RE: [ActiveDir] push a URL in the trusted zone with GPO...
Hi, Sorry for the late response, I was in a Go Live so I didn't watch/post to the list for many days. Thanks for the answer, I corrected it by removing the IE7 settings (yes, we are stuck with IE6 on most stations; our ERP doesn't support IE7 yet). Thanks! - -Original Message- - From: [EMAIL PROTECTED] [mailto:ActiveDir- - [EMAIL PROTECTED] On Behalf Of Darren Mar-Elia - Sent: January 6, 2007 12:18 PM - To: ActiveDir@mail.activedir.org - Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO... - - Could be an issue if the lists ever differ. I don't remember how they - merge - (or don't). Probably best to put it in one place. - - -Original Message- - From: [EMAIL PROTECTED] - [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel - Sent: Saturday, January 06, 2007 7:37 AM - To: ActiveDir@mail.activedir.org - Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO... - - Thanks, I have both, so I replicated the settings in both places. Do you - think this can cause me problems? - - List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] push a URL in the trusted zone with GPO...
Thanks for refreshing my memory!! It was a tough day, been at the office overnight, so memory doesn't serve well in theses conditions, hehehe. - -Original Message- - From: [EMAIL PROTECTED] [mailto:ActiveDir- - [EMAIL PROTECTED] On Behalf Of Kennedy, Jim - Sent: January 5, 2007 3:56 PM - To: ActiveDir@mail.activedir.org - Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO... - - User configuration, windows settings, internet explorer maint, - security/security zones and content ratings, security zones and privacy, - sites in this zone. - List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] push a URL in the trusted zone with GPO...
Thanks, I have both, so I replicated the settings in both places. Do you think this can cause me problems? - -Original Message- - From: [EMAIL PROTECTED] [mailto:ActiveDir- - [EMAIL PROTECTED] On Behalf Of Darren Mar-Elia - Sent: January 5, 2007 6:05 PM - To: ActiveDir@mail.activedir.org - Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO... - - Alternatively, if you have the IE 6, XP,SP2 version of inetres.adm or the - IE7 ADMs, you can use Administrative Template policy to set trusted - sites. I - personally like this method better than IE Maintenance. Its under - Computer - (or User) Configuration\Admin. Templates\Windows Components\Internet - Explorer\Internet Control Panel\Security Page\Site to Zone assignment - list - - Darren - - - Darren Mar-Elia - CTO Founder - SDM Software, Inc. - www.sdmsoftware.com - Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at - http://www.sdmsoftware.com/products.php - List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
[ActiveDir] push a URL in the trusted zone with GPO...
Hi, I have a brain cramp actually, I can't remember how I can push a URL in the trusted zone and intranet zone for all the stations using a GPO, anybody can help? Thanks winmail.dat
RE: [ActiveDir] push a URL in the trusted zone with GPO...
Hi, The problem is that I can't seem to find the place to set them... I think I have to go get some sleep... last night was short... - -Original Message- - From: [EMAIL PROTECTED] [mailto:ActiveDir- - [EMAIL PROTECTED] On Behalf Of Ziots, Edward - Sent: January 5, 2007 3:42 PM - To: ActiveDir@mail.activedir.org - Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO... - - You have to modify the GPO IE zone settings and put the url there. Then - apply to the unwilling targets. - - Z - - - Edward E. Ziots - Network Engineer - Lifespan Organization - MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + - email:[EMAIL PROTECTED] - cell:401-639-3505 - - -Original Message- - From: [EMAIL PROTECTED] - [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel - Sent: Friday, January 05, 2007 3:37 PM - To: ActiveDir@mail.activedir.org - Subject: push a URL in the trusted zone with GPO... - - Hi, - I have a brain cramp actually, I can't remember how I can push a - URL in the trusted zone and intranet zone for all the stations using a - GPO, anybody can help? - - Thanks - - - - List info : http://www.activedir.org/List.aspx - List FAQ: http://www.activedir.org/ListFAQ.aspx - List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Problem with Active Sync
Hi, Last time i had this, I had to pin point the culprit by removing all the items and then re add them 1 by 1 synching between each item. It turned out to be a note that was corrupted I deleted it and then re added the notes to the sync and all went well after that. My 0.02$ (also, make sure your device is not connected to the pc when you boot the pc. When windows detect the device before active sync is started it screws things up a bit...) -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: September 28, 2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem with Active Sync Hi All, I am facing problems while trying to sync my PPC. I receive error stating syncronization failed and support code is 80004004. I was facing some other problems with my active sync and oma which were rectified by changing authentication methods to not allowing anonymous and enabling Windows integrated and basic authentication. However i am doubting on my Active Sync. I think there is something wrong with it and i have no clue... This is really urgent -- Ravi Dogra List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] disable 200 users
You may want to take a look at ADmodify.net http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2 Nice tools for batch AD modifs. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Friday, August 25, 2006 2:16 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] disable 200 users Hi, I have been given a list of 200 users to disable, and move to another OU. The users are not currently in the same OU but in many different OU. I am trying to use the txt file that contains the list of users to be disable. How can I do this? I was trying to use the query tool that comes with AD users and computer to select the users but got nowhere with |((objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))((objectCategory=person)(!objectSid=*))((objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user1))) |((objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))((objectCategory=person)(!objectSid=*))((objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user2))) etc Thanks Rezuma
RE: [ActiveDir] setting the regional settings with GPO or other scripts...
The only entry that I have in this section is Restrict selection of Windows menus and dialogs language And I think that this is a setting for the MUI package, right? BTW a bit of information I didn't mentioned, Is that its awin2k domain using the XP sp2 ADM templates. Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Thursday, June 01, 2006 5:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] setting the regional settings with GPO or other scripts... You can set the default language and prevent users from changing the regional settings in Control Panel using the following setting: USER\Administrative Templates\Control Panel\Regional and Language Options Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Friday, 2 June 2006 8:34 a.m. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] setting the regional settings with GPO or other scripts... Hi, I would like to restrict the users from changing the regionals settings on their laptops. Also I would like to push the configuration as to date format and number decimals value and such. Anyone has a way to do that centrally? Thanks! Note: I'm googling for it right now, sorry if there is an easy answer for this one; I'm actually in a little hurry so I didn't search before posting. Sorry for that. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] setting the regional settings with GPO or other scripts...
Solved, I mixed GPO and logon script to define the params and remove the acces to the applets in CP. Thanks for all the answers! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline Sent: Thursday, June 01, 2006 5:38 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] setting the regional settings with GPO or other scripts... You should be able to set the date formats using a registry entry. Take a look at this page for the various settings http://www.jsifaq.com/SUBA/tip0300/rh0311.htm sTime and sTimeFormat should help you out. You can deploy the registry settings using a login script or create your own template. I like a freetool made by Desktopstandard for deploying registry settings via GPO. Check out PolicyMaker Registry Extension.Creating the adm template is really easy using that tool. Thanks Mike On 6/1/06, Tony Murray [EMAIL PROTECTED] wrote: You can set the default language and prevent users from changing the regional settings in Control Panel using the following setting: USER\Administrative Templates\Control Panel\Regional and Language Options Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruyere, Michel Sent: Friday, 2 June 2006 8:34 a.m. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] setting the regional settings with GPO or other scripts... Hi, I would like to restrict the users from changing the regionals settings on their laptops. Also I would like to push the configuration as to date format and number decimals value and such. Anyone has a way to do that centrally? Thanks! Note: I'm googling for it right now, sorry if there is an easy answer for this one; I'm actually in a little hurry so I didn't search before posting. Sorry for that. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] setting the regional settings with GPO or other scripts...
