RE: [ActiveDir] Vista GPO
Yes... * No more SYSVOL bloat as all Administrative Templates are stored in a central location * For domain environments a central store can be created so that ADMX/ADML files are NOT stored (which is the default) with EACH GPO (for both local and domain). * Results in less replication traffic for the SYSVOL and less storage is needed * This central store MUST created in ..\SYSVOL\Domain\Policies\PolicyDefinitions and is thus NOT available by default. (Create on the PDC FSMO!) * Can be used in EVERY domain environment (W2K/W2K3/W2K7/etc.) * Can ONLY be managed with the GPMC and GPO Editor from Vista and Longhorn * GPMC and GPO Editor will first try to use the central store and then the server's local store * Just Copy %WINDIR%\PolicyDefinitions to ..\SYSVOL\Domain\Policies and create your own language specific sub directories if needed (EN-US will be available by default) Cheers, jorge Met vriendelijke groeten / Kind regards, __ MVP Profile → https://mvp.support.microsoft.com/profile=f8c04f4a-bff2-453e-9aed-7dfedab0be10 MVP Home Site → https://mvp.support.microsoft.com/ MVP Overview → https://mvp.support.microsoft.com/mvpexecsum BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx __ -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Lu, WeiMing Sent: Friday, December 15, 2006 00:11 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO With Vista ADMX format, is it a better implementation to have central ADMX storage on the DCs? === Weiming Lu Emory College Computing Support (404)727-7917 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 5:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] LDAP query
hi, Does anyone know how to query active LDAP sessions on a Win 2003 Domain Controller. I need to know the functional users which are used to query the AD by application or unix systemsy Thanks in advance Thomas List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] OT: Vista Resource Monitor blank
Has anyone ever seen the resource monitor of Vista RTM blank with no CPU/Mem/Disk etc... details at all? Last night I noticed when I used resource monitor it didnt display anything. Task Manager showed activity as expected but not the resource monitor. I assumed it was possibly due to the machine waking up from sleep but couldn't repro it. Cheers M@ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] SMB Problems
Good Morning, I'm not sure I should be asking this here but here goes. We have a full Windows 2003 domain and almost all XP Professional workstations. I have a Ricoh Printer, Copier, Scanner on the Network that we use to Scan documents to each users system. During the last Month or so all but about 4 workstations have failed to allow scans to be created, the scanner does not give me any error messages. Each user is in the scanner address book with their Windows User ID and Password to access the own PC Directory. Does any on have a clue as to why some work and some do not. Thanks for any thoughts you may have. Bob Anderson IT Guy Kent Sporting Goods 433 Park Ave. S New London OH 44851 419-929-7021 x315 email: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Way OT: Laptop Battery Life
Easy enough to check - it'll be labeled on the back/bottom of the battery what type it is... --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, December 13, 2006 12:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life Whatever they give me must not be Lithium then. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Tuesday, December 12, 2006 11:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life Lithium batteries are resilient to the charge/discharge issues associated with earlier batteries. Generally, you want to replace batteries after about 18 months, because that's when depreciation sets in. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Brian Desmond Sent: Tue 12/12/2006 7:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life I have this model too. Kill the Wifi and Bluetooth for starters. Wifi is Fn+F2 I think. Next, get a media bay battery from Dell - it can give you several (up to 4) more hours in my experience. I go through batteries pretty quickly - I think I killed the media bay battery (or at met its half life) in about 6 months. A combination of desk work and being mobile does this because of the uneven discharge/charge cycles. You can either be real meticulous about taking care of the batteries or start hitting your IT department up for new ones. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, December 12, 2006 10:33 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Way OT: Laptop Battery Life Hi - When I travel with my standard issue Dell D600 (1.5GB RAM), I get maybe two hours out of a fully charged battery while doing standard Word, Excel, Outlook stuff. Throw in Visio or (ugh) Quickbooks and cut that time in half. Sometimes, I try to disable services that I know I will not need on the plane (does antivirus really need to autoprotect on the plane?), but I can't tell you that this actually gives me any more battery. Any recommendations for battery-life extending tricks, tools, services to disable, etc? Greatly appreciated as I head across the country for the late December boogie. Thanks. -- nme -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.409 / Virus Database: 268.15.16/582 - Release Date: 12/11/2006 ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Way OT: Laptop Battery Life
Originally you posted that Visio and Quickbooks cut your battery life in half. With Quickbooks it's probably constantly recalculating whenever you do things, and Visio is pretty CPU-intensive if you have drawings that are extensive at all. By contrast, other Office programs are practically idle while using them (unless you're doing major linking, charting, or large document reformatting with graphics). It's a guess, but I imagine the processing involved is the difference in battery life. Leaving a CD/DVD in the drive can be a drain if you keep spinning it up from looking in My Computer (Windows kindly spins it up to read it again each time), and PCMCIA cards are a big drain too, from what I've read. As far as letting it sleep and then waking it up... XP seemed to drain faster than usual when it did a lot of sleeping/waking - maybe processing involved on this too? Vista doesn't seem to have the same effect on it though - but the laptop I was using with Vista was a pretty new one so... (Latitude D620) --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- ”I love the smell of red herrings in the morning” - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp) Sent: Wednesday, December 13, 2006 12:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life The IBM T-series laptops that we use here have a battery mode that slows down the processor speed, resulting in less power consumption by the processor and less heat generated (resulting in the cooling fan cycling on and off less). Noah, if I am reading your question correctly, you are asking if spinning the disk up to speed draws significant current, and if you are constantly stopping and then re-starting the spin on the disk platter constantly does this negate the power savings of having the disk power down in the first place? As an engineer, the answer is: it depends. If the power-down/power-up cycle is sufficiently short (you're always waking the unit back up) then the answer is YES. If there are significant periods of time between sleeping and waking the machine, the answer is NO. I'd actually have to measure current draw from the platter motor to tell you what the cycle time would be. Having said that, I can tell you from experience with other dynamic systems that sometimes just leaving it run is the most advantageous/economical! Anybody else have the same conclusion? I