Re: [ActiveDir] "Add or Remove Programs" GPO

[Bart Van den Wyngaert]

That opens the snap-in...

So through the Control Panel it doesn't work, directly running the .cpl it
does. Still don't understand it totally though...


On 1/25/07, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:


 You would not get a permissions problem from that admin. templates
policy. They just don't work that way. So my guess is its something else.
What happens, as administrator, when you run "appwiz.cpl" from a command
prompt?



Darren





*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Thursday, January 25, 2007 4:31 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] "Add or Remove Programs" GPO



I did, but the local administrators group has full control on the file.
And ofcourse, my AD admin account is part of the local administrators group
on the workstations (naturally).



That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either...



On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote:

So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The error
message could naturally be a false hint, but might as well check it out.



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Donnerstag, 25. Januar 2007 12:00
*To:* ActiveDir@mail.activedir.org
*Subject: *Re: [ActiveDir] "Add or Remove Programs" GPO



No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no
messenger, ... stuff.



These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).



My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...



Thanks,

Bart



On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote:

What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Mittwoch, 24. Januar 2007 17:38
*To:* ActiveDir
*Subject:* [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.



But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart

Re: [ActiveDir] "Add or Remove Programs" GPO

[Bart Van den Wyngaert]

I did, but the local administrators group has full control on the file. And
ofcourse, my AD admin account is part of the local administrators group on
the workstations (naturally).

That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either...


On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:


 So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The
error message could naturally be a false hint, but might as well check it
out.



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Donnerstag, 25. Januar 2007 12:00
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] "Add or Remove Programs" GPO



No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no
messenger, ... stuff.



These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).



My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...



Thanks,

Bart



On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote:

What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Mittwoch, 24. Januar 2007 17:38
*To:* ActiveDir
*Subject:* [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.



But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart

Re: [ActiveDir] "Add or Remove Programs" GPO

[Bart Van den Wyngaert]

No NTFS or other restrictions set in that GPO or the PC GPO.
Only some other restrictions like no access to control panel, no messenger,
... stuff.

These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).

My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...

Thanks,
Bart


On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:


 What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Mittwoch, 24. Januar 2007 17:38
*To:* ActiveDir
*Subject:* [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.



But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart

[ActiveDir] "Add or Remove Programs" GPO

[Bart Van den Wyngaert]

Hi,

I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.

But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe

Is this normal?! Did I miss something before setting this GPO?

Thanks,
Bart

Re: [ActiveDir] [OT] Partitioning

[Bart Van den Wyngaert]

diskpart from MS ?

On 1/19/07, Brian Cline <[EMAIL PROTECTED]> wrote:


 Hi folks, we've got a few partitions we need to enlarge on about 3 of our
servers – the space is there and available, but the partition just needs
to be expanded. Seeing as how PartitionMagic Pro has been discontinued,
can anyone recommend a good product for this?



Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax

Re: [ActiveDir] Unsubing

[Bart Van den Wyngaert]

You're not yet "assimilated" ??

On 1/19/07, Oliver Marshall <[EMAIL PROTECTED]> wrote:


Sorry to send this to the list, but I cant find the address to
unsubscribe. Can anyone help me out?



As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await me.

Big up'.

Olly

www.g2support.com/backups

Re: [ActiveDir] OT - BES 4.1.2 server on a SBS 2003 box

[Bart Van den Wyngaert]

Hi Susan,

Who else to answer SBS questions? *grin*

Yeah I know it's wise to drop the pop connector setup, but besides
that I don't like their "technical" explanation for troubleshooting
their install of BES...

I'm now troubleshooting it myself and already found out that they
don't have configured TCP 3101 on their firewall... So now the guy is
on the line with his ISP to have his firewall updated and I'm looking
for the error message he has.

And that's my case, I don't like people that tell strange "technical"
things that seem kinda strange to me. In that case I want to know
every little detail so I understand it and if correct, no objection to
do so. Call me "annoying" ;-)

Thanks
Bart

On 11/28/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:

I'll  find you contacts with folks that have done this.

In general it's wise to get off of the popconnector anyway IMF has
no ability to filter spam in a pop connector setup.

Popconnector will also not route bcc'd email... so in general it's wise
to move off of pop.

Bart Van den Wyngaert wrote:
> Hi,
>
> Anybody experience with BES (BlackBerry Enterprise Server) 4.1.2 on a
> SBS 2003 box?
>
> More particular I have following case: client requested installation
> of BES by another company. E2K3 is configured to download mails from
> POP3 accounts and SMTP to relay to the ISP SMTP server. After a long
> ping-pong with the other company, they told that BES couldn't function
> in 2 ways due the fact E2K3 is not configured to support it and they
> keep refering to SMTP.
>
> Now if I read the docs well from BlackBerry, I see that the BES server
> communicates with the BB device on port 3101 TCP both ways. So I'm a
> bit confused...
>
> Do I need to advise my customer to review his E2K3 configuration and
> instead of downloading their email from POP3 mailboxes, reconfigure it
> that MX record points to the server itself etc. OR are those
> consultants way off topic and just guessing and stuff?
>
> Thanks in advance for all lights in this very OT matter,
> Bart
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

[ActiveDir] OT - BES 4.1.2 server on a SBS 2003 box - Addendum

[Bart Van den Wyngaert]

Just another thought about this question... If BES should look at SMTP
to dertermine whether or not to forward it to the BB device and you
send an internal mail from Outlook, Exchange will use MAPI and not
SMTP right? Or I'm am totally wrong?

-- Forwarded message --
From: Bart Van den Wyngaert <[EMAIL PROTECTED]>
Date: Nov 28, 2006 3:28 PM
Subject: OT - BES 4.1.2 server on a SBS 2003 box
To: ActiveDir 


Hi,

Anybody experience with BES (BlackBerry Enterprise Server) 4.1.2 on a
SBS 2003 box?

More particular I have following case: client requested installation
of BES by another company. E2K3 is configured to download mails from
POP3 accounts and SMTP to relay to the ISP SMTP server. After a long
ping-pong with the other company, they told that BES couldn't function
in 2 ways due the fact E2K3 is not configured to support it and they
keep refering to SMTP.

Now if I read the docs well from BlackBerry, I see that the BES server
communicates with the BB device on port 3101 TCP both ways. So I'm a
bit confused...

Do I need to advise my customer to review his E2K3 configuration and
instead of downloading their email from POP3 mailboxes, reconfigure it
that MX record points to the server itself etc. OR are those
consultants way off topic and just guessing and stuff?

Thanks in advance for all lights in this very OT matter,
Bart
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

[ActiveDir] OT - BES 4.1.2 server on a SBS 2003 box

[Bart Van den Wyngaert]

Hi,

Anybody experience with BES (BlackBerry Enterprise Server) 4.1.2 on a
SBS 2003 box?

More particular I have following case: client requested installation
of BES by another company. E2K3 is configured to download mails from
POP3 accounts and SMTP to relay to the ISP SMTP server. After a long
ping-pong with the other company, they told that BES couldn't function
in 2 ways due the fact E2K3 is not configured to support it and they
keep refering to SMTP.

Now if I read the docs well from BlackBerry, I see that the BES server
communicates with the BB device on port 3101 TCP both ways. So I'm a
bit confused...

Do I need to advise my customer to review his E2K3 configuration and
instead of downloading their email from POP3 mailboxes, reconfigure it
that MX record points to the server itself etc. OR are those
consultants way off topic and just guessing and stuff?

Thanks in advance for all lights in this very OT matter,
Bart
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] Is it 2000 or 2003?

[Bart Van den Wyngaert]

Well actually I didn't use the adfind tool yet, when I read the
beginning of this thread I looked in the GUI "Active Directory Domains
and Trust" where is listed that my functional level of domain &
forrest is W2K3 (which I raised some months ago and seems correct).
But when I run the gpresult tool, it states that my domain type is
"Windows 2000", which I find a bit odd. Did I miss something in the
upgrade process or something? Is it an issue?

On 11/16/06, joe <[EMAIL PROTECTED]> wrote:

AdFind only determines the Directory level, it doesn't look for functional
modes or mixed mode. The way I get directory level is through the
supportedCapabilities attribute of the rootdse of the DC. Of course it is
possible to hit one DC looking for info and I pull the ROOTDSE from that DC
and then in the background a referral is processed which ends up getting the
info from another DC in another domain (or same domain if looking at app
parts).

You can get functionality modes from the rootdse attributes
domainFunctionality and forestFunctionality.

For all of those, just do an

AdFind -rootdse

And you will see what I am decoding and logically how I ascertain directory
level.



Mixed mode versus native you simply use the domain NCs nTMixedDomain
attribute.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, November 16, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

I don't understand where you are seeing this info.  Are you referring to the

applet that is used to raise the FL?  Or something else?

As for the "flag" that is used to identify the directory, it is usually a
combination of:

msDS-Behavior-Version
nTMixedDomain
supportedCapabilities


Or at least, that is the way I put info. such as server and directory in
each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he
does it the same way too.

Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain.  If

it's 2, check supportedCapabilities to see whether or not it is ADAM (it's
ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851
[LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).

In my test lab(s), my directory is considered a 2003 directory.

In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.


--Paul


- Original Message -
From: <[EMAIL PROTECTED]>
To: 
Sent: Thursday, November 16, 2006 3:45 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?


> I've entered this thread late so apologies if the below has already been
> stated:
>
> I recently created a new dev forest, with multiple domains. I too raised
> DFL and FFL as soon as all domains were built.
>
> I do not see the issues you describe and would suggest you download the
> scripts available here http://www.jadonex.com/
>
> One of the scripts (written by Dean) checks the DFL and FFL for the
> forest and across all domains.
>
> For a manual check, I also look here:
>
> FFL
> ===
> CN=Partitions,CN=Configuration,DC=xxx
> Attribute msDS-Behavior-Version
> 0=w2k FFL, 1=interim FFL, 2=w2k3 FFL
>
> DFL
> ===
> CN=,CN=Partitions,CN=Configuration,DC=xxx
> Attribute msDS-Behavior-Version
> 0=w2k DFL, 1=interim DFL, 2=w2k3 DFL
>
> Hope that helps,
> neil
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
> Sent: 16 November 2006 14:35
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>
> I got curios about this and decide to dcpromo my vm image of windows
> 2003 R2.
>
> After the AD installation (which sits at Windows 2000 for domain type) I
> raised the functionality for the domain and forest.
>
> The result for domain type was windows 2000.
>
> I am not sure it is supposed to be different.
>
> Anybody out there who can say their install says something else?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, November 15, 2006 3:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is it 2000 or 2003?
>
> Were these clean installs or inplace?
>
> Bart Van den Wyngaert wrote:
>> Well I also have a strange thing... It concerns 2 SBS 2003 systems.
>> Some months ago I raised both domain and forrest functional level on
>> those boxes. By reading this thread I decided to have a look...
>>
>> Both tools report the correct OS actually on both boxes.
>>
>> The only I wonder is a bit that they both report with the gpresult
>> tool tha

Re: [ActiveDir] Is it 2000 or 2003?

[Bart Van den Wyngaert]

Clean ones, both of them.
1 in English, 1 in a regional language called Dutch.
Both act the same way.
On both boxes I raised the functional level the same way.

On 11/16/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:

Were these clean installs or inplace?

Bart Van den Wyngaert wrote:
> Well I also have a strange thing... It concerns 2 SBS 2003 systems.
> Some months ago I raised both domain and forrest functional level on
> those boxes. By reading this thread I decided to have a look...
>
> Both tools report the correct OS actually on both boxes.
>
> The only I wonder is a bit that they both report with the gpresult
> tool that the domain type is Windows 2000
>
> If I look using GUI, they both report functional level of domain &
> forest being at 2003.
>
> Don't really get actually. Is this related? Normal or missed something
> when I did raise the functional levels?
>
> Thanks,
> Bart
>
> On 11/10/06, Noah Eiger <[EMAIL PROTECTED]> wrote:
>> Good question. DFL = 2003 and FFL = 2003. So it must just be some
>> lingering
>> text string. Does anyone think there is more it?
>>
>> Thanks.
>>
>> -- nme
>>
>> -Original Message-
>> From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
>> Sent: Friday, November 10, 2006 9:39 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>>
>>
>>
>> What does it say under:  AD Users & Computers | [right click domain
>> name] | Raise Domain Functional Level...
>>
>> ?
>>
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
>> Sent: Friday, November 10, 2006 11:12 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] Is it 2000 or 2003?
>>
>> Hi -
>>
>>
>>
>> Several months ago, I upgraded a small, multi-site domain from W2k to
>> W2k3. Or so I thought. The various markings in the schema indicate that
>> the upgrade was successful. But when I run, for example, gpresult, it
>> reports a Windows 2000 domain. Is this just some flag or string that did
>> not get set properly or is there really a problem with the upgrade?
>>
>>
>>
>> Thanks.
>>
>>
>>
>> -- nme
>>
>>
>>
>> P.S. I also just noticed that when I run netdiag on a new W2k3EN DC, it
>> says "System info: Windows 2000 Server (Build 3790)".
>>
>>
>>
>>
>> --
>> No virus found in this outgoing message.
>> Checked by AVG Free Edition.
>> Version: 7.1.409 / Virus Database: 268.13.32/523 - Release Date:
>> 11/7/2006
>>
>>
>> List info   : http://www.activedir.org/List.aspx
>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>>
>> --
>> No virus found in this incoming message.
>> Checked by AVG Free Edition.
>> Version: 7.1.409 / Virus Database: 268.13.32/523 - Release Date:
>> 11/7/2006
>>
>>
>> --
>> No virus found in this outgoing message.
>> Checked by AVG Free Edition.
>> Version: 7.1.409 / Virus Database: 268.13.32/523 - Release Date:
>> 11/7/2006
>>
>>
>> List info   : http://www.activedir.org/List.aspx
>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] Is it 2000 or 2003?