Hi, I would like to restrict the users from changing the regionals settings on their laptops. Also I would like to push the configuration as to date format and number decimals value and such. Anyone has a way to do that centrally? Thanks! Note: I'm googling for it right now, sorry if there is an easy answer for this one; I'm actually in a little hurry so I didn't search before posting. Sorry for that. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Several IMAP Accounts-Outlook fail
I followed the MS recommendation to delete and recreate the IMAP account; it didn't work in the first time but worked the second one. It's the only resolution that I found. My 0.02$ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho Sent: Wednesday, May 03, 2006 6:17 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Several IMAP Accounts-Outlook fail Your Server Has Reported a UID Which Does Not Comply with the IMAP Standard I received this error once I configured several IMAP email-accounts in the same profile, the worse point if I use ny other e-mail client (Thunderbird-Evolution, etc) set the sme e-mail accounts works fine I refer to this Kb: http://support.microsoft.com/?kbid=294779 However the resolution is not very useful To resolve this behavior, remove the IMAP account and create a new one I am using Outlook 2003 client , Please help me to find a solution
RE: [ActiveDir] Robocopy(OT)
Hi, I got something similar but with a PDF file. The solution was to reboot the server From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, April 06, 2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete it or share it out and its missing the security tab. anything else I should look for? Thanks On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote: I have seen this if another PC has explorer open on that folder and you try and delete from another. Mark -Original Message- From: Steve Rochford [EMAIL PROTECTED] Date: Wed, 5 Apr 2006 16:37:03 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT) This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. going back to the folder finds that it's either gone or can now be deleted. In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help. Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Tom Kern Sent: 05 April 2006 15:45 To: activedirectory Subject: [ActiveDir] Robocopy(OT) I have a strange issue. I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job. When he went to the target server a empty dir was created which now cannot be deleted. I can't delete it through explorer or the command console at the server and get an error of cannot delete file:cannot read from the source file or disk. If i do a RD /s, i get The system cannot find the file specified. However the dir shows up in a dir listing or explorer. The weird thing is also, the dir has no security tab(and its on an ntfs file system). Some backround on the robocopy job- the admin mapped 2 drives from his local box(win2k). One drive to the root of the volume on the source server and another to the root on the target. he then CD'ed to the source and ran robocopy with the /E and /V switches. after sometime, he killed the job and now I'm stuck with this undeletable DIR. Any insight would be great. thanks
[ActiveDir] FW: LDIFDE command or equivalent
Hi, Can someone help me out a bit with this one... I would like to use the LDEFIDE command to export from our LAN and import it in our test lab. I'm able to export users and OUs, but can't seem to find out how to export groups (and all the memberships). If someone has an idea how to do that or another free tool that I can use for that, it would be great! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] FW: LDIFDE command or equivalent
Ouf... I meant LDIFDE... Hi, Can someone help me out a bit with this one... I would like to use the LDEFIDE command to export from our LAN and import it in our test lab. I'm able to export users and OUs, but can't seem to find out how to export groups (and all the memberships). If someone has an idea how to do that or another free tool that I can use for that, it would be great! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Fully Own a User
Hi, What I do when I exmerge is that I set the Administrative account full mailbox access. The account must be enabled and the hide from exchange address book unchecked. Note that it takes some time to replicate the changes. Log in as administrative account to exmerge. Hope this helps From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Wednesday, December 14, 2005 7:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Fully Own a User Hi I have about 10 users that left the company. Their AD accounts are disabled. I would like to use Exmerge to archive their email to PST and then delete them. However, Exmerge kicks back an error: Error opening message store (MSEMS). These accounts have the same permissions as the users for whom Exmerge worked fine. I tried enabling one of the accounts, logged in as that user, and then tried to configure Outlook to use the account. This last step (Outlook) got rejected saying the user did not have permission to access the mailbox. So, how can I completely own this account and give my admin account full control? Thanks. -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.13.13/199 - Release Date: 12/13/2005
RE: [ActiveDir] Bit OT: ports needed to authenticate
Thanks I'll take a look at that. -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tomasz Onyszko Sent: Wednesday, December 07, 2005 7:23 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Bit OT: ports needed to authenticate Bruyere, Michel wrote: Hi, Can someone tell me the ports that I need to open for a server behind a firewall to authenticate to the DCs. It's a secured space but it need to be on another interface of a PIX (call it secure DMZ if you want). I know that it's not the best configuration, but I need to make it work. This document should be helpful: http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0- 4caf-9767-a9166368434eDisplayLang=en -- Tomasz Onyszko http://www.w2k.pl List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Bit OT: ports needed to authenticate
Hi, Can someone tell me the ports that I need to open for a server behind a firewall to authenticate to the DCs. It's a secured space but it need to be on another interface of a PIX (call it secure DMZ if you want). I know that it's not the best configuration, but I need to make it work. Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] script to check the inheritance from the security Tab...
Thanks for the input, Problem solved. Thanks to Yann too! -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Wednesday, October 26, 2005 2:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] script to check the inheritance from the security Tab... Hallo Michel, Look a the VB-Script in KB 817433 ( http://support.microsoft.com/?id=817433 ), especially the SetInheritanceFlag-Function. Ulf |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of |Bruyere, Michel |Sent: Wednesday, October 26, 2005 12:48 AM |To: ActiveDir@mail.activedir.org |Subject: [ActiveDir] script to check the inheritance from |the security Tab... | |Hi, | I would like to make sure that all the following check boxe is |checked: |Inherit from parent the permissions entries that apply to child object. | |I would like to do this as a batch job, without having to go |manually to each user objects. | | |Anyone has an idea on scripts or tools (freeware) that can |allow me to reset these? | | |Thanks! | | | | |List info : http://www.activedir.org/List.aspx |List FAQ: http://www.activedir.org/ListFAQ.aspx |List archive: |http://www.mail-archive.com/activedir%40mail.activedir.org/ | List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] script to check the inheritance from the security Tab...
Yes, it has been solved. If you want to come back on this, just mail me off list. Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Wednesday, October 26, 2005 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] script to check the inheritance from the security Tab... Hi Michel, If i can permit, have u solved your pb concerning this thread [ActiveDir] only 1 GPO not applying... u posted earlier in this list ? Here is your post Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the The following GPOs were not applied because they were filtered out section... Any ideas? Thanks for your time! I would be interested about your resolution :) Thank u for input and have a nice day. Yann -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Bruyere, Michel Envoyé : mercredi 26 octobre 2005 14:32 À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] script to check the inheritance from the security Tab... Thanks for the input, Problem solved. Thanks to Yann too! -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Wednesday, October 26, 2005 2:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] script to check the inheritance from the security Tab... Hallo Michel, Look a the VB-Script in KB 817433 ( http://support.microsoft.com/?id=817433 ), especially the SetInheritanceFlag-Function. Ulf |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, |Michel |Sent: Wednesday, October 26, 2005 12:48 AM |To: ActiveDir@mail.activedir.org |Subject: [ActiveDir] script to check the inheritance from the |security Tab... | |Hi, | I would like to make sure that all the following check boxe is |checked: |Inherit from parent the permissions entries that apply to child object. | |I would like to do this as a batch job, without having to go manually |to each user objects. | | |Anyone has an idea on scripts or tools (freeware) that can allow me |to reset these? | | |Thanks! | | | | |List info : http://www.activedir.org/List.aspx |List FAQ: http://www.activedir.org/ListFAQ.aspx |List archive: |http://www.mail-archive.com/activedir%40mail.activedir.org/ | List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] script to check the inheritance from the security Tab...
Hi, I would like to make sure that all the following check boxe is checked: Inherit from parent the permissions entries that apply to child object. I would like to do this as a batch job, without having to go manually to each user objects. Anyone has an idea on scripts or tools (freeware) that can allow me to reset these? Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, That's the first thing I checked ;) they have the read and apply perms. I also added domain users in the perms (with read and apply) just to be sure. Still no go. Thanks for the thought! ;) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: September 19, 2005 4:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... One other thing to look at in the filtering permissions... The user account/group must actually have two rights. It must have the right to read the policy object and the right to apply the policy object. FWIW - Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 4:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I thought that this could be a problem... I added domain users and everyone in the permissions to test things out... still no go. The gpresult message does not report any filtering (except for the computers GPOs that have the users section disabled, but the reason listed is disabled which is normal). Still in the dark ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: September 19, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... The filtering message you got from RSOP indicates that either security group filtering or WMI filtering may be getting in the way of this. How have you configured security on that GPO? By default, Authenticated Users (meaning all users and computers in the domain) will process a GPO. So if you removed the Authenticated Users ACE you need to replace that with a user group that contains all the users you wish to receive that GPO. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the The following GPOs were not applied because they were filtered out section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
No, its only XP SP2 adm settings, there is only one object push IE config. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: September 19, 2005 5:14 PM To: ActiveDir.org Subject: Re: [ActiveDir] only 1 GPO not applying... Are you deploying any IE branding/customisation in the GPO, if so you will need a hotfix to enable the application of GPO's Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
There is no errors, only this Event Type: Success Audit Event Source: Security Event Category: Policy Change Event ID: 806 Date: 19/09/2005 Time: 3:36:07 PM User: AUTORITE NT\SYSTEM Computer: Computername Description: Per User Audit Policy was refreshed. Number of elements: 0 Policy ID: (0x0,0xB72C) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan Sent: September 19, 2005 5:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... So setting that policy enabled the computer policy to apply, but the user policy still isn't? are you getting any errors in the event logs? Usually when a group policy does not apply you will get some. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the The following GPOs were not applied because they were filtered out section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi,
I'm activating the logging with verbose... do you think it's
enough?
Here is a part of whats in there.
USERENV(210.214) 11:22:59:390 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(210.1a0) 01:34:18:174 ProcessGPOs: GetGPOInfo failed.
USERENV(208.608) 10:15:07:406 ReadMembershipList: Group
S-1-5-21-1785794336-1158417043-4547331-2117 not in current list of token
groups
USERENV(208.144) 10:15:09:937 PolicyChangedThread: UpdateUser failed
with 0.
USERENV(208.b6c) 13:52:56:848 PolicyChangedThread: UpdateUser failed
with 6.
Here is the complete configuration of the policy that I'm testing with:
ScreenSaver_User
General
Details
Domain Domain
Owner Domain\Domain Admins
Created 15/09/2005 9:07:24 AM
Modified 19/09/2005 3:28:06 PM
User Revisions 10 (AD), 10 (sysvol)
Computer Revisions 1 (AD), 1 (sysvol)
Unique ID {356D9C9D-53A3-49CD-ABB5-}
GPO Status Enabled
Links
LocationEnforced Link Status
Technique No Enabled
Usagers_direction No Enabled
Usagers_inventorieesNo Enabled
Usagers_portables No Enabled
Usagers_portables_valides No Enabled
Usagers_valideesNo Enabled
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users,
and computers:
NT AUTHORITY\Authenticated Users
Domain\Domain Users
WMI Filtering
WMI Filter Name None
Description Not applicable
Delegation
These groups and users have the specified permission for this GPOName
Allowed Permissions
Inherited
Everyone Read (from Security Filtering) No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
DOMAIN\Domain Admins Edit settings, delete, modify security No
DOMAIN\Domain Users Read (from Security Filtering) No
DOMAIN\Enterprise Admins Edit settings, delete, modify security No
Computer Configuration (Enabled)
Administrative Templates
System/Logon
Policy Setting
Always wait for the network at computer startup and logon Enabled
User Configuration (Enabled)
Administrative Templates
Control Panel/Display
Policy Setting
Hide Screen Saver tab Enabled
Password protect the screen saver Enabled
Screen Saver Enabled
Screen Saver executable name Enabled
Screen Saver executable name %systemroot%\system32\ssmarque.scr
Policy Setting
Screen Saver timeout Enabled
Number of seconds to wait to enable the Screen Saver
Seconds: 600
Thanks for your help!