am NOT a hard drive designer... Everybody, all of your suggestions are spot on. Especially the Network adapter and the WiFi... Steve Egan (temp) Systems/Network engineer Purcell Systems -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Wednesday, December 13, 2006 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life So your last part about disk. Does waking up from those screen and hdd settings have a negative impact on battery? That is, if you are continually giggling the track pad to wake it up, is that worse than just leaving it run for a bit? Similarly, does coming out of Sleep hit the battery? Dell put out a document about battery life. The single biggest factor was screen. Next (I think) was network adapters. What about services? Are there services to disable to improve battery run time? -- nme -Original Message- From: Williams, Chris [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 13, 2006 6:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life The Dell D600 and D610 have a network adaptor power setting where you can tell it to disable a network adaptor if it is not live when on battery, this may help extend your battery life a bit more. We use both these models and even using the internal wireless card we still get 3.5 to 4 hours out of a battery. Our power settings are wound right down so for example the screen powers off after 1min, HDD after 5min etc. Regards -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: 13 December 2006 08:32 To: ActiveDir.org Subject: Re: [ActiveDir] Way OT: Laptop Battery Life I also read a blog this week that Vista's default Wifi configuration is set in such a way that if the wifi hotspots don't support this Vista mode - it will drain the battery pretty quick. This leads me to ask do you have any power draining features turned on or inserted? Powersave set on Disk, screen, do you have an external mouse or PCMCIA/Express cards? Regards, Mark Parris Base IT Ltd Active Directory Consultancy Tel +44(0)7801
RE: [ActiveDir] Vista GPO
You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Vista GPO
There was a hotfix for that - they lengthened some string or something in the adm file format if I remember right. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar- Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ:
Re: [ActiveDir] SMB Problems
SMB signing enabled? If it's not a newer one, they can't communicate over SMB with the require SMB signing on. In August of this year there was a patch that came down that adjusted the default SMB signing behavior and it was in the optional section and on WSUS. Was that installed perhaps? http://msinfluentials.com/blogs/jesper/archive/2006/08/24/SMB-Message-Signing-Troubles_3F00_.aspx Bob Anderson wrote: Good Morning, I'm not sure I should be asking this here but here goes. We have a full Windows 2003 domain and almost all XP Professional workstations. I have a Ricoh Printer, Copier, Scanner on the Network that we use to Scan documents to each users system. During the last Month or so all but about 4 workstations have failed to allow scans to be created, the scanner does not give me any error messages. Each user is in the scanner address book with their Windows User ID and Password to access the own PC Directory. Does any on have a clue as to why some work and some do not. Thanks for any thoughts you may have. Bob Anderson IT Guy Kent Sporting Goods 433 Park Ave. S New London OH 44851 419-929-7021 x315 email: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] Vista GPO
Yup. I think it finally WU'd down didn't it? Brian Desmond wrote: There was a hotfix for that - they lengthened some string or something in the adm file format if I remember right. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar- Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:
RE: [ActiveDir] Vista GPO
This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO Founder www.sdmsoftware.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal
RE: [ActiveDir] Vista GPO
Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO Founder www.sdmsoftware.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:
RE: [ActiveDir] Vista GPO
I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO Founder www.sdmsoftware.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006
RE: [ActiveDir] Vista GPO
People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO Founder www.sdmsoftware.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous
RE: [ActiveDir] Vista GPO
So Microsoft should encourage their bad practices? Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO Founder www.sdmsoftware.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't
RE: [ActiveDir] Vista GPO
Come on Deji-its exactly the same, else why in the world do we upgrade perfectly good IT systems? J Folks can manage their GP from DCs when Longhorn ships. Until then, its Vista. Also, it would fairly trivial, if not time-consuming, to convert all those ADMXs in Vista back to ADMs. There is nothing technically preventing that. But, it is not trivial to back-port the other new Vista functionality, like published printers, wired policy, the new IPSec and Firewall stuff, back to older versions. You wouldn't need to back-port all of it-just enough to support GP Editing, but still, it's a lot of work and MS, like most other software companies, probably needs to make the hard call about where to put dev and testing resources. I agree that its not ideal, but I don't think having to manage GP from Vista for the intervening space of time until Longhorn ships is a terrible thing. It will probably take most orgs that much time to decide when to go to Vista anyway. And for the aggressive ones, Vista is not a bad choice for a management platform. I think the benefits of the central store and other improvements outweigh the medium term inconvenience. I am curious, however, what others think. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once
[ActiveDir] Can't validate trust
In a small R D setup of one group, having two domains and two way trust between them. xyz (win2k3) and abc.com (win2k) While verifying a trust from xyz PDC, we got error that, domain controller can't make a RPC call to PDC of domain abc.com. And in network trace of it, it gives a SMB errors as STATUS_CANNOT_IMPERSONATE Has anyone seen this error? We verified that, 1) DNS is working for both domains. 2) SMB signing parameters are matching. 3) Lmcompatibilitylevel registry key is matching. 4) restrictanonymous is set to 0 (just as a precaution) -- Kamlesh ~ You teach best what you most need to learn. ~
RE: [ActiveDir] Vista GPO
I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren
Re: [ActiveDir] Vista GPO
Bad for whom? Down here where the bar is low for best practices in the first place the var/vap comes in and has to kick the owner off of his shiny new OEM Vista box and borrow it to set up the group policy firewall settings for it, or other settings that the managed services partner may want to do. When I'm doing group policy stuff... I'm up on that GPMC that is automagically installed on that SBS box and I'm in a group policy frame of mind. I could manage GPOs from my desktop but I just don't... I RDP into the server. What you guys should think of is burning in a VCD (virtual) Vista image that is pre-staged to be nothing but a Group policy management tool? (stupid idea?) Laura A. Robinson wrote: So Microsoft should encourage their bad practices? Laura *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji *Sent:* Friday, December 15, 2006 12:39 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com - we know IT *-5.75, -3.23* Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon *From:* Darren Mar-Elia *Sent:* Fri 12/15/2006 9:18 AM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL.