[Bart Van den Wyngaert]

Well I also have a strange thing... It concerns 2 SBS 2003 systems.
Some months ago I raised both domain and forrest functional level on
those boxes. By reading this thread I decided to have a look...

Both tools report the correct OS actually on both boxes.

The only I wonder is a bit that they both report with the gpresult
tool that the domain type is Windows 2000

If I look using GUI, they both report functional level of domain &
forest being at 2003.

Don't really get actually. Is this related? Normal or missed something
when I did raise the functional levels?

Thanks,
Bart

On 11/10/06, Noah Eiger <[EMAIL PROTECTED]> wrote:

Good question. DFL = 2003 and FFL = 2003. So it must just be some lingering
text string. Does anyone think there is more it?

Thanks.

-- nme

-Original Message-
From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
Sent: Friday, November 10, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 2000 or 2003?



What does it say under:  AD Users & Computers | [right click domain
name] | Raise Domain Functional Level...

?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 10, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it 2000 or 2003?

Hi -



Several months ago, I upgraded a small, multi-site domain from W2k to
W2k3. Or so I thought. The various markings in the schema indicate that
the upgrade was successful. But when I run, for example, gpresult, it
reports a Windows 2000 domain. Is this just some flag or string that did
not get set properly or is there really a problem with the upgrade?



Thanks.



-- nme



P.S. I also just noticed that when I run netdiag on a new W2k3EN DC, it
says "System info: Windows 2000 Server (Build 3790)".




--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.32/523 - Release Date:
11/7/2006


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.32/523 - Release Date: 11/7/2006


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.32/523 - Release Date: 11/7/2006


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] OT: M$

[Bart Van den Wyngaert]

Humz... This is going into a direction like who will define what's
funny or what isn't? Nobody can, it's personal! And there are a lot of
examples concerning the subject "humour", remind for example the issue
of a comic published in Denmark this year?

On 11/13/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA
<[EMAIL PROTECTED]> wrote:


Useless Air Farce would not be found funny because its just that, not funny.
 Funnier is US Chair Force.  Thats funny, and people here laugh at it all
the time.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Robert Rutherford
Sent: Monday, November 13, 2006 7:32 AM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$




;oP




Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Laura A. Robinson
Sent: 13 November 2006 12:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$




There's a reason for the "OT" portion of the subject line, you know. ;-)





Laura






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Robert Rutherford
Sent: Monday, November 13, 2006 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Can we kill this thread now, please?




Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Laura A. Robinson
Sent: 13 November 2006 11:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$




Clearly there are differing opinions about whether it's merely "slang" or
whether it's an inappropriate slur. Simpler just not to use it, don't you
think? I mean, I don't refer to the USAF as the "useless air farce" and
expect its members to think that's funny.





I don't take offense when people refer to Microsoft as "borg" or talk about
"drinking the Kool-Aid"; in fact, I have been known to reference both
myself. However, I remember the origin of "M$" (unlike, I suspect, some of
those who use the phrase and think it's funny), and I think it's ignorant
and inappropriate for people to use it on a Microsoft-centric list.





Laura






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 5:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

You have to be able to laugh at yourself.  M$ is a tounge in cheek
expression and certainly a corporation like Microsoft can laugh at itself
when M$ is used as slang in its reference.  Thats why we nickname really big
guys tiny.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Albert Duro
Sent: Sunday, November 12, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$


being conciliatory is laudable, but I think you're missing the point.  It's
not wether anybody is offended or not -- the question is why does someone
come into a peaceful gathering casting offense.  Especially when it's not
necessary.  If someone deliberately spits on the dinner table, do you say
'oh, well, he didn't hit any plate, let's just forget it' ?  or even worse,
'he hit someone else's plate -- no worries.'





- Original Message -


From: [EMAIL PROTECTED]


To: ActiveDir@mail.activedir.org


Sent: Friday, November 10, 2006 9:08 AM


Subject: RE: [ActiveDir] OT: M$





I highly doubt that any MS employee takes offence at what is surely as
tongue in cheek expression.





Let's not get _too_ PC please :/





neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$


Just out of curiosity, what makes people think it's appropriate to refer to
Microsoft as "M$" on an MS-focused mailing list whose participants include
Microsoft employees, Microsoft contractors, Microsoft MVPs and various other
people who may have a relatively positive view of Microsoft?





Laura






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?


This is the link to M$ to start with...very good info





http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp






--
Sincerely,
J




On 11/9/06, Stu Packett <[EMAIL PROTECTED]> wrote:

Hello everyone.  After reading through 

Re: [ActiveDir] OT: M$

[Bart Van den Wyngaert]

I agree about the origin but I think that the usage/meaning of M$ has
changed the last years. I think that is evolution or something.
Today I see people using it all around, even those that only work on
Microsoft platforms for many years. I also agree on the "relativation"
approach. A lot of people laugh with misery and other things, why not
sometimes smile with little things like that.
OK in the past it was used in a totally different way, but I think
that we have evolved now... Let's move on! Personally I use MS as it
is commonly known and types really fast :-)

On 11/13/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:


Clearly there are differing opinions about whether it's merely "slang" or
whether it's an inappropriate slur. Simpler just not to use it, don't you
think? I mean, I don't refer to the USAF as the "useless air farce" and
expect its members to think that's funny.

I don't take offense when people refer to Microsoft as "borg" or talk about
"drinking the Kool-Aid"; in fact, I have been known to reference both
myself. However, I remember the origin of "M$" (unlike, I suspect, some of
those who use the phrase and think it's funny), and I think it's ignorant
and inappropriate for people to use it on a Microsoft-centric list.

Laura


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 5:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$


You have to be able to laugh at yourself.  M$ is a tounge in cheek
expression and certainly a corporation like Microsoft can laugh at itself
when M$ is used as slang in its reference.  Thats why we nickname really big
guys tiny.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Albert Duro
Sent: Sunday, November 12, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$


being conciliatory is laudable, but I think you're missing the point.  It's
not wether anybody is offended or not -- the question is why does someone
come into a peaceful gathering casting offense.  Especially when it's not
necessary.  If someone deliberately spits on the dinner table, do you say
'oh, well, he didn't hit any plate, let's just forget it' ?  or even worse,
'he hit someone else's plate -- no worries.'

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, November 10, 2006 9:08 AM
Subject: RE: [ActiveDir] OT: M$

I highly doubt that any MS employee takes offence at what is surely as
tongue in cheek expression.

Let's not get _too_ PC please :/

neil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer to
Microsoft as "M$" on an MS-focused mailing list whose participants include
Microsoft employees, Microsoft contractors, Microsoft MVPs and various other
people who may have a relatively positive view of Microsoft?

Laura


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?


This is the link to M$ to start with...very good info

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp


--
Sincerely,
J


On 11/9/06, Stu Packett <[EMAIL PROTECTED]> wrote:
> Hello everyone.  After reading through a lot of the posts on this mailing
list, I realize I could make my job easier if I knew how to script.  I have
no experience in scripting, but would like to know what books do you
recommend as a beginner's book on scripting?  Also, I don't really know the
difference between WSH and VBScript, so if anyone could explain that, I'd
appreciate that.  After browsing through Amazon, I saw several books on WSH
and VBScript, but don't know where I should focus on.  I'm also open to
computer based training (CBT) videos of any exist.  Thanks in advance.
>


PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stat

Re: [ActiveDir] OT - Exchange 2003 IMF v2 configuration

[Bart Van den Wyngaert]

It is always possible to perform the transitioning, but as it is a
very small customer... You can guess I have to talk to them about it.


On 10/31/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:

Yup IMF no can do with the POP connector... it picks up the messages and
bypasses the IMF capability.  Honestly POP is not really a "business"
class protocol and the POP connector was placed there for 'transition
purposes'... and folks have been transitioning for a loonnnggg
time.  If you can, as soon as you can see if you can get them off of POP.

Bart Van den Wyngaert wrote:
> That's the answer indeed, I'm using the POP3 connector...
>
> Thanks Susan!
>
> On 10/31/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> <[EMAIL PROTECTED]> wrote:
>> First off are you using SMTP?  And not the Pop connector?
>> Check out this article:
>> http://www.vladville.com/articles/exchangesp2imf.asp
>>
>>
>>
>> Bart Van den Wyngaert wrote:
>> > Hi all,
>> >
>> > I'm having problems with the configuration of the Exchange 2003 IMF v2
>> > (SP2) on a SBS 2003 system. I've enabled it following the MS procedure
>> > and configured the archive folder on another disk, but I don't see the
>> > IMF working actually, neither are there no messages at all archived.
>> > Even with the SLC settings set to the maximum, no changes...
>> >
>> > Anybody ideas for me?
>> >
>> > Thanks,
>> > Bart
>> > List info   : http://www.activedir.org/List.aspx
>> > List FAQ: http://www.activedir.org/ListFAQ.aspx
>> > List archive:
>> http://www.mail-archive.com/activedir@mail.activedir.org/
>> >
>> List info   : http://www.activedir.org/List.aspx
>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] OT - Exchange 2003 IMF v2 configuration

[Bart Van den Wyngaert]

That's the answer indeed, I'm using the POP3 connector...

Thanks Susan!

On 10/31/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:

First off are you using SMTP?  And not the Pop connector?
Check out this article:
http://www.vladville.com/articles/exchangesp2imf.asp



Bart Van den Wyngaert wrote:
> Hi all,
>
> I'm having problems with the configuration of the Exchange 2003 IMF v2
> (SP2) on a SBS 2003 system. I've enabled it following the MS procedure
> and configured the archive folder on another disk, but I don't see the
> IMF working actually, neither are there no messages at all archived.
> Even with the SLC settings set to the maximum, no changes...
>
> Anybody ideas for me?
>
> Thanks,
> Bart
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

[ActiveDir] OT - Exchange 2003 IMF v2 configuration

[Bart Van den Wyngaert]

Hi all,

I'm having problems with the configuration of the Exchange 2003 IMF v2
(SP2) on a SBS 2003 system. I've enabled it following the MS procedure
and configured the archive folder on another disk, but I don't see the
IMF working actually, neither are there no messages at all archived.
Even with the SLC settings set to the maximum, no changes...

Anybody ideas for me?

Thanks,
Bart
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] OT: Ello!

[Bart Van den Wyngaert]

... Dutch men :-))

On 10/11/06, Paul van Geldrop <[EMAIL PROTECTED]> wrote:

You only have yourself to blame for pointing me to it, young man!
That brings the amount of possible ways to annoy you to.. 7. Muahaha.
Getting scared yet ? :P

Paul

-Original Message-
From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] On
Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, October 11, 2006 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Ello!

sh!t..he found the list...and I hoped he would never find it
well... I guess it did not work when I told him it was something like
edir.org
;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
* Tel : +31-(0)40-29.57.777
* Mobile : +31-(0)6-26.26.62.80
*E-mail  : 

 _

From: [EMAIL PROTECTED] on behalf of Paul van Geldrop
Sent: Tue 2006-10-10 17:37
To: ActiveDir
Subject: [ActiveDir] OT: Ello!
Ello!

Just thought I'd at least have the decency to announce my presence on this
list. ;)
Joined today and looking forward to learning from all the grey matter
frequenting this list!

Regards,

Paul



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Test 123

[Bart Van den Wyngaert]

Or have sometimes better (or other) things to do... ;-)

On 9/28/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

That's because the people like to sleep during the night :)

Just Joking

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 28, 2006 2:53 AM
To: ActiveDir.org
Subject: [ActiveDir] Test 123

Just checking to see if the list is working as nothing landed overnight.


Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

[Bart Van den Wyngaert]

Hoorah !! :-)

On 8/3/06, Michael B. Smith <[EMAIL PROTECTED]> wrote:

The feature is in Exchange 2007.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Thursday, August 03, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

Thanks Paul, as they are currently working (GMT+1), I will test again
this evening and post my findings here.

As you pointed out: troubleshooting is a real pain in the ass... Yes
I'm using VBScript, I have more experience with that then VB itself
and that makes it more easy for me.

Indeed MAPI Clients => Outlook! What a wonderfull world we live in...
I thought that they communicate with MAPI towards the Exchange server
which sends out in SMTP format. So I have a real problem with
understanding why MS didn't provide the feature themselves built-in.

Perhaps it's an idea for them for the future releases. They are
working on a lot of tools (ex. IMF) themselves to cut the need of
third-party tools, but something essential like this (I think it's
standard for a company to have a disclaimer, not?) is not available in
GUI and needs quiet some manipulation. Additionally the exception of
working with SBS and having the SMTP connector to be able to forward
mail to the SMTP of your ISP.

I know I keep hanging on that point, but I think I'm not the only
one.