Darren: I can send you the result file for the userenv log. It's about
200KB.
You can contact me offlist at mbruyere at gmail dot com.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...
Ok, so in the RSOP report, does it show the setting being applied to the
user? If not, then the next step is to enable userenv logging and see
what it shows when it enumerates the GPOs to process for the user. These
kinds of problems typically break down into:
--infrastructure problems (e.g. DNS, FRS, etc. which usually means no
GPOs apply)
--Configuration problems (e.g. GPO linked wrong, filtered wrong or
blocked by some config. error)
--Client problems (e.g. Required client services not running, issues
with client communicating with DC, etc.)
In your case it sounds like either a config. problem or a client
problem--probably the latter. One thing to double-check--sometimes a
setting gets applied but the client doesn't behave as expected. Look in
the system.adm file and determine what registry value should be set for
that screen saver policy then confirm on the client that it indeed is
not being set. That way you know that it's a problem of not processing
the GPO correctly rather than a problem of the policy not responding the
way you expect.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...
Hi,
I thought that this could be a problem... I added domain users
and everyone in the permissions to test things out... still no go.
The gpresult message does not report any filtering (except for the
computers GPOs that have the users section disabled, but the reason
listed is disabled which is normal).
Still in the dark ...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir
[ActiveDir] only 1 GPO not applying...
Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the The following GPOs were not applied because they were filtered out section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Nope, I'll try it! Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan Sent: September 19, 2005 2:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Have you tried enabling the Always wait for the network at computer startup and logon? it is in computer configurationadministrative templatessystemlogon. Dan DeStefano -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the The following GPOs were not applied because they were filtered out section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the The following GPOs were not applied because they were filtered out section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, Look within quotes... Are you applying the policy to an OU that does not have users? If so that is why the GPO is not applying. You would need to do a loopback processing option for this. Nope, there are user's accounts in the OU. The AD OUs are defined with some OUs for users and some OUs for computers (by dept.) You need to enable loopback Processing This is under Computer/administrative templates/system/group policy Used it in 1 case and it works fine. I had to apply user settings on a per computer basis. Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, I thought that this could be a problem... I added domain users and everyone in the permissions to test things out... still no go. The gpresult message does not report any filtering (except for the computers GPOs that have the users section disabled, but the reason listed is disabled which is normal). Still in the dark ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: September 19, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... The filtering message you got from RSOP indicates that either security group filtering or WMI filtering may be getting in the way of this. How have you configured security on that GPO? By default, Authenticated Users (meaning all users and computers in the domain) will process a GPO. So if you removed the Authenticated Users ACE you need to replace that with a user group that contains all the users you wish to receive that GPO. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the The following GPOs were not applied because they were filtered out section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Change ownership
Title: DC replicating with deleted DSA object Right click on the folder then properties Go in security tab and click advanced In there click on the owner tab and then select/add the owner you want Check the box that says replace owner on subcontainers and object Youre done ;) De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Douglas M. Long Envoyé: Monday, August 08, 2005 2:32 PM À: ActiveDir@mail.activedir.org Objet: [ActiveDir] OT: Change ownership Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
RE: [ActiveDir] OT: Change ownership
Title: DC replicating with deleted DSA object Oh! I did not understand the question, other than scripting I cant think of a way to do that. De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Douglas M. Long Envoyé: Monday, August 08, 2005 2:51 PM À: ActiveDir@mail.activedir.org Objet: RE: [ActiveDir] OT: Change ownership I only want to replace the owner on files/folders for a specific user, not all of them. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, August 08, 2005 2:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Change ownership Right click on the folder then properties Go in security tab and click advanced In there click on the owner tab and then select/add the owner you want Check the box that says replace owner on subcontainers and object Youre done ;) De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Douglas M. Long Envoyé: Monday, August 08, 2005 2:32 PM À: ActiveDir@mail.activedir.org Objet: [ActiveDir] OT: Change ownership Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
RE: [ActiveDir] Changing a authoritative restore password on a DC
Hi,
I kept it when posted... here it is
Forest wide DSRM password reset script / Dean Wells / MSEtechnology / Jun. 2005
Thanks Dean for the tool BTW.
-Message d'origine-
De : [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] De la part de Hunter, Laura E.
Envoyé : Friday, August 05, 2005 1:41 PM
À : ActiveDir@mail.activedir.org
Objet : RE: [ActiveDir] Changing a authoritative restore password on a DC
Dean sent a script to the list awhile ago that will change it for all
DCs...
...
*digs around* I know it's here somewhere.
Hah!
-Original Message-
From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing a authoritative restore password on a DC
Greetings,
Quick question, does any one ever change their initial
password used when they installed Active Directory? If so do
you use a third party tool to automate the password change
across all the controllers or is this some thing that is
easily scriptable?
Sincerely,
Jose Medeiros
408-449-6621 Cell
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
:: Forest wide DSRM password reset script / Dean Wells / MSEtechnology / Jun.
2005
:: Script determines all DCs within a specified forest and resets their DSRM
password to the supplied value
:: - script depends upon SETPWD.EXE found ONLY in Windows 2000
@echo off
if %1==SPAWNRESET goto :SPAWNRESET
if %2== goto :HELP
if %2==/? goto :HELP
if not %3== goto :HELP
setlocal ENABLEDELAYEDEXPANSION
cls
echo/
:: Locate critical executables
for %%e in (setpwd.exe ldifde.exe find.exe mode.com) do (
set where=%%~$PATH:e
if !where!== (
echo ERROR - Required executable, %%e, not located within the
path
goto :EOF
)
)
set DSADNS=
set FQDN=%1
set ROOT=dc=%fqdn:.=,dc=%
set PWD=%2
echo STATUS - Attempting DSRM reset on all DCs within Forest %FQDN% ...
echo/
echo* Running on %COMPUTERNAME%
echo* Obtaining list of Domain Controllers from %ROOT%
echo/
ldifde -j %TEMP% -s %FQDN% -d cn=configuration,%ROOT% -r (objectClass=server)
-l dnshostname -f %TEMP%\servers.log nul
if errorlevel 1 (
echo ERROR - LDAP query failed enumerating list of Domain Controllers
goto :EOF
)
title DSRM forest-wide password reset ...
:: Parse the servers and trigger all processes
for /f tokens=2 delims=: %%h in ('type %TEMP%\servers.log ^| find /i
dnshostname: ') do (
set DSADNS=%%h
if not !DSADNS!== (
call :SPAWNRESET !DSADNS!
)
)
:: All done
echo/
echo STATUS - Process complete.
title Command Prompt
goto :EOF
:SPAWNRESET
set /p =- !DSADNS! ... nul
setpwd /s:%1 /p:%PWD% nul
if not errorlevel 1 (
echo SUCCEEDED
) else (
echo FAILED^!
)
goto :EOF
:HELP
echo/
echo SYNTAX - %0 ^Forest Root FQDN^ ^DSRM password^
echo/
echo PURPOSE - Script determines all DCs in the supplied forest and
echo resets their DSRM password to the supplied value.
echo/
echo * Requires Windows 2000 SETPWD.EXE within path
echo * Requires sufficient security context
goto :EOF
RE: [ActiveDir] Urgh... troubleshooting....