RE: [ActiveDir] Vista GPO
They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO Founder www.sdmsoftware.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for
RE: [ActiveDir] Vista GPO
I'm sure that you are aware that LH is still many years away from significant adoption. We will see several intervening years between LH release and its reaching the mainstream. In the meantime, Vista would have become the de-facto desktop OS in place of XP (yes, I can dream). So, between now, then and when-ever, people will be needlessly handicapped in their ADM/ADMX decision making. I foresee a lot of gnashing of the teeth, more gripping, beaucoup evil M$ rants, and other heart-burn-inducing misunderstandings. Nobody said it would be non-trivial. If it were, people like me will not need people like you. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 10:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Come on Deji-its exactly the same, else why in the world do we upgrade perfectly good IT systems? J Folks can manage their GP from DCs when Longhorn ships. Until then, its Vista. Also, it would fairly trivial, if not time-consuming, to convert all those ADMXs in Vista back to ADMs. There is nothing technically preventing that. But, it is not trivial to back-port the other new Vista functionality, like published printers, wired policy, the new IPSec and Firewall stuff, back to older versions. You wouldn't need to back-port all of it-just enough to support GP Editing, but still, it's a lot of work and MS, like most other software companies, probably needs to make the hard call about where to put dev and testing resources. I agree that its not ideal, but I don't think having to manage GP from Vista for the intervening space of time until Longhorn ships is a terrible thing. It will probably take most orgs that much time to decide when to go to Vista anyway. And for the aggressive ones, Vista is not a bad choice for a management platform. I think the benefits of the central store and other improvements outweigh the medium term inconvenience. I am curious, however, what others think. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get
RE: [ActiveDir] OT: Replicating Print Queues To Multiple (40+) Servers via Script or Software?
Yes, it workes in some cases. One of the issues that it has is some of the servers are setup with a c:\ as the root, and the citrix are setup with M:\ as the root. When Print Migrator creates it's cab file, it is hardcoded with the root drive letter. For the most part the print drivers don't change all that often, the new LPR printer ports and the queues change fairly often. I would think that some kind of scheduled/realtime registry replicator might solve a lot of the issue.It would really help if the developers could fix the printing issue so that all we would need is a single print server instead of the rediculous number of print servers that I have now. (Somewhere in the neighborhood of 600 with some as high as 400 queues on each) I really hate printers, Andy - Original Message - From: Blair, James [EMAIL PROTECTED] Date: Thursday, December 14, 2006 6:29 pm Subject: RE: [ActiveDir] OT: Replicating Print Queues To Multiple (40+) Servers via Script or Software? Andrew, Have you had a look at Print Migrator 3 from Microsoft? This utility backs up the printers, drivers, ports etc. and restores them to alternate server/s: http://www.microsoft.com/downloads/details.aspx?FamilyID=D6915F13- EDE4-4 708-83C1-0091EEADE293displaylang=en James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, 15 December 2006 9:21 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Replicating Print Queues To Multiple (40+) Servers via Script or Software? Due to a restriction from the application, every print queue must resideon each Citrix server as an LPR print queue. I have in some cases 60 replicas of the print queue across 60 servers. Another question, is there a util that will create LPR printer ports? I can't seem to find one. Andrew - Original Message - From: Kevin Brunson [EMAIL PROTECTED] Date: Thursday, December 14, 2006 4:49 pm Subject: RE: [ActiveDir] OT: Replicating Print Queues To Multiple (40+)Servers via Script of Software? What about using the built-in Citrix printer tools? Are you talking about copying the printer drivers, or actually publishing printers? If you are talking about printer drivers so that remote printing works,then the Citrix Console can do all that. Put the driver on one, and tell it that the rest of the servers need the driver too. If you are saying you want to set up 40 network printers on 40 servers,then I would say you need some servers specifically set up as print servers, and then you can set users to connect to the shared printers automatically. Can you give us some more info on what exactly you are trying to do? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, December 14, 2006 3:27 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Replicating Print Queues To Multiple (40+) Servers via Script of Software? Does anyone know of any software or script that you would like to sharethat performs this? I have between 20 and 60 citrix servers per client, each printer is published on each server. When a change or addition is made to one server, all of the others have to change as well. Print Migrator is a way, but very much a pain to use. Thanks in advance, Andrew List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail- archive.com/activedir@mail.activedir.org/List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail- archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail- archive.com/activedir@mail.activedir.org/ Note: This email, including any attachments, is confidential. If you have received this email in error, please advise the sender and delete it and all copies of it from your system. If you are not the intended recipient of this email, you must not use, print, distribute, copy or disclose its content to anyone. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail- archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Vista GPO
And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I
RE: [ActiveDir] Vista GPO
Tim, it is the height of professional arrogance to think that anyone who don't/can't/won't do things the way you think they should be done (best practices) are lazy and uninformed. I know you said that it is just your opinion, and, if I were like you, I would hazard that it is a misinformed opinion. But I won't. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Tim Vander Kooi Sent: Fri 12/15/2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they
Re: [ActiveDir] Vista GPO