On 8/3/06, Paul Williams <[EMAIL PROTECTED]> wrote:
> I've done this a couple of times, but on the exchange gateway servers,
not
> on an SBS box.  I've never seen SBS.
>
> Anyway, the easiest way to do this is to create a second virtual SMTP
server
> and set it to listen on port 26 (and send on 25).  Configure the first
> virtual server to send on 26 (its already listening on 25).  Then
register
> the sink on the second virtual server.
>
> The reason is that most of your clients are MAPI clients, so don't
trigger
> the SMTP sink.
>
> If you're using a connector, you need to point the second virtual
server at
> the connector (I think, it's been even longer since I did one where
they had
> an SMTP connector).
>
> I'm afraid I can't give you the scripts as they're at customer sites,
etc.
> One thing I will say is troubleshooting this is a real pain.  On one
problem
> I had Dev Support MSFT people help out.  We took it from the bottom
up.
> Unregistered all the sinks (that I'd registered, the VBS script you
use to
> register allows you to view all sinks) and then registered a new one
that
> simply created a text file on the D drive.
>
> As you're using VBS, not VB, ensure that you use absolute paths for
things
> like text files, etc. as the script will run and not error without
absolute
> paths but they won't work...
>
>
> --Paul
>
> - Original Message -
> From: "Bart Van den Wyngaert" <[EMAIL PROTECTED]>
> To: "ActiveDir" 
> Sent: Wednesday, August 02, 2006 9:41 PM
> Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
>
>
> > Hi guys,
> >
> > I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3
box.
> > I'm using the EventSink with a .vbs to add the disclaimer. The box
is
> > configured with a default SMTP server and a SMTP connector which
> > forwards all external email to the SMTP of the ISP.
> >
> > Anybody who has done the trick already? If so, can you please tell
me
> > the little secret for this? *g*
> >
> > Many thanks to all,
> > Bart
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

[Bart Van den Wyngaert]

Thanks Paul, as they are currently working (GMT+1), I will test again
this evening and post my findings here.

As you pointed out: troubleshooting is a real pain in the ass... Yes
I'm using VBScript, I have more experience with that then VB itself
and that makes it more easy for me.

Indeed MAPI Clients => Outlook! What a wonderfull world we live in...
I thought that they communicate with MAPI towards the Exchange server
which sends out in SMTP format. So I have a real problem with
understanding why MS didn't provide the feature themselves built-in.

Perhaps it's an idea for them for the future releases. They are
working on a lot of tools (ex. IMF) themselves to cut the need of
third-party tools, but something essential like this (I think it's
standard for a company to have a disclaimer, not?) is not available in
GUI and needs quiet some manipulation. Additionally the exception of
working with SBS and having the SMTP connector to be able to forward
mail to the SMTP of your ISP.

I know I keep hanging on that point, but I think I'm not the only one.

On 8/3/06, Paul Williams <[EMAIL PROTECTED]> wrote:

I've done this a couple of times, but on the exchange gateway servers, not
on an SBS box.  I've never seen SBS.

Anyway, the easiest way to do this is to create a second virtual SMTP server
and set it to listen on port 26 (and send on 25).  Configure the first
virtual server to send on 26 (its already listening on 25).  Then register
the sink on the second virtual server.

The reason is that most of your clients are MAPI clients, so don't trigger
the SMTP sink.

If you're using a connector, you need to point the second virtual server at
the connector (I think, it's been even longer since I did one where they had
an SMTP connector).

I'm afraid I can't give you the scripts as they're at customer sites, etc.
One thing I will say is troubleshooting this is a real pain.  On one problem
I had Dev Support MSFT people help out.  We took it from the bottom up.
Unregistered all the sinks (that I'd registered, the VBS script you use to
register allows you to view all sinks) and then registered a new one that
simply created a text file on the D drive.

As you're using VBS, not VB, ensure that you use absolute paths for things
like text files, etc. as the script will run and not error without absolute
paths but they won't work...


--Paul

- Original Message -
From: "Bart Van den Wyngaert" <[EMAIL PROTECTED]>
To: "ActiveDir" 
Sent: Wednesday, August 02, 2006 9:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


> Hi guys,
>
> I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
> I'm using the EventSink with a .vbs to add the disclaimer. The box is
> configured with a default SMTP server and a SMTP connector which
> forwards all external email to the SMTP of the ISP.
>
> Anybody who has done the trick already? If so, can you please tell me
> the little secret for this? *g*
>
> Many thanks to all,
> Bart
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

[Bart Van den Wyngaert]

I'm blessed I know :-)

That article I didn't came accross last night actually. Although the
info in that artcile I already did find. Performace isn't an issue btw
(min. 10 users).

Like I said before: I find this a real missing feature of Exchange...
As the author states, it's the most commonly asked question and
Exchange doesn't provide a nice GUI in which you can enable it.

On 8/3/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:

http://www.msexchange.org/articles/Disclaimer-Fun.html

Glutten for punishment aren't ya?

Bart Van den Wyngaert wrote:
> That's what I used, but in VBScript (the brother of the article you
> send).
>
> I indeed can bind that event sink to the default SMTP virtual server,
> but I don't see the disclaimers on external addresses. Then I saw that
> Marette had instructions involving some manipulation on SMTP in case
> you're using SBS.
>
> Which also kinda sounds strange. But when I went digging a little bit,
> I found that clients working with OL, will not have the disclaimer
> added (MAPI). Finally I'm having the impression that this is kinda
> made difficult while it should be easy by design... Or I'm a missing
> something on that point?
>
> It's not about the money, at least I don't pay it so don't care. From
> my point of view, it's the technical aspect that I want to know how
> it's structured and how to make it work really. That way I gain the
> knowledge :-)
>
> Bart
>
> On 8/3/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> <[EMAIL PROTECTED]> wrote:
>> Are you using the SBS's SMTP connector or using the
>> http://support.microsoft.com/?id=317327 info there?
>>
>> Marette's instructions to remove the SBS's native smtp connection, build
>> a new one that listens on port 26, the time it would have taking me to
>> follow her instructions.. I saved the time and money in getting out my
>> credit card and buying an event sink already done.
>>
>>
>>
>> Bart Van den Wyngaert wrote:
>> > Thanks all!
>> >
>> > Now the reason that I want to use the Event Sink way is because there
>> > is no more need then that... And like said, GFI is no longer. Neither
>> > the doc on Smallbizz.
>> >
>> > I know there is a manipulation needed on SMTP level, but I just don't
>> > see it. If somebody knows the little trick (was it an additional
>> > connector or virtual server)...?
>> >
>> > Thanks for the other inputs so far.
>> > Bart
>> >
>> > On 8/3/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:
>> >> Sure, I saw the message and remembered that we were still using a
>> >> disclaimer
>> >> script for this, so I thought I'd offer some help, but a word of
>> caution
>> >> about the fact that the script can get tricky.
>> >>
>> >> With only that many users, many of those problems might never show
>> >> up.  We
>> >> have a few more users than that (ok, 4 orders of magnitude!), so we
>> >> see a
>> >> lot of weird stuff that is hard to even imagine when you are
>> testing the
>> >> code.  :)
>> >>
>> >> The product is probably a better choice, especially if it is cheap.
>> >>
>> >> We really did try to buy a product to do this as we wanted more
>> >> features and
>> >> fewer problems (or someone else to blame them on), but only the
>> >> script had
>> >> reasonable performance.  Everything else brought our gateways to
>> >> their knees
>> >> and had to be disabled.  I was shocked by this actually.  :)
>> >>
>> >> Joe K.
>> >> - Original Message -
>> >> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
>> >> <[EMAIL PROTECTED]>
>> >> To: 
>> >> Sent: Wednesday, August 02, 2006 9:24 PM
>> >> Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS
>> 2K3 box
>> >>
>> >>
>> >> > This is an SBS box. we may have performance problems.. but it's
>> >> > certainly not caused by a SMTP sink event on that Exchange
>> server  ;-)
>> >> > Remember at the most we're only hosting 75 users/devices on that
>> >> server
>> >> > with a max of 75 gigs (remember no snickering from the Enterprise
>> >> folks)
>> >> > of Store.
>> >> >
>> >> > 

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

[Bart Van den Wyngaert]

That's what I used, but in VBScript (the brother of the article you send).

I indeed can bind that event sink to the default SMTP virtual server,
but I don't see the disclaimers on external addresses. Then I saw that
Marette had instructions involving some manipulation on SMTP in case
you're using SBS.

Which also kinda sounds strange. But when I went digging a little bit,
I found that clients working with OL, will not have the disclaimer
added (MAPI). Finally I'm having the impression that this is kinda
made difficult while it should be easy by design... Or I'm a missing
something on that point?

It's not about the money, at least I don't pay it so don't care. From
my point of view, it's the technical aspect that I want to know how
it's structured and how to make it work really. That way I gain the
knowledge :-)

Bart

On 8/3/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]> wrote:

Are you using the SBS's SMTP connector or using the
http://support.microsoft.com/?id=317327 info there?

Marette's instructions to remove the SBS's native smtp connection, build
a new one that listens on port 26, the time it would have taking me to
follow her instructions.. I saved the time and money in getting out my
credit card and buying an event sink already done.



Bart Van den Wyngaert wrote:
> Thanks all!
>
> Now the reason that I want to use the Event Sink way is because there
> is no more need then that... And like said, GFI is no longer. Neither
> the doc on Smallbizz.
>
> I know there is a manipulation needed on SMTP level, but I just don't
> see it. If somebody knows the little trick (was it an additional
> connector or virtual server)...?
>
> Thanks for the other inputs so far.
> Bart
>
> On 8/3/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:
>> Sure, I saw the message and remembered that we were still using a
>> disclaimer
>> script for this, so I thought I'd offer some help, but a word of caution
>> about the fact that the script can get tricky.
>>
>> With only that many users, many of those problems might never show
>> up.  We
>> have a few more users than that (ok, 4 orders of magnitude!), so we
>> see a
>> lot of weird stuff that is hard to even imagine when you are testing the
>> code.  :)
>>
>> The product is probably a better choice, especially if it is cheap.
>>
>> We really did try to buy a product to do this as we wanted more
>> features and
>> fewer problems (or someone else to blame them on), but only the
>> script had
>> reasonable performance.  Everything else brought our gateways to
>> their knees
>> and had to be disabled.  I was shocked by this actually.  :)
>>
>> Joe K.
>> - Original Message -
>> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
>> <[EMAIL PROTECTED]>
>> To: 
>> Sent: Wednesday, August 02, 2006 9:24 PM
>> Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
>>
>>
>> > This is an SBS box. we may have performance problems.. but it's
>> > certainly not caused by a SMTP sink event on that Exchange server  ;-)
>> > Remember at the most we're only hosting 75 users/devices on that
>> server
>> > with a max of 75 gigs (remember no snickering from the Enterprise
>> folks)
>> > of Store.
>> >
>> > (and reading his message.. see why I went with Policypatrol?
>> >
>> > Joe Kaplan wrote:
>> >> We actually use a script at work after having tried a few products
>> and
>> >> having terrible performance problems.  If you are interested, I'll
>> ping
>> >> one of the exchange guys and see if he can provide a little
>> direction.
>> >>
>> >> Once you actually get it working from a plumbing standpoint, the
>> script
>> >> itself is actually a bit trickier to implement than the trivial
>> sample MS
>> >> shows.  You have to decide if you are going to put HTML into HTML
>> body
>> >> parts, text into text body parts, both into messages that have
>> both, and
>> >> what to do about signed messages, as the disclaimer will change
>> the data
>> >> and invalidate the digital signature.  You also need to be careful
>> you
>> >> don't screw up the encoding of messages in non-ASCII or ISO-8859-1
>> >> character sets. You can also decide if you want to add the
>> disclaimer to
>> >> messages that already contain it (sometimes mail routing may cause a
>> >> message to hit the sink more than 

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

[Bart Van den Wyngaert]

Thanks all!

Now the reason that I want to use the Event Sink way is because there
is no more need then that... And like said, GFI is no longer. Neither
the doc on Smallbizz.

I know there is a manipulation needed on SMTP level, but I just don't
see it. If somebody knows the little trick (was it an additional
connector or virtual server)...?

Thanks for the other inputs so far.
Bart

On 8/3/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:

Sure, I saw the message and remembered that we were still using a disclaimer
script for this, so I thought I'd offer some help, but a word of caution
about the fact that the script can get tricky.

With only that many users, many of those problems might never show up.  We
have a few more users than that (ok, 4 orders of magnitude!), so we see a
lot of weird stuff that is hard to even imagine when you are testing the
code.  :)

The product is probably a better choice, especially if it is cheap.