May look strange but are you running McAfee 8.0i?? Got someone that had something similar and the TDI driver of VS8 was the culprit... -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de vex Envoyé : Friday, July 29, 2005 4:15 PM À : ActiveDir@mail.activedir.org Objet : [ActiveDir] Urgh... troubleshooting Greetings, I've been a lurker here for quite some time and have had a relatively quiet AD until recently. We have a small network with 2K servers and a mix of 2K and XP2 workstations. Until recently, everything was find. Then Something Happened. I'm not sure what started the ball rolling, but it's certainly rolling now. I have one server that is listed in the AD and DNS as a DC, but it won't replicate AD either direction. I've spent a couple of hours doing some web surfing and initial troubleshooting, but I've had less than stellar success. (at one point in time it was working fine, since I have a lot of older AD information on the problem server) I've run DnsLint and all the DNS entries look good. When I do a 'net view \\servername' from the DC that does not have up to date AD information, I get a message back, access denied, and a corresponding entry in the security log about a failure audit of the server I'm attempting to view. But when I do the same thing and use an IP address instead of a server name, the net view information displays. Another symptom is printer connections and drive mapping. If I'm at the server with the out of date AD information, I'm getting an 'access denied' message when attempting to connect to a network printer or map a network drive. All of the steps outlined above work fine when initiated from any of the other servers. It's almost like the server with the out of date AD information is allowing access, but the rest of the servers in the organization won't let *that* particular server have access to any domain related stuff, such as printers and network shares. I can't even run dcpromo and remove AD from the affected server because it asks for some sort of authorization from other DC's located in the organization, but the other DC's won't allow it to access information. I'm assuming it's trying to tell the other DC's to remove any pertinent entries from the AD in regards to the server that's attempting to have it's AD removed Does anyone have any links to places I can continue to search for troubleshooting information? --Brett List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT Allow users to edit Excel Spreadsheet at the same time
Just go in the tools menu and you'll have an option that say share the spreadsheet or something like that. Sorry if I don't have the exact wording, my excel is in French so I have to translate it. Hope this help. -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Salandra, Justin A. Envoyé : Tuesday, July 26, 2005 1:12 PM À : ActiveDir@mail.activedir.org Objet : [ActiveDir] OT Allow users to edit Excel Spreadsheet at the same time I have a user that insists that her spreadsheet used to allow up to three people to access it and edit it at the same time. Is this possible and if it is how in the world do you configure it? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] delegation not working on Win2k AD
Title: Re: [ActiveDir] delegation not working on Win2k AD Hi Rick , Thanks for the answer, I double checked and I already have the technicians full control on computer objects set on the Computers container. Any other Ideas? De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Rick Kingslan Envoyé: Tuesday, May 17, 2005 6:09 PM À: ActiveDir@mail.activedir.org Objet: RE: [ActiveDir] delegation not working on Win2k AD I agree with many of the other posts here a domain level is likely the correct area to do this, simply because the usual location for a joined computer is the Computers Container not an OU. If they dont have access to the container, then they arent going to be able to join them. What is the scope of the delegated permissions? Is it This object and all child objects? Also, I think that Id create a new delegation in the Advanced properties of the AD Securities tab (it might exist if you arent used to using the Advanced view of Security in AD, you wont see it) for the techs. This time, however you are going to want to select Computer Objects from the dropdown, then select Full Control for the techs. Save this. If you dont have a clear idea on how to proceed, reply back. Ill send or post detailed instructions with pictures, if necessary, on how to do exactly what you want. -rtk From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, May 17, 2005 2:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] delegation not working on Win2k AD Hi, Thanks for the hint, but I did it too Here are the settings I have. In the user rights the group technicians is allowed to add computers to the domain. I also have the following perms on the Computers OU List content Read all properties Write all properties Read permissions Create computer objects Delete computer objects Read Container info Write container info Read heuristics Write heuristics I used the delegation wizard on the domain, not on the OU. Is there anything else Im missing? Thanks De: TIROA YANN [mailto:[EMAIL PROTECTED] De la part de TIROA YANN Envoyé: Tuesday, May 17, 2005 2:23 PM À: ActiveDir@mail.activedir.org; Bruyere, Michel Objet: RE: [ActiveDir] delegation not working on Win2k AD Hello ;-) If You want to delegate creation of computers for a subset of users, you may have to create a security groups (ie:technicians group), then go to the Default domain controller policy on Domain Controllers OU, and not on the Default Domain Policy of your Domain root. Add your group to Join computer to the domain. Notice that you have already security objects such as authenticated users: remove this group if necessary. Then yourusers will have the rights to join computers to domain: those will appear by default in Computers container. Cheers, Yann TIROA I would run the delegation wizard at the Domain.com level and delegate the Join a computer to the domain permission instead of creating a GPO. By using the wizard it grants the Create Computer Objects permission on This object and all child objects. Setting this permission at the OU level will allow the user to move computer objects between OU's but not join computers to the domain. Chris Ryan The Kroger Company [EMAIL PROTECTED] Office (513) 698-1935 Cell (513) 623-5362 Mark Parris [EMAIL PROTECTED] it.co.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject Re: [ActiveDir] delegation not 05/17/2005 12:25 working on Win2k AD PM Please respond to [EMAIL PROTECTED] tivedir.org I was under the impression that the setting in the GPO add workstations to a domain was the legacy way of granting such permissions and the correct way was on an OU where the accounts would live would be to grant create and delete computer objects and then grant full control to those objects. Regards Mark -Original Message- From: Medeiros, Jose [EMAIL PROTECTED] Date: Mon, 16 May 2005 13:44:26 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] delegation not working on Win2k AD Hi Michael, By default everyone in the domain can join up to 10 computers. My only thought is that you may have inadvertnly configured the wrong setting and after they added the 10 machines they are now be denied the right to do so. The corerect seeting is add workstations to a domain . Sincerely, Jose Medeiros Former Vice President and Postmaster NTEA MCP+I, MCSE, NT4 MCT www.ntea.net www.tvnug.org www.sfntug.org -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bruyere, Michel Sent: Monday, May 16, 2005 11:46 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] delegation not working on Win2k AD Hi, I used the delegation wizard to delegate the join computer to the domain task
RE: [ActiveDir] delegation not working on Win2k AD
Title: Re: [ActiveDir] delegation not working on Win2k AD Hi, Thanks for the hint, but I did it too Here are the settings I have. In the user rights the group technicians is allowed to add computers to the domain. I also have the following perms on the Computers OU List content Read all properties Write all properties Read permissions Create computer objects Delete computer objects Read Container info Write container info Read heuristics Write heuristics I used the delegation wizard on the domain, not on the OU. Is there anything else Im missing? Thanks De: TIROA YANN [mailto:[EMAIL PROTECTED] De la part de TIROA YANN Envoyé: Tuesday, May 17, 2005 2:23 PM À: ActiveDir@mail.activedir.org; Bruyere, Michel Objet: RE: [ActiveDir] delegation not working on Win2k AD Hello ;-) If You want to delegate creation of computers for a subset of users, you may have to create a security groups (ie:technicians group), then go to the Default domain controller policy on Domain Controllers OU, and not on the Default Domain Policy of your Domain root. Add your group to Join computer to the domain. Notice that you have already security objects such as authenticated users: remove this group if necessary. Then yourusers will have the rights to join computers to domain: those will appear by default in Computers container. Cheers, Yann TIROA I would run the delegation wizard at the Domain.com level and delegate the Join a computer to the domain permission instead of creating a GPO. By using the wizard it grants the Create Computer Objects permission on This object and all child objects. Setting this permission at the OU level will allow the user to move computer objects between OU's but not join computers to the domain. Chris Ryan The Kroger Company [EMAIL PROTECTED] Office (513) 698-1935 Cell (513) 623-5362 Mark Parris [EMAIL PROTECTED] it.co.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject Re: [ActiveDir] delegation not 05/17/2005 12:25 working on Win2k AD PM Please respond to [EMAIL PROTECTED] tivedir.org I was under the impression that the setting in the GPO add workstations to a domain was the legacy way of granting such permissions and the correct way was on an OU where the accounts would live would be to grant create and delete computer objects and then grant full control to those objects. Regards Mark -Original Message- From: Medeiros, Jose [EMAIL PROTECTED] Date: Mon, 16 May 2005 13:44:26 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] delegation not working on Win2k AD Hi Michael, By default everyone in the domain can join up to 10 computers. My only thought is that you may have inadvertnly configured the wrong setting and after they added the 10 machines they are now be denied the right to do so. The corerect seeting is add workstations to a domain . Sincerely, Jose Medeiros Former Vice President and Postmaster NTEA MCP+I, MCSE, NT4 MCT www.ntea.net www.tvnug.org www.sfntug.org -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bruyere, Michel Sent: Monday, May 16, 2005 11:46 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] delegation not working on Win2k AD Hi, I used the delegation wizard to delegate the join computer to the domain task to the technicians group. Everything worked fine until today. For no apparent reasons, it gives an access denied to the technicians group members when they try to join a computer to the domain. Nothing has changed on the system, I mean manually. When I go into the security tab, I can see that they have the right to create computer objects. I tried to use the delegation wizard again, but still no go. Ideas anyone? Thanks List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] delegation not working on Win2k AD
Hi, I used the delegation wizard to delegate the join computer to the domain task to the technicians group. Everything worked fine until today. For no apparent reasons, it gives an access denied to the technicians group members when they try to join a computer to the domain. Nothing has changed on the system, I mean manually. When I go into the security tab, I can see that they have the right to create computer objects. I tried to use the delegation wizard again, but still no go. Ideas anyone? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Strange problem
Thanks everyone for the inputs. I used the delegation wizard but it wasn't allowing to re-enable disabled account. So I decided to do that the hard way. Actually it's fixed, seems that I was just too in a hurry. This morning everything was working fine and I didn't change anyhting. So it was like a replication not done yet issue. Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Strange problem
My bad, I used the wrong word, I didn't mean disabled, but locked out account ;/. -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de joe Envoyé : Tuesday, May 10, 2005 1:25 PM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] Strange problem Delegating enabling a disabled account is a little more involved, well maybe not so much so. You can't just delegate that function. The disabled flag is maintained in useraccountcontrol which is home to lots of flags[1]. So delegating that attribute means you delegate things other than ability to enable/disable. You also enable password not required, etc. One way around that would be to delegate account expiration since that can be maintained in a single attribute. If you want to disable the account, you simply set the date of expiration in the past. To delegate useraccountcontrol WP userAccountControl To delegate accountexpiration WP accountExpires joe [1] See http://msdn.microsoft.com/library/default.asp?url=/library/en- us/adsi/adsi/a ds_user_flag_enum.asp. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, May 10, 2005 11:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange problem Thanks everyone for the inputs. I used the delegation wizard but it wasn't allowing to re-enable disabled account. So I decided to do that the hard way. Actually it's fixed, seems that I was just too in a hurry. This morning everything was working fine and I didn't change anyhting. So it was like a replication not done yet issue. Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Strange problem
Hi, I delegated the password management to the technicians group. There is a glitch though, they can't seem to be able to reset password even if I gave the permission to do so (on the OU). All the get is Access denied (and the check box to set the change password a next logon bit is grayed. The permissions have been set in the security tab, using the Advanced view of ADUC. Here are the security settings for the Technicians group: reset password change password read pwdLastSet write pwdLastSet read LockoutTime write LockoutTime read accountrestrictions What I'm missing here? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Solved - [ActiveDir] GPO errors on logon
Well, This is the weirdest thing I ever seen. I did another profile reset and it fixed it. I did it once already and the problem was still there. Yesterday I thought that I would retry that and guest what, it worked! Well thanks for all the help you guys provided! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Group Policy Not working
What does GPresult return? De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Christine Allen Envoyé: Thursday, April 28, 2005 11:35 AM À: 'ActiveDir@mail.activedir.org' Objet: [ActiveDir] Group Policy Not working Hello, My environment is windows 2000 Ad. I have a GPO that runs a logon script that attaches printers by ou. It's working for most, but not a few individuals. No errors in the event log. They are in the correct ou. They are logging into the domain. Any other areas Ishould check? I'm lost. Many Thanks -Christine Christine N. Allen Systems Engineer BMC HealthNet Plan One Design Center Place Boston, MA 02210 617-748-6034 617-293-4407
RE: [ActiveDir] Email Addresses in AD
Im not sure that its what you want to do, but http://support.microsoft.com/default.aspx?scid=kb;en-us;285136Product=exch2k From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Tuesday, April 19, 2005 4:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Email Addresses in AD If I don't have user email addresses setup in AD (on all user profiles/account) can I setup Exchange to pull the account name and then add the domain information to it to create the email address automatically for users? Thanks, Brenda
RE: RE : [ActiveDir] GPO errors on logon
Hi,
Sorry for the time it took to get back, the user was out of the office.
