network meeting objects.

From: [EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Thursday, July 27, 2006 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] cn=meetings
RE: [ActiveDir] OT: Query Based Distribution Groups
[unlurk]

Hi Justin,

Right-click on the Distribution Group that you'd like the QBDG to be a member of and select "Add Exchange Query-based Distribution Groups".

HTH,
Katherine

[/unlurk]

From: [EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: 26 July 2006 16:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Query Based Distribution Groups

What are the rules for nesting QDGs? Most of the MS documentation we see says that you can nest QDGs in other Universal Distribution Groups, but when we try to add a QDG to a Universal DG, we are unable to find the QDG. We're running Exchange 2003 Native Mode and 2003 FFL for AD. Our Exchange admins have the Exchange 2003 ADUC console installed. What are we missing?

Thanks,
Justin

ITS ENTERPRISE SERVICES EMAIL NOTICE: The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
RE: [ActiveDir] Question on restricted group policy.
I have a few correcting comments on this (see below). Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt HargravesSent: Wednesday, July 26, 2006 9:39 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Question on "restricted group" policy. From my experience, Restricted Groups settings simply state what the computer (or domain controller if you stick the setting in your DCs GPO) will make sure what the group memberships are going to be when it checks the GPO. If you set the "Administrators" group to be "Domain Admins; groupa; groupb" then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (Or domain group for a DC) contains "Domain Admins; groupa; groupb; builtin\Administrator". [Darren] In general I think its a bad idea to use restricted groups to control AD group membership.If you think about how GP is applied, you can see why. Each DC, whichhas the ability to originate AD changes, is going to processthat GP. So, each DC is going to write the new group membership, which is the exact same membership that the last DC wrote, when it processes GP. At the very least this will cause excess replication traffic every time GP is processed, as each DC thinks its changes are newer than its partner's. Just so you know, like with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added, or adding whatever was removed. This may be 2 minutes later or 2 hours later. This is the same if you set a service to disabled an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service it will remain started until the computer is restarted or someone manually stops it). [Darren] This is not entirely accurate. 
GP is only processed if a) thereis a changethat has occurredin one of the GPOs that the user orcomputer is processing b) the security group membership of the user or computer has changed c) the list of GPOs that apply to the computer or user has changed d) for security policy, it will re-process every 16 hours regardless of whether any of the above has occurred. So, in general, if an administrator "undoes" a policy it will not necessarily get corrected in a timely manner.If you remove the GPO setting, then it simply won't check the group memberships for those groups any more. Or at least that's my interpretation. Kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it; it won't change the current settings, though you can now manually change them and they won't be reverted. [Darren] Not entirely correct. Some policy (e.g. Admin. Templates) do get automatically removed when thecomputer or user is no longer in the scope of policy. Someother policy (e.g. security policy) does not. Still others (e.g. Software Installation, Folder REdirection) let you decide what happens when the policy is no longer in scope. I guess I think of a GPO being a "Go make sure that everything is like this and if it isn't, make it like this" kind of thing and that's the way I always see it actually get applied. If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated that they would be. On 7/26/06, Derek Harris [EMAIL PROTECTED] wrote: Yes -- I've done that, and that's how it worked for me. From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] ] Sent: Wednesday, July 26, 2006 5:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on "restricted group" policy. This somewhat depends upon which side of Restricted Groups you're using (i.e. "Members of this Group" or "This group is a member of"). 
If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy). Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
[ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure... thx, RM
RE: [ActiveDir] Question on restricted group policy.
What you've described can be done with the "This group is a member of" portion of restricted groups. This allows you to put a particular group into another group without caring what other memberships are contained in that group. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, July 27, 2006 8:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on "restricted group" policy. Is there a way to set a restricted group membership, yet allow for additional members to not be removed when the group policy is refreshed? We have a number of engineers that we grant local administrator privileges on a case by case basis, and the initial reason I dismissed the use of Restricted Groups was due to the fact that it prevented the ability to add any additional admins so I went back to a Net localgroup script to accomplish what I was looking for. I'm just looking for a way to have the GPO look at the restricted group and make sure that the groups/users I specify are a part of the restricted group, and not worry about anything in addition that might be there. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Wednesday, July 26, 2006 9:39 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Question on "restricted group" policy. From my experience, Restricted Groups settings simply state what the computer (or domain controller if you stick the setting in your DCs GPO) will make sure the group memberships are going to be when it checks the GPO. If you set the "Administrators" group to be "Domain Admins; groupa; groupb" then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (or domain group for a DC) contains "Domain Admins; groupa; groupb; builtin\Administrator". 
Just so you know, like with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added, or adding whatever was removed. This may be 2 minutes later or 2 hours later. This is the same if you set a service to disabled: an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service it will remain started until the computer is restarted or someone manually stops it). If you remove the GPO setting, then it simply won't check the group memberships for those groups any more. Or at least that's my interpretation. Kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it; it won't change the current settings, though you can now manually change them and they won't be reverted. I guess I think of a GPO being a "Go make sure that everything is like this and if it isn't, make it like this" kind of thing and that's the way I always see it actually get applied. If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated that they would be. On 7/26/06, Derek Harris [EMAIL PROTECTED] wrote: Yes -- I've done that, and that's how it worked for me. From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] ] Sent: Wednesday, July 26, 2006 5:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on "restricted group" policy. This somewhat depends upon which side of Restricted Groups you're using (i.e. "Members of this Group" or "This group is a member of"). 
If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy). Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky Sent: Wednesday, July 26, 2006 4:08 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question on "restricted group" policy. Hey, Created a restricted group policy for my domain that adds some groups to the local administrators group of the workstations. My question is now management
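The difference between the two Restricted Groups modes that Darren and Matt describe (the list replaces the membership, or the listed groups are merely added), shown as an added PowerShell example that is not part of the thread. The account names, the workstation name WKS01 and the `-LocalAdminAccount` parameter are constructed placeholders; the comparison function itself needs no domain, the optional `Get-LocalAdministratorsMembers` helper reads a real workstation through the WinNT ADSI provider.

```powershell
# Added example (not from the thread). Given the accounts a Restricted Groups entry
# names and the accounts currently in a group, report what the next security-policy
# refresh would change in each of the two modes discussed:
#   Members  = "Members of this group": membership is replaced by the list, except
#              that the local Administrator account is always kept.
#   MemberOf = "This group is a member of": the listed accounts are only added and
#              anything else already in the group (ad-hoc local admins) is left alone.
function Compare-RestrictedGroup {
    param(
        [Parameter(Mandatory)][string[]]$PolicyMembers,     # accounts named in the GPO
        [Parameter(Mandatory)][string[]]$CurrentMembers,    # accounts in the group today
        [ValidateSet('Members', 'MemberOf')][string]$Mode = 'Members',
        [string]$LocalAdminAccount = 'WKS01\Administrator'  # assumed name of the built-in account
    )
    $wanted  = @($PolicyMembers  | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $current = @($CurrentMembers | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $keep    = $LocalAdminAccount.ToLowerInvariant()

    # Both modes make sure the listed accounts are present.
    $toAdd    = @($wanted | Where-Object { $current -notcontains $_ })
    $toRemove = @()
    if ($Mode -eq 'Members') {
        # Only "Members of this group" strips what is not on the list; the built-in
        # Administrator account is never removed.
        $toRemove = @($current | Where-Object { $wanted -notcontains $_ -and $_ -ne $keep })
    }
    [pscustomobject]@{ Mode = $Mode; ToAdd = $toAdd; ToRemove = $toRemove }
}

# Reads the live local Administrators group through the WinNT ADSI provider so the
# comparison can be run against a real workstation (Windows only).
function Get-LocalAdministratorsMembers {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/Name -> DOMAIN\Name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Constructed sample: the GPO's list versus a workstation where an engineer was also
# added by hand with "net localgroup". All names are placeholders.
$policy  = 'CONTOSO\Domain Admins', 'CONTOSO\groupa', 'CONTOSO\groupb'
$current = 'WKS01\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\groupa', 'WKS01\jsmith'

Compare-RestrictedGroup -PolicyMembers $policy -CurrentMembers $current -Mode Members
Compare-RestrictedGroup -PolicyMembers $policy -CurrentMembers $current -Mode MemberOf
```

In Members mode the sample reports groupb to add and jsmith to remove; in MemberOf mode only the addition is reported, which is the behaviour Ben is asking for.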
RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
How many domains, how many users, is it 650 meg on a GC or non-GC? Is this 650meg after an offline defrag? If not, when was the last time it was defragged? I am not sure it is answerable even with that info, but it certainly doesn't seem answerable without. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RM Sent: Thursday, July 27, 2006 11:46 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become? NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure... thx, RM
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Anything from about 700 up. You can actually find the numbers to figure out how much larger you can expect it to get based on the fields you use. If you don't use any, or don't have any addresses, etc, then it's a very small bump. If you do have a lot of Exchange data that you intend to populate, lots of PF's that are mail-enabled, lots of mail enabled groups, distribution groups, etc., then it could be larger. Generally speaking, if your DIT drive is low on space, I think you should consider newer drives that come in increments of at least 36GB (if you can find them these days). If it's the backups you're concerned about, then again, even a double of that size should not make or break you. You should have a little more than 600 MB buffer for a backup or a disk drive on a DC IMHO. Al On 7/27/06, RM [EMAIL PROTECTED] wrote: NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure... thx, RM
RE: [ActiveDir] OT: Query Based Distribution Groups
Wow Katherine, thanks! I can't believe we missed such an obvious context menu! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katherine Coombs Sent: Thursday, July 27, 2006 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Query Based Distribution Groups [unlurk] Hi Justin, Right-click on the Distribution Group that you'd like the QBDG to be a member of and select Add Exchange Query-based Distribution Groups. HTH, Katherine [/unlurk] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS) Sent: 26 July 2006 16:56 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Query Based Distribution Groups What are the rules for nesting QDGs? Most of the MS documentation we see says that you can nest QDGs in other Universal Distribution Groups, but when we try to add a QDG to a Universal DG, we are unable to find the QDG. We're running Exchange 2003 Native Mode and 2003 FFL for AD. Our Exchange admins have the Exchange 2003 ADUC console installed. What are we missing? Thanks, Justin ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
RE: [ActiveDir] Adding the first Win2003 R2 DC
Thanks to all for the responses. Bryan Lucas Server Administrator Texas Christian University From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline Sent: Thursday, July 27, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Adding the first Win2003 R2 DC You need to run forestprep from the R2 CD on your schema master. Paul has a nice summary here: http://www.msresource.net/content/view/60/47/ and more from Microsoft http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true Thanks Mike On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote: I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd like to add a new DC that is Win2003 R2. Is there anything special I need to do ( i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1 DC? Thanks, Bryan Lucas Server Administrator Texas Christian University
RE: [ActiveDir] ldp in ADAM-SP1
Guido, which changes do you want to see in dsacls in B3? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, July 25, 2006 6:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ldp in ADAM-SP1 well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you should need to do. You've already tripped over some of its limitations especially around handling the confidential bit - however, I have not seen many customers that actually leverage the confidential bit yet for anything else but OS features (for example for PKI credential roaming). It would be nice to leverage it for many more lockdown scenarios, but you can't use it for the base schema attributes (category 1), which includes almost all of the interesting attributes you may want to restrict access to. Of course you can use it for your own schema extensions. For file-system ACLing that tool is CACLS or XCACLS - probably for 99% of what you need to do. Note for the FS you may also want to check out the betas of either Windows Longhorn or the current Windows 2003 SP2 = they include a new commandline ACLing tool called Icacls.exe, which can be used to reset the access control lists (ACL) on files from Recovery Console, and to back up ACLs. It can also handle replacement of ACLs (much like subinacl) and works well with either names or SIDs. At last, unlike Cacls.exe, Icacls.exe preserves canonical ordering of ACEs and thus correctly propagates changes to and creation of inherited ACLs. DSACLs has only been updated slightly in LH, but I hope to see some more changes prior to beta 3. At last, depending on your requirements, you may also need to look into changing the default security descriptor of some of the objects (for example, check out all the default write permissions, which every user is granted on its own object via the SELF security principal; many companies are still unaware of this). 
You can check these rights most easily via the schema mgmt MMC (check properties of a class object, such as user, and click on the Default Security tab). So it's fair to say that although handling ACLs remains a complex topic, you can get most of the things done with existing commandline tools from MSFT. Sometimes it will simply be more appropriate to use the UI for a few settings. And there is always the option to script setting ACLs if you really have special requirements. As for your delegation model = I would not have the goal to teach your delegated admins how to do ACLing inside AD. I'm fine with a delegated admin doing the security on a file-server that he completely manages on his own. But AD security should be kept in the hands of domain and enterprise admins (partly because it is rather complex and you only want few folks to fiddle around with it, partly because it is plain risky to do it otherwise). The critical piece for most delegation models to succeed is to build a centrally controlled OU structure (ideally standardized for your different "delegated admin units", as I like to call them) and not to grant your data admins (= the delegated admins) any rights to create OUs themselves (otherwise - with the current ACLing model - you can't prevent them from configuring the security of the OU). Basically the same is true for any objects they create, but it's the OUs that allow you to manage the security for multiple child objects at once (and thus these need to be controlled centrally). Many more things to share in this respect, but no delegation model is the same as any other so you're best to understand and plan it from the ground up. There may be similarities between many models, but for the various infrastructures I've planned, every customer has had their special requirements. 
/Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe Sent: Tuesday, July 25, 2006 9:34 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ldp in ADAM-SP1 Wow, Thank you so much for the detailed info guys. Basically my goal is quite simple. At least it is in my head. What I want to do, is to go through the entire case study given in the AD delegation whitepaper, and do all of that permissions configuration entirely at command line (where possible). I am willing to use the delegation wizard to some extent, but as I am configuring quite a lot of permissions for an AD design I am involved in, I would rather avoid having to use GUI tools for this. You see, I am going to end up as being a very privileged service administrator and data administrator once my proposed AD design model is in place. I expect I will be making some endeavour to train sufficiently capable people in doing this. But I don't plan to spoon feed. I want the guys to know ACL'ing to a decent level and if not, do their research. At least on an ad-hoc basis. Then once they understand what's involved, they can go ahead and add/modify/delete
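Guido's point about the write permissions every user gets on its own object through the SELF principal can be checked from the command line rather than the schema MMC: the added PowerShell example below (not from the thread) parses an SDDL security descriptor and lists the ACEs granted to SELF, and optionally reads the live defaultSecurityDescriptor of a schema class. The sample SDDL is a constructed, trimmed-down user-class default, and the property-set GUID names are recalled from memory and should be verified against the rightsGuid values in the forest's CN=Extended-Rights container.

```powershell
# Added example (not from the thread). Lists the ACEs whose trustee is SELF (SDDL
# abbreviation PS) in a descriptor, i.e. what a user may do to its own object.
# GUID-to-name mapping below is from memory; verify against CN=Extended-Rights.
$PropertySetNames = @{
    '77b5b886-944a-11d1-aebd-0000f80367c1' = 'Personal-Information'
    'e45795b2-9455-11d1-aebd-0000f80367c1' = 'Phone-and-Mail-Options'
    'e45795b3-9455-11d1-aebd-0000f80367c1' = 'Web-Information'
}
$RightNames = @{ RP='ReadProperty'; WP='WriteProperty'; CR='ControlAccess'; CC='CreateChild'
                 DC='DeleteChild'; LC='ListChildren'; SW='ValidatedWrite'; LO='ListObject'
                 DT='DeleteTree'; RC='ReadControl'; WD='WriteDacl'; WO='WriteOwner'; SD='Delete' }
$AceTypes   = @{ A='Allow'; OA='Allow'; D='Deny'; OD='Deny' }

function Get-SelfAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $d = $Sddl.IndexOf('D:')
    if ($d -lt 0) { return @() }
    $dacl = $Sddl.Substring($d + 2)
    # A SACL ("S:") may follow the DACL; cut at an "S:" that sits outside any ACE.
    $sacl = [regex]::Match($dacl, '(?<=^|\))S:')
    if ($sacl.Success) { $dacl = $dacl.Substring(0, $sacl.Index) }

    foreach ($ace in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE string fields: type;flags;rights;objectGuid;inheritObjectGuid;trustee
        $f = $ace.Groups[1].Value.Split(';')
        if ($f.Count -lt 6 -or $f[5] -ne 'PS') { continue }

        # Rights are either a hex mask or a run of two-letter codes.
        $rights = @()
        if ($f[2] -like '0x*') { $rights = @($f[2]) }
        else {
            for ($i = 0; $i -lt $f[2].Length; $i += 2) {
                $code = $f[2].Substring($i, 2)
                if ($RightNames.ContainsKey($code)) { $rights += $RightNames[$code] } else { $rights += $code }
            }
        }
        $guid = $f[3].ToLowerInvariant()
        $object = '(whole object)'
        if ($guid -ne '') {
            if ($PropertySetNames.ContainsKey($guid)) { $object = $PropertySetNames[$guid] } else { $object = $guid }
        }
        $type = $f[0]
        if ($AceTypes.ContainsKey($type)) { $type = $AceTypes[$type] }
        [pscustomobject]@{ Type = $type; Rights = ($rights -join ','); Object = $object; Flags = $f[1] }
    }
}

# Live read of a schema class default (host joined to the forest; the schema is
# readable by any authenticated user).
function Get-ClassDefaultSddl {
    param([string]$ClassCn = 'User')
    $schemaNc = ([ADSI]'LDAP://RootDSE').Get('schemaNamingContext')
    ([ADSI]"LDAP://CN=$ClassCn,$schemaNc").Get('defaultSecurityDescriptor')
}

# Constructed sample: a trimmed-down user-class default with three SELF grants.
$sampleSddl = 'D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)' +
              '(A;;RPRC;;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)' +
              '(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)' +
              '(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)'
Get-SelfAce -Sddl $sampleSddl | Format-Table -AutoSize
```

To audit the real default, pipe `Get-ClassDefaultSddl -ClassCn User` into `Get-SelfAce`; the live output will contain more entries than the constructed sample.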
[ActiveDir] Firewall block Group Policy
Hi, When users are on the VPN network, they cannot apply Group Policy since there is a firewall between the VPN network and the internal network. Now, I need to find out how many ports are required to allow clients to successfully apply group policy. Based on KB832017, "To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols." Here is the port information:
Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65534
ICMP (ping)            ICMP        20
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65534
It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendation for this issue? Thanks in advance! Andy
RE: [ActiveDir] Firewall block Group Policy
Check out this article for restricting the range of dynamic ports used by RPC/DCOM. http://msdn.microsoft.com/library/default.asp?url= Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang Sent: Thursday, July 27, 2006 12:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Firewall block Group Policy Hi, When users are on the VPN network, they cannot apply Group Policy since there is a firewall between the VPN network and the internal network. Now, I need to find out how many ports are required to allow clients to successfully apply group policy. Based on KB832017, "To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols." Here is the port information:
Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65534
ICMP (ping)            ICMP        20
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65534
It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendation for this issue? Thanks in advance! Andy
[ActiveDir] Query on Security Groups
Hi, I have two queries: 1. What is the difference between the Users Container and Builtin Container off the root of AD. What do the different groups do? 2. What is the difference between the Administrators group and the Domain Admins group. Which has higher permissions within the forest? thanks Frank Do you Yahoo!? Get on board. You're invited to try the new Yahoo! Mail Beta.
Re: [ActiveDir] Firewall block Group Policy
The article below works well. I push the registry to my machines via GPO. My ports used are 5001-5051. -Z.V. Darren Mar-Elia wrote: Check out this article for restricting the range of dynamic ports used by RPC/DCOM. http://msdn.microsoft.com/library/default.asp?url= Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang Sent: Thursday, July 27, 2006 12:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Firewall block Group Policy Hi, When users are on the VPN network, they cannot apply Group Policy since there is a firewall between the VPN network and the internal network. Now, I need to find out how many ports are required to allow clients to successfully apply group policy. Based on KB832017, "To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols." Here is the port information:
Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65534
ICMP (ping)            ICMP        20
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65534
It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendation for this issue? Thanks in advance! Andy
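The registry change Darren's article describes and Z.V. pushes by GPO, as an added PowerShell example that is not from the thread. The key path and the three value names (`Ports`, `PortsInternetAvailable`, `UseInternetPorts` under `HKLM\SOFTWARE\Microsoft\Rpc\Internet`) are Microsoft's documented RPC settings; the range is a parameter (Z.V.'s 5001-5051 is used in the call), the `-Apply` switch and the allow-list helper are this example's own, and the machine must be rebooted before the new range takes effect.

```powershell
# Added example (not from the thread). Confines RPC/DCOM dynamic endpoints to a
# fixed range so the VPN firewall only needs that range plus the static ports in
# Andy's table. Reboot required after applying; run it on the hosts the clients
# contact (the DCs), not on the clients.
function Set-RpcDynamicPortRange {
    param(
        [Parameter(Mandatory)][int]$Start,
        [Parameter(Mandatory)][int]$End,
        [switch]$Apply   # without -Apply the function only returns what it would write
    )
    if ($Start -lt 1025 -or $End -gt 65535 -or $End -le $Start) {
        throw "Range must satisfy 1025 <= Start < End <= 65535"
    }
    $width = $End - $Start + 1
    if ($width -lt 100) {
        Write-Warning "Only $width ports: a range of at least 100 is commonly advised so services do not run out of endpoints."
    }
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    $settings = [ordered]@{
        Ports                  = @("$Start-$End")  # REG_MULTI_SZ, one range (or single port) per string
        PortsInternetAvailable = 'Y'               # REG_SZ: 'Ports' lists usable ports, not excluded ones
        UseInternetPorts       = 'Y'               # REG_SZ: hand out dynamic endpoints from 'Ports'
    }
    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Ports -Value $settings.Ports -PropertyType MultiString -Force | Out-Null
        New-ItemProperty -Path $key -Name PortsInternetAvailable -Value 'Y' -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $key -Name UseInternetPorts -Value 'Y' -PropertyType String -Force | Out-Null
    }
    $settings
}

# Reads back what a host currently has, so GPO-pushed settings can be verified.
function Get-RpcDynamicPortRange {
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

# The client-to-DC allow-list that results: the static ports from the KB832017
# list quoted in the thread plus the confined dynamic range.
function Get-GroupPolicyAllowList {
    param([Parameter(Mandatory)][int]$Start, [Parameter(Mandatory)][int]$End)
    @(
        [pscustomobject]@{ Protocol='ICMP'; Port='echo';        Purpose='ping (KB832017)' }
        [pscustomobject]@{ Protocol='TCP';  Port='135';         Purpose='RPC endpoint mapper' }
        [pscustomobject]@{ Protocol='TCP';  Port='389';         Purpose='LDAP' }
        [pscustomobject]@{ Protocol='TCP';  Port='445';         Purpose='SMB (SYSVOL)' }
        [pscustomobject]@{ Protocol='TCP';  Port="$Start-$End"; Purpose='RPC/DCOM dynamic endpoints, confined by the registry setting' }
    )
}

Set-RpcDynamicPortRange -Start 5001 -End 5051     # dry run; add -Apply on the DC to write it
Get-GroupPolicyAllowList -Start 5001 -End 5051 | Format-Table -AutoSize
```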
Re: [ActiveDir] Query on Security Groups
Interesting. CN=Users = default container for users. CN=Builtin = default container for builtin objects such as administrators. IIRC. Domain Admins vs. Administrators? It's a toss up because either can become the other. By default however, domain admins has rights to more objects because by default the domain admins has the ability to edit GPO and is added to the member wkstns and server administrators group on joining the domain. What makes you ask? On 7/27/06, Frank Abagnale [EMAIL PROTECTED] wrote: Hi, I have two queries: 1. What is the difference between the Users Container and Builtin Container off the root of AD. What do the different groups do? 2. What is the difference between the Administrators group and the Domain Admins group. Which has higher permissions within the forest? thanks Frank
Re: [ActiveDir] Query on Security Groups
I was just curious what the different security groups were in each container, wondered if the users container was the default for users, why have various security groups in there as well. Why not have them all residing in the one container. Thanks for responding Al Mulnick [EMAIL PROTECTED] wrote: Interesting. CN=Users = default container for users. CN=Builtin = default container for builtin objects such as administrators. IIRC. Domain Admins vs. Administrators? It's a toss up because either can become the other. By default however, domain admins has rights to more objects because by default the domain admins has the ability to edit GPO and is added to the member wkstns and server administrators group on joining the domain. What makes you ask? On 7/27/06, Frank Abagnale [EMAIL PROTECTED] wrote: Hi, I have two queries: 1. What is the difference between the Users Container and Builtin Container off the root of AD. What do the different groups do? 2. What is the difference between the Administrators group and the Domain Admins group. Which has higher permissions within the forest? thanks Frank