We really did try to buy a product to do this as we wanted more features and
fewer problems (or someone else to blame them on), but only the script had
reasonable performance.  Everything else brought our gateways to their knees
and had to be disabled.  I was shocked by this actually.  :)

Joe K.
- Original Message -
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
To: 
Sent: Wednesday, August 02, 2006 9:24 PM
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


> This is an SBS box. we may have performance problems.. but it's
> certainly not caused by a SMTP sink event on that Exchange server  ;-)
> Remember at the most we're only hosting 75 users/devices on that server
> with a max of 75 gigs (remember no snickering from the Enterprise folks)
> of Store.
>
> (and reading his message.. see why I went with Policypatrol?
>
> Joe Kaplan wrote:
>> We actually use a script at work after having tried a few products and
>> having terrible performance problems.  If you are interested, I'll ping
>> one of the exchange guys and see if he can provide a little direction.
>>
>> Once you actually get it working from a plumbing standpoint, the script
>> itself is actually a bit trickier to implement than the trivial sample MS
>> shows.  You have to decide if you are going to put HTML into HTML body
>> parts, text into text body parts, both into messages that have both, and
>> what to do about signed messages, as the disclaimer will change the data
>> and invalidate the digital signature.  You also need to be careful you
>> don't screw up the encoding of messages in non-ASCII or ISO-8859-1
>> character sets. You can also decide if you want to add the disclaimer to
>> messages that already contain it (sometimes mail routing may cause a
>> message to hit the sink more than once) or not, and if you care about
>> that, how do you decide if the disclaimer is in there?  :)
>>
>> Ours still has some issues with a few of these points, but some of the
>> problems were too tough to deal with for the people who were trying to
>> solve them, so they just slid.
>>
>> Joe K.
>> - Original Message - From: "Bart Van den Wyngaert"
>> <[EMAIL PROTECTED]>
>> To: "ActiveDir" 
>> Sent: Wednesday, August 02, 2006 3:41 PM
>> Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
>>
>>
>>> Hi guys,
>>>
>>> I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
>>> I'm using the EventSink with a .vbs to add the disclaimer. The box is
>>> configured with a default SMTP server and a SMTP connector which
>>> forwards all external email to the SMTP of the ISP.
>>>
>>> Anybody who has done the trick already? If so, can you please tell me
>>> the little secret for this? *g*
>>>
>>> Many thanks to all,
>>> Bart
>>> List info   : http://www.activedir.org/List.aspx
>>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>>> List archive: http://www.activedir.org/ml/threads.aspx
>>
>> List info   : http://www.activedir.org/List.aspx
>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.activedir.org/ml/threads.aspx
>>
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com
>
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
> will hunt you down...
> http://blogs.technet.com/sbs
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

[Bart Van den Wyngaert]

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Reset home page via GPO

[Bart Van den Wyngaert]

That's the point, but they will get used to it. It's like implementing
strong password policy in an environment which doesn't have it yet.
First there will be complaints, but after a while they stop nagging
and just follow the flow :-)

Bart

On 7/24/06, Tim Foster <[EMAIL PROTECTED]> wrote:


I have done this in the past and the only issue I am aware of is users not
liking your choice of home page!

User Configuration\Windows Settings\Internet Explorer Maintenance\URLs

Tim





> Date: Mon, 24 Jul 2006 10:33:41 -0500
> From: [EMAIL PROTECTED]

> Subject: [ActiveDir] Reset home page via GPO
> To: ActiveDir@mail.activedir.org
>
> Hello, colleagues,
>
> Our HR department wants everybody's IE home
page reset to our intranet
> home page. I presume the way to do this is via GPO,
and apply it only to
> the users' OU.
>
> Are there any issues (other than political ones,
of course) with doing
> this?
>
> (Just an aside: We're back to work following the
worst power outtage in
> St. Louis history. Over 500,000 people without power
for several days,
> and nearly 200,000 still out. Very interesting week we
just had.)
>
> --

> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Reset home page via GPO

[Bart Van den Wyngaert]

We do it without issues. Only in case you have a large number of
users, it can give a load on your intranet ofcourse (each time IE is
opened, hitting your intranet).

I see most companies implementing that GPO. Not always that funny, but
you get used to it... :-)

Regards,
Bart

On 7/24/06, Larry Wahlers <[EMAIL PROTECTED]> wrote:

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet
home page. I presume the way to do this is via GPO, and apply it only to
the users' OU.

Are there any issues (other than political ones, of course) with doing
this?

(Just an aside: We're back to work following the worst power outtage in
St. Louis history. Over 500,000 people without power for several days,
and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

[Bart Van den Wyngaert]

Hi Al,

Just came accross this link... Didn't test it myself as I am going to
do a real upgrade of the stuff (I still don't understand why there is
no real upgrade package, I really don't see any difference except the
added feature and I want to have both mstsc.exe as the MMC with the
feature)...

http://www.petri.co.il/download_rdp_5_2.htm

Regards,
Bart

On 7/4/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


Sounds suspiciously like a bug of omission that ought to be reported.  The
newer version should be laid down with the applications that it comes with
IMHO. If it's in the code tree that far ahead, then I can't see a reason
that it isn't laid down.

Al



On 7/4/06, Bart Van den Wyngaert <[EMAIL PROTECTED]> wrote:
>
What I have found today is that I actually don't have to register the
.DLL file, only have both files in the same directory present already
does the trick. Although when you do a 'Start > Run > mstsc' it will
start the one in your Windows folder ofcourse.

Old version: 5.1.2600.2180
New version: 5.2.3790.1830

And when registering the new .DLL in another location then the current
one (ex. D:\MSTSC\MSTSCAX.DLL), I receive the message "*.DLL was
loaded, but the DllInstall entry point was not found. *.DLL does not
appear the be a .DLL or .OCX file"

For tsmmc.msc I have found that I needed to install the MMC 3.0
update, register the .DLL (although I had a warning) and then it was
available...

I've installed W2K3 SP1 Administration Tools, but that didn't actually
do the upgrade. If I look into the source of the Support Tools, I
don't see the .DLL files or the .EXE files located there.

So actually we should fine tune this to have the ideal 'upgrade' ;-)

Regards,
Bart

On 6/21/06, Al Mulnick < [EMAIL PROTECTED]> wrote:
>
> I would have expected the support tools from W2K3 SP1 Server to upgrade
the
> version.  Can you send the file version and time stamp information for
those
> files?
>
>
> Al
>
>
>
> On 6/20/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
> > HI,
> >
> > Al Mulnick::
> > I have tried updating the version but that didnt helped me. Did you
> > see the snapshot without security tab it was same after installing
> > updated version.
> >
> > Can you send me a link from where i can find Updated version to modify
> > built in MSTSC.
> >
> > Thanks for all your help.
> >
> > Bart Van den Wyngaert::
> > You are right i tried same but it wasnt giving me option to select
> > "Require Authentication"
> >
> > It look like there is a dll which is used by both mstsc and tsmmc.msc
> > because when i registered this dll both things worked fine for me.
> >
> > Let me know if i am missing something?
> >
> > Thanks and Regards
> > Ravi Dogra
> >
> >
> >
>
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

[Bart Van den Wyngaert]

To be clear, I was talking about implementing the new version on my XP
workstation, not on the server itself.

I assume (not yet tested) that if you deregister the current
MSTSCAX.DLL, copy the 2 new files (.DLL + .EXE), register the new
.DLL, that you should have done an 'upgrade'.

Did not yet tested that one. Also will this not trigger File Protection?


From my point of view, I think it's silly not to have the upgrade.

Perhaps they already implemented it in R2 and are we just a little too
fast before they have a chance to release a decent upgrade for other
versions of Windows?

Bart

On 7/4/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


Sounds suspiciously like a bug of omission that ought to be reported.  The
newer version should be laid down with the applications that it comes with
IMHO. If it's in the code tree that far ahead, then I can't see a reason
that it isn't laid down.

Al



On 7/4/06, Bart Van den Wyngaert <[EMAIL PROTECTED]> wrote:
>
What I have found today is that I actually don't have to register the
.DLL file, only have both files in the same directory present already
does the trick. Although when you do a 'Start > Run > mstsc' it will
start the one in your Windows folder ofcourse.

Old version: 5.1.2600.2180
New version: 5.2.3790.1830

And when registering the new .DLL in another location then the current
one (ex. D:\MSTSC\MSTSCAX.DLL), I receive the message "*.DLL was
loaded, but the DllInstall entry point was not found. *.DLL does not
appear the be a .DLL or .OCX file"

For tsmmc.msc I have found that I needed to install the MMC 3.0
update, register the .DLL (although I had a warning) and then it was
available...

I've installed W2K3 SP1 Administration Tools, but that didn't actually
do the upgrade. If I look into the source of the Support Tools, I
don't see the .DLL files or the .EXE files located there.

So actually we should fine tune this to have the ideal 'upgrade' ;-)

Regards,
Bart

On 6/21/06, Al Mulnick < [EMAIL PROTECTED]> wrote:
>
> I would have expected the support tools from W2K3 SP1 Server to upgrade
the
> version.  Can you send the file version and time stamp information for
those
> files?
>
>
> Al
>
>
>
> On 6/20/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
> > HI,
> >
> > Al Mulnick::
> > I have tried updating the version but that didnt helped me. Did you
> > see the snapshot without security tab it was same after installing
> > updated version.
> >
> > Can you send me a link from where i can find Updated version to modify
> > built in MSTSC.
> >
> > Thanks for all your help.
> >
> > Bart Van den Wyngaert::
> > You are right i tried same but it wasnt giving me option to select
> > "Require Authentication"
> >
> > It look like there is a dll which is used by both mstsc and tsmmc.msc
> > because when i registered this dll both things worked fine for me.
> >
> > Let me know if i am missing something?
> >
> > Thanks and Regards
> > Ravi Dogra
> >
> >
> >
>
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

[Bart Van den Wyngaert]

What I have found today is that I actually don't have to register the
.DLL file, only have both files in the same directory present already
does the trick. Although when you do a 'Start > Run > mstsc' it will
start the one in your Windows folder ofcourse.

Old version: 5.1.2600.2180
New version: 5.2.3790.1830

And when registering the new .DLL in another location then the current
one (ex. D:\MSTSC\MSTSCAX.DLL), I receive the message "*.DLL was
loaded, but the DllInstall entry point was not found. *.DLL does not
appear the be a .DLL or .OCX file"

For tsmmc.msc I have found that I needed to install the MMC 3.0
update, register the .DLL (although I had a warning) and then it was
available...

I've installed W2K3 SP1 Administration Tools, but that didn't actually
do the upgrade. If I look into the source of the Support Tools, I
don't see the .DLL files or the .EXE files located there.

So actually we should fine tune this to have the ideal 'upgrade' ;-)

Regards,
Bart

On 6/21/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


I would have expected the support tools from W2K3 SP1 Server to upgrade the
version.  Can you send the file version and time stamp information for those
files?


Al



On 6/20/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
> HI,
>
> Al Mulnick::
> I have tried updating the version but that didnt helped me. Did you
> see the snapshot without security tab it was same after installing
> updated version.
>
> Can you send me a link from where i can find Updated version to modify
> built in MSTSC.
>
> Thanks for all your help.
>
> Bart Van den Wyngaert::
> You are right i tried same but it wasnt giving me option to select
> "Require Authentication"
>
> It look like there is a dll which is used by both mstsc and tsmmc.msc
> because when i registered this dll both things worked fine for me.
>
> Let me know if i am missing something?
>
> Thanks and Regards
> Ravi Dogra
>
>
>



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

[Bart Van den Wyngaert]

OK cool...
 
But as most know, there is 'tsmmc.msc' also to work with RDP. I use this a lot to have less windows open... If they make SSL available, what about having SSL with the 'tsmmc.msc' ?
 
TIA
 
On 6/20/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


 
Why?  Why did you not just install the updated version using the installer? Was there an advantage? 
 
I'm so full of questions I know, but this seems the hard way with issues waiting for later.  

On 6/20/06, Ravi Dogra <[EMAIL PROTECTED]
> wrote: 
Thanks,I have acheived by making a copy of mstsc.exe and mstscax.dll fromwindows2k3 sp1 box and placing it in a different folder of client 
other than system32.Registered the dll and this fixed the problem.Thanks Again,Ravi DograList info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] SBS and reducing downtime on crash

[Bart Van den Wyngaert]

Totally agree on the points said by Susan. Practive is important though, it's even documented by MS and that works just fine. And I use the built in backup, no issues poped up and I had the server up and running in now time!
 
On 6/8/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
1.  Go to TechEd 2006 in Boston2.  Go to Jeff Middleton's Myths of DR on SBSAny questions?
Okay so seriously...3.  Remember that under the hood we're AD.. so even though the big guysaround here cringe at a single DC, all on one box.. all the tricks forAD restoration still work.Okay Susan's first and foremost SBS rule of DR
1. Buy good hardware.I have been running SBS since SBS 4.0 and here's what nailed me in the pastNIC diedHub died (back when we did hubs)NIC diedSwitch diedHarddrive dropped off raid
Switch froze up required hard reset  (just two weeks ago.. good excusefor upgrading to gig switches don't you think?)In all those years I've had minimal downtime.  Notice that I've onlylost one drive and that was on my adaptec raid screaming like crazy but
the network still chugged just fine ..so these days I buy spare nics andharddrives.I've also always had SCSI drives, and with my current baby (HP) havethat lovely hardware monitoring stuff that sends me emails when the
hardware gets even a sniffle.Now I have a Dell OEM with IDE drives and it's not a server and you canso tell.  The SATA drive ones are ... well ask us again in aboutanother year or so of the 'three year let's see how they do compared to
SCSI'.  My home server is a cheap SATA HP but even that is better thanthe cheap Dell OEM version I got.Lesson 1 - buy HP.. buy good server quality hardware.2.  Consider adding to that backup a drive image software
(okay someone go tell the Garage door guy, the AD guru and the Joewareguy to stick fingers in their ears and don't read this)We are only one DC.  It's a little hard to have replication andtombstone issues when you only have one AD.  Acronis may not say they
will support imaging a DC... but when you only have one... it's not abiggie and it works.  We've done it.  Heck we can even restore a systemstate that's getting gray hairs.  When you only have "one"...sometimes
you can do things that in big server land you absolutely would neverever do.3.  Consider adding a secondary DC.These days with virtual pc/server/vmware load up a server os on aworkstation even and park an additional domain controller to replicate
that AD.4.  Practice that restore.  "A few days to get it back in the air"?Worst case scenerio... Hurricane Katrina.. Jeff Middleton is from NewOrleans Louisiana.. you know what he found? (and I'm ccing him so he can
chat with you more directly).. ever try to buy a server hardware in acomputer store?  He was buying MCE editions as they were the beefierones have offsite backups of mediaas he was scrambling in some
cases to get the right media.  Sometimes it was the little things thatnailed him.Your worst case scenerio is replacing that hardware... bare metalrecovery in the 2k3 era is not the same as we had it in the 2k era with
the SFN issues.SBS is no different of a DR recovery than the big guys... it justmagnifies it is allIn a normal DR setup ... to get that back in the air.. on an SBS box?Not if you know what you are doing and have practiced.
5.  Cold server rights.  If you have SA you have cold serverrightsyou can park another server with a copy of the OS and thenturn it off and leave it.Okay now let's review some of that 'the firm is down'.
1.  Cached credentials, cached outlook means that the server can dropoff the face of the earth and the workstations just kinda hang out untilit comes back on.2.  Have alternative ways to get to key data.  I have a robocopy that
pulls a copy of certain folders over to a spare drive on myworkstation.. Excel and Word docs.. should the gang absopositively needto get into a doc for a case, even if the server is down, we have aduplicate that can be gotten into.
But honestly we're no different of a DR story than the big guys..a tadmore complicated due to the all on one box... but the same rules applyRAIDHardwaredon't skimpPracticeDecide if you are not going to do the secondary DC and to a server
image...or do the secondary DC and don't image.and don't panic.and in my case I'm calling Jeff and paying him to bemy calm DR buddy should something occur...btw I don't like Veritas in a single SBS setup.. the built in SBS backup
works fine.. if you need to backup additional servers, then do VeritasQuatro Info wrote:>Hi all,>>>Have a general question / case.>>On small companies ( 10 - 20 employees), what config is the best to set the downtime in case of a crash to a minimum. Especially in
>a SBS environment / small company.>>Lets keep it an easy example:>>   -company has 15 employees>   -15 XP workstations>   -one SBS 2k3 server installed with all necessary tools etc..veritas backup exec / groupshield   etc etc..
>   -raid m

Re: [ActiveDir] urgent help please

[Bart Van den Wyngaert]

They have those rights because of the fact they manage each a server? Because they have quiet a lot rights actually.
 