I just been able to run it. Here is the result
Computer Name: Computer
DNS Host Name: Computer.domain
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 6 Model 13 Stepping 8, GenuineIntel
List of installed hotfixes :
KB834707
KB884018
KB885855
KB889673
Q147222
Netcard queries test . . . . . . . : Passed
GetStats failed for 'Infrared Port'. [ERROR_NOT_SUPPORTED]
[WARNING] The net card 'SMSC IrCC - Fast Infrared Port' may not be working
because it has not received any packets.
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : Computer
IP Address . . . . . . . . : 192.168.0.211
Subnet Mask. . . . . . . . : 255.255.248.0
Default Gateway. . . . . . : 192.168.0.19
Dns Servers. . . . . . . . : 192.168.0.17
192.168.0.10
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{4F3C9BDE-FC0A-4FFA-B4E3-B0F4C0864A50}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{4F3C9BDE-FC0A-4FFA-B4E3-B0F4C0864A50}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{4F3C9BDE-FC0A-4FFA-B4E3-B0F4C0864A50}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'DOMAIN' is to '\\DC.Domain'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run ipseccmd /? for more detailed information
The command completed successfully
I just recreated the profile and things seem to be a lot better now... I'll
keep you posted if it really fixed it or if it's just luck.
-Message d'origine-
De : [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] De la part de tvanden
Envoyé : Tuesday, April 26, 2005 1:24 PM
À : ActiveDir@mail.activedir.org
Objet : RE : [ActiveDir] GPO errors on logon
Hi,
Could you post an output of netdiag run on your XP ?
Thanks
-Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] De la part de Bruyere,
Michel
Envoyé : mardi 26 avril 2005 16:45
À : ActiveDir@mail.activedir.org
Objet : RE: [ActiveDir] GPO errors on logon
Hi,
Sorry for the delay, I've been quite busy lately. Checking the
DNS was the first thing I did when I got the error. After checking a bit
further I found 3 other machines that have this error (including my own
laptop where the error started out of nowhere). I tried some things in
the GPOs but nothing seemed to work.
Any other ideas are welcomed! (I may try to call PSS to get that hot
fix, but as I said, the article talks about XP SP1 only and we are under
SP2)
-Message d'origine-
De : [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] De la part de Cothern Jeff D. Team EITC
Envoyé : Saturday, April 23, 2005 3:21 PM
À : ActiveDir@mail.activedir.org
Objet : RE: [ActiveDir] GPO errors on logon
Verify your network settings. Is the Primary DNS set to the correct
DNS
server? I found this happening on a system and it was cause it
couldn't
find the Domain Controller properly. Not sure if that is your problem
per se but its definitely worth a look.
Jeff
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere,
Michel
Sent: Friday, April 22, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO errors on logon
Hi,
I have 2 laptops
RE: [ActiveDir] GPO errors on logon
Hi, Sorry for the delay, I've been quite busy lately. Checking the DNS was the first thing I did when I got the error. After checking a bit further I found 3 other machines that have this error (including my own laptop where the error started out of nowhere). I tried some things in the GPOs but nothing seemed to work. Any other ideas are welcomed! (I may try to call PSS to get that hot fix, but as I said, the article talks about XP SP1 only and we are under SP2) -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Cothern Jeff D. Team EITC Envoyé : Saturday, April 23, 2005 3:21 PM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] GPO errors on logon Verify your network settings. Is the Primary DNS set to the correct DNS server? I found this happening on a system and it was cause it couldn't find the Domain Controller properly. Not sure if that is your problem per se but its definitely worth a look. Jeff -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Friday, April 22, 2005 4:14 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO errors on logon Hi, I have 2 laptops that have the same problem. They are very slow to logon the domain and they generates the following events: Event Type: Error Event Source: Userenv Event Category: None Event ID: 1030 Date: 4/22/2005 Time: 3:55:08 PM User: Domain\username Computer: computername Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. Event Type: Error Event Source: Userenv Event Category: None Event ID: 1006 Date: 4/22/2005 Time: 3:55:08 PM User: Domain\username Computer: computername Description: Windows cannot bind to workgroup domain. (Erreur locale). Group Policy processing aborted. I've done some research and I found an article that seems to cover this issue though it's applicable on XP sp1 and the laptops are SP2. The solution on this article was a hot fix that needs to be sent by PSS. The other problem (that seems to be related to the first one) is that it takes almost 1 minute to logon. Both laptops are Toshiba with Windows XP sp2 full patched. The domain is a Win2k native domain. Anyone has seen that already? Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] GPO errors on logon
Hi, I have 2 laptops that have the same problem. They are very slow to logon the domain and they generates the following events: Event Type: Error Event Source: Userenv Event Category: None Event ID: 1030 Date: 4/22/2005 Time: 3:55:08 PM User: Domain\username Computer: computername Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. Event Type: Error Event Source: Userenv Event Category: None Event ID: 1006 Date: 4/22/2005 Time: 3:55:08 PM User: Domain\username Computer: computername Description: Windows cannot bind to workgroup domain. (Erreur locale). Group Policy processing aborted. I've done some research and I found an article that seems to cover this issue though it's applicable on XP sp1 and the laptops are SP2. The solution on this article was a hot fix that needs to be sent by PSS. The other problem (that seems to be related to the first one) is that it takes almost 1 minute to logon. Both laptops are Toshiba with Windows XP sp2 full patched. The domain is a Win2k native domain. Anyone has seen that already? Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] OT:Upgrade from 2k to 2k3
Hi, I'm just looking to upgrade our domain controllers from 2k to 2k3. I actually have a 2k with exchange 2k that need to be upgraded to 2k3 and Exchange 2k3. Should I upgrade the exchange system before doing the DCs? Anyone have any docs with pros and cons? What is better or would cause fewer troubles. Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] joining station to the domain and GPO...
Hi all, Thanks everyone for your inputs! The solution is now adopted. I'll go with your suggestions, temporarily I'll pre-create the objects in AD until I upgrade to Win2k3 (soon) and then ill use the Redircomp command. Keep up the good work! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] joining station to the domain and GPO...
Hi, I have a little question as to how you guys would handle this situation... I have 2 techs that are adding stations to the domain from time to time. When they join the stations to the domain, the computer account is created in the COMPUTERS built-in UO. I have many UOs that are used to deploy the GPOs depending on the type of computers, let say desktop and laptops. The problem actually occurs because they forget to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied. I actually check the UO manually but I would like to have any automated way to check for new computer account added in the UO. For control purposes, they don't have access to move the computer account from an UO to another and it have to stay that way. Any ideas or 3rd party programs that can help are appreciated... Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] joining station to the domain and GPO...
Sorry for not mentioning it... it's a native win2k domain with XP sp2 stations and laptops. -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de mike kline Envoyé : Wednesday, April 13, 2005 2:37 PM À : ActiveDir@mail.activedir.org Objet : Re: [ActiveDir] joining station to the domain and GPO... Michel, If you are running Windows 2003 then the Redircomp.exe may be what you are looking for. From: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Dep Kit/bf5437ce-389c-4dc9-953c-999f854b98d1.mspx Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 that enable you to change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects. This article describes it's use: http://support.microsoft.com/default.aspx?scid=kb;en-us;324949 I hope that helps Thanks Mike On 4/13/05, Bruyere, Michel [EMAIL PROTECTED] wrote: Hi, I have a little question as to how you guys would handle this situation... I have 2 techs that are adding stations to the domain from time to time. When they join the stations to the domain, the computer account is created in the COMPUTERS built-in UO. I have many UOs that are used to deploy the GPOs depending on the type of computers, let say desktop and laptops. The problem actually occurs because they forget to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied. I actually check the UO manually but I would like to have any automated way to check for new computer account added in the UO. For control purposes, they don't have access to move the computer account from an UO to another and it have to stay that way. Any ideas or 3rd party programs that can help are appreciated... Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail- archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] joining station to the domain and GPO...