And SBS's version of "fill in the blank" always lags behind the big guys (we let you bleed first so we don't have to :-) We're 64bit only or bust in the Longhorn era. That means for us to have a Longhorn GP'er... we're migratin' the Kitchen sink to run on faster hardware (the water will run that much faster... just think of it) Akomolafe, Deji wrote: I'm sure that you are aware that LH is still many years away from significant adoption. We will see several intervening years between LH release and its reaching the mainstream. In the meantime, Vista would have become the de-facto desktop OS in place of XP (yes, I can dream). So, between now, then and when-ever, people will be needlessly handicapped in their ADM/ADMX decision making. I foresee a lot of gnashing of the teeth, more gripping, beaucoup "evil M$" rants, and other heart-burn-inducing misunderstandings. Nobody said it would be non-trivial. If it were, people like me will not need people like you. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com- we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 10:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Come on Dejiits exactly the same, else why in the world do we upgrade perfectly good IT systems? J Folks can manage their GP from DCs when Longhorn ships. Until then, its Vista. Also, it would fairly trivial, if not time-consuming, to convert all those ADMXs in Vista back to ADMs. There is nothing technically preventing that. But, it is not trivial to back-port the other new Vista functionality, like published printers, wired policy, the new IPSec and Firewall stuff, back to older versions. You wouldnt need to back-port all of itjust enough to support GP Editing, but still, its a lot of work and MS, like most other software companies, probably needs to make the hard call about where to put dev and testing resources. I agree that its not ideal, but I dont think having to manage GP from Vista for the intervening space of time until Longhorn ships is a terrible thing. It will probably take most orgs that much time to decide when to go to Vista anyway. And for the aggressive ones, Vista is not a bad choice for a management platform. I think the benefits of the central store and other improvements outweigh the medium term inconvenience. I am curious, however, what others think. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the "ideal" is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com- we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice
RE: [ActiveDir] Vista GPO
Well said. But while you're at it, could you let someone know that I very upset that I can't manage my Vista GPOs from my Windows ME PC. Thanks much. ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 1:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Vista GPO
BTW, I would disagree with your assessment of Microsoft's customer base. I work in Microsoft's largest district, with our largest customers, and I find them far from clueless. I also find very few clueless folks writing us checks that add up to those billions in the vault. Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not among my customers, anyway. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to
RE: [ActiveDir] Vista GPO
Know your audience. Know your customers. Know your consumers. I can't speak to whether or not you pi$$ off your employer, but I can name a few of your colleagues in the trenches (because I run into them every now and then) who will be more than glad to tell you that there are more that go into a client's administrative decision making, technology adoption, PO approval, etc, than best practices. I will not speak to the security hole boogey-man that you are floating because I don't think you want us veering into that arena. Imagine what it would sound like if we start saying that MS is not making AMDX administration available on non-Vista/LH platform because of security issues. No, you don't want that. So, what you are left with is nothing but Best Practices. You want to draw a line because it is the sensible thing to do. Well, my logic is that a lot of things make sense in my head and in my labs. They just don't translate well in the real brick and mortar life out there. People are going to administer their GPOs from their servers for any number of reasons. These same people will NOT install LH until RTM+x number of years. These people are the ones paying my bills. They are the ones paying yours. Unless you are actually making the case that MS is aware of some technical inhibitions to making ADMX administrable from legacy OSes, there is no compelling reason why MS should not factor in HOW its customers uses its products/technologies when decisions as to whether or not to make something available. It is this unwillingness/reluctance to relate to the real-word and to insist on a set of prescriptive mandates that continue to hurt MS in many places. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 11:26 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :)
RE: [ActiveDir] Vista GPO
Since many of us are in the habit of expressing various opinions, perhaps we should refrain from characterizing those with which we disagree as the height of professional arrogance and misinformed. See, if we start doing that, I might express the opinion that referring to Microsoft's customers as clueless and insisting that Microsoft should accommodate cluelessness at the expense of new product development, security and code review (which is exactly what the expense is to devote resources to doing nothing but backporting new features) is the height of professional inexperience, myopia and lack of exposure to sophisticated IT environments. But I won't. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 2:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Tim, it is the height of professional arrogance to think that anyone who don't/can't/won't do things the way you think they should be done (best practices) are lazy and uninformed. I know you said that it is just your opinion, and, if I were like you, I would hazard that it is a misinformed opinion. But I won't. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Tim Vander Kooi Sent: Fri 12/15/2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO They won’t do it if Microsoft makes it so they CAN’T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http:/www.akomolafe.com \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland
[ActiveDir] OT: help with running a scheduled job
We are trying to get a particular account to run a scheduled backup job on a server. Our results are puzzling. Here are the particulars: 2003 R2 standard server Domain account, non privileged, doesn't belong to domain users Added to local backup operators group Trying to run a system state backup job through a scheduled batch (.bat) file File permissions appear to be ok in file system where batch file is located. Results: When run from a remote scheduled tasks/run (without the user logged into the server): a scheduled job with the user's credentials specifying an ipconfig command works. a scheduled job with the user's credentials specifying notepad.exe works. a scheduled job with the user's credentials calling a batch file (.bat) which runs ntbackup.exe FAILS with (from SchedLgU.txt): test.job (simple.bat) 12/13/2006 5:50:08 PM ** ERROR ** Unable to start task. The specific error is: 0x80070005: Access is denied. Try using the Task page Browse button to locate the application. All the jobs run successfully from a remote scheduled tasks/run environment if the user is in the local administrators group. When the user is only in the local Backup Operators group, all the jobs run successfully from a remote scheduled tasks/run environment when this account is logged into the server/console! They can also be run successfully locally by the user. Note this same user got an Access is denied previously. We checked through the local security policy thinking it could be related to User Rights assignments or Security Options but did not see anything there. I think we're missing something really simple here, but it's eluding us. Any thoughts are appreciated. Mike Thommes
RE: [ActiveDir] Vista GPO