Perhaps review your security administration/architecture?
 
Best regards,
Bart 
On 4/24/06, marwahashem <[EMAIL PROTECTED]> wrote:
Dear All ,I have here in My Network 2 users as the following :-User 1- He is Member of the follwoing group in Our Active Directory Domain:-
1. Account Operators.2. Backup Operators.3. DNS Admin.4. Domain Admins.5. Domain Computers.6. Domain Users.7. Enterprise Admin.8. Group Policy Creator Owner.9. Remote Desktop Users.
10. Schema Admin.--User 2- He is a member of the following groups:-1- Account Operators.2- Backup Operators.3- Domain Admins.
4- Domain Users.5- Enterprise Admin.6- Remote Desktop Users.7- Schema Admin.8- Group Policy Creator.=Now, Both Of them have 2 server speraatly and every one manage his server in
Our domain Alone with his user name and Password.the First server is Axapta server & the Second is Normal Intranet server.Both server are member of our domain.we have only 1 domain with single forest with 2 DC.
Now, both of them when ever they want to access the Domain Controller Byusing Terminal Service Or by Login  to the domain controller while they arestanding of him  by his user name & Passowrd instead of the Administrator
user name & Password, they are able completely without any Problem.Due to that , we face some Problem with one of them Because he completelydid something to the Domain Controller .Now, My Manager asked me to only allow User 2 to access the Domain
Controoler by his user name & Password & even By using Terminal service .and he does not want any other Persons to have the chance to login to thedomain controller by his user name & Password & Even by using Termianl
Service or Remote Desktop Connection.\Please guide me , what should i do in order to achive this , what should ineed to delete ?Thanks & Best Regards,Marwa,Thanks & Best Regards,
Marwa,List info   : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Domain Controllers on blade servers

[Bart Van den Wyngaert]

Yes, the only consideration was that there should several DC's be in seperate enclosures. Simple consideration I think. But the DC's are running like it should be, can't say we had any issue related to the fact that it is running on a Blade actually.

 
Regards,
Bart 
On 4/24/06, Mark Parris <[EMAIL PROTECTED]> wrote:
Apart from there only being two physical disks are there any real concerns about running DC's on blade technolgies?
I have not had to implement AD on blades as of yet and wanted to know any real world experiences of doing so - it will be a production environment and supporting exchange 2003 (which they want to run on blade technology too - connected to a SAN)
MarkList info   : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Somebody experience with recovery AD with Veritas (W2K)

[Bart Van den Wyngaert]

Believe or not, but the guy has found a way to restore AD *hallelujah*
 
It's not my problem to trust the backup or not... Not that your point isn't a good one, but I was called for this while the guy was onsite. It is his client and his responsability, not mine.
 
Secondly there is just 1 server... Not even Exchange on it, but some kinda strange tool for emailing.
 
So he managed to get AD back (using a backup from begin April) and I simply advised him to migrate the server and to do a decent migration. Because the issues he encountered are in fact quiet stupid. The server has been installed long time ago by somebody else. Due circumstances he has now the contract for maintenance of that server, but the client wouldn't pay a migration to a new one so you could have a nice clean install W2K3. During the night from Wednesday to Thursday, the server started crashing during Automatic Updates, resulting in a corrupt AD.

 
He lost (and no, I'm not joking) 8 hours in order to gain access in "Directory Services Restore Mode"... This because he didn't do the actual install and didn't know the account. Then problems with the backups, totally unaware of the config, never done tests, and so on and so on.

 
So my conclusion: not only the client has learned an important lesson, he did also :-)
 
Many thanks for all your thoughts!
Bart 
On 4/23/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
Another thing to consider would be whether or not you really want torecover it from a backup that may or may not be trusted. At this
point, you might have some second thoughts about that.As long as there are more DC's, recovery might consist of getting ridof the corrupted DC, fix the problem, and then repromote (IFM if lowbandwidth concerns, might be an option).
Trusting the backup in this case seems risky.My $0.04 worth.On 4/22/06, Paessens, Daniel <[EMAIL PROTECTED]> wrote:>> Recoverying the AD will depend of the way how you perform a backup the AD.
> For example Using NTBackup to create a system state backup on disk and then> backup these on tape with Veritas.> Or Performing this backup directly with Veritas.>> Best is to find out what is the items backup currently and react with these
> knowledge.>> Daniel> ____________>> From: [EMAIL PROTECTED]> [mailto:
[EMAIL PROTECTED]] On Behalf Of> Bart Van den Wyngaert> Sent: Friday, April 21, 2006 12:21> To: ActiveDir@mail.activedir.org> Subject: Re: [ActiveDir] Somebody experience with recovery AD with Veritas
> (W2K)>> From: [EMAIL PROTECTED]> [mailto:[EMAIL PROTECTED]
] On Behalf Of> Bart Van den Wyngaert> Sent: Friday, April 21, 2006 12:21> To: ActiveDir@mail.activedir.org> Subject: Re: [ActiveDir] Somebody experience with recovery AD with Veritas
> (W2K)>>> I made already the request to perform an inventory when booted into> Directory Services Restore Mode because I suspect that there are issues in> that direction. Personally I never did a disaster or AD recovery with
> Veritas and I'm not familiar with the configuration locally.>> We'll see what happens, if the guys can read the docs properly I just> sent...>>> On 4/21/06, Almeida Pinto, Jorge de
> <[EMAIL PROTECTED]> wrote:> >> >> > in google I found:> >> 
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-05,GGLG:en&q=Physical+volume+library+media+is+not+found> > does that help?> > jorge> >> >
> >> > > From: [EMAIL PROTECTED] [mailto:> 
[EMAIL PROTECTED]] On Behalf Of Bart Van> den Wyngaert> > Sent: Friday, April 21, 2006 11:59> > To: ActiveDir> > Subject: [ActiveDir] Somebody experience with recovery AD with Veritas
> (W2K)> >> >> >> >> > Hi,> >> > Does somebody has experience with recovery AD with Veritas on a W2K DC?> >> > Reason is that a collegue of mine is on a site where the AD has become
> corrupt, but there are problems with restoring system state using Veritas.> Error message is "Physical volume library media is not found."> >> > The support documentation on the Veritas website doesn't really help us
> further, we're still stuck there. Additionally this is a site of which we> don't have docs :-( Making the job real hard for us...> >> > Any tips, suggestions, etc. are welcome!> >
> > Thanks in advance,> > Bart> >> >> >> >> >> > This e-mail and any attachment is for authorised use by the intended> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be copied,> disclosed to, retained or used by, any other party. If you are not an> intended recipient then please promptly delete this e-mail and any
> attachment and all copies and inform the sender. Thank you.>>

Re: [ActiveDir] Somebody experience with recovery AD with Veritas (W2K)

[Bart Van den Wyngaert]

I made already the request to perform an inventory when booted into Directory Services Restore Mode because I suspect that there are issues in that direction. Personally I never did a disaster or AD recovery with Veritas and I'm not familiar with the configuration locally.

 
We'll see what happens, if the guys can read the docs properly I just sent... 
On 4/21/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:


in google I found:

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-05,GGLG:en&q=Physical+volume+library+media+is+not+found
does that help?
jorge
 



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Bart Van den WyngaertSent: Friday, April 21, 2006 11:59To: ActiveDirSubject: [ActiveDir] Somebody experience with recovery AD with Veritas (W2K)
 


Hi,
 
Does somebody has experience with recovery AD with Veritas on a W2K DC?
 
Reason is that a collegue of mine is on a site where the AD has become corrupt, but there are problems with restoring system state using Veritas. Error message is "Physical volume library media is not found." 

 
The support documentation on the Veritas website doesn't really help us further, we're still stuck there. Additionally this is a site of which we don't have docs :-( Making the job real hard for us...
 
Any tips, suggestions, etc. are welcome!
 
Thanks in advance,
Bart


This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

[ActiveDir] Somebody experience with recovery AD with Veritas (W2K)

[Bart Van den Wyngaert]

Hi,
 
Does somebody has experience with recovery AD with Veritas on a W2K DC?
 
Reason is that a collegue of mine is on a site where the AD has become corrupt, but there are problems with restoring system state using Veritas. Error message is "Physical volume library media is not found."

 
The support documentation on the Veritas website doesn't really help us further, we're still stuck there. Additionally this is a site of which we don't have docs :-( Making the job real hard for us...
 
Any tips, suggestions, etc. are welcome!
 
Thanks in advance,
Bart

Re: [ActiveDir] OT - Somebody already experience with SQL Server Express?

[Bart Van den Wyngaert]

Hi Susan,
 
Thanks for the feedback, I knew there were some SBS "mothers" and/or "fathers" reading this list :-)
 
It's not like "I need SQL Express", it was a "is that a new direction to follow" kinda question. SQL is not really my thing, only use it for apps that require it. But it could have been that is was interesting for some advantages... But as you just pointed out, I don't think there are real advantages on a SBS box, instead more risks and looking for trouble!

 
That's preciesly the answer I was looking for, thanks!
Bart 
On 3/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Hang on.. SBS?SBSmonitoring is not supported on anything other than MSDE.As part of R2 we'll get SQL 2005 workgroup...
Whatcha doing to that box?  (me see SBS and I get protective motherlyinstincts kick in)Watch companyweb.. we're finding that it prefers .NET 1.whatever and not2.x as well.Bart Van den Wyngaert wrote:
> Hi,>> I was just reading about MS SQL Server Express and I was wondering if> somebody has already experience with it, more specifically with> migrating from MSDE on a SBS box?>
> Reason is that I want to know if it is an interesting thing to> consider or not. Also WSUS is installed on the box.>> Thanks in advance for sharing,> BartList info   : 
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] OT - Somebody already experience with SQL Server Express?

[Bart Van den Wyngaert]

Hi,
 
I was just reading about MS SQL Server Express and I was wondering if somebody has already experience with it, more specifically with migrating from MSDE on a SBS box?
 
Reason is that I want to know if it is an interesting thing to consider or not. Also WSUS is installed on the box.
 
Thanks in advance for sharing,
Bart

Re: [ActiveDir] OT - Sample Script

[Bart Van den Wyngaert]

Take a look at http://www.microsoft.com/technet/scriptcenter
In the repository you'll find a lot of examples which will help you without any doubt.
 
Bart 
On 3/2/06, Kennedy, Jim <[EMAIL PROTECTED]> wrote:
Anyone using a script running as a task that looks at the members of anOU, and modifies their group membership based upon what OU they are in?
I could use a sample to steal your hard work if you don't mind.List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Software to handle access requests

[Bart Van den Wyngaert]

Hi Bonnie,
 
Not that I know about. Most have companies I know have created their own custom forms or flows (ex. in Notes) to request accesses. I suggest to google for it.
 
Either way a developer can make it customized for you ofcourse...
 
Bart 
On 3/14/06, [EMAIL PROTECTED] <
[EMAIL PROTECTED]> wrote:


The scenario: We currently have a wide array of forms that are used to request access to our different resources (both network and phone related). Some of our less technical end users are getting confused on which form does what and who to send each form.

 
We would like to implement some sort of app, available via our Intranet site, that users can access to fill out the paperwork. We would like to setup some sort of guided site that asks them questions, fills out the forms based on their responses, and then prints the form to their default printer OR emails the completed form to the supervisor for a signature. At this point, business requirements require that a physical form with the original department supervisor signature be submitted for every request.

 
The example: It would be nice to have a site that starts like so Are you a new employee? Yes or No? If yes, do you need a telephone extension? Yes or No? Do you need a computer login? Yes or No? If yes, ask for first name, last name, etc... 

 
We would also like to be able to set fields as "required" so that the end user would not be able to proceed without inputting information. Lastly, it would be even better if we had some sort of work flow process setup that would notify the supervisor, or even forward the completed form to the supervisor for signature so it doesn't have to be physically walked around to each desk.

