[ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Chandra Burra
Hi,

Wanted to know if anyone has tried this, or whether this works: having a 3rd party DNS with a sub-zone or child zone created for AD, and that zone delegated to Windows DDNS. Now if the clients are pointing to the 3rd party DNS as primary DNS, will these clients still be able to register with the dynamic Windows DNS?

Regards,
Chandra Burra


[ActiveDir] AD DNS in Windows delegation to Novell DNS

2006-01-18 Thread Chandra Burra
Hi Team,
 
Wanted to know what the pros and cons are of delegating the DNS zone created in Windows DNS for 2003 AD to Novell DNS, as the client wants to use Novell as the primary.
 
Regards,
Chandra Burra


RE: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Chandra Burra

You are the savior Deji!!   

I didn't know that cusrmgr.exe can be used for adding a user...I knew it as
only used for password reset...


But one last question...does the cusrmgr need to be local to all servers or
can I call it from my laptop??

Regards,
Chandra
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 11, 2006 7:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT and AD Permissions


Me, I just add the appropriate group/user (from the target) to the local
administrators' group of every computer (in the source) by script.
 
on the PDC:
net view /Domain:NT4Domain >c:\computer-list.txt
 
then, in a batch file:

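@echo off
rem For each computer in the list, remember its name and run the :DoIt step
FOR /F %%i IN (computer-list.txt) DO echo Working on %%i...& set v1=%%i& call :DoIt
rem Stop here so the script does not fall through into :DoIt one extra time
goto :eof

:DoIt
rem Add the target-domain user or group to the local Administrators group
cusrmgr -m %v1% -alg administrators add user -u 2K3Domain\User-or-Group-Name
goto :eof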

 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Wed 1/11/2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT and AD Permissions


migrating the account with SIDhistory won't help you here => it's not the
user (and his respective NT4 SID) that is added to the local admin group on
all member servers and clients by default - it's the SID of the NT4 Domain
Admins group itself. When migrating the user with SIDhistory, you're not
adding the SID of this group to the user.

One option (which I certainly don't like - just trying to explain for you) is
to merge the Domain Admins group from the NT4 Domain into the Domain Admins
group of AD incl. SID history.  But I'm not a friend of doing this - I much
prefer to add an appropriate AD group to the respective servers' local admin
group (and clients if required). This must not necessarily be the AD Domain
Admins group => it's your chance to get some structure in the permission
model on your servers...!  The domain admin will be added anyways, once you
migrate the machines across to AD.

But if everything has to be done quickly (as is often the case), you can also
use ADMT to add the Domain Admins to all your servers for you: to do so,
create an appropriate SID mapping file containing just the NT4 Domain Admins
group + SID and AD Domain Admins group + SID and choose to perform a security
translation in ADD mode on all your servers in the source domain. This will
add the AD Domain Admins to the local admin group on the target machines and
give them the same permissions on files/shares/registry etc.  (if there are
any specific ones set for the NT4 domain admins group).
 
/Guido

____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Mittwoch, 11. Januar 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NT and AD Permissions


Jorge and Glen,
 
Thanks for the quick update...
 
I will brief here the steps I have taken...

1. This is a domain admin account which has been in use for the last 2 years in NT

2. I have migrated this using the Bindview BV Admin with SID

3. I have taken the option to cancel the migration if the SID fails...so,
the SID is in the new domain

4. Added this account to the Domain admin group manually as we won't move the
group from NT

5. The account in the source domain is still active.


Still no luck...not sure if this is the only tricky thing...I have
another account which I can test...do you want me to do something
different??
 
Regards
Chandra

 
On 1/11/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]>
wrote: 

yes... that is a solution (don't forget to clean it when not needed
anymore!). however, when using ADMT it will not be possible to migrate domain
admins with sid history. ADMT will prevent that
As most of the times the domain admins group of an NT4 domain is
populated with all kinds of accounts, do not migrate the membership of the
domain admins group in the source to the target

Jorge

 

From: [EMAIL PROTECTED] on behalf of Sitton Glen E
Sent: Wed 2006-01-11 20:33
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] NT and AD Permissions


Hi Chandra,

When you migrated the NT4 domain-admin account to your AD domain, did
you keep "sidHistory"?  If the new AD domain-admin account has the sidHistory
of the old NT4 domain-admin account, it should have no trouble exercising
'domain-admin' rights in the NT4 domain.  It will, in effect, be masquerading
as the NT4 domain-admin.

Look at the security token 

Re: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Chandra Burra
Jorge and Glen,
 
Thanks for the quick update...
 
I will brief here the steps I have taken...

1. This is a domain admin account which has been in use for the last 2 years in NT

2. I have migrated this using the Bindview BV Admin with SID

3. I have taken the option to cancel the migration if the SID fails...so, the SID is in the new domain

4. Added this account to the Domain admin group manually as we won't move the group from NT

5. The account in the source domain is still active.


Still no luck...not sure if this is the only tricky thing...I have another account which I can test...do you want me to do something different??
 
Regards
Chandra 
On 1/11/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

yes... that is a solution (don't forget to clean it when not needed anymore!). however, when using ADMT it will not be possible to migrate domain admins with sid history. ADMT will prevent that
As most of the times the domain admins group of an NT4 domain is populated with all kinds of accounts, do not migrate the membership of the domain admins group in the source to the target

Jorge

From: [EMAIL PROTECTED] on behalf of Sitton Glen E
Sent: Wed 2006-01-11 20:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT and AD Permissions

Hi Chandra,

When you migrated the NT4 domain-admin account to your AD domain, did you keep "sidHistory"?  If the new AD domain-admin account has the sidHistory of the old NT4 domain-admin account, it should have no trouble exercising 'domain-admin' rights in the NT4 domain.  It will, in effect, be masquerading as the NT4 domain-admin.

Look at the security token of your AD domain-admin account and see if the SID of the old NT4 domain-admin account is in there.  If not, that's your problem.  You need to migrate with sidHistory.

- G

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chandra Burra
Sent: Wednesday, January 11, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NT and AD Permissions

yes it is...and it was also domain admin in old NT domain.

On 1/11/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

   is that account member of the Domain Admins in AD?

   jorge

   From: [EMAIL PROTECTED] on behalf of Chandra Burra
   Sent: Wed 2006-01-11 18:41
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] NT and AD Permissions

   Hi,

   we have a NT domain and a new 2003 AD domain. Migrated a domain admin account, but after migration, that account can not connect to admin shares like C$ or D$.. is there any quick fix..

   I have the Domain Admins group on AD as a member of Local Administrators group on the NT Domain...is there something i am missing??

   Thanks in advance...

   Regards,
   Chandra

   This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Chandra Burra
This is on a member server, I am able to access the D$ and C$ on the NT PDC and BDC...but on a member server

putting these accounts on all member servers??? this would be difficult...as we have some 2000 servers on NT domain??? and we do not have GP to do restrictive group
 
Regards,
Chandra
 
On 1/11/06, Tom Kern <[EMAIL PROTECTED]> wrote:

Don't you have to put the Domain Admin group from AD into every local Admin group on every pc where you want to access those shares?
 
Just putting the AD Domain Admins into the local Admin group on your NT DC's won't do it (except give you access to those admin shares on the DC's).
 
Am I reading you correctly?
 
Thanks 

On 1/11/06, Chandra Burra <[EMAIL PROTECTED]> wrote:
yes it is...and it was also domain admin in old NT domain.

On 1/11/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
is that account member of the Domain Admins in AD?

jorge

From: [EMAIL PROTECTED] on behalf of Chandra Burra
Sent: Wed 2006-01-11 18:41
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NT and AD Permissions

Hi,

we have a NT domain and a new 2003 AD domain. Migrated a domain admin account, but after migration, that account can not connect to admin shares like C$ or D$.. is there any quick fix..

I have the Domain Admins group on AD as a member of Local Administrators group on the NT Domain...is there something i am missing??

Thanks in advance...

Regards,
Chandra



Re: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Chandra Burra
yes it is...and it was also domain admin in old NT domain.

On 1/11/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
is that account member of the Domain Admins in AD?

jorge

From: [EMAIL PROTECTED] on behalf of Chandra Burra
Sent: Wed 2006-01-11 18:41
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NT and AD Permissions

Hi,

we have a NT domain and a new 2003 AD domain. Migrated a domain admin account, but after migration, that account can not connect to admin shares like C$ or D$.. is there any quick fix..

I have the Domain Admins group on AD as a member of Local Administrators group on the NT Domain...is there something i am missing??

Thanks in advance...

Regards,
Chandra



[ActiveDir] NT and AD Permissions

2006-01-11 Thread Chandra Burra
Hi,
 
we have a NT domain and a new 2003 AD domain. Migrated a domain admin account, but after migration, that account can not connect to admin shares like C$ or D$.. is there any quick fix..
 
I have the Domain Admins group on AD as a member of Local Administrators group on the NT Domain...is there something i am missing??
 
 
Thanks in advance...
 
 
Regards,
Chandra 


Re: [ActiveDir] NOVELL and WINDOWS 2003 AD

2005-06-01 Thread Chandra Burra
Apologies for the delay...i was away on vacation...Thanks a lot for
all your inputs..


Thanks and Regards,




On 5/23/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> Hi Chandra,
> 
> I am forwarding you the response from our Netware Consultant,
> 
> " I'm assuming that by 'Novell' we mean 'NetWare' as Novell has different O/S 
> platforms with different DNS servers.
> 
> The newer NetWare DNS in NetWare 6.5 will support AD: 
> http://support.novell.com/cgi-bin/search/searchtid.cgi?/10093063.htm
> 
> eDirectory TREE name does not need to be a DNS record as we have other 
> resolvers (SLP) in use for that lookup. "
> 
> Matthew Culver
> Sr. Network Engineer
> Novell Inc
> 
> 
> 
> -----Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chandra Burra
> Sent: Monday, May 23, 2005 7:47 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] NOVELL and WINDOWS 2003 AD
> 
> 
> All,
> 
> Quick one please...client wants to have the same domain name for the
> existing Novell directory and the new Windows 2003 AD...ex;
> xxx.com
> 
> Can this be done ...if yes, then what are the implications...and also
> they wanted to stay on the Novell DNS...
> 
> Thank you for inputs.
> 
> 
> Chandra


[ActiveDir] NOVELL and WINDOWS 2003 AD

2005-05-23 Thread Chandra Burra
All,

Quick one please...client wants to have the same domain name for the
existing Novell directory and the new Windows 2003 AD...ex;
xxx.com

Can this be done ...if yes, then what are the implications...and also
they wanted to stay on the Novell DNS...

Thank you for inputs.


Chandra


RE: [ActiveDir] Event ID 36872

2005-04-28 Thread Chandra Burra



I think that it might be a problem with the server certificate. When
applications use Secure Socket Layer connections and no valid certificate
is found, event 36872 is logged. Try manually enrolling a certificate or
generating a new one from the enterprise Certificate Authority.
 
Chandra

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lucia Washaya
  Sent: Thursday, April 28, 2005 8:11 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Event ID 36872

  Dear Colleagues,

  I am having a problem with my proxy server. It is a Windows 2000 Server
  running Msproxy 2.0. Users get access by authenticating with the AD on
  this machine. It has started giving the error:

  No suitable default server credential exists on this system. This will
  prevent server applications that expect to make use of the system default
  credentials from accepting SSL connections. An example of such an
  application is the directory server. Applications that manage their own
  credentials, such as the internet information server, are not affected by
  this.

  Does anyone know how to correct this? Ms Knowledge base says you can
  ignore it but my users are failing to access ssl sites so I cannot ignore
  it. Please help.

  Regards,
  Lucia Washaya
  Tel: 5497

  The cobra will bite whether you call it Cobra or Dear Mr. Cobra.


[ActiveDir] Remote.exe in Windows 2003

2005-04-19 Thread Chandra Burra
Hi,

Has anyone worked on Remote.exe of the Windows 2003 resource kit...any inputs
pls.


Regards,

RE: [ActiveDir] deny internet

2005-03-09 Thread Chandra Burra

2 easy and simple ways of doing it

 
1 --> create an OU with the users you do not want to have internet access -->
create a new GP with a proxy which does not exist. Also deny the permissions
for the users to change the settings of IE.

2 --> create a group and assign permissions to proxy server --> only the
team which is in the list will be getting access


Regards,
Chandra



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: 09 March 2005 10:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] deny internet 


The issue with that approach is that anyone can login to those PCs and
access the internet so if the point is to try and restrict internet
access to specific people this won't really cover that. You could put
workstation restrictions on the users but once you get past a certain
number of people (and it's not a very large number) this begins to be a
pain in the ass.

A proxy server is your best bet since it will also allow you to setup
caching which will likely improve your web performance. I'm interested
in seeing the IPSec setup too though.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan
(OFT)
Sent: Wednesday, March 09, 2005 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] deny internet 

you could use Cisco's ACL with DHCP reservations.  that way the pc
always gets the same ip until you change the network card.   You could
also go into the configuration of the network card and give the
"special" people a specific MAC and do the DHCP reservations that way
 
 



From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Wed 3/9/2005 12:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] deny internet 



Get a Proxy Server and use it to control outbound internet access.

 

Deji

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, March 08, 2005 7:22 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] deny internet 

 

hi all.

If I want to deny a user internet access but allow everything else, is
this possible via GPO? On win2k and winXP?

also to include other browsers besides IE

a firewall solution is not possible right now and the clients are dhcp
so cisco acl's won't always work.

Can I gpo this or is it easier to give the client a static ip and acl it
on the router?

thanks

 


[ActiveDir] Help!!! - Urgent Issue...

2005-02-16 Thread Chandra Burra

Hi,

Not able to add PC's to the domain...I get the DNS error...looked up the
link that popped up to find this

http://www.microsoft.com/windows2000/dns/tshoot/dns_tshoot2A.asp#Join_RR


Checked all (DNS and also AD - both on the same server) and everything works
fine...any quick help please...



Regards,
Chandra



RE: [ActiveDir] DC - rebuld issues

2005-02-15 Thread Chandra Burra
Thanks Stuart...I got this resolved by running the restore again...

However I have another issue here...I wanted this to be a single DC
domain...but my domain owner is DC2 which we do not want to build... Can
someone help me with the proper commands...


I am checking on the ntdsutil --> roles and seize roles...am I going
correct...please help


Regards,
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fuller, Stuart
Sent: 14 February 2005 21:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC - rebuld issues


I have seen a similar thing while using Ntbackup during our DR drills.

The first restore goes along and doesn't really complete (no log file
pops up and no warning - ntbackup simply stops and exits somewhere in
the AD portion of the restore).  You reboot the server and you login
with local admin credentials instead getting a choice to use AD.  This
second login can take a while because it has to fail on a bunch of
partially restored stuff. If you simply run the full restore again after
reboot then that works and the DC comes up just fine.  This occurs with
the target server set to AD Disaster Recovery safe mode or just booted
normally.  

-Stuart Fuller   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Monday, February 14, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC - rebuld issues
Importance: High


Hi,

I have a typical issue with re-building a DC.


I am currently in the stage of re-creating an AD domain for DR documentation.
Have installed W2k server --> trying to restore from a backup tape from the
live system ( whole C drive and the System state) --> make registry changes
for RPC and NTFRS

Issue here is that after completely restoring and re-starting --> prompted
with the login of the local system and not the domain ...mostly if I login
with the local admin - nothing comes up...explorer.exe does not start up.


Any ideas and suggestions please.


Regards,
Chandra


[ActiveDir] DC - rebuld issues

2005-02-14 Thread Chandra Burra

Hi,

I have a typical issue with re-building a DC.


I am currently in the stage of re-creating an AD domain for DR documentation.
Have installed W2k server --> trying to restore from a backup tape from the
live system ( whole C drive and the System state) --> make registry changes
for RPC and NTFRS

Issue here is that after completely restoring and re-starting --> prompted
with the login of the local system and not the domain ...mostly if I login
with the local admin - nothing comes up...explorer.exe does not start up.


Any ideas and suggestions please.


Regards,
Chandra



RE: [ActiveDir] GPO design

2005-02-14 Thread Chandra Burra

I suggest having SUS or WUS in the business and creating one GP for
implementation of all patches and updates from MS at one go...

For other applications, consolidate into one and publish.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bart Vandyck
Sent: 14 February 2005 18:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO design


Hi Jorge,

Great input.. But do I understand you correctly that performance is
dependent on the number of different GPOs instead of the settings done
by these GPOs?

rgds,

Bart


On Mon, 14 Feb 2005 10:47:43 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> Be careful with creating a GPO for each application. If you have a lot of
> apps and let's say all computers get those apps then those workstations will
> go through each GPO and then you may have performance issue. It may be
> better to consolidate several apps that have similar "characteristics" into
> one GPO.
> If within a GPO the computer or user configuration is NOT used (no settings
> defined) disable it accordingly. If it is disabled then it will not be
> processed and that is good for performance!
>
> The naming convention for GPOs I always use is:
> * GPO
>
> Where:
>  = POL (policy settings) or SWD (software distribution)
>  = C (computer) or U (user) or B (both) this one also tells me which
> configuration is enabled without opening the GPO
>  = can be anything such as location, region, department, etc.
>  = what it is (e.g. default settings)
>
> Examples:
> GPO_POL_C_Dept01_DefaultSettings
> GPO_SWD_U_Site01_AcrobatReader
>
> As I think of it: don't go crazy on GPOs. GPOs provide lots of functionality
> but may also kill performance
>
> Cheers,
> Jorge
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
> Sent: maandag 14 februari 2005 10:22
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] GPO design
>
> Hi all,
>
> I just wanted some feedback on this project I'm working on from people with
> real world knowledge.
>
> We have AD in place with an OU structure. I've been asked to make a plan to
> implement GPO's in this organization. I was thinking about creating a GPO
> for each application we want to manage and this in combination with each OU
> level.
> For example:
>   GPO-Region-IE6-users
>   GPO-Region-WINXPSP1-machine
>   GPO-Site01-IE6-users
>   GPO-Site02-IE6-machine
>   GPO-Site01-winxpsp1-user
>
> The site GPO will only be made or in effect if the need to overrule settings
> made on the region level.
>
> Is this a maintainable solution or will this become too complex in the end.
>
> Anybody know some good descriptions or best practices about managing
> software with GPO.  I've seen lots of stuff about creating GPO's,
> troubleshoot them, etc.. but haven't found real implementation case studies
> with advantages and disadvantages..
> rgds,
>
> Bart


RE: [ActiveDir] Very OT: Please Settle a Bet

2005-02-11 Thread Chandra Burra
As I recall it was a hybrid 16bit/32bit OS - a 32bit OS which can run 16bit
applications

Below is a listing of different applications shipped with Windows95 that
are 16 bit applications, and the rest are 32bit

FreeCell (FREECELL.EXE)
Microsoft Hearts Network (MSHEARTS.EXE)
Solitaire (SOL.EXE)
Character Map (CHARMAP.EXE)
Chat (WINCHAT.EXE)
Clipboard Viewer (CLIPBRD.EXE)
Dialer (DIALER.EXE)
Disk Defragmenter (DEFRAG.EXE)
DriveSpace (DRVSPACE.EXE)
ScanDisk for Windows (SCANDSKW.EXE)
System Configuration Editor (SYSEDIT.EXE)
Windows 3.1 File Manager (WINFILE.EXE)
Windows 3.1 Program Manager (PROGMAN.EXE)
Windows 95 Tour (TOUR.EXE)
Windows Version (WINVER.EXE)
Windows popup (WINPOPUP.EXE)

 

Chandra

 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Perdue David J Contr
InDyne/Enterprise IT
Sent: 11 February 2005 17:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet


I'd have to agree with you.  An option was to reboot to DOS from Win95.  For
the life of me, I can't remember what version it was at the command line
though.
 
//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597
DSN: 276-4597

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, February 11, 2005 14:18 PM
To: 'ActiveDir@mail.activedir.org'; Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet


My vote is that Win 95 required DOS and therefore was a frontend DOS
application and not a true OS.  A good example, watch a Win 95 box boot, it
always starts out with DOS and then DOS runs the interface, WIN 95.
 
Gnome isn't an OS, it's simply a shell, DOS is the same thing.

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 4:01 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet


32 bit cooperatively multitasked if memory serves ...but it might not ;)
--
Dean Wells
MSEtechnology
* Email: dwells  @msetechnology.com
  http://msetechnology.com

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Friday, February 11, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Very OT: Please Settle a Bet



Could anyone settle a bet for me? I would like to know if Windows 95 was a
16 or 32-bit OS. One of us is saying that it was natively 32-bit, but ran
16-bit apps in a VM, while the other one is saying the reverse: it was a
16-bit OS that was capable of running 32-bit apps in a VM.

 

Also, one person is saying that W95 required DOS (like Win3.1.1) and the
other is saying that, while built on DOS, DOS was not required and the OS
went above and beyond its DOS roots.

 

If anyone can settle these issues and offer proof like links to Web pages
and such, we would be grateful.

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net  

Measuring Ad Effectiveness on Television

 

The information contained in this communication is confidential, may be
privileged and is intended for the exclusive use of the above named
addressee(s). If you are not the intended recipient(s), you are expressly
prohibited from copying, distributing, disseminating, or in any other way
using any of the information contained within this communication. If you
have received this communication in error, please contact the sender by
telephone 212.871.5262 or by response via e-mail.

 

 


RE: [ActiveDir] Question: AD Group Policy not taking effect

2005-02-11 Thread Chandra Burra
did you try the commands I gave...what's the result?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Umer Y.
Sent: 11 February 2005 17:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question: AD Group Policy not taking effect


Oh. Thats what I meant.

A user 'Test' was created inside the OU. And then I added first, then 
changed the group policy for the OU.

Also, I am changing the policy settings only in 'User Configurations'.


From: "Seyboldt, Volker" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
Subject: RE: [ActiveDir] Question: AD Group Policy not taking effect
Date: Fri, 11 Feb 2005 22:54:10 +0100

If you have changed settings in the computer part of the policy, then
the computer object must be placed also in/under this OU. Otherwise the
computer related settings will not be applied.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Umer Y.
Sent: Freitag, 11. Februar 2005 22:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question: AD Group Policy not taking effect

Hello,

I added an OU. Added a test user.

I added a group policy by clicking 'add' under 'group policy' in OU's
properties.

Changed a couple of things around.

Logged onto a test client. Group policy wouldn't take effect.

What am I missing?

I will appreciate your help in this regard.

Thanks.




... you don't know what you've got 'till it's gone..

- Joni Mitchell


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Question: AD Group Policy not taking effect

2005-02-11 Thread Chandra Burra
just to give you more... the clients should get auto refresh in background...

use these commands to force a gp refresh

secedit /refreshpolicy user_policy /enforce

secedit /refreshpolicy machine_policy /enforce


chandra


-Original Message-
From: Chandra Burra [mailto:[EMAIL PROTECTED]
Sent: 11 February 2005 
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Question: AD Group Policy not taking effect


if it's windows2000 pro, do the following on the command line

secedit /refreshpolicy user_policy



chandra



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Umer Y.
Sent: 11 February 2005 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question: AD Group Policy not taking effect


Hello,

I added an OU. Added a test user.

I added a group policy by clicking 'add' under 'group policy' in OU's 
properties.

Changed a couple of things around.

Logged onto a test client. Group policy wouldn't take effect.

What am I missing?

I will appreciate your help in this regard.

Thanks.




... you don't know what you've got 'till it's gone..

- Joni Mitchell


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Question: AD Group Policy not taking effect

2005-02-11 Thread Chandra Burra
if it's windows2000 pro, do the following on the command line

secedit /refreshpolicy user_policy



chandra



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Umer Y.
Sent: 11 February 2005 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question: AD Group Policy not taking effect


Hello,

I added an OU. Added a test user.

I added a group policy by clicking 'add' under 'group policy' in OU's 
properties.

Changed a couple of things around.

Logged onto a test client. Group policy wouldn't take effect.

What am I missing?

I will appreciate your help in this regard.

Thanks.




... you don't know what you've got 'till it's gone..

- Joni Mitchell


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Problem with SUS Group Policy

2005-02-11 Thread Chandra Burra
Can you please explain what you mean by AS SOON AS THEY LOGIN - Since the
updates or patches will be downloaded on to the client systems in a temp
folder one by one as per the priority -- first come first served I think...

Suggest that you configure it to download and install in middle of the
night. If the user misses this time it will install and re-boot on his next
login.


Chandra


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jennifer
Fountain
Sent: 11 February 2005 19:41
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem with SUS Group Policy


I have the following configured in my group policy:

Policy                                     Setting
Configure Automatic Updates                Enabled
  Configure automatic updating:            4 - Auto download and schedule the install
  The following settings are only required and applicable if 4 is selected.
  Scheduled install day:                   0 - Every day
  Scheduled install time:                  20:00

Policy                                                          Setting
No auto-restart for scheduled Automatic Updates installations   Disabled
Reschedule Automatic Updates scheduled installations            Enabled
  Wait after system startup (minutes):                          1
 
Works fine but instead of getting updates as soon as they login
(reschedule automatic updates), they get them later in the day.  I am
not sure what is causing this issue and my boss isn't happy right now
because of it (we make people auto reboot because normally they
wouldn't.)  Can anyone shed some light on this for me? Thanks!

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
R&B Distribution
3400 E Walnut Street
Colmar, PA  18915

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] New Site

2005-02-02 Thread Chandra Burra
Thanks Paul for the updates...

to give a bit background into my question:

My colleague in networks team told me that if we have a FR circuit
from the branch into HQ then it terminates on one of the interface on
internal routers and will not require any firewalls by any corporate
standards.

we are currently working to upgrade our field offices across into
W2K3 (already completed 3). Just wanted to get the issues list up
on table.


Chandra


On Wed, 2 Feb 2005 16:25:54 +, Chandra Burra
<[EMAIL PROTECTED]> wrote:
> Hey Paul, Is there any known issues with the leased lines (or FR
> circuits) terminating into HQ from branch offices ???
> 
> going through the document now...
> 
> 
> Chandra
> 
> 
> On Wed, 2 Feb 2005 16:58:51 +0100, Paul van Geldrop
> <[EMAIL PROTECTED]> wrote:
> >
> >
> > To answer your second question:
> >
> >
> >
> > You might want to consider using a VPN between the locations and just all
> > VPN traffic go up and down between the sites without any blocking.
> > Especially handy if you wish to use ISA Server on the central location or
> > something similar for the site's Internet access as well. If you, however,
> > choose not to do so and just set up the right ports.. Use the big orange
> > 'Open Port' button in the Cisco router interface.. or read the following
> > link and configure the router accordingly:
> >
> >
> >
> > http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp
> >
> >
> >
> > Don't be scared of the blond guy.. gave me a start first time ;)
> >
> >
> >
> > Regards,
> >
> >
> >
> > Paul
> >
> >
> > 
> >
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
> > Sent: Wednesday, 2 February 2005 16:08
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] New Site
> >
> >
> >
> > Hi folks,
> >
> > I need some advice as setting up a new site in active directory site &
> > services (ADSS).
> >
> > I am in the process of opening a remote office in another city. I have a
> > digital leased line at 128 kbps and two Cisco 1721 routers with an ISDN
> > backup line. I plan to create a new subnet for the remote office (eg. if I
> > currently use 1.1.1.0/24 I plan to use 1.1.2.0/24 for the remote site).
> > The remote site will host a DC and a backup database server. They are all
> > part of the domain.
> >
> > Question: will the users automatically login to the DC in the remote site or
> > will they go across the WAN to login at my head office? If they do not
> > automatically login to the DC in the remote office, what needs to be
> > configured to force them to login to the DC in the remote office?
> >
> > Question: What ports on the Cisco routers need to be opened for AD and make
> > sure replication takes place?
> >
> > Thanks in advance.
> >
> > George
> >
> >
> >
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] New Site

2005-02-02 Thread Chandra Burra
Hey Paul, Is there any known issues with the leased lines (or FR
circuits) terminating into HQ from branch offices ???

going through the document now...


Chandra



On Wed, 2 Feb 2005 16:58:51 +0100, Paul van Geldrop
<[EMAIL PROTECTED]> wrote:
> 
> 
> To answer your second question:
> 
>  
> 
> You might want to consider using a VPN between the locations and just all
> VPN traffic go up and down between the sites without any blocking.
> Especially handy if you wish to use ISA Server on the central location or
> something similar for the site's Internet access as well. If you, however,
> choose not to do so and just set up the right ports.. Use the big orange
> 'Open Port' button in the Cisco router interface.. or read the following
> link and configure the router accordingly:
> 
>  
> 
> http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp
> 
>  
> 
> Don't be scared of the blond guy.. gave me a start first time ;)
> 
>  
> 
> Regards,
> 
>  
> 
> Paul
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
> Sent: Wednesday, 2 February 2005 16:08
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] New Site
> 
>  
> 
> Hi folks,
> 
> I need some advice as setting up a new site in active directory site &
> services (ADSS). 
> 
> I am in the process of opening a remote office in another city. I have a
> digital leased line at 128 kbps and two Cisco 1721 routers with an ISDN
> backup line. I plan to create a new subnet for the remote office (eg. if I
> currently use 1.1.1.0/24 I plan to use 1.1.2.0/24 for the remote site).
> The remote site will host a DC and a backup database server. They are all
> part of the domain. 
> 
> Question: will the users automatically login to the DC in the remote site or
> will they go across the WAN to login at my head office? If they do not
> automatically login to the DC in the remote office, what needs to be
> configured to force them to login to the DC in the remote office? 
> 
> Question: What ports on the Cisco routers need to be opened for AD and make
> sure replication takes place?
> 
> Thanks in advance.
> 
> George
> 
> 
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] New Site

2005-02-02 Thread Chandra Burra
Once you configure the site and assign the DC for the site...

by theory the local PC's and laptops should go to that site DC.

In practical world...several Admins had some bad tastes - hope you
shouldn't have any


Chandra


On Wed, 2 Feb 2005 16:07:53 +0100, George Arezina <[EMAIL PROTECTED]> wrote:
> 
> 
> Hi folks,
> 
> I need some advice as setting up a new site in active directory site &
> services (ADSS). 
> 
> I am in the process of opening a remote office in another city. I have a
> digital leased line at 128 kbps and two Cisco 1721 routers with an ISDN
> backup line. I plan to create a new subnet for the remote office (eg. if I
> currently use 1.1.1.0/24 I plan to use 1.1.2.0/24 for the remote site).
> The remote site will host a DC and a backup database server. They are all
> part of the domain. 
> 
> Question: will the users automatically login to the DC in the remote site or
> will they go across the WAN to login at my head office? If they do not
> automatically login to the DC in the remote office, what needs to be
> configured to force them to login to the DC in the remote office? 
> 
> Question: What ports on the Cisco routers need to be opened for AD and make
> sure replication takes place?
> 
> Thanks in advance.
> 
> George
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
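
The site question raised in this thread, as an added example that is not part of any list message: a client is placed in the site whose subnet object most specifically contains its IP address, and it then looks for domain controllers under that site's SRV record. The site names, the catch-all 1.1.0.0/16 subnet and the domain name `corp.example` are assumptions made for the illustration; the two /24 subnets are the ones George mentions.

```python
import ipaddress

# Constructed subnet objects, as they would be linked to sites in
# Active Directory Sites and Services. Site and domain names are hypothetical.
SUBNET_TO_SITE = {
    "1.1.0.0/16": "HeadOffice",    # catch-all supernet (assumption)
    "1.1.1.0/24": "HeadOffice",    # current office subnet from the thread
    "1.1.2.0/24": "RemoteOffice",  # planned remote office subnet from the thread
}
DOMAIN = "corp.example"


def site_for_ip(ip, subnet_to_site=SUBNET_TO_SITE):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        # Longest prefix wins: a /24 beats the /16 that also contains the host.
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def dc_srv_name(ip, domain=DOMAIN, subnet_to_site=SUBNET_TO_SITE):
    """SRV record a client at this address ends up using to find a DC.

    With a site assignment the site-specific record is used; without one the
    client can only use the domain-wide record, which lists every DC.
    """
    site = site_for_ip(ip, subnet_to_site)
    if site is None:
        return f"_ldap._tcp.dc._msdcs.{domain}"
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def unmapped_clients(ips, subnet_to_site=SUBNET_TO_SITE):
    """Client addresses that match no subnet object and so get no site."""
    return [ip for ip in ips if site_for_ip(ip, subnet_to_site) is None]


if __name__ == "__main__":
    # Constructed client addresses.
    for ip in ("1.1.1.10", "1.1.2.57", "1.1.3.9", "10.0.0.5"):
        print(ip, site_for_ip(ip), dc_srv_name(ip))
```

If the 1.1.2.0/24 subnet object is never created, the remote clients fall under the catch-all and are treated as head-office machines, so their logons can cross the WAN even though a DC sits next to them.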


Re: [ActiveDir] Outlook/Exchange Issue

2005-02-02 Thread Chandra Burra
One more thing...we can try is..make a change in the DC @ HQ and then
try to replicate it across to the LA site.

if the replication is successful then this might avoid any replication or
permissions issues.


Chandra


On Wed, 2 Feb 2005 09:50:03 -0500, Dan DeStefano <[EMAIL PROTECTED]> wrote:
> 
> 
> Yes. The thing is that this is not a new user. This user has been with the
> company for a while and it worked fine before.
> 
>  
> 
> Dan
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: Tuesday, February 01, 2005 6:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> 
> Dan, did u check on local DC @ LA site?  can you check if the user account
> has replicated properly... think it could be the attribute changes may not
> have replicated properly to the DC in LA
> 
> 
>  
> 
> 
> Regards,
> Chandra
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dan DeStefano
> Sent: 01 February 2005 17:04
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
> 
> 
> 
> When logging onto a machine at the HQ site, Outlook works fine for the user.
> But when logging on from any PC at the LA site, Outlook hangs. However,
> other users at the LA site are not having this problem. It is very weird
> that only this one user is having this problem when logging on from this one
> site.
> 
>  
> 
>  
> 
> Dan
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, February 01, 2005 4:57 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> What happens if you log into a machine at the HQ site with the user's info?
> 
>  
> 
> As for account corruption. I have never actually ever seen account
> corruption. I know a lot of folks who said they had corruption and they
> proved it was corruption by deleting and recreating. That doesn't actually
> prove corruption, it just proves something wasn't right that the admin
> didn't understand. Mailbox corruption, well that is another matter. MAPI is
> a four letter word. 
> 
> 
>  
> 
> 
>   joe
> 
> 
>  
> 
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Tuesday, February 01, 2005 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
> The tech working on the problem has tried this, but to no avail.
> 
> Some more information:
> 
> If I logon to the PC with any other user account and open Outlook it works
> fine. I also had the user logon to PCs in other sites and the problem
> persists. This has led me to believe that the problem may be with the user's
> account itself. However the user can logon using OWA and has no problems
> logging onto the domain so I am at a loss.
> 
> Is it possible that there is some weird corruption with the user's domain
> account and/or mailbox? Would re-creating the mailbox/user account be worth
> a try? If so, what is the best way to go about doing this? Export the user's
> mailbox to a .pst file and delete the account/mailbox, recreate it, then
> import the .pst file? If so, what preferences, appointments, tasks, etc.
> will the user lose?
> 
>  
> 
> I greatly appreciate everyone's help with this frustrating issue.
> 
>  
> 
>  
> 
> Dan
> 
>  
> 
>  
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Tuesday, February 01, 2005 2:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> 
> We have lots of kerberos authentication problems over VPN connections. The
> solution is to force kerberos to use TCP.
> 
> 
>  
> 
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
> "MaxPacketSize"=dword:0001
> 
> 
>  
> 
> 
> Not sure if that is your problem, but it's worth a shot.
> 
> 
>  
> 
> 
> BTW, does anyone know why kerberos was designed to use UDP in the first place?
> Seems pretty silly to me.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On B

RE: [ActiveDir] Outlook/Exchange Issue

2005-02-01 Thread Chandra Burra
Dan, did u check on local DC @ LA site?  can you check if the user account
has replicated properly... think it could be the attribute changes may not
have replicated properly to the DC in LA
 
Regards,
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dan DeStefano
Sent: 01 February 2005 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue



When logging onto a machine at the HQ site, Outlook works fine for the user.
But when logging on from any PC at the LA site, Outlook hangs. However,
other users at the LA site are not having this problem. It is very weird
that only this one user is having this problem when logging on from this one
site.

 

 

Dan

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 01, 2005 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

 

What happens if you log into a machine at the HQ site with the user's info?

 

As for account corruption. I have never actually ever seen account
corruption. I know a lot of folks who said they had corruption and they
proved it was corruption by deleting and recreating. That doesn't actually
prove corruption, it just proves something wasn't right that the admin
didn't understand. Mailbox corruption, well that is another matter. MAPI is
a four letter word. 

 

  joe

 

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

The tech working on the problem has tried this, but to no avail.

Some more information:

If I logon to the PC with any other user account and open Outlook it works
fine. I also had the user logon to PCs in other sites and the problem
persists. This has led me to believe that the problem may be with the user's
account itself. However the user can logon using OWA and has no problems
logging onto the domain so I am at a loss.

Is it possible that there is some weird corruption with the user's domain
account and/or mailbox? Would re-creating the mailbox/user account be worth
a try? If so, what is the best way to go about doing this? Export the user's
mailbox to a .pst file and delete the account/mailbox, recreate it, then
import the .pst file? If so, what preferences, appointments, tasks, etc.
will the user lose?

 

I greatly appreciate everyone's help with this frustrating issue.

 

 

Dan

 

 

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, February 01, 2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

 

We have lots of kerberos authentication problems over VPN connections. The
solution is to force kerberos to use TCP.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:0001

 

Not sure if that is your problem, but it's worth a shot.

 

BTW, does anyone know why kerberos was designed to use UDP in the first place?
Seems pretty silly to me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook/Exchange Issue

I have a frustrating problem:

We have a W2k AD domain with 3 sites and 5 subnets - 3 bound to our HQ site
and one each bound to our other two sites. These sites are connected by
persistent VPN connections using our Nokia Checkpoint firewalls - two of our
sites have dedicated T3 connections and the other site has a dedicated
T1.Each site has a GC.

I recently configured a laptop here in our main site for a user in our LA
site. The laptop has a wired and wireless connection, however, our only site
with wireless access is our main site - but since the user travels between
sites periodically I configured the wireless connection as well. I installed
Office 2000 from an administrative installation point at this site and
configured Outlook to connect to our sole Exchange server here at our main
site. I also set up the user's Outlook profile from this site, connected to
our Exchange server, synchronized the user's mailbox (I set up Outlook in
cached mode) and all worked well.

After shipping the laptop to the user at the remote site, I got a call from
the user. Outlook hangs after opening and gives me the "Not Responding" even
after leaving it alone for 10+minutes.

One of the other techs here is working on the problem and he tried repairing
the Office installation, disabling the wireless connection, reinstalling
Outlook, tried creating a new user profile, but nothing has been successful
so far.

 

Has anyone experienced this before? If I have left out any info, please let
me know and I will provide it.

 

 

Dan DeStefano
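
The registry setting Ken Cornetet quotes in this thread, as an added example that is not part of any list message: the sketch parses a .reg fragment (including a key header whose closing bracket has wrapped onto the next line) and reports whether a Kerberos request of a given size would go over UDP or TCP. The 2000-byte default threshold and the request sizes are assumptions for the illustration; the sample fragment is constructed from the lines quoted above.

```python
import re

KERBEROS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
).lower()

# Assumption: threshold used when MaxPacketSize is not set on the client.
ASSUMED_DEFAULT_MAX_PACKET = 2000

# Constructed sample, copied from the fragment quoted in the thread,
# with the closing bracket wrapped onto its own line by the mail client.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
]
"MaxPacketSize"=dword:0001
'''

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Return {key: {value_name: int}} for the dword values in a .reg fragment."""
    values = {}
    key = None
    pending = None  # a "[key" header whose closing "]" has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if pending is not None:
            pending += line
            if not pending.endswith("]"):
                continue
            line, pending = pending, None
        elif line.startswith("[") and not line.endswith("]"):
            pending = line
            continue
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive, so normalise them.
            key = line[1:-1].lower()
            values.setdefault(key, {})
            continue
        match = DWORD_RE.match(line)
        if match and key is not None:
            values[key][match.group(1).lower()] = int(match.group(2), 16)
    return values


def max_packet_size(values):
    """Configured UDP threshold in bytes, or the assumed default."""
    return values.get(KERBEROS_KEY, {}).get("maxpacketsize", ASSUMED_DEFAULT_MAX_PACKET)


def kerberos_transport(values, request_bytes):
    """UDP is used only while the request fits within MaxPacketSize."""
    return "UDP" if request_bytes <= max_packet_size(values) else "TCP"


def forces_tcp(values):
    """True when the threshold is so low that every real request exceeds it."""
    return max_packet_size(values) <= 1


if __name__ == "__main__":
    configured = parse_reg(SAMPLE_REG)
    for size in (600, 1400, 4000):  # constructed request sizes in bytes
        print(size, "unset:", kerberos_transport({}, size),
              "with setting:", kerberos_transport(configured, size))
```

The middle case is the one that matters over a VPN: a 1400-byte request still goes out as a single UDP datagram under the assumed default, and tunnel overhead can push it past the path MTU, while the setting moves it to TCP.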

 

 


[ActiveDir] Netlogon Polocies in W2K3 AD GP

2005-02-01 Thread Chandra Burra
All,

Just wondering if someone has worked on the Netlogon policies in the
W2K3 GP (system.adm)

These have options to specify the site - DC srv records and so on


just was going through them...Can someone highlight on specifically
tested and used.


Thanks,
Chandra
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Chandra Burra

I had seen a similar issue, this was resolved after placing a DC in the
local site and also configuring it as a local print server.

Major hits were with the print server, each time user prints it goes to the
spooler in HQ and then comes back to print in local office, later the
notification is expected by the client from the print server on completion
of the print.

Other traffic might also be going through same tunnel...like other business
applications, E2K and so on...

have the n/w team monitor the link or use netmon to get the same
yourself...that might give you more insight...


Regards,
Chandra




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul van Geldrop
Sent: 31 January 2005 17:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Are there still NT4 machines at the site ?

You seem to have symptoms of timeouts and/or DNS misconfiguration.

Any errors in the DNS server logs ? Have you ran DNSdiag yet by any
chance ?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Monday, January 31, 2005 5:53 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

This site goes back to our main location that houses this sites DNS, DC, GC
and other server related sites.  The VPN concentrator at this location
grants DHCP servers to the location and uses a routing table for security.
All of the ISA and other firewall issues are dealt with at the main location
as the routing table only allows communication through here.

We are using AD integrated DNS (which is housed on our DCs) and all DCs are
GCs.

The odd thing is that if you are at that location and are using a
workstation on the NT domain then all web services as well as workstation
boot up and logon times are normally.  Only AD related workstations are
affected.

We are using Cisco VPN concentrators on both ends.

Does this cover the information that you were looking for.  If you need
something else, let me know.

Charlie

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Some more info might be good.. such as location of DCs, GCs, DNS
configuration, etc. I presume you're setting up the VPN with firewalls.. or
are you using ISA Server ?

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: maandag 31 januari 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of our of my sites that is
using a VPN connection to our central hub.  Before the migration they were
not experiencing any issues, however after the migration they are not seeing
large lag times in starting up their machines and logging in.

Also, when they browse the internet and they try to access pages that
require authentication they get stuck (the page never loads completely and
they do not receive an error message and this includes sites such as
mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network kills
the VPN?

Thanks,

Charlie
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread Chandra Burra
Does that domain have a replication partner? If yes, can you check on
that server if you can copy that folder off...

The other option I can think of is a tool to restore the deleted items from
the hard disk - like File Restore from Winternals


On Mon, 31 Jan 2005 11:48:14 -, knighTslayer
<[EMAIL PROTECTED]> wrote:
> The GPO GUID is missing from the sysvol directory.  I understand your
> suggestion about the permissions and I followed the KB which relates to
> this, but simply, the object (folder) is missing from the sysvol folder.
> 
> I am unable to edit it, because it is missing.
> 
> Adam
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> 
> Sent: 31 January 2005 11:36
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
> 
> Adam.,
> 
> If I understood the problem correctly --> you are able to see the GP in the GPUC
> --> but are not able to edit.
> 
> Then can you confirm that the object exists? Go to GPUC--> System -->
> Policies and check for the GP SID you are mentioning.
> 
> If that exists and you are not able to edit that GP then it's simply an issue
> with permissions on that child domain.
> 
> Regards,
> Chandra
> 
> On Mon, 31 Jan 2005 11:14:14 -, knighTslayer
> <[EMAIL PROTECTED]> wrote:
> > Chandra, thanks for your response.  I looked in Lost and found and it
> > is empty.
> >
> > Regards
> >
> > Adam
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> > Sent: 31 January 2005 11:08
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> > folder
> >
> > did u try in Lost and Found
> >
> > AD Users & Computers --> View --> Advanced Features ( check this) to
> > get more folders on the left panel.
> >
> > Regards,
> > Chandra
> >
> > On Mon, 31 Jan 2005 10:26:33 -, knighTslayer
> > <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > Running Windows 2000 sp4 Active Directory.
> > > Domain concerned is a child domain off the root domain.
> > >
> > > I cannot edit the default domain policy object through ADUC or GPO
> > > edit.  I get a Group Policy Error:
> > >
> > > "Failed to open the Group Policy Object. You may not have
> > > appropriate rights."
> > >
> > > I followed KB 294275, however it occurred to me that the actual
> > > folder is missing in \Sysvol\Domain\Policies\
> > "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
> > >
> > > There are no backups or copies of the directories anywhere.  This is
> > > a domain without users (yet) and was set-up by another 3rd party
> > > under the control of the root domain admins.
> > >
> > > Can I regenerate the default domain gpo or is there another option
> > > to recreate this?
> > >
> > > TIA
> > >
> > > Adam
> > >


Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread Chandra Burra
Adam., 

If I understood the problem correctly --> you are able to see the GP in
the GPUC --> but are not able to edit.

Then can you confirm that the object exists? Go to GPUC--> System -->
Policies and check for the GP SID you are mentioning.

If that exists and you are not able to edit that GP then it's simply an
issue with permissions on that child domain.

Regards,
Chandra


On Mon, 31 Jan 2005 11:14:14 -, knighTslayer
<[EMAIL PROTECTED]> wrote:
> Chandra, thanks for your response.  I looked in Lost and found and it is
> empty.
> 
> Regards
> 
> Adam
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: 31 January 2005 11:08
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
> 
> did u try in Lost and Found
> 
> AD Users & Computers --> View --> Advanced Features ( check this) to get more
> folders on the left panel.
> 
> Regards,
> Chandra
> 
> On Mon, 31 Jan 2005 10:26:33 -, knighTslayer
> <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Running Windows 2000 sp4 Active Directory.
> > Domain concerned is a child domain off the root domain.
> >
> > I cannot edit the default domain policy object through ADUC or GPO
> > edit.  I get a Group Policy Error:
> >
> > "Failed to open the Group Policy Object. You may not have appropriate
> > rights."
> >
> > I followed KB 294275, however it occurred to me that the actual folder
> > is missing in \Sysvol\Domain\Policies\
> "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
> >
> > There are no backups or copies of the directories anywhere.  This is a
> > domain without users (yet) and was set-up by another 3rd party under
> > the control of the root domain admins.
> >
> > Can I regenerate the default domain gpo or is there another option to
> > recreate this?
> >
> > TIA
> >
> > Adam
> >


Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread Chandra Burra
did u try in Lost and Found

AD Users & Computers --> View --> Advanced Features ( check this) to 
get more folders on the left panel.

Regards,
Chandra


On Mon, 31 Jan 2005 10:26:33 -, knighTslayer
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> Running Windows 2000 sp4 Active Directory.
> Domain concerned is a child domain off the root domain.
> 
> I cannot edit the default domain policy object through ADUC or GPO edit.  I
> get a Group Policy Error:
> 
> "Failed to open the Group Policy Object. You may not have appropriate
> rights."
> 
> I followed KB 294275, however it occurred to me that the actual folder is
> missing in \Sysvol\Domain\Policies\ "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
> 
> There are no backups or copies of the directories anywhere.  This is a
> domain without users (yet) and was set-up by another 3rd party under the
> control of the root domain admins.
> 
> Can I regenerate the default domain gpo or is there another option to
> recreate this?
> 
> TIA
> 
> Adam
> 


Re: [ActiveDir] Restricting applications

2005-01-31 Thread Chandra Burra
User Config --> Admin templates --> Windows Components --> Windows
Installer --> Install with Elevated Privileges

or you can use "Disable media source for any install" --> from the same location


Regards,
Chandra


On Mon, 31 Jan 2005 09:17:25 -, Allan Reynolds
<[EMAIL PROTECTED]> wrote:
> I might be missing something but the only thing i have seen in GPO seems to
> be related to MSI install.  Is there something else that will restrict other
> installs? 
>  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: 28 January 2005 16:15
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Restricting applications
> 
> Simple way is to restrict any installation by the users. this is easy to do
> via GP
>  
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Darren Mar-Elia
> Sent: 28 January 2005 11:08
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Restricting applications
> 
> If you can reliably know the drive letters of these removeable devices then
> you can use Software Restriction Policy path rules to prevent execution of
> any code from a given path.
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Allan Reynolds
> Sent: Friday, January 28, 2005 11:03 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Restricting applications
> 
> Hi, 
>  
>   I'm not sure if this is even possible but I saw something saying it should
> in an article the other day but it gave no specifics.  
>  
> What we are looking to do is give users access to CDROM/Floppy/USB Drives
> but want the ability to prevent installing or even running applications from
> these drives.
>  
> The article seemed to imply that this might be possible using GPO's and I
> was interested if anyone here knows how this can be achieved or can point me
> in the general direction of some info that might be able to help me. 
>  
> Cheers 
> Allan 
>  
> 
> 
> DISCLAIMER: The information in this email is confidential and may contain
> personal views which are not those of Myers Grove School. The contents may
> not be disclosed or used by anyone other than the addressee. If you are not
> the addressee, please tell us by using the reply facility in your email
> software as soon as possible. Myers Grove School cannot accept any
> responsibility for the accuracy or completeness of this message as it has
> been transmitted over a public network. If you suspect that the message may
> have been intercepted or amended please tell us as soon as possible. 
> 
> 
> 
> 
> 
> 


Re: [ActiveDir] Windows 2000 logon

2005-01-31 Thread Chandra Burra
This is not THE solution but you can try.

Shutdown or disconnect the DC1 you do not want to authenticate from
the network.

Go to the PC's which you want to connect to DC2 and log in. 

Bring the DC1 back into the network... -- the PCs which are connected
to DC2 still remember DC2 and go to it for authentication.


Regards,
Chandra


On Mon, 31 Jan 2005 14:39:56 +0530, Tashildar, Dinesh (Cognizant)
<[EMAIL PROTECTED]> wrote:
> Got it... but this is fine, in case if you have single DC in a site. Lets
> say, if I have 2 DC in a site and I wanted group of PC should get
> authentication from DC1 and other from DC2 then how can I tell PC's ?
>  
> Note : I know we can achieve this by creating a separate sites for single DC
> and assign subnet's to it. I am looking for some other solution, which will
> not disturb sites and subnet settings.
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed Tantawi
> Sent: Monday, January 31, 2005 2:31 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Windows 2000 logon
> 
> 
> 
> As far as I know, the authentication method is done using the DNS server.
> 
> I mean, when you type your user name & password, it takes it and asks the
> DNS and tells him the following ("OK, DNS, I have this user name & password
> from this PC in the network, please, I want to validate the user name &
> password for this"), then DNS replies.
> 
> DNS reply: OK PC, I have here in my records in the zone, this server is
> making the authentication. Take his IP-Address and talk to him.
> PC: OK, DNS, please give me this IP-Address.
> DNS: OK, IP-address is 192.168.1.1
> PC: OK, thanks, I will talk to this server now.
> 
> PC - To - Server: Dear Server, please, I have this user name &
> password, please authenticate it.
> 
> So this is the process as I know.
> 
> So, if you change the IP-Address of the server which is making the Kerberos
> service, I think you will be able to make it. Please tell me if this is enough
> for you.
> 
>  
> 
>  
> 
> 
> 
> From: Yakir, Ronen [mailto:[EMAIL PROTECTED] 
> Sent: 21 Dhu al-Hijjah 1425, 11:47 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Windows 2000 logon
> 
>  
> 
> 
> Hi
> 
> 
>  
> 
> 
> As far As I know, there is no way to force a pc to authenticate with a
> specific server.
> 
> 
>  
> 
> 
>  
> 
> 
>  
> 
>  
> 
> Ronen Yakir
> 
> Customer Support Engineer
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed Tantawi
> Sent: Monday, January 31, 2005 8:11 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Windows 2000 logon
> 
> What do you mean ? Can you explain More details to help you 
> 
>  
> 
> Mohammed
> 
>  
> 
>  
> 
> 
> 
> From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED] 
> Sent: 21 Dhu al-Hijjah 1425, 08:44 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Windows 2000 logon
> 
>  
> 
> Hi, 
> Does anyone know how to force a Windows 2000 Pro PC to logon to a specific
> Windows 2000 Server rather than just using any old server that can
> authenticate? 
> 
> I have tried changing the LOGONSERVER environment variable to force logon to
> the DC, but it's not working. 
> 
> Regards,
> Dinesh Tashildar
>


RE: [ActiveDir] Restricting applications

2005-01-28 Thread Chandra Burra
A simple way is to restrict any installation by the users. This is easy to do
via GP
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Darren Mar-Elia
Sent: 28 January 2005 11:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting applications


If you can reliably know the drive letters of these removeable devices then
you can use Software Restriction Policy path rules to prevent execution of
any code from a given path.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Allan Reynolds
Sent: Friday, January 28, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricting applications


Hi, 
 
  I'm not sure if this is even possible but I saw something saying it should
in an article the other day but it gave no specifics.  
 
What we are looking to do is give users access to CDROM/Floppy/USB Drives
but want the ability to prevent installing or even running applications from
these drives.
 
The article seemed to imply that this might be possible using GPO's and I
was interested if anyone here knows how this can be achieved or can point me
in the general direction of some info that might be able to help me. 
 
Cheers 
Allan 
 




Re: [ActiveDir] LDAP export pros/cons

2005-01-21 Thread Chandra Burra
Precisely..unless i am dreaming ;-)



On Fri, 21 Jan 2005 07:41:11 -0600, Robert N. Leali <[EMAIL PROTECTED]> wrote:
> Maybe I'm not seeing the big picture of how this can be done with website
> redirection.  Is it just a matter of making one mutual user account on
> both my web server and the third party portal server that is trusted by
> both machines and using that account to pass the web traffic after the
> users authenticate to my site?
> 
> My ultimate goal is to keep my risk and exposure of user names/
> passwords/ authentication to the bare minimum and still get the desired
> effect of not maintaining two user names/passwords per user.  It's not
> that the third party isn't trusted as much as they aren't careful or
> vigilant in their security configurations and we have no control over
> that situation.  We are trying to keep the attack surface coming from
> their side as small as possible because we are required to make the
> portal work for our users.
> 
> I think I have a grasp on how a reverse proxy web publishing can achieve
> this and still keep everything encrypted and semi secure using
> certificates.
> 
> R-
> 
> -----Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: Friday, January 21, 2005 3:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] LDAP export pros/cons
> 
> Not worked that much on the 3rd party integrations... but have an idea
> 
> Can you try do Authentication re-directions to that site -> i mean
> instead of people going to 3rd party site for authentication --> can
> they come to your own website and get authenticated through your ldap or
> RSA server and get re-directed to the desired locations.
> 
> Regards,
> Chandra
> 
> On Thu, 20 Jan 2005 23:54:28 -0500, joe <[EMAIL PROTECTED]> wrote:
> > Ditto. Whomever is running that web site gets to see all of the clear
> > text passwords for every user that authenticates. I would say that is
> > giving out a bit more info to the third party than you would normally
> > like to supply.
> > Heck I don't even like doing that on intranet sites run by people in
> > the same company let alone someone outside of the company. Sort of on
> > par with saying, hi, here are my most sensitive parts and giving them
> > to a third party and asking them to be nice to them.
> >
> >   joe
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Thursday, January 20, 2005 6:54 PM
> >
> > To: 'ActiveDir@mail.activedir.org'
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> > 
> > Interesting. I may just not understand what you have in mind.
> >
> > I would agree, but I'm leery of ldap bind for authentication in this
> > scenario.  In addition, it seems that it would not really provide the
> > full amount of usefulness to the solution since the user has to also
> > remember a different set of creds if they use this portal with dual
> > id.  Am I just misunderstanding, or were you thinking of something
> > different??
> >
> > Al
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Coleman,
> > Hunter
> > Sent: Thursday, January 20, 2005 4:44 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> > 
> > Here's a common scenario, where an application like the web portal
> > outsources authentication to an external directory but retains
> > authorization... your user hits the web portal and gets a prompt for
> > her login ID and password. She enters that information and hits the OK
> > button, and your portal then attempts to do an authenticated bind to
> > the user's object in the LDAP directory, using the submitted ID and
> > password. If the bind is successful, then the LDAP directory returns a
> > successful acknowledgement to the portal. The portal hears that the
> > user ID and password are correct, so the portal can then present the
> > user with the appropriate content based on the portal permissions
> > assigned to her account.
> >
> > The key here is that there has to be a common identifier in the portal
> > and LDAP directory, so that the user gets the right stuff (based on
> > the authorization in the portal) as a result of successful LDAP
> > "login" (based on the LDAP authentication). Typically the common
> > identifier is the logon ID, so that the portal knows that a successful
>

Re: [ActiveDir] LDAP export pros/cons

2005-01-21 Thread Chandra Burra
Not worked that much on the 3rd party integrations... but have an idea

Can you try do Authentication re-directions to that site -> i mean
instead of people going to 3rd party site for authentication --> can
they come to your own website and get authenticated through your ldap
or RSA server and get re-directed to the desired locations.

Regards,
Chandra


On Thu, 20 Jan 2005 23:54:28 -0500, joe <[EMAIL PROTECTED]> wrote:
> Ditto. Whomever is running that web site gets to see all of the clear text
> passwords for every user that authenticates. I would say that is giving out
> a bit more info to the third party than you would normally like to supply.
> Heck I don't even like doing that on intranet sites run by people in the
> same company let alone someone outside of the company. Sort of on par with
> saying, hi, here are my most sensitive parts and giving them to a third
> party and asking them to be nice to them. 
>  
>   joe
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, January 20, 2005 6:54 PM
> 
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] LDAP export pros/cons
> 
> Interesting. I may just not understand what you have in mind.  
>  
> I would agree, but I'm leery of ldap bind for authentication in this
> scenario.  In addition, it seems that it would not really provide the full
> amount of usefulness to the solution since the user has to also remember a
> different set of creds if they use this portal with dual id.  Am I just
> misunderstanding, or were you thinking of something different??  
>  
> Al
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> Sent: Thursday, January 20, 2005 4:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] LDAP export pros/cons
> 
> Here's a common scenario, where an application like the web portal
> outsources authentication to an external directory but retains
> authorization... your user hits the web portal and gets a prompt for her
> login ID and password. She enters that information and hits the OK button,
> and your portal then attempts to do an authenticated bind to the user's
> object in the LDAP directory, using the submitted ID and password. If the
> bind is successful, then the LDAP directory returns a successful
> acknowledgement to the portal. The portal hears that the user ID and
> password are correct, so the portal can then present the user with the
> appropriate content based on the portal permissions assigned to her account.
>  
> The key here is that there has to be a common identifier in the portal and
> LDAP directory, so that the user gets the right stuff (based on the
> authorization in the portal) as a result of successful LDAP "login" (based
> on the LDAP authentication). Typically the common identifier is the logon
> ID, so that the portal knows that a successful LDAP bind to jane.doe should
> be associated with the jane.doe object in the portal.
>  
> It would be a good idea to ask what specific attributes the portal is
> looking for, or even the syntax of the LDAP queries they hope to issue.
>  
> Hunter
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> Sent: Thursday, January 20, 2005 2:05 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] LDAP export pros/cons
> 
> I understand what you are saying and agree.  On the same topic, what do you
> suggest is the best practice for having users authenticate to a third party
> web portal. Is it better to set up a one-way non-transitive trust between
> the two forests or domains, or go with an ldap export assuming this is going
> to be a long term solution.   The only thing we are trying to do is to allow
> our users to log into the third party web portal without having to learn an
> additional user name & password.  I do not want to give out any more
> information than that about my users. 
>  
> Thanks for the quick responses.
>  
> R- 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, January 20, 2005 2:27 PM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] LDAP export pros/cons
> 
> not sure there are any documented risks.  Risks being relational to the
> entity taking them.
>  
> However, as a disinterested third party I'd have to point out that the risk
> is not technical in nature but rather about the information you're sharing. 
> I suppose the information you give out is far more important to the
> conversation, but it seems you don't know these folks nor trust them really.
>  If that's the case, then it's possible you could be giving out the account
> information to a non-trusted source.  
>  
> The questions you need to ask are "what can they do with the information I
> provide and can I take any action to protect myself?"
>  
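
The two models discussed in this thread, side by side, as an added example that is not part of any poster's message: a portal that performs the LDAP bind itself, and so handles the cleartext password, versus authenticating on your own site and redirecting with a signed assertion. The in-memory `Directory`, the HMAC-signed token (a stand-in for a SAML-style assertion) and the names `portal.example`, `Portal` and `OwnSite` are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time

PORTAL_AUDIENCE = "portal.example"   # hypothetical name of the third-party portal


class Directory:
    """In-memory stand-in for the LDAP directory (constructed data)."""
    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, uid, password):
        salt = os.urandom(16)
        self._users[uid] = (salt, self._hash(salt, password))

    def simple_bind(self, uid, password):
        # An LDAP simple bind with an empty password is an unauthenticated
        # bind that a server may accept, so the caller must refuse it.
        if not password or uid not in self._users:
            return False
        salt, digest = self._users[uid]
        return hmac.compare_digest(digest, self._hash(salt, password))


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_assertion(key, uid, audience, ttl=60, now=None):
    """Signed, short-lived statement that uid authenticated; carries no password."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": uid, "aud": audience, "exp": int(now) + ttl}).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify_assertion(key, token, audience, now=None):
    """Return the asserted uid, or None if forged, expired or for another site."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:               # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


class Portal:
    """Third-party portal; secrets_seen records every password its code handled."""
    def __init__(self, directory=None, sso_key=None):
        self.directory, self.sso_key = directory, sso_key
        self.secrets_seen = []

    def login_via_bind(self, uid, password):
        # Bind model: the user types the directory password into the portal.
        self.secrets_seen.append(password)
        return uid if self.directory.simple_bind(uid, password) else None

    def login_via_assertion(self, token, now=None):
        # Redirect model: the portal only ever receives the signed assertion.
        return verify_assertion(self.sso_key, token, PORTAL_AUDIENCE, now)


class OwnSite:
    """The organisation's own web site, the only party that talks to the directory."""
    def __init__(self, directory, sso_key):
        self.directory, self.sso_key = directory, sso_key

    def login_and_redirect(self, uid, password, now=None):
        if not self.directory.simple_bind(uid, password):
            return None
        return issue_assertion(self.sso_key, uid, PORTAL_AUDIENCE, now=now)


def compare_models():
    directory = Directory()
    directory.add_user("jane.doe", "S3cret-constructed")   # constructed account
    key = os.urandom(32)
    bind_portal = Portal(directory=directory)
    bind_user = bind_portal.login_via_bind("jane.doe", "S3cret-constructed")
    sso_portal = Portal(sso_key=key)
    token = OwnSite(directory, key).login_and_redirect("jane.doe", "S3cret-constructed")
    sso_user = sso_portal.login_via_assertion(token)
    return {"bind_user": bind_user, "bind_portal_saw": bind_portal.secrets_seen,
            "sso_user": sso_user, "sso_portal_saw": sso_portal.secrets_seen}
```

With a shared HMAC key the portal could mint assertions for itself; a production setup would sign with a private key the portal never holds.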

RE: [ActiveDir] email disappearing

2005-01-18 Thread Chandra Burra
Dan,
 
Can you create a new MAPI profile and check if that resolves the issue
 
Regards,
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dan Morentin
Sent: 18 January 2005 20:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing



Hi Chandra, no I wish it was that easy. It doesn't seem to be the usual. No
rules, viewing messages, I'm not sure about auto archive, though I don't
think it is defined. 

 

 



PERFORMANCE MATERIALS CORPORATION

Dan Morentin

Network Administrator

805-482-1722 x231

cell: 818-445-7834

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Tuesday, January 18, 2005 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

 

Looks like  you are using the VIEW ( only unread messages are shown)

 

Once you open the mail or it's displayed in the preview pane - an email is
marked as READ.

Once they are READ they vanish from the INBOX - if this explains your problem
then following is the solution

In Outlook --> Click on VIEW -->  Current View --> Select MESSAGES 

 

 

Should resolve your issue

 

 

Regards,

Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dan Morentin
Sent: 18 January 2005 19:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Yes it's delivering to inbox. They come in, but soon disappear. No rules
defined. hmmm

 

 



PERFORMANCE MATERIALS CORPORATION

Dan Morentin

Network Administrator

805-482-1722 x231

cell: 818-445-7834

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 18, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

 

Tools, email accounts, view/change existing email..

 

It's on the next page, saying deliver to the following location.

 

Rules can do this to you as well. Be a good idea to check the rules.

 

To troubleshoot, you may want to turn the client off and use OWA to see if
it's staying in the inbox. If it's not, it may be a server side rule or a
client left on somewhere other than the machine you're currently using.  POP
clients such as PDA's, Outlook Express, etc are known to do such things.

 

-ajm

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Where would I check to see if I was routing mail to pst?

 

 



PERFORMANCE MATERIALS CORPORATION

Dan Morentin

Network Administrator

805-482-1722 x231

cell: 818-445-7834

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 09:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] email disappearing

 

I think I remember a thread of this subject. Anyway email is leaving the
inbox and going?  When I leave Outlook alone for a while the inbox clears
out?? Don't know where they are going, but I'm used to going through a
hundred emails a day... now just a few and they are disappearing. Anyone? I've
done some searching on Google, but can't seem to get a grip on it.

 

 



PERFORMANCE MATERIALS CORPORATION

Dan Morentin

Network Administrator

805-482-1722 x231

cell: 818-445-7834

 


RE: [ActiveDir] email disappearing

2005-01-18 Thread Chandra Burra
Looks like  you are using the VIEW ( only unread messages are shown)
 
Once you open the mail or it's displayed in the preview pane - an email is
marked as READ.
 
Once they are READ they vanish from the INBOX - if this explains your problem
then following is the solution
 
In Outlook --> Click on VIEW -->  Current View --> Select MESSAGES 
 
 
Should resolve your issue
 
 
Regards,
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dan Morentin
Sent: 18 January 2005 19:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing



Yes it's delivering to inbox. They come in, but soon disappear. No rules
defined. hmmm

 

 



PERFORMANCE MATERIALS CORPORATION

Dan Morentin

Network Administrator

805-482-1722 x231

cell: 818-445-7834

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 18, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

 

Tools, email accounts, view/change existing email..

 

It's on the next page, saying deliver to the following location.

 

Rules can do this to you as well. Be a good idea to check the rules.

 

To troubleshoot, you may want to turn the client off and use OWA to see if
it's staying in the inbox. If it's not, it may be a server side rule or a
client left on somewhere other than the machine you're currently using.  POP
clients such as PDA's, Outlook Express, etc are known to do such things.

 

-ajm

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Where would I check to see if I was routing mail to pst?

 

 



PERFORMANCE MATERIALS CORPORATION

Dan Morentin

Network Administrator

805-482-1722 x231

cell: 818-445-7834

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 09:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] email disappearing

 

I think I remember a thread of this subject. Anyway email is leaving the
inbox and going?  When I leave Outlook alone for a while the inbox clears
out?? Don't know where they are going, but I'm used to going through a
hundred emails a day... now just a few and they are disappearing. Anyone? I've
done some searching on Google, but can't seem to get a grip on it.

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

Re: [ActiveDir] Kerberos Event ID 4

2005-01-18 Thread Chandra Burra
Similar event -- do not remember if it was a Kerberos one ... happened
when you have a ghost image of the clients which has the SMS client
installed.

Re-install the SMS client and see if that helps - take a new ghost image
of the client system without the SMS client.


Chandra


On Tue, 18 Jan 2005 08:33:43 +0200, Peter Johnson <[EMAIL PROTECTED]> wrote:
> 
> 
> Hi all
>
> I've got one server, an SMS box, on which I'm getting Kerberos error ID 4.
> The event log reads as follows:
>
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> $. This indicates that the password used to encrypt the
> kerberos service ticket is different than that on the target server.
> Commonly, this is due to identically named  machine accounts in the target
> realm (), and the client realm. Please contact your system
> administrator.
>
> I've checked all the name resolution issues and have no clashes.
>
> Anyone have any ideas as I'm a bit stumped.
>
> Regards
>
> Peter Johnson
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] More questions from a new AD parent

2005-01-17 Thread Chandra Burra
NetBIOS vs DNS --> this is common and depends on the org or admin who set up
the same.

There should not be any difference in operations and Exchange should not have
any problem connecting either with the NetBIOS name or DNS name.

Seen some admins naming the domain DNS: blah.net and NetBIOS as: phoo

Regards,
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alonzo Hess
Sent: 17 January 2005 19:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More questions from a new AD parent


Thanks to everyone that answered my previous questions about some groups
in AD that I couldn't find. Turns out that they were filtered and I
didn't see that. So thanks for a very obvious solution. Now on to my
next question. The AD that I have inherited has one DC which is named
ntfs1.blahco.com even though the domain name under the properties is
listed as blah (pre-Windows 2000) in mixed mode. Is this configured
wrong? I'm concerned as the domain name doesn't match the end of the
machine name (hope that made sense). Is this going to cause me problems
down the road? My plans are to upgrade this to AD v1.1 and introduce a
win2k3 server running Exchange2k3.


Thanks,
Alonzo


Re: [ActiveDir] Event ID 1126

2005-01-15 Thread Chandra Burra
This was seen in Exchange 2000 and MS says they resolved this in SP2 of
Exchange 2000..

Try applying SP1 and see how it goes...

Chandra

On Fri, 14 Jan 2005 16:48:44 -0500, Salandra, Justin A.
<[EMAIL PROTECTED]> wrote:
> I am also getting these errors
> 
> Event Type: Error
> Event Source:   MSExchangeAL
> Event Category: LDAP Operations
> Event ID:   8270
> Date:   1/14/2005
> Time:   4:47:07 PM
> User:   N/A
> Computer:   CHCSMAIL01
> Description:
> LDAP returned the error [34] Unavailable when importing the transaction
> dn: 
> changetype: Modify
> member:add:
> -
> DC=STNRC,DC=CHCSNET,DC=ORG
> 
> For more information, click
> http://www.microsoft.com/contentredirect.asp.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
> Justin A.
> Sent: Friday, January 14, 2005 4:24 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Event ID 1126
> 
> I am getting errors on two of my child domains when the RUS from the
> Exchange 2003 server tries to connect to these two child domains.
> 
> "Unable to connect to global catalog"
> 
> Both servers in the remote locations are GC/DC so I don't understand why
> it can't be found.
> 
> What have I tried?
> 
> 1.  Restart Netlogon
> 2.  Recreated RUS Connections for these two domains
> 3.  Kicked off the KCC to check the replications topology
> 4.  ipconfig /flushdns on both remote servers and Exchange server
> 5.  restarted DNS on both remote servers
> 
> What else should I try?
> 
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
> 


Re: [ActiveDir] Folder Redirection

2005-01-15 Thread Chandra Burra
Are you trying to do this for Citrix roaming profiles or general users?

Have seen a similar issue for the Citrix users and have a resolution for that..

Chandra


On Fri, 14 Jan 2005 16:25:58 -0500, Christine Allen
<[EMAIL PROTECTED]> wrote:
> Happy Friday
>
> I'm running W2k AD.
>
> I have folder redirection in place and the path is
> \\server\share\%username%.  My pilot team thinks it's too confusing because
> the path is their home folder and they store other things on there.  They
> would prefer \\server\share\%username%\MyDocuments.
>
> However, when I set that up I receive the following errors:
>
> Aborting redirection of folder My Documents. The new folder path may not be
> a subdirectory of the current path. The folder is configured to be
> redirected to \\server\share\%username%\MyDocuments\. Files were to be moved
> from \\server\share\%username%\ to \\server\share\%username%\MyDocuments\
>
> However, when using the help feature for GPOs for folder redirect it gives
> me "\\server\share\%username%\My Documents" as an example.  Can this not be
> done?
>
> -Christine
>
> Christine N. Allen
> Citrix/Windows 2000 Engineer
> BMC Healthnet Plan
> One Design Center Place
> Boston, MA 02210
>
> Work:  617-748-6034
> Cell:  617-293-4407
>


Re: [ActiveDir] Migrating to Win2k3

2005-01-15 Thread Chandra Burra
I agree with Jordan... don't rely on ADMT if you wanted to go ahead
with the parallel upgrade. I had several issues with the ADMT and MS
was not able to resolve the problems and ended up migrating the PCs
manually and then doing the security translation... I suggest you
better get NetIQ tools for migration...

Do not suggest a parallel upgrade for W2K to W2K3 unless your old
domain is an upgrade from NT to W2K3...

Chandra

On Fri, 14 Jan 2005 13:54:55 -0600, Jordan Arendt
<[EMAIL PROTECTED]> wrote:
> For 5000 users I would definitely recommend getting 3rd party tools.
> I've done a migration using ADMTv2.  You get what you pay for.  I
> would revisit the business case for renaming your domain.  Why are you
> doing it?  If it's just because you don't like the current name, it
> would well be worth your while to suck it up and just upgrade in
> place. Having done both a migration and an upgrade in place I would
> choose upgrade in place every time, if I could.
> 
> On Thu, 13 Jan 2005 11:06:38 +0100, Fush Grubber <[EMAIL PROTECTED]> wrote:
> > Hello All,
> >
> > I am currently carrying out an upgrade from windows 2000 to windows 2003,
> > and I want to change my domain name. Instead of upgrading all my domain
> > controllers from windows 2000 to windows 2003, I want to build an
> > entirely new win2k3 machine as a new domain controller with the new domain
> > name I want to move to;
> >
> > Set up a trust relationship with the 2 domains
> > Use the ADMT tool to migrate all accounts from the old to the new domain
> > Use the migration wizard to move mailboxes from my old exchange 2000 server
> > to a new exchange 2003 server I want to set up in the new domain.
> >
> > One of the top questions lingering in my mind is that since I have about
> > 5000 clients running windows xp, how will I automate the process of clients
> > joining the new domain, since they are presently members of the old domain.
> >
> > Secondly, I want to find out if anyone has used this method to carry out an
> > upgrade and advise me if I am doing anything wrong and the best steps I
> > would need to take to ensure the upgrade is successful.
> >
> > Fush
> >


Re: [ActiveDir] Exchange Backup

2005-01-14 Thread Chandra Burra
I have not worked on Backup Exec for Exchange... however I have worked
on ARCserve, which has one more type called Brick level backup - which
does the backup mailbox by mailbox - gives an option for admin to
restore single mailboxes... but takes forever..


On Fri, 14 Jan 2005 07:03:27 -0800 (PST), Brett Shirley
<[EMAIL PROTECTED]> wrote:
> So not sure what you mean by "hot" backups.
> 
> Exchange APIs allow you to grab incremental (or full of course, or
> differential backups as well).  Take a full backup, then you can take
> regular incremental backups to your heart's content.  This can give you
> very little mail loss (well that has always been my belief anyway).
> 
> All these 3 backup types can be done on a live server, so they're all live
> backups, such that you can backup the mail database, and the service needs
> not be taken offline, and that database will be (able to be made with the
> log files) consistent.
> 
> I'm sorry I'm not familiar with Backup Exec per se, so I'm not sure how
> these 3 online backup types are exposed.
> 
> Cheers,
> Brett Shirley [msft]
> ESE Developer
> 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> 
> 
> On Fri, 14 Jan 2005, Kern, Tom wrote:
> 
> > Backup Exec does "live" backups. It uses the Exchange backup API's to
> > get you a consistent backup of a live mail server. why would you do a
> > flat file backup? and when you say flat file of your priv and pub
> > stores, does this include the trans logs and checkpoint file or just
> > the .edb and .stm files?
> >
> > -Original Message-
> > From: John Parker [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 14, 2005 9:07 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Exchange Backup
> >
> >
> > I am using a Retrospect program that periodically makes a flat file
> > backup of my private and public stores.  It is simply called
> > retrospect exchange backup.
> >
> > Pretty small actually, it does the backup to a location and also has
> > scheduling, which is temperamental at best.
> >
> > John Parker, MCSE
> > IS Admin.
> > Senior Technical Specialist
> > Alpha Display Systems.
> > Alpha Video
> > 7711 Computer Ave.
> > Edina, MN. 55435
> >
> > 952-896-9898 Local
> > 800-388-0008 Watts
> > 952-896-9899 Fax
> > 612-804-8769 Cell
> > 952-841-3327 Direct
> > [EMAIL PROTECTED]
> > "Be excellent to each other"
> > ---End of Line---
> >
> >  -Original Message-
> > From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, January 13, 2005 3:59 PM
> > To:   ActiveDir@mail.activedir.org
> > Subject:  RE: [ActiveDir] Exchange Backup
> >
> > When you say "live backup" what exactly are you referring to?  Are you using
> > an openfilemanager to back up the Exchange files with?
> >
> > al
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
> > Sent: Thursday, January 13, 2005 4:08 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Exchange Backup
> >
> > Hi all...
> >
> > I currently use Backup exec to perform my nightly backups. I like it, it
> > seems to work just fine.
> > I also use a small retrospect piece that does a live backup to a flat file 4
> > times throughout the day.
> >
> > I was wondering if anyone else is performing "Hot" backups throughout the
> > day and if so, what are you using?
> >
> > We are running Exchange 2000 on server 2000.
> >
> > Thank you.
> >
> >
> >
> > John Parker, MCSE
> > IS Admin.
> > Senior Technical Specialist
> > Alpha Display Systems.
> >


Re: [ActiveDir] Policy for Office 2003

2005-01-14 Thread Chandra Burra
Edit the GP of the OU you wanted and then... right-click on the Admin
templates and load the adm file there

On Fri, 14 Jan 2005 09:23:40 -0500, Liz Vaibar <[EMAIL PROTECTED]> wrote:
> Where do you load the adm file?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Wednesday, January 12, 2005 5:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Policy for Office 2003
> 
> Yes, it is actually a global Office 2K3 setting so you need to load up
> Office11.adm and then the policy you want is at:
> 
> User Configuration\Administrative Templates\Microsoft Office 2003\Help\Help
> | Customer Feedback Options...\Enable Customer Experience Improvement
> Program
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
> Team EITC
> Sent: Wednesday, January 12, 2005 1:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Policy for Office 2003
> 
> Does anyone know a policy setting or an option change for Office 2003 that
> will turn off the customer experience option for Outlook.  I found one for
> the OS but can't find one for Outlook 2003.
> 


Re: [ActiveDir] Crazy question

2005-01-13 Thread Chandra Burra
It's not clear whether he has the old NT box still on the network.

A) If he has the existing NT box on the network it's easy to migrate
the users; have him use ADMT and other shares on the new box.

B) If he does not... start from scratch... create all the users
with the same user names as they had before.

Either way there would not be any downtime as the users should be
able to log in to the cached profiles.


Chandra


On Thu, 13 Jan 2005 14:23:11 -0500, joe <[EMAIL PROTECTED]> wrote:
> However but for anything but the smallest of NT4 deployments you are almost
> certainly going to end up working on a machine in production. You simply have
> plans in place to help facilitate rollback such as offline DC's etc. Moving
> accounts to a new domain is generally not feasible or such a complicated
> expensive process that it doesn't make sense once you have any real size
> domain.
> 
> What would I do at home? I would rebuild everything from scratch. What would
> I do for an environment of 20 users in an office? Consider rebuild from
> scratch or possibly migrate. 60 users? Possibly migrate or possibly upgrade.
> 100 users? Possibly migrate but more likely upgrade unless there are serious
> NT4 domain issues. Over that and I am almost certainly going to upgrade
> unless things are really really bad.
> 
> Note I won't keep the upgraded DC, a new fresh built machine will be
> promoted and assume the fsmo's then the upgraded machine will be reloaded
> and repromoted.
> 
> When you upgrade you can take a lot of bad things along with you, however
> unless you have a good grasp of what you have you could have a lot of things
> you don't understand breaking if you migrate. If you had such a good grasp
> you probably wouldn't have a lot of bad things in the first place.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: Thursday, January 13, 2005 12:59 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Crazy question
> 
> I personally do not like to mess with a system that is in production
> already. You will be just hoping that nothing will go wrong with the
> upgrade. I have had my share of staying up to 3:00 AM.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, January 13, 2005 12:47 PM
> To: ActiveDir@mail.activedir.org
> Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Crazy question
> 
> You could install NT 4 on it, make it a BDC and then upgrade it to W2K3.
> That will upgrade your domain and bring over all the good things in it now
> with users etc.
> 
> It will also bring over all the problems groups, users, security issues, etc
> but nobody ever talks about that side of it.
> 
> James R. Day
> Active Directory Core Team
> Office of the Chief Information Officer
> National Park Service
> (202) 354-1464 (direct)
> (202) 371-1549 (fax)
> [EMAIL PROTECTED]
> 
> I have been asked this from a friend of mine and wasn't sure of the outcome
> even though I have told him not to go ahead. I was just interested in the
> implications and whether it can be done.
> He has a customer with an existing NT4 domain one PDC that's it. He has
> bought a brand new box and installed W2K3 dcpromo'd the thing and set up
> users, thinking he could just add the box to the existing domain and
> everything would be okay to migrate the users and data over.
> I know this sounds pretty crazy, but it got me thinking what would the
> implications of doing this and what is the best procedure for him at this
> stage. If any.
> 
> Gary
> 