I would say you do server things on the server with your admin ID and do user stuff on your workstation with your workstation ID, so doing GP editing on the workstation isn't best practice, but that's my point of view =) Thanks, Andrew Fidel Tim Vander Kooi [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/15/2006 01:53 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Vista GPO They won?t do it if Microsoft makes it so they CAN?T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO Founder www.sdmsoftware.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a
RE: [ActiveDir] Vista GPO
Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like their checks? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 12:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO BTW, I would disagree with your assessment of Microsoft's customer base. I work in Microsoft's largest district, with our largest customers, and I find them far from clueless. I also find very few clueless folks writing us checks that add up to those billions in the vault. Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not among my customers, anyway. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /)
RE: [ActiveDir] Vista GPO
Then we can agree to disagree. Personally I don't believe that it is arrogant to say that there is a right way and wrong way in some instances, if it is true. In this case I believe it is. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Tim, it is the height of professional arrogance to think that anyone who don't/can't/won't do things the way you think they should be done (best practices) are lazy and uninformed. I know you said that it is just your opinion, and, if I were like you, I would hazard that it is a misinformed opinion. But I won't. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Tim Vander Kooi Sent: Fri 12/15/2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with
RE: [ActiveDir] OT: Vista Resource Monitor blank
Are you referring to Performance Monitor? If so, that's normal. You have to pick the objects and counters that you want to watch. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe Sent: Friday, December 15, 2006 5:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Vista Resource Monitor blank Has anyone ever seen the resource monitor of Vista RTM blank with no CPU/Mem/Disk etc... details at all? Last night I noticed when I used resource monitor it didnt display anything. Task Manager showed activity as expected but not the resource monitor. I assumed it was possibly due to the machine waking up from sleep but couldn't repro it. Cheers M@ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.18/586 - Release Date: 12/13/2006 6:13 PM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Vista GPO
We're releasing the Vista management tools for Windows ME at the same time that we release them for Microsoft Bob, IIRC. ;-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: Friday, December 15, 2006 3:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Well said. But while you’re at it, could you let someone know that I very upset that I can’t manage my Vista GPOs from my Windows ME PC. Thanks much. ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 1:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http:/www.akomolafe.com \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http:/www.akomolafe.com \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and
[ActiveDir] DesktopStandard
Does anyone have any new info on when MS will update the Desktopstandard product to work with Windows Vista? Thanks Nathan List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Vista GPO
Again, you are projecting. I don't call MS customers clueless. Why? Because I don't believe they are. Now, will I sometimes call some MS people arrogant? It depends. Will I take offence if someone thinks I lack exposure to sophisticated IT environments? No, Never. Why? Probably because I move around a lot in the real world, and sophisticated IT environments are very hard to come by. I've read and heard that there are plenty of them in silos. I just haven't seen enough of them to convince me that they come close to the number unevolved IT environments I deal with on regular basis. Come to think of it, I have a bunch of MS technical and marketing materials that speak to how much technical, financial and marketing effort MS is going to expend this year and next getting a whopping 60% of its customer-base to the Rationalized stage of optimization. Mind you, they are not shooting for Dynamic. Certainly not Sophisticated. So, yeah, there are more of us than there are of you out there, so you better start factoring us in when you make decisions that affect how we do things. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 1:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Since many of us are in the habit of expressing various opinions, perhaps we should refrain from characterizing those with which we disagree as the height of professional arrogance and misinformed. See, if we start doing that, I might express the opinion that referring to Microsoft's customers as clueless and insisting that Microsoft should accommodate cluelessness at the expense of new product development, security and code review (which is exactly what the expense is to devote resources to doing nothing but backporting new features) is the height of professional inexperience, myopia and lack of exposure to sophisticated IT environments. But I won't. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 2:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Tim, it is the height of professional arrogance to think that anyone who don't/can't/won't do things the way you think they should be done (best practices) are lazy and uninformed. I know you said that it is just your opinion, and, if I were like you, I would hazard that it is a misinformed opinion. But I won't. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Tim Vander Kooi Sent: Fri 12/15/2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From:
RE: [ActiveDir] Vista GPO
I suspect this thread is creeping ever-so-close to the heralded beaten-to-death status, but let me add a line of thought here that I alluded to earlier. Deji, as I mentioned, there is nothing technically hard in allowing 2003 or XP systems to edit Administrative Template policy for Vista machines. The ADMX is, in simplified terms, ADM in XML. So, if enough people wanted it, I or someone could probably write a parser that would take all the ADMXs and convert them back to ADM and Microsoft wouldn't have to do a thing about it, because ADMs are just ADMs. However, let's say I did that. Vista doesn't just add new Administrative Template settings. It also adds new Client Side Extensions built on new OS capabilities. So, backporting ADMXs only now suddenly makes administration of Group Policy more complex (regardless of where you do it), because now you've got GPOs that are meant for XP and 2003 being administered from those platforms, you've got GPOs meant for Vista, administered from Vista and showing all the new functionality and then GPOs with some Vista functionality (i.e backported ADMXs) but not all administered from downlevel platforms . I hope you would agree, that this would be extremely confusing. Ok, so now lets take the next logical and say to Microsoft, hey Microsoft, you need to backport all that new Vista GP stuff to XP and 2003 because we want to manage it from there. Well, a lot of that new functionality in GP is built on core OS components