RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-04 Thread neil.ruston
I'd prefer to grant the service the rights it *needs* rather than carte
blanche Domain Admins rights. However, as new GPOs are created, only the
default (Schema defined?) ACLs are applied, which includes DAs but will
*not* include my service account.
 
Back to the drawing board...
 
neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: 04 December 2006 04:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Granting rights to 'Manage GPOs'


You might want to set the account to have non-interactive rights, since
I'm assuming that it runs a service that actually handles all the
changes - then grant it membership within the Domain Admins group - that
would fix the issue once and for all, unless you've changed Domain
Admins to not have the ability to edit GPOs, though it's automatically
granted every time a new GPO is created, regardless of what permissions
were before. 




On 11/25/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: 

Neil-

Assuming the setgpocreationpermissions script didn't fail in
some way, I think the next step would be to check the perms on the
various objects that should get this right. Namely, the service account
you're granting access to should have the  Create GroupPolicyContainer
right over the cn=policies,cn=system container in AD and, similarly on
the SYSVOL Policies folder, it should have Change rights over that
container.

 

Darren

 

 

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out www.gpoguy.com
(http://www.gpoguy.com/) -- the best source for GPO FAQs, video training, tools
and whitepapers. Also check out the Windows Group Policy Guide
(http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155),
the definitive resource for Group Policy information.

Group Policy Management solutions at SDM Software (http://www.sdmsoftware.com/)

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

 

I am attempting to assign rights to a service account [sys-zzz],
used by a Group Policy Management tool (3rd party) so that the service
account has the necessary rights to 'manage' all GPOs in the domain.

Aside from app specific rights, I have assigned the following
rights using GPMC scripts [scripts shown below]: 

1. Create/edit GPO links at the root of the domain and all child containers
cscript %programfiles%\gpmc\scripts\SetSOMPermissions.wsf xxx.yyy xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain
cscript %programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf xxx\sys-zzz /Domain:xxx.yyy

3. Edit, delete and mod security rights to all existing GPOs in the domain
cscript %programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy

 

To cut a long story short, step 2 does not appear to grant the
required 'create' right [GP mgmt tool complains of an access denied
issue]. However, if I manually (using GPMC) add the service account to
the list of objects permitted to create GPOs in the domain [instead of
using the script in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issue? Are there newer versions
of the GPMC scripts? [I have GPMC with SP1]

Just to add to the strangeness of this issue, if I execute the
same scripts above but against a different domain (same service account)
the 3rd party app functions fine in that other domain :/

Any comments? 

Thanks, 
neil 

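Darren's suggestion above is to look at the ACLs on the objects that should carry the right rather than trust the script's exit status. The PowerShell below is an added example of that check; it is not from the thread, from GPMC or from SDM Software. It assumes the placeholders from Neil's post (domain xxx.yyy, account xxx\sys-zzz), a domain-joined Windows host, and permission to read the ACLs on CN=Policies,CN=System and on the SYSVOL Policies folder. It reads the groupPolicyContainer class GUID from the schema instead of hard-coding it, and it changes nothing.

```powershell
# Added example (not from the thread, GPMC or SDM Software). Verifies that a
# GPO-creating service account holds the two rights Darren names:
#   - Create Child for the groupPolicyContainer class on CN=Policies,CN=System
#   - Modify (NTFS "Change") on \\<domain>\SYSVOL\<domain>\Policies
# Read-only: nothing is changed. xxx.yyy / xxx\sys-zzz are Neil's placeholders.
$domainFqdn = 'xxx.yyy'
$account    = 'xxx\sys-zzz'

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Get('defaultNamingContext')
$schemaDn = $rootDse.Get('schemaNamingContext')

# Object-specific CreateChild ACEs carry the schemaIDGUID of the class they
# allow, so fetch that GUID from the schema rather than hard-coding it.
$gpcClass = [ADSI]"LDAP://CN=Group-Policy-Container,$schemaDn"
$gpcGuid  = New-Object System.Guid -ArgumentList (,([byte[]]($gpcClass.Get('schemaIDGUID'))))

# --- AD side: CN=Policies,CN=System ---
$policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
$adRules  = $policies.psbase.ObjectSecurity.GetAccessRules(
                $true, $true, [System.Security.Principal.NTAccount])

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$adOk = [bool]($adRules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $account -and
    (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
    # Either a class-specific Create right for GPCs or an unrestricted one
    ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [Guid]::Empty)
})

# --- SYSVOL side: the Policies folder under the domain's SYSVOL share ---
$sysvolPath = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies"
$modify     = [System.Security.AccessControl.FileSystemRights]::Modify
$fsOk = [bool]((Get-Acl -Path $sysvolPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $account -and
    (($_.FileSystemRights -band $modify) -eq $modify)   # FullControl also passes
})

[pscustomobject]@{
    Account                = $account
    CreateGpcOnPoliciesCn  = $adOk
    ModifyOnSysvolPolicies = $fsOk
}
```

Both checks look only at ACEs that name the account itself; a right that arrives through a group membership needs the group checked instead. A False in either column points at the object Darren named as the place to look.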

RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Mike Guest
Your father is probably mild

 

http://amasci.com/weird/unusual/zap.html these guys (if you believe
them) have real problems.

 

Mike Guest
IT Solutions
HML
Padiham DDI: +44 (0)1282 682550 
Internal Extension: (61) 2550


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 01 December 2006 23:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 


Happens with my father and watches as well. The man cannot wear a watch
without it dying within weeks. But that's another story. If you can
isolate the symptoms to time of day or even the remote chance it's a bad
ballast (fluorescent lighting used to cause occasional problems with old
CRTs), etc. At least you can start to whittle things down a bit. But in
this case it sounds like RF overlap. Perhaps there is one mouse that is
emitting too strong a signal. 

I was a bit thrown this morning though when I thought I read that this
was happening with corded devices as well. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275







Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-04 Thread Paul Williams
MONAD for Exchange is supposed to fix that but I am expecting tremendous 
scaling issues in the environments I play in with it and quite frankly 
have even admitted that I would rather see WMI as it doesn't saturate the 
network lines passing data that isn't being requested.


I agree with you here.  I've started playing with PowerShell, and was trying 
to prove that you could use the WinNT provider to someone.  It took me ~5 
minutes to get as far as C* when outputting all user objects in my domain. 
And we're only talking ~40,000 in this particular instance.



--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, December 03, 2006 5:01 PM
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on 
DC




Oh I see that. On the flip side, companies that produce professional
products like x, y, and z[1] etc should have the skill sets to produce more
efficient and directed applications that don't have a reliance on those
abstraction layers and use the more efficient APIs in ways that are directly
relevant to the goals of the applications and that they have a greater
understanding of. Obviously someone may not have a super strong
understanding of the core APIs but at least there is only a single level
where problems can be introduced versus the multiple levels that can be
introduced in the abstractions such that you have to try and figure out at
what level the issue is at. Possibly if the abstraction layers had amazing
logging that could be enabled to track issues and explain what they are
translating the requests to at the lower levels it might be easier for
someone to identify where the issue cropped up.

One issue I see is someone who can write a basic vbscript based on these
frameworks think they are a programmer and start producing tools that they
sell. They have no understanding of the underpinnings of the overall system
and quite frankly, to scale things up, they really ought to, the
abstractions are not great in that arena and to be fair, I don't believe
they really were designed to be. It was more to get the masses so they could
do basic things. Another issue I see is when someone only published say a
WMI interface into something. I have that issue with Exchange 2000/2003 as
they really did a poor job with a lot of that from being poor performers to
not performing correctly at all. I took this up with the Exchange PSS
Support folks and finally got the great answer of WMI isn't designed to be
used for monitoring... How do you argue that point? Unfortunately the only
other recourse is to try and work through completely undocumented MAPI stuff
and MAPI is already painful and sucky at best though it was designed to be a
nice abstraction layer to make lives easier. MONAD for Exchange is supposed
to fix that but I am expecting tremendous scaling issues in the environments
I play in with it and quite frankly have even admitted that I would rather
see WMI as it doesn't saturate the network lines passing data that isn't
being requested.


[1] Names withheld to protect the guilty.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Saturday, December 02, 2006 6:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC



You must take into account that not everyone is a Win32 API or LDAP API C or
C++ developer to write its own logic and create its own tool to perform the
management task their business requires.

Abstraction layers like WMI, ADSI, CDO, XMLDOM, WSH, ADO and so on ... are
helping thousands of people to write scripts and applications without having
to dig into the API programming level.

Both worlds have pros and cons.

The API programming level requires a more specific programming knowledge,
the abstraction layers introduce a proxy, simplifies the access pattern and
obviously have a performance cost.

I think that none of the two worlds have to be rejected, they just need to
be used correctly and when appropriate. This why Microsoft is documenting
Win32 API, COM interfaces and .NET API.

If the COM abstraction layers were that yuck, programming environments like
WSH and/or VB6 would have not been so heavily used and successful.

Are abstraction layers perfect? Clearly not. Are they useful? Yes for sure.

Is there room for improvement? Always.



Regards,
/Alain


Alain LISSOIR

[EMAIL PROTECTED]

Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 02, 2006 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when 

RE: [ActiveDir] Import User Details from a XLS file

2006-12-04 Thread Haritwal, Dhiraj
Dear Thomas/Brian,

I am waiting for your reply. Kindly send me the solution. I know how to
import through ldifde & csvde, but my problem is I have to modify some
properties of all users like their contact no., department, location
etc. I cannot understand what condition has to be set to modify their
properties.

If anyone else is having any idea, kindly send me ASAP.

Dhiraj Haritwal


-Original Message-
From: Haritwal, Dhiraj 
Sent: Friday, December 01, 2006 10:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Import User Details from a XLS file


Dear Thomas/Brian,

Thanks for your reply. But I want to add some information (attributes)
to existing users. Like, I want to add Contact No, location, Department
etc... to the existing users from an Excel file.

Thanks,

Dhiraj Haritwal
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Thursday, November 30, 2006 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Import User Details from a XLS file

Hi Dhiraj,

see MS KB237677 for
Using LDIFDE to import and export directory objects to Active Directory

http://support.microsoft.com/kb/237677/en-us

Greetings
Thomas
2006/11/30, Haritwal, Dhiraj [EMAIL PROTECTED]:



 Dear All,



 How can I import, AD Users Details like Department, Telephone No,
Location
 etc... from an XLS file.



 Dhiraj Haritwal



 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/






RE: [ActiveDir] Import User Details from a XLS file

2006-12-04 Thread James_Day
Hi Dhiraj

You could do vbs script that uses the put and set info commands to populate
the attributes.  The code would look something like this.

' Text file stuff to define the file to open to read, and to build an error
' file
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set errfyle = fso.CreateTextFile("errorfyle.txt", True)
errfyle.Close
Set errfyle = fso.OpenTextFile("errorfyle.txt", 8, True)   ' 8 = ForAppending
' Input file: one user per line, tab delimited, DN in the first column
Set myreadfyle = fso.OpenTextFile("fylenam with data")
' Name of the attribute that column 1 feeds (example value; see note below)
attributename = "department"
While Not myreadfyle.AtEndOfStream
    fyleline = myreadfyle.ReadLine
    ' Create an array called acctarray that contains the DN as value
    ' acctarray(0) and the new attribs as values 1 - x
    acctarray = Split(fyleline, Chr(9))

    Set objuser = GetObject("LDAP://" & Trim(acctarray(0)))
    If Err = 0 Then
        ' Do this section for each attribute, or call a function and then
        ' feed it the attributename and the acctarray(x)
        ' **
        objuser.Put attributename, acctarray(1)
        objuser.SetInfo
        If Err <> 0 Then
            errfyle.WriteLine acctarray(0) & " : Error setting attribute " & attributename
            Err.Clear
        End If
        ' **
    Else
        ' GetObject failed, so the DN in column 0 did not bind to an object
        errfyle.WriteLine acctarray(0) & " : Object does not exist"
        Err.Clear
    End If
Wend
myreadfyle.Close
errfyle.Close

The script assumes the data is tab delimited and the first column is the DN of
the user you are changing.  Additional columns would be the attributes you
are changing.  attributename is the name of the attribute that you can read
via ADSIEdit (i.e. sAMAccountName is the pre-Win2K logon name).  This is
basically a scaled-down version of the custom one I used for a migration -
it probably needs some customization for your environment.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-354-1464
202-230-2983 (CEL)
[EMAIL PROTECTED]


   
From: Haritwal, Dhiraj <Dhiraj.Haritwal@ap.sony.com>
Sent by: [EMAIL PROTECTED]
Sent: 12/04/2006 07:02 PM ZE5B
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Import User Details from a XLS file





RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Scott Klassen
It can be even more amusing with wireless keyboards.  Somebody is typing up
an email and random characters begin appearing.

 

Scott Klassen

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, December 01, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 

Yep, that was it. The one guy sitting between them all replaced his
batteries a few days ago, which is when the problems began. I almost took a
sledgehammer to that thing :-)

-- 
Brian Cline 

 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday 01 December 2006 13:42
To: Active Directory Mailing List
Subject: RE: [ActiveDir] OT: Possessed PCs

Just to update... I was finally able to catch this in action. It stopped as
soon as I unplugged the wireless keyboard/mouse device from the PC. It
appears that one particular person's wireless mouse is crossing signal with
select others, but none of the nearby mice are the culprit. It still occurs
after the affected devices are reset with the connect button on the
kb/mouse receiver. This could get interesting...

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday 01 December 2006 11:07
To: Active Directory Mailing List
Subject: [ActiveDir] OT: Possessed PCs

Yesterday we had several people complain that their cursor was moving around
on its own, but not erratically or quickly as one would suspect might be the
case of a mouse issue. I used SMS remote tools to watch one person's screen,
and she noted that the way the cursor moved while I was in there checking
things was exactly the same way it was moving before -- it was just as
though someone was actually in there.

Now I can't begin to describe how odd this is -- but I can't seem to find
any common denominator for the folks who experienced this problem (so far,
three or four). Some have wireless mice with a short range and good
batteries with no problems otherwise, whereas the others have standard,
working USB mice. I have seen this before where the language bar was
detecting office and keyboard noise through the microphone as dictated
commands to do thing, but the problem persisted on the first PC after I
disabled it, and I don't think that particular model has a built-in mic. I
checked the event logs and the only person who used the SMS remote control
was me, so I can't imagine that anyone else would have been remoting it
either. So far today I have not heard any more complaints, but nevertheless
I'm still curious yet baffled.

All PCs have updated virus and spyware definitions. Does anyone have ideas
on where to start looking if this problem surfaces again? If it continues
we'll have the corporate chaplain bring in his exorcist buddy.

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 



RE: [ActiveDir] Can you run DHCP on a XP computer??

2006-12-04 Thread Bazarewsky, Michael C.
I also do not know what DECO is, but I do know that one short-term
third-party DHCP solution is TFTPD32:

 

http://tftpd32.jounin.net/

 

The original request did not specify more details on the requirements.
The big issue with TFTPD32 is it is meant for short-term use, so it does
not save leases in a persistent fashion, so you start over when the
program is cycled.  This makes it much more useful in a lab/development
environment than in a production environment.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can you run DHCP on a XP computer??

 

What's DECO? (I'm guessing a typo, but want to make sure you're not
referring to some third-party DHCP service.) If you are referring to the
Microsoft DHCP service, I think whoever told you that is confused,
perhaps by having seen the DHCP client service in the services list?

 

Laura





RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-04 Thread Darren Mar-Elia
Neil-

You can modify the defaultSecurityDescriptor attribute in the schema to
change which groups are automatically granted rights on a newly created GPO.
Its described here: 

http://support.microsoft.com/kb/321476/en-us

 

 

Darren

 

 

Darren Mar-Elia

CTO & Founder

www.sdmsoftware.com (http://www.sdmsoftware.com/)

[EMAIL PROTECTED]

v) 415-670-9302

f) 415-532-2655

 

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 04, 2006 1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting rights to 'Manage GPOs'

 

I'd prefer to grant the service the rights it *needs* rather than carte
blanche Domain Admins rights. However, as new GPOs are created, only the
default (Schema defined?) ACLs are applied, which includes DAs but will
*not* include my service account.

 

Back to the drawing board...

 

neil

RE: [ActiveDir] Can you run DHCP on a XP computer??

2006-12-04 Thread Justin_Leney
Return Receipt: your document "RE: [ActiveDir] Can you run DHCP on a XP computer??" was received by Justin Leney/US/DCI at 12/04/2006 09:56:06 AM.











RE: [ActiveDir] mailNickName(OT)

2006-12-04 Thread Albert Duro
I don't have much comment on the technical aspects of your blog.  I read
it to learn, as I don't know much about this problem -- it's not a
problem in my small environment.
 
But, since I was a writer and editor in a previous life, I can offer
some comments on the blog and the prospective article (which I
encourage).
I recommend tightening it up a bit (the article could easily start at
the third paragraph, for example); structuring it so that a description
of the problem and/or solution is at the beginning of each subsection
and of the article itself; giving concrete illustrations at every major
point.
It's clear that you have good mastery of the naming infrastructure (or
infrasnakesnest) and dynamics of AD, but not everyone who can benefit
from your article will necessarily know all those things you take for
granted.  So a summary of all that wouldn't be a bad idea.
I hope this is helpful.

-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 27, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)


Now that I've shaken that turkey-induced coma:
http://blogs.dirteam.com/blogs/al/archive/2006/10/05/History-Repeats-Itself.aspx

I have to say though, I am a shy person by nature.  Ask anyone that
knows me and they'll tell you how shy I am in person ;)

Albert, and anyone that reads the blog, I would appreciate comments.
Anything I can do to make things better, I'm happy and eager to do. 

Al


On 11/24/06, Albert Duro [EMAIL PROTECTED] wrote: 

Could I bother you for a link to your blog?  Searching on 'al mulnick
blog mailnickname' (and various combinations thereof) got me all kinds
of stuff, none of which seemed to be what you're referring to.
C'mon, Al, you gotta get over this shyness...
 


- Original Message - 
From: Al Mulnick [mailto:[EMAIL PROTECTED]]
To: ActiveDir@mail.activedir.org 

Sent: Wednesday, November 22, 2006 8:41 AM
Subject: Re: [ActiveDir] mailNickName(OT)

Other than being used for access by other protocols such as pop, imap,
and owa, last I checked it's also the value used for the x.400 like
address which is used for mail delivery internally by Exchange.  You
wouldn't want that to be non-unique else you might have to call somebody
like joe to come in and help clean up :) 

I'm surprised that this company you're at has not gone to unique values
for this.  I'm equally surprised they don't have other issues with their
Exchange deployment, but it's possible you haven't gotten far enough
into it yet to notice some of them.  

I've blogged about my thoughts regarding what should be globally unique
in an AD/Exchange environment.  It's a long enough blog it may even be a
good candidate for an essay or possibly a sleep aid.  

If you want the details, have a read.  The short answer is that you want
every user to be unique and to have a consistent and trouble-free
experience.  That keeps you from being up late at night with
international customers first and your local in-country customers the
next day. Mailnickname is one of the attributes that should be unique
same as samaccountname and smtp address (some are enforced per forest,
some per domain but all should be enforced regardless in my opinion).
Since they can often feed on one another, I maintain that samaccountname
should be the user's foundational, non-changing, never touched as long
as that person is a member of the company in good standing, network id.
Exchange relies on Active Directory and as such you're better following
the same rules.


Al


On 11/22/06, joe [EMAIL PROTECTED] wrote: 

The mailnickname isn't populated in a similar way to display name. The
common ways for mailnickname generation and its population are through the
RUS, by CDOEXM, or by the special ADUC extension (and no, ADUC doesn't use
CDOEXM). This is unlike displayname which has ADUC as its common way to be
populated. Certainly they could have done something like that but they
didn't.

Changing the format is ok, most companies don't do it but some do. But if
there is going to be a change, change to something that is guaranteed to be
unique in your organization. Display names are very often not unique;
definitely not unique at scale, which is why Al said "it don't scale". Go
to any larger company in the US and type in Smith, Jones, Brown, or Johnson
in the GAL and you will likely see multiple Alan's, Andrew's, Amy's, Bob's,
Carol's, Fred's, John's, Steve's, etc... If you are multi-national try
Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg,
Schulz, or Schmidt.

The attribute is used quite a bit in Exchange. Where all it is used I will
let some Exchange person respond if they want, but look quickly at a mailbox
enabled user and check how many times you see the value. Note that none of
the other attributes that use mailNickname in their initial generation will
change if you change mailnickname, you absolutely wouldn't want that or else
it would break
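
A check for the uniqueness rule Al and joe describe, as an added example (not code from the thread): given a user export, it reports sAMAccountName collisions per domain and mailNickname / SMTP address collisions forest-wide, and separately lists displayName collisions, which are allowed but show why displayName cannot be used to derive the unique attributes. The sample records are constructed.

```python
"""Uniqueness check for the attributes the thread says must be unique
(sAMAccountName per domain; mailNickname and the SMTP address forest-wide).

Added example, not code from the thread.  The records below are constructed
in the shape a csvde/ldifde export would give; AD treats these attributes as
case-insensitive, so values are case-folded before comparison."""
from collections import defaultdict

# Attribute -> scope in which the thread wants it unique.
UNIQUE_ATTRS = {
    "sAMAccountName": "domain",   # AD itself enforces this per domain
    "mailNickname": "forest",     # Exchange alias, feeds the X.400 address
    "mail": "forest",             # primary SMTP address
}

# Constructed sample export.  Two accounts share the login name 'jsmith' in
# different domains (legal), but also share a mailNickname differing only in
# case (an Exchange collision).  Two different people share a display name.
SAMPLE_USERS = [
    {"dn": "CN=John Smith,OU=Users,DC=corp,DC=example,DC=com",
     "sAMAccountName": "jsmith", "mailNickname": "jsmith",
     "mail": "jsmith@example.com", "displayName": "John Smith"},
    {"dn": "CN=Jane Smith,OU=Users,DC=emea,DC=example,DC=com",
     "sAMAccountName": "jsmith", "mailNickname": "JSmith",
     "mail": "jane.smith@example.com", "displayName": "Jane Smith"},
    {"dn": "CN=John Smith (Sales),OU=Users,DC=corp,DC=example,DC=com",
     "sAMAccountName": "jsmith2", "mailNickname": "jsmith2",
     "mail": "john.smith@example.com", "displayName": "John Smith"},
]


def domain_of(dn):
    """Domain portion of a DN: its DC= components, lowercased.
    Naive split on ','; exports with escaped commas in CNs need a real DN parser."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.lower().startswith("dc=")).lower()


def find_duplicates(users, attrs=UNIQUE_ATTRS):
    """Return {attr: {key: [DNs]}} for every value used more than once within
    its scope.  Only attributes that actually have collisions appear."""
    seen = defaultdict(lambda: defaultdict(list))
    for u in users:
        for attr, scope in attrs.items():
            value = u.get(attr)
            if not value:
                continue                      # an unset attribute is not a collision
            key = value.casefold()
            if scope == "domain":
                key = (domain_of(u["dn"]), key)
            seen[attr][key].append(u["dn"])
    report = {}
    for attr, values in seen.items():
        dups = {k: dns for k, dns in values.items() if len(dns) > 1}
        if dups:
            report[attr] = dups
    return report


def display_name_collisions(users):
    """displayName is not required to be unique (joe's point); listing its
    collisions shows why it must never be used to derive the attributes above."""
    by_name = defaultdict(list)
    for u in users:
        if u.get("displayName"):
            by_name[u["displayName"].casefold()].append(u["dn"])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


if __name__ == "__main__":
    for attr, dups in find_duplicates(SAMPLE_USERS).items():
        for key, dns in dups.items():
            print(f"{attr} collision {key!r}: {', '.join(dns)}")
    for name, dns in display_name_collisions(SAMPLE_USERS).items():
        print(f"displayName {name!r} shared by {len(dns)} objects (allowed, but not a key)")
```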

RE: [ActiveDir] Can you run DHCP on a XP computer??

2006-12-04 Thread Jason_Centenni
Return Receipt

Your document: RE: [ActiveDir] Can you run DHCP on a XP computer??
was received by: Jason Centenni/CDS/CG/CAPITAL
at: 12/04/2006 10:33:39 AM CST




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] mailNickName(OT)

2006-12-04 Thread Al Mulnick

That is absolutely very helpful.  I deeply appreciate the feedback, Albert.

Al


RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Brian Cline
Please do! :-)
 
They sit in an area that is somewhat densely clustered with cubes. However, the 
first two of the affected users sat in cubes next to each other with a direct 
line of sight to the problem source roughly 15ft away, and have a near direct 
line of sight to a third affected user that was about 25ft and two walls away 
from the source of the problem. The fourth affected user was also about 25-30ft 
and three walls away from the source, in the opposite direction of the third 
user. The row of VP offices directly across from the fourth user's office were 
not affected (whew!).
 
And of course once we told the problem user what was going on, he had a little 
bit of fun with it first.

-- 
Brian Cline 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday 01 December 2006 17:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs


When I go near wireless mice/keyboards, they stop working. (I can provide 
witnesses to this.) Want me to visit your office? ;-)
 
Laura
 
P.S. How densely clustered are these users? Does one user's interference stop 
if you turn off the other user's mouse? Seems like it'd be a quick way to 
verify that it's not somebody between them before you start cubicle crawling.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian 
Cline
Sent: Friday, December 01, 2006 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs


Since this morning, we've ruled out the possibility of the USB mice 
being affected as well. Apparently those folks with USB mice who complained 
were not having the same kind of cursor movement -- it was just the seldom 
jumpy cursor (where it spasms between 2-3 pixels while idle) usually seen only 
with optical mice. Fortunately I've been able to see it in action today, and it 
definitely seems to be coming from someone else's mouse as it appears to be 
normal mouse movements. The affected users are roughly 30-40 feet away, so 
we're checking to see if there is someone between all of them who has a 
wireless mouse.
 
I like the idea of prohibiting the devices altogether. Would definitely 
save a lot of time -- I've not been able to get much serious work done today.
 
-- 
Brian Cline 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott 
Klassen
Sent: Friday 01 December 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs



Usually I see this from interference using wireless mice.  Usually it’s 
caused by people with other wireless devices close by and they are both 
operating on the same channel.  RF can operate through walls, so interference 
doesn’t have to be line of sight and can come through walls, from above or 
below if transmitting omnidirectionally.  Just had this recently where a bunch 
of staffers with laptops got wireless external keypads, all the same make and 
model, and found the range of these things was 20 feet.  Cell Phones, 
Microwaves, and other common items may also cause this for the same reasons.  I 
no longer allow wireless devices in my environments just to save the hassle.

 

You say this also happens with some wired usb mice?  Have you tried 
moving these to a different USB port on the system, preferably connected to a 
different USB controller?

 

Scott Klassen

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian 
Cline
Sent: Friday, December 01, 2006 10:07 AM
To: Active Directory Mailing List
Subject: [ActiveDir] OT: Possessed PCs

 

Yesterday we had several people complain that their cursor was moving 
around on its own, but not erratically or quickly as one would suspect might be 
the case of a mouse issue. I used SMS remote tools to watch one person's 
screen, and she noted that the way the cursor moved while I was in there 
checking things was exactly the same way it was moving before -- it was just as 
though someone was actually in there.

Now I can't begin to describe how odd this is -- but I can't seem to 
find any common denominator for the folks who experienced this problem (so far, 
three or four). Some have wireless mice with a short range and good batteries 
with no problems otherwise, whereas the others have standard, working USB mice. 
I have seen this before where the language bar was detecting office and 
keyboard noise through the microphone as dictated commands to do thing, but the 
problem persisted on the first PC after I disabled it, and I don't think that 
particular model has a built-in mic. I checked the event logs and the only 
person who used the SMS remote 

RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Brian Cline
To be honest I'm not sure why those guys have wireless devices to begin with. 
They were probably given to them at the time solely because it was the latest 
and greatest. Not too big a fan of that doctrine myself.

-- 
Brian Cline 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Sunday 03 December 2006 22:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Possessed PCs


There are some wireless mice/keyboards that can potentially support hundreds of 
non-interfering devices - if they want to have wireless, make them use what has 
been 'approved' or nothing at all :)


On 12/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 


Happens with my father and watches as well. The man cannot wear a watch 
without it dying within weeks. But that's another story. If you can isolate the 
symptoms to time of day or even the remote chance it's a bad ballast (fluorescent 
lighting used to cause occasional problems with old CRTs), etc. At least you can 
start to whittle things down a bit. But in this case it sounds like RF overlap. 
Perhaps there is one mouse that is emitting too strong a signal. 

I was a bit thrown this morning though when I thought I read that this 
was happening with corded devices as well. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275







[ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Brian Cline
I was testing out the RTM of Vista Enterprise last night and noticed I didn't 
have to enter a key at any point during the install. When Windows tried to 
activate, it told me there was a DNS error, so I suspected it looks for a local 
activation server by default. Sure enough, in the DNS cache was a lookup for a 
nonexistent _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft 
has not released KMS yet, and I couldn't find any option to activate directly 
with Microsoft. For the moment, is telephone activation the only option?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Steve Egan (Temp)
RF is funny stuff.  Depending on the strength/frequency of the carrier
wave, walls, current-carrying wires within those walls, and even rebar
within concrete can act as waveguides.  Toss in a healthy dose of
multipathing and BFO's (Beat Frequency Oscillators) and you have a
nightmare in cubicle-land.  You have to walk around with a Spectrum
Analyzer to appreciate what goes on in the RF spectrum in an office
building, believe me.  Add a rogue device that's spitting stuff out
too loudly, or at just the wrong frequency, and stir.  Your brains.
Because you can't figure out the @#$%^$-ing problem.  The sledgehammer
solution works just peachy!  We banned all this stuff, and our service
calls went away.  No more broken keyboards and mice.

 

Wireless ain't what it's cracked up to be because there are now too many
devices using the very narrow spectrum.  Just ask the FCC...

 

Steve Egan

Purcell Systems

System/Network Administrator

desk 509 755-0341 x110

cell 509 475-7682

fax 509 755-0345




Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-04 Thread Hans Halbmayr
Usually dcpromo creates all these zones. Windows creates these zones in a 
forest partition. If you have a linux DNS server just create another slave zone 
of _msdcs.example.com. The gray one is only the delegation. 

Hans


- Original Message 
From: Michael B Allen [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Sent: Saturday, December 2, 2006 5:39:26 PM
Subject: Re: [ActiveDir] _msdcs not propagated in AXFR


Ok, so basically _msdcs is just a separate zone. Do Windows DNS setups
usually do this? I'm using SBS.

I have a bind DNS server running on a linux machine with a slave zone
for example.com. The AXFR doesn't have those records (aside from the
NS record). So what you're saying is that I need to setup another slave
zone for the _msdcs subdomain?

Mike

On Sat, 2 Dec 2006 03:02:22 -0800 (PST)
Hans Halbmayr [EMAIL PROTECTED] wrote:

 Hi Mike,
 
 the gray one is the delegation of the zone. The _msdcs is a subdomain of 
 your forest root. Because it is needed all over the forest it is delegated.
 
 Regards
 Hans
 
 - Original Message 
 From: Michael B Allen [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Cc: [EMAIL PROTECTED]
 Sent: Saturday, December 2, 2006 12:15:29 AM
 Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
 
 
 I'm not sure I understand. In DNS admin I see two zones. One
 for _msdcs.example.com with all the usual _msdcs records and
 one for example.com which incidentally has an NS record for
 _msdcs.example.com. The little folder thingy for this _msdcs is grey
 which I guess signifies that it's some kind of link to the other zone?
 
 So I understand why the _msdcs records other than the one NS record are
 not transferring but I don't understand why the structure is split into
 two zones and if I can/should do something about it.
 
 Mike
 
 On Fri, 1 Dec 2006 11:27:14 -0800
 Akomolafe, Deji [EMAIL PROTECTED] wrote:
 
  Seen this? http://support.microsoft.com/kb/817470
  
  
  Sincerely, 
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about 
  Yesterday? -anon
  
  
  
  From: Michael B Allen
  Sent: Fri 12/1/2006 9:40 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] _msdcs not propagated in AXFR
  
  
  Does anyone know why the _msdcs records are not returned in an AXFR DNS
  query? This means that slave zones will not have those records and that
  software querying for a domain controller may not find one.
  
  Mike
  
  -- 
  Michael B Allen
  PHP Active Directory SSO
  http://www.ioplex.com/
  
 
 
 -- 
 Michael B Allen
 PHP Active Directory SSO
 http://www.ioplex.com/
 
 
  
 
 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


 

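
Hans's advice above, written out as a named.conf fragment for the BIND secondary Mike describes. This is an added example, not from the thread; 192.0.2.10 is a placeholder for the DC that is primary for both zones, and the DC must allow zone transfers to this server for each zone separately.

```conf
// Added example, not from the thread.  192.0.2.10 stands in for the
// Windows DC that holds the primary copy of both zones.
zone "example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/example.com.db";
};

// _msdcs.example.com is a separate, delegated zone on the DC, so an AXFR
// of example.com only carries its NS (delegation) record.  The SRV records
// the DC locator needs live here, so the secondary must transfer it too.
zone "_msdcs.example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/_msdcs.example.com.db";
};
```

After reloading, a query such as `dig @secondary _ldap._tcp.dc._msdcs.example.com SRV` should return the domain controllers rather than a referral.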


Re: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Nope, I've done it web based.  At the present time there are two kinds 
of keycodes up on MVLS: one that wants a KMS, the other that will phone 
home to Redmond automatically.


Having your MVLS folks request the other type of key is, as I understand 
it, how this will work for now.  The KMS type won't be out until Longhorn.


KMS activations will have to phone home to your servers twice a year.




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Brian Desmond
On the VL site there are different MAK and KMS keys... which did you use?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 




Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-04 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

(the red flag of SBS brings out you know who)

SBS does the best when it is the DNSer... and when it is the DNSer... it 
does all that you need when it's installed.


SBS does the necessary DNS zones when it's set up to be the main 
cheese of the network. how did you set up this box?


Ask a SBSer what dcpromo is and we go "dc-what?".

Our install wizard does that for us... we don't ever use the command 
dcpromo ... unless we are migrating a SBS box into an existing network 
or Swing migratin' from one to another.







  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Can you run DHCP on a XP computer??

2006-12-04 Thread Group, Russ
Yes, I admit - I hit "change" on the spell check when I should have hit
"add" ;)
 
Thank you for the responses!
 
Russ

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can you run DHCP on a XP computer??


What's DECO? (I'm guessing a typo, but want to make sure you're not
referring to some third-party DHCP service.) If you are referring to the
Microsoft DHCP service, I think whoever told you that is confused,
perhaps by having seen the DHCP client service in the services list?
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Friday, December 01, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can you run DHCP on a XP computer??



Hi all

Someone told me you can run DECO on a computer running Windows
XP.  I was totally unaware of this.  Does anyone have any information
about this?






[ActiveDir] Tombstone.

2006-12-04 Thread Ajay Kumar

Hi all,

I have a query:
Is it possible to recover a network object from an AD tombstone?
If not, then what is the use of it?

Regards,
Ajay pardeshi


RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Crawford, Scott
I agree.  I'm also curious about the security side of this.  Are the
transmissions encrypted?  Apparently not very well if one mouse affects
another's PC.  Just open notepad on an affected PC and you have a poor
man's keylogger.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 

To be honest I'm not sure why those guys have wireless devices to begin
with. They were probably given to them at the time solely because it
was the latest and greatest. Not too big a fan of that doctrine myself.

-- 
Brian Cline 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Sunday 03 December 2006 22:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Possessed PCs

There are some wireless mice/keyboards that can potentially support
hundreds of non-interfering devices - if they want to have wireless,
make them use what has been 'approved' or nothing at all :)

On 12/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED]
wrote: 


Happens with my father and watches as well. The man cannot wear a watch
without it dying within weeks. But that's another story. If you can
isolate the symptoms to time of day or even the remote chance it's a bad
ballast (fluorescent lighting used to cause occasional problems with old
CRTs), etc. At least you can start to whittle things down a bit. But in
this case it sounds like RF overlap. Perhaps there is one mouse that is
emitting too strong a signal. 

I was a bit thrown this morning though when I thought I read that this
was happening with corded devices as well. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275


The contents contain privileged and/or confidential information intended
for the named recipient of this email. ETSI (Employee Technology
Solutions, Inc.) does not warrant that the contents of any
electronically transmitted information will remain confidential. If the
reader of this email is not the intended recipient you are hereby
notified that any use, reproduction, disclosure or distribution of the
information contained in the email in error, please reply to us
immediately and delete the document. 

Viruses, Malware, Phishing and other known and unknown electronic
threats: It is the recipient/client's duties to perform virus scans and
otherwise test the information provided before loading onto any computer
system. No warranty is made that this material is free from computer
virus or any other defect.

Any loss/damage incurred by using this material is not the sender's
responsibility. Liability will be limited to resupplying the material.


 



RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Tim Vander Kooi
You need to go to Control Panel > System then at the bottom select
Change Product Key. This will allow you to enter your VL key which will
result in Vista activating via the web. Definitely not well documented
unfortunately.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

 

I was testing out the RTM of Vista Enterprise last night and noticed I
didn't have to enter a key at any point during the install. When Windows
tried to activate, it told me there was a DNS error, so I suspected it
looks for a local activation server by default. Sure enough, in the DNS
cache was a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon
further research, it appears Microsoft has not released KMS yet, and I
couldn't find any option to activate directly with Microsoft. For the
moment, is telephone activation the only option?

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 



Re: [ActiveDir] Tombstone.

2006-12-04 Thread Tony Murray
Hi Ajay

Not sure what network objects you are interested in, but you do have the 
ability to reanimate tombstoned objects.  The main issue with this is that not 
all of the attributes are preserved when the object is tombstoned, which means 
you won't get back everything that was lost using this method.

For some tools leveraging the reanimation API, have a look at:

http://www.microsoft.com/technet/sysinternals/utilities/AdRestore.mspx

http://www.quest.com/object_restore_for_active_directory/

Also have a look at the discussion thread below.  Dean Wells shows how to 
modify the schema to include additional attributes in tombstone reanimation.

http://www.mail-archive.com/activedir@mail.activedir.org/msg30802.html

Tony
-- Original Message --
From: Ajay Kumar [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 5 Dec 2006 00:33:21 +0530

Hi all,

I have a query:
Is it possible to recover a network object from an AD tombstone?
If not, then what is the use of it?

Regards,
Ajay pardeshi


 





Sent via the WebMail system at mail.activedir.org


 
   


[ActiveDir] OT (sorta):Group Policy Log View

2006-12-04 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Download details: Group Policy Log View:
http://www.microsoft.com/downloads/details.aspx?familyid=bcfb1955-ca1d-4f00-9cff-6f541bad4563&displaylang=en 





Re: [ActiveDir] Tombstone.

2006-12-04 Thread Brett Shirley
By default it is not possible to recover an AD object from an AD
tombstone.

The AD tombstone mechanism is used to support AD replication.

The way AD replication works is that, in a sense, a delete is really like
a modify by setting the isDeleted attribute (really the metadata, maybe
the attr too, don't remember OTOH).  By setting this attribute the AD
object turns into an AD tombstone, a change that can replicate normally
around to make the delete global.

Cheers,
Brett Shirley


On Tue, 5 Dec 2006, Ajay Kumar wrote:

 Hi all,
 
 I have a query:
 Is it possible to recover a network object from an AD tombstone?
 If not, then what is the use of it?
 
 Regards,
 Ajay pardeshi
 



[ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Mitch Reid

We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

Is there a way to see who created the user object?


Thanks, Mitch.


Re: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
But the MVLS admin has to request the MAK keys... on mine the KMS were 
default and I had to request MAK (like Brian said)


Tim Vander Kooi wrote:


You need to go to Control Panel > System then at the bottom select 
Change Product Key. This will allow you to enter your VL key which 
will result in Vista activating via the web. Definitely not well 
documented unfortunately.


 

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Brian Cline

*Sent:* Monday, December 04, 2006 11:45 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Vista Activation and KMS

 

I was testing out the RTM of Vista Enterprise last night and noticed I 
didn't have to enter a key at any point during the install. When 
Windows tried to activate, it told me there was a DNS error, so I 
suspected it looks for a local activation server by default. Sure 
enough, in the DNS cache was a lookup for a nonexistent 
_vlmcs._tcp.domain.com. Upon further research, it appears Microsoft 
has not released KMS yet, and I couldn't find any option to activate 
directly with Microsoft. For the moment, is telephone activation the 
only option?


Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax





RE: [ActiveDir] Tombstone.

2006-12-04 Thread Almeida Pinto, Jorge de
Are you asking if it is possible to undelete a tombstone which was created when 
an object was deleted?
Well, yes it is possible.
 
When an object is deleted almost all of its attributes are lost except several 
important attributes. Undeleting the object will not return the values of those 
attributes. Only doing an authoritative restore or an undelete followed by a 
write back of attributes (from some repository) will fully restore the object.
 
also see:
MS-KBQ840001_How to restore deleted user accounts and their group memberships 
in Active Directory
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Mon 2006-12-04 20:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Tombstone.


Hi all,
 
I have a query:
Is it possible to recover a network object from an AD tombstone?
If not, then what is the use of it?
 
Regards,
Ajay pardeshi


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
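The mechanism the replies in this thread describe, as an added example that is not code from the thread or from Microsoft: a simplified in-memory model of a delete (isDeleted set, attributes without the searchFlags "preserve on delete" bit 0x8 stripped, group member links removed) followed by a reanimation, showing what comes back and what the schema change mentioned above rescues. The mini-schema, names, DNs and SID are constructed.

```python
"""Model of what an AD tombstone keeps, and why reanimation does not restore everything.

Simplified model written for this page (not Microsoft code): a delete sets isDeleted,
strips every attribute whose schema entry lacks the 'preserve on delete' searchFlags
bit (0x8), and drops the group member links that point at the object. The attribute
set, DNs and SID are constructed.
"""
import uuid

PRESERVE_ON_DELETE = 0x8  # searchFlags bit: the attribute survives on the tombstone
DELETED_CONTAINER = "CN=Deleted Objects,DC=example,DC=com"

# Constructed mini-schema: attribute name -> searchFlags value.
SCHEMA = {
    "objectGUID": PRESERVE_ON_DELETE,
    "objectSid": PRESERVE_ON_DELETE,
    "sAMAccountName": PRESERVE_ON_DELETE,
    "userAccountControl": PRESERVE_ON_DELETE,
    "displayName": 0,
    "description": 0,
    "telephoneNumber": 0,
}


class Directory:
    """Tiny in-memory directory: objects by DN, group membership as forward links."""

    def __init__(self, schema):
        self.schema = schema
        self.objects = {}  # dn -> attribute dict
        self.groups = {}   # group dn -> set of member dns (the group's 'member' values)

    def add(self, dn, attrs):
        self.objects[dn] = dict(attrs, objectGUID=str(uuid.uuid4()), isDeleted=False)
        return dn

    def add_to_group(self, group_dn, member_dn):
        self.groups.setdefault(group_dn, set()).add(member_dn)

    def member_of(self, dn):
        """Back-link view: groups whose member attribute still holds this DN."""
        return sorted(g for g, members in self.groups.items() if dn in members)

    def delete(self, dn):
        """Turn an object into a tombstone, as a DC does before replicating the delete."""
        attrs = self.objects.pop(dn)
        rdn, parent = dn.split(",", 1)
        kept = {a: v for a, v in attrs.items()
                if self.schema.get(a, 0) & PRESERVE_ON_DELETE}
        kept["isDeleted"] = True           # the 'modify' that replicates the delete
        kept["lastKnownParent"] = parent   # lets an undelete put the object back
        for members in self.groups.values():  # forward links to the object are removed
            members.discard(dn)
        tombstone_dn = f"{rdn}\\0ADEL:{kept['objectGUID']},{DELETED_CONTAINER}"
        self.objects[tombstone_dn] = kept
        return tombstone_dn

    def reanimate(self, tombstone_dn):
        """Undelete: clear isDeleted and move the object back under lastKnownParent."""
        attrs = self.objects.pop(tombstone_dn)
        if not attrs.get("isDeleted"):
            raise ValueError(f"{tombstone_dn} is not a tombstone")
        rdn = tombstone_dn.split("\\0ADEL:", 1)[0]
        dn = f"{rdn},{attrs.pop('lastKnownParent')}"
        attrs["isDeleted"] = False
        self.objects[dn] = attrs
        return dn


def delete_and_undelete(schema=SCHEMA):
    """Create a user with two memberships, tombstone it, reanimate it.

    Returns the restored attributes and the groups it is still a member of.
    """
    d = Directory(schema)
    user = d.add("CN=Ajay Kumar,OU=Users,DC=example,DC=com", {
        "sAMAccountName": "akumar",
        "objectSid": "S-1-5-21-1111-2222-3333-1105",
        "userAccountControl": 512,
        "displayName": "Ajay Kumar",
        "description": "Infrastructure team",
        "telephoneNumber": "+91 20 555 0100",
    })
    d.add_to_group("CN=Helpdesk,OU=Groups,DC=example,DC=com", user)
    d.add_to_group("CN=Infra Admins,OU=Groups,DC=example,DC=com", user)
    restored = d.reanimate(d.delete(user))
    return d.objects[restored], d.member_of(restored)


if __name__ == "__main__":
    attrs, groups = delete_and_undelete()
    print("default schema keeps:", sorted(attrs), "memberships:", groups)
    # Setting the preserve bit on description (the kind of schema change the
    # thread refers to) makes that attribute survive the tombstone.
    attrs, _ = delete_and_undelete(dict(SCHEMA, description=PRESERVE_ON_DELETE))
    print("patched schema keeps:", sorted(attrs))
```

The memberships come back empty because the links lived on the groups, which is the gap KB840001 addresses.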

Re: [ActiveDir] Tombstone.

2006-12-04 Thread Al Mulnick

Brett, because of the way the question was asked it might be a good idea to
mention why that's important vs. just deleting an object and replicating
that.

My $0.04 for the day.

Al

On 12/4/06, Brett Shirley [EMAIL PROTECTED] wrote:


By default it is not possible to recover an AD object from an AD
tombstone.

The AD tombstone mechanism is used to support AD replication.

The way AD replication works is that, in a sense, a delete is really like
a modify by setting the isDeleted attribute (really the metadata, maybe
the attr too, don't remember OTOH).  By setting this attribute the AD
object turns into an AD tombstone, a change that can replicate normally
around to make the delete global.

Cheers,
Brett Shirley


On Tue, 5 Dec 2006, Ajay Kumar wrote:

 Hi all,

 I have a query:
 Is it possible to recover a network object from an AD tombstone?
 If not, then what is the use of it?

 Regards,
 Ajay pardeshi





RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
Look at the owner.
 
If it lists ADMINISTRATORS, you might wanna change the security option in the 
default DCs GPO which is called: "System objects: Default owner for objects 
created by members of the Administrators group".
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody will 
take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event (yes 
I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.



[ActiveDir] NetBT errors 4321

2006-12-04 Thread Simon Bembridge
Hi All,

 

I cannot find a resolution to an event log error that we are having within our
development domain; the event is logged every 3-6 mins. I have exhausted the
internet results but to no avail. Any help would be greatly appreciated.

 

We have two DCs living on different subnets both acting as BH servers. 

 

1st DC holds all FSMO roles, single domain, D & FFL 2003

 

Anyway, below is the event log message. I have done all the searches possible
and come up with nothing at all. 

 

Source NetBT

EventID: 4321

 

The name DEV..:Id Could not be registered on the interface with IP
address xxx.xxx.xxx.xxx 

The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be
claimed by the machine.

 

 

The results of both DC's are as follows:

 

Nbtstat -an

DC1              DC2
00  Unique       00  Unique
00  Group        00  Group
1C  Group        1C  Group
20  Unique       20  Unique
1D  Unique       1E  Group
1E  Group
..__MSBROWSE__.

MAC address 

 



Re: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Tony Murray
You might be able to find out who created it by looking at the Owner in the 
Security tab.  However if the account used to create the object is a member of 
Domain Admins it will show this as owner instead of the specific user's name.

There was a discussion thread on this a couple of days ago.

http://www.activedir.org/ma/default.aspx?msg=16424

Tony
-- Original Message --
From: Mitch Reid [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 4 Dec 2006 15:14:50 -0500

We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

Is there a way to see who created the user object?


Thanks, Mitch.


 







Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-04 Thread Michael B Allen
I have confirmed that this is indeed the solution and that it works.

For posterity here's what I did.

I enabled Zone transfers under DNS > Forward Lookup Zones >
_msdcs.example.com > Properties > Zone Transfers and tested that from
the Linux machine with:

  $ dig -t AXFR _msdcs.example.com @192.168.1.1

Then I added the following to the Linux named.conf (in addition to the
other slave zone for example.com):

  zone "_msdcs.example.com" IN {
      type slave;
      file "data/slave-_msdcs.example.com";
      masters { 192.168.1.1; };
  };

and restarted named. Then I tested with:

  $ dig -t SRV _ldap._tcp.dc._msdcs.example.com

Thanks,
Mike

On Mon, 4 Dec 2006 10:06:10 -0800 (PST)
Hans Halbmayr [EMAIL PROTECTED] wrote:

 Usually dcpromo creates all these zones. Windows creates these zones in a 
 forest partition. If you have a Linux DNS server just create another slave 
 zone of _msdcs.example.com. The gray one is only the delegation. 
 
 Hans
 
 
 - Original Message 
 From: Michael B Allen [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Cc: [EMAIL PROTECTED]
 Sent: Saturday, December 2, 2006 5:39:26 PM
 Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
 
 
 Ok, so basically _msdcs is just a separate zone. Do Windows DNS setups
 usually do this? I'm using SBS.
 
 I have a bind DNS server running on a Linux machine with a slave zone
 for example.com. The AXFR doesn't have those records (aside from the
 NS record). So what you're saying is that I need to set up another slave
 zone for the _msdcs subdomain?
 
 Mike
 
 On Sat, 2 Dec 2006 03:02:22 -0800 (PST)
 Hans Halbmayr [EMAIL PROTECTED] wrote:
 
  Hi Mike,
  
  the gray one is the delegation of the zone. The _msdcs is a subdomain of 
  your forest root. Because it is needed all over the forest it is delegated.
  
  Regards
  Hans
  
  - Original Message 
  From: Michael B Allen [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Cc: [EMAIL PROTECTED]
  Sent: Saturday, December 2, 2006 12:15:29 AM
  Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
  
  
  I'm not sure I understand. In DNS admin I see two zones. One
  for _msdcs.example.com with all the usual _msdcs records and
  one for example.com which incidentally has an NS record for
  _msdcs.example.com. The little folder thingy for this _msdcs is grey
  which I guess signifies that it's some kind of link to the other zone?
  
  So I understand why the _msdcs records other than the one NS record are
  not transferring but I don't understand why the structure is split into
  two zones and if I can/should do something about it.
  
  Mike
  
  On Fri, 1 Dec 2006 11:27:14 -0800
  Akomolafe, Deji [EMAIL PROTECTED] wrote:
  
   Seen this? http://support.microsoft.com/kb/817470
   
   
   Sincerely, 
   Microsoft MVP - Directory Services
   www.akomolafe.com - we know IT
   -5.75, -3.23
   Do you now realize that Today is the Tomorrow you were worried about 
   Yesterday? -anon
   
   
   
   From: Michael B Allen
   Sent: Fri 12/1/2006 9:40 AM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] _msdcs not propagated in AXFR
   
   
   Does anyone know why the _msdcs records are not returned in an AXFR DNS
   query? This means that slave zones will not have those records and that
   software querying for a domain controller may not find one.
   
   Mike
   
   
  
  
  
  
   
  
 
 
 
 
  
 
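The problem this thread works through, as an added check that is not code from the thread, from BIND or from Microsoft: a Python script that parses `dig -t AXFR` style output for the parent zone and for the _msdcs zone and reports whether the DC locator SRV records actually reached the slave, flagging the case where only the NS delegation came across. The zone example.com, the DC 192.168.1.1 and the record lines are constructed samples.

```python
"""Check whether a slave DNS server's copy of an AD zone carries the DC locator records.

Written for this page, not taken from the thread. Parses dig AXFR output and
reports which DC locator SRV records are present, which are missing, and whether
the transfer holds only the NS delegation for _msdcs (all a slave of the parent
zone sees). Zone name, DC address and record lines below are constructed.
"""
import re

# Relative owner names of the SRV records the Windows DC locator asks for. AD keeps
# them under _msdcs.<forest>, which dcpromo creates as a separate, delegated zone.
REQUIRED_SRV = (
    "_ldap._tcp.dc._msdcs",      # LDAP on any DC
    "_kerberos._tcp.dc._msdcs",  # Kerberos KDC on any DC
    "_ldap._tcp.gc._msdcs",      # global catalog
    "_ldap._tcp.pdc._msdcs",     # PDC emulator
)

# One resource record as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")


def parse_axfr(text):
    """Return (owner, type, rdata) tuples from dig AXFR output.

    Comment lines (';') and blank lines are skipped; owner names are lower-cased
    and the trailing dot dropped so later comparisons are case-insensitive.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised AXFR line: {line!r}")
        records.append((m["name"].lower().rstrip("."), m["type"], m["rdata"]))
    return records


def check_dc_locator(text, forest):
    """Classify the DC locator records visible in one zone transfer.

    Returns the REQUIRED_SRV names found and missing, plus 'delegated_only', True
    when the transfer carries an NS record for _msdcs.<forest> but nothing beneath
    it: the slave received the delegation, not the child zone's data.
    """
    forest = forest.lower().rstrip(".")
    msdcs = f"_msdcs.{forest}"
    records = parse_axfr(text)
    have = {(owner, rtype) for owner, rtype, _ in records}

    present = [r for r in REQUIRED_SRV if (f"{r}.{forest}", "SRV") in have]
    missing = [r for r in REQUIRED_SRV if r not in present]
    delegated = (msdcs, "NS") in have
    child_data = any(owner.endswith("." + msdcs) for owner, _, _ in records)
    return {"present": present, "missing": missing,
            "delegated_only": delegated and not child_data}


def describe(result):
    """One-line verdict suitable for a monitoring check."""
    if not result["missing"]:
        return "OK: all DC locator SRV records present"
    note = " (only the _msdcs delegation was transferred)" if result["delegated_only"] else ""
    return "MISSING: " + ", ".join(result["missing"]) + note


# Constructed sample: AXFR of the parent zone on its own. The _msdcs subdomain
# appears only as an NS delegation, exactly the situation the thread describes.
PARENT_AXFR = """\
; <<>> DiG 9.3.2 <<>> -t AXFR example.com @192.168.1.1
example.com.\t\t3600\tIN\tSOA\tdc1.example.com. hostmaster.example.com. 2006120401 900 600 86400 3600
example.com.\t\t3600\tIN\tNS\tdc1.example.com.
_msdcs.example.com.\t3600\tIN\tNS\tdc1.example.com.
dc1.example.com.\t3600\tIN\tA\t192.168.1.1
_ldap._tcp.example.com.\t600\tIN\tSRV\t0 100 389 dc1.example.com.
example.com.\t\t3600\tIN\tSOA\tdc1.example.com. hostmaster.example.com. 2006120401 900 600 86400 3600
"""

# Constructed sample: AXFR of the child zone, what the slave holds once the
# _msdcs.example.com slave zone from the thread has been added to named.conf.
MSDCS_AXFR = """\
_msdcs.example.com.\t3600\tIN\tSOA\tdc1.example.com. hostmaster.example.com. 2006120402 900 600 86400 3600
_msdcs.example.com.\t3600\tIN\tNS\tdc1.example.com.
_ldap._tcp.dc._msdcs.example.com.\t600\tIN\tSRV\t0 100 389 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com.\t600\tIN\tSRV\t0 100 88 dc1.example.com.
_ldap._tcp.gc._msdcs.example.com.\t600\tIN\tSRV\t0 100 3268 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com.\t600\tIN\tSRV\t0 100 389 dc1.example.com.
_msdcs.example.com.\t3600\tIN\tSOA\tdc1.example.com. hostmaster.example.com. 2006120402 900 600 86400 3600
"""

if __name__ == "__main__":
    for label, text in (("parent zone only", PARENT_AXFR), ("_msdcs slave zone", MSDCS_AXFR)):
        print(f"{label}: {describe(check_dc_locator(text, 'example.com'))}")
```

Feeding it the real output of `dig -t AXFR <zone> @<slave>` for both zones turns the thread's manual SRV test into a repeatable check.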

[ActiveDir] Renaming sites

2006-12-04 Thread Huber, Rob \(HNI Corp\)
Does anyone know of any issue with renaming sites?  For example, if we
change the site called Chicago to ChicagoIL, what issues could arise?  I
expect that since the GUID is not changed there will not be a
problem.  How about if we use SMS??



Re: [ActiveDir] Renaming sites

2006-12-04 Thread Mark Parris
I can remember some issues with DFS and Windows 2000 but I assume you are 
Windows 2003 now?

So I won't go into them without checking.



Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Huber, Rob \(HNI Corp\) [EMAIL PROTECTED]
Date: Mon, 4 Dec 2006 16:36:59 
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming sites

Does anyone know of any issue with renaming sites?  For example, if we change 
the site called Chicago to ChicagoIL, what issues could arise?  I expect that 
since the GUID is not changed there will not be a problem.  How about if 
we use SMS??
 

RE: [ActiveDir] Renaming sites

2006-12-04 Thread Brian Desmond
You should be fine, but your example leads me to believe that you should
hash out your naming conventions such that they're thoughtful and
future-proof and only do this once.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Huber, Rob (HNI
Corp)
Sent: Monday, December 04, 2006 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming sites

 

Does anyone know of any issue with renaming sites?  For example, if we
change the site called Chicago to ChicagoIL, what issues could arise?  I
expect that since the GUID is not changed there will not be a
problem.  How about if we use SMS??



RE: [ActiveDir] Renaming sites

2006-12-04 Thread Bernard, Aric
SMS will be irritated as it stores the site names in its own DB.  Also Exchange 
gets a little uptight if it is in the site with the name being changed - a 
restart is required.

Sent from my Windows Mobile device.

-Original Message-
From: Mark Parris [EMAIL PROTECTED]
To: ActiveDir.org ActiveDir@mail.activedir.org
Sent: 12/4/06 3:29 PM
Subject: Re: [ActiveDir] Renaming sites

I can remember some issues with DFS and Windows 2000 but I assume you are 
Windows 2003 now?

So I won't go into them without checking.



Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Huber, Rob \(HNI Corp\) [EMAIL PROTECTED]
Date: Mon, 4 Dec 2006 16:36:59
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming sites

Does anyone know of any issue with renaming sites?  For example, if we change 
the site called Chicago to ChicagoIL, what issues could arise?  I expect that 
since the GUID is not changed there will not be a problem.  How about if 
we use SMS??


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Laura A. Robinson
Which will have no effect on the ownership of the directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Look at the owner.
 
If it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: "System objects: Default owner for
objects created by members of the Administrators group".
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.





RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Laura A. Robinson
Actually, it is clearly documented, along with a lot more information on
KMS, MAK and Vista Volume Activation (btw, Volume Licensing doesn't exist in
Vista; VL and VA are not the same things). You probably don't want to get me
started on a big long explanation of how volume activation works, so I'll
just point you to this site:
http://www.microsoft.com/technet/windowsvista/plan/volact.mspx
:-)
 
I highly recommend both the FAQ and the step-by-step guide. The latter
provides information on how to change from KMS to MAK and vice versa (there
are several ways), as well as documentation of defaults, configuration
options, etc.
 
Laura
 
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, December 04, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS



You need to go to Control Panel > System then at the bottom select Change
Product Key. This will allow you to enter your VL key which will result in
Vista activating via the web. Definitely not well documented unfortunately.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

 

I was testing out the RTM of Vista Enterprise last night and noticed I
didn't have to enter a key at any point during the install. When Windows
tried to activate, it told me there was a DNS error, so I suspected it looks
for a local activation server by default. Sure enough, in the DNS cache was
a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon further research, it
appears Microsoft has not released KMS yet, and I couldn't find any option
to activate directly with Microsoft. For the moment, is telephone activation
the only option?

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 


 


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Laura A. Robinson
http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx#StepsforImplementingConfigDeployingKMS
 
See the section entitled "To install KMS hosts for KMS activation".
 
The short answer is, slmgr.vbs is about to become your new best friend. :-)
 
BTW, there's also information there on configuring the SRV records for the
KMS host so you won't get that error again.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS



I was testing out the RTM of Vista Enterprise last night and noticed I
didn't have to enter a key at any point during the install. When Windows
tried to activate, it told me there was a DNS error, so I suspected it looks
for a local activation server by default. Sure enough, in the DNS cache was
a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon further research, it
appears Microsoft has not released KMS yet, and I couldn't find any option
to activate directly with Microsoft. For the moment, is telephone activation
the only option?

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 


 


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Michael A. Barker
Required reading for those with Volume Agreements.

 

http://www.microsoft.com/technet/windowsvista/plan/volact.mspx

 

 

 





RE: [ActiveDir] NetBT errors 4321

2006-12-04 Thread Laura A. Robinson
Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the
second xxx.xxx.xxx.xxx, or are they actually different addresses? Second,
if we're talking two IPs, which one is the DC's IP? Basically, I can't get
enough from your genericized [I made that word up] error to figure out which
machine is which, where this error came from, what machine(s) is/are
identified by the IPs in the error, and therefore, why I should care about
the Nbstat entries. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, December 04, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NetBT errors 4321



Hi All,

 

I cannot find a resolution to an event log error that we are having within our
development domain; the event is logged every 3-6 mins. I have exhausted the
internet results, but to no avail. Any help would be greatly appreciated.

 

We have two DCs living on different subnets, both acting as BH servers.

 

1st DC holds all FSMO roles, single domain, D & FFL 2003

 

Anyway, below is the event log message. I have done all the searches possible
and come up with nothing at all.

 

Source: NetBT

Event ID: 4321

The name "DEV....:Id" could not be registered on the interface with IP
address xxx.xxx.xxx.xxx. The machine with the IP address xxx.xxx.xxx.xxx
did not allow the name to be claimed by the machine.

 

 

The results of both DCs are as follows:

 

Nbtstat -an

DC1              DC2
00 Unique        00 Unique
00 Group         00 Group
1C Group         1C Group
20 Unique        20 Unique
1D Unique        1E Group
1E Group
__MSBROWSE__

 

Mac address 
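Laura's question is the right first step: event 4321 is one host refusing a NetBIOS name another host is trying to register, so the useful comparison is each DC's own name table, suffix by suffix. The following is an added example, not code from the thread, that parses "nbtstat -n" output from each DC, annotates the suffixes Simon listed with what they mean, and reports UNIQUE names that more than one host claims. The two name tables are constructed samples: host names, IPs and the DEV<1B> rows are assumptions added to show what a conflict looks like. The <1D> suffix (subnet master browser) is excluded from conflict detection by default, since one per subnet is normal and Simon's DCs sit on different subnets.

```powershell
# Added example (not from the thread): parse nbtstat -n output from each DC
# and flag UNIQUE names that more than one host claims (what event 4321 is
# about). Sample tables below are constructed; DEV<1B> rows are assumed.

$suffixMeaning = @{
    '00|UNIQUE' = 'Workstation service (computer name)'
    '00|GROUP'  = 'Domain name'
    '01|GROUP'  = 'Master browser (__MSBROWSE__)'
    '1B|UNIQUE' = 'Domain master browser (PDC emulator only)'
    '1C|GROUP'  = 'Domain controllers'
    '1D|UNIQUE' = 'Master browser for this subnet'
    '1E|GROUP'  = 'Browser service elections'
    '20|UNIQUE' = 'Server (file) service'
}

# Real data: run `nbtstat -n | Out-String` on each DC, or `nbtstat -A <ip>`
# remotely, and pass that text instead of these constructed samples.
$dc1Table = @'
Node IpAddress: [10.1.0.10] Scope Id: []
       Name               Type         Status
    ---------------------------------------------
    DC1            <00>  UNIQUE      Registered
    DEV            <00>  GROUP       Registered
    DEV            <1C>  GROUP       Registered
    DC1            <20>  UNIQUE      Registered
    DEV            <1B>  UNIQUE      Registered
    DEV            <1D>  UNIQUE      Registered
    DEV            <1E>  GROUP       Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
'@
$dc2Table = @'
Node IpAddress: [10.2.0.10] Scope Id: []
       Name               Type         Status
    ---------------------------------------------
    DC2            <00>  UNIQUE      Registered
    DEV            <00>  GROUP       Registered
    DEV            <1C>  GROUP       Registered
    DC2            <20>  UNIQUE      Registered
    DEV            <1B>  UNIQUE      Conflict
    DEV            <1D>  UNIQUE      Registered
    DEV            <1E>  GROUP       Registered
'@

function ConvertFrom-NbtstatTable {
    # One object per name-table row: host, name, suffix, type, status, meaning.
    param([string]$ComputerName, [string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(\S+)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)') {
            $suffix = $Matches[2].ToUpper()
            $key    = "$suffix|$($Matches[3])"
            [pscustomobject]@{
                ComputerName = $ComputerName
                Name         = $Matches[1]
                Suffix       = $suffix
                Type         = $Matches[3]
                Status       = $Matches[4]
                Meaning      = if ($suffixMeaning.ContainsKey($key)) { $suffixMeaning[$key] } else { 'unknown suffix' }
            }
        }
    }
}

function Find-NbtNameConflict {
    # UNIQUE names owned by more than one host, ignoring per-subnet suffixes.
    param([object[]]$Entries, [string[]]$PerSubnetSuffix = @('1D'))
    $Entries |
        Where-Object { $_.Type -eq 'UNIQUE' -and $PerSubnetSuffix -notcontains $_.Suffix } |
        Group-Object Name, Suffix |
        Where-Object { @($_.Group.ComputerName | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Group[0].Name
                Suffix  = $_.Group[0].Suffix
                Meaning = $_.Group[0].Meaning
                Owners  = ($_.Group | ForEach-Object { '{0} ({1})' -f $_.ComputerName, $_.Status }) -join ', '
            }
        }
}

$entries = @(ConvertFrom-NbtstatTable -ComputerName DC1 -Text $dc1Table) +
           @(ConvertFrom-NbtstatTable -ComputerName DC2 -Text $dc2Table)

# Any status other than Registered is a name this host lost to another machine.
$entries | Where-Object Status -ne 'Registered' | Format-Table -AutoSize
Find-NbtNameConflict -Entries $entries | Format-Table -AutoSize
```

With the constructed tables the report shows DEV<1B> owned by DC1 (Registered) and DC2 (Conflict); on real data, the name and suffix in the 4321 event should line up with whatever this reports, and the IP in the event tells you which host refused it.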

 


 


RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-04 Thread Laura A. Robinson
So why not change the default security in the schema so that your service
account is included?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 04, 2006 4:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting rights to 'Manage GPOs'


I'd prefer to grant the service the rights it *needs* rather than carte
blanche Domain Admins rights. However, as new GPOs are created, only the
default (Schema defined?) ACLs are applied, which includes DAs but will
*not* include my service account.
 
Back to the drawing board...
 
neil

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: 04 December 2006 04:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Granting rights to 'Manage GPOs'


You might want to set the account to have non-interactive rights, since I'm
assuming that it runs a service that actually handles all the changes - then
grant it membership within the Domain Admins group - that would fix the
issue once and for all, unless you've changed Domain Admins to not have the
ability to edit GPOs, though it's automatically granted every time a new GPO
is created, regardless of what permissions were before. 




On 11/25/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: 

Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I
think the next step would be to check the perms on the various objects that
should get this right. Namely, the service account you're granting access to
should have the  Create GroupPolicyContainer right over the
cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies
folder, it should have Change rights over that container.

 

Darren

 

 

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out
www.gpoguy.com (http://www.gpoguy.com/) -- the best source for GPO FAQs,
video training, tools and whitepapers. Also check out the Windows Group
Policy Guide
(http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155),
the definitive resource for Group Policy information. 

 

Group Policy Management solutions at SDM Software (http://www.sdmsoftware.com/)

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

 

I am attempting to assign rights to a service account [sys-zzz], used by a
Group Policy Management tool (3rd party) so that the service account has the
necessary rights to 'manage' all GPOs in the domain.

Aside from app specific rights, I have assigned the following rights using
GPMC scripts [scripts shown below]: 

1. Create/edit GPO links at the root of the domain and all child containers 
cscript %programfiles%\gpmc\scripts\SetSOMPermissions.wsf xxx.yyy
xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain 
cscript %programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf
xxx\sys-zzz /Domain:xxx.yyy 

3. Edit, delete and mod security rights to all existing GPOs in the domain 
cscript %programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf
xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy 

 

To cut a long story short, step 2 does not appear to grant the required
'create' right [GP mgmt tool complains of an access denied issue].
However, if I manually (using GPMC) add the service account to the list of
objects permitted to create GPOs in the domain [instead of using the script
in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issue? Are there newer versions of the GPMC
scripts? [I have GPMC with SP1] 

Just to add to the strangeness of this issue, if I execute the same scripts
above but against a different domain (same service account) the 3rd party
app functions fine in that other domain :/

Any comments? 

Thanks, 
neil 
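Two concrete things come out of this thread: Darren's check (the account needs Create groupPolicyContainer on CN=Policies,CN=System and Change on the SYSVOL Policies folder) and Laura's alternative to Domain Admins membership (put the account into the default security descriptor of the groupPolicyContainer class, so every new GPO is created with it). The following is an added example, not code from the thread or from GPMC, that performs both checks and then shows the schema change as a dry run. It assumes the ActiveDirectory PowerShell module (RSAT), an account named xxx\sys-zzz as in Neil's post, and, for the schema write, Schema Admins rights against the schema master. The ACE string appended mirrors the Domain Admins entry in the shipped default.

```powershell
# Added example (not from the thread): verify Darren's two permissions for
# the service account, then show Laura's schema-default route as a dry run.
# Assumes RSAT's ActiveDirectory module and the account name xxx\sys-zzz.
Import-Module ActiveDirectory

$Account  = 'xxx\sys-zzz'
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$dnsName  = (Get-ADDomain).DNSRoot
$sid      = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

# schemaIDGUID of groupPolicyContainer: an object-specific CreateChild ACE
# must name this GUID (or be unrestricted) to cover GPO creation.
$gpcClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' `
    -Properties schemaIDGUID, defaultSecurityDescriptor
$gpcGuid  = New-Object System.Guid -ArgumentList (,[byte[]]$gpcClass.schemaIDGUID)

# 1. Create groupPolicyContainer on CN=Policies,CN=System. This looks only
#    at ACEs granted to the account itself, not to groups it belongs to.
$createChild  = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$policiesAcl  = Get-Acl -Path "AD:\CN=Policies,CN=System,$domainDN"
$canCreateGpc = [bool]($policiesAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcGuid)
})
"Create GPC on CN=Policies  : $canCreateGpc"

# 2. Change (Modify) on the SYSVOL Policies folder, where the GPT is written.
$modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$sysvolAcl = Get-Acl -Path "\\$dnsName\SYSVOL\$dnsName\Policies"
$canWriteSysvol = [bool]($sysvolAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    (($_.FileSystemRights -band $modify) -eq $modify)
})
"Modify on SYSVOL\Policies  : $canWriteSysvol"

# 3. Laura's route: the ACL stamped on each new GPC comes from the class's
#    defaultSecurityDescriptor (SDDL). Append a full-edit ACE for the account
#    if it is not already there. Appending at the end assumes the string has
#    no S: (SACL) part, which is how it ships.
$ace  = "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;$sid)"
$sddl = $gpcClass.defaultSecurityDescriptor
"Current default SD         : $sddl"
if ($sddl -notlike "*$sid*") {
    # -WhatIf makes this a dry run; drop it to apply. The schema default only
    # affects the AD object: the SYSVOL folder ACL is written by whichever
    # tool creates the GPO, so re-run check 2 on the first GPO created after
    # the change.
    Set-ADObject -Identity $gpcClass -Replace @{ defaultSecurityDescriptor = "$sddl$ace" } -WhatIf
}
```

Check 1 is the one that distinguishes Neil's two domains: if the SetGPOCreationPermissions.wsf run left no CreateChild ACE for the account on CN=Policies in the failing domain, that is the access-denied the tool reports. The schema change is forest-wide and permanent, so test it in a lab forest first.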


RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Laura A. Robinson
The watch thing happened to me until the East Coast blackout of 2003. I used
to have baskets of dead watches. Since the blackout, I've been able to wear
watches. They still die a lot faster than they do on other people if they're
battery-powered, but at least I can wear 'em now. I also beta tested a watch
for Timex (I kid you not; who knew they beta test watches, anyway?) that had
a battery that was supposed to be guaranteed to last three years. It made it
nine months on me, which is a personal record. 
 
I also have street light, um, issues. However, I have never been kidnapped
by aliens. Born of them, perhaps, but not kidnapped by any. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Guest
Sent: Monday, December 04, 2006 5:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs



Your father is probably mild...

 

http://amasci.com/weird/unusual/zap.html these guys (if you believe them)
have real problems.

 

Mike Guest
IT Solutions
HML
Padiham DDI: +44 (0)1282 682550 
Internal Extension: (61) 2550


   _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 01 December 2006 23:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 


Happens with my father and watches as well. The man cannot wear a watch
without it dying within weeks. But that's another story. If you can isolate
the symptoms to time of day or even the remote chance it's a bad ballast
(fluorescent lighting used to cause occasional problems with old CRTs), etc.
At least you can start to whittle things down a bit. But in this case it
sounds like RF overlap. Perhaps there is one mouse that is emitting too
strong a signal. 

I was a bit thrown this morning though when I thought I read that this was
happening with corded devices as well. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275


 


Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-04 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

We install the Kitchen Sink service too don't forget  ;-)

(wait until we start talking about the My Business OU...that's usually 
good for another freak out or two)


Laura A. Robinson wrote:

Small point- dcpromo creates those zones as mentioned in the original
question  *if* you have not configured DNS beforehand, *if* you tell dcpromo
to go ahead and do it for you, and *if* you're building the forest root
domain. If you have configured DNS beforehand, how the zones get created (as
stub zones, as subdomains, etc.) will depend on that preconfiguration. If
you're not building the forest root domain, the subdomain already exists and
dcpromo is just populating it.

I bring this up only because there are many companies that have existing DNS
infrastructures and it's important to know that default is not equivalent
to mandatory. It is not a requirement that the _msdcs zone be either a
separate zone or a subdomain in an existing zone, whether it's a stub or a
full zone, etc.

Of course, since we're talking SBS, all of this goes out the window (no pun
intended). SBS is its own freaky little animal.

Laura

  

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Hans Halbmayr

Sent: Monday, December 04, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _msdcs not propagated in AXFR

Usually dcpromo creates all these zones. Windows creates 
these zones in a forest partition. If you have a linux DNS 
server just create another slave zone of _msdcs.example.com. 
The gray one is only the delegation. 


Hans


- Original Message 
From: Michael B Allen [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Sent: Saturday, December 2, 2006 5:39:26 PM
Subject: Re: [ActiveDir] _msdcs not propagated in AXFR


Ok, so basically _msdcs is just a separate zone. Do Windows 
DNS setups usually do this? I'm using SBS.


I have a bind DNS server running on a linux machine with a 
slave zone for example.com. The AXFR doesn't have those 
records (aside from the NS record). So what you're saying is 
that I need to setup another slave zone for the _msdcs subdomain?


Mike

On Sat, 2 Dec 2006 03:02:22 -0800 (PST)
Hans Halbmayr [EMAIL PROTECTED] wrote:



Hi Mike,

the gray one is the delegation of the zone. The _msdcs is
a subdomain of your forest root. Because it is needed all
over the forest it is delegated.


Regards
Hans

- Original Message 
From: Michael B Allen [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Sent: Saturday, December 2, 2006 12:15:29 AM
Subject: Re: [ActiveDir] _msdcs not propagated in AXFR


I'm not sure I understand. In DNS admin I see two zones. One for
_msdcs.example.com with all the usual _msdcs records and one for
example.com which incidentally has an NS record for
_msdcs.example.com. The little folder thingy for this _msdcs is grey
which I guess signifies that it's some kind of link to the other zone?

So I understand why the _msdcs records other than the one NS record
are not transferring but I don't understand why the structure is split
into two zones and if I can/should do something about it.

Mike

On Fri, 1 Dec 2006 11:27:14 -0800
Akomolafe, Deji [EMAIL PROTECTED] wrote:

  

Seen this? http://support.microsoft.com/kb/817470


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services

www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Michael B Allen
Sent: Fri 12/1/2006 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _msdcs not propagated in AXFR


Does anyone know why the _msdcs records are not returned in an AXFR
DNS query? This means that slave zones will not have those records
and that software querying for a domain controller may not find one.


Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir@mail.activedir.org/




--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
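The practical consequence of Hans's and Laura's replies: a BIND slave of example.com carries only the delegation (the NS record for _msdcs.example.com), so DC locator lookups against that slave come back empty until it also holds a slave copy of the _msdcs zone, e.g. `zone "_msdcs.example.com" { type slave; masters { 10.0.0.5; }; file "slaves/_msdcs.example.com"; };` in named.conf, with zone transfers for that zone allowed to the slave on the Windows DNS server's Zone Transfers tab. The following is an added example, not code from the thread, that makes the gap visible by asking both servers for the same locator records and listing what the slave is missing. It uses Resolve-DnsName (the DnsClient module, Windows 8 / Server 2012 and later); the forest name and both server IPs are assumptions.

```powershell
# Added example (not from the thread): compare the DC locator SRV records
# served by the authoritative Windows DNS server with what the BIND slave
# returns. Forest name and IPs are assumptions.
$Forest     = 'example.com'
$WindowsDns = '10.0.0.5'    # DC running Windows DNS (authoritative)
$BindSlave  = '10.0.0.9'    # BIND server with the slave zone(s)

function Get-SrvTargets {
    # Returns "host:port" strings for an SRV name from one server; a lookup
    # failure (NXDOMAIN, referral only, timeout) becomes an empty set.
    param([string]$Name, [string]$Server)
    $r = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    @($r | Where-Object QueryType -eq 'SRV' | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port })
}

# The names a domain member resolves to find a DC, a GC and a KDC.
$locators = @(
    "_ldap._tcp.dc._msdcs.$Forest",
    "_ldap._tcp.gc._msdcs.$Forest",
    "_kerberos._tcp.dc._msdcs.$Forest"
)

foreach ($name in $locators) {
    $auth  = Get-SrvTargets -Name $name -Server $WindowsDns
    $slave = Get-SrvTargets -Name $name -Server $BindSlave
    [pscustomobject]@{
        Record         = $name
        OnWindowsDns   = $auth.Count
        OnBindSlave    = $slave.Count
        MissingOnSlave = ($auth | Where-Object { $slave -notcontains $_ }) -join ', '
    }
}

# What the parent-zone slave does have: the delegation (NS) for _msdcs.
# Everything beneath that name needs its own slave zone on the BIND server.
Resolve-DnsName -Name "_msdcs.$Forest" -Type NS -Server $BindSlave -DnsOnly
```

Before the second slave zone is added, OnBindSlave is 0 for every row; after adding it and reloading named, the rows should match and MissingOnSlave should be empty. If they still differ, check that the Windows DNS server allows transfers of _msdcs.example.com to the slave's IP, which is a separate setting from the transfer permission on example.com.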

RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Laura A. Robinson
KMS runs on Vista (now), will run on Longhorn when Longhorn is released, and
will also run on Win2K3 as soon as we finish making the Win2K3 install. :-) 

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, December 04, 2006 1:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS
 
 Nope, I've done it web based.  At the present time there are 
 two kinds of keycodes up on MVLS.. one that wants a KMS, the 
 other that will phone home to Redmond automatically.
 
 Have your MVLS folks request the other type of key is my 
 understanding how this will work for now.  The KMS type won't 
 be out until Longhorn.
 
 KMS activations will have to phone home to your servers twice a year.
 
 
 --
 Letting your vendors set your risk analysis these days?  
 http://www.threatcode.com
 
 If you are a SBSer and you don't subscribe to the SBS Blog... 
 man ... I will hunt you down...
 http://blogs.technet.com/sbs
 


RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-04 Thread Laura A. Robinson
Note to self: read all other responses before typing one of your own. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Monday, December 04, 2006 8:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting rights to 'Manage GPOs'


So why not change the default security in the schema so that your service
account is included?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 04, 2006 4:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting rights to 'Manage GPOs'


I'd prefer to grant the service the rights it *needs* rather than carte
blanche Domain Admins rights. However, as new GPOs are created, only the
default (Schema defined?) ACLs are applied, which includes DAs but will
*not* include my service account.
 
Back to the drawing board...
 
neil

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: 04 December 2006 04:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Granting rights to 'Manage GPOs'


You might want to set the account to have non-interactive rights, since I'm
assuming that it runs a service that actually handles all the changes - then
grant it membership within the Domain Admins group - that would fix the
issue once and for all, unless you've changed Domain Admins to not have the
ability to edit GPOs, though it's automatically granted every time a new GPO
is created, regardless of what permissions were before. 




On 11/25/06, Darren Mar-Elia HYPERLINK
mailto:[EMAIL PROTECTED][EMAIL PROTECTED] wrote: 

Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I
think the next step would be to check the perms on the various objects that
should get this right. Namely, the service account you're granting access to
should have the  Create GroupPolicyContainer right over the
cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies
folder, it should have Change rights over that container.

 

Darren

 

 

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out HYPERLINK
http://www.gpoguy.com/; \nwww.gpoguy.com-- the best source for GPO FAQs,
video training, tools and whitepapers. Also check out the HYPERLINK
http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bb
s_1/104-1133146-9411929?v=glancen=283155 \nWindows Group Policy Guide, the
definitive resource for Group Policy information. 

 

Group Policy Management solutions at HYPERLINK http://www.sdmsoftware.com/;
\nSDM Software

 

 

 

From: HYPERLINK mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED] [mailto:HYPERLINK
mailto:[EMAIL PROTECTED] \n
[EMAIL PROTECTED] On Behalf Of HYPERLINK
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: HYPERLINK mailto:ActiveDir@mail.activedir.org;
[EMAIL PROTECTED]
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

 

I am attempting to assign rights to a service account [sys-zzz], used by a
Group Policy Management tool (3rd party) so that the service account has the
necessary rights to 'manage' all GPOs in the domain.

Aside from app specific rights, I have assigned the following rights using
GPMC scripts [scripts shown below]: 

1. Create/edit GPO links at the root of the domain and all child containers 
cscript %programfiles%\gpmc\scripts\SetSOMPermissions.wsf xxx.yyy
xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain 
cscript %programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf
xxx\sys-zzz /Domain:xxx.yyy 

3. Edit, delete and mod security rights to all existing GPOs in the domain 
cscript %programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf
xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy 

 

To cut a long story short, step 2 does not appear to grant the required
'create' right [GP mgmt tool complains of an access denied issue].
However, if I manually (using GPMC) add the service account to the list of
objects permitted to create GPOs in the domain [instead of using the script
in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issues? Are there newer version of the GPMC
scripts? [I have GPMC with SP1] 

Just to add to the strangeness of this issue, if I execute the same scripts
above but against a different domain (same service account) the 3rd party
app functions fine in that other domain :/

Any comments? 

Thanks, 
neil 

PLEASE READ: The information contained in this email is confidential and 

intended for the named recipient(s) only. If you are not an intended 

recipient of this email please notify the sender immediately and delete your


copy from your system. You must not copy, distribute or take any further 

action in reliance on it. Email is not a secure method of communication and 

Nomura International plc ('NIplc') will not, to the extent permitted by law,



RE: [ActiveDir] _msdcs not propagated in AXFR

2006-12-04 Thread Laura A. Robinson
Please tell me that you're making that up. Otherwise I'll have to stab
myself in the eye with a fork. My Business 

Words fail me. :-)

Laura
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, December 04, 2006 9:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
 
 We install the Kitchen Sink service too don't forget  ;-)
 
 (wait until we start talking about the My Business 
 OU...that's usually good for another freak out or two)
 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
can you explain?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Which will have no effect on the ownership of the directory objects.
 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?


look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option 
in the default DCs GPO which is called: system objects: default owner for 
objects created by members of the administrators group
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD 
object?


We had a few user accounts that were deleted and then recreated and 
nobody will take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the 
event (yes I know it's an issue).
 
Is there a way to see who created the the user object?
 
 
Thanks, Mitch.
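Jorge's "look at the owner" and Mitch's rolled Security log are the two sources that remain once the creation event itself is gone. The following is an added example, not code from the thread, that reads the owner and whenCreated of each recreated account and then searches the Security log of every DC around that timestamp, since the creation event is logged only on the DC that handled the write. Event IDs are 624 (user account created) on Windows Server 2003, the platform in this thread, and 4720 on Windows Server 2008 and later; the script handles both message formats. It assumes the ActiveDirectory module and two example sAMAccountNames. As Laura notes, the "default owner" policy setting does not change who AD records as owner: an object created by a member of Domain Admins gets Domain Admins as owner, which is why an owner of Domain Admins or Administrators narrows the field without naming a person.

```powershell
# Added example (not from the thread): owner + creation time of recreated
# accounts, then the matching creation event on each DC. Account names are
# assumptions; the log may already have rolled, as it did in Mitch's case.
Import-Module ActiveDirectory

$Accounts = 'jdoe', 'asmith'
$dcs      = (Get-ADDomainController -Filter *).HostName

foreach ($sam in $Accounts) {
    $u = Get-ADUser -Identity $sam -Properties whenCreated, nTSecurityDescriptor
    # A recreated object does not inherit the deleted object's owner, so the
    # owner here is whoever recreated it (or Domain Admins if that was a DA).
    [pscustomobject]@{
        Account     = $sam
        WhenCreated = $u.whenCreated
        Owner       = $u.nTSecurityDescriptor.Owner
    }

    # Ten minutes either side of whenCreated is enough for clock skew and
    # keeps the remote log read short.
    foreach ($dc in $dcs) {
        Get-EventLog -ComputerName $dc -LogName Security `
            -After $u.whenCreated.AddMinutes(-10) -Before $u.whenCreated.AddMinutes(10) `
            -ErrorAction SilentlyContinue |
        Where-Object {
            (4720, 624 -contains $_.EventID) -and
            $_.Message -match "Account Name:\s+$([regex]::Escape($sam))\b"
        } |
        ForEach-Object {
            $m   = $_.Message
            $who = 'unparsed'
            # 4720: "Subject: Security ID: ... Account Name: <creator>"
            if ($m -match '(?s)Subject:\s*Security ID:\s*\S+\s*Account Name:\s*(\S+)') { $who = $Matches[1] }
            # 624: "Caller User Name: <creator>"
            elseif ($m -match 'Caller User Name:\s*(\S+)') { $who = $Matches[1] }
            [pscustomobject]@{
                DC        = $dc
                Time      = $_.TimeGenerated
                EventId   = $_.EventID
                Account   = $sam
                CreatedBy = $who
            }
        }
    }
}
```

If no DC returns a row, the event is gone and the owner is all that is left, which is Jorge's point. The same search with EventID 630 (Windows Server 2003) or 4726 (2008 and later) and the deleted account's name finds the deletion, if that part of the log survived.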