That's a good idea, I'll check into that option. So simple that I never thought about it. -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de David Aragon Envoyé : Wednesday, April 13, 2005 2:59 PM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] joining station to the domain and GPO... Michel, You asked how we would handle the situation. Rather than a solution that looks at things done after the fact, my question back to you would be this: You mention the techs have the ability to add computers to the Domain, but do not have the ability to move objects from one OU to another OU (I have the same setup). Do the techs have, and if not someone in your organization should have, the ability to pre-create the computer objects where they belong, say when the request comes in from the user or a supervisor to join a system? I mention this because you said the computer account is created in OU=COMPUTERS, the default container used when there is no pre-created object. Pre-creation would solve your problem as when the system is joined to the Domain it would be where it belonged and get all the appropriate GPO's. I understand your pain, I suffer from the same ailment your describing, a few techs that can't seem to follow even the simplest instruction set, but in the long run pre-creation actually saves time and energy. David Aragon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Wednesday, April 13, 2005 8:31 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] joining station to the domain and GPO... Hi, I have a little question as to how you guys would handle this situation... I have 2 techs that are adding stations to the domain from time to time. When they join the stations to the domain, the computer account is created in the COMPUTERS built-in UO. I have many UOs that are used to deploy the GPOs depending on the type of computers, let say desktop and laptops. The problem actually occurs because they forget to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied. I actually check the UO manually but I would like to have any automated way to check for new computer account added in the UO. For control purposes, they don't have access to move the computer account from an UO to another and it have to stay that way. Any ideas or 3rd party programs that can help are appreciated... Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Exchange Transaction logs
Hi, So lets say I get the backup software working correctly (Duh, I forgot to turn on the open file option)...will I ever need the transaction logs from say January of this year? The reason I ask is because for now I have just moved all logs older than February to another machine to free space. If I don't need to ever backup those transaction logs, then I will just delete them once I have verified that the backups are working correctly. You shouldn't delete them. Exchange will flush them after a good backup. If your backup ends up successfully but the logs are still there, then its because you don't backup Exchange using the right method. Using a flat file backup isn't the proper way to backup exchange. If you have a large collection of logs, and want to delete them manually, then you won't be able to recover from a disaster (you may, but it's gonna be tricky). List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Exchange Transaction logs
Hi, I'm still not exactly sure of what you're saying but if I understand correctly, you have old logs stored on a file server. These logs are coming from a time where there was no exchange backups, so they were building up eating disk space. If this is right, having a good backup that committed the logs after the date of those stored logs render them useless. So, yes you can delete them. Sorry if I didn't got it right -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Douglas M. Long Envoyé : Tuesday, April 12, 2005 11:33 AM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] OT: Exchange Transaction logs I guess I didn't make what I was saying very clear. A proper backup won't clear the older logs that I am speaking of because that machine (just a machine with disk space, not an exchange machine) is not being backed up. I just don't know if I will need those older logs backed up at all. I do understand that once the backups are running properly, then I shouldn't have to manage the transaction logs anymore. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Exchange Transaction logs
I'm using Veritas 9.1 actually but it's almost the same as 10.0, with the exchange agent. You can contact me off list; I may be able to help you out a bit -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Douglas M. Long Envoyé : Tuesday, April 12, 2005 2:03 PM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] OT: Exchange Transaction logs I am using BackupExec 10. I believe Michel answered my specific question. I am talking to the Veritas people right now to see what I have setup wrong. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Exchange Transaction logs
OMG, I hope he's not oing BLB's, That's the worst thing I ever tried ;/ -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Medeiros, Jose Envoyé : Tuesday, April 12, 2005 3:35 PM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] OT: Exchange Transaction logs This may sound like a simple suggestion, however did you reboot after installing the Veritas agent on Exchange? While your at it, check to make sure that Circular logging is off or you'll have problems with Incremental Backups. One other issue that I found in Arcadia Backup Exec 6 /Seagate 7 and Verritas 8 9 is that the Veritas service account and mailbox you created requires that it not be hidden from the Global Address list for brick level backups to work correctly. Hope this helps, Jose Medeiros MCP+I, MCSE, MCT www.ntea.net www.sfntug.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Ad delegation
Hi, It's me again. I have another problem ;) I would like to delegate 3 actions to the technicians in the AD. The 2 first are easy to set, the third is the one that cause me a problem. 1- reset the users password 2- set the must change password at next logon 3- enable account that was disabled due to the password policy (locked after bad attempts) I looked in the security and the delegation tabs and I never saw anything concrete about it. Anyone has an idea on how to achieve it? BTW it's a Win2k native domain. Thanks! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Ad delegation
Solved... I would like to delegate 3 actions to the technicians in the AD. The 2 first are easy to set, the third is the one that cause me a problem. 1- reset the users password 2- set the must change password at next logon 3- enable account that was disabled due to the password policy (locked after bad attempts) I looked in the security and the delegation tabs and I never saw anything concrete about it. Anyone has an idea on how to achieve it? BTW it's a Win2k native domain. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Ad delegation
Here it is: Set these to the UO for the group/user you want * allow Reset Password permission for user objects-grants permission to reset an account's password * allow Write lockoutTime permission for user objects-grants permission to unlock an account * allow Write pwdLastSet permission for user objects-grants permission to set User must change password at next logon account property * allow Read AccountRestrictions permission for user objects-grants permission to read all account options -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Francis Ouellet Envoyé : Tuesday, March 22, 2005 2:54 PM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] Ad delegation Hi Michel, Care to explain the steps you took? Thanks! Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: 22 mars 2005 14:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ad delegation Solved... I would like to delegate 3 actions to the technicians in the AD. The 2 first are easy to set, the third is the one that cause me a problem. 1- reset the users password 2- set the must change password at next logon 3- enable account that was disabled due to the password policy (locked after bad attempts) I looked in the security and the delegation tabs and I never saw anything concrete about it. Anyone has an idea on how to achieve it? BTW it's a Win2k native domain. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT:RPC over HTTP vs OWA
You're right, I meant UNLOCKING accounts not enabling them! As for the lockout time... it is available in 2k too. De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de joe Envoyé: Tuesday, March 22, 2005 3:13 PM À: ActiveDir@mail.activedir.org Objet: RE: [ActiveDir] OT:RPC over HTTP vs OWA OWA allows for two-factor authentication such as SecurID and Windows Password. RPC over HTTP does not have that capabaility that I have seen. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe Sent: Tuesday, March 22, 2005 2:52 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT:RPC over HTTP vs OWA Hey all I was wondering what everyones thoughts were about using RPC over HTTP vs Outlook Web Access? Is one more secure than the other? What were the reasons you implemented one and not the other? Any insight is always much appreciated! Thanks! Joe Pelle Senior Infrastructure Architect Information Technology Valassis / IT 19975 Victor Parkway Livonia, MI 48152 Tel 734.591.7324 Fax 734.632.6151 [EMAIL PROTECTED] http://www.valassis.com/ This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.
RE: [ActiveDir] GPO loopback again...
Ok, Thanks for the input, I'll try to find out another way to achieve what is requested... there must be user policies combination that may get the result wanted... -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de [EMAIL PROTECTED] Envoyé : Wednesday, March 16, 2005 2:50 PM À : ActiveDir@mail.activedir.org Objet : Re: [ActiveDir] GPO loopback again... Hi Michel, I don't believe there is a loop back equivalent to do what you want. I am not exactly sure what you mean by restrict installation process. If you mean to install and deinstall software for a given user, you can do that via the User part of the policy. If you mean Change some machine registry keys, you could write a script to do it, but remember you are running in the user context and so may not have access to change the key. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml - Original Message - From: Bruyere, Michel [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, March 16, 2005 6:42 AM Subject: [ActiveDir] GPO loopback again... Hi, After testing things out with the loopback i still can't do something and i'm wondering if it posible to do it. With the loopback it's possible to make a user defined policy on a computer basis, but is it possible to make a computer defined policy on a user basis? What I wanna do is to restrict installation process and things like this but on a user basis to avoid having to move the computer account in and out of the UO. Thanks for your help! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] GPO loopback again...