that don't exist or are updated for Vista. So now, instead of just backporting a bunch of XML files, you've also got to backport those Client Side Extensions and the core OS functionality they are dependent upon. So now, instead of Vista shipping in November of 2006, it gets pushed to 2010, because, hey, Group Policy isn't the only area that wants the new stuff on the old platforms, so does XYZ feature. And suddenly, we all get angry at MS for never shipping their stuff they keep promising. I would submit that this is just a hard one to please everyone with, and they are taking the best possible approach to be able to ship a new OS to the umpteen-million people that use it. I am very cognizant of the fact folks like Susan supports in the SBS world, or just regular customers sometimes don't do things optimally. And, they will absolutely have to deal with this issue and likely many others as Vista gets deployed. I think the best thing we, as technology professionals in our various expertises, can do is to help folks understand what the best practices are and explain to them what happens when they don't follow those, so at least they know what to expect. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 1:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Since many of us are in the habit of expressing various opinions, perhaps we should refrain from characterizing those with which we disagree as the height of professional arrogance and misinformed. See, if we start doing that, I might express the opinion that referring to Microsoft's customers as clueless and insisting that Microsoft should accommodate cluelessness at the expense of new product development, security and code review (which is exactly what the expense is to devote resources to doing nothing but backporting new features) is the height of professional inexperience, myopia and lack of exposure to sophisticated IT environments. But I won't. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 2:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Tim, it is the height of professional arrogance to think that anyone who don't/can't/won't do things the way you think they should be done (best practices) are lazy and uninformed. I know you said that it is just your opinion, and, if I were like you, I would hazard that it is a misinformed opinion. But I won't. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Tim Vander Kooi Sent: Fri 12/15/2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
RE: [ActiveDir] Vista GPO
Deji, One of my other posts on this subject is working its way through the server as I write this one, but let me give you a bit of my perspective, if I may. I am in a customer-facing technical role. Every day, I interact with some of the largest companies in the world. I am responsible for serving 300 exclusively enterprise-level accounts. With those customers, I have discussions about every aspect of their technical decision-making, including but not limited to business drivers, business hurdles, pain points, budgetary concerns, licensing decisions, design and implementation guidance, rollout schedules, political infighting, technical bias, refresh cycles, rack space, disaster recovery plans, OEM relationships, cross-vendor interoperability, you name it. I speak with my colleagues in the trenches for a living. And here are some of my *personal* observations that result directly from those conversations, as well as the conversations I had in the years that I dealt with or worked for those very same companies before I took the position in which I am now employed: 1. I have not heard a single of my customers complain that it is unreasonable for them to have a Vista machine in their environment from which to edit Vista GPOs. Not one. Have I heard them express concern about having to have a Vista machine as an activation server? Yes, and that's probably why Microsoft is releasing an update for Win2K3 to allow it to be a KMS host. Again, however, NOT ONE customer has said to me that being asked to use a Vista machine to edit Vista GPOs is an unreasonable requirement or something that they see as a mandate from Microsoft. If Microsoft has enough customers requesting that Vista GPOs be editable from a Windows Server 2003 machine, and if it is technologically feasible, then I would guess that Microsoft will almost certainly pull developers off of other tasks to make that happen. Perhaps those other tasks could be things such as reviewing Longhorn code or writing new code and features, which means more delay in those things, but I know from experience that if customers really can't function without Microsoft making some kind of backporting decision happen, then Microsoft makes it happen. 2. Not only do customers use the prescriptive guidance (which are not mandates, or they'd be called mandatory), but customers *request* those guides, sometimes even withholding from rolling out a product until a prescriptive guide has been released. It is all we can do to keep up with customer requests for prescriptive guidance for Microsoft's product offerings. So while you personally may find Microsoft's prescriptive guidance unwelcome, unnecessary or somehow draconian, that opinion is the polar opposite of what I hear from customers every day. 3. The subject of best practices comes up in nearly every discussion I have with customers, and it is always in the context of the customer requesting that we tell them what we consider best practices. Every day, I am awed by some of our customers' IT infrastructures and the tremendous amount of planning, regulation, and yes, adherence to best practice that is part of what they mandate for their companies. Not us. Them. The SEC. The EU. HIPAA regulations. But not Microsoft. To the best of my knowledge, Microsoft is not in the business of mandating. However, I cannot name a single customer with which I deal that does not attempt to implement and comply with best practices whenever and wherever possible. Now, I don't know if you and I are meeting different types of Microsoft customers, but given that you referred to clueless customers and I have yet to characterize one of my customers in that fashion either privately or publicly, I'm going to assume that perhaps we deal in different markets. I will certainly accede to the possibility that your customers might not be as large or as technologically sophisticated as the ones with which I interact, and perhaps for them it is an onerous proposition that they be asked to use a Vista machine to edit Vista policies, or that they consider undertaking best practices in their infrastructures. If that is the case, then I encourage you to encourage your customers to speak to their Microsoft representatives about these concerns, because I do know that Redmond listens to feedback they receive from their customers- more than most people realize, I'd wager. Additionally, I want to make something very clear- I did not at any time state that making ADMX administration available on non-Vista/LH was because of security issues, and I do not care for the implication that I did. As an MVP, you well know that sometimes, for various reasons, people cannot make public statements regarding futures in technology. It is not my place to state here why or why not ADMX editing is/will be/won't be available from pre-Vista platforms, and when I am not sure whether or not something has become public knowledge about our products, I try to err on the side of