 
The question: Does anyone know of an app that can be downloaded or purchased that could handle this type of setup? 
 

BONNIE POHLSCHNEIDER
COPELAND HELP DESK
 

Re: re[2]: [ActiveDir] Automatic update and Non-Admin Accounts

[Bart Van den Wyngaert]

Shane,
 
My GPO settings for WSUS
 

- 4 - Auto download and schedule the install
 ==> Scheduled install day: 0 - Every day
 ==> Scheduled install time: 03:00
- Enable client-side targeting: Enabled
- Target group name for this computer: Computers (or Servers in case of Servers GPO)
- Specify intranet Microsoft update service location: Enabled
  ==> for both (intranet update service + statistics) : http://:8530
 
But as indicated this afternoon, read something about, the docs are very good and take some hours to get the correct config for your specific environment. Please also into account the remarks by Susan and Daniel and you will have a proper solution!

Best regards,
Bart 
On 3/15/06, Shane De Jager <[EMAIL PROTECTED]> wrote:
In my scenario the pc are not on constantly (they are only on when the user uses it). Can you send those settings over please. These are the settings I have at the moment:
Do not display "Install Updates and Shutdown' option in Shutdown Windows dialog box - DisabledConfigure Automatic Updates - Enabled (3)No auto-restart for scheduled Automatic Updates Installations - Enabled
Allow Automatic Updates immediate installations - EnabledAllow Non-Admin to receive update notifications - EnabledAlso how do I go about setting up WSUS?--Shane De JagerTechnical Developer
INTERGAGEHigh-performance, updateable Web sitesSwitchboard   +44 (0)845 456 1022==www.intergage.co.uk[EMAIL PROTECTED]
PS - Are you aware of our referral scheme? Learn how you could profit personally from passing us leads.Click here to pass a referral: www.intergage.co.uk/referrals
-- Original Message ----------FROM:      "Bart Van den Wyngaert" <[EMAIL PROTECTED]>TO:
ActiveDir@mail.activedir.orgDATE:  Wed, 15 Mar 2006 14:01:14 +0100SUBJECT:   Re: [ActiveDir] Automatic update and Non-Admin AccountsHi Shane, 
No you do not need to log onto each machine and run updates manually :-) I've configured my WSUS settings through GPO for the clients. They install each night the updates from my WSUS server and if a user is logged on (locked the pc), the pc won't reboot automatically in case it's needed, but display a notification.
 I can send you the GPO settings I use and ofcourse you can link all pc's directly to the internet of to your local WSUS server. 
In case you're using it for servers, other settings are applicable ofcourse depending on your environment. Best regards,Bart 
On 3/15/06, Shane De Jager <[EMAIL PROTECTED]
">[EMAIL PROTECTED]> wrote:Hi,Do automatic updates install automatically with no admin accounts? Or do I have to log onto each machine and run updates manually? What is the best group policy setting for automatic updates?
--Shane De JagerTechnical DeveloperINTERGAGEHigh-performance, updateable Web sitesSwitchboard   +44 (0)845 456 1022==http://www.intergage.co.uk">www.intergage.co.uk
[EMAIL PROTECTED]">[EMAIL PROTECTED]PS - Are you aware of our referral scheme? Learn how you could profit personally from passing us leads.Click here to pass a referral:
http://www.intergage.co.uk/referrals">www.intergage.co.uk/referralsList info   : http://www.activedir.org/List.aspx">http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx">http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/">http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Automatic update and Non-Admin Accounts

[Bart Van den Wyngaert]

I agree on both points indicated by Susan and Daniel.
 
For the one of Susan: preciesly what I did!
 
For the remark of Daniel: I have only XP SP2 in that environment, so no issues there. But ofcourse it is a requirement for automatic updates!
 
Bart 
On 3/15/06, Paessens, Daniel <[EMAIL PROTECTED]> wrote:


The only thing that you need to verify for these features is that OS are on the minimum service pack level.
For example W2K need to be at SP4 for being able to work with the GPO. (In the past you needed to install a client version of it)

 
 
Best regards,
 
Daniel



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Bart Van den Wyngaert

Sent: Wednesday, March 15, 2006 14:01
To: ActiveDir@mail.activedir.orgSubject:
 Re: [ActiveDir] Automatic update and Non-Admin Accounts
 


Hi Shane,
 
No you do not need to log onto each machine and run updates manually :-)
 
I've configured my WSUS settings through GPO for the clients. They install each night the updates from my WSUS server and if a user is logged on (locked the pc), the pc won't reboot automatically in case it's needed, but display a notification. 

 
I can send you the GPO settings I use and ofcourse you can link all pc's directly to the internet of to your local WSUS server.
 
In case you're using it for servers, other settings are applicable ofcourse depending on your environment.
 
Best regards,
Bart 


On 3/15/06, Shane De Jager <
[EMAIL PROTECTED]> wrote: 


Hi,Do automatic updates install automatically with no admin accounts? Or do I have to log onto each machine and run updates manually? What is the best group policy setting for automatic updates? 
--Shane De JagerTechnical DeveloperINTERGAGEHigh-performance, updateable Web sitesSwitchboard   +44 (0)845 456 1022==
www.intergage.co.uk [EMAIL PROTECTED]PS - Are you aware of our referral scheme? Learn how you could profit personally from passing us leads.
Click here to pass a referral: www.intergage.co.uk/referrals
List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/

 

Re: re[2]: [ActiveDir] Automatic update and Non-Admin Accounts

[Bart Van den Wyngaert]

I will post the settings I use this evening as I'm working currently on another site.
 
About WSUS, did you already install a SUS server? It's quiet similar except that WSUS has much more capabilities. And like for settings towards the clients, you can use GPO to push the settings and not WSUS. For me that solution works perfectly: 1 point where I maintain the settings for the clients. Using WSUS itself to push settings to clients is usefull in case of workgroups. Also the groups you can create in WSUS (ex. Computers, Servers) you can configure through GPO so that when the GPO is applied, the computer/server is automatically set in the correct group within WSUS. I advise that you visit the WSUS homepage on the Microsoft website to read a bit about it, very good documentation is located there which I used myself as reference at the moment I've implemented WSUS.

 
There are 2 errors I've encountered in my scenario:
1) there was an error on WSUS itself, but easily to solve (the site to contact)
2) I have a GPO which forces that the service "Automatic Updates" should be started and configured as "Automatic". Suddenly on clients, the service wouldn't start anymore. Solution was to configure the security settings for that service in the GPO, add read access for "Authenticated users". Since then no more issues.

 
Both errors were widly documented and I didn't loose much time on investigating/resolving them. For the environment where I've implemented it, this configuration was an absolute must. You must always evaluate whether it meets your requirements ofcourse.

 
Best regards,
Bart 
On 3/15/06, Shane De Jager <[EMAIL PROTECTED]> wrote:
In my scenario the pc are not on constantly (they are only on when the user uses it). Can you send those settings over please. These are the settings I have at the moment:
Do not display "Install Updates and Shutdown' option in Shutdown Windows dialog box - DisabledConfigure Automatic Updates - Enabled (3)No auto-restart for scheduled Automatic Updates Installations - Enabled
Allow Automatic Updates immediate installations - EnabledAllow Non-Admin to receive update notifications - EnabledAlso how do I go about setting up WSUS?--Shane De JagerTechnical Developer
INTERGAGEHigh-performance, updateable Web sitesSwitchboard   +44 (0)845 456 1022==www.intergage.co.uk[EMAIL PROTECTED]
PS - Are you aware of our referral scheme? Learn how you could profit personally from passing us leads.Click here to pass a referral: www.intergage.co.uk/referrals
-- Original Message --FROM:  "Bart Van den Wyngaert" <[EMAIL PROTECTED]>TO:
ActiveDir@mail.activedir.orgDATE:  Wed, 15 Mar 2006 14:01:14 +0100SUBJECT:   Re: [ActiveDir] Automatic update and Non-Admin AccountsHi Shane, 
No you do not need to log onto each machine and run updates manually :-) I've configured my WSUS settings through GPO for the clients. They install each night the updates from my WSUS server and if a user is logged on (locked the pc), the pc won't reboot automatically in case it's needed, but display a notification.
 I can send you the GPO settings I use and ofcourse you can link all pc's directly to the internet of to your local WSUS server. 
In case you're using it for servers, other settings are applicable ofcourse depending on your environment. Best regards,Bart 
On 3/15/06, Shane De Jager <[EMAIL PROTECTED]
">[EMAIL PROTECTED]> wrote:Hi,Do automatic updates install automatically with no admin accounts? Or do I have to log onto each machine and run updates manually? What is the best group policy setting for automatic updates?
--Shane De JagerTechnical DeveloperINTERGAGEHigh-performance, updateable Web sitesSwitchboard   +44 (0)845 456 1022==http://www.intergage.co.uk">www.intergage.co.uk
[EMAIL PROTECTED]">[EMAIL PROTECTED]PS - Are you aware of our referral scheme? Learn how you could profit personally from passing us leads.Click here to pass a referral:
http://www.intergage.co.uk/referrals">www.intergage.co.uk/referralsList info   : http://www.activedir.org/List.aspx">http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx">http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/">http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Folder redirection exceptions?

[Bart Van den Wyngaert]

Indeed a long job to do.
 
You have nevertheless several options.
 
1) GPO ==> My Documents redirection with the issues pointed out already
2) GPO to push values in the HKCU registry keys
2) Modify your login script and push values in the HKCU registry keys from there
 
It's the one you choose ofcourse. I personally prefer option 2, give more configuration options as 1 and is easier to maintain then 3.
 
Best regards,
Bart 
On 3/15/06, Noah Eiger <[EMAIL PROTECTED]> wrote:



Ken, I assume there was supposed to be something in that message ;-) It came through blank in my inbox (but does show up in the archives).

 
As for the redirection issue, Susan do you manually do that for each machine? Yikes! Rather than a Joeware fix, it seems like something Darren Mar-Elia might have a thought about. I posted this same question last year and the only response suggested looking at this: 
http://www.annoyances.org/exec/show/article05-100 which seems to run counter to the use of TweekUI.

 
TIA
 
-- nme
 



From: Ken Schaefer [mailto:
[EMAIL PROTECTED]] Sent: Tuesday, March 14, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder redirection exceptions?
 
 
--No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.385 / Virus Database: 268.2.2/280 - Release Date: 3/13/2006

Re: [ActiveDir] Automatic update and Non-Admin Accounts

[Bart Van den Wyngaert]

Hi Shane,
 
No you do not need to log onto each machine and run updates manually :-)
 
I've configured my WSUS settings through GPO for the clients. They install each night the updates from my WSUS server and if a user is logged on (locked the pc), the pc won't reboot automatically in case it's needed, but display a notification.

 
I can send you the GPO settings I use and ofcourse you can link all pc's directly to the internet of to your local WSUS server.
 
In case you're using it for servers, other settings are applicable ofcourse depending on your environment.
 
Best regards,
Bart 
On 3/15/06, Shane De Jager <[EMAIL PROTECTED]> wrote:
Hi,Do automatic updates install automatically with no admin accounts? Or do I have to log onto each machine and run updates manually? What is the best group policy setting for automatic updates?
--Shane De JagerTechnical DeveloperINTERGAGEHigh-performance, updateable Web sitesSwitchboard   +44 (0)845 456 1022==www.intergage.co.uk
[EMAIL PROTECTED]PS - Are you aware of our referral scheme? Learn how you could profit personally from passing us leads.Click here to pass a referral: 
www.intergage.co.uk/referralsList info   : http://www.activedir.org/List.aspxList FAQ: 
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] OT : Query DNS using wildcards?

[Bart Van den Wyngaert]

Hi Dèjì,
 
This is such moment when a person says to himself (or herself ofcourse) "Why didn't I think about that?!".
 
Yes that is a solution! Hope they only are willing to accept it...
 