Hi, After testing things out with the loopback i still can't do something and i'm wondering if it posible to do it. With the loopback it's possible to make a user defined policy on a computer basis, but is it possible to make a computer defined policy on a user basis? What I wanna do is to restrict installation process and things like this but on a user basis to avoid having to move the computer account in and out of the UO. Thanks for your help! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] GPO question
Hi, I've been asked to do something quite unusual (for me though). I want to make GPOs from the Computer administrative templates apply to Users. I don't know if it's possible to do such thing, but I tried it and here is the result I got. COMPUTER SETTINGS -- Applied Group Policy Objects - dns Default Domain Policy The following GPOs were not applied because they were filtered out --- wallpaper Filtering: Not Applied (Empty) Local Group Policy Filtering: Not Applied (Empty) USER SETTINGS -- Applied Group Policy Objects - start menu and taskbar control panel network connections system_user MMC IE_user netmeeting_user desktop Default Domain Policy The following GPOs were not applied because they were filtered out --- system_machine Filtering: Not Applied (Empty) msn Messenger Filtering: Not Applied (Empty) Windows installer and update Filtering: Not Applied (Empty) Local Group Policy Filtering: Not Applied (Empty) ts_machine Filtering: Not Applied (Empty) As you can see, there are no settings applied because the system sees that there is no user policies defined in the object and vice versa. What is required is to apply the settings from the computer administrative templates on a per user basis instead of computer. Can you guys tell me if it's possible to do it? If yes how. Thanks for your time List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO question
Thank you sir! I already seen this in the past, you just reminded me it! -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Crawford, Scott Envoyé : Monday, March 14, 2005 4:30 PM À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] GPO question Yup, just set the below key to enabled and then any settings you put in the User Configuration part of that GPO will be applied to any user logging into any computer assigned that GPO. Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, March 14, 2005 3:16 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO question Hi, I've been asked to do something quite unusual (for me though). I want to make GPOs from the Computer administrative templates apply to Users. I don't know if it's possible to do such thing, but I tried it and here is the result I got. COMPUTER SETTINGS -- Applied Group Policy Objects - dns Default Domain Policy The following GPOs were not applied because they were filtered out --- wallpaper Filtering: Not Applied (Empty) Local Group Policy Filtering: Not Applied (Empty) USER SETTINGS -- Applied Group Policy Objects - start menu and taskbar control panel network connections system_user MMC IE_user netmeeting_user desktop Default Domain Policy The following GPOs were not applied because they were filtered out --- system_machine Filtering: Not Applied (Empty) msn Messenger Filtering: Not Applied (Empty) Windows installer and update Filtering: Not Applied (Empty) Local Group Policy Filtering: Not Applied (Empty) ts_machine Filtering: Not Applied (Empty) As you can see, there are no settings applied because the system sees that there is no user policies defined in the object and vice versa. What is required is to apply the settings from the computer administrative templates on a per user basis instead of computer. Can you guys tell me if it's possible to do it? If yes how. Thanks for your time List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO doesnt apply
You're right... its my bad... -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de [EMAIL PROTECTED] Envoyé : Monday, January 31, 2005 9:55 AM À : ActiveDir@mail.activedir.org Objet : Re: [ActiveDir] GPO doesnt apply Hi Michel... Is MSN supposed to be MSN messenger? I dont think the policies are for that, but for Windows Messenger.Or maybe I'm just not reading this right. Not that it would make applying them any differently, but you might be able to just eliminate that policy, if that's the case. John Bruyere, Michel [EMAIL PROTECTED] ada.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject [ActiveDir] GPO doesnt apply 01/31/2005 08:40 AM Please respond to [EMAIL PROTECTED] tivedir.org Hi, I'm actually facing a strange problem... I can't seem to make 2 policies apply simultaneously. Here is the configuration: Domain - Users_ou1 - Users_ou2 - Users_ou3 - Users_ou4 - Users_ou5 - Users_ou1 - Computers_ou1 - Computers_ou2 - Computers_ou3 - Computers_ou4 - Computers_ou5 The OUs are different departments and they contain user's accounts for the users OUs and computer's accounts for the Computers_ou. I created a GPO using the Windows XP sp2 adm templates. I applied/modified them from a station with the 2k3 admin pack and GPMC. The GPOs that I wanna apply are quite basics. 1- MSN - I deny the launch of msn at windows start and prevent running the program. 2- unwanted programs - I denied the exe for the latest version of MSN (for some reasons, the MSN gpo doesn't catch it up) The result that I have is the following: Applied Group Policy Objects - screensaver unwanted Default Domain Policy OR Applied Group Policy Objects - screensaver MSN Default Domain Policy And what I would like is: Applied Group Policy Objects - screensaver unwanted MSN Default Domain Policy Note that the MSN is applied to the computers_ou and the unwanted on the users_ou Anyone can share a thought about it? Thanks! M.Bruyere Network/systems administrator CompTIA A+, Network+ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] GPO question
Hi, I would like to know if its possible for a Win2k Sp4 to push GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site and I want to push some of them. I did take the .adm from a XPsp2 and I added them to the Win 2k server. The problem is that I get a whole lot of messages: The following entry in the [string] section is too long and has been truncated. And, just below this message, I have what looks like explanations of some policies. I can see/use the GPOs after I clicked OK 2 trilions times. Is there a way to get around this?? Thanks M.Bruyere Network/systems administrator CompTIA A+, Network+ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO question
Hi Thanks for the information. I had tried the 323593 fix but no go ;) now hopefully this one will work -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Tomasz Onyszko Envoyé : Monday, December 06, 2004 3:16 PM À : [EMAIL PROTECTED] Objet : Re: [ActiveDir] GPO question On Mon, 6 Dec 2004 14:46:38 -0500, Bruyere, Michel wrote Hi, I would like to know if its possible for a Win2k Sp4 to push GPOs of WinXP sp2. I've found a list of all XPsp2 gpos on the MS site and I want to push some of them. I did take the .adm from a XPsp2 and I added them to the Win 2k server. The problem is that I get a whole lot of messages: The following entry in the [string] section is too long and has been truncated. And, just below this message, I have what looks like explanations of some policies. I can see/use the GPOs after I clicked OK 2 trilions times. Is there a way to get around t Read this KB: http://support.microsoft.com/kb/842933 -- Tomasz Onyszko - [EMAIL PROTECTED] http://www.w2k.pl List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] a bit offtopic, but ...
Hi, Does some know if there is an impact on DCs, GPOs, DNS and AD if I change the net mask? (just the net mask, not the ip) I have to change the net mask on an entire network to allow more IPs to be allocated. I actually did some tests in a test lab and I got no problems but I wanted to get inputs from you guys. Is there any knows watch-outs? Thanks! M.Bruyere Network/systems administrator CompTIA A+, Network+ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] User export/import
Hi, I would like to know what would be the best way to export and reimport users and group from a DC to another. The source DC is the one that is in our LAN and the second one is in a test lab. They both must have the same accounts and groups but, they are not connected in any way and the configuration differ from one to the other (ip range is not the same). IIRC I saw a VBS script that could export users and groups in a file then allow the reimport process... but this is a long time ago, so I may not recall correctly. So what you guys would do to achieve this goal? BTW, I tried to backup the system state and restore it to the other DC, but the DC froze after the reboot... I don't know if this could be caused because of the configuration diff. Thanks! M.Bruyere List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User export/import
Hi, Thanks for the information... that's exactly the type of tool I was looking for... I didn't know that MS had such a tool. Many thanks! M.Bruyere -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de [EMAIL PROTECTED] Envoyé : Tuesday, November 02, 2004 8:25 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] User export/import I believe LDIFDE will allow you to achieve this. http://support.microsoft.com/kb/q237677/ Its available on the Windows 200x Server CD Iain List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] program to crate reports...
Hi, I'M actually searching for a program that could create reports based on the structure of our AD. There are some nested groups and I would like to get the global view of my AD using some kind of reports. The preferred output would be to have something like arborescence, where I could see the groups and the users memberships. Anyone know a good tool to create such report? I'm looking for already made scripts/softwares that are cheap, if possible. Thanks! M. Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Desktop folder
My first thought would be something like roaming profile... You create the shortcut on the desktop and it will follow the user on any computer he logs on. I'm not sure that I really understood what you really wanted to achieve tough. M. Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Jacob Stabl Envoyé : Tuesday, September 07, 2004 3:49 PM À : [EMAIL PROTECTED] Objet : [ActiveDir] Desktop folder I have a network folder created for staff members that is called Backup I want to have this folder mounted as a folder on the desktop of the computer they logon to. Staff members use multiple computers, not always the same one. How/Where do I create a GP to place a folder on the desktop that is redirected to that network share? -- Jacob Stabl Network Engineer Plain Local Schools http://plainlocal.org Work: 330.492.3500 x.383 Cell: 330.704.1278 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] printing GPO listing
Hi, I've been asked to print, for documentation purpose, the list of all GPO's and their settings. I did a search to find something on the MS site but all that I found was a XLS file listing the GPO's from w2k3 (we are still on w2k). You guys have any 3rd parties of idea on how I can achieve this? Thanks! BTW, it's my first post here, I've been reading the list for awhile though and I must say that you guys rock! I learned many things just by reading this list. Keep up the good work guys!! M.Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] printing GPO listing
Hi, Thank you guys, I'll look forward to GPMC. M.Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Rick Kingslan Envoyé : Tuesday, August 31, 2004 8:51 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] printing GPO listing Look into the Group Policy Management Console. It will allow you to do a verbose listing of each GPO and the settings within. This display can then be printed, saved as an HTNL file for use on a common site, etc. Get it at the Microsoft download section: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35- 9272-dd3cbfc81887DisplayLang=en Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Windows Security (Affiliate) Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, August 31, 2004 7:34 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] printing GPO listing Hi, I've been asked to print, for documentation purpose, the list of all GPO's and their settings. I did a search to find something on the MS site but all that I found was a XLS file listing the GPO's from w2k3 (we are still on w2k). You guys have any 3rd parties of idea on how I can achieve this? Thanks! BTW, it's my first post here, I've been reading the list for awhile though and I must say that you guys rock! I learned many things just by reading this list. Keep up the good work guys!! M.Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] printing GPO listing
Hi, It's me again ;) I can't find what you're talking about when you talk about a verbose listing. I actually have half of the job done, I still need to find a way to print the entire list of GPOs, even those that were not modified/set. GPMC can't seem to do that, actually the best I could get is the listing and params of the defined and applied GPOs. Sorry to bother you again guys ;) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Rick Kingslan Envoyé : Tuesday, August 31, 2004 8:51 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] printing GPO listing Look into the Group Policy Management Console. It will allow you to do a verbose listing of each GPO and the settings within. This display can then be printed, saved as an HTNL file for use on a common site, etc. Get it at the Microsoft download section: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35- 9272-dd3cbfc81887DisplayLang=en Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Windows Security (Affiliate) Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, August 31, 2004 7:34 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] printing GPO listing Hi, I've been asked to print, for documentation purpose, the list of all GPO's and their settings. I did a search to find something on the MS site but all that I found was a XLS file listing the GPO's from w2k3 (we are still on w2k). You guys have any 3rd parties of idea on how I can achieve this? Thanks! BTW, it's my first post here, I've been reading the list for awhile though and I must say that you guys rock! I learned many things just by reading this list. Keep up the good work guys!! M.Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] printing GPO listing