RE: [ActiveDir] Vista GPO
Deji, I've had enough of you attributing statements to me that I have not made, and therefore I am finished with this conversation. Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 4:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like their checks? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Laura A. Robinson Sent: Fri 12/15/2006 12:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO BTW, I would disagree with your assessment of Microsoft's customer base. I work in Microsoft's largest district, with our largest customers, and I find them far from clueless. I also find very few clueless folks writing us checks that add up to those billions in the vault. Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not among my customers, anyway. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services HYPERLINK x-excid://3277/uri:http://www.akomolafe.com; \nwww.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _ From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are
RE: [ActiveDir] Vista GPO
With Vista I would argue that that practice changes. You would now do all things from your workstation with admin privileges if necessary. But I don't log directly onto the server for anything other than loading updates. I must admit that I'm not at all happy that for the time being you can't run the ESM from Vista, so that is no longer completely true. But for things like running ADUC and GPMC which are usually done by different people through delegation you don't want them being done directly on the server, it would be a big security risk. Even if you are a 1 man shop I would make the same argument, because it makes it much easier for whoever replaces you someday to step in and take over. And let's face it, we'll all be replaced someday. Using GPMC from the workstation is best practice, just not the only practice. The fact that Microsoft made sure to have GPMC running on Vista before it was released points to that. Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, December 15, 2006 3:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I would say you do server things on the server with your admin ID and do user stuff on your workstation with your workstation ID, so doing GP editing on the workstation isn't best practice, but that's my point of view =) Thanks, Andrew Fidel Tim Vander Kooi [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/15/2006 01:53 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Vista GPO They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning -
RE: [ActiveDir] OT: help with running a scheduled job
I think the default permissions of the CMD.exe file are getting you, read the KB enclosed. As I recall permissions allow RX for the interactive special group which is why it worked if you're signed in at the console. On our servers where we have ordinary users executing batch jobs I've setup a local group to grant read and execute. http://support.microsoft.com/kb/867466 Mike From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, December 15, 2006 4:31 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: help with running a scheduled job We are trying to get a particular account to run a scheduled backup job on a server. Our results are puzzling. Here are the particulars: 2003 R2 standard server Domain account, non privileged, doesn't belong to domain users Added to local backup operators group Trying to run a system state backup job through a scheduled batch (.bat) file File permissions appear to be ok in file system where batch file is located. Results: When run from a remote scheduled tasks/run (without the user logged into the server): a scheduled job with the user's credentials specifying an ipconfig command works. a scheduled job with the user's credentials specifying notepad.exe works. a scheduled job with the user's credentials calling a batch file (.bat) which runs ntbackup.exe FAILS with (from SchedLgU.txt): test.job (simple.bat) 12/13/2006 5:50:08 PM ** ERROR ** Unable to start task. The specific error is: 0x80070005: Access is denied. Try using the Task page Browse button to locate the application. All the jobs run successfully from a remote scheduled tasks/run environment if the user is in the local administrators group. When the user is only in the local Backup Operators group, all the jobs run successfully from a remote scheduled tasks/run environment when this account is logged into the server/console! They can also be run successfully locally by the user. Note this same user got an Access is denied previously. We checked through the local security policy thinking it could be related to User Rights assignments or Security Options but did not see anything there. I think we're missing something really simple here, but it's eluding us. Any thoughts are appreciated. Mike Thommes
RE: [ActiveDir] Vista GPO
Excellent. I can't wait. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 4:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO We're releasing the Vista management tools for Windows ME at the same time that we release them for Microsoft Bob, IIRC. ;-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: Friday, December 15, 2006 3:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Well said. But while you're at it, could you let someone know that I very upset that I can't manage my Vista GPOs from my Windows ME PC. Thanks much. ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 1:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say...pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http:/www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Laura A. Robinson Sent: Fri 12/15/2006 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO So Microsoft should encourage their bad practices? Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 12:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from
[ActiveDir] AD admin tool for Vista
Does anyone know when Microsoft will release Adminpak for Vista? The following link is the only solution now? I followed the instruction, and was able to snap in to MMC, but all AD objects become not-recognizable icon. Thanks. http://www.petri.co.il/running_win_2003_adminpak_on_vista_rtm.htm
RE: [ActiveDir] DesktopStandard
GPO Vault Enterprise (to be called Microsoft Advanced Group Policy Management) will be part of the Microsoft Desktop Optimization Pack for SA is slated for release in Spring/Summer of 2007. The Policy Maker Standard Edition and Share Manager tools are targeted for a subsequent release. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Friday, December 15, 2006 5:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DesktopStandard Does anyone have any new info on when MS will update the Desktopstandard product to work with Windows Vista? Thanks Nathan List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] DesktopStandard
