Re: [ActiveDir] OT: Domain List
I am talking about having that list disappear / do not want to see it so people are forced to use UPN Logon. I was hoping there was some adm gpo you could just turn on for this but I guess not. What Tony has suggested may work for me I have not had time to look into it in great detail but skimming over it it looked promising. As far as editing the Gina well I am not sure we have the resources for that but it also sounds like a good solution, I will look into that some more also.

Thanks for your input,

Aaron

On 7/20/06 12:34 AM, "Paul Williams" <[EMAIL PROTECTED]> wrote:

> Are you talking about having "Options" minimised by default and educating
> users to logon with UPN or domain\samaccountname syntax or are you talking
> about actually modifying the list built by Winlogon?
>
> There's probably a number of options. As Tony says you can modify the list
> of domains available to Winlogon via ADM, or via a startup-script. You can
> also modify the GINA or write a new GINA.
>
> Vista seems to have scrapped this and forces you to use
> domain\samaccountname or UPN, which in my opinion is a good thing.
>
> --Paul
>
> ----- Original Message -----
> From: "Aaron Visser" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, July 19, 2006 7:19 PM
> Subject: [ActiveDir] OT: Domain List
>
>> Using a GPO
>>
>> How can I hide the drop-down list of domains that appears on the logon
>> screen of Windows 2000 and XP machines that are connected to a Domain?
>>
>> OR
>>
>> How can I force UPN Logon?
>>
>> Username: [EMAIL PROTECTED]
>> Password: xx
>>
>> I have found the following but it requires that the registry be edited on
>> every computer (not the solution I was hoping for) as this would take way
>> too long plus in order to change it I would have to edit every machine again
>>
>> A. To remove the domain drop-down list from the logon screen and force users
>> to use their full user principal name (UPN), perform these steps:
>>
>> Start the registry editor (regedit.exe).
>> Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey.
>> From the Edit menu, select New, DWORD value.
>> Enter a name of NoDomainUI and press Enter.
>> Double-click the new value and set it to 1. Click OK.
>> Reboot the machine.
>>
>> Any solutions or ideas would be much appreciated
>>
>> Thanks,
>>
>> Aaron
>>
>> List info : http://www.activedir.org/List.aspx
>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] OT: Domain List
Using a GPO

How can I hide the drop-down list of domains that appears on the logon screen of Windows 2000 and XP machines that are connected to a Domain?

OR

How can I force UPN Logon?

Username: [EMAIL PROTECTED]
Password: xx

I have found the following but it requires that the registry be edited on every computer (not the solution I was hoping for) as this would take way too long plus in order to change it I would have to edit every machine again

A. To remove the domain drop-down list from the logon screen and force users to use their full user principal name (UPN), perform these steps:

Start the registry editor (regedit.exe).
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey.
From the Edit menu, select New, DWORD value.
Enter a name of NoDomainUI and press Enter.
Double-click the new value and set it to 1. Click OK.
Reboot the machine.

Any solutions or ideas would be much appreciated

Thanks,

Aaron
RE: [ActiveDir] OT: Netlogon Service
Well if they did why wouldn't I be able to restart the services, I am thinking there is more to it than just someone stopped the ports, but I will look into the auditing, just to be sure.

Thanks,

Aaron

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Thu 3/9/2006 11:07 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] OT: Netlogon Service

For all we know, someone did exactly what you did (connect remotely using administrative credentials) and disabled the services. Do you have logon auditing enabled? If so, have you checked to see who's logged onto the machine?

Cheers
Ken

From: [EMAIL PROTECTED] on behalf of Aaron Visser
Sent: Fri 3/10/2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Netlogon Service

Well I know this is a little off topic but I cannot find any answers so I have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today I can no longer login to it via the Domain (it says that the NetLogon Service is not started)

So I logged onto another computer and remotely connected to the computer thru the Computer Management MMC Snap-In and checked the Netlogon Service and sure enough it was disabled, so I set it to Auto and then proceeded to start the Service. But it will not start because it says that the RPC Locator Service (to the best of my recollection) needs to be started, so I check that and sure enough it is disabled also. So I try to start that service but it gives me some error that I cannot recall at this time.

Anyways trying to make this story short I am pretty sure that the computer in question was targeted from within the LAN remotely. So the big question or questions are is it possible to attack a computer in this manner? If it is possible does anyone have any info on how to accomplish this so that I can try and figure out how or what was used and maybe even nail the person (student) who did this.

Thanks,

Aaron
[ActiveDir] OT: Netlogon Service
Well I know this is a little off topic but I cannot find any answers so I have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today I can no longer login to it via the Domain (it says that the NetLogon Service is not started)

So I logged onto another computer and remotely connected to the computer thru the Computer Management MMC Snap-In and checked the Netlogon Service and sure enough it was disabled, so I set it to Auto and then proceeded to start the Service. But it will not start because it says that the RPC Locator Service (to the best of my recollection) needs to be started, so I check that and sure enough it is disabled also. So I try to start that service but it gives me some error that I cannot recall at this time.

Anyways trying to make this story short I am pretty sure that the computer in question was targeted from within the LAN remotely. So the big question or questions are is it possible to attack a computer in this manner? If it is possible does anyone have any info on how to accomplish this so that I can try and figure out how or what was used and maybe even nail the person (student) who did this.

Thanks,

Aaron

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] MAC Address
Run command prompt

Type ipconfig /all

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: Thursday, February 23, 2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MAC Address

I have a client PC that does not list the MAC Address for its wireless NIC anywhere in the OS. Is there a way to query that info from the card via command prompt or some other method?

Thanks

Todd
RE: [ActiveDir] Limit Logon thru GPO
This cconnect.exe seems interesting anybody used it with 2003 Server? or is it strictly a NT/2000 tool?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, February 16, 2006 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Limit Logon thru GPO

There is no native way of doing this in GP, but there is the Resource Kit utility Cconnect.exe that tries to accomplish the same thing without messy AD partitions (not at all to imply that anything remotely related to AD is messy :))

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Thursday, February 16, 2006 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Limit Logon thru GPO

Sorry if this question has already been asked but I was sure I saw this at one time and now I cannot find it anywhere. I am beginning to think it was all just a wishful dream.

Q. Is it possible to limit the number of logons a user may have at any one moment, using GPO?

Microsoft has released the LimitLogin tool, which you can download from http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe. The tool stores logged-on information in a custom AD partition (dc=limitlogin, dc=, dc=; e.g., dc=limitlogin,dc=savilltech,dc=com) via a Microsoft IIS 6.0 (Windows Server 2003) hosted Web service, a client component, and a logon and logoff script.

This is the only answer I could find on the internet but surely this cannot be the only way, like I mentioned I was sure I saw this at one time and now I cannot find it anywhere. Was it all a dream? Should MS get their act together? or did I really see this? I would rather not use LimitLogon as it seems like a bit of a pain in the a$$ to setup and I am pretty sure it is irreversible.

Thanks,

Aaron Visser
Computer Services Tech
School District #33
Chilliwack Secondary School
[EMAIL PROTECTED]
604.795.7295
[ActiveDir] Limit Logon thru GPO
Sorry if this question has already been asked but I was sure I saw this at one time and now I cannot find it anywhere. I am beginning to think it was all just a wishful dream.

Q. Is it possible to limit the number of logons a user may have at any one moment, using GPO?

Microsoft has released the LimitLogin tool, which you can download from http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe. The tool stores logged-on information in a custom AD partition (dc=limitlogin, dc=, dc=; e.g., dc=limitlogin,dc=savilltech,dc=com) via a Microsoft IIS 6.0 (Windows Server 2003) hosted Web service, a client component, and a logon and logoff script.

This is the only answer I could find on the internet but surely this cannot be the only way, like I mentioned I was sure I saw this at one time and now I cannot find it anywhere. Was it all a dream? Should MS get their act together? or did I really see this? I would rather not use LimitLogon as it seems like a bit of a pain in the a$$ to setup and I am pretty sure it is irreversible.

Thanks,

Aaron Visser
Computer Services Tech
School District #33
Chilliwack Secondary School
[EMAIL PROTECTED]
604.795.7295
RE: [ActiveDir] AD computer accounts being removed
Sorry, Sorry, Sorry it is Friday and I have had enough, next time I will try to think before I hit Send

(Disregard last post on this topic)

Aaron Visser

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn’t get sysprep’ed. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can’t trust more than one domain with the same sid…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: R
RE: [ActiveDir] AD computer accounts being removed
I was referring to workstations not Servers, who would even think of ghosting a Server? And here is the bottom line I have been ghosting workstations for several years now at this site without using Sysprep or anything like it, and it has caused me no problems, I have yet to hear anything worth while on why I should be running sysprep on a workstation in a Domain Environment where local login is not prohibited other than some BS stuff from Wininternals or some other mag like that.

So put your rolled up newspapers away ( unless of course you're going to be using it on yourself ) and give me something worth while or concrete as to why I should be running Sysprep in the mentioned environment other than NO NO NO NO BAD BAD BAD BAD you must run sysprep.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Tell me about it. We had a vendor roll a server into every site to do as they pleased with. Didn’t get sysprep’ed. Many sites decided to dcpromo theirs up. Of course every independent domain has to trust me, and you can’t trust more than one domain with the same sid…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

You can have collisions between a domain controller SID and a member server SID when two machines have duplicate SIDs and one is DCPROMO’d and the other is joined to the new domain. The error messages that are logged say something to the effect that the domain and the member server SIDs conflict. Darn confusing when you see it for the first time. I’ll see if I can dig out the exact text of the message.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yep sorry, didn't intend to say it wasn't a good idea. At some point the list will catch up and my post that says that will show up. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Dozen other reasons to run it. Not running sysprep is just a bad idea.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Well not really. The important SID in question is the Domain SID and that isn't duped. The domain doesn't care about the machine SID. It is still good practice to newsid the machines though.

If the accounts are disappearing it is one of two things

1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object out. I don't recall the details of this but I do recall hearing it happen. It happens right after the failed join though, you don't have to wait for it. I have also heard other people who don't have enough rights report the account being disabled instead of deleted. I never verified personally either.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, make
RE: [ActiveDir] AD computer accounts being removed
Well I would agree that is not a safe practice for most but for my application where all Local accounts are disabled I do not see a problem.

Taken from http://www.sysinternals.com/Utilities/NewSid.html under the SID Duplication Problem

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You’re getting duplicate SIDs here – bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again.

Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda
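The SID points made in this thread (clones sharing a machine SID, domain accounts being based on the domain SID, and the collision Wook Lee describes between a domain's SID and a member's SID), as an added example that is not code from any list member. It checks a machine inventory for both collision cases; the computer names, SID values and function names are constructed for illustration.

```python
"""Added example: audit a machine inventory for the duplicate-SID cases in this thread.
All computer names and SID values below are constructed for illustration."""
from collections import defaultdict

ADMINISTRATOR_RID = 500  # RID of the built-in local Administrator account


def parse_sid(text):
    """Parse a string SID (S-1-<authority>-<sub>-...) into (authority, sub-authorities)."""
    parts = text.strip().split("-")
    fields = parts[2:]
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {text!r}")
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError(f"non-numeric field in SID: {text!r}")
    authority, subs = int(fields[0]), tuple(int(f) for f in fields[1:])
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range in SID: {text!r}")
    return authority, subs


def canonical(text):
    """Normalised string form, so textual variants of one SID compare equal."""
    authority, subs = parse_sid(text)
    return "S-1-" + "-".join(str(n) for n in (authority, *subs))


def is_base_sid(text):
    """True for a machine or domain SID: S-1-5-21 plus three 32-bit values, no RID."""
    authority, subs = parse_sid(text)
    return authority == 5 and len(subs) == 4 and subs[0] == 21


def account_sid(base_sid, rid):
    """SID of the account with this RID issued by a machine (local) or a domain."""
    if not is_base_sid(base_sid):
        raise ValueError(f"not a machine or domain SID: {base_sid!r}")
    return f"{canonical(base_sid)}-{rid}"


def split_account_sid(text):
    """Split an account SID into (issuing machine or domain SID, RID)."""
    authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not an account SID under S-1-5-21: {text!r}")
    return "S-1-5-" + "-".join(str(s) for s in subs[:4]), subs[4]


def audit(machine_sids, domain_sid):
    """machine_sids maps computer name -> machine SID. Returns both findings."""
    if not is_base_sid(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    by_sid = defaultdict(list)
    for name, sid in machine_sids.items():
        if not is_base_sid(sid):
            raise ValueError(f"{name}: not a machine SID: {sid!r}")
        by_sid[canonical(sid)].append(name)
    return {
        # Machines imaged from one source without Sysprep/NewSID share a machine SID,
        # so every local account on them (e.g. Administrator, RID 500) has the same SID.
        "duplicate_machine_sids": {s: sorted(n) for s, n in by_sid.items() if len(n) > 1},
        # A domain takes its SID from the machine SID of the first DC promoted, so a
        # member built from the same image as that DC collides with the domain itself.
        "machine_sid_equals_domain_sid": sorted(by_sid.get(canonical(domain_sid), [])),
    }


# Constructed sample data (not taken from the thread).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
INVENTORY = {
    "LAB-PC01": "S-1-5-21-2000478354-688789844-1708537768",
    "LAB-PC02": "S-1-5-21-2000478354-688789844-1708537768",  # ghosted from LAB-PC01's image
    "LIB-PC07": "S-1-5-21-3623811015-3361044348-30300820",
    "SRV-APP1": "S-1-5-21-1004336348-1177238915-682003330",  # same image as the first DC
}

if __name__ == "__main__":
    findings = audit(INVENTORY, DOMAIN_SID)
    for sid, names in findings["duplicate_machine_sids"].items():
        print(f"shared machine SID {sid}: {', '.join(names)}")
        print(f"  local Administrator on each is {account_sid(sid, ADMINISTRATOR_RID)}")
    for name in findings["machine_sid_equals_domain_sid"]:
        print(f"{name}: machine SID equals the domain SID {DOMAIN_SID}")
    # Domain accounts hang off the domain SID, so clones do not affect them.
    print("domain user RID 1105 ->", account_sid(DOMAIN_SID, 1105))
```
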
RE: [ActiveDir] AD computer accounts being removed
No it is not possible to delete that account. (As far as I know) but there are times when the account has been disabled thru a Policy (that is how I disable it) and that program has not worked, I know it doesn't make a lot of sense because why is the policy being enforced if it will not connect to the domain but guess what sometimes it is like that, and if everything always worked the way it was supposed to well then we wouldn't be needed now would we?

Aaron Visser

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/18/06, Aaron Visser <[EMAIL PROTECTED]> wrote:

snip
> I have had to actually ghost computers in order to rejoin the
> domain because I do not have any local accounts active on my computers in
> the school, makes it a little safer :) but with that comes more work :(
>

Surely it's not possible to delete the administrator account? You might be able to disable it, but IIRC, you can reset the password and unlock/re-enable the account using the infamous bootdisk at: http://home.eunet.no/~pnordahl/ntpasswd/

Shouldn't need to re-image.

--
AdamT
"Maidenhead is *not* in Kent"
RE: [ActiveDir] AD computer accounts being removed
Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images, before I ghost them or create the image I put the said machine into a workgroup and then create image. After I have imaged a computer I log on and change the Computer Name reboot and then join the domain with the new computer name, should I be using Sysprep?

And Brenda I have experienced your problem but I have never noticed the accounts actually being out of AD, anyways most times for me a simple reboot works although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school, makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don’t sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again.

Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do.

Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda
Re: [ActiveDir] Password policy change
Nevermind OWA = Outlook Web Access On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote: > > I mean, if I use the check box to "user must change password at next logon" > our users whose only way into the domain is OWA will not prompt them to change > their password... Unless I am missing something. > > Thanks > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support > Sent: Friday, August 26, 2005 3:19 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] Password policy change > > Johnny, > > We do exactly what you suggest, change the password and set the "user must > change password at next logon" and they are able to change it, even within the > "password cannot be changed period". > > What do you mean by "that would effectively lock out the OWA only users"? > > > Alan Cuthbertson > > > Policy Management Software:- > http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml > ADM Template Editor:- > http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml > Policy Log Reporter(Free) > http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml > > > > - Original Message - > From: "Figueroa, Johnny" <[EMAIL PROTECTED]> > To: > Sent: Saturday, August 27, 2005 2:56 AM > Subject: RE: [ActiveDir] Password policy change > > > > Help desk sets he password to something "something", tells the user to > change their password to whatever they want it to be and the user can not. I > thought about having the HD check the box that makes it so the user has to > change the password the next time they log in but I think that would > effectively lock out the OWA only users. > > The point is that the HD gets the user going by setting the password to > something generic, then the user is supposed to change it to whatever they > want to keep. 
> > > Thanks > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] > Sent: Friday, August 26, 2005 9:45 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Password policy change > > Which part is "not working" and how is it "not working"? > > > Sincerely, > > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were worried about > Yesterday? -anon > > > > From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny > Sent: Fri 8/26/2005 9:34 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Password policy change > > > > > Good morning folks, yesterday I changed the domain password security to > retain password history for 5 passwords and the password can not be changed > for one day. > > Our help desk used to set passwords to a default value when they got a call > from a user and then tell the user to change it to something they want. It > looks like that is not working for them > > Is there anyway around this ? > > Thanks > > Johnny Figueroa > Enterprise Network Consultant/Integrator Network Services Banner Health > Voice (602) > 495-4195 Fax (602) 495-4406 > > WARNING: This message, and any attachments, are intended only for the use of > the individual or entity to which it is addressed and may contain > information that is privileged, confidential and exempt from disclosure > under applicable law. If the reader of this message is not the intended > recipient or employee/agent responsible for delivering the message to the > intended recipient, you are hereby notified that any dissemination, > distribution or copying of the communication is strictly prohibited. 
If you > receive this communication in error, please notify us immediately > > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Password policy change
I think he wants to know what is OWA or at least I want to know :) On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote: > > I mean, if I use the check box to "user must change password at next logon" > our users whose only way into the domain is OWA will not prompt them to change > their password... Unless I am missing something. > > Thanks > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support > Sent: Friday, August 26, 2005 3:19 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] Password policy change > > Johnny, > > We do exactly what you suggest, change the password and set the "user must > change password at next logon" and they are able to change it, even within the > "password cannot be changed period". > > What do you mean by "that would effectively lock out the OWA only users"? > > > Alan Cuthbertson > > > Policy Management Software:- > http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml > ADM Template Editor:- > http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml > Policy Log Reporter(Free) > http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml > > > > - Original Message - > From: "Figueroa, Johnny" <[EMAIL PROTECTED]> > To: > Sent: Saturday, August 27, 2005 2:56 AM > Subject: RE: [ActiveDir] Password policy change > > > > Help desk sets he password to something "something", tells the user to > change their password to whatever they want it to be and the user can not. I > thought about having the HD check the box that makes it so the user has to > change the password the next time they log in but I think that would > effectively lock out the OWA only users. > > The point is that the HD gets the user going by setting the password to > something generic, then the user is supposed to change it to whatever they > want to keep. 
> > > Thanks > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] > Sent: Friday, August 26, 2005 9:45 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Password policy change > > Which part is "not working" and how is it "not working"? > > > Sincerely, > > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were worried about > Yesterday? -anon > > > > From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny > Sent: Fri 8/26/2005 9:34 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Password policy change > > > > > Good morning folks, yesterday I changed the domain password security to > retain password history for 5 passwords and the password can not be changed > for one day. > > Our help desk used to set passwords to a default value when they got a call > from a user and then tell the user to change it to something they want. It > looks like that is not working for them > > Is there anyway around this ? > > Thanks > > Johnny Figueroa > Enterprise Network Consultant/Integrator Network Services Banner Health > Voice (602) > 495-4195 Fax (602) 495-4406 > > WARNING: This message, and any attachments, are intended only for the use of > the individual or entity to which it is addressed and may contain > information that is privileged, confidential and exempt from disclosure > under applicable law. If the reader of this message is not the intended > recipient or employee/agent responsible for delivering the message to the > intended recipient, you are hereby notified that any dissemination, > distribution or copying of the communication is strictly prohibited. 
If you > receive this communication in error, please notify us immediately
RE: [ActiveDir] OT: Question on WSUS implementation and GPO's...
No I do not believe this would be possible without creating more than 1 GPO, however WSUS does allow you to break down the computers into groups but I am pretty sure this is strictly for patch management and not release management (ie picking what groups get what patches but not when they get them)

Aaron

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Steven L Dunn
Sent: Thursday, August 25, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Question on WSUS implementation and GPO's...

Friends,

Our company is about to implement a WSUS server for patching and updates. I am wondering if there is any way to allow for breaking the updates down into groups (say by department) but using only a single GPO to do it? For instance, we have our legal and executive departments using a separate GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday @ 12:00, respectively. Our other departments are set up along similar lines, with 5 GPO's in all active.

What I'm seeing is a general "slowdown" in login processing time (from sign in to desktop appearing) due ...I'm guessing, to the GPO having to run through and check against Group Membership or process. I'm looking for any ideas on whether this is the "only" arrangement for making this happen, or I'm missing something that might be a possibility.

Thanks in advance.

-Steve

--
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455
Re: [ActiveDir] DSN(No, this is not a typo!)
This might help you out, got it off of: http://www.experts-exchange.com/Databases/Q_21032275.html

The best way to deploy your new DSN is to create a GPO and apply it to the Active Directory OU for workstations. This GPO will release the registry export (ie .reg) at the next boot of your clients. You'll find the DSN information in your registry (Start -> Run -> regedit) at:

HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI for a system DSN
HKEY_CURRENT_USER (or HKEY_USERS\{user SID}) \SOFTWARE\ODBC\ODBC.INI for a user one

Simply export the key and create the GPO, and AD will deploy it for you.

Again not sure about this just got it from the site above

Aaron

On 8/24/05 5:43 PM, "Marc A. Mapplebeck" <[EMAIL PROTECTED]> wrote:
> Hi everyone, I am having a problem here, and Google wants to keep asking me
> if I mean DNS and screws up my search. I need to install a DSN for an SQL
> server on all machines in my domain, but I am not aware of an easy way to do
> this i.e. GPO. Is there a script out there to install a data source on many
> machines? Any help would be appreciated. - Marc
[ActiveDir] OT: ISA FW Client
I need to make it so that when a user logs into a computer they do not see the FW icon in the tray. All I have been able to come up with is this info from isaserver.org http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=27;t=000313

I tried the method of placing the following in the All Users\Application Data\Microsoft\Firewall Client 2004 then Common.ini

[TrayIcon]
TrayIconVisualState=1

But this does not seem to do anything I even tried restarting after this and still no luck so then I tried it in the Management.ini and no luck there either. So anyways I am getting frustrated and I am hoping that someone here may have some insight to this.

Also is there anyway to configure the client so that it cannot be disabled? Is there any GPO's for this stuff?

Thanks,
Aaron Visser
RE: [ActiveDir] GPO on XP & 2000 Pro
Why not just move the servers to a new OU called Servers? and then move the remaining computers into a new OU called Workstations? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Harding, Devon Sent: Wednesday, August 24, 2005 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO on XP & 2000 Pro I have over 2000 machines in my computers containers. Is there any other way? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, August 24, 2005 5:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO on XP & 2000 Pro WMI filters aren't processed by Win2K so that won't work on that platform. Your best bet is probably to put all the XP & win2k machines in one security group and then security filter the GPO based on that group (i.e. remove the Authenticated Users ACE from the sec. filter on that GPO and add the new group with Read and Apply GP permissions). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Wednesday, August 24, 2005 2:40 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO on XP & 2000 Pro How can I get a GPO to only run on all Windows XP and 2000 Pro. machines in a domain? WMI Filter is applied to 2000 machines so it'll run on 2000 server if I filter by OS type. Devon Harding Windows Systems Engineer Southern Wine & Spirits - BSG 954-602-2469 - __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. 
Re: [ActiveDir] OT Assign Icon in script
Thanks that worked

On 6/2/05 1:18 AM, "Peter Jessop" <[EMAIL PROTECTED]> wrote:
> Aaron
>
> scut.IconLocation = "\\server\folder\customicon.ico"
> should work
>
> Regards
>
> Peter
[ActiveDir] OT Assign Icon in script
Is it possible to assign an icon to a shortcut, to all the computers in the domain via GPO Logon Scripts? What I have got is this:

' Create a desktop shortcut for the user who is logging on
Set ws = WScript.CreateObject("WScript.Shell")
dsktop = ws.SpecialFolders("Desktop")
Set scut = ws.CreateShortcut(dsktop & "\shortcut name.lnk")
scut.TargetPath = "http://enter url here"
' Write the shortcut to disk
scut.Save

Now this is all great and works (creating the Shortcut on the desktop) but I would also like to assign a custom icon is this at all possible?

Thanks,
Aaron Visser
Re: [ActiveDir] Way OT: FTP not working for certain files...
What is the Web Server/FTP Server? And what clients have been successful? I would look into permissions due to the fact that you are unable to copy the said files to a USB drive.

On 6/1/05 10:40 AM, "Lou Vega" <[EMAIL PROTECTED]> wrote:
> I thought it might be that too. The web server is a non-Windows one. I also
> attempted to take the existing files and copy them to a USB thumb drive
> which was FAT versus NTFS and the same files still did not copy. The file
> perms on the web server are set apparently correct since when I take them on
> a different computer they upload fine.
>
> All virus/malware scans come up negative. I've run McAfee, Symantec and AVG
> all with the latest definitions and engines. Microsoft Spyware reports
> nothing, nor does any other spyware/malware program I've run (many at this
> point).
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
> Sent: Wednesday, June 01, 2005 1:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Way OT: FTP not working for certain files...
>
> I think that you have to check the NTFS permissions on the current website
> files
>
> Regards
>
> Peter
Re: [ActiveDir] Checking who deleted Files
Thank you Peter and Jose your info is very helpful I have enabled it and now it’s time to play the waiting game :)

Aaron

On 4/21/05 11:29 PM, "Peter Jessop" <[EMAIL PROTECTED]> wrote:

More specifically: To detect file deletion you must audit Successful object access. Additionally you must then enable auditing on the folders by means of the security tab. You must then look for security events with ID 560. The following is a query you can use with logparser to extract the delete events

SELECT timegenerated AS EventTime,
       extract_token(strings, 7, '|') AS UserName,
       extract_token(strings, 2, '|') AS File
FROM security
WHERE EventID = '560'
  AND EventTypeName = 'Success Audit event'
  AND extract_token(strings, 1, '|') like 'File'
  AND Message LIKE '%DELETE%'
ORDER BY EventTime DESC
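The filter from the logparser query in the message above, applied to a handful of records, as an added example that is not part of the original thread. The sample records are constructed, the token positions 1, 2 and 7 are the ones the query uses, and the client user name at position 10 is an assumption about the event 560 field layout.

```python
from collections import Counter
from datetime import datetime

# Positions in the '|'-separated Strings field that the query above relies on.
OBJECT_TYPE, OBJECT_NAME, PRIMARY_USER = 1, 2, 7
# Assumption, not from the original message: position of the client
# (impersonated) user name. "-" means there was no client, i.e. local access.
CLIENT_USER = 10


def _strings(obj_type, obj_name, primary, client):
    """Build a constructed Strings value with the fields in the assumed order."""
    fields = ["Security", obj_type, obj_name, "1234", "{0,1}", "4", "",
              primary, "EXAMPLE", "(0x0,0x3E7)", client, "EXAMPLE", "(0x0,0x1)"]
    return "|".join(fields)


def _event(ts, event_id, type_name, strings, accesses):
    return {"TimeGenerated": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "EventID": event_id, "EventTypeName": type_name,
            "Strings": strings, "Message": "Object Open: Accesses: " + accesses}


OK, FAIL = "Success Audit event", "Failure Audit event"

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    _event("2005-04-22 09:14:03", 560, OK,
           _strings("File", r"D:\Shares\Finance\budget.xls", "FILESRV01$", "jsmith"),
           "DELETE READ_CONTROL"),
    _event("2005-04-22 09:20:10", 560, OK,
           _strings("File", r"D:\Shares\Finance\plan.doc", "FILESRV01$", "adavis"),
           "READ_CONTROL ReadData"),
    _event("2005-04-22 09:30:00", 560, OK,
           _strings("Key", r"\REGISTRY\MACHINE\SOFTWARE\Example", "Administrator", "-"),
           "DELETE"),
    _event("2005-04-22 09:45:00", 560, FAIL,
           _strings("File", r"D:\Shares\HR\reviews.xls", "FILESRV01$", "bjones"),
           "DELETE"),
    _event("2005-04-22 09:50:00", 562, OK, "Security|1234|4", "-"),
    _event("2005-04-22 10:02:41", 560, OK,
           _strings("File", r"D:\Shares\Public\notes.txt", "Administrator", "-"),
           "DELETE"),
]


def token(strings, index):
    """Equivalent of extract_token(strings, index, '|'); empty if missing."""
    parts = strings.split("|")
    return parts[index] if index < len(parts) else ""


def find_delete_requests(events):
    """Return successful event 560 records on files whose message lists DELETE."""
    hits = []
    for ev in events:
        if ev["EventID"] != 560 or ev["EventTypeName"] != OK:
            continue
        if token(ev["Strings"], OBJECT_TYPE) != "File":
            continue
        if "DELETE" not in ev["Message"]:
            continue
        primary = token(ev["Strings"], PRIMARY_USER)
        client = token(ev["Strings"], CLIENT_USER)
        # Over a share the primary user is the server's own account, so
        # prefer the client user when one is recorded.
        user = client if client not in ("", "-") else primary
        hits.append({"time": ev["TimeGenerated"], "user": user,
                     "primary_user": primary,
                     "file": token(ev["Strings"], OBJECT_NAME)})
    hits.sort(key=lambda h: h["time"], reverse=True)  # ORDER BY EventTime DESC
    return hits


def deletes_per_user(hits):
    """Count matching records per user for a quick review."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    for hit in find_delete_requests(SAMPLE_EVENTS):
        print(hit["time"], hit["user"], hit["file"])
```

Event 560 is the object-open audit, so a hit means a handle was opened with DELETE access requested; treat it as a lead to confirm against the backup and the share contents.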
[ActiveDir] Checking who deleted Files
Hello I am running a W2K3 Server environment with WinXP clients is there anyway for me to find out who deleted some files from one of my server shares? It is not a huge deal as it was backed up but I would LOVE to know who deleted it to begin with. Thanks, Aaron
RE: [ActiveDir] limit time user is allow to be logged in
You may want to look into this product http://www.citadel.com/netoff.asp

Regards,
Aaron

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 24, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] limt time user is allow to be logged in

Hi, we have a problem with some shift workers not logging out after their shift is over. is there any way to limit users to being logged in for a few hours at a time ? I would like to log them out every hour and have them log back in again. I can set allowed login time by user because they change shift time IE: some time they work nites some times days. They always log into the same computers though. can a computer be assigned to keep a login for a set time ?

that in advance for your help o' gods of the Active Directory

Jeff Kraus
Network Manger
NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax: 631.753.4305
Email: [EMAIL PROTECTED]
Re: [ActiveDir] Setting Outlook
Thank you,

Aaron

On 11/23/04 11:47 AM, "Lara, Greg" <[EMAIL PROTECTED]> wrote:
> Open your default domain policy, go to User Configuration>Windows
> Settings>Internet Explorer Maintenance>Programs. Select Import the current
> Program Settings, then click the Modify button. Make changes as necessary.
> You may also want to limit the user's ability to modify this by enabling the
> Disable changing Messaging Settings option in the Administrative
> Templates>Internet Explorer section as well.
>
> Greg Lara
>
> ---
> This e-mail message may contain privileged, confidential and/or proprietary
> information intended only for the person(s) named. If you are not the
> intended recipient, please destroy this message, and any attachments, and
> notify the sender by return e-mail. If you are not the intended
> recipient(s), or the employee or agent responsible for delivering the
> message to the intended recipient(s), you are hereby notified that any
> dissemination, disclosure or copying of this communication is strictly
> prohibited.
> ---
>
> -Original Message-
> From: Aaron Visser [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 23, 2004 2:29 PM
> To: ActiveDir
> Subject: [ActiveDir] Setting Outlook
>
> Is there any way for me to set MS Outlook as the Default mail client Domain
> Wide ?
>
> Thanks,
>
> Aaron Visser
[ActiveDir] Setting Outlook
Is there any way for me to set MS Outlook as the Default mail client Domain Wide ? Thanks, Aaron Visser
[ActiveDir] Mac connection prob from Monday
Sorry but I have deleted the original mail about this topic and do not remember the exact subject. I was just thinking about what the problem could have been in why your macs are now not connecting to your server after upgrading it to 2003. Do you have the latest Microsoft UAM? They can be found here http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows2000sfm For both os 8-9 and os x Just a thought, Aaron
RE: [ActiveDir] Getting print info from event log
Sorry Bob not really enjoying this log parser :( anything else?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Free, Bob
Sent: Friday, October 15, 2004 3:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting print info from event log

Look into logparser.exe to extract the events/fields you want.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=8cde4028-e247-45be-bab9-ac851fc166a4

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Friday, October 15, 2004 2:56 PM
To: ActiveDir
Subject: [ActiveDir] Getting print info from event log

Does anyone have or know anyway to pull print info out of the System event logs so that it can be easily reviewed Example I need to know who, how many pages now I can go thru each event and record this info by hand but it seems rather tedious and that there should be an easier way to gather this info.

Any help is appreciated,

Thanks,
Aaron Visser
[ActiveDir] Getting print info from event log
Does anyone have or know anyway to pull print info out of the System event logs so that it can be easily reviewed Example I need to know who, how many pages now I can go thru each event and record this info by hand but it seems rather tedious and that there should be an easier way to gather this info. Any help is appreciated, Thanks, Aaron Visser
Re: [ActiveDir] DNS Issue
Deji, could you give me a shout at [EMAIL PROTECTED] Thanks On 9/23/04 12:36 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote: > Awesome. Glad you got it working :) > > I am in San Jose, in sunny California. > > 1. Yes > 2. Yes > > Make sure you manually check and remove any lingering reference to the old > computer in ADUC (Domain Controllers OU), AD Site and Services and WINS. > After that, you should be good to go. > > > Sincerely, > > Dèjì Akómöláfé, MCSE MCSA MCP+I > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were worried about > Yesterday? -anon > > ____ > > From: [EMAIL PROTECTED] on behalf of Aaron Visser > Sent: Thu 9/23/2004 10:34 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] DNS Issue > > > Deji it worked AWESOME Thanks a ton man, Where are you located? Couple more > questions or concerns: > 1) I am in the process of rebuiling the downed server and I plan to make it > the secondary DC am I able to give it the same computer name or will this > cause some problems > 2) When setting up a new DNS zone on the new DC I tried to do the top optoin > (this server will supply DNS for your forest) but got a 'Server > Failure Error' So I Restarted the New Zone wizard and selected the Bottom > option (this server will supply DNS for your Domain Controllers ) > and it is working. :) is this ok? > > Thanks, > Aaron > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Deji Akomolafe > Sent: Wednesday, September 22, 2004 11:35 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] DNS Issue > > > In case you are still reading this, I'm still up for the next 30 > minutes in case you need someone to bounce ideas off of. If not, good luck. 
> > > > Sincerely, > > Dèjì Akómöláfé, MCSE MCSA MCP+I > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were worried about > Yesterday? -anon > > > > From: Aaron Visser > Sent: Wed 9/22/2004 9:26 PM > To: [EMAIL PROTECTED] > Subject: Re: [ActiveDir] DNS Issue > > > Deji, Thanks for the info I am heading back to work to give this a > try. My only concern is the fact that I did not have DNS running on the > secondary DC before the 1st one went down. > > Aaron Visser > > > On 9/22/04 7:28 PM, "Deji Akomolafe" <[EMAIL PROTECTED]> wrote: > > > > Look at the TCP/IP properties of the new server and make sure > that it is pointing to itself for DNS (and WINS, if you use WINS). Make sure > that the option to "use lmhosts..." is uncheck. Make sure you've properly > removed traces of the dead server from AD. Make sure that you remove all > replication links between the new and dead server (AD SItes and Services) > > Take a look at my little "FSMO" pep talk here: > http://www.akomolafe.com/docs/xferfsmos.htm > > You should be able to create your zone without the presence > of the dead server. Check eventlog for relevant errors. Also be sure to > modify your DHCP scope to reflect the fact that this is now your main DNS > server (at least for the time being) > > > Sincerely, > > Dèjì Akómöláfé, MCSE MCSA MCP+I > Microsoft MVP - Directory Services > www.readymaids.com <http://www.readymaids.com> - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were > worried about Yesterday? 
-anon > > > > > From: Aaron Visser > Sent: Wed 9/22/2004 5:59 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] DNS Issue > > Ok here it goes, > > Windows 2003 Servers > > Today the Raid controller lost the HD config on my main AD > server after hour > or so of trying to get it back online I decided to opt for > the promotion of > AD to my secondary Domain controller and just rebuild the 1st > one. Well the > big problem I faced was that I never installed DNS on the > second domain > controller. I decieded to go ahead with the FSMO promotion > and everything > was seized just fine. But now I sit with no DNS (I installed > DNS before the > Seizer of roles) but it is not creating any Zones. I have > tried to create a > new Zone but it keeps looking for the downed server? > > Any help in this would be greatly appreciated > > Thanks, > Aaron Visser > > List info : http://www.activedir.org
RE: [ActiveDir] DNS Issue
Title: Re: [ActiveDir] DNS Issue Deji it worked AWESOME Thanks a ton man, Where are you located? Couple more questions or concerns: 1) I am in the process of rebuiling the downed server and I plan to make it the secondary DC am I able to give it the same computer name or will this cause some problems 2) When setting up a new DNS zone on the new DC I tried to do the top optoin (this server will supply DNS for your forest) but got a 'Server Failure Error' So I Restarted the New Zone wizard and selected the Bottom option (this server will supply DNS for your Domain Controllers ) and it is working. :) is this ok? Thanks, Aaron -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Deji AkomolafeSent: Wednesday, September 22, 2004 11:35 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] DNS Issue In case you are still reading this, I'm still up for the next 30 minutes in case you need someone to bounce ideas off of. If not, good luck. Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Aaron VisserSent: Wed 9/22/2004 9:26 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] DNS Issue Deji, Thanks for the info I am heading back to work to give this a try. My only concern is the fact that I did not have DNS running on the secondary DC before the 1st one went down.Aaron VisserOn 9/22/04 7:28 PM, "Deji Akomolafe" <[EMAIL PROTECTED]> wrote: Look at the TCP/IP properties of the new server and make sure that it is pointing to itself for DNS (and WINS, if you use WINS). Make sure that the option to "use lmhosts..." is uncheck. Make sure you've properly removed traces of the dead server from AD. 
Make sure that you remove all replication links between the new and dead server (AD SItes and Services)Take a look at my little "FSMO" pep talk here: http://www.akomolafe.com/docs/xferfsmos.htmYou should be able to create your zone without the presence of the dead server. Check eventlog for relevant errors. Also be sure to modify your DHCP scope to reflect the fact that this is now your main DNS server (at least for the time being)Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+IMicrosoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Aaron VisserSent: Wed 9/22/2004 5:59 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] DNS IssueOk here it goes,Windows 2003 ServersToday the Raid controller lost the HD config on my main AD server after houror so of trying to get it back online I decided to opt for the promotion ofAD to my secondary Domain controller and just rebuild the 1st one. Well thebig problem I faced was that I never installed DNS on the second domaincontroller. I decieded to go ahead with the FSMO promotion and everythingwas seized just fine. But now I sit with no DNS (I installed DNS before theSeizer of roles) but it is not creating any Zones. I have tried to create anew Zone but it keeps looking for the downed server?Any help in this would be greatly appreciatedThanks,Aaron VisserList info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] DNS Issue
Deji, Thanks for the info I am heading back to work to give this a try. My only concern is the fact that I did not have DNS running on the secondary DC before the 1st one went down.

Aaron Visser

On 9/22/04 7:28 PM, "Deji Akomolafe" <[EMAIL PROTECTED]> wrote:

Look at the TCP/IP properties of the new server and make sure that it is pointing to itself for DNS (and WINS, if you use WINS).
Make sure that the option to "use lmhosts..." is unchecked.
Make sure you've properly removed traces of the dead server from AD.
Make sure that you remove all replication links between the new and dead server (AD Sites and Services).
Take a look at my little "FSMO" pep talk here: http://www.akomolafe.com/docs/xferfsmos.htm
You should be able to create your zone without the presence of the dead server. Check eventlog for relevant errors.
Also be sure to modify your DHCP scope to reflect the fact that this is now your main DNS server (at least for the time being).

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Aaron Visser
Sent: Wed 9/22/2004 5:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issue

Ok here it goes,

Windows 2003 Servers

Today the RAID controller lost the HD config on my main AD server. After an hour or so of trying to get it back online I decided to opt for the promotion of AD to my secondary Domain controller and just rebuild the 1st one. Well the big problem I faced was that I never installed DNS on the second domain controller. I decided to go ahead with the FSMO promotion and everything was seized just fine. But now I sit with no DNS (I installed DNS before the seizure of roles) but it is not creating any Zones. I have tried to create a new Zone but it keeps looking for the downed server?

Any help in this would be greatly appreciated

Thanks,
Aaron Visser
[ActiveDir] DNS Issue
Ok here it goes,

Windows 2003 Servers

Today the RAID controller lost the HD config on my main AD server. After an hour or so of trying to get it back online I decided to opt for the promotion of AD to my secondary Domain controller and just rebuild the 1st one. Well the big problem I faced was that I never installed DNS on the second domain controller. I decided to go ahead with the FSMO promotion and everything was seized just fine. But now I sit with no DNS (I installed DNS before the seizure of roles) but it is not creating any Zones. I have tried to create a new Zone but it keeps looking for the downed server?

Any help in this would be greatly appreciated

Thanks,
Aaron Visser
Re: [ActiveDir] Any way out of this mess?
On 7/26/04 1:40 PM, "Brian Desmond" <[EMAIL PROTECTED]> wrote:

> If you can log onto one of the machines as a domain admin (using cached
> credentials), you may be able to remotely reconfigure each machine. That's a
> long shot.
>
> Otherwise you'll need to restore a DC from your old domain from backup and
> make the policy change, and so on and so forth. Might want to check out the
> ADMT tool next go-around. :)
>
> --Brian Desmond
> [EMAIL PROTECTED]
> Payton on the Web! Http://www.wpcp.org
>
> v: 773.534.0034 x135
> f: 773.534.0035
>
> -Original Message-
> From: Aaron Visser [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 26, 2004 3:29 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Any way out of this mess?
>
> I have just rebuilt our Servers with Server 2003 (a fresh install) All the
> new users are created all the new groups done new GPO's etc etc etc. The big
> mistake I made was not removing the clients from the old Domain before I
> blew it away (I thought I could just login as local admin and leave the old
> Domain and reboot and join the new one) Well that would have worked real
> well if only I had known that the old Domain had a GPO that disallowed even
> the Local Admin to logon interactively to the computers. So now when I try
> to login to the Local admin account on the workstations that no longer have
> a valid domain membership I get 'the local policy of this system does not
> permit you to logon interactively' message and I cannot logon.
>
> Anything I can do to allow me to logon or remove the account from the old
> domain? All I can think of right now is reinstalling the OS on the
> workstations but then I would have to reconfigure all the programs etc for
> every station (not liking that option) :(
>
> Thanks,
> Aaron

Well this seems to be working (Cached Credentials) (Thanks Brian) :)

The only problem I face now is I have not been to every workstation and logged in as admin since I have been here and I have no idea what the old admin passwords are, let's just hope I don't run into too many of those computers. Also I do have access to the Admin share on these computers via the local network so I will be trying out Alex's idea for those ones that I am unable to access the cached info. :)

Thanks to all, wish it was Friday,
Aaron
Re: [ActiveDir] Any way out of this mess?
That program is great but unless I am missing something it does not remove the account from the old computer domain. I had already used that program to reset the local admin pass because I had no idea what it was (I took this site over a few months ago) and I get the same message 'the local policy of this system does not permit you to logon interactively'

On 7/26/04 1:40 PM, "Michael B. Smith" <[EMAIL PROTECTED]> wrote:

> http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
> Sent: Monday, July 26, 2004 4:29 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Any way out of this mess?
>
> I have just rebuilt our Servers with Server 2003 (a fresh install) All
> the new users are created all the new groups done new GPO's etc etc etc.
> The big mistake I made was not removing the clients from the old Domain
> before I blew it away (I thought I could just login as local admin and
> leave the old Domain and reboot and join the new one) Well that would
> have worked real well if only I had known that the old Domain had a GPO
> that disallowed even the Local Admin to logon interactively to the
> computers. So now when I try to login to the Local admin account on the
> workstations that no longer have a valid domain membership I get 'the
> local policy of this system does not permit you to logon interactively'
> message and I cannot logon.
>
> Anything I can do to allow me to logon or remove the account from the
> old domain? All I can think of right now is reinstalling the OS on the
> workstations but then I would have to reconfigure all the programs etc
> for every station (not liking that option) :(
>
> Thanks,
> Aaron
[ActiveDir] Any way out of this mess?
I have just rebuilt our Servers with Server 2003 (a fresh install). All the new users are created, all the new groups done, new GPO's etc etc etc. The big mistake I made was not removing the clients from the old Domain before I blew it away (I thought I could just login as local admin and leave the old Domain and reboot and join the new one). Well that would have worked real well if only I had known that the old Domain had a GPO that disallowed even the Local Admin to logon interactively to the computers. So now when I try to login to the Local admin account on the workstations that no longer have a valid domain membership I get 'the local policy of this system does not permit you to logon interactively' message and I cannot logon.

Anything I can do to allow me to logon or remove the account from the old domain? All I can think of right now is reinstalling the OS on the workstations but then I would have to reconfigure all the programs etc for every station (not liking that option) :(

Thanks,
Aaron
Re: [ActiveDir] Active Directory Sites and Services - IP Ranges for Site - SMS 2003
What I have come up with

155.168.0.0/16      155.168.0.1 - 155.168.255.254
155.168.64.0/18     155.168.64.1 - 155.168.127.254
155.168.128.0/17    155.168.128.1 - 155.168.255.254

Aaron Visser

From: "Jones, Rick J.(Desktop Engineering)" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Fri, 9 Jul 2004 08:09:53 -0700
To: <[EMAIL PROTECTED]>
Subject: [ActiveDir] Active Directory Sites and Services - IP Ranges for Site - SMS 2003

I have a TCP/IP question for you guys.

In Active directory Sites and Services there is a set of IP ranges that I am trying to figure out. Here are the entries;

155.168.0.0/16      Bothell
155.168.128.0/17    Allen
155.168.64.0/18     Allen

What I am trying to do is figure out what IP ranges these cover so that I can put the IP range into SMS 2003 boundaries for systems that are not in active directory to be able to assign to our sites. In SMS 2003 we are using the Active Directory Boundaries of Bothell and Allen; I just want to duplicate this in the server without causing overlapping which will mess up the SMS clients.

I think I have it figured out…. But am not sure, please correct me if I have it messed up, my eyeballs were very crossed yesterday as I was trying to figure this out.

AD Site             Effective IP range covered
155.168.0.0/16      155.168.0.1 to 155.168.63.254
155.168.64.0/18     155.168.64.1 to 155.168.127.254
155.168.128.0/17    155.168.128.1 to 155.168.255.254

Rick J. Jones
Desktop Engineering Resource Group
http://www.attwireless.com
Bothell 6 Cube 1151B
Phone:425-288-6240
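An added example, not part of the thread: Active Directory places a client in the site of the most specific subnet object that contains its address, so the range that effectively belongs to each entry is what is left after any narrower subnet inside it is carved out. The Python below computes those non-overlapping ranges for the three entries Rick lists, in the thread's first-host to last-host notation; the function names are assumptions of this example.

```python
import ipaddress

# Subnet-to-site entries exactly as listed in the thread.
SITE_SUBNETS = {
    "155.168.0.0/16": "Bothell",
    "155.168.128.0/17": "Allen",
    "155.168.64.0/18": "Allen",
}

def _carve(blocks, hole):
    """Remove network `hole` from whichever block contains it."""
    out = []
    for block in blocks:
        if hole.subnet_of(block):
            # address_exclude yields nothing when hole == block
            out.extend(block.address_exclude(hole))
        else:
            out.append(block)
    return out

def effective_ranges(site_subnets):
    """Map each subnet to (site, [(first_host, last_host), ...]) with
    every more-specific subnet nested inside it removed."""
    nets = {ipaddress.ip_network(c): s for c, s in site_subnets.items()}
    result = {}
    for net, site in nets.items():
        blocks = [net]
        for other in nets:
            if other != net and other.subnet_of(net):
                blocks = _carve(blocks, other)
        # b[1] / b[-2] skip the network and broadcast addresses
        ranges = [(str(b[1]), str(b[-2])) for b in sorted(blocks)]
        result[str(net)] = (site, ranges)
    return result

def site_for(ip, site_subnets=SITE_SUBNETS):
    """Longest-prefix match: the most specific containing subnet wins."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in map(ipaddress.ip_network, site_subnets) if addr in n]
    if not matches:
        return None
    return site_subnets[str(max(matches, key=lambda n: n.prefixlen))]

if __name__ == "__main__":
    for cidr, (site, ranges) in effective_ranges(SITE_SUBNETS).items():
        for first, last in ranges:
            print(f"{cidr:<18} {site:<8} {first} to {last}")
```

Because the /17 and /18 entries both sit inside the /16, only 155.168.0.1 to 155.168.63.254 is left to the /16 entry (Bothell).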
Re: [ActiveDir] Security
More Details

Win2k Servers
1 Root Server with another one for redundancy, 1 ISA Server, 1 Server for Teacher Data, 1 Server for Student Data

Win2003 Servers
1 for Office Staff

And the fun begins,

Well the biggest problem I am faced with is that the users (Students) ON the network are constantly trying to break in or crash the Servers. They are relentless, somehow yesterday (I have no idea how) they had managed to add accounts to the Domain Admin Group, the Schema Admins and the Enterprise Admins. The accounts they have added have been removed but again today I encountered two new instances of users being added to the Domain Admin group. I am following this as closely as I can, checking the groups every 10-15 minutes, but that becomes very tedious and a real pain in the ... so I was wondering if I could be notified of such things happening rather than have to find out the hard way. I did the GPO thing of Restricting Groups and I restricted the mentioned groups but I am pretty sure I shouldn't have done that as now all my Admin groups are Restricted (Domain Admins, Schema Admins, Enterprise Admins). I just want to make it a few more weeks until the end of the School year so I can rebuild the entire network with new servers etc. (I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated

Thanks to everyone,
Aaron Visser

> From: "Passo, Larry" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Thu, 10 Jun 2004 20:37:24 -0700
> To: <[EMAIL PROTECTED]>
> Subject: RE: [ActiveDir] Security
>
> I'm curious, do you have any more details?
>
> -Original Message-
> From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
> don't use the Restricted Groups feature on domain groups, especially
> domain admins. This has caused various issues for companies and thus
> they've backed away from this approach. However, using restricted
> groups on member servers and clients works well.
>
> \Guido
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
> Sent: Thursday, June 10, 2004 19:38
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
> If you want to make sure that no one is added to the group you could
> make the group a Restricted Group via a GPO.
>
> If you want to know when a user is added to the group, you could use a
> GPO to turn on auditing of "Account Management" but then you would have
> to search the audit logs of all of the DCs in the domain to find the
> activity.
>
> Or you could write a script that looked at the group membership and
> compared it with a pre-determined list. Then execute the script on a
> schedule of your choice.
>
> -Original Message-
> From: Aaron Visser [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 9:51 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Security
>
> I need to know when the Domain Admin Group has a user added to it or at
> least have that operation audited, is there any way to perform this with
> GPO
> or something built into win2k server.
>
> Thanks,
> Aaron Visser
[ActiveDir] Security
I need to know when the Domain Admin Group has a user added to it or at least have that operation audited, is there any way to perform this with GPO or something built into win2k server.

Thanks,
Aaron Visser
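An added example, not code from the thread: the replies in this thread suggest a scheduled script that compares group membership with a pre-determined list, and auditing "Account Management" with the logs of all DCs searched afterwards. The Python below does the comparison and then looks through audit records merged from every DC to name who made each unexpected addition. The account names, DC names and record fields are constructed sample data; 632, 636 and 660 are the Windows 2000/2003 Security-log event IDs for a member added to a security-enabled global, local or universal group.

```python
# Windows 2000/2003 Security-log event IDs for "member added" to a
# security-enabled global, local or universal group.
MEMBER_ADDED = {632: "global", 636: "local", 660: "universal"}

ADMIN = "CN=Administrator,CN=Users,DC=school,DC=example"
STUDENT = "CN=student42,OU=Students,DC=school,DC=example"

# Constructed sample data: the approved list and membership as read today.
BASELINE = {g: {ADMIN} for g in ("Domain Admins", "Enterprise Admins", "Schema Admins")}
OBSERVED = {**BASELINE, "Domain Admins": {ADMIN.lower(), STUDENT}}

# Constructed Account Management records, merged from every DC's Security log.
EVENTS = [
    {"dc": "DC1", "time": "2004-06-10T09:12:03", "id": 632,
     "group": "Domain Admins", "member": STUDENT, "caller": "labadmin"},
    {"dc": "DC1", "time": "2004-06-10T09:30:44", "id": 633,  # member removed
     "group": "Domain Admins", "member": STUDENT, "caller": "avisser"},
    {"dc": "DC2", "time": "2004-06-11T10:40:51", "id": 632,
     "group": "Domain Admins", "member": STUDENT, "caller": "svc-backup"},
]

def norm(dn):
    """Distinguished names compare case-insensitively."""
    return dn.strip().lower()

def unexpected_members(baseline, observed):
    """Return {group: [members present now but not on the approved list]}."""
    findings = {}
    for group, members in observed.items():
        approved = {norm(m) for m in baseline.get(group, ())}
        extra = sorted(m for m in members if norm(m) not in approved)
        if extra:
            findings[group] = extra
    return findings

def attribute(findings, events):
    """Attach the most recent matching 'member added' event from any DC."""
    report = []
    for group, members in findings.items():
        for member in members:
            hits = [e for e in events
                    if e["id"] in MEMBER_ADDED
                    and e["group"].lower() == group.lower()
                    and norm(e["member"]) == norm(member)]
            last = max(hits, key=lambda e: e["time"], default=None)
            report.append({"group": group, "member": member,
                           "added_by": last["caller"] if last else None,
                           "dc": last["dc"] if last else None,
                           "time": last["time"] if last else None})
    return report

if __name__ == "__main__":
    for row in attribute(unexpected_members(BASELINE, OBSERVED), EVENTS):
        print(row)
```

A finding with `added_by` of `None` means no DC's log holds a matching event, which points to auditing being off on some DC or the log having wrapped.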