Hi, I did that and I got the information about the GPOs, but it list only the GPO items that are already defined/applied. I would like to have the entire list of available GPO items. As I've been told a bit earlier, there is nothing to print ALL the GPO settings (defined or not) ;/ What a messy task... Thanks! -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Coleman, Hunter Envoyé : Tuesday, August 31, 2004 11:50 AM À : '[EMAIL PROTECTED]' Objet : RE: [ActiveDir] printing GPO listing In the GPMC, go down to Forest-Domains-domain-Group Policy Objects That will show all of the Group Policy Objects that exist in your domain, whether they are linked/enabled or not. If you have any Site-defined GPOs, they will be under Forest-Sites Hunter -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 31, 2004 8:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] printing GPO listing Hi, It's me again ;) I can't find what you're talking about when you talk about a verbose listing. I actually have half of the job done, I still need to find a way to print the entire list of GPOs, even those that were not modified/set. GPMC can't seem to do that, actually the best I could get is the listing and params of the defined and applied GPOs. Sorry to bother you again guys ;) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Rick Kingslan Envoyé : Tuesday, August 31, 2004 8:51 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] printing GPO listing Look into the Group Policy Management Console. It will allow you to do a verbose listing of each GPO and the settings within. This display can then be printed, saved as an HTNL file for use on a common site, etc. Get it at the Microsoft download section: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35- 9272-dd3cbfc81887DisplayLang=en Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Windows Security (Affiliate) Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, August 31, 2004 7:34 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] printing GPO listing Hi, I've been asked to print, for documentation purpose, the list of all GPO's and their settings. I did a search to find something on the MS site but all that I found was a XLS file listing the GPO's from w2k3 (we are still on w2k). You guys have any 3rd parties of idea on how I can achieve this? Thanks! BTW, it's my first post here, I've been reading the list for awhile though and I must say that you guys rock! I learned many things just by reading this list. Keep up the good work guys!! M.Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] printing GPO listing
Hi, Thanks to all of you that sent me spreadsheets and link to them. I'll be able to build some doc with all that information! Thanks for your time guys! M.Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Coleman, Hunter Envoyé : Tuesday, August 31, 2004 12:21 PM À : '[EMAIL PROTECTED]' Objet : RE: [ActiveDir] printing GPO listing Have a look at this: http://www.microsoft.com/downloads/details.aspx?FamilyID=ef3a35c0-19b9-4acc- b5be-9b7dab13108edisplaylang=en (watch the URL wrapping) -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 31, 2004 10:05 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] printing GPO listing Hi, I did that and I got the information about the GPOs, but it list only the GPO items that are already defined/applied. I would like to have the entire list of available GPO items. As I've been told a bit earlier, there is nothing to print ALL the GPO settings (defined or not) ;/ What a messy task... Thanks! -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Coleman, Hunter Envoyé : Tuesday, August 31, 2004 11:50 AM À : '[EMAIL PROTECTED]' Objet : RE: [ActiveDir] printing GPO listing In the GPMC, go down to Forest-Domains-domain-Group Policy Objects That will show all of the Group Policy Objects that exist in your domain, whether they are linked/enabled or not. If you have any Site-defined GPOs, they will be under Forest-Sites Hunter -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 31, 2004 8:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] printing GPO listing Hi, It's me again ;) I can't find what you're talking about when you talk about a verbose listing. I actually have half of the job done, I still need to find a way to print the entire list of GPOs, even those that were not modified/set. GPMC can't seem to do that, actually the best I could get is the listing and params of the defined and applied GPOs. Sorry to bother you again guys ;) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Rick Kingslan Envoyé : Tuesday, August 31, 2004 8:51 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] printing GPO listing Look into the Group Policy Management Console. It will allow you to do a verbose listing of each GPO and the settings within. This display can then be printed, saved as an HTNL file for use on a common site, etc. Get it at the Microsoft download section: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35- 9272-dd3cbfc81887DisplayLang=en Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Windows Security (Affiliate) Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, August 31, 2004 7:34 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] printing GPO listing Hi, I've been asked to print, for documentation purpose, the list of all GPO's and their settings. I did a search to find something on the MS site but all that I found was a XLS file listing the GPO's from w2k3 (we are still on w2k). You guys have any 3rd parties of idea on how I can achieve this? Thanks! BTW, it's my first post here, I've been reading the list for awhile though and I must say that you guys rock! I learned many things just by reading this list. Keep up the good work guys!! M.Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List
RE: [ActiveDir] strange thing...
Hi, I did recheck that and the result is that the group is listed in there, and under the local policy setting there is no check in the box but there is one under the effective policy setting column So the problem should be elsewhere. Thanks Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Passo, Larry Envoyé : Wednesday, June 09, 2004 2:50 PM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] strange thing... Go to one of your DCs, then run: Start...Programs...Administrative Tools...Local Security Policies Then under: Local Policies...User Rights Assigments What is the value for the Add workstations to domain user right? If the technician group is missing, then another GPO is overriding that setting. -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 09, 2004 11:19 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] strange thing... Hi, This user right has been set into the Default Domain Controller policy. I simply added the group technician in there. There was already administrators and domain admins in there. Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Passo, Larry Envoyé : Wednesday, June 09, 2004 11:04 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] strange thing... Do you have a GPO that is specifying that specific user right? You can check with GPRESULT.EXE -Original Message- From: Rutherford, Robert [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 09, 2004 7:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] strange thing... Just clarifying It appears that you are saying ... when you first designate the rights that members of the technician group can add wks to the domain and the next day they cannot? Are the rights still set on the next day as you defined them on the first day? Or are the reverting back? -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: 09 June 2004 15:37 To: [EMAIL PROTECTED] Subject: [ActiveDir] strange thing... Hi all, It's my first post here. I've been referred here and been told that you guys were the real gurus of AD. I have a strange thing happening and I would like to have your thoughts about it. Here is the situation, I created a group called technicians and I gave the user right add station to the domain to it. I then added the technician group to the computers OU and set the following: List contents Read all properties Read permissions Create computer objects Delete computer objects The problem is that when I set these, everything works fine. But the next day when a tech (member of the technician group) tries to join a computer to the domain he has an access denied. To fix the issue temporarily, I gave the group the perms (create all childs object and delete all childs object). I tried to remove the inheritance of the perms on this ou but it didn't help. I can't see why this is happening. Thanks Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm
[ActiveDir] strange thing...
Hi all, It's my first post here. I've been referred here and been told that you guys were the real gurus of AD. I have a strange thing happening and I would like to have your thoughts about it. Here is the situation, I created a group called technicians and I gave the user right add station to the domain to it. I then added the technician group to the computers OU and set the following: List contents Read all properties Read permissions Create computer objects Delete computer objects The problem is that when I set these, everything works fine. But the next day when a tech (member of the technician group) tries to join a computer to the domain he has an access denied. To fix the issue temporarily, I gave the group the perms (create all childs object and delete all childs object). I tried to remove the inheritance of the perms on this ou but it didn't help. I can't see why this is happening. Thanks Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] strange thing...
Hi, In fact what happen is that it create 2 distinct items under the advanced button. It's like the perms being cut into 2 categories. I have the first object (the technician group) which has List contents Read all properties Read permissions And a second one lower at the bottom of the list where there are Create computer objects Delete computer objects I tried to put the Create computer objects and Delete computer objects on the first one and delete the second, but I revert to the same setting. It's removing the computer objects from the first in the list to recreate a second in the list. I don't know if this can help you but if you prefer I can send you PrinScreens off list Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Rutherford, Robert Envoyé : Wednesday, June 09, 2004 10:55 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] strange thing... Just clarifying It appears that you are saying ... when you first designate the rights that members of the technician group can add wks to the domain and the next day they cannot? Are the rights still set on the next day as you defined them on the first day? Or are the reverting back? -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: 09 June 2004 15:37 To: [EMAIL PROTECTED] Subject: [ActiveDir] strange thing... Hi all, It's my first post here. I've been referred here and been told that you guys were the real gurus of AD. I have a strange thing happening and I would like to have your thoughts about it. Here is the situation, I created a group called technicians and I gave the user right add station to the domain to it. I then added the technician group to the computers OU and set the following: List contents Read all properties Read permissions Create computer objects Delete computer objects The problem is that when I set these, everything works fine. But the next day when a tech (member of the technician group) tries to join a computer to the domain he has an access denied. To fix the issue temporarily, I gave the group the perms (create all childs object and delete all childs object). I tried to remove the inheritance of the perms on this ou but it didn't help. I can't see why this is happening. Thanks Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] strange thing...
Hi, This user right has been set into the Default Domain Controller policy. I simply added the group technician in there. There was already administrators and domain admins in there. Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Passo, Larry Envoyé : Wednesday, June 09, 2004 11:04 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] strange thing... Do you have a GPO that is specifying that specific user right? You can check with GPRESULT.EXE -Original Message- From: Rutherford, Robert [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 09, 2004 7:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] strange thing... Just clarifying It appears that you are saying ... when you first designate the rights that members of the technician group can add wks to the domain and the next day they cannot? Are the rights still set on the next day as you defined them on the first day? Or are the reverting back? -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: 09 June 2004 15:37 To: [EMAIL PROTECTED] Subject: [ActiveDir] strange thing... Hi all, It's my first post here. I've been referred here and been told that you guys were the real gurus of AD. I have a strange thing happening and I would like to have your thoughts about it. Here is the situation, I created a group called technicians and I gave the user right add station to the domain to it. I then added the technician group to the computers OU and set the following: List contents Read all properties Read permissions Create computer objects Delete computer objects The problem is that when I set these, everything works fine. But the next day when a tech (member of the technician group) tries to join a computer to the domain he has an access denied. To fix the issue temporarily, I gave the group the perms (create all childs object and delete all childs object). I tried to remove the inheritance of the perms on this ou but it didn't help. I can't see why this is happening. Thanks Michel Bruyere Network/systems administrator CompTIA A+, Network+ The quickest way to find something is to start looking for something else. :-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
