[ActiveDir] Best practice GPO's
Hello, What is the best practice for applying policy in AD? Currently we create a GPO for every separate policy we want to apply (WSUS, DNS search order, LCS and so on) and we place all these policies in a created OU called GPOs and link that to different OUs as needed. My question is, are we better off to stay with this method or should we limit the number of GPOs and combine policies into one GPO? For example, should we take the policy settings from WSUS, DNS and LCS and put them into one (1) GPO instead of the three (3) separate policies that are currently being applied? It seems easier to manage them when they are separated by function. I am curious if I am missing something that will cause issues down the road, as the number of policies will most likely increase significantly in the future as we try to rein in the desktops and the users. Thank you in advance for all responses. Dan
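An added example (not from the original post) for auditing the "one GPO per function, linked wherever needed" model the question describes: it reports how many GPOs an object in each container would actually process, and how many containers each GPO is linked to. It assumes the ActiveDirectory and GroupPolicy RSAT modules; the warning threshold is an assumption.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Domain root plus every OU: the places a GPO can be linked inside the domain (sites are not covered)
function Get-LinkTargets {
    @((Get-ADDomain).DistinguishedName) + @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
}

function Get-OuGpoLoad {
    param([int]$WarnAbove = 10)   # assumed threshold; more effective GPOs means slower, harder-to-debug processing
    foreach ($dn in Get-LinkTargets) {
        $inh = Get-GPInheritance -Target $dn
        # InheritedGpoLinks is the full precedence-ordered set: direct links plus inherited ones
        $effective = @($inh.InheritedGpoLinks | Where-Object { $_.Enabled })
        [pscustomobject]@{
            Target        = $dn
            DirectLinks   = @($inh.GpoLinks).Count
            EffectiveGpos = $effective.Count
            Blocked       = $inh.GpoInheritanceBlocked
            TooMany       = $effective.Count -gt $WarnAbove
            GpoNames      = ($effective | ForEach-Object { $_.DisplayName }) -join '; '
        }
    }
}

function Get-GpoLinkCount {
    # One row per GPO with every container that links it; 0 links = orphan worth reviewing
    $links = @{}
    foreach ($dn in Get-LinkTargets) {
        foreach ($l in (Get-GPInheritance -Target $dn).GpoLinks) {
            $id = $l.GpoId.ToString()
            if (-not $links.ContainsKey($id)) { $links[$id] = @() }
            $links[$id] += $dn
        }
    }
    foreach ($gpo in Get-GPO -All) {
        $id = $gpo.Id.ToString()
        $where = if ($links.ContainsKey($id)) { $links[$id] } else { @() }
        [pscustomobject]@{
            Name      = $gpo.DisplayName
            LinkCount = @($where).Count
            LinkedTo  = (@($where) -join '; ')
        }
    }
}

Get-OuGpoLoad | Where-Object { $_.TooMany } | Format-Table Target, EffectiveGpos, Blocked -AutoSize
Get-GpoLinkCount | Sort-Object LinkCount -Descending | Format-Table -AutoSize
```

Run it from a machine with RSAT; the first table shows containers that process many GPOs, the second shows which functional GPOs are reused across OUs and which are linked nowhere.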
[ActiveDir] Disabled Accounts/Mail accepted
Hello, A few years back we had changed the way we disabled AD user accounts from disabling the account to restricting logon hours (restricted 24x7) and hiding from the GAL. We did this because mail sent to disabled accounts was getting rejected and the sender was getting an NDR. Also, management would come back to us a week later and want the ex-employee's email correspondence after they left the company. At that time we were a 2000 SP2 domain with Exchange 2000; currently we are a 2003 SP1 domain with Exchange 2003. Presently, we have become aware that mail sent to accounts with the disabled box checked arrives in the mailbox. My question is, did this behavior change when you upgrade to 2003 AD/Exchange 2003 or at some service pack level? Were we wrong in our original assumption that email would not flow to disabled accounts a few years back? The following MSFT article seems to support my assumption that disabled accounts will generate an NDR unless modified. http://support.microsoft.com/default.aspx?scid=kb;EN-US;319047 Any thoughts on this, thank you in advance. Dan
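An added example (not from the original post) that inventories which of the two retirement methods described above each account is using, so the disabled-flag mailboxes whose delivery behavior is in question can be listed next to the logon-hours-restricted ones. It assumes the ActiveDirectory RSAT module and an Exchange-extended schema (for msExchHideFromAddressLists); the search base is a placeholder.

```powershell
Import-Module ActiveDirectory

$searchBase = 'OU=Users,DC=example,DC=com'   # placeholder, point at the container you care about

# logonHours is a 21-byte bitmap, one bit per hour of the week; all bits clear = never allowed on
function Test-LogonHoursDenied {
    param([byte[]]$LogonHours)
    if ($null -eq $LogonHours -or $LogonHours.Count -eq 0) { return $false }  # unset = no restriction
    foreach ($b in $LogonHours) { if ($b -ne 0) { return $false } }
    return $true
}

function Get-RetiredAccountReport {
    param([string]$SearchBase = $searchBase)
    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties logonHours, msExchHideFromAddressLists, mail, whenChanged
    foreach ($u in $users) {
        $hoursDenied = Test-LogonHoursDenied -LogonHours $u.logonHours
        if (-not $u.Enabled)  { $method = 'Disabled flag' }      # the case the post asks about
        elseif ($hoursDenied) { $method = 'Logon hours 24x7' }   # the method adopted a few years back
        else                  { continue }                       # still in service, not reported
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            Method         = $method
            HiddenFromGAL  = [bool]$u.msExchHideFromAddressLists
            LastChanged    = $u.whenChanged
        }
    }
}

Get-RetiredAccountReport | Sort-Object Method, SamAccountName | Format-Table -AutoSize
```

Accounts that show Method = "Logon hours 24x7" with HiddenFromGAL = False have only half of the old procedure applied and still appear in the address book.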
RE: [ActiveDir] DC authentication
Set l will return your logon server.

Dan Cariglia
Systems Analyst
Concerto Software, Inc.
6 Technology Park Drive
Westford, MA 01886
(978)952-0618 Ext. 20618
email: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Wednesday, August 31, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC authentication

Sorry, I'm having a brain hiccup. Does anyone know the command line utility that tells you which DC authenticates you?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216
617-748-6034
617-293-4407
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Problem with SUS Group Policy
Try turning the time up from 1 minute to at least 5 minutes, not sure if this is your problem but I have read of this being an issue with regard to scheduling the installs.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, February 11, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem with SUS Group Policy

I have the following configured in my group policy:

Policy                                                          Setting
Configure Automatic Updates                                     Enabled
  Configure automatic updating: 4 - Auto download and schedule the install
  The following settings are only required and applicable if 4 is selected.
  Scheduled install day: 0 - Every day
  Scheduled install time: 20:00

Policy                                                          Setting
No auto-restart for scheduled Automatic Updates installations   Disabled
Reschedule Automatic Updates scheduled installations            Enabled
  Wait after system startup (minutes): 1

Works fine but instead of getting updates as soon as they login (reschedule automatic updates), they get them later in the day. I am not sure what is causing this issue and my boss isn't happy right now because of it (we make people auto reboot because normally they wouldn't.) Can anyone shed some light on this for me? Thanks!

Kind Regards,
Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA 18915

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
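An added example (not from the thread) that reads the Automatic Updates policy actually in effect on a client and flags the reschedule wait that the reply above suggests raising. It assumes the registry values the WSUS/SUS administrative template writes under the AU policy key; the 5-minute minimum is taken from the reply.

```powershell
# Registry location the "Windows Update" ADM template writes its client settings to
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdatePolicy {
    param([string]$Path = $auKey)
    if (-not (Test-Path $Path)) { return $null }   # no AU policy has been applied to this machine
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        AUOptions                     = $p.AUOptions                      # 4 = auto download and schedule the install
        ScheduledInstallDay           = $p.ScheduledInstallDay            # 0 = every day, 1..7 = Sunday..Saturday
        ScheduledInstallTime          = $p.ScheduledInstallTime           # hour of day, 0..23
        NoAutoRebootWithLoggedOnUsers = $p.NoAutoRebootWithLoggedOnUsers  # 0 = forced restart allowed
        RescheduleWaitTimeEnabled     = $p.RescheduleWaitTimeEnabled      # 1 = reschedule missed installs after boot
        RescheduleWaitTime            = $p.RescheduleWaitTime             # minutes to wait after startup
    }
}

function Test-AutoUpdatePolicy {
    param($Policy, [int]$MinRescheduleMinutes = 5)   # 5 minutes is the value suggested in the reply
    if ($null -eq $Policy) { return @('No Automatic Updates policy present in the registry') }
    $findings = @()
    if ($Policy.AUOptions -ne 4) {
        $findings += "AUOptions is $($Policy.AUOptions); scheduled installs require option 4"
    }
    if ($Policy.RescheduleWaitTimeEnabled -eq 1 -and $Policy.RescheduleWaitTime -lt $MinRescheduleMinutes) {
        $findings += "RescheduleWaitTime is $($Policy.RescheduleWaitTime) min; consider at least $MinRescheduleMinutes"
    }
    if ($Policy.NoAutoRebootWithLoggedOnUsers -eq 0) {
        $findings += 'Forced restart with logged-on users is allowed (No auto-restart policy is Disabled)'
    }
    return $findings
}

$policy = Get-AutoUpdatePolicy
$policy | Format-List
Test-AutoUpdatePolicy -Policy $policy | ForEach-Object { Write-Output "CHECK: $_" }
```

Values missing from the key show as blank in the listing; compare the output against the settings pasted in the original message to confirm the GPO really reached the client.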
[ActiveDir] Problem with DL owners not able to modify lists
Hello, Having a rather odd problem with distribution lists, some owners can modify the lists while others cannot. It does not seem dependent upon which GC their Outlook client uses. Nothing has changed in the domain or forest recently and everything was working fine until about a week ago when some owners started reporting the problem. They are shown as the owner in the Global Address List as well as in ADUC with the manager can update membership box checked. They get an error that states changes could not be saved, you do not have sufficient permissions to perform an operation on this object. I have compared permissions of managers of lists who are experiencing the problem and those who are not having issues and they are identical. Any ideas would be appreciated. Dan
[ActiveDir] group structure -universal groups
Hello, I have a question regarding group structure and administration of such. We run a multi-domain AD environment with basically an empty root domain and 2 child domains where the users live. If we structure groups the way it is recommended (accounts into Global groups, which are then placed into Universal groups, which are then placed into Domain Local groups in the domain where the resource lives, with permissions applied using the Domain Local group), the problem is that we prefer our distribution lists (universal groups) to be managed/administered by the users/owner of the list. All distribution lists are composed of individual users presently (came from an NT 4 domain) and if we follow the recommended group practices we will nest the Global group(s) from both domains inside the Universal groups and remove the individual users presently in them; effectively they will have the same members, but when the owners try to modify the members through their Outlook client they will only see the Global group(s) and not the members of the group who will receive the messages sent to the distribution list. Is there a better way to administer permissions in a multi domain Active Directory environment, or do we set every owner of a distribution list up with rights and a tool to manage the global groups, effectively adding these users to the Universal groups by nesting the global groups? Any feedback is appreciated, thank you.
[ActiveDir] Microsoft Patch
I am in the process of looking at alternatives to distribute/manage Microsoft patches. We have SUS running in a lab setup and it seems alright. My question is are there superior products out there that someone has used and can recommend that work well with AD? Running AD with an empty root and 2 child domains where the users reside, users are either Windows 2000 Pro or XP Pro. Any suggestions would be appreciated. Thank You, Dan
[ActiveDir] DNS replication question
Hello, I have been lurking on this list for about 6 months now and have a question regarding DNS and replication. I have just got my AD up and running with one child domain. The problem is when a PC registers with DNS on the root it never replicates down to the child DNS. It picks up a DHCP address from a NON-AD server but the DNS entry on the PC is manually set for DNS on the root server. The registration shows up on the root DNS server. I have not been able to find a clear way to have DNS replicate from the root to child or vice versa from Microsoft. Any assistance would be greatly appreciated, as I am still a bit green with AD. Thank you in advance. Dan Cariglia
RE: [ActiveDir] DNS replication question
Thanks Rick, that did the trick. Great list everyone, thanks for your help.

Dan

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 10, 2003 4:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS replication question

Daniel,

Wrong assumption. DNS information, like all domain information, is not replicated to other domains. If you are using AD-Integrated DNS, the information will not replicate unless you set up Secondary zones in the other domain and then configure the transfer properties appropriately on each side of the transfer.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On Behalf Of Cariglia, Daniel
Sent: Monday, March 10, 2003 3:30 PM
To: '[EMAIL PROTECTED]'

We are running integrated zones. We have tried registering with both the child and the root DNS servers at different times, replicated, and the result is the same (no record in the other DNS server). Am I correct in assuming this information should be replicated without setting up the zone transfer properties due to it being integrated?

Thanks
Dan

-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]
Sent: Monday, March 10, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS replication question

Are you running AD integrated zones or standard? If you are running standard you would set up a secondary zone in the child domain that pulls from the Primary in the root domain. If you go into the properties of the zone on each server you can set the zone transfer properties. Put in the names and that should take care of it.

Cariglia, Daniel [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/10/2003 12:08 PM
Please respond to [EMAIL PROTECTED]
To: 'ActiveDir (E-mail)' [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] DNS replication question

Hello, I have been lurking on this list for about 6 months now and have a question regarding DNS and replication. I have just got my AD up and running with one child domain. The problem is when a PC registers with DNS on the root it never replicates down to the child DNS. It picks up a DHCP address from a NON-AD server but the DNS entry on the PC is manually set for DNS on the root server. The registration shows up on the root DNS server. I have not been able to find a clear way to have DNS replicate from the root to child or vice versa from Microsoft. Any assistance would be greatly appreciated. Thank you in advance. Dan Cariglia
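An added example (not from the thread) of the secondary-zone setup Rick and John describe, done in both directions: the primary is told which single server may pull the zone, and that server gets a secondary copy. It uses the DnsServer PowerShell module, which is newer than the 2003 thread (dnscmd was the tool of the day); zone names, host names and addresses are placeholders.

```powershell
Import-Module DnsServer

function Publish-ZoneToOtherDomain {
    # Lets $SecondaryIp transfer $Zone from its primary, then creates the secondary zone on
    # $SecondaryHost and pulls a full copy. Host names are used for remoting, IPs for DNS config.
    param(
        [string]$Zone,
        [string]$PrimaryHost,   [ipaddress]$PrimaryIp,
        [string]$SecondaryHost, [ipaddress]$SecondaryIp
    )
    Invoke-Command -ComputerName $PrimaryHost -ScriptBlock {
        param($zone, $secondary)
        # AD-integrated primaries transfer to no one by default, which is why nothing "replicated";
        # restrict transfers to the one named server rather than opening them to any host
        Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $secondary -Notify NotifyServers -NotifyServers $secondary
    } -ArgumentList $Zone, $SecondaryIp

    Invoke-Command -ComputerName $SecondaryHost -ScriptBlock {
        param($zone, $master)
        if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
            Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $master
        }
        Start-DnsServerZoneTransfer -Name $zone -FullTransfer   # pull now instead of waiting for the refresh timer
    } -ArgumentList $Zone, $PrimaryIp
}

# Placeholders: root zone served by dc1 in the root domain, child zone served by dc1 in the child domain
$rootZone  = 'corp.example.com';       $rootHost  = 'dc1.corp.example.com';       $rootIp  = '10.0.0.10'
$childZone = 'child.corp.example.com'; $childHost = 'dc1.child.corp.example.com'; $childIp = '10.0.1.10'

# Root zone -> copy on the child DNS server (what the original question needed)
Publish-ZoneToOtherDomain -Zone $rootZone  -PrimaryHost $rootHost  -PrimaryIp $rootIp `
                          -SecondaryHost $childHost -SecondaryIp $childIp
# Child zone -> copy on the root DNS server, so lookups work both ways
Publish-ZoneToOtherDomain -Zone $childZone -PrimaryHost $childHost -PrimaryIp $childIp `
                          -SecondaryHost $rootHost  -SecondaryIp $rootIp
```

The copies are standard (file-backed) secondary zones, so records arrive only on transfer; on Windows Server 2003 and later DNS the alternative is to store the zone in the forest-wide application partition, which replicates it to every DNS server in the forest without any transfer configuration.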