Many thanks!
Bart 
On 3/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>>Extracting the zones to a .txt file which a script can loop throughsearching for certain strings. Ideal solution would be to look for *
records and delete them as they are being found. But as already indicated byother people, this is not available..Why not? If it's a standard zone, you could just read the zone file, usingfilesystemobject, do a Readline, and if you see  in the line,
delete the line.Or did I misread you?Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCTMicrosoft MVP - Directory Serviceswww.readymaids.com - we know IT
www.akomolafe.comDo you now realize that Today is the Tomorrow you were worried aboutYesterday?  -anonFrom: 
[EMAIL PROTECTED] on behalf of Bart Van den WyngaertSent: Mon 3/6/2006 3:07 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT : Query DNS using wildcards?
Hi Al,Thanks for your answer. It's not zone transfers I'm looking for, but youranswer nevertheless pointed me towards another road with a lot of thoughts!We are used to register DNS records manually by script. All other records are
added manually. When a server is at the end of it's life, we clean all it'sregistrations. In case of a cluster, including all records for it's clusterresources.As this process is totally manually and there are some with quiet a lot of
records pointing to cluster resources, we're looking for a way to query theDNS server to retrieve all records related to that server/cluster and thendelete them.Additionally a lot of servers/clusters are being powered off some week
already before we format them and unregister everything in our environment.This is mostly the case for migrations so that the owners are sure theyhaven't forgotten a little thing ;-) Currently we have to boot the server
again to have a script running locally to retrieve IP's and names registeredin the DNS. If we should have a workaround, we don't need to this anymore andwe just break the array, run a script that looks everything up and removes
the registrations.I'm having already a small idea of a way to perform the check, although notideal. Extracting the zones to a .txt file which a script can loop throughsearching for certain strings. Ideal solution would be to look for *
records and delete them as they are being found. But as already indicated byother people, this is not available... At least not to our knowledge.Another possible to solution is to review the DNS infrastructure, like for
example aging. But, and it's not my choice, I have nothing to see with thatpart... Although I'm trying to find out if there is nobody interested inadapting the DNS infra to make my life easier, but that rather working on the
political road ;-)I could understand that it doesn't make a lot of sense, but that's the way ofworking at this moment. And I have to deal with it and try handle it the bestpossible way. So in short: looking for a way to retrieve all records like
"*string*" in DNS so I can remove them all and keep the DNS tidy...Best regards,BartOn 3/5/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
   It sounds like what you really want is to move those records toanother server.  I don't recall if this is AD integrated or not, and if so,what the scope of those records is set to.  However, setting up a second
server and using zone transfer to that server (for backup purposes) is oneway to get all of the records in the zones into text files. You could alsouse WMI scripts/programs to cull that information or you could realize that
if it is AD integrated that data exists elsewhere and that copying it off isnot what you want to do.  One other method, which is very much a zonetransfer is to use the nslookup ls -d zonename command which puts that
information to std i/o. Using dnscmd would be able to gather that informationas would a backup (either AD based (see above if that's what you need) orserver file based.   If not AD-Integrated, you could just copy the zone files  :)
   Am I missing something you need to do?   Al   On 3/2/06, Bart Van den Wyngaert <[EMAIL PROTECTED] > wrote:   Well I kind of need a DNS query. We used to register our DNS
records manually and also remove them. But in case the server is at the endof it's lifecycle, we shut it down for some weeks (in case of migrationscenario) and then remove all it's registrations.   We're looking into a way that we don't need to power on the
server again, but still are able to remove all DNS registrations (serveritself, cluster resources, ...). So it would be like a DNS query... But ifthere is someth

Re: [ActiveDir] OT : Query DNS using wildcards?

[Bart Van den Wyngaert]

Hi Al,
 
Thanks for your answer. It's not zone transfers I'm looking for, but your answer nevertheless pointed me towards another road with a lot of thoughts!
 
We are used to register DNS records manually by script. All other records are added manually. When a server is at the end of it's life, we clean all it's registrations. In case of a cluster, including all records for it's cluster resources.

 
As this process is totally manually and there are some with quiet a lot of records pointing to cluster resources, we're looking for a way to query the DNS server to retrieve all records related to that server/cluster and then delete them.

 
Additionally a lot of servers/clusters are being powered off some week already before we format them and unregister everything in our environment. This is mostly the case for migrations so that the owners are sure they haven't forgotten a little thing ;-) Currently we have to boot the server again to have a script running locally to retrieve IP's and names registered in the DNS. If we should have a workaround, we don't need to this anymore and we just break the array, run a script that looks everything up and removes the registrations.

 
I'm having already a small idea of a way to perform the check, although not ideal. Extracting the zones to a .txt file which a script can loop through searching for certain strings. Ideal solution would be to look for * records and delete them as they are being found. But as already indicated by other people, this is not available... At least not to our knowledge.

 
Another possible to solution is to review the DNS infrastructure, like for example aging. But, and it's not my choice, I have nothing to see with that part... Although I'm trying to find out if there is nobody interested in adapting the DNS infra to make my life easier, but that rather working on the political road ;-)
 
I could understand that it doesn't make a lot of sense, but that's the way of working at this moment. And I have to deal with it and try handle it the best possible way. So in short: looking for a way to retrieve all records like "*string*" in DNS so I can remove them all and keep the DNS tidy...

 
Best regards,
Bart 
On 3/5/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


It sounds like what you really want is to move those records to another server.  I don't recall if this is AD integrated or not, and if so, what the scope of those records is set to.  However, setting up a second server and using zone transfer to that server (for backup purposes) is one way to get all of the records in the zones into text files. You could also use WMI scripts/programs to cull that information or you could realize that if it is AD integrated that data exists elsewhere and that copying it off is not what you want to do.  One other method, which is very much a zone transfer is to use the nslookup ls -d zonename command which puts that information to std i/o. Using dnscmd would be able to gather that information as would a backup (either AD based (see above if that's what you need) or server file based. 

 
If not AD-Integrated, you could just copy the zone files  :)
 
Am I missing something you need to do? 

 
 
Al 

On 3/2/06, Bart Van den Wyngaert <[EMAIL PROTECTED]
> wrote: 


Well I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of it's lifecycle, we shut it down for some weeks (in case of migration scenario) and then remove all it's registrations. 

We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description. 

Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards...
 
I'll have a look into the dsquery tool you mentioned, as I'm not familiar with that tool I'll get back to you.
 
Many thanks,

Bart 
On 3/1/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED] 
> wrote: 


Very true point - as long as you don't need it to be a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in the container hosting the DNS-Zones (out of my head since none of my test-dcs is currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition). 

 
However keep in mind that those LDAP-Queries are getting expensive when not querying all of them but specific and the wildcard is in front - 
e.g. querying at *.domain.com is heavy on the server, server01.* would be OK.
 
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-

Re: [ActiveDir] OT : Query DNS using wildcards?

[Bart Van den Wyngaert]

Well I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of it's lifecycle, we shut it down for some weeks (in case of migration scenario) and then remove all it's registrations.

We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description.

Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards...
 
I'll have a look into the dsquery tool you mentioned, as I'm not familiar with that tool I'll get back to you.
 
Many thanks,
Bart 
On 3/1/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:


Very true point - as long as you don't need it to be a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in the container hosting the DNS-Zones (out of my head since none of my test-dcs is currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition).

 
However keep in mind that those LDAP-Queries are getting expensive when not querying all of them but specific and the wildcard is in front - 
e.g. querying at *.domain.com is heavy on the server, server01.* would be OK.
 
Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": 
http://tinyurl.com/44zcz  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: 
http://www.windowsserverfaq.org  Profile:   
http://mvp.support.microsoft.com/profile="">   
 



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Paessens, DanielSent: Wednesday, March 01, 2006 9:10 PM
To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] OT : Query DNS using wildcards? 


Hello,
 
Against what are you trying to perform a query. it's possible to perform a query against AD by using a csvde command.
When using these command you are able to use some wildcards.
 
Regards,
 
Daniel


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 15:43To: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT : Query DNS using wildcards? 

Hello Ulf,
 
I agree on the point that it would open up an attack surface, but on the other hand we want to keep our environment clean when a server is at the end of lifecycle.
 
In a lot of cases the server is already powered off some week before we start cleaning the different environments (to be sure there is nothing forgotten). In case of a cluster, you have several hosts registered into DNS and IP's for all the resources. We're looking into a way to retrieve that info without the need to power on the server again... 

 
Best regards,
Bart 
On 3/1/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]
> wrote: 

Hello Bart,
 
AFAIK DNS is not designed being queried with a wildcard - which would open up a attack surface you definitelly don't want. Closest thing you can do is performing a LS-Command against a DNS-Server ( 
e.g. with nslookup), however this requires the DNS-Server to allow zone transfers to the machine where you perform the ls-command.
 
Ulf
 



From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT : Query DNS using wildcards? 


Hi all,
 
We're looking at this moment for a way to query DNS using wildcards, but untill now, no luck!
 
Does anybody knows a way to do this?
 
Thanks,
Bart

Re: [ActiveDir] OT : Query DNS using wildcards?

[Bart Van den Wyngaert]

Hello Ulf,
 
I agree on the point that it would open up an attack surface, but on the other hand we want to keep our environment clean when a server is at the end of lifecycle.
 
In a lot of cases the server is already powered off some week before we start cleaning the different environments (to be sure there is nothing forgotten). In case of a cluster, you have several hosts registered into DNS and IP's for all the resources. We're looking into a way to retrieve that info without the need to power on the server again...

 
Best regards,
Bart 
On 3/1/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:

Hello Bart,
 
AFAIK DNS is not designed being queried with a wildcard - which would open up a attack surface you definitelly don't want. Closest thing you can do is performing a LS-Command against a DNS-Server (
e.g. with nslookup), however this requires the DNS-Server to allow zone transfers to the machine where you perform the ls-command.
 
Ulf
 



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT : Query DNS using wildcards? 


Hi all,
 
We're looking at this moment for a way to query DNS using wildcards, but untill now, no luck!
 
Does anybody knows a way to do this?
 
Thanks,
Bart

[ActiveDir] OT : Query DNS using wildcards?

[Bart Van den Wyngaert]

Hi all,
 
We're looking at this moment for a way to query DNS using wildcards, but untill now, no luck!
 
Does anybody knows a way to do this?
 
Thanks,
Bart

Re: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036

[Bart Van den Wyngaert]

Hi Jose,
 
I'm going to work during the weekend on this issue.
Reason is that the first node is up and running at this moment and serving all cluster resources. As it concerns production, we can not just take it offline to investigate further on the second node. That's why during the weekend.

Planned to do is take the first node offline and then try get the second one up and running. As the first is being down at that moment, the second node can access the disks etc.
I'll let you know what happened/found/etc.
 
Best regards,
Bart 
On 11/22/05, Bart Van den Wyngaert <[EMAIL PROTECTED]> wrote:

Hi Jose,
 
I've checked and the remote registry service is up and running on both nodes.
 
However I've got some hints in the link you sent, I'm going to look into it deeper today and get back to you with some feedback!
 
Thanks,
Bart 

On 11/22/05, Medeiros, Jose <[EMAIL PROTECTED]
> wrote: 

I have yet to have a bad Quorum disk. But that may be your problem. Take a look at these guides for repairing a corrupt Quorum. 
 

http://www.Microsoft.com/TechNet/prodtechnol/windowsserver2003/library/Operations/e2e5674c-0625-4aba-afee-0c7057f8ac2e.mspx
 I am interested to know what you find is causing the problem.
Sincerely,Jose MedeirosADP | National Account ServicesProBusiness Division | Information Services925.737.7967 | 408-449-6621 CELL

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of 
Bart Van den WyngaertSent: Monday, November 21, 2005 3:50 PMTo: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036
Hi,
 
Yes I've found this evening an article about the remote registry service. I think that it is always started, but I'm going to check in the morning to be 100% sure. It would be strange, as we never have experienced this issue and I don't see why somebody else would have stopped this service. Nevertheless I will check it... 

 
The second node was already in the domain. Some weeks ago we started to have problems with corrupted quorum. Since then several people have worked on the servers, but I didn't receive a status... I found them with the first node running, the second was evicted but the cluster service was still installed. I removed it, reboot, reinstalled it and then it failed at the end of the wizard with that error code. Since then not much progress... 

 
While working on these machines, we were always using a functional account with the proper rights (checked all rights conform MS article).
 
 
Thanks,
Bart


From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]] On Behalf Of Medeiros, JoseSent: Tuesday, November 22, 2005 00:39To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036 

Hmm.. I've only seen that if the cluster service is not started on the first node, or if the remote registry service has also not started. 
 
I know this sounds like a stupid question, but did you join the second node to the domain and reboot prior to trying to join  it to the first cluster node? 
 
Sincerely,Jose MedeirosADP | National Account ServicesProBusiness Division | Information Services925.737.7967 | 408-449-6621 CELL

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of 
Bart Van den WyngaertSent: Monday, November 21, 2005 3:27 PMTo: activedir@mail.activedir.org 
Subject: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036
Hi all, 
We're having a problem with (re)joining a node into a cluster (W2K SP2) after some issues with the cluster. 
When trying to join, the node is added in the cluster, but when starting the service at the end of the configuration wizard, it returns error 5036 (A cluster node is not available for this operation).
This also is being returned afterwards when retrying to start the service. Cluster service is running properly on the first node.
Now I can't find any solution offer when having this issue, and no idea where to look to resolve this issue… The only article found specificely about this error is on the MS site, but it concerns Application Center which is not installed in this case. 

There is also an error logged at the first node, but I don't have the precies error message available here at home. I will look it up tomorrow.
 
Does anybody has information about this error? Or suggestions? 
MTIA 
Bart 

Re: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036

[Bart Van den Wyngaert]

Hi Jose,
 
I've checked and the remote registry service is up and running on both nodes.
 
However I've got some hints in the link you sent, I'm going to look into it deeper today and get back to you with some feedback!
 
Thanks,
Bart 
On 11/22/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:

I have yet to have a bad Quorum disk. But that may be your problem. Take a look at these guides for repairing a corrupt Quorum. 
 

http://www.Microsoft.com/TechNet/prodtechnol/windowsserver2003/library/Operations/e2e5674c-0625-4aba-afee-0c7057f8ac2e.mspx
 I am interested to know what you find is causing the problem.
Sincerely,Jose MedeirosADP | National Account ServicesProBusiness Division | Information Services925.737.7967 | 408-449-6621 CELL

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of 
Bart Van den WyngaertSent: Monday, November 21, 2005 3:50 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036
Hi,
 
Yes I've found this evening an article about the remote registry service. I think that it is always started, but I'm going to check in the morning to be 100% sure. It would be strange, as we never have experienced this issue and I don't see why somebody else would have stopped this service. Nevertheless I will check it...

 
The second node was already in the domain. Some weeks ago we started to have problems with corrupted quorum. Since then several people have worked on the servers, but I didn't receive a status... I found them with the first node running, the second was evicted but the cluster service was still installed. I removed it, reboot, reinstalled it and then it failed at the end of the wizard with that error code. Since then not much progress...