Or an even better, more official answer: http://download.microsoft.com/download/6/4/F/64F5DC66-832A-4DF3-BAF4-3B4E7FB 9E500/datasheet-faqs.pdf Q: When can I order Microsoft Desktop Optimization Pack for Software Assurance and when will it be available? A: You may order Microsoft Desktop Optimization Pack for Software Assurance from the January 2007 Price List. The software will be available in the February VL Kit shipment and MVLS download site. The initial release of the Microsoft Desktop Optimization Pack for Software Assurance will only include SoftGrid v4.1. As other technologies become available they will be added to the media kit that will ship within the monthly Select and EA kits. The remaining technologies (Microsoft Diagnostic and Recovery Toolset, Microsoft Advanced Group Policy Management, and Microsoft Asset Inventory Service) will be available by the end of Q2 CY 2007. HTH, Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Friday, December 15, 2006 5:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DesktopStandard Does anyone have any new info on when MS will update the Desktopstandard product to work with Windows Vista? Thanks Nathan List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] Vista GPO
(as a bystander here .. I personally like the point/counterpoints.. just sometimes we need to realize that we lose ...what? About 60% of communication via email? And adjust accordingly okay? Can we hug and make up?) Pogue’s Posts - Technology - New York Times Blog: http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/ Granted I'm little... but are you guys really and truly rolling out Vista in other than Lab settings anyway? I'm getting hit over the head on a daily basis by vendors are are saying Wait. My two benchmarks of when I can say I'm somewhat business ready on Vista is when the ISA firewall client that supports Vista ships (it did earlier this week) and when Trend isn't offering up beta versions as the only ones that will run on Vista. Are you guys really and truly rolling these suckers out on production boxes? Don't geeks adapt anyway? (We may not read... but we adapt right?) This is slightly incorrect...but the fact is SQL 2005 express officially needs sp2 to run on Vista http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes *Wait Until after Tax Time? *Note that Intuit's tax software divisions are recommending that their users wait until after tax season to make any move to Windows Vista. These notices are posted for both Lacerte Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=18m=399604r=MzE0NTkxNTExOQS2b=0j=NzQzNjgzNDcS1mt=1 and ProSeries Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=21m=399604r=MzE0NTkxNTExOQS2b=0j=NzQzNjgzNDcS1mt=1. *Prudence Suggested for QuickBooks Users Too.* Windows Vista holds much promise for significant improvements in security and functionality. However, Intuit suggests the decision to upgrade to Windows Vista be approached carefully, for two reasons: * Potential reliability issues often associated with the initial release of operating systems. * Intuit will not be able to support QuickBooks 2006 and earlier on Windows Vista. Laura A. Robinson wrote: Deji, I've had enough of you attributing statements to me that I have not made, and therefore I am finished with this conversation. Laura *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji *Sent:* Friday, December 15, 2006 4:44 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Vista GPO Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like their checks? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com - we know IT *-5.75, -3.23* Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon *From:* Laura A. Robinson *Sent:* Fri 12/15/2006 12:50 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Vista GPO BTW, I would disagree with your assessment of Microsoft's customer base. I work in Microsoft's largest district, with our largest customers, and I find them far from clueless. I also find very few clueless folks writing us checks that add up to those billions in the vault. Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not among my customers, anyway. :-) Laura *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Laura A. Robinson *Sent:* Friday, December 15, 2006 2:26 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Vista GPO And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the
RE: [ActiveDir] OT: help with running a scheduled job
Mike, Thanks! That worked. I owe you a beer if we ever cross paths! Thanks again! Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael A. Barker Sent: Friday, December 15, 2006 5:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: help with running a scheduled job I think the default permissions of the CMD.exe file are getting you, read the KB enclosed. As I recall permissions allow RX for the interactive special group which is why it worked if you're signed in at the console. On our servers where we have ordinary users executing batch jobs I've setup a local group to grant read and execute. http://support.microsoft.com/kb/867466 Mike From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, December 15, 2006 4:31 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: help with running a scheduled job We are trying to get a particular account to run a scheduled backup job on a server. Our results are puzzling. Here are the particulars: 2003 R2 standard server Domain account, non privileged, doesn't belong to domain users Added to local backup operators group Trying to run a system state backup job through a scheduled batch (.bat) file File permissions appear to be ok in file system where batch file is located. Results: When run from a remote scheduled tasks/run (without the user logged into the server): a scheduled job with the user's credentials specifying an ipconfig command works. a scheduled job with the user's credentials specifying notepad.exe works. a scheduled job with the user's credentials calling a batch file (.bat) which runs ntbackup.exe FAILS with (from SchedLgU.txt): test.job (simple.bat) 12/13/2006 5:50:08 PM ** ERROR ** Unable to start task. The specific error is: 0x80070005: Access is denied. Try using the Task page Browse button to locate the application. All the jobs run successfully from a remote scheduled tasks/run environment if the user is in the local administrators group. When the user is only in the local Backup Operators group, all the jobs run successfully from a remote scheduled tasks/run environment when this account is logged into the server/console! They can also be run successfully locally by the user. Note this same user got an Access is denied previously. We checked through the local security policy thinking it could be related to User Rights assignments or Security Options but did not see anything there. I think we're missing something really simple here, but it's eluding us. Any thoughts are appreciated. Mike Thommes
Re: [ActiveDir] OT: Vista Resource Monitor blank
Yes I was. I often launch the resource monitor from task manager and its not blank. But in this instance it was. So I find it hard to believe its normal. Thanks for the reply anyway Laura. Cheers M@ On 12/15/06, Laura A. Robinson [EMAIL PROTECTED] wrote: Are you referring to Performance Monitor? If so, that's normal. You have to pick the objects and counters that you want to watch. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe Sent: Friday, December 15, 2006 5:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Vista Resource Monitor blank Has anyone ever seen the resource monitor of Vista RTM blank with no CPU/Mem/Disk etc... details at all? Last night I noticed when I used resource monitor it didnt display anything. Task Manager showed activity as expected but not the resource monitor. I assumed it was possibly due to the machine waking up from sleep but couldn't repro it. Cheers M@ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.18/586 - Release Date: 12/13/2006 6:13 PM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