 
While working on these machines, we were always using a functional account with the proper rights (checked all rights conform MS article).

 
Thanks,
Bart


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Medeiros, JoseSent: Tuesday, November 22, 2005 00:39To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036 

Hmm.. I've only seen that if the cluster service is not started on the first node, or if the remote registry service has also not started. 
 
I know this sounds like a stupid question, but did you join the second node to the domain and reboot prior to trying to join  it to the first cluster node?
 
Sincerely,Jose MedeirosADP | National Account ServicesProBusiness Division | Information Services925.737.7967 | 408-449-6621 CELL

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of 
Bart Van den WyngaertSent: Monday, November 21, 2005 3:27 PMTo: activedir@mail.activedir.org
Subject: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036
Hi all, 
We're having a problem with (re)joining a node into a cluster (W2K SP2) after some issues with the cluster. 
When trying to join, the node is added in the cluster, but when starting the service at the end of the configuration wizard, it returns error 5036 (A cluster node is not available for this operation).
This also is being returned afterwards when retrying to start the service. Cluster service is running properly on the first node.
Now I can't find any solution offer when having this issue, and no idea where to look to resolve this issue… The only article found specificely about this error is on the MS site, but it concerns Application Center which is not installed in this case.

There is also an error logged at the first node, but I don't have the precies error message available here at home. I will look it up tomorrow.

Does anybody has information about this error? Or suggestions? 
MTIA 
Bart 

RE: [ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036

[Bart Van den Wyngaert]

Title: OT : Problems with joing W2K cluster (SP2), error code 5036



Hi,
 
Yes I've found this evening an article about the remote 
registry service. I think that it is always started, but I'm going to check in 
the morning to be 100% sure. It would be strange, as we never have experienced 
this issue and I don't see why somebody else would have stopped this service. 
Nevertheless I will check it...
 
The second node was already in the domain. Some weeks ago 
we started to have problems with corrupted quorum. Since then several people 
have worked on the servers, but I didn't receive a status... I found them with 
the first node running, the second was evicted but the cluster service was still 
installed. I removed it, reboot, reinstalled it and then it failed at the end of 
the wizard with that error code. Since then not much 
progress...
 
While working on these machines, we were always using a 
functional account with the proper rights (checked all rights conform MS 
article).
 
Thanks,
Bart


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
JoseSent: Tuesday, November 22, 2005 00:39To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT : Problems 
with joing W2K cluster (SP2), error code 5036

Hmm.. 
I've only seen that if the cluster service is not started on the first node, or 
if the remote registry service has also not started. 
 
I know 
this sounds like a stupid question, but did you join the second node to the 
domain and reboot prior to trying to join the first cluster 
node?
Sincerely,Jose MedeirosADP | National Account 
ServicesProBusiness Division | Information Services925.737.7967 | 
408-449-6621 CELL

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of Bart Van den 
  WyngaertSent: Monday, November 21, 2005 3:27 PMTo: 
  activedir@mail.activedir.orgSubject: [ActiveDir] OT : Problems with 
  joing W2K cluster (SP2), error code 5036
  Hi 
  all, 
  We're having a 
  problem with (re)joining a node into a cluster (W2K SP2) after some issues 
  with the cluster. When trying to join, the node is added in the cluster, 
  but when starting the service at the end of the configuration wizard, it 
  returns error 5036 (A cluster node is not available for this 
  operation).
  This also is being 
  returned afterwards when retrying to start the service. Cluster service is 
  running properly on the first node.
  Now I can't find 
  any solution offer when having this issue, and no idea where to look to 
  resolve this issue… The only article found specificely about this error is on 
  the MS site, but it concerns Application Center which is not installed in this 
  case.
  There is also an 
  error logged at the first node, but I don't have the precies error message 
  available here at home. I will look it up tomorrow.
  Does anybody has 
  information about this error? Or suggestions? 
  MTIA 
  
  Bart 
  

[ActiveDir] OT : Problems with joing W2K cluster (SP2), error code 5036

[Bart Van den Wyngaert]

Title: OT : Problems with joing W2K cluster (SP2), error code 5036






Hi all,


We're having a problem with (re)joining a node into a cluster (W2K SP2) after some issues with the cluster.

When trying to join, the node is added in the cluster, but when starting the service at the end of the configuration wizard, it returns error 5036 (A cluster node is not available for this operation).

This also is being returned afterwards when retrying to start the service. Cluster service is running properly on the first node.

Now I can't find any solution offer when having this issue, and no idea where to look to resolve this issue… The only article found specificely about this error is on the MS site, but it concerns Application Center which is not installed in this case.

There is also an error logged at the first node, but I don't have the precies error message available here at home. I will look it up tomorrow.

Does anybody has information about this error? Or suggestions?


MTIA


Bart

Re: [ActiveDir] OT: MBSA

[Bart Van den Wyngaert]

Hi,
 
In a LAN these services and ports are most of the time available. In DMZ zones, the security will be more hardened and you probably will have disabled these services mostly...
 
It's normal that MBSA need these things, it will look at file versions, check registry (if you install hotfixes, they have always a registry key(s)), etc.
 
So if working in a LAN nicely protected by firewall etc., you normally haven't disabled these services and you wouldn't have any issue with remote scanning. If you do have these kind of security measurements implemented and you don't want to change them, you can alternatively write for example a little script to execute on the remote computers/servers (locally ofcourse) that checks the installed hotfixes by looking up their registry keys Depends what you need of information and the environment working in.
 
Hope this helps you a very little bit ;-)
 
Rgds,
B
-Original Message-From: Douglas M. Long [mailto:[EMAIL PROTECTED]Sent: Thursday, March 3, 2005 02:23 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: MBSA

I am reading that remote scans using MBSA require TCP ports 139 and 445 and UDP ports 137 and 138 to be open and Server service, Remote Registry service, and File & Print Sharing must be running. 

Aren?t these about the worst ports you could leave open on? Not the best services to be open on a desktop either, are they?

It would be easy enough to open the ports and start the services via group policy, but do I really want to. What are your thoughts? How do you guys do it?

Re: [ActiveDir] Event 673 on SBS 2003

[Bart Van den Wyngaert]

Read that one, but it doesn't help me any further.
Here's btw the link on TechNet of which I'm talking about:
http://support.microsoft.com/default.aspx?scid=kb;en-us;824905

Workaround just waits longer thus less events logged. I want to understand it 
in order to fix it or is it a bug? Will it be in SP1? Client doesn't have a 
support contract...

Regards,
Bart

>-Original Message-
>From: Free, Bob [mailto:[EMAIL PROTECTED]
>Sent: Friday, December 17, 2004 01:20 AM
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] Event 673 on SBS 2003
>
> 
>http://www.eventid.net/display.asp?eventid=673&eventno=2707&source=Secur
>ity&phase=1
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
>Wyngaert
>Sent: Thursday, December 16, 2004 1:43 PM
>To: [EMAIL PROTECTED]
>Subject: [ActiveDir] Event 673 on SBS 2003
>
>Hi all,
>
>I don't know if somebody already asked this (can't find back anything in
>my ActiveDir archive), but I'm having this error on a SBS 2003 Standard
>Edition box. This was a clean installation, no upgrade from SBS 2000.
>
>**
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Account Logon
>Event ID: 673
>Date:  7/2/2003
>Time:  3:33:32 PM
>User:  NT AUTHORITY\SYSTEM
>Computer: MyServer
>Description:
>Service Ticket Request:
>  User Name:
>  User Domain:  MyDomain.Net
>  Service Name:  host/MyServer.MyDomain.Net
>  Service ID:  -
>  Ticket Options:  0x4083
>  Ticket Encryption Type: -
>  Client Address:  127.0.0.1
>  Failure Code:  0xD
>  Logon GUID:  -
>  Transited Services: -
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>*
>
>I've found an article on TechNet about this event, but it doesn't help
>me really further (sorry I don't have the link to the article here, I
>have it at home).
>
>Anybody that can give me more information about this? Somebody that has
>a solution?
>
>Thanks,
>Bart
>
>
>
>
>
>List info   : http://www.activedir.org/mail_list.htm
>List FAQ: http://www.activedir.org/list_faq.htm
>List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>List info   : http://www.activedir.org/mail_list.htm
>List FAQ: http://www.activedir.org/list_faq.htm
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Event 673 on SBS 2003

[Bart Van den Wyngaert]

Hi all,

I don't know if somebody already asked this (can't find back anything in my 
ActiveDir archive), but I'm having this error on a SBS 2003 Standard Edition 
box. This was a clean installation, no upgrade from SBS 2000.

**
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date:  7/2/2003
Time:  3:33:32 PM
User:  NT AUTHORITY\SYSTEM
Computer: MyServer
Description:
Service Ticket Request:
  User Name:
  User Domain:  MyDomain.Net
  Service Name:  host/MyServer.MyDomain.Net
  Service ID:  -
  Ticket Options:  0x4083
  Ticket Encryption Type: -
  Client Address:  127.0.0.1
  Failure Code:  0xD
  Logon GUID:  -
  Transited Services: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

*

I've found an article on TechNet about this event, but it doesn't help me 
really further (sorry I don't have the link to the article here, I have it at 
home).

Anybody that can give me more information about this? Somebody that has a 
solution?

Thanks,
Bart





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] OT:spyware

[Bart Van den Wyngaert]

Client rollout you can do it yourself by using unattended setup through the network. 
The only thing that can be a problem is the number of different hardware types. But I 
believe the you can easily simply the installations and standardize them easily (which 
is a good thing I believe). A benefit is in case of reinstallation. In the beginning 
it's a bit searching your way, but once you get hold on the process, it's quiet fun to 
set up :-)

But you will need another solution for the deployment of patches etc. which comes 
afterwards when the clients are already in production, but I believe that you can find 
one which meets your requirements etc. very easy ;-)

Regards,
Bart

>-Original Message-
>From: Creamer, Mark [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 30, 2004 08:55 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] OT:spyware
>
>Yes, but have you *met* your son yet?
>
>
>
>
>
>  _
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>Kern, Tom
>Sent: Thursday, September 30, 2004 4:41 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] OT:spyware
>
>
>
>I exaggerate a bit.
>
>
>
>I have a staff of 3 to do basic help desk for 400 users here in NYC and another 100 
>upstate.
>
>i'm the only one who supports server side stuff- 
>AD,Exchange,AV,Firewall,Routers/switches,DR
>testing,blackberry,etc. and help desk if the other 3 are too busy.
>
>so its not as bad as it seems.
>
>I had enough time to get married and have a 18 month old boy :)
>
>
>
>Thanks for all your help. you guys are great.
>
>   -Original Message-
>   From: Dan DeStefano [mailto:[EMAIL PROTECTED]
>   Sent: Thursday, September 30, 2004 3:21 PM
>   To: [EMAIL PROTECTED]
>   Subject: RE: [ActiveDir] OT:spyware
>
>   We do not use RIS.
>
>   Ghost is not just for client deployments. It can be used to roll out/roll back 
> patches,
>software packages, backup user files/settings, etc, etc. And for a single admin in a 
>400-user
>environment I believe this is a near necessity. Are you really the only admin in a 
>400-user
>environment? Do you have any help at all? How do you have any time for a personal 
>life?
>
>   
>
>   _
>
>   
>
>   Daniel DeStefano
>
>   PC Support Specialist
>
>   
>
>   IAG Research
>
>   345 Park Avenue South, 12th Floor
>
>   New York, NY 10010
>
>   T. 212.871.5262
>
>   F212.871.5300
>
>   
>
>   www.iagr.net 
>
>   Measuring Ad Effectiveness on Television
>
>   
>
>   The information contained in this communication is confidential, may be 
> privileged and is
>intended for the exclusive use of the above named addressee(s). If you are not the 
>intended
>recipient(s), you are expressly prohibited from copying, distributing, disseminating, 
>or in any other
>way using any of the information contained within this communication. If you have 
>received this
>communication in error, please contact the sender by telephone 212.871.5262 or by 
>response via e-mail.
>
>   -Original Message-
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Behalf Of Kern, Tom
>   Sent: Thursday, September 30, 2004 11:01 AM
>   To: [EMAIL PROTECTED]
>   Subject: RE: [ActiveDir] OT:spyware
>
>   We don't push out enough clients to merit ghost. About 5-10 a month.
>
>   We just get the preinstalled os with HP and run thru the mini setup 
> and install
>AV,Office,patch,etc.
>
>   
>
>   Do you think ghost would be better in this environment?
>
>   
>
>   Do you guys use RIS at all?
>
>   
>
>   
>  _
>
>
>   From: Dan DeStefano [mailto:[EMAIL PROTECTED]
>   Sent: Thursday, September 30, 2004 9:40 AM
>   To: [EMAIL PROTECTED]
>   Subject: RE: [ActiveDir] OT:spyware
>
>   
>
>   For the last part, have you thought about desktop imaging using a 
> product such as
>Symantec Ghost or Altiris Client Management Suite? Then you could create standard 
>desktop images for
>your clients. Then you could implement folder redirection to redirect users' My 
>Documents folders to
>their home folders on the network and, if you want, enable roaming profiles so that 
>user profiles are
>stored on a server. Then configure the NTFS permissions on the client machines so 
>that the only place
>locally that users can write to would be their user profile directory (users would 
>obviously need to
>be restricted users on the local machines, not administrators). This would make the 
>data on the client
>machines expendible, so if you have an outbreak and the machine gets totally borked, 
>you could simply
>re-image it. There are other aspects to this as well - if the user's roaming profile 
>or home folder is
>infected you would have to clean it, b