RE: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Darren Mar-Elia
You would not get a permissions problem from that admin. templates policy.
They just don't work that way. So my guess is it's something else. What
happens, as administrator, when you run "appwiz.cpl" from a command prompt?

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Thursday, January 25, 2007 4:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

 

I did, but the local administrators group has full control on the file. And
of course, my AD admin account is part of the local administrators group on
the workstations (naturally).

 

That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either... 

 

On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 

So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The error
message could naturally be a false hint, but might as well check it out.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Thursday, 25 January 2007 12:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

 

No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no messenger,
... stuff.

 

These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).

 

My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drill down the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want... 

 

Thanks,

Bart

 

On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 

What other things did you change in the same or other GPOs that apply to the
machine you're logging on as admin?  If you've applied some lockdown GPOs
for file-system permissions, those will also apply for your admins 

 

/Guido

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Wednesday, 24 January 2007 17:38
To: ActiveDir
Subject: [ActiveDir] "Add or Remove Programs" GPO

 

Hi,

 

I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside. 

 

But now, even with admin accounts to which the GPO doesn't apply (totally
different OU location and so on...), I have problems opening the interface;
it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe 

 

Is this normal?! Did I miss something before setting this GPO?

 

Thanks,

Bart
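
An added example (not part of the thread, and not code from any of the
posters) that turns Darren's and Guido's suggestions into one triage script to
run on an affected workstation as the admin account. It assumes, as the page
does not state, that the "Remove Add or Remove Programs" template writes the
DWORD NoAddRemovePrograms under
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall, and it takes
the system root from %SystemRoot% rather than hard-coding C:\WINNT.

```powershell
# Added example, not from the thread: triage the Add or Remove Programs
# failure from the affected workstation, logged on as the admin account.
# Assumptions: the template "Remove Add or Remove Programs" writes the DWORD
# NoAddRemovePrograms under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall, and the
# system root is whatever %SystemRoot% says (C:\WINNT on the poster's box).

$rundll = Join-Path $env:SystemRoot 'System32\rundll32.exe'

# 1. Whose token is this, and does it actually carry local Administrators?
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"{0}  (Administrators in token: {1})" -f $id.Name, $isAdmin

# 2. Is the policy value present in THIS user's hive? If the GPO really does
#    not apply to the admin account it should be absent.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
$noARP  = (Get-ItemProperty -Path $polKey -Name NoAddRemovePrograms `
            -ErrorAction SilentlyContinue).NoAddRemovePrograms
"NoAddRemovePrograms in HKCU: {0}" -f $(if ($null -eq $noARP) { 'not set' } else { $noARP })

# 3. The NTFS ACL the error message points at. An explicit Deny ACE on the
#    file, or a lockdown GPO that rewrote it, would hit admins too.
$acl = Get-Acl -Path $rundll
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
$denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
    Write-Warning ("Explicit Deny on {0} for: {1}" -f $rundll,
        (($denies | ForEach-Object { $_.IdentityReference }) -join ', '))
}

# 4. The binary itself: a replaced rundll32.exe is a different problem from
#    a bad ACL (run 'sfc /scannow' if the version or vendor looks wrong).
(Get-Item $rundll).VersionInfo | Select-Object FileVersion, CompanyName

# 5. Reproduce Darren's test outside Explorer: launch the applet the way the
#    Control Panel does, through rundll32.exe.
Start-Process -FilePath $rundll -ArgumentList 'shell32.dll,Control_RunDLL appwiz.cpl'
```

If step 2 shows the value set for the admin, the GPO is reaching that account
after all (loopback processing or a link you did not expect); if step 3 shows
a Deny or a stripped ACL, a file-system lockdown is the culprit, not the
administrative template.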

 

 



RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Darren Mar-Elia
 
>>> Yes, these are Broadcom NICs.  I want to go back to the last question
>>> that was asked (if my network card drivers were up to date) and change
>>> my answer.  I had run the HP update package for the NC series cards in
>>> the server and it showed as updated (even if I run it at the moment it
>>> tells me that the drivers are up to date) with version 2.8.22.0.  The
>>> problem is that when I look at the actual driver version by going to
>>> the device manager and viewing properties it shows a version of
>>> 2.8.13.0.
>>>
>>> On that note, in looking back at HP's revision history for their
>>> driver for this card it has no mention of version 2.8.13.0 so is it
>>> possible that this is the driver that came with Windows?  If so, how
>>> can I go about getting rid of that driver and installing this new
>>> driver from HP.  Updating the driver and choosing the new driver
>>> explicitly doesn't work and running HP's update package for the driver
>>> obviously fails to really update the driver.
>>>
>>> I can't say that this driver version is the root cause of the issue
>>> but I do need the drivers updated to have a place to start from.
>>>
>>> Susan, is there a known issue with Broadcom's that could possibly
>>> affect the problem I'm having?  Thanks for the assistance!
>>>
>>> Donavon
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
>>> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>> Sent: Monday, January 15, 2007 1:39 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
>>> Policy)
>>>
>>> These aren't broadcom nics are they?
>>>
>>> (Broadcoms are evil)
>>>
>>> Darren Mar-Elia wrote:
>>>> Does this server have the same NIC driver as other servers? Or, have
>>>> you tried updating this server's NIC driver?
>>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED]
>>>> [mailto:[EMAIL PROTECTED] On Behalf Of Donavon
>>>> Yelton
>>>> Sent: Monday, January 15, 2007 10:11 AM
>>>> To: ActiveDir@mail.activedir.org
>>>> Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
>>>> Policy)
>>>>
>>>> This appears to be the only system on the network having this issue.
>>>> I connected to another Windows 2003 Standard member server and did a
>>>> gpupdate and then looked at the event log and it appears clean after
>>>> the gpupdate command was run.  Slow link detection has not been
>>>> disabled on that machine (or any on my network for that matter, with
>>>> the exception of this new problem server now).
>>>>
>>>> ICMP is not being blocked.  Windows firewall is turned off on all
>>>> servers on the network (including the two DC's and this problem member
>>>> server).  To my knowledge there is nothing on the network limiting
>>>> ICMP packet size.  I certainly haven't done anything to limit it.
>>>>
>>>> For an update on the current status of disabling slow link detection.
>>>> It has been roughly 30 minutes or so and no event log error shows
>>>> after running gpupdate on the member server.  When doing a gpresult
>>>> everything appears to proc

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Darren Mar-Elia
>> could possibly affect the problem I'm having?  Thanks for the assistance!
>>
>> Donavon
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
>> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Monday, January 15, 2007 1:39 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
>> Policy)
>>
>> These aren't broadcom nics are they?
>>
>> (Broadcoms are evil)
>>
>> Darren Mar-Elia wrote:
>>> Does this server have the same NIC driver as other servers? Or, have
>>> you tried updating this server's NIC driver?
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Donavon
>>> Yelton
>>> Sent: Monday, January 15, 2007 10:11 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
>>> Policy)
>>>
>>> This appears to be the only system on the network having this issue.
>>> I connected to another Windows 2003 Standard member server and did a
>>> gpupdate and then looked at the event log and it appears clean after
>>> the gpupdate command was run.  Slow link detection has not been
>>> disabled on that machine (or any on my network for that matter, with
>>> the exception of this new problem server now).
>>>
>>> ICMP is not being blocked.  Windows firewall is turned off on all
>>> servers on the network (including the two DC's and this problem member
>>> server).  To my knowledge there is nothing on the network limiting
>>> ICMP packet size.  I certainly haven't done anything to limit it.
>>>
>>> For an update on the current status of disabling slow link detection.
>>> It has been roughly 30 minutes or so and no event log error shows
>>> after running gpupdate on the member server.  When doing a gpresult
>>> everything appears to process correctly.  This problem server is a new
>>> terminal server and when I logon as a TS user to this computer it
>>> still shows a 1054 error and the same 59 errors in the userenv log
>>> file.  The only exception is when I login as the network admin account
>>> through remote desktops (the account I made the registry edit for
>>> GroupPolicyMinTransferRate under).
>>>
>>> Donavon
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Darren
>>> Mar-Elia
>>> Sent: Monday, January 15, 2007 12:52 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
>>> Policy)
>>>
>>> Is this the only system that is having this problem? Are you doing
>>> anything on your network to limit ICMP packet size?
>>>
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Donavon
>>> Yelton
>>> Sent: Monday, January 15, 2007 9:39 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
>>> Policy)
>>>
>>> In further testing today I did end up finding the location to add the
>>> GroupPolicyMinTransferRate DWORD value to the registry of the problem
>>> server.  About 5 minutes ago I added that key with a value of 0 to
>>> HKLM and HKCU and when running a gpupdate I do not get the error and
>>> when looking at the userenv log I do not see the error 59 or any error
>>> that it cannot contact the DC.  I do not want to say that this is it
>>> for sure but for the moment it does appear to be working.
>>>
>>> Now I suppose I should ask that since this was simply a
>>> troubleshooting step, what would I need to do in order to investigate
>>> a long-term solution to the problem?  Thanks f

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-15 Thread Darren Mar-Elia
The other thing that would probably be worthwhile is to do a sniffer trace
from this server during the GP processing cycle. That may point out some
network issues that are not coming out of the userenv log.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Sorry, just catching up here. In terms of updating the driver, if it's a MS
provided driver, I think it would say it in the Driver Details. You might
want to run Windows Update and see if there are any optional updates for
that NIC driver--if MS provided it originally they may have a Windows Update
way of getting it. 

In terms of disabling slow link for all users, that's a toughie, because
that key is in HKEY_CURRENT_USER, which means a user has to be logged on to
deliver it, but it's also in the policies key, which is permissioned away
from regular users by default. If you can get GP to process at least once
when the user logs on, then you can deliver it using the User Configuration
GP setting. However, if per-user GP processing is not working, it's kind of
a chicken-and-egg thing. The not-so-fun way of doing this would be to
temporarily make all users logging into that MS a member of the local
Administrators group, and then deliver the slow link disabling registry
entry via logon script. But, that is not ideal of course.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new
server that cost as much as a Honda Accord.  I'm not sure I can believe
that HP would put a defective card in such a machine.  You'd think
others would have the same issues in mass quantity if that were the
case.  I'm also using Broadcoms in other HP servers here (including the
two DCs) and they have not had any issues.  It is all too easy to chalk
up a problem like this to network cards, but I don't think it explains
why the GPO is applied successfully without issues within the first 15
minutes or so after a reboot.  There are no other problems cropping up
from these Broadcoms either.

Now for a question, how do I disable slow link detection for all
terminal service users on this problem server since that seems to have
fixed the issue?  I need to make the change in the registry on the
problem server apparently as making the switch in the GPO itself seems
to not have any effect.

Donavon 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Dump the broadcoms and get Intel.
http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network
-cards-are-evil.aspx

We've had no end of weirdness with those suckers.
Even the latest drivers don't work.
Donavon Yelton wrote:
> Yes, these are Broadcom NICs.  I want to go back to the last question
> that was asked (if my network card drivers were up to date) and change
> my answer.  I had run the HP update package for the NC series cards in
> the server and it showed as updated (even if I run it at the moment it
> tells me that the drivers are up to date) with version 2.8.22.0.  The
> problem is that when I look at the actual driver version by going to
> the device manager and viewing properties it shows a version of
> 2.8.13.0.
>
> On that note, in looking back at HP's revision history for their
> driver for this card it has no mention of version 2.8.13.0 so is it
> possible that this is the driver that came with Windows?  If so, how
> can I go about getting rid of that driver and installing this new
> driver from HP.  Updating the driver and choosing the new driver
> explicitly doesn't work and running HP's update package for the driver
> obviously fails to really update the driver.
>
> I can't say that this driver version is the root cause of the issue 
> but I do need the drivers updated to have a place to start from.
>
> Susan, is there a known issue with Broadcom's that could possibly 
> affect the problem I'm having?  Thanks for the assistance!
>
> Donavon
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, January 15, 2007 1:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] 1054 Error (Windows can
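
An added example (not from the thread, and not any poster's script) for the
slow-link override Darren and Donavon are discussing. It reads the
GroupPolicyMinTransferRate value in both hives, tries to write the per-user
copy as the current token so that the "chicken-and-egg" permission problem
Darren describes is visible, and lists the recent Userenv 1054 errors. The
value locations are assumed from the "Group Policy slow link detection"
administrative template (HKLM and HKCU under
Software\Policies\Microsoft\Windows\System); check them against KB 910206
before relying on them.

```powershell
# Added example, not from the thread: inspect the slow-link override Darren
# and Donavon discuss, try to set it in both hives, and list recent 1054s.
# Assumed value locations (the "Group Policy slow link detection" template;
# confirm against KB 910206 before relying on them):
#   HKLM\Software\Policies\Microsoft\Windows\System   (computer side)
#   HKCU\Software\Policies\Microsoft\Windows\System   (user side)
# 0 = slow link detection off; unset = the 500 Kbps default.

$keys = @{
    Computer = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    User     = 'HKCU:\Software\Policies\Microsoft\Windows\System'
}

function Get-SlowLinkSetting {
    foreach ($scope in @('Computer', 'User')) {
        $v = (Get-ItemProperty -Path $keys[$scope] -Name GroupPolicyMinTransferRate `
                -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
        New-Object PSObject -Property @{
            Scope           = $scope
            Key             = $keys[$scope]
            MinTransferRate = $(if ($null -eq $v) { 'not set (default 500)' } else { $v })
        }
    }
}

# Write the override as the *current* token. Under HKCU\Software\Policies a
# standard user normally has read access only, so for a TS user this lands in
# the catch block: that is the chicken-and-egg Darren describes, because the
# only thing that can write there for the user is Group Policy itself.
function Set-SlowLinkDisabled {
    param([ValidateSet('Computer', 'User')][string]$Scope)
    $key = $keys[$Scope]
    try {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name GroupPolicyMinTransferRate `
            -PropertyType DWord -Value 0 -Force | Out-Null
        "GroupPolicyMinTransferRate=0 written under $key"
    } catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Write-Warning "$who cannot write $key : $($_.Exception.Message)"
    }
}

# Who may write the per-user policy key? This is the ACL that blocks the
# logon-script shortcut unless the user is made a local Administrator.
(Get-Acl -Path 'HKCU:\Software\Policies').Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

Get-SlowLinkSetting | Format-Table -AutoSize
Set-SlowLinkDisabled -Scope User

# The symptom itself: the last few Userenv 1054 errors, so their timestamps
# can be lined up with the "works for ~15 minutes after a reboot" pattern.
Get-EventLog -LogName Application -Source Userenv -EntryType Error -Newest 200 |
    Where-Object { $_.EventID -eq 1054 } |
    Select-Object -First 5 TimeGenerated, Message |
    Format-List

# This is a troubleshooting override, not a fix: remove the values once the
# underlying network problem is found.
```

Run it once as the admin account (the write succeeds in both hives) and once
as an ordinary TS user (the HKCU write fails on the ACL shown above); that
difference is exactly why the admin session stopped logging 1054 while the
users' sessions did not.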

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-15 Thread Darren Mar-Elia
Sorry, just catching up here. In terms of updating the driver, if it's a MS
provided driver, I think it would say it in the Driver Details. You might
want to run Windows Update and see if there are any optional updates for
that NIC driver--if MS provided it originally they may have a Windows Update
way of getting it. 

In terms of disabling slow link for all users, that's a toughie, because
that key is in HKEY_CURRENT_USER, which means a user has to be logged on to
deliver it, but it's also in the policies key, which is permissioned away
from regular users by default. If you can get GP to process at least once
when the user logs on, then you can deliver it using the User Configuration
GP setting. However, if per-user GP processing is not working, it's kind of
a chicken-and-egg thing. The not-so-fun way of doing this would be to
temporarily make all users logging into that MS a member of the local
Administrators group, and then deliver the slow link disabling registry
entry via logon script. But, that is not ideal of course.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new
server that cost as much as a Honda Accord.  I'm not sure I can believe
that HP would put a defective card in such a machine.  You'd think
others would have the same issues in mass quantity if that were the
case.  I'm also using Broadcoms in other HP servers here (including the
two DCs) and they have not had any issues.  It is all too easy to chalk
up a problem like this to network cards, but I don't think it explains
why the GPO is applied successfully without issues within the first 15
minutes or so after a reboot.  There are no other problems cropping up
from these Broadcoms either.

Now for a question, how do I disable slow link detection for all
terminal service users on this problem server since that seems to have
fixed the issue?  I need to make the change in the registry on the
problem server apparently as making the switch in the GPO itself seems
to not have any effect.

Donavon 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Dump the broadcoms and get Intel.
http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network
-cards-are-evil.aspx

We've had no end of weirdness with those suckers.
Even the latest drivers don't work.
Donavon Yelton wrote:
> Yes, these are Broadcom NICs.  I want to go back to the last question
> that was asked (if my network card drivers were up to date) and change
> my answer.  I had run the HP update package for the NC series cards in
> the server and it showed as updated (even if I run it at the moment it
> tells me that the drivers are up to date) with version 2.8.22.0.  The
> problem is that when I look at the actual driver version by going to
> the device manager and viewing properties it shows a version of
> 2.8.13.0.
>
> On that note, in looking back at HP's revision history for their
> driver for this card it has no mention of version 2.8.13.0 so is it
> possible that this is the driver that came with Windows?  If so, how
> can I go about getting rid of that driver and installing this new
> driver from HP.  Updating the driver and choosing the new driver
> explicitly doesn't work and running HP's update package for the driver
> obviously fails to really update the driver.
>
> I can't say that this driver version is the root cause of the issue 
> but I do need the drivers updated to have a place to start from.
>
> Susan, is there a known issue with Broadcom's that could possibly 
> affect the problem I'm having?  Thanks for the assistance!
>
> Donavon
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, January 15, 2007 1:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
> Policy)
>
> These aren't broadcom nics are they?
>
> (Broadcoms are evil)
>
> Darren Mar-Elia wrote:
>   
>> Does this server have the same NIC driver as other servers? Or, have 
>> you tried updating this server's NIC driver?
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Donavon 
>> Yelton
>> Sent: Monday, January 15

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-15 Thread Darren Mar-Elia
Does this server have the same NIC driver as other servers? Or, have you
tried updating this server's NIC driver?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

This appears to be the only system on the network having this issue.  I
connected to another Windows 2003 Standard member server and did a
gpupdate and then looked at the event log and it appears clean after the
gpupdate command was run.  Slow link detection has not been disabled on
that machine (or any on my network for that matter, with the exception
of this new problem server now).

ICMP is not being blocked.  Windows firewall is turned off on all
servers on the network (including the two DC's and this problem member
server).  To my knowledge there is nothing on the network limiting ICMP
packet size.  I certainly haven't done anything to limit it.

For an update on the current status of disabling slow link detection.
It has been roughly 30 minutes or so and no event log error shows after
running gpupdate on the member server.  When doing a gpresult everything
appears to process correctly.  This problem server is a new terminal
server and when I logon as a TS user to this computer it still shows a
1054 error and the same 59 errors in the userenv log file.  The only
exception is when I login as the network admin account through remote
desktops (the account I made the registry edit for
GroupPolicyMinTransferRate under).

Donavon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Is this the only system that is having this problem? Are you doing
anything on your network to limit ICMP packet size?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

In further testing today I did end up finding the location to add the
GroupPolicyMinTransferRate DWORD value to the registry of the problem
server.  About 5 minutes ago I added that key with a value of 0 to HKLM
and HKCU and when running a gpupdate I do not get the error and when
looking at the userenv log I do not see the error 59 or any error that
it cannot contact the DC.  I do not want to say that this is it for sure
but for the moment it does appear to be working.

Now I suppose I should ask that since this was simply a troubleshooting
step, what would I need to do in order to investigate a long-term
solution to the problem?  Thanks for all of the help!

Donavon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

In addition to my last response I have noticed that when I reboot the
problem server it will apparently apply the group policy without issues
for 15 minutes or so and then will fail to do so from that point
forward.  When viewing the userenv log file after a reboot and after
giving the gpupdate command, it shows no 59 errors and nothing shows up
in the event log.  Wait about 15 minutes or so and the event log shows
the 1054 error and the userenv log shows the 59 error.

Donavon 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Hi Steve,

When running nltest /dsgetdc: on the problem member server I
get the following (NOTE: I ran it twice, once for DOMAIN and again for
DOMAIN.LOCAL which is the full name.  I noticed that the flags for each
are different):

C:\Documents and Settings\supervisor>nltest /dsgetdc:domain
   DC: \\ATHENA
  Address: \\192.168.1.6
 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96
 Dom Name: DOMAIN
  Forest Name: domain.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully

C:\Documents and Settings\supervisor>nltest /dsgetdc:domain.local
   DC: \\athena.domain.local
  Address: \\192.168.1.6
 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96
 Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-15 Thread Darren Mar-Elia
Is this the only system that is having this problem? Are you doing anything
on your network to limit ICMP packet size?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

In further testing today I did end up finding the location to add the
GroupPolicyMinTransferRate DWORD value to the registry of the problem
server.  About 5 minutes ago I added that key with a value of 0 to HKLM
and HKCU and when running a gpupdate I do not get the error and when
looking at the userenv log I do not see the error 59 or any error that
it cannot contact the DC.  I do not want to say that this is it for sure
but for the moment it does appear to be working.

Now I suppose I should ask that since this was simply a troubleshooting
step, what would I need to do in order to investigate a long-term
solution to the problem?  Thanks for all of the help!

Donavon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

In addition to my last response I have noticed that when I reboot the
problem server it will apparently apply the group policy without issues
for 15 minutes or so and then will fail to do so from that point
forward.  When viewing the userenv log file after a reboot and after
giving the gpupdate command, it shows no 59 errors and nothing shows up
in the event log.  Wait about 15 minutes or so and the event log shows
the 1054 error and the userenv log shows the 59 error.

Donavon 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Hi Steve,

When running nltest /dsgetdc: on the problem member server I
get the following (NOTE: I ran it twice, once for DOMAIN and again for
DOMAIN.LOCAL which is the full name.  I noticed that the flags for each
are different):

C:\Documents and Settings\supervisor>nltest /dsgetdc:domain
   DC: \\ATHENA
  Address: \\192.168.1.6
 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96
 Dom Name: DOMAIN
  Forest Name: domain.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully

C:\Documents and Settings\supervisor>nltest /dsgetdc:domain.local
   DC: \\athena.domain.local
  Address: \\192.168.1.6
 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96
 Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE
The command completed successfully




I have already tried to disable slow link detection on the problem
member server however I had to do so by going into gpedit.msc and
setting it to 0 as that registry location doesn't exist on Windows 2003
Server R2 x64 (when searching on Google I could not find the location of
this key in this version of windows).  Also of note is that I have gone
so far as forcing a 100Mb connection on the active NIC on the problem
member server but it also did not solve the issue so I set it back to
auto.  The NIC in the machine is a 1Gb card.

This morning I removed it from the domain and added it back.  The group
policy seemed to work for a bit but after about 15 minutes of tests I
got the 1054 error again.  Strangely if I do a gpupdate /force I don't
get the 1054 error in the event log and instead get a 1704 (Security
policy in the Group policy objects has been applied successfully).

Donavon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Monday, January 15, 2007 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

It appears that you are having problems with slow link detection from
the log below.  You can try disabling it on the client to see if that
corrects the problem by following the steps in this article for
disabling slow link detection:
http://support.microsoft.com/kb/910206/en-us.  I would not recommend
this as a long term solution but simply a troubleshooting step to see if
it is indeed a problem with Slow link detection.  I believe the LDAP
error 59 later in the log is spurious and caused by the abortion of slow
link detection.  However just in case you can also validate that you can
successfully make a DSGetDCName() call by using nltest
/dsgetdc:  and see if it returns the sam
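
An added example (not from the thread, and not any poster's script) that
automates the DC locator check Steve asked for: it runs nltest /dsgetdc for
both the NetBIOS and the DNS domain name and diffs the two answers, which is
the comparison Donavon did by eye. nltest.exe is in the Windows Support Tools
on 2000/2003 and inbox on later Windows. Without -Live the two transcripts
quoted above are parsed from constructed strings, so the script runs on any
machine; the domain names are assumed from the transcripts.

```powershell
# Added example, not from the thread: run the DC locator check Steve asked
# for (nltest /dsgetdc) against both the NetBIOS and the DNS domain name and
# diff the results. nltest.exe is in the Windows Support Tools on 2000/2003
# and inbox on later Windows. Without -Live the two transcripts Donavon
# posted are parsed from constructed strings so the script runs anywhere.
param([switch]$Live, [string]$NetBiosName = 'domain', [string]$DnsName = 'domain.local')

function ConvertFrom-NltestDsGetDc {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.+?)\s*$') {
            $name = $Matches[1].Trim(); $value = $Matches[2]
            if ($name -eq 'Flags') {
                # Terminals often glue 'The command completed successfully'
                # onto the Flags line; keep only UPPER_CASE flag tokens.
                $result[$name] = @($value -split '\s+' | Where-Object { $_ -cmatch '^[A-Z_]+$' })
            } else {
                $result[$name] = $value
            }
        }
    }
    $result
}

function Compare-DcLocator {
    param([hashtable]$A, [hashtable]$B)
    $diff = Compare-Object -ReferenceObject $A.Flags -DifferenceObject $B.Flags
    New-Object PSObject -Property @{
        SameDC       = ($A.Address -eq $B.Address)
        SameSite     = ($A.'Dc Site Name' -eq $B.'Dc Site Name' -and
                        $A.'Our Site Name' -eq $B.'Our Site Name')
        FlagsOnlyInA = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })
        FlagsOnlyInB = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject })
    }
}

if ($Live) {
    $a = ConvertFrom-NltestDsGetDc (& nltest.exe "/dsgetdc:$NetBiosName")
    $b = ConvertFrom-NltestDsGetDc (& nltest.exe "/dsgetdc:$DnsName")
} else {
    # Constructed from the two outputs quoted above.
    $a = ConvertFrom-NltestDsGetDc (@'
           DC: \\ATHENA
      Address: \\192.168.1.6
     Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96
     Dom Name: DOMAIN
  Forest Name: domain.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully
'@ -split "`r?`n")
    $b = ConvertFrom-NltestDsGetDc (@'
           DC: \\athena.domain.local
      Address: \\192.168.1.6
     Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
'@ -split "`r?`n")
}

Compare-DcLocator -A $a -B $b | Format-List SameDC, SameSite, FlagsOnlyInA, FlagsOnlyInB
```

On the quoted transcripts this reports the same DC and site for both names and
DNS_DC and DNS_DOMAIN only for the DNS query. Those two flags just say that
the controller and domain names in the answer are DNS names (DsGetDcName's
DS_DNS_CONTROLLER_FLAG and DS_DNS_DOMAIN_FLAG), so the difference Donavon
noticed is expected. The useful run is the one made with -Live at the moment
a 1054 is being logged, to see whether the locator call itself still succeeds
and still returns the same DC.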

RE: [ActiveDir] Policy Failing to apply

2007-01-15 Thread Darren Mar-Elia
Ok. If this user has a roaming profile, you might try deleting any locally
cached copies of her profile and letting the roaming one download anew. That
might free things up. Outside of some profile issue, you could check the IE
Maintenance logs to see what is going on. If you open up her profile on the
local machine and go into Application Data\Microsoft\Internet Explorer,
there should be a log file called brndlog.txt that will contain the events
that IE Maintenance generates at application time.

 

Darren

 

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply

 

Oh yes, no one can surf the net without it. We do get occasional issues
where it does not apply, and sometimes we set it manually while we sort the
problem out. Normally if we do this the settings "stick" and don't get wiped
when the policy refreshes. However in this case they are wiped when the user
logs in. It appears to be some issue with the users settings as the problem
"follows" her from PC to PC.

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 January 2007 15:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply

Dave-

Does that same proxy policy work for any other users correctly? 


Darren

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policy Failing to apply

 

Folks,

 

 I have a user for whom the Internet Explorer Proxy settings are not
applying correctly. They are set in the user portion of the Default Domain
Policy. I have checked with "Group Policy Results" tool in the Group Policy
Management snap in and it reports that they have been applied. But when the
user tries to surf the net they can't, and on checking in IE the proxy
fields are blank.

 

To make matters worse if I manually set the proxy, and then do a "gpupdate
/force" they are cleared. 

 

I have checked the event log on the machine and there is nothing obvious
amiss there. Has any one any idea why this is happening before I start
turning on userenv debugging?

 

Not this is an isolated incident, and it appears to follow the user rather
than being machine specific.

 

Dave Wade

0161 474 5456


RE: [ActiveDir] Policy Failing to apply

2007-01-15 Thread Darren Mar-Elia
Dave-

Does that same proxy policy work for any other users correctly? 


Darren

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policy Failing to apply

 

Folks,

 

 I have a user for whom the Internet Explorer Proxy settings are not
applying correctly. They are set in the user portion of the Default Domain
Policy. I have checked with "Group Policy Results" tool in the Group Policy
Management snap in and it reports that they have been applied. But when the
user tries to surf the net they can't, and on checking in IE the proxy
fields are blank.

 

To make matters worse if I manually set the proxy, and then do a "gpupdate
/force" they are cleared. 

 

I have checked the event log on the machine and there is nothing obvious
amiss there. Has any one any idea why this is happening before I start
turning on userenv debugging?

 

Not this is an isolated incident, and it appears to follow the user rather
than being machine specific.

 

Dave Wade

0161 474 5456


RE: [ActiveDir] DNS Comments

2007-01-08 Thread Darren Mar-Elia
I like these guys: http://www.miceandmen.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

 

Well there hasn’t been some sort of ruling on whether the existing BIND folks 
will get new tools or the AD team (which is very gui dependent) will take it 
over.

 

Are there any commercial tools you’d recommend I look at as far as management 
goes?

 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 07, 2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

 

Backup a second - how do you plan to manage the zones? 

 

I ask because this might be a good time to re-evaluate the metadata concept of 
the zones. 

 

In BIND you see that information because of the way you manage the zone.  In AD 
there is a different way to manage the zone information that doesn't include 
that information.  

 

If you decide to manage the zones the same way, then handle the comments the 
same way.  If you decide to go GUI (often a shock for a real BIND techie and 
often doesn't last long) then consider using a CMDB-type of mechanism to record 
the metadata. You may also consider some alternate tools to manage the DNS 
systems instead of the built in tools.  Performance is pretty rough with the 
included anyway so it's not like you won't consider it later :) 

 

This is a change in the way they do things.  It deserves a change in the way 
they are used to doing things. 

 

Al

 

On 1/5/07, Brian Desmond <[EMAIL PROTECTED]> wrote: 

Has anyone on this DL have experience with this problem?

 

I am working on potentially migrating numerous UNIX BIND zones to AD Integrated 
DNS. The BIND zones have various comments in them which go with the record. I 
believe the dnsNode class in AD supports a notes field or similar but the GUI 
doesn't. How do people manage metadata about their DNS zones? 

 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


RE: [ActiveDir] Roaming Profiles not updating

2007-01-08 Thread Darren Mar-Elia
Ernesto-
Profiles are notorious for not completely unloading at logoff (i.e. resource
handles "leak" and remain open). As a result, the profile is unable to copy
up to the central server and therefore the server version doesn't get
updated. If that is the problem here, then you can get a hold of the User
Profile Hive Cleanup service on the MS download site, and install it on the
Tablet PC if you think that is the issue. Also, keep in mind that user
profiles don't get written up to the roaming profile until a user logs off.
So if a user stays logged onto a machine where they deleted those icons, and
then went to another machine without logging off of the first, and made some
changes, then logged off--that second machine would write up the profile
with the icons intact. Then, going back to the first machine would of course
result in the icons not being there. 

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
Sent: Monday, January 08, 2007 7:13 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Roaming Profiles not updating

I'm having some problems with roaming profiles.
I have several users that use 3 different computers.
1 is a tablet PC, and two are workstations, and sometimes the OS on the
workstation can be XP or win2k.

The users keep telling me that when they delete icons from their desktop,
the settings stay, but maybe a week or two later, all those desktop icons
that they deleted return.  What I can't pinpoint is why the profile
doesn't update.  I think the old profile returns when the tablet is used.
The tablet PC is wireless too, which they take home.

Any ideas?

Ernesto


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] push a URL in the trusted zone with GPO...

2007-01-06 Thread Darren Mar-Elia
Could be an issue if the lists ever differ. I don't remember how they merge
(or don't). Probably best to put it in one place.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Saturday, January 06, 2007 7:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...

Thanks, I have both, so I replicated the settings in both places. Do you
think this can cause me problems? 




-> -Original Message-
-> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
-> Sent: January 5, 2007 6:05 PM
-> To: ActiveDir@mail.activedir.org
-> Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...
-> 
-> Alternatively, if you have the IE 6, XP SP2 version of inetres.adm or the
-> IE7 ADMs, you can use Administrative Template policy to set trusted
-> sites. I personally like this method better than IE Maintenance. It's under
-> Computer (or User) Configuration\Admin. Templates\Windows Components\Internet
-> Explorer\Internet Control Panel\Security Page\Site to Zone assignment list
-> 
-> Darren
-> 
-> 
-> Darren Mar-Elia
-> CTO & Founder
-> SDM Software, Inc.
-> www.sdmsoftware.com
-> Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at
-> http://www.sdmsoftware.com/products.php
-> 



RE: [ActiveDir] push a URL in the trusted zone with GPO...

2007-01-05 Thread Darren Mar-Elia
Alternatively, if you have the IE 6, XP SP2 version of inetres.adm or the
IE7 ADMs, you can use Administrative Template policy to set trusted sites. I
personally like this method better than IE Maintenance. It's under Computer
(or User) Configuration\Admin. Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Site to Zone assignment list

Darren


Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
www.sdmsoftware.com
Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at
http://www.sdmsoftware.com/products.php



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Friday, January 05, 2007 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...

 User configuration, windows settings, internet explorer maint,
security/security zones and content ratings, security zones and privacy,
sites in this zone.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere,
> Michel
> Sent: Friday, January 05, 2007 3:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: push a URL in the trusted zone with GPO...
> 
> Hi,
>   I have a brain cramp actually, I can't remember how I can push a
> URL in the trusted zone and intranet zone for all the stations using a
> GPO, anybody can help?
> 
> Thanks
> 
> 
> 
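The Administrative Template setting Darren describes writes one registry value per site pattern (value name = pattern, value data = zone number) under the ZoneMapKey policy key in HKLM and/or HKCU. The PowerShell audit below is an added example, not code from the thread or from SDM Software: it lists what the policy currently assigns in the machine and user scopes, flags patterns broad enough to put arbitrary hosts into a zone, and reports sites that the two scopes assign to different zones, which is the mismatch Darren cautions about in his 2007-01-06 reply. It only sees the Admin Template path, not what IE Maintenance writes; the function names are my own.

```powershell
# Added example (not from the thread): audit the IE "Site to Zone assignment
# list" policy on a workstation. Assumes read access to HKLM and HKCU.

$ZoneMapPolicyKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
# Properties the registry provider adds to every Get-ItemProperty result.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SiteToZoneList {
    # Returns a hashtable of site pattern -> zone number for one hive, or an
    # empty table when the policy is not applied in that scope.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $list = @{}
    $path = "${Hive}:\$ZoneMapPolicyKey"
    if (-not (Test-Path -Path $path)) { return $list }
    $props = Get-ItemProperty -Path $path
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        $zone = 0
        # The policy stores the zone number as REG_SZ text; ignore anything else.
        if ([int]::TryParse([string]$p.Value, [ref]$zone)) { $list[$p.Name] = $zone }
    }
    return $list
}

function Test-BroadPattern {
    # A pattern with no real host label ("*", "http://*", "*.com") puts far
    # more than the intended hosts into the zone; worth a second look.
    param([string]$Pattern)
    $hostPart = $Pattern -replace '^[a-z]+://', ''
    return ($hostPart -eq '' -or $hostPart -eq '*' -or $hostPart -match '^\*\.[^.]+$')
}

function Format-Zone {
    param($Zone)
    if ($null -eq $Zone) { return '-' }
    if ($ZoneNames.ContainsKey([int]$Zone)) { return $ZoneNames[[int]$Zone] }
    return "Zone$Zone"
}

function Get-SiteToZoneAudit {
    # One row per site pattern found in either scope. Conflict is true when
    # the machine and user policy lists assign the same site to different zones.
    $machine = Get-SiteToZoneList -Hive HKLM
    $user    = Get-SiteToZoneList -Hive HKCU
    $allSites = (@($machine.Keys) + @($user.Keys)) | Sort-Object -Unique
    foreach ($site in $allSites) {
        $mZone = if ($machine.ContainsKey($site)) { $machine[$site] } else { $null }
        $uZone = if ($user.ContainsKey($site)) { $user[$site] } else { $null }
        [pscustomobject]@{
            Site         = $site
            MachineZone  = Format-Zone $mZone
            UserZone     = Format-Zone $uZone
            Conflict     = ($null -ne $mZone -and $null -ne $uZone -and $mZone -ne $uZone)
            BroadPattern = Test-BroadPattern -Pattern $site
        }
    }
}

# Usage: full list, then only the rows that deserve attention.
Get-SiteToZoneAudit | Format-Table -AutoSize
Get-SiteToZoneAudit | Where-Object { $_.Conflict -or $_.BroadPattern } | Format-Table -AutoSize
```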


RE: [ActiveDir] DesktopStandard

2006-12-18 Thread Darren Mar-Elia
I don't think the decision has been made yet. I could be wrong but I think
the first iteration of the "Advanced Group Policy Management" only includes
the GP change control product, and not the PolicyMaker extensions. I'm not
sure yet if it's been announced or even decided what the ship vehicle for
those extensions is.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 18, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DesktopStandard

Yes as far as I can tell...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Nathan Casey
> Sent: Monday, December 18, 2006 12:31 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DesktopStandard
> 
> Does this mean that the product will only be available
> via the Microsoft Desktop Optimization Pack for SA customers?
> 
> >>> [EMAIL PROTECTED] 12/15/2006 5:09:11 PM >>>
> Or an even better, more official answer:
> 
> http://download.microsoft.com/download/6/4/F/64F5DC66-832A-4DF3-BAF4-3B4E7FB9E500/datasheet-faqs.pdf
> 
> Q: When can I order Microsoft Desktop Optimization Pack for Software
> Assurance and when will it be available?
> 
> A: You may order Microsoft Desktop Optimization Pack for Software Assurance
> from the January 2007 Price List. The software will be available in the
> February VL Kit shipment and MVLS download site. The initial release of the
> Microsoft Desktop Optimization Pack for Software Assurance will only include
> SoftGrid v4.1. As other technologies become available they will be added to
> the media kit that will ship within the monthly Select and EA kits. The
> remaining technologies (Microsoft Diagnostic and Recovery Toolset, Microsoft
> Advanced Group Policy Management, and Microsoft Asset Inventory Service)
> will be available by the end of Q2 CY 2007.
> 
> HTH,
> 
> Laura
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
> > Sent: Friday, December 15, 2006 5:38 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] DesktopStandard
> >
> > Does anyone have any new info on when MS will update the
> > Desktopstandard product to work with Windows Vista?
> > Thanks
> > Nathan


RE: [ActiveDir] Vista GPO

2006-12-15 Thread Darren Mar-Elia
 in to the lazy or uninformed amongst us.

Just my opinion,

Tim

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

 

>>> People don't seem to have a problem with that concept when it comes to
game consoles :)

 

Bad analogy. Go stand in the corner, no wii for you :)

 

When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be
doing the dog-fooding, but realistically, the "ideal" is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely, 
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)
 
Darren
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??
 
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
------
"I love the smell of red herrings in the morning" - anonymous
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can actually
be read at all, because they are a completely new format that GPEditor or
GPMC on those older platforms don't understand. In fact, those XP or 2003
will happily copy up the ADMs into the Vista GPO like they used to do, and
you're back to each GPO storing ADMs in SYSVOL. What I've been recommending
to folks is that once you introduce Vista desktops into your environment,
use Vista for all your ongoing GP management. The Vista ADMXs are a superset
of the latest and greatest ADMs (i.e. they include 2003, XP and Vista
settings) so you can happily manage Vista and non-Vista targeted GP settings
from a Vista machine.
 
Darren
 
Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
[EMAIL PROTECTED]
 
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
You may recall, there was a similar case when XP came out too - if
memory serves, you had to manage XP GPO settings from an XP box - if you
opened them on Win2K, there were problems (I can't recall now exactly
what those problems were... it would corrupt the policy? Lose the
settings?) anyway so there are tons more settings (+ side) and you have
to use Vista for now (- side, sorta).  I wouldn't be too surprised if
they fix that with the next server and XP SP... but I haven't actuall

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Darren Mar-Elia
Come on Deji, it's exactly the same, else why in the world do we upgrade
perfectly good IT systems? :)

 

Folks can manage their GP from DCs when Longhorn ships. Until then, it's
Vista. Also, it would be fairly trivial, if not time-consuming, to convert all
those ADMXs in Vista back to ADMs. There is nothing technically preventing
that. But, it is not trivial to back-port the other new Vista functionality,
like published printers, wired policy, the new IPSec and Firewall stuff,
back to older versions. You wouldn't need to back-port all of it-just enough
to support GP Editing, but still, it's a lot of work and MS, like most other
software companies, probably needs to make the hard call about where to put
dev and testing resources. 

 

I agree that it's not ideal, but I don't think having to manage GP from Vista
for the intervening space of time until Longhorn ships is a terrible thing.
It will probably take most orgs that much time to decide when to go to Vista
anyway. And for the aggressive ones, Vista is not a bad choice for a
management platform. I think the benefits of the central store and other
improvements outweigh the medium term inconvenience. 

 

I am curious, however, what others think. 

 

Darren

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

 

>>> People don't seem to have a problem with that concept when it comes to
game consoles :)

 

Bad analogy. Go stand in the corner, no wii for you :)

 

When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be
doing the dog-fooding, but realistically, the "ideal" is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely, 
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)
 
Darren
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??
 
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous
 
 
-----Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can actually
be read at all, because they are a completely new format that GPEditor or
GPMC on those older platforms don't understand. In fact, those XP or 2003
will happily copy up the ADMs into the Vista GPO like they used to do, and
you're back to each GPO storing

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Darren Mar-Elia
I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can actually
be read at all, because they are a completely new format that GPEditor or
GPMC on those older platforms don't understand. In fact, those XP or 2003
will happily copy up the ADMs into the Vista GPO like they used to do, and
you're back to each GPO storing ADMs in SYSVOL. What I've been recommending
to folks is that once you introduce Vista desktops into your environment,
use Vista for all your ongoing GP management. The Vista ADMXs are a superset
of the latest and greatest ADMs (i.e. they include 2003, XP and Vista
settings) so you can happily manage Vista and non-Vista targeted GP settings
from a Vista machine.

Darren

Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if
memory serves, you had to manage XP GPO settings from an XP box - if you
opened them on Win2K, there were problems (I can't recall now exactly
what those problems were... it would corrupt the policy? Lose the
settings?) anyway so there are tons more settings (+ side) and you have
to use Vista for now (- side, sorta).  I wouldn't be too surprised if
they fix that with the next server and XP SP... but I haven't actually
heard that.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are
found on Vista in C:\windows\policydefinitions and, unfortunately cannot
be consumed by earlier versions of Windows. That is you must manage
Vista GP from Vista.

Darren

-Original Message-
From: "Za Vue" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.

Thanks..

-Z.V.

WATSON, BEN wrote:
> Maybe he may be referring to the location of any possible new ADM files
> included with Vista.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
>
> What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
> unless you mean the LDIF files that are in

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Darren Mar-Elia
This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can actually
be read at all, because they are a completely new format that GPEditor or
GPMC on those older platforms don't understand. In fact, those XP or 2003
will happily copy up the ADMs into the Vista GPO like they used to do, and
you're back to each GPO storing ADMs in SYSVOL. What I've been recommending
to folks is that once you introduce Vista desktops into your environment,
use Vista for all your ongoing GP management. The Vista ADMXs are a superset
of the latest and greatest ADMs (i.e. they include 2003, XP and Vista
settings) so you can happily manage Vista and non-Vista targeted GP settings
from a Vista machine.

Darren

Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if
memory serves, you had to manage XP GPO settings from an XP box - if you
opened them on Win2K, there were problems (I can't recall now exactly
what those problems were... it would corrupt the policy? Lose the
settings?) anyway so there are tons more settings (+ side) and you have
to use Vista for now (- side, sorta).  I wouldn't be too surprised if
they fix that with the next server and XP SP... but I haven't actually
heard that.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are
found on Vista in C:\windows\policydefinitions and, unfortunately cannot
be consumed by earlier versions of Windows. That is you must manage
Vista GP from Vista.

Darren

-Original Message-
From: "Za Vue" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.

Thanks..

-Z.V.

WATSON, BEN wrote:
> Maybe he may be referring to the location of any possible new ADM files
> included with Vista.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
>
> What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
> unless you mean the LDIF files that are in sources\adprep on the Vista
> CD?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: Thursday, December 14, 2006 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Vista GPO
>
> Anyone know what and where the GPO plugin for Win2003 on the Vista DVD
> is called and located?
>
> -Z.V.
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] Vista GPO

2006-12-14 Thread Darren Mar-Elia
The Central Store gives you some nice features. First, it gives you a
central place for all GP administrators to get their ADMXs from. That way
you can control which ones get loaded for a given GPO. 2nd, it gives you a
central point of version control, which is not something you had with each
GPO storing its own copy of ADMs in pre-Vista days. However, the one
downside to the Central Store from my perspective is that, once it exists,
all GP editors in the domain will refer to it. That means there is no
granularity anymore in terms of which ADMXs appear for a given GPO. So, in
the ADM days (you know, long ago, like a month ago :)) you could load one or
ten ADMs into a GPO based on your needs. In the ADMX world, once the Central
Store is populated, all GPOs in the domain load all ADMXs in the Central
Store and you can't change that unless you want to revert back to using ADMs
stored in each GPO.

So, good and bad--mostly good I think for most shops.

Darren




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Thursday, December 14, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

With Vista ADMX format, is it a better implementation to have central
ADMX storage on the DCs?  


 
===
Weiming Lu
Emory College Computing Support
(404)727-7917

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are
found on Vista in C:\windows\policydefinitions and, unfortunately cannot
be consumed by earlier versions of Windows. That is you must manage
Vista GP from Vista.

Darren

-Original Message-
From: "Za Vue" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.

Thanks..

-Z.V.

WATSON, BEN wrote:
> Maybe he may be referring to the location of any possible new ADM 
> files included with Vista.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren 
> Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
>
> What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,

> unless you mean the LDIF files that are in sources\adprep on the Vista

> CD?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: Thursday, December 14, 2006 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Vista GPO
>
> Anyone know what and where the GPO plugin for Win2003 on the Vista DVD

> is called and located?
>
> -Z.V.
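As an added example (not code from the list or from Microsoft): a parser for the ADMX format Darren describes, run over a constructed sample file. ADMX_NS is the real ADMX namespace; the "Contoso" names and keys are placeholders, the second sample policy is modeled on the "disable the driver startup" registry tweak the list discusses for CD-ROM lockdown, and the Central Store path in the comments is the standard SYSVOL location.

```python
"""Parse ADMX policy definitions (the XML format that replaced .adm in Vista)
and list what each policy writes to the registry when a GPO enables it."""
import xml.etree.ElementTree as ET

# Namespace of every ADMX <policyDefinitions> root element.
ADMX_NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
NS = {"pd": ADMX_NS}

# Where a GP editor reads ADMX files from: the domain Central Store
# (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) when it exists,
# otherwise the editing machine's local C:\Windows\PolicyDefinitions.
# Once the Central Store exists every editor in the domain loads all of its
# ADMX files, which is the loss of per-GPO granularity Darren describes.

# Constructed sample, not a Microsoft-shipped ADMX; "Contoso" names and keys are
# placeholders. The second policy models the "disable the driver startup"
# registry tweak discussed for CD-ROM lockdown (Start=4 is SERVICE_DISABLED).
SAMPLE_ADMX = """<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.Sample" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="Sample" displayName="$(string.Sample)">
      <parentCategory ref="windows:WindowsComponents" />
    </category>
  </categories>
  <policies>
    <policy name="DisableCdBurning" class="User" displayName="$(string.DisableCdBurning)"
        key="Software\\Policies\\Contoso\\Sample" valueName="NoCdBurning">
      <parentCategory ref="Sample" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="CdromStartType" class="Machine" displayName="$(string.CdromStartType)"
        key="SYSTEM\\CurrentControlSet\\Services\\cdrom">
      <parentCategory ref="Sample" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <elements>
        <decimal id="StartType" valueName="Start" minValue="0" maxValue="4" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""


def parse_admx(xml_text):
    """Return one dict per <policy>: name, class, key, valueName and elements."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ADMX_NS}}}policyDefinitions":
        raise ValueError("not an ADMX policyDefinitions document")
    target = root.find("pd:policyNamespaces/pd:target", NS)
    prefix = target.get("prefix") if target is not None else "?"
    policies = []
    for pol in root.findall("pd:policies/pd:policy", NS):
        elements = []
        for el in pol.findall("pd:elements/*", NS):
            elements.append({"kind": el.tag.rsplit("}", 1)[-1],  # decimal, text, enum...
                             "id": el.get("id"),
                             "key": el.get("key") or pol.get("key"),  # element may override
                             "valueName": el.get("valueName")})
        policies.append({"name": f"{prefix}:{pol.get('name')}",
                         "class": pol.get("class"),      # Machine, User or Both
                         "key": pol.get("key"),
                         "valueName": pol.get("valueName"),
                         "elements": elements})
    return policies


def registry_targets(policies):
    """Flatten to (class, key, valueName): the values a GPO built from these
    definitions writes under HKLM (Machine) or HKCU (User)."""
    targets = []
    for p in policies:
        if p["valueName"]:                       # simple enable/disable policy
            targets.append((p["class"], p["key"], p["valueName"]))
        for el in p["elements"]:                 # policies with settable parts
            targets.append((p["class"], el["key"], el["valueName"]))
    return targets


if __name__ == "__main__":
    for cls, key, value in registry_targets(parse_admx(SAMPLE_ADMX)):
        hive = "HKLM" if cls == "Machine" else "HKCU"
        print(f"{hive}\\{key} -> {value}")
```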


RE: [ActiveDir] Vista GPO

2006-12-14 Thread Darren Mar-Elia
The converter (ADMX Migrator) is only meant to convert ADMs into ADMXs-- not 
the other way around unfortunately.

Darren
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
To: "ActiveDir.org" 
Sent: 12/14/2006 2:20 PM
Subject: Re: [ActiveDir] Vista GPO

www.microsoft.com/downloads has a load of the new adms and admx conversions


RE: [ActiveDir] Vista GPO

2006-12-14 Thread Darren Mar-Elia
Vista introduces a new Admin Template format called ADMX. These are found on 
Vista in C:\windows\policydefinitions and, unfortunately cannot be consumed by 
earlier versions of Windows. That is you must manage Vista GP from Vista.

Darren

-Original Message-
From: "Za Vue" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.

Thanks..

-Z.V.

WATSON, BEN wrote:
> Maybe he may be referring to the location of any possible new ADM files
> included with Vista.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO 
>
> What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
> unless you mean the LDIF files that are in sources\adprep on the Vista
> CD?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: Thursday, December 14, 2006 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Vista GPO 
>
> Anyone know what and where the GPO plugin for Win2003 on the Vista DVD 
> is called and located?
>
> -Z.V.


RE: [ActiveDir] Vista GPO

2006-12-14 Thread Darren Mar-Elia
What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
unless you mean the LDIF files that are in sources\adprep on the Vista CD?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, December 14, 2006 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vista GPO 

Anyone know what and where the GPO plugin for Win2003 on the Vista DVD 
is called and located?

-Z.V.


RE: [ActiveDir] Lockdown CD-ROM access for some

2006-12-13 Thread Darren Mar-Elia
Theoretically you could do that, but besides the obvious security downside,
the registry tweaks really only disable the driver startup, so you would
still have to reboot for that to take effect. All in all, the ADM approach
talked about in that article is pretty weak and only good for completely
disabling a device rather than having granularity of who gets it disabled.
One thing I forgot to mention is that Vista now includes device lockdown as
part of GP, including control over reading and writing a particular
device. Of course, you need Vista.

 

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jon Best
Sent: Wednesday, December 13, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

 

Can't you just set up two group policies with two .adm files?  One activates
the lock, and the other group policy deactivates the lock.  Or, as those are
just registry entries, you *can* set it up so that the people that are to
have CD-ROM access also have high enough rights to change those keys on the
registry (you can set access rights on individual registry keys as of XP).
Their login script deactivates the lock, and their logout script enables the
lock again.

 

Jon

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

 

Yes, that's the same one I had found previously and didn't meet my
requirements since it's on a per-computer basis, not per-user unfortunately.

 

That information was actually pulled from this KB article.

 

http://support.microsoft.com/kb/555324

 

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Steele
Sent: Wednesday, December 13, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

 

A quick google search turned up this reference to a custom .ADM template
that is available.

 

http://joeelway.spaces.live.com/blog/cns!2095EAC3772C41DB!293.entry

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lockdown CD-ROM access for some

 

I have been given a task for our secured environments (by secured, I mean
government clearances required) to develop a means to lock down access to
the CDROM drive at a user based level.  They want most users to be
restricted from using the CDROM drives in any way, but allow a certain
security group the ability to have full use of their CDROM drives.

 

As far as I can tell, there is not a group policy that allows for this type
of granular lockdown of the devices.  Any suggestions on how to best tackle
this?

 

Information simply cannot leave these secured environments, and they no
longer want users to have unfettered access to CD/DVD burners.  The drive
letter of the CD drives may not always be the same, in fact some machines'
drive letters may vary wildly.

 

Thanks,

~Ben




RE: [ActiveDir] Lockdown CD-ROM access for some

2006-12-13 Thread Darren Mar-Elia
Ben-

You might want to consider one of the 3rd party solutions for this. There
are several on the market that both use and don't use Group Policy to
implement lockdown. Check out Securewave and DesktopStandard, among others.
If you don't have a budget, then there is a policy hack you can use to just
disable the CD device driver altogether. This would be on a per computer
basis though-not per user. See the following KB for details:

http://support.microsoft.com/kb/555324

 

Darren

 

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lockdown CD-ROM access for some

 

I have been given a task for our secured environments (by secured, I mean
government clearances required) to develop a means to lock down access to
the CDROM drive at a user based level.  They want most users to be
restricted from using the CDROM drives in any way, but allow a certain
security group the ability to have full use of their CDROM drives.

 

As far as I can tell, there is not a group policy that allows for this type
of granular lockdown of the devices.  Any suggestions on how to best tackle
this?

 

Information simply cannot leave these secured environments, and they no
longer want users to have unfettered access to CD/DVD burners.  The drive
letter of the CD drives may not always be the same, in fact some machines'
drive letters may vary wildly.

 

Thanks,

~Ben



RE: [ActiveDir] group policy object

2006-12-12 Thread Darren Mar-Elia
If you have GPMC installed, then the GP tab is removed from ADU&C and you'll
need to manage GP from the GPMC. 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John
Sent: Tuesday, December 12, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] group policy object

 

I am trying to create a GPO however I can not find the group policy tab
under my domain.

 

Is there something to be fixed?

 

Thanks.

John

 




RE: [ActiveDir] Quest Recovery Manager

2006-12-09 Thread Darren Mar-Elia
"we will call him Art"

Hehe. Hypothetically of course... ;)

-Original Message-
From: "joe" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 12/9/2006 3:09 PM
Subject: RE: [ActiveDir] Quest Recovery Manager

Yep, when I was at one large widget company we would really be interested in
some product from a given company but the per user or per object licensing
costs were so insanely out of the park for an infrastructure type product
versus the money available for infrastructure that we could never buy the
products... Then every December the main sales guy, we will call him Art to
protect the guilty, would come along and take folks out to lunch or dinner
or whatever and say it is all half off or more so buy now... Unfortunately,
in this company I was in, it was pretty much impossible to purchase anything
after Thanksgiving due to the complexity of the buying system and the number
of folks who had to sign off on things and the amount of vacation time being
taken by people. If it wasn't at a price that was expensable on corporate
credit card, it wasn't getting bought at the end of the year. So half off,
three quarter off, heck even pennies on the dollar likely wouldn't reduce
the pricing enough although everyone wanted it.
 
Silly thing is if the company would simply go to a site based licensing
scheme and put a good price on it they would have been selling products to
the company 6 years ago and not going through the same dance every year. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 06, 2006 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



"The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)"

 

Ha! Show me a sales person from ANY software company who doesn't get that
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
quarter-end or year-end and I'll show you a sales person that is about to be
fired. It's part of the game. Gotta make quota, esp. at year end, and to do
that, you gotta discount! I would think most IT shops are wise to it by now


RE: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Darren Mar-Elia
Boy that just makes me proud to be in the software business...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, December 07, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Just to give an idea of how insane it can get

A good friend of mine works at a software company (not in the Microsoft
space)... let's call it company G. Company G is small (300 people or so)
and privately held, with a superior product. Company G's main
competition is Company W, a large, bloated publicly held company, with
a decidedly inferior product. Company W hasn't developed anything
innovative in years... all their new products have come through
acquisitions.

Now check this out: Company G has a competitive sales program for
Company W's customers. If a customer has decided on Company W, for
whatever reason, and there is no way that they will buy Company G's
product, Company G will work with the customer to provide a competitive
bid *just to drive Company W's prices down.* The customer doesn't even
have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Thursday, December 07, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit
customers more than just low balling each other in this space / vertical
market.

And just like a free puppy... If you don't train it... you eventually
have to call in the Directory Whispers.

I think I might have just found some inspiration for a new TV Show.

Todd

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.


Martin

- Original Message - 
From: "Gil Kirkpatrick" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager


It gets even nuttier in competitive situations. Bring in the NetPro products
for eval, and watch how fast the Quest price goes to zero. It's like the old
Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil


From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



"The Quest guys told me the other day they had a lot of leeway on some 
pricing for one of my clients so I'm wondering if this is the end of the

year for the salesmen and they need to make their year this month (if so

this is an excellent time to buy Quest software)"



Ha! Show me a sales person from ANY software company who doesn't get that
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
quarter-end or year-end and I'll show you a sales person that is about to be
fired. It's part of the game. Gotta make quota, esp. at year end, and to do
that, you gotta discount! I would think most IT shops are wise to it by now.
It's kind of a sick dance we all do :)



Darren



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



Yeah. Sit down with your team and figure out what it is you need - must 
have, would like to have, and nice to have. Then, tell all the vendors
you 
want a little webinar (they love these), and then compare your notes
after 
each/all of them again. Rule out any ones now that don't do the trick


Then go get ready to have it shoved way up your ass when they give you
the 
pricing. Then you can suggest (if they haven't already) that they come 
discuss it further and plan on a lunch/dinner or two on their dime
while 
you further discuss how expensive their stuff is and what they can do
for 
you to make it more attractive. The Quest guys told me the other day
they 
had a lot of leeway on some pricing for one of my clients so I'm
wondering 
if this is the end of the year for the salesmen and they need to make
their 
year this month (if so this is an excellent time to buy Quest software).



Now that said, I've worked in a few large shops, and we haven't had any
of 
this frilly fancy shit. It's expensive, I hate the per head/per seat/per

whatever pricing, and frankly all I think it does is idiot proof what's 
already there. Rather than having something do it for you, why don't you

learn how it does it, because then you'll be smarter, and you can go get
a 
new better job with your new found talents.



That said there

RE: [ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread Darren Mar-Elia
I know the SpecOps guys lurk on this forum so you should get a response, but
I would also suggest that they have a forum on their website for asking
questions and getting feedback from other users.

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 07, 2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

 

Including bugs! :)

Maybe should have been 2 emails - One here for any problems encountered and
one to SpecOps for technical detail.

Any users encountered any problems with this tool? :)))

 

Kind regards

 

Danny

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

I would expect specops to provide that info, if I were in your position.

 

neil

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool

Hi 

Has anyone used the WoL feature of this tool? If so, can you let me know of
any issues that you came across please? We are currently only interested in
the Shutdown/WoL feature, and would be interested to know how it obtains the
MAC addresses required and the method of transmission of the wake up packet
across the subnets - to keep our active network team happy. They had a
recent incident with a Ghost server and they're a bit edgy. :)

Cheers 

Danny 




RE: [ActiveDir] Quest Recovery Manager

2006-12-06 Thread Darren Mar-Elia
"The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)"

 

Ha! Show me a sales person from ANY software company who doesn't get that
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
quarter-end or year-end and I'll show you a sales person that is about to be
fired. It's part of the game. Gotta make quota, esp. at year end, and to do
that, you gotta discount! I would think most IT shops are wise to it by now.
It's kind of a sick dance we all do :)

 

Darren

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

 

Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors you
want a little webinar (they love these), and then compare your notes after
each/all of them again. Rule out any ones now that don't do the trick


Then go get ready to have it shoved way up your ass when they give you the
pricing. Then you can suggest (if they haven't already) that they come
discuss it further and plan on a lunch/dinner or two on their dime while
you further discuss how expensive their stuff is and what they can do for
you to make it more attractive. The Quest guys told me the other day they
had a lot of leeway on some pricing for one of my clients so I'm wondering
if this is the end of the year for the salesmen and they need to make their
year this month (if so this is an excellent time to buy Quest software).

 

Now that said, I've worked in a few large shops, and we haven't had any of
this frilly fancy shit. It's expensive, I hate the per head/per seat/per
whatever pricing, and frankly all I think it does is idiot proof what's
already there. Rather than having something do it for you, why don't you
learn how it does it, because then you'll be smarter, and you can go get a
new better job with your new found talents.

 

That said there is some cool shit from quest and NetIQ and those guys - I'm
into the change control/management stuff in shops where there are too many
cooks in the kitchen. Quest's migration stuff is of course great if you can
afford it.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

 

I don't think there are many independent rankings out there.  You have to
figure that Windows ITPro and SearchWindows are probably the easiest sources
to get access to online, but they are influenced by ad dollars sometimes.
It is possible that Burton Group and possibly Gartner have done some
research... But I doubt it.  I know that Directions on Microsoft hasn't
covered it.  It is a pretty niche topic.

 

I think the best way to approach this is to have a good old-fashioned bake-off
of the technologies.  Depending how big a player you are, you can probably
get Quest, NetPro, Veritas, and Commvault to step up.  I would say that all
the technologies are pretty stable at the moment; there isn't a lot of
innovation going on anymore, so it is pretty hard to make a mistake choosing
one of these products.

 

 

Todd


From: Tim Onsomu [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

 

Does anybody know what independent rankings look like for AD DR tools?




-Original Message-
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



NetPro has an AD data recovery product called RestoreADmin that competes
very well with the Quest product. It solves the AD object recovery
problem nicely.

See http://www.netpro.com/products/restoreadmin/index.cfm.



-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Todd, thanks for your insight. Good points to think about.


James Masters
Systems Architecture and Engineering
The Kroger Co.
Office: (859) 363-2346
Cell:(859) 653-8644


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Same here... Good stuff.

To be 

RE: [ActiveDir] Quest Recovery Manager

2006-12-06 Thread Darren Mar-Elia
Tim-

Sadly in our business I think you'd have a hard time finding something akin to a 
decent, educated and un-biased review of this stuff. No Consumer Reports for 
software. What I would always recommend is to gather your requirements clearly 
and evaluate all players against those requirements and their costs. 

Darren 

-Original Message-
From: "Tim Onsomu" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Sent: 12/6/2006 11:05 AM
Subject: RE: [ActiveDir] Quest Recovery Manager

Does anybody know what independent rankings look like for AD DR tools?




-Original Message-
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager
 


NetPro has an AD data recovery product called RestoreADmin that competes
very well with the Quest product. It solves the AD object recovery
problem nicely.

See http://www.netpro.com/products/restoreadmin/index.cfm.



-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Todd, thanks for your insight. Good points to think about. 


James Masters
Systems Architecture and Engineering
The Kroger Co.
Office: (859) 363-2346
Cell:(859) 653-8644


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Same here... Good stuff.

To be fair though, most of the major AD players have these tools now.
The thing about the Quest (Aelita) tool was its use of their own APIs to
address issues like Domain Local Groups etc.  I haven't kept up with the
latest versions so I am not sure what direction they have gone since
2003.

[truncated by sender]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-04 Thread Darren Mar-Elia
Neil-

You can modify the defaultSecurityDescriptor attribute in the schema to
change which groups are automatically granted rights on a newly created GPO.
It's described here: 

http://support.microsoft.com/kb/321476/en-us

 

 

Darren

 

 

Darren Mar-Elia

CTO & Founder

 www.sdmsoftware.com <http://www.sdmsoftware.com/> 

[EMAIL PROTECTED]

v) 415-670-9302

f) 415-532-2655

 

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 04, 2006 1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting rights to 'Manage GPOs'

 

I'd prefer to grant the service the rights it *needs* rather than carte
blanche Domain Admins rights. However, as new GPOs are created, only the
default (Schema defined?) ACLs are applied, which includes DAs but will
*not* include my service account.

 

Back to the drawing board...

 

neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: 04 December 2006 04:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Granting rights to 'Manage GPOs'

You might want to set the account to have non-interactive rights, since I'm
assuming that it runs a service that actually handles all the changes - then
grant it membership within the Domain Admins group - that would fix the
issue once and for all, unless you've changed Domain Admins to not have the
ability to edit GPOs, though it's automatically granted every time a new GPO
is created, regardless of what permissions were before. 




On 11/25/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: 

Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I
think the next step would be to check the perms on the various objects that
should get this right. Namely, the service account you're granting access to
should have the  Create GroupPolicyContainer right over the
cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies
folder, it should have Change rights over that container.

 

Darren

 

 

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out www.gpoguy.com
<http://www.gpoguy.com/> -- the best source for GPO FAQs, video training,
tools and whitepapers. Also check out the Windows Group Policy Guide
<http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155>,
the definitive resource for Group Policy information. 

 

Group Policy Management solutions at SDM Software
<http://www.sdmsoftware.com/> 

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

 

I am attempting to assign rights to a service account [sys-zzz], used by a
Group Policy Management tool (3rd party) so that the service account has the
necessary rights to 'manage' all GPOs in the domain.

Aside from app specific rights, I have assigned the following rights using
GPMC scripts [scripts shown below]: 

1. Create/edit GPO links at the root of the domain and all child containers 
cscript "%programfiles%\gpmc\scripts\SetSOMPermissions.wsf" xxx.yyy
xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain 
cscript "%programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf"
xxx\sys-zzz /Domain:xxx.yyy 

3. Edit, delete and mod security rights to all existing GPOs in the domain 
cscript "%programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf"
xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy 

 

To cut a long story short, step 2 does not appear to grant the required
'create' right [GP mgmt tool complains of an "access denied" issue].
However, if I manually (using GPMC) add the service account to the list of
objects permitted to create GPOs in the domain [instead of using the script
in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issue? Are there newer versions of the GPMC
scripts? [I have GPMC with SP1] 

Just to add to the strangeness of this issue, if I execute the same scripts
above but against a different domain (same service account) the 3rd party
app functions fine in that other domain :/

Any comments? 

Thanks, 
neil 

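
Added example (editor's code, not from any message in this thread and not
from the KB article Darren cites): the function below does what KB 321476
describes, in PowerShell. It reads the groupPolicyContainer class's
defaultSecurityDescriptor from the schema, appends an ACE for the account you
name, and writes the new SDDL back only when -Commit is given. It assumes the
RSAT ActiveDirectory module, Schema Admins membership and reachability of the
schema master; 'XXX\sys-zzz' is the placeholder account from Neil's post.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module,
# Schema Admins rights and that $Account (the thread's placeholder 'XXX\sys-zzz') resolves.
Import-Module ActiveDirectory

function Add-GpoDefaultSecurityAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,
        # GenericAll on the object and its descendants is what GPMC's
        # "Edit settings, delete, modify security" amounts to on a GPO
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'GenericAll',
        [switch]$Commit
    )
    # Schema writes must go to the schema master
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
                -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' `
                -Properties defaultSecurityDescriptor

    # Parse the stored SDDL, add one ACE, serialise it again
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($class.defaultSecurityDescriptor)

    $nt      = New-Object System.Security.Principal.NTAccount($Account)
    $sid     = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $allow, $inherit)
    $sd.AddAccessRule($rule)
    $newSddl = $sd.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    if ($Commit) {
        Set-ADObject -Server $schemaMaster -Identity $class.DistinguishedName `
            -Replace @{ defaultSecurityDescriptor = $newSddl }
    }
    [pscustomobject]@{
        OldSddl   = $class.defaultSecurityDescriptor
        NewSddl   = $newSddl
        Committed = [bool]$Commit
    }
}

# Dry run first and read NewSddl; then repeat with -Commit
Add-GpoDefaultSecurityAce -Account 'XXX\sys-zzz'
```

Two caveats that follow from how the mechanism works: the schema default only
affects GPOs created after the change (existing GPOs keep the ACL they have),
and it governs the AD object only, so check the SYSVOL folder ACL of the next
GPO you create rather than assuming it matches.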

RE: [ActiveDir] Script to delete unwanted profiles form desktop

2006-12-03 Thread Darren Mar-Elia
Check out delprof.exe. It's either in the reskit or part of the Support Tools or
part of the OS, depending upon which version of the OS you have. You would
have to run it in a GPO-based computer startup script so that it runs when
no users are logged on.

 

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mohan Rajput
Sent: Sunday, December 03, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to delete unwanted profiles form desktop

 

Hi guys,

 

I need a Script, which deletes unwanted profiles from the desktops and I
need to run that script through Domain Policy for computers?

-- 
Thanks & Regards
Mohan Kumar
Mob:- (+91)981-195-7926 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED] 
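
Added example (editor's code, not from any message in this thread): delprof.exe
is the tool for the 2000/XP/2003 machines being discussed; on Vista/2008 and
later the same job can be done from a GPO computer startup script with the
Win32_UserProfile class, which is what the function below does. The Loaded and
Special checks are the part that matters: deleting a loaded profile corrupts
it, and the Special flag marks the system and service profiles. The -KeepSid
list is an assumption about what the caller wants to protect.

```powershell
# Added example, not code from the thread. Modern equivalent of a delprof startup
# script, built on Win32_UserProfile (Vista/2008 and later). Deploy as a GPO computer
# startup script so it runs while no user is logged on.
function Remove-StaleUserProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$OlderThanDays = 30,
        [string[]]$KeepSid = @()        # SIDs that must never be removed (assumption: supplied by the caller)
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    $candidates = Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        -not $_.Special -and              # skip SYSTEM, LocalService, NetworkService and friends
        -not $_.Loaded  -and              # skip anything in use; deleting a loaded profile corrupts it
        $_.LastUseTime  -and              # orphaned entries sometimes carry no timestamp at all
        $_.LastUseTime -lt $cutoff -and
        $KeepSid -notcontains $_.SID
    }

    foreach ($p in $candidates) {
        if ($PSCmdlet.ShouldProcess($p.LocalPath, "Delete profile (last used $($p.LastUseTime))")) {
            # The provider's delete removes the folder and the ProfileList registry entry
            # together, which a plain rmdir of C:\Users\<name> would not do
            Remove-CimInstance -InputObject $p
        }
    }
}

# Preview with -WhatIf, then run without it
Remove-StaleUserProfile -OlderThanDays 60 -WhatIf
```

On recent Windows builds LastUseTime is refreshed by background activity and
is not a reliable "last logon" indicator, so cross-check against the
NTUSER.DAT write time before trusting the age cut-off.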



RE: [ActiveDir] Exclude Vista from GPO

2006-11-28 Thread Darren Mar-Elia
I'll check it on Vista. I don't think I tested it on Vista but you can run
it remotely on an XP box.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, November 28, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exclude Vista from GPO

 

Hmm. Does the wmiftest.exe work on Vista?  Gives me an Index error.

 

Well, that string may have worked as I did a gpresult and it stated that it
was filtered out.

 

The following GPOs were not applied because they were filtered out

 ---

 CA Unicenter

 Filtering:  Denied (WMI Filter)

 WMI Filter: SWS XP Computers

 

 Symantec Rollout

 Filtering:  Denied (WMI Filter)

 WMI Filter: All Computers Except Vista

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 28, 2006 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exclude Vista from GPO

 

Ok. So, you could also use this:

 

Select * from Win32_OperatingSystem Where BuildNumber < 6000

 

Since Vista's build # is 6000, that should exclude all Vista systems. Just
an FYI that I have a little utility that I wrote that you can download, that
lets you test WMI Filters against live systems to see how they will
evaluate. It's at www.gpoguy.com/wmiftest.htm

 

Darren

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, November 28, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exclude Vista from GPO

 

Well, I want the GPO to run on ALL machines EXCEPT Vista.   I also want it
to be dynamic (I don't want to manually add computers to groups)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 28, 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exclude Vista from GPO

 

Right, or security group filtering where you create a security group that
includes all your Vista machines and deny it Apply Group Policy rights on
that GPO. If you use a WMI Filter, then, assuming all the targets are XP,
you would do something like this:

 

Select * from Win32_OperatingSystem Where Caption = "Microsoft Windows XP
Professional" (or you could query on Build Number)

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, November 28, 2006 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exclude Vista from GPO

 

WMI filtering.

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, November 28, 2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exclude Vista from GPO

I have a GPO set to install Symantec CE 10 on all machines on startup.  The
problem is there is a different version for Vista and I want to exclude that
GPO from running on Vista machines.  How can I do this?

 

-Devon

 


  _  


This message (including any attachments) is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is non-public, proprietary, privileged, confidential, and exempt from
disclosure under applicable law or may constitute as attorney work product.
If you are not the intended recipient, you are hereby notified that any use,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error, notify us
immediately by telephone and (i) destroy this message if a facsimile or (ii)
delete this message immediately if this is an electronic communication. 
Thank you. 

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.14.19/555 - Release Date: 11/27/2006
6:09 PM

 

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.14.19/555 - Release Date: 11/27/2006
6:09 PM

 

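
Added example (editor's code, not from any message in this thread and not
Darren's wmiftest utility): the function below evaluates a WMI filter's WQL
queries the way the Group Policy client does, so you can predict the
"Denied (WMI Filter)" line in Devon's gpresult output before linking the GPO.
A filter may hold several queries; the GPO applies only if every one of them
returns at least one object. The namespace and the remote-session handling
are assumptions about how you store and test filters.

```powershell
# Added example, not code from the thread. Evaluates WMI filter queries locally or
# against a remote computer; all queries must return >= 1 object for the GPO to apply.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root\CIMv2',   # the namespace stored with each query in the filter
        [string]$ComputerName                # omit to test the local machine
    )
    $session = if ($ComputerName) { New-CimSession -ComputerName $ComputerName } else { $null }
    try {
        $results = foreach ($q in $Query) {
            # ErrorAction Stop: a WQL syntax error should surface, not look like "filtered out"
            $params = @{ Namespace = $Namespace; Query = $q; ErrorAction = 'Stop' }
            if ($session) { $params.CimSession = $session }
            $hits = @(Get-CimInstance @params).Count
            [pscustomobject]@{ Query = $q; Matches = $hits; Passes = ($hits -gt 0) }
        }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
    [pscustomobject]@{
        Computer = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Applies  = @($results | Where-Object { -not $_.Passes }).Count -eq 0
        Queries  = $results
    }
}

# The filter from the thread. BuildNumber is a *string* property of Win32_OperatingSystem,
# so when validating also check the integer comparison explicitly on each OS you target.
$filter = 'Select * from Win32_OperatingSystem Where BuildNumber < 6000'
Test-GpoWmiFilter -Query $filter
[int](Get-CimInstance Win32_OperatingSystem).BuildNumber -lt 6000
```

Run it once on an XP box and once on a Vista box (or use -ComputerName) and
compare the Applies value with what gpresult reports for the GPO.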

RE: [ActiveDir] Exclude Vista from GPO

2006-11-28 Thread Darren Mar-Elia
Ok. So, you could also use this:

 

Select * from Win32_OperatingSystem Where BuildNumber < 6000

 

Since Vista's build # is 6000, that should exclude all Vista systems. Just
an FYI that I have a little utility that I wrote that you can download, that
lets you test WMI Filters against live systems to see how they will
evaluate. It's at www.gpoguy.com/wmiftest.htm

 

Darren

 



RE: [ActiveDir] MS / Desktopstandard

2006-11-28 Thread Darren Mar-Elia
Nathan-
I can't speak specifically about what DesktopStandard's plans are but
frankly, when I asked MS about supporting existing 3rd party CSEs in Vista a
while ago, they said that there should not be any issues. Of course, it is
up to the vendor to test and support this, and since that vendor is now
Microsoft, I would suggest contacting your MS rep to get the official story.
However, us GP MVPs meet with the GP product team on a monthly basis and the
next meeting is Friday so I will ask then what the story is. Also, just an
FYI but I highly doubt the time they would take to do this is 18 months. I
don't know all the details, but I know it's not that long.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Tuesday, November 28, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MS / Desktopstandard

Does anyone have an idea when Microsoft will update the DesktopStandard
Policy Maker product to support Windows Vista? The support staff at
DesktopStandard isn't sure about "Policy Maker" product updates now that MS
owns them but said they heard that it could be 18 months. This would
basically prevent us from deploying a single Vista PC for 18 months.

Nathan Casey
Network Analyst
WGS-ISD County of Sonoma
[EMAIL PROTECTED]
(707) 565-3519



RE: [ActiveDir] Exclude Vista from GPO

2006-11-28 Thread Darren Mar-Elia
Right, or security group filtering where you create a security group that
includes all your Vista machines and deny it Apply Group Policy rights on
that GPO. If you use a WMI Filter, then, assuming all the targets are XP,
you would do something like this:

 

Select * from Win32_OperatingSystem Where Caption = "Microsoft Windows XP
Professional" (or you could query on Build Number)

 

Darren

 

 



RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-11-25 Thread Darren Mar-Elia
Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I
think the next step would be to check the perms on the various objects that
should get this right. Namely, the service account you're granting access to
should have the  Create GroupPolicyContainer right over the
cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies
folder, it should have Change rights over that container.

 

Darren

 

 

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out www.gpoguy.com
<http://www.gpoguy.com/> -- the best source for GPO FAQs, video training,
tools and whitepapers. Also check out the Windows Group Policy Guide
<http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155>,
the definitive resource for Group Policy information. 

 

Group Policy Management solutions at  <http://www.sdmsoftware.com/> SDM
Software

 

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

 

I am attempting to assign rights to a service account [sys-zzz], used by a
Group Policy Management tool (3rd party) so that the service account has the
necessary rights to 'manage' all GPOs in the domain.

Aside from app specific rights, I have assigned the following rights using
GPMC scripts [scripts shown below]: 

1. Create/edit GPO links at the root of the domain and all child containers 
cscript "%programfiles%\gpmc\scripts\SetSOMPermissions.wsf" xxx.yyy
xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain 
cscript "%programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf"
xxx\sys-zzz /Domain:xxx.yyy 

3. Edit, delete and mod security rights to all existing GPOs in the domain 
cscript "%programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf"
xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy 

 

To cut a long story short, step 2 does not appear to grant the required
'create' right [GP mgmt tool complains of an "access denied" issue].
However, if I manually (using GPMC) add the service account to the list of
objects permitted to create GPOs in the domain [instead of using the script
in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issue? Are there newer versions of the GPMC
scripts? [I have GPMC with SP1] 

Just to add to the strangeness of this issue, if I execute the same scripts
above but against a different domain (same service account) the 3rd party
app functions fine in that other domain :/

Any comments? 

Thanks, 
neil 

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
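
Added example (editor's code, not from any message in this thread): Darren's
advice is to check two ACLs, the Create Child right for groupPolicyContainer
on CN=Policies,CN=System and Change (Modify) on the SYSVOL Policies folder.
The function below reads both and lists the principals that hold each right,
matching object-specific ACEs by the class's schemaIDGUID rather than by name.
It assumes the RSAT ActiveDirectory module (for the AD provider) and read
access to SYSVOL; 'xxx.yyy' and 'XXX\sys-zzz' are the placeholders from
Neil's post. It reports direct grants only; whether the service account gets
the right through one of the listed groups is still yours to confirm.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module and
# read access to SYSVOL; 'xxx.yyy' / 'XXX\sys-zzz' are the thread's placeholders.
Import-Module ActiveDirectory

function Get-GpoCreationAce {
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS name, e.g. 'xxx.yyy'
        [string]$Identity                        # optional 'DOMAIN\name' to flag direct grants
    )
    $dom = Get-ADDomain -Identity $Domain
    $dc  = $dom.PDCEmulator

    # schemaIDGUID of groupPolicyContainer, to recognise object-specific CreateChild ACEs
    $schemaNc = (Get-ADRootDSE -Server $dc).schemaNamingContext
    $gpcClass = Get-ADObject -Server $dc -SearchBase $schemaNc `
                    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID

    # 1. AD side: CreateChild for groupPolicyContainer (or for all classes) on CN=Policies,CN=System.
    #    A dedicated drive pinned to $dc keeps this working when $Domain is not the logon domain.
    $policiesDn = "CN=Policies,CN=System,$($dom.DistinguishedName)"
    New-PSDrive -Name GpoAcl -PSProvider ActiveDirectory -Server $dc -Root '' -ErrorAction Stop | Out-Null
    try   { $adAcl = Get-Acl -Path "GpoAcl:\$policiesDn" }
    finally { Remove-PSDrive -Name GpoAcl }
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $adAces = $adAcl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcGuid) -and
        -not ($_.PropagationFlags -band $inheritOnly)      # inherit-only ACEs don't apply to the container itself
    }

    # 2. SYSVOL side: Modify (what the old ACL editor called "Change") on the Policies folder
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $fsAces = (Get-Acl -Path "\\$Domain\SYSVOL\$Domain\Policies").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $modify) -eq $modify)
    }

    [pscustomobject]@{
        AdCreateChild      = $adAces | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
        SysvolModify       = $fsAces | Select-Object IdentityReference, FileSystemRights, IsInherited
        IdentityDirectInAd = if ($Identity) { @($adAces | Where-Object { $_.IdentityReference.Value -eq $Identity }).Count -gt 0 } else { $null }
        IdentityDirectInFs = if ($Identity) { @($fsAces | Where-Object { $_.IdentityReference.Value -eq $Identity }).Count -gt 0 } else { $null }
    }
}

Get-GpoCreationAce -Domain 'xxx.yyy' -Identity 'XXX\sys-zzz' | Format-List
```

Run it against the domain where SetGPOCreationPermissions.wsf "worked" and
the one where it did not; the difference in AdCreateChild between the two is
usually the answer.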



RE: [ActiveDir] computer policy processing -retry behaviour

2006-11-22 Thread Darren Mar-Elia
Hey, since when is GP not related to AD? GP is the reason AD is so
popular... Anyone shoots you down for it, they'll have to answer to the
gpoguy :-)

In Win2K, XP, and 2003, if there is no connectivity to a DC when computer
*foreground* processing occurs (this is the processing that occurs at
computer startup) then GP processing simply fails. After that, you're
correct to say that during the next scheduled background processing cycle,
GP will refresh. This could be as long as 120 minutes (90 minutes plus up to
30 minute randomized value). Note that you can reduce this background
interval to as low as every 7 seconds (not that you'd want to) via policy.
However, its important to note that some policy requires a foreground
processing cycle (software installation or startup scripts in some cases
come to mind) so if the DC is never available during boot, these policies
will never process.

Now, Vista does something new. Vista has something called an "NLA refresh"
(well that's what I call it). Vista uses an entirely different, and more
dynamic mechanism for detecting the presence of a DC. What Vista says with
respect to GP refresh is, "if the last GP processing cycle failed, then as
soon as I detect that the DC is back online, I will trigger a background
policy refresh". So, it doesn't help with the foreground issues stated
above, but does significantly reduce the refresh time of up to 120 minutes.
Hope that helps.
 

Darren


Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com
-- the best source for GPO FAQs, video training, tools and whitepapers. Also
check out the Windows Group Policy Guide, the definitive resource for Group
Policy information. 

Group Policy Management solutions at www.sdmsoftware.com





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, November 22, 2006 4:46 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] computer policy processing -retry behaviour 

This is a query re processing of computer group policies. I note that it is not
strictly AD related so I hope not to get 'shot down'!

I wanted to get a view on the 'retry' behaviour of the Windows 2000 group policy
engine, in a scenario of a user-initiated VPN, in which domain controller
connectivity is not available until some time after user logon.

This will impact the processing of computer policies that would normally be
downloaded and processed prior to CTRL-ALT-DEL.

Presumably, the initial computer policy processing would fail and only refresh on
the next scheduled interval?

OR does the GP engine attempt more aggressively to download policies on the
basis of an initial failure?

If not, it seems there are going to be major issues in endpoint config on the
basis of any machine policies not being processed some way after user logon.

Help on this gladly received.

GT




RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread Darren Mar-Elia
Yes and quickly the way this works is, when a client processes registry
policy, it takes all the registry policy from all the GPOs and merges it
into an "archive" file. It applies all those items in the archive file to
the registry--both tattooing "preferences" and true "policies" (as defined
by the 4 keys Laura listed). Then, the next time the client processes
registry policy, it reads that archive file before it does anything, and
removes those policies found in it (but not the preferences). Then it builds
a new archive file composed of any policies that now apply, then it applies
those as before. 
 
I also have a reasonably in-depth discussion of this here:
www.gpoguy.com/faqs/tattoo.htm
 
 
Darren 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 5:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks, Laura.
 
I rarely deal with the out of the box GPO stuff and focus on writing my own
ADM files. I guess a different set of rules applies there [tattooing] as you
suggest.
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 16 November 2006 13:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Darren is correct. A quick and simple test- create the following policy and
link it to an OU where you've placed a test user account:
 
1. User Configuration\Administrative Templates\Start Menu and Taskbar\Remove
Documents menu from Start menu- set to enabled
 
2. Run gpupdate if you're logged on with the test account (this assumes the
test account has the appropriate permissions to create the GPO), or log off
and log on as your test user.
 
3. Click on Start button and note disappearance of Documents menu.
 
4. Edit policy and change setting to "Not configured".
 
5. Repeat step 2.
 
6. Repeat step 3 and note reappearance of Documents menu.
 
Having said all of the above, any settings that don't write to one of the
following locations *will* tattoo the registry:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\SOFTWARE\Policies

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

A very good tutorial can be found here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
management/gp/admtgp.mspx

 
Laura
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 4:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest



I thought 'Not Defined' meant 'ignore this setting and apply it as set
elsewhere in other GPOs'. i.e. if it were set and then later set to not
defined, the clients would continue to use the setting and ignore the change
from enabled to 'not defined'.
 
e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I
always believed clients would ignore any 'not defined' settings and thus
continue to use wallpaper A.
 
Am I wrong?
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


If I set an Admin template policy from "Enabled" to "Not Configured", then
that GPO with "Not Configured" needs to be processed at least once by the
target in order to remove the setting. So, even though GPMC might report "No
Settings" (and frankly I haven't looked at how it reports other areas besides
Admin. templates. For example, you can "remove" a software installation
package but it is left in the GPO so that clients can process the removal.
Does that mean that the GPO has "no settings"?) you might still want that
GPO around to be able to undo the client--if only for a limited period of
time.
 
Darren

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


>>>if a GPO had settings and doesn't anymore, it may be needed by users and
computers processing GP to undo settings that were previously applied
 
IMHO, no settings means all settings in the GPO are set to "Not Defined".
Wouldn't it, for the case you mention, need to have reverse settings or
original settings and thus have settings?
 
jorge
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Darren Mar-Elia
If I set an Admin template policy from "Enabled" to "Not Configured", then
that GPO with "Not Configured" needs to be processed at least once by the
target in order to remove the setting. So, even though GPMC might report "No
Settings" (and frankly I haven't looked at how it reports other areas besides
Admin. templates. For example, you can "remove" a software installation
package but it is left in the GPO so that clients can process the removal.
Does that mean that the GPO has "no settings"?) you might still want that
GPO around to be able to undo the client--if only for a limited period of
time.
 
Darren

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


>>>if a GPO had settings and doesn't anymore, it may be needed by users and
computers processing GP to undo settings that were previously applied
 
IMHO, no settings means all settings in the GPO are set to "Not Defined".
Wouldn't it, for the case you mention, need to have reverse settings or
original settings and thus have settings?
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

  _  

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Well, it depends upon the purpose of your quest, but you're correct. For
example, you may not want to delete a GPO that has no settings (but does
have versionNumber >0) because that may be a desirable state for it. In
other words, if a GPO had settings and doesn't anymore, it may be needed by
users and computers processing GP to undo settings that were previously
applied. Unless you know for sure that those settings have been undone, then
you can't be sure the GPO is unused.
 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks Darren - that assumes the GPO is empty and always was empty, of
course :)
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Another option is to perform an LDAP search on the cn=policies, cn=system
container for GPC objects, and on each GPC object, look for a versionNumber
attribute == 0. It's probably slightly faster than first generating the HTML
report and then parsing it.
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks horhay :-^
 
I'd found the GPMC script but your extra logic is very useful :)
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: 15 November 2006 12:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

  _  

From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Wed 2006-11-15 11:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating empty GPOs in a domain / forest



Does anyone have a script or know of a process which can be used to locate
empty GPOs? i.e. GPOs which have no settings enabled or set.

The customer has hundreds of GPOs so viewing them one by one using GPMC is
not a viable option :/ 

Many thanks, 
neil 
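The LDAP search Darren describes, as an added example that is not part of the thread: it queries the GPC objects under CN=Policies,CN=System with the ActiveDirectory PowerShell module and splits versionNumber into its computer and user halves, so a GPO that was never edited (versionNumber 0) can be told apart from one that was edited and, as Darren and neil point out, may still be needed to undo settings on clients. The function names are my own; the module is assumed to be installed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (Get-ADDomain, Get-ADObject); the function names here are my own.

function ConvertFrom-GpcVersionNumber {
    # The GPC versionNumber packs two 16-bit counters: the low word is the
    # computer-settings version, the high word the user-settings version.
    # AD stores it as a signed 32-bit int, so widen to int64 before masking
    # (a user version >= 32768 makes the raw value negative).
    param([Parameter(Mandatory)] [int64] $VersionNumber)
    [pscustomobject]@{
        Computer = $VersionNumber -band 0xFFFF
        User     = ($VersionNumber -shr 16) -band 0xFFFF
    }
}

function Get-GpoVersionReport {
    # Search CN=Policies,CN=System for groupPolicyContainer objects and read
    # versionNumber directly instead of generating and parsing GPMC reports.
    param(
        [string] $SearchBase = "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    )
    $query = @{
        SearchBase = $SearchBase
        LDAPFilter = '(objectClass=groupPolicyContainer)'
        Properties = 'displayName', 'versionNumber', 'whenChanged'
    }
    Get-ADObject @query | ForEach-Object {
        $v = ConvertFrom-GpcVersionNumber ([int64]$_.versionNumber)
        # versionNumber 0 means neither half was ever edited: the GPO is
        # empty and always was. Anything else needs a human look: a GPO
        # edited back to "Not Configured" shows no settings in GPMC but
        # still has to be processed once by each client to undo the
        # previously applied setting, so it is not safe to delete on sight.
        $state = if ($_.versionNumber -eq 0) { 'never edited: deletion candidate' }
                 else { 'edited before: confirm clients have processed it' }
        [pscustomobject]@{
            DisplayName     = $_.displayName
            GpcName         = $_.Name          # the {GUID} container name
            ComputerVersion = $v.Computer
            UserVersion     = $v.User
            WhenChanged     = $_.whenChanged
            State           = $state
        }
    }
}

# Usage: never-edited GPOs sort to the top.
Get-GpoVersionReport | Sort-Object ComputerVersion, UserVersion | Format-Table -AutoSize
```

A versionNumber of 0 in AD says nothing about SYSVOL; compare it with the version in the GPO's GPT.INI before treating the report as authoritative.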


RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Darren Mar-Elia



Well, it depends upon the purpose of your quest, but you're correct. For
example, you may not want to delete a GPO that has no settings (but does
have versionNumber >0) because that may be a desirable state for it. In
other words, if a GPO had settings and doesn't anymore, it may be needed by
users and computers processing GP to undo settings that were previously
applied. Unless you know for sure that those settings have been undone, then
you can't be sure the GPO is unused.
 
 
 



RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Darren Mar-Elia



Another option is to perform an LDAP search on the cn=policies, cn=system
container for GPC objects, and on each GPC object, look for a versionNumber
attribute == 0. It's probably slightly faster than first generating the HTML
report and then parsing it.
 




RE: [ActiveDir] Timeout period on object moves?

2006-11-13 Thread Darren Mar-Elia
Thanks Joe. I suspect you're right, though I'm not sure where/why it would
be cached. I did fire up Insight for AD and didn't specifically see the
query I would have expected, so I guess it is being cached--strange part is
that it seemed to pick up the change right away the first time I moved the
object. Maybe just dumb luck. In any case, thanks for confirming that it is
not something server-side. Didn't make sense.
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 13, 2006 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Timeout period on object moves?


Hey Darren, I have looked at some of the source for GPO processing and while
I don't recall any client side caching, I wouldn't be surprised to hear it
had it. Certainly there is nothing on the AD side that I have seen that
could ever make me think a specially formed query for GPOs was responded to
in a special way and the code I did see didn't build a special query, it
just sent a simple query. 
 
I would validate by using wireshark or some other sniffer type tool or
Insight for AD to watch the actual LDAP queries generated. I expect you will
see that when it is not updating, the client isn't even querying AD.
 
  joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, November 13, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Timeout period on object moves?


I moved a computer account from OU A to OU B, then fired up gpupdate on that
computer. Sure enough, it found the new OU and calculated GP accordingly.
Then I moved it back to OU A. On this final move, after issuing both a
gpupdate and gpupdate /force, the workstation failed to find its new OU. I
could see in userenv.log that it was still referring to its DN at the OU B
location. Strangely, sometime after that, on a background refresh of GP, the
new OU (A) was seen. 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, November 13, 2006 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Timeout period on object moves?


Can you explain the steps you've taken?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

  _____  

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Mon 2006-11-13 18:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Timeout period on object moves?


All-
I'm trying to track down some interesting behavior in GP processing. I am
wondering how AD deals with object moves. Specifically, I am moving a
computer object around between OUs and it appears that the computer itself
is not picking up every move during GP processing as I would expect. I don't
see where the behavior could be coming from on the client side (I even
deleted the value in the registry where GP stores the DN of the object) and
so I'm wondering if AD is doing something here when it returns the results
of the LDAP query that the client does during GP processing to determine its
location in AD. It's almost as if AD is caching the previous location of the
object to dampen excessive object moves. Sounds weird but I'm wondering if
anyone has an explanation to this?
 
Darren
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com
<http://www.gpoguy.com/> -- the best source for GPO FAQs, video training,
tools and whitepapers. Also check out the Windows Group Policy Guide
<http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155>,
the definitive resource for Group Policy information.
 
 




RE: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone up like crazy!

2006-11-13 Thread Darren Mar-Elia
Which tool and what is the prompt? One thing I've done in the past, when
asked for 'y' or 'n', is simply do this:

echo y | Command

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 13, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone up
like crazy!

Better question ... is there an "accept" switch to use?  If you try a tool
in a loop against a set of servers, it prompts for every one of them...

:m:dsm:cci:mvp | marcusoh.blogspot.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, November 13, 2006 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone up
like crazy!

We had to compile in bbisw.lib (Big Brother Is Watching).  You might think
that's against your rights, but you signed them away when you accepted the
5k larger eula.txt below (which you didn't read).

Cheers,
BrettSh [EMAIL PROTECTED] <-- I've decided its funny when I use it.

Just b/c I know this kind of thing can go rabidly out of control, _YES, I
WAS KIDDING._

On Mon, 13 Nov 2006, Steve Egan (Temp) wrote:

> Back in my days of programming in C, if we used the C-Worthy Interface 
> Library (CWIL), a simple three-line program would be a MINIMUM of 170K.
> Maybe it's because a GUI is now included, or somesuch??
> 
> Steve Egan
> Purcell Systems
> System/Network Administrator
> desk 509 755-0341 x110
> cell 509 475-7682
> fax 509 755-0345
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
> Sent: Monday, November 13, 2006 10:33 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size 
> gone up like crazy!
> 
> I think MS may have signed them all. Dunno if that increases size. 
> 
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
> 
> c - 312.731.3132
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> > [EMAIL PROTECTED] On Behalf Of Javier Jarava
> > Sent: Monday, November 13, 2006 12:47 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone
> up
> > like crazy!
> > 
> > Hi!
> > 
> > Just a quick question to the list, to see what the honorable members (tm)
> > think.
> > 
> > I have just d/l some of the updated sysinternals tools from MS 
> > (filemon, regmon, autoruns and pstools to be precise), and I have 
> > noticed that most if not all the utils have grown in size A LOT.
> > 
> > As an example, this is the change I see from pstools v2.34 and v2.4:
> > 
> > Archive:  SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
> >   Length    Date     Time    Name
> >  --------  --------  -----   ----
> >    122880  20/03/06  16:19   psshutdown.exe
> >     94208  02/08/05  11:14   pskill.exe
> >     65536  30/03/06  10:05   psloglist.exe
> >     49152  27/03/06  13:07   psloggedon.exe
> >    106496  21/07/05  10:22   psgetsid.exe
> >    146704  26/07/00  12:00   pdh.dll
> >     57344  06/04/06  14:52   psservice.exe
> >     53248  30/12/05  03:15   psfile.exe
> >    135168  11/07/06  09:00   psexec.exe
> >     63786  08/07/06  11:10   Pstools.chm
> >    135168  13/12/05  09:51   Psinfo.exe
> >    106496  07/11/03  14:42   pssuspend.exe
> >     86016  01/12/04  17:27   pslist.exe
> >     57344  16/05/04  08:36   pspasswd.exe
> >      1969  11/02/06  09:22   Eula.txt
> >        39  10/07/06  13:58   version.txt
> >  --------                    -------
> >   1281554                    16 files
> > 
> > Archive:  SYSINTERNALS PsTools v2.4 -20061101- PsTools.zip
> >   Length    Date     Time    Name
> >  --------  --------  -----   ----
> >    412472  01/11/06  13:07   psexec.exe
> >    166712  01/11/06  13:06   psfile.exe
> >    322360  01/11/06  13:07   psgetsid.exe
> >    428856  01/11/06  13:07   Psinfo.exe
> >    318264  01/11/06  13:07   pskill.exe
> >    191288  01/11/06  13:06   pslist.exe
> >    162616  01/11/06  13:06   psloggedon.exe
> >    187192  01/11/06  13:06   psloglist.exe
> >    170808  01/11/06  13:06   pspasswd.exe
> >    179000  01/11/06  13:06   psservice.exe
> >    404280  01/11/06  13:07   psshutdown.exe
> >    375608  01/11/06  13:07   pssuspend.exe
> >     63786  08/07/06  11:10   Pstools.chm
> >        38  15/10/06  16:32   psversion.txt
> >    153672  01/11/06  13:05   pdh.dll
> >      7005  28/07/06  08:32   Eula.txt
> >  --------                    -------
> >   3543957                    16 files
> > 
> > Just wondering out loud what is the reason for the size change. Different
> > compiler, maybe?
> > 
> > 
> > Thanks a lot for your time in reading thus far.
> > 
> > Javier Jarava
> > 

RE: [ActiveDir] how to access blocked site.

2006-11-13 Thread Darren Mar-Elia
Hey, it *could* be an office in "China" :)

In any case, I think you're fighting a losing battle protecting yourself by
attempting to control or expecting good behavior from others-- others being
defined as people who don't work for/with you. They will always find the
information or the means elsewhere if you don't help them. I'm familiar with
the notion that the traditional DMZ firewall is going the way of the dodo,
but reality is that it is still the main way we protect ourselves from
*external* behavior. There's no doubt that internal behavior has become more
risky, hence the need for islands of isolation internally, but I still think
the reality of someone else's *external* behavior somehow affecting all of
us (in the absence of our own stupid behavior, that is) is the exception
rather than the rule. In any case, I approach security based on the fact
that I can only control what I have control of, and everyone else is
implicitly evil (strictly from a security perspective, of course :-)). 

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 13, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] how to access blocked site.

He didn't ask "from behind the Government controlled firewall in China" 
he said "from an Office".  :-)

I'm assuming there's a reasonable tinfoily admin there.  And you know.. 
you can always ask if you want a site unblocked that you think has a
reasonable 'business' need?  Most of the time we're reasonable people that
if you tell us a business need for something, we'll enable it.

I was more referring to the statement of does he work on my network.  In a
bizarre way.. all of us work on each others networks.  Your patch policy of
your servers, if they are Internet web facing servers, affects little ol'
me. 

My XP workstations are my front line... and where they surf and what happens
when they do impacts me.

The Future of Secure Access : The perimeter isn't what it used to be:
http://blogs.technet.com/futuresecurity/archive/2006/11/12/the-perimeter-isn-t-what-it-used-to-be.aspx

(true story... I set up firewall blocking with an error page that would
indicate that the person in the office was "busted" and to test it out I put
Victoria's Secret.com on there then added the additional 'banned' pages
and then forgot that I left that "banned" site on... 
around Valentine's of the following year I was asked why I considered that
page inappropriate.  Oops.  :-)  So I re-enabled it.  We're an open org
here.. the sites I ban are those I've had issues with... myspace.com for
example... when a Secretary abused her Internet access inside a firm if
there are sites being banned... typically there's a reason.  If you think
you have a business justification for a web site, ask. 

If you are in China or insert Country of your choice, that's a tougher
call but if he was I'd strongly recommend that he not ask about it on a
public listserve that could be easily found later.


Darren Mar-Elia wrote:
> Hmm. That's a dubious stretch. Does that mean all those folks in China 
> that find ways to bypass their government-controlled proxy are 
> endangering us all and should be stopped? There may be lots of 
> legitimate reasons why someone needs to do this. I don't think it 
> should be assumed that suddenly we are all at risk.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, November 13, 2006 8:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] how to access blocked site.
>
> He's on the Internet isn't he?  If he infects/nails his firm, his firm 
> in turn could be a bot that attacks us all, right?
>
> We're truly all on the same 'party line' here.  We all share the 
> Internet, so yeah... we all have the responsibility of doing what we 
> can to keep the bad guys from turning us into bad guys.
>
> Ramon Linan wrote:
>   
>> LOL, Susan does he really work in your office? 
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Monday, November 13, 2006 9:50 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] how to access blocked site.
>>
>> As an admin here
>>
>> You do know I could fire your assets if you do this at my office?
>>
>> You are introducing risks that as an employee, you don't have the 
>> right to do at a firm.  There'

RE: [ActiveDir] Timeout period on object moves?

2006-11-13 Thread Darren Mar-Elia
I moved a computer account from OU A to OU B, then fired up gpupdate on that
computer. Sure enough, it found the new OU and calculated GP accordingly.
Then I moved it back to OU A. On this final move, after issuing both a
gpupdate and gpupdate /force, the workstation failed to find its new OU. I
could see in userenv.log that it was still referring to its DN at the OU B
location. Strangely, sometime after that, on a background refresh of GP, the
new OU (A) was seen. 
 


[ActiveDir] Timeout period on object moves?

2006-11-13 Thread Darren Mar-Elia



All-
I'm trying to track 
down some interesting behavior in GP processing. I am wondering how AD deals 
with object moves. Specifically, I am moving a computer object around between 
OUs and it appears that the computer itself is not picking up every move during 
GP processing as I would expect. I don't see where the behavior could be coming 
from on the client side (I even deleted the value in the registry where GP 
stores the DN of the object) and so I'm wondering if AD is doing something here 
when it returns the results of the LDAP query that the client does during 
GP processing to determine its location in AD. It's almost as if AD is caching 
the previous location of the object to dampen excessive object moves. Sounds 
weird, but I'm wondering if anyone has an explanation for this?
 
Darren
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- 
the best source for GPO FAQs, video training, tools and whitepapers. Also check 
out the Windows Group Policy Guide, the definitive resource for Group Policy 
information.
 
 

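One way to separate the two possibilities Darren raises (stale client-side state versus what the directory returns) is to compare the DN the Group Policy engine cached in the registry with the DN AD currently returns for the computer. This is an added example, not code from Darren's post; the registry key and value name are an assumption to verify on your own build, and the LDAP search mirrors the lookup by sAMAccountName rather than reproducing the engine's exact query.

```powershell
# Added example (not part of the original post). Compares the computer's DN as
# cached by the Group Policy engine with the DN AD returns right now, so a
# "missed move" can be attributed to the client-side cache or to the directory.
# Assumption (verify in your environment): the GP engine stores the machine's
# DN under the State\Machine key below, in the value "Distinguished-Name".

$gpStateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine'

function Get-CachedComputerDn {
    # DN recorded by Group Policy at the last successful processing cycle.
    $props = Get-ItemProperty -Path $gpStateKey -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return [string]$props.'Distinguished-Name'
}

function Get-DirectoryComputerDn {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Look the computer object up by sAMAccountName (NetBIOS name plus a
    # trailing $) in the default naming context, the way a client would.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + [string]$rootDse.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    return [string]$result.Properties['distinguishedname'][0]
}

function Compare-ComputerLocation {
    $cached = Get-CachedComputerDn
    $live   = Get-DirectoryComputerDn
    # DNs are compared case-insensitively; either side missing means "not in sync".
    $inSync = ($cached -ne $null) -and ($live -ne $null) -and ($cached.ToLower() -eq $live.ToLower())
    New-Object PSObject -Property @{
        CachedDn = $cached
        LiveDn   = $live
        InSync   = $inSync
    }
}

# Run as an account that can read the key and query AD. If InSync stays $false
# after gpupdate /force, the stale value is local to the client; if both DNs
# agree but the old OU's GPOs still apply, look at which DC answered the query
# (replication latency) rather than at the client.
Compare-ComputerLocation | Format-List
```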

RE: [ActiveDir] how to access blocked site.

2006-11-13 Thread Darren Mar-Elia
Hmm. That's a dubious stretch. Does that mean all those folks in China that
find ways to bypass their government-controlled proxy are endangering us all
and should be stopped? There may be lots of legitimate reasons why someone
needs to do this. I don't think it should be assumed that suddenly we are
all at risk. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 13, 2006 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] how to access blocked site.

He's on the Internet isn't he?  If he infects/nails his firm, his firm in
turn could be a bot that attacks us all, right?

We're truly all on the same 'party line' here.  We all share the Internet,
so yeah... we all have the responsibility of doing what we can to keep the
bad guys from turning us into bad guys.

Ramon Linan wrote:
> LOL, Susan does he really work in your office? 
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, November 13, 2006 9:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] how to access blocked site.
>
> As an admin here
>
> You do know I could fire your assets if you do this at my office?
>
> You are introducing risks that as an employee, you don't have the 
> right to do at a firm.  There's a reason us annoying admins block this
stuff.
>
> Introduce risks at home please, and not on my watch, okay?
>
> Ajay Kumar wrote:
>   
>> Hi all,
>>
>>  
>>
>> It could be wrong question but I want to know
>>
>> about how to acess the restricted or blocked site, which is access 
>> denied from office.
>>
>> I know some tools work like K-PROXY, but it woks on some internet
>> 
> site.
>   
>> So please suggest me how to access blocked site.
>>
>> which can work well.
>>  
>>  
>> Thanks & Regards,
>> Ajay pardeshi
>> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] GPO Error on Domain Controller

2006-11-10 Thread Darren Mar-Elia
That indicates that something is preventing Admin. Template policy from running. 
Posting the relevant parts of userenv.log would be helpful.  

Darren
-Original Message-
From: "Paul G. DaSilva" <[EMAIL PROTECTED]>
Cc: ActiveDir@mail.activedir.org
Sent: 11/10/2006 10:43 AM
Subject: [ActiveDir] GPO Error on Domain Controller

I'm currently getting the following error on my domain controller. 

I'm receiving this on a server that runs, DC; DNS; DHCP services  
(it's  showing on  EventViewer\application every 5 minutes, after trying
to refresh a GPO) 
++ 
Event Type: Error 
Event Source: Userenv 
Event Category: None 
Event ID: 1000 
Date: 9/11/2006 
Time: 9:05:32 PM 
User: NT AUTHORITY\SYSTEM 
Computer:  Domain ControllerNameGoesHere  
Description: 
Windows cannot process extension Registry ProcessGroupPolicy. Return 
value (0x80004005). 


** 

I've enabled script debugging using the KB article 221833, but now I'm 
lost on what GPO is causing the issue. Any help would be great ... I can
post part of that log file 

-





RE: [ActiveDir] OT: M$

2006-11-09 Thread Darren Mar-Elia
I didn't honestly see anything in the risk factors of the 10Q that any other
software business doesn't declare. I read it as basically saying that
Microsoft has competition from various sources that could threaten its
business model. That's pretty normal. I think it's fair to say, based on the
big dividend disbursement they did, I want to say last year, that they have
plenty of spare cash. I can see it as being a big dilemma, actually.
Typically software companies use their cash, among other things, to do
acquisitions. But MS' precarious legal position around the world, I can
imagine, makes it really hard to do acquisitions that won't receive endless
scrutiny. Not that I'm feeling that sorry for them, but, from the
perspective of trying to run and grow the business, I imagine that would
frustrate more than one person in Redmond.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, November 09, 2006 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$

Keep reading down to the risk factors..  :-)

Merry, Joel (US - Philadelphia) wrote:
> Hey Susan, not quite sure what report you were looking at, but their
> FY06 10-K shows a net income of $12.6B with EPS of $1.21 and cash 
> dividends of $0.35/common share ... it also shows a positive cash flow 
> of $6.7B ... I'm no CPA, but I'm pretty sure that means they won't be 
> filing for bankruptcy protection anytime soon. :) And speaking of 
> AP/AR, as of that filing, they had $2.9B outstanding in AP and $2.0B 
> in AR for a net difference of $900M ... once again, I would hardly say 
> it's time to raise the red flag... :)
>  
>
>  
> --
> --
> *From:* Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
> [mailto:[EMAIL PROTECTED]
> *Sent:* Thu 11/9/2006 3:10 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] OT: M$
>
> (okay how embarrassing is it when I meant to say "Accounts payables"
> rather than "Accounts receivable")
>
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> > Some MVPs use that as well and when asked say they don't realize 
> > that it offends and just use it as slang.  But yeah if it's meant to 
> > imply that Microsoft is rolling in dough.. folks go grab the 10K... 
> > and stop looking at the cash account only, offset that with the 
> > accounts receivable and then go read the "Risk" analysis section of 
> > that annual report.  It's an interesting read.
> >
> > I honestly get more tired of the "oh but they have billions in the 
> > bank" comments.  (is that before the liabilities or after?)
> >
> > BTW...After the Novell deal can we start using $u$e now?  :-)
> >
> > Laura A. Robinson wrote:
> >> Just out of curiosity, what makes people think it's appropriate to 
> >> refer to Microsoft as "M$" on an MS-focused mailing list whose 
> >> participants include Microsoft employees, Microsoft contractors, 
> >> Microsoft MVPs and various other people who may have a relatively 
> >> positive view of Microsoft?
> >> 
> >> Laura
> >>
> >>
> >> 
> --
> --
> >> *From:* [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] *On Behalf Of
> >> *Jitendra Kalyankar
> >> *Sent:* Thursday, November 09, 2006 10:16 AM
> >> *To:* ActiveDir@mail.activedir.org
> >> *Subject:* Re: [ActiveDir] Beginner's Book on Scripting - WSH or
> >> VBScript?
> >>
> >> This is the link to M$ to start with...very good info
> >> 
> >> 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp
> >>
> >>
> >> -- Sincerely,
> >> J
> >>
> >>  On 11/9/06, *Stu Packett* <[EMAIL PROTECTED]
> >> > wrote:
> >>
> >> Hello everyone.  After reading through a lot of the posts on
> >> this mailing list, I realize I could make my job easier if I
> >> knew how to script.  I have no experience in scripting, but
> >> would like to know what books do you recommend as a beginner's
> >> book on scripting?  Also, I don't really know the difference
> >> between WSH and VBScript, so if anyone could explain that, I'd
> >> appreciate that.  After browsing through Amazon, I saw several
> >> books on WSH and VBScript, but don't know where I should focus
> >> on.  I'm also open to computer based training (CBT) videos if
> >> any exist.  Thanks in advance.
> >>
> >>
> >>
> >
>
> --
> Letting your vendors set your risk analysis these days? 
> http://www.threatcode.com
>
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... 
> I will hunt you down...
> http://blogs.technet.com/sbs
>

RE: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

2006-11-09 Thread Darren Mar-Elia



Also. Check out Don's site at www.scriptinganswers.com. Lots of 
good resources there. Since you're learning scripting anew, you might even want 
to consider jumping right into PowerShell, which is MS' new scripting 
environment. The TechNet scripting center cited below has links to PowerShell 
info. Books on that should be out shortly (I know you can pre-order on Amazon 
right now).
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 09, 2006 7:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

VBScript is one of the available providers for WSH, which is a scripting 
framework. JScript and VBScript are the two languages supported out of the box 
by WSH, but Perl and other scripting languages can plug into the framework. My 
number one resource for VBScript is the Script Center 
www.microsoft.com/technet/scriptcenter/default.mspx.

Thanks,
Andrew Fidel 

From: "Stu Packett" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 11/09/2006 09:59 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

Hello everyone.  After reading through a lot of the posts on this mailing list, I 
realize I could make my job easier if I knew how to script.  I have no 
experience in scripting, but would like to know what books do you recommend as a 
beginner's book on scripting?  Also, I don't really know the difference 
between WSH and VBScript, so if anyone could explain that, I'd appreciate that. 
 After browsing through Amazon, I saw several books on WSH and VBScript, 
but don't know where I should focus on.  I'm also open to computer based 
training (CBT) videos if any exist.  Thanks in advance. 



RE: [ActiveDir] Event ID 108

2006-11-08 Thread Darren Mar-Elia



Yes, if you deleted and recreated the GPO, it would have a 
different GUID. So I'm guessing that one of those packageRegistration objects is 
the package you've deployed and one is a package that has been removed. I can't 
think of any reason why software deployment would just fail like that, across 
GPOs. Can you successfully deploy another package--say adminpak.msi--just to see 
if it's something with that media you're using? 
 
Darren
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108


I did delete and recreate the deployment GPO so that may be the reason for the 
2 packages. However, since the GPO was deleted and recreated, wouldn't the new 
GPO have a different GUID? If so, then why would the old package be in the new 
GPO?

Additionally, the MSI package is directly from the Outlook 2003 media that 
works fine when run manually. Also, when I create other software deployment 
GPOs, they fail as well. The AIP that I used to create the GPO is the exact 
same AIP used on a different, w2k3 domain for a different client and it works 
fine. So I think the problem is with software deployment GPOs in general. Does 
that make sense?
 
OK, I will rename the DDP back to the default.
 
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 08, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108
 
Dan-
The 2 
packageRegistration objects represent two separate packages. The MSI and MST are 
referenced within the msiFileList attribute on each packageRegistration object. 
It's possible that one of those packageRegistration objects is a "removed" 
package--removed packages don't actually get deleted in AD--they just lie around 
forever :-). So, I'm not sure why you're getting errors since it does appear 
that the packages are getting created properly.
 
Renaming the DDP is not 
a problem for Windows, but it can be confusing to administrators looking at it. 
I would rename it back to "DDP" to avoid any 
confusion.
 
Darren
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108
Thanks for your help.

When I look in the SYSVOL folder, I do see the software deployment policy I 
have created. I can also see the policy in the \System\Policies AD container. 
There are 2 packageRegistration objects in the 
Domain\System\Policies\GUID\Machine\Class Store\Packages container. I assume 
one is for the MSI and one for the MST, correct? 
 
Yes, the “All Users and Computers” GPO does begin with “31B2F3…” Also, there 
is a container named “Default Domain Policy” under the System container in AD.

Does renaming the DDP cause problems? Would it be advisable to name it back to 
DDP?
 
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108
 
Dan-
I would resolve the 
problem before upgrading. It sounds like you have at least two things going 
on. First off, the sw. deployment error sounds like something deeply wrong with 
AD. The software installation data object referred to below is probably 
something called a packageRegistration object, which should exist in AD under 
the GPC portion of the GPO. The fact that you don't seem to have or be able to 
fix the DDP GPO is strange. What is the GUID of the "All Users and 
Workstations" GPO? If it starts with {31B2F3.., then it's probably just the DDP 
renamed.
 
Darren
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, November 06, 2006 5:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event ID 108
I am having a problem when deploying 
applications via GPO in a Windows 2000 SP4 AD domain. The clients do not receive 
the package and I receive Event ID 108 "There is no software installation data 
object in the Active Directory". 
I have followed the recommendations 
from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1, 
as well as from other MSKB articles, but without 
success.
I have deleted/recreated the GPO, 
msi and mst packages, but the problem persists.
 
This is a network I inherited and 
when looking around in AD I noticed that the “Default Domain Policy” has either 
been deleted or renamed because it no longer exists. The only policy bound to 
the domain is one called “All Users and Workstations”, which I do not re

RE: [ActiveDir] Event ID 108

2006-11-08 Thread Darren Mar-Elia



Dan-
The 2 packageRegistration objects represent two separate 
packages. The MSI and MST are referenced within the msiFileList attribute on 
each packageRegistration object. Its possible that one of those 
packageRegistration objects is a "removed" package--removed packages don't 
actually get deleted in AD--they just lie around forever :-). So, I'm not sure 
why you're getting errors since it does appear that the packages are getting 
created properly.
 
Renaming the DDP is not a problem for Windows, but it can 
be confusing to administrators looking at it. I would rename it back to "DDP" to 
avoid any confusion.
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108


Thanks for your help.

When I look in the SYSVOL folder, I do see the software deployment policy I 
have created. I can also see the policy in the \System\Policies AD container. 
There are 2 packageRegistration objects in the 
Domain\System\Policies\GUID\Machine\Class Store\Packages container. I assume 
one is for the MSI and one for the MST, correct? 
 
Yes, the “All Users and Computers” GPO does begin with “31B2F3…” Also, there 
is a container named “Default Domain Policy” under the System container in AD.

Does renaming the DDP cause problems? Would it be advisable to name it back to 
DDP?
 
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108
 
Dan-
I would resolve the 
problem before upgrading. It sounds like you have at least two things going 
on. First off, the sw. deployment error sounds like something deeply wrong with 
AD. The software installation data object referred to below is probably 
something called a packageRegistration object, which should exist in AD under 
the GPC portion of the GPO. The fact that you don't seem to have or be able to 
fix the DDP GPO is strange. What is the GUID of the "All Users and 
Workstations" GPO? If it starts with {31B2F3.., then it's probably just the DDP 
renamed.
 
Darren
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, November 06, 2006 5:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event ID 108
I am having a problem when deploying 
applications via GPO in a Windows 2000 SP4 AD domain. The clients do not receive 
the package and I receive Event ID 108 "There is no software installation data 
object in the Active Directory". 
I have followed the recommendations 
from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1, 
as well as from other MSKB articles, but without 
success.
I have deleted/recreated the GPO, 
msi and mst packages, but the problem persists.
 
This is a network I inherited and 
when looking around in AD I noticed that the “Default Domain Policy” has either 
been deleted or renamed because it no longer exists. The only policy bound to 
the domain is one called “All Users and Workstations”, which I do not recognize 
as a built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and 
netdiag /fix on the test-deploy workstations, but this has not solved the 
problem.
 
Everything else with the domain 
including authentication, name resolution, etc.. works fine, but I think this 
error may be evidence of a larger problem with AD.
 
We are planning on upgrading the 
domain to WS2k3 within the next few weeks. Does anyone think that may fix the 
problem? If not, would it be wise to put off the upgrade until this issue is 
resolved?
 
 
Thanks in advance for any 
help,
 
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
 


RE: [ActiveDir] Event ID 108

2006-11-07 Thread Darren Mar-Elia



Dan-
I would resolve the problem before upgrading. 
It sounds like you have at least two things going on. First off, the sw. 
deployment error sounds like something deeply wrong with AD. The software 
installation data object referred to below is probably something called a 
packageRegistration object, which should exist in AD under the GPC portion of 
the GPO. The fact that you don't seem to have or be able to fix the DDP GPO 
is strange. What is the GUID of the "All Users and Workstations" GPO? If it 
starts with {31B2F3.., then it's probably just the DDP 
renamed.
 
Darren
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, November 06, 2006 5:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event ID 108


I am having a problem when deploying 
applications via GPO in a Windows 2000 SP4 AD domain. The clients do not receive 
the package and I receive Event ID 108 "There is no software installation data 
object in the Active Directory". 
I have followed the recommendations 
from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1, 
as well as from other MSKB articles, but without 
success.
I have deleted/recreated the GPO, 
msi and mst packages, but the problem persists.
 
This is a network I inherited and 
when looking around in AD I noticed that the “Default Domain Policy” has either 
been deleted or renamed because it no longer exists. The only policy bound to 
the domain is one called “All Users and Workstations”, which I do not recognize 
as a built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and 
netdiag /fix on the test-deploy workstations, but this has not solved the 
problem.
 
Everything else with the domain 
including authentication, name resolution, etc.. works fine, but I think this 
error may be evidence of a larger problem with AD.
 
We are planning on upgrading the 
domain to WS2k3 within the next few weeks. Does anyone think that may fix the 
problem? If not, would it be wise to put off the upgrade until this issue is 
resolved?
 
 
Thanks in advance for any 
help,
 
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
 

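The checks Darren walks Dan through in the Event ID 108 thread (is the "All Users and Workstations" GPO really the Default Domain Policy under another name, and what packageRegistration objects and msiFileList entries does the GPO's Class Store actually hold) can be done in one pass over CN=Policies; the same pass also exposes the per-side version counters and the disabled-side flags behind Darren's later remark that a side whose version is 0 is never processed. This is an added example, not code from the thread; it assumes read access to the domain naming context and uses the Class Store path Dan cites.

```powershell
# Added example, not from the thread. Inventories the groupPolicyContainer (GPC)
# objects under CN=Policies,CN=System and, for each, the machine-side
# packageRegistration objects in its Class Store, so a renamed Default Domain
# Policy and leftover ("removed") deployment packages become visible, and the
# per-side version counters show which side of a GPO actually carries settings.
# Assumptions: read access to the domain NC; the Class Store path is the one
# cited in the thread (CN=Packages,CN=Class Store,CN=Machine,<GPC DN>).

# Well-known GUID of the Default Domain Policy; it is the same in every domain.
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

function Get-FirstValue($result, [string]$name, $default) {
    # DirectorySearcher results expose every attribute as a value collection;
    # return the first value, or the default when the attribute is not set.
    $values = $result.Properties[$name]
    if ($values -ne $null -and $values.Count -gt 0) { return $values[0] }
    return $default
}

function Get-GpoPackages([string]$GpcDn) {
    # Software Installation data lives below the GPC in AD, not in SYSVOL.
    $storePath = "LDAP://CN=Packages,CN=Class Store,CN=Machine,$GpcDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($storePath)) { return @() }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$storePath)
    $searcher.Filter = '(objectClass=packageRegistration)'
    foreach ($a in 'displayName','msiFileList','packageFlags') {
        $searcher.PropertiesToLoad.Add($a) | Out-Null
    }
    $packages = @()
    foreach ($p in $searcher.FindAll()) {
        $packages += New-Object PSObject -Property @{
            Package      = [string](Get-FirstValue $p 'displayname' '')
            # msiFileList holds "index:path" entries, one per .msi/.mst file.
            Files        = @($p.Properties['msifilelist'] | ForEach-Object { [string]$_ })
            PackageFlags = [int](Get-FirstValue $p 'packageflags' 0)
        }
    }
    return $packages
}

function Get-GpoInventory {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.Filter = '(objectClass=groupPolicyContainer)'
    foreach ($a in 'cn','displayName','flags','versionNumber','distinguishedName') {
        $searcher.PropertiesToLoad.Add($a) | Out-Null
    }
    $report = @()
    foreach ($r in $searcher.FindAll()) {
        $guid    = [string](Get-FirstValue $r 'cn' '')
        $dn      = [string](Get-FirstValue $r 'distinguishedname' '')
        $flags   = [int](Get-FirstValue $r 'flags' 0)
        $version = [int](Get-FirstValue $r 'versionnumber' 0)
        # versionNumber packs the user-side counter in the high 16 bits and the
        # computer-side counter in the low 16 bits; a side at 0 has no settings
        # and is skipped by the client whatever the flags attribute says.
        $userVersion     = [int][math]::Floor($version / 65536)
        $computerVersion = $version - ($userVersion * 65536)
        $report += New-Object PSObject -Property @{
            Guid                  = $guid
            DisplayName           = [string](Get-FirstValue $r 'displayname' '')
            IsDefaultDomainPolicy = ($guid -ieq $DefaultDomainPolicyGuid)
            UserVersion           = $userVersion
            ComputerVersion       = $computerVersion
            # flags: bit 1 = user side disabled, bit 2 = computer side disabled.
            UserSideDisabled      = (($flags -band 1) -ne 0)
            ComputerSideDisabled  = (($flags -band 2) -ne 0)
            Packages              = @(Get-GpoPackages $dn)
        }
    }
    return $report
}

# A GPO whose Guid matches $DefaultDomainPolicyGuid is the Default Domain Policy
# whatever its DisplayName says. Each package's Files should point at readable
# .msi/.mst paths; more packageRegistration objects than deployed applications
# means removed packages are still lying around in the GPC.
Get-GpoInventory | Format-List Guid, DisplayName, IsDefaultDomainPolicy, UserVersion, ComputerVersion, UserSideDisabled, ComputerSideDisabled, Packages
```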

RE: [ActiveDir] OT: Folder Redirection query

2006-11-02 Thread Darren Mar-Elia
Mark-
That sounds like your users are being created from some pre-created
template user? Normally, when FR occurs, it would not append the
administrator's account to those folders. 

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, November 02, 2006 3:58 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Folder Redirection query

Hello,

I have an issue that I have been meaning to resolve for a while - but keep
forgetting to ask for assistance.

When a user has a home drive mapped to H: and My Documents folder redirection
enabled to the root of H:, when they log on to the domain for the first time the
home drive has two sub directories created, Documents and Music. 

My issue is that these directories are prefixed with Administrator's not the
user name. Is there a method to fix this, for newly created accounts?

I have searched but cannot find the answer.



Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


RE: [ActiveDir] Change default User-Account-Control behavior

2006-11-02 Thread Darren Mar-Elia
This article,
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_user_interface_for_directory_objects.asp,
describes display
specifiers, which is what Guido is referring to here. It is possible to add,
for example, a context menu item to an object class in ADUC that calls a
script. So you could, for example, extend the OU container with a "New
Custom User" menu item that calls your custom user creation script. That's
pretty straightforward and doesn't require any programming outside of
writing the script and tweaking some display specifier objects in AD.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, November 02, 2006 12:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change default User-Account-Control behavior

Well, the tabs and even the user account creation dialog in AD can be
extended, it's just not an easy task to do for the normal administrator.
Some dev-work with c-programming would be involved. I'm not aware of
mechanisms to extend the UI or dialogs for local accounts.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Thursday, November 02, 2006 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Change default User-Account-Control behavior

Thanks Joe for the verification.  I couldn't find anything but figured if
anyone knew if it could be done.   They would be on this list.  :)

Steve Schofield
Windows Server MVP - IIS
ASPInsider Member - MCP

http://www.orcsweb.com/
Managed Complex Hosting
#1 in Service and Support


- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, November 01, 2006 5:58 PM
Subject: RE: [ActiveDir] Change default User-Account-Control behavior


> Nope. Scripts, batch files, and custom tools for you. :)
>
>
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
> Schofield
> Sent: Tuesday, October 31, 2006 2:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Change default User-Account-Control behavior
>
> Is it possible to change the default behavior when creating local or 
> AD user
>
> accounts?  I would like to set certain options when creating accounts 
> using normal tools without having to write a script.  Any tips / 
> advice is certainly appreciated.
>
> Steve Schofield
>
>
>



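What Darren describes, a "New Custom User" item on the OU context menu that runs a script, is done by appending an adminContextMenu value to the organizationalUnit display specifier for the locale in use. The script below is an added example, not from Darren's post or the MSDN article; the share path is a placeholder, the 0x409 (US English) locale and write access to the display specifier (Enterprise Admins by default) are assumptions, and ADUC must be restarted to show the new item.

```powershell
# Added example, not from the post. Registers a context-menu item on the
# organizationalUnit display specifier for one locale so that right-clicking an
# OU in ADUC offers "New Custom User" and launches your script, and removes it
# again. Assumptions: write access to CN=DisplaySpecifiers in the Configuration
# NC, the placeholder script path below, and a restart of ADUC afterwards.

$MenuText   = 'New Custom User'
$ScriptPath = '\\fileserver\admin$\NewCustomUser.vbs'   # placeholder, not a real path

function Get-OuDisplaySpecifier([int]$LocaleId = 0x409) {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configDn  = [string]$rootDse.configurationNamingContext
    $hexLocale = '{0:X}' -f $LocaleId          # 0x409 -> "409"
    return [ADSI]"LDAP://CN=organizationalUnit-Display,CN=$hexLocale,CN=DisplaySpecifiers,$configDn"
}

function Get-NextMenuIndex($specifier) {
    # adminContextMenu values are "index,Menu text,command"; the index orders
    # the items, so pick one above any value already present.
    $max = -1
    foreach ($v in @($specifier.adminContextMenu)) {
        if ([string]$v -match '^(\d+),') {
            $i = [int]$matches[1]
            if ($i -gt $max) { $max = $i }
        }
    }
    return $max + 1
}

function Add-OuContextMenuItem {
    param([string]$Text, [string]$Command, [int]$LocaleId = 0x409)
    $spec = Get-OuDisplaySpecifier $LocaleId
    foreach ($v in @($spec.adminContextMenu)) {
        if ([string]$v -like "*,$Text,*") { return [string]$v }   # already registered
    }
    $value = '{0},{1},{2}' -f (Get-NextMenuIndex $spec), $Text, $Command
    # ADUC starts $Command with the selected OU's ADsPath and object class as
    # arguments, which is what a custom user-creation script needs.
    $spec.PutEx(3, 'adminContextMenu', @($value))   # ADS_PROPERTY_APPEND = 3
    $spec.SetInfo()
    return $value
}

function Remove-OuContextMenuItem {
    param([string]$Text, [int]$LocaleId = 0x409)
    $spec = Get-OuDisplaySpecifier $LocaleId
    $existing = @(@($spec.adminContextMenu) | Where-Object { [string]$_ -like "*,$Text,*" })
    if ($existing.Count -eq 0) { return $false }
    $spec.PutEx(4, 'adminContextMenu', $existing)   # ADS_PROPERTY_DELETE = 4
    $spec.SetInfo()
    return $true
}

# Register the item; run Remove-OuContextMenuItem -Text $MenuText to back it out.
Add-OuContextMenuItem -Text $MenuText -Command $ScriptPath
```

Only the script named in the value runs, so keep it on a share that ordinary users cannot modify; the display specifier is forest-wide and every ADUC console in that locale will offer the item.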

RE: [ActiveDir] Assign User rights overs computers with AD

2006-10-06 Thread Darren Mar-Elia



Minor nit below. Otherwise, spot on 
observations.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Just to cover some things:

GPOs can make adjustments to computer *or* user object policies.  The only way 
to override these settings is to use the 'loopback processing' option (this 
can be ugly and I prefer to avoid it).  If you have computer settings set on a 
GPO on an OU, it will only apply to computer objects within that OU, user 
settings only apply to users within that OU (again, excepting loopback 
processing within that GPO).  This is one of the big reasons why people 
usually only put computer *or* user objects within a particular OU.  It allows 
you to disable the portion of the GPO that isn't going to get applied to the 
objects within the OU (disable user settings on GPOs for computer OUs - unless 
you're using loopback processing and disable computer settings for GPOs on 
user OUs).  There's really no reason to have a computer downloading user 
settings when it's not necessary and vice-versa.  

This won't happen regardless. A computer account would never "download" user 
settings, even if the user side of a GPO is enabled. Disabling a GPO side is 
somewhat meaningless because if the side has no policy in it (i.e. its version 
is 0) then it won't be processed anyway. The only time this is useful is if you 
have settings on a side and you, for whatever reason, don't want them to be 
processed. It's kind of a way of blocking settings that would otherwise be 
applied by disabling them. 

This way, you end up with managing your computer settings separately from your 
user settings.  Common computer settings: Disabling security-related settings, 
adjusting auditing (event logs, etc) ACLing directories.  Common user 
settings: Setting environmental variables (default home page, home directory, 
application settings like Office settings, etc...).  Usually the only time you 
want to put user settings on a computer OU (and enable loopback processing) is 
for kiosk type computers and then you probably want to make sure that you do 
something to make sure that it doesn't apply for Administrators.  It's usually 
easier to put these settings on an OU for accounts that will be used for that 
type of workstation though, so you don't have to worry about loopback. 

As many other people stated though, trying to restrict administrators on 
workstations will as often as not end up with a series of headaches because of 
applications that require the user to be a local administrator on the 
computer.  Whether this is because of poor programming on the part of the 
application developers or something else, it doesn't matter.  Unless you know 
that your users won't need to be local admins, you may want to handle this in 
a very controlled and well tested manner, possibly testing all of your 
applications with a non-admin account before pushing this setting out to the 
users. 
On 9/29/06, Dave Wade <[EMAIL PROTECTED]> wrote:

  I know it's over a week since I sent this, but on thinking it's probably worth 
  expanding on this. The OU structure is in place to provide two functions:

  1) Delegation of management and administration.
  2) Application of Group Policy

  Now because the OU structure is the "ONLY" way to provide delegated admin, that 
  needs to be the "Primary" driver when designing the OU structure.

  So if you want different people managing Computers and Users, and, like me, you 
  like to keep the user and computer policies separate, it makes sense to have 
  Computers and Users in separate OU trees. Because you can't apply a GPO to the 
  "Users" and "Computers" containers it also makes sense not to use these OUs.

  On the other hand, if you have a very devolved management structure, and you are 
  happy with devolved management of the users and computers, then it might make 
  sense to have an OU tree where the top levels represent management units and you 
  store both computers and users in these trees.

  Personally I don't like this approach, but for some organization structures it 
  may be better...

  Dave.
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
  Sent: 23 September 2006 20:50
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Assign User rights overs computers with AD

  I usually move them out as you can't apply GPO at the "computers" level...

  From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
  Sent: Fri 22/09/2006 22:40
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Assign User rights overs computers with AD

  Hey Dave. Do you mean separate trees under root "computers"? or Create different 
  OU's for computers?

  On 9/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
  Sep
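An added example (mine, not Darren's or the list's code) that makes the "version 0 / side disabled" rule above concrete: it reads the two groupPolicyContainer attributes that drive that decision and reports which side a client would actually process. The bit layout of versionNumber (computer version in the low 16 bits, user version in the high 16 bits) and the flags values (1 = user side disabled, 2 = computer side disabled) are stated as assumptions in the comments; the GPO names and values are constructed.

```powershell
# Added example, not from the list: decide from a GPO's AD attributes which
# sides a client would process. Assumed layout: versionNumber keeps the
# computer version in the low 16 bits and the user version in the high 16;
# flags bit 1 = user side disabled, bit 2 = computer side disabled.
function Get-GpoSideStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][int64]$VersionNumber,
        [Parameter(Mandatory)][int]$Flags
    )
    $versions = @{
        Computer = [int]($VersionNumber -band 0xFFFF)
        User     = [int](($VersionNumber -shr 16) -band 0xFFFF)
    }
    $disabled = @{
        User     = ($Flags -band 1) -ne 0
        Computer = ($Flags -band 2) -ne 0
    }
    foreach ($side in 'Computer', 'User') {
        $v = $versions[$side]
        $d = $disabled[$side]
        # A side is processed only when it has ever been written to (version > 0)
        # and has not been explicitly disabled on the GPO. That is Darren's point:
        # disabling an empty side changes nothing, disabling a populated one blocks it.
        $reason = if ($d -and $v -gt 0) { 'settings present but side disabled: blocked' }
                  elseif ($d)           { 'side disabled, but it is empty anyway' }
                  elseif ($v -eq 0)     { 'version 0: nothing to process' }
                  else                  { 'processed' }
        [pscustomobject]@{
            GPO       = $DisplayName
            Side      = $side
            Version   = $v
            Disabled  = $d
            Processed = (-not $d -and $v -gt 0)
            Reason    = $reason
        }
    }
}

# Constructed sample values standing in for what Get-ADObject returns from the
# groupPolicyContainer objects under CN=Policies,CN=System.
$samples = @(
    @{ DisplayName = 'Workstation Lockdown'; VersionNumber = 0x00050003; Flags = 0 }  # user 5 / computer 3, both processed
    @{ DisplayName = 'Computer Auditing';    VersionNumber = 0x00000007; Flags = 1 }  # user side empty and disabled: no effect
    @{ DisplayName = 'Kiosk Settings';       VersionNumber = 0x00020002; Flags = 2 }  # computer side populated but disabled: blocked
)
$samples | ForEach-Object { $p = $_; Get-GpoSideStatus @p } |
    Format-Table GPO, Side, Version, Disabled, Processed, Reason -AutoSize

# Against a live domain (ActiveDirectory module; not run here):
# Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
#     -Properties displayName, versionNumber, flags |
#     ForEach-Object { Get-GpoSideStatus -DisplayName $_.displayName `
#                                         -VersionNumber $_.versionNumber -Flags $_.flags }
```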

RE: [ActiveDir] Disk Space Hogs

2006-10-06 Thread Darren Mar-Elia
I've used/liked FolderSizes (www.foldersizes.com)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Comeau
Sent: Friday, October 06, 2006 8:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs

Is there a tool or utility out there that I can find out who/what/when has
been eating up disk space on the server?  I would like to see who is hogging
up space with a parameter of "by date".

Thank you.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

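An added example (not from the thread, and not FolderSizes) that answers Steve's who/what/when question with built-in tooling: one pass over a tree, then usage summed by file owner, by containing folder and by last-write date, so growth can be bracketed "by date". The path and date window are placeholders.

```powershell
# Added example, not from the list: who/what/when disk usage report for a
# server path. Assumes the caller can read the tree and its ACLs.
function Get-DiskUsageReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-30),   # "by date": only files written since
        [int]$Top = 15
    )
    # One pass over the tree; the owner lookup needs an ACL read per file, so
    # only files written since the cut-off are examined.
    $rows = Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $owner = 'unknown'
            try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
            [pscustomobject]@{
                Owner  = $owner
                Day    = $_.LastWriteTime.ToString('yyyy-MM-dd')
                Folder = $_.DirectoryName
                Bytes  = $_.Length
            }
        }

    # Sum bytes per distinct value of one column and keep the biggest entries.
    function Sum-By([string]$Key) {
        $rows | Group-Object $Key | ForEach-Object {
            [pscustomobject]@{
                $Key  = $_.Name
                Files = $_.Count
                MB    = [math]::Round(($_.Group | Measure-Object Bytes -Sum).Sum / 1MB, 1)
            }
        } | Sort-Object MB -Descending | Select-Object -First $Top
    }

    [pscustomobject]@{
        Who  = Sum-By Owner    # who: by file owner
        What = Sum-By Folder   # what: by containing folder
        When = Sum-By Day      # when: by last-write date
    }
}

# Example call (not run here):
# $r = Get-DiskUsageReport -Path 'D:\Shares' -Since (Get-Date).AddDays(-7)
# $r.When | Format-Table; $r.Who | Format-Table; $r.What | Format-Table -AutoSize
```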


RE: [ActiveDir] OT: wikis

2006-10-05 Thread Darren Mar-Elia
You mean Jet Blue doesn't have TV on their flights??? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: wikis

Except when 99% of the common wisdom about something is wrong, like in the
case of ESE / JET Blue ... ;-)

Cheers,
-BrettSh

On Thu, 5 Oct 2006, Greg Nims wrote:

> 
> > It's funny how we quote wikis as definitive sources of information, 
> > when they can be edited by anyone and everyone :)
> >
> > Who vets the edits and how much does that person know about the 
> > subject matter??
> 
> Anyone can edit, which is why they are generally correct.  When 
> 100,000 people view a record, and 2 people want to change it to be 
> incorrect,
> 999,998 will want to correct it.
> 
> I wouldn't use a wiki as a great historical or technical source.  But 
> for encyclopedia entries, which give a good summation of a subject, 
> they are great.
> 
> 
> 



RE: [ActiveDir] Folder Redirection Issue

2006-10-04 Thread Darren Mar-Elia




Dan-
Have you tried running FileMon on a problem workstation, filtered on Outlook.exe? 
That might show you what is going on. It's possible that Outlook needs some 
permissions on the root (e.g. List Folder Contents) when it does its attachment 
saving? FileMon should show you where you're getting the Access Denied.
 
Darren
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- 
the best source for GPO FAQs, video training, tools and whitepapers. Also check 
out the Windows Group Policy Guide, the definitive resource for Group Policy 
information.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue


I am having a weird problem with folder redirection. I have set the My Documents 
redirection to the "subfolder of the root drive" option and set the path to the 
homefolders directory (\\servername\homefolders$). This is supposed to redirect 
users' My Documents to \\servername\homefolders$\%username%\my documents and it 
does. The users log onto their PCs and open their My Documents folder fine, and 
looking at the properties of their My Documents folder confirms that the 
redirection is working properly. The problem is in certain applications, namely 
Outlook 2003 (all latest patches and SPs applied). When a user goes to save an 
attachment, for example, and clicks on My Documents in the save dialog, they 
receive the error "cannot access \\servername\homefolders$", which makes sense 
since the users do not have access to the homefolders$ share, just to their 
subfolder. So Outlook, for some reason, is not drilling down into the user's My 
Documents in the home folder, but instead is trying to access the root of the 
homefolders$ share. In other Office apps, My Documents works fine. There are 
also no event log entries that reference this issue.
 
I am stuck here as I am unable to 
find any KB articles that discuss this. Does anyone have any suggestions? I have 
not yet reinstalled Outlook because all other Office apps work fine. Office was 
deployed to the workstations via group policy using an AIP and MST 
transform.
 
 
Any help would be greatly 
appreciated.
 
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
 


RE: RE: [ActiveDir] OT: DesktopStandard acquired by Microsoft

2006-10-02 Thread Darren Mar-Elia



Swimming upstream makes you stronger right? Or is it that 
you swim upstream to spawn and die? Hmmm. Well, anyway, long time in coming Al. 
I figured now it was time to put up or shut up :)
 
Darren
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 02, 2006 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] OT: DesktopStandard acquired by Microsoft
Oh sure, swim upstream why don't you? When did/does this come 
about Darren?  Congratulations - and we look forward to some high-quality 
tools coming from you. I do at least. :)
On 10/2/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

  Haha. This is the first time I've been on the receiving end Deji. You can't blame 
  ME for this one :). Just for the record, I'm not going to MS 
  (http://blogs.dirteam.com/blogs/gpoguy/archive/2006/10/02/DesktopStandard-acquired-by-Microsoft.aspx)

  Darren

  -Original message-
  From: [EMAIL PROTECTED]
  Date: Mon,  2 Oct 2006 15:11:37 -0400
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DesktopStandard acquired by Microsoft

  > What's with you and acquisitions, dude? :-p
  >
  > Sincerely,
  > Microsoft MVP - Directory Services
  > www.akomolafe.com http://www.akomolafe.com - we know IT
  > -5.75, -3.23
  > Do you now realize that Today is the Tomorrow you were worried about
  > Yesterday? -anon
  >
  > From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
  > Sent: Mon 10/2/2006 9:47 AM
  > To: ActiveDir@mail.activedir.org
  > Subject: [ActiveDir] OT: DesktopStandard acquired by Microsoft
  >
  > http://www.desktopstandard.com/PressReleases/02Oct2006.aspx
  >
  > In case anyone is interested...
  >
  > Darren Mar-Elia
  > For comprehensive Windows Group Policy Information, check out www.gpoguy.com
  > <http://www.gpoguy.com/> -- the best source for GPO FAQs, video training,
  > tools and whitepapers. Also check out the Windows Group Policy Guide
  > <http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155>,
  > the definitive resource for Group Policy information.
  


Re: RE: [ActiveDir] OT: DesktopStandard acquired by Microsoft

2006-10-02 Thread Darren Mar-Elia
Haha. This is the first time I've been on the receiving end Deji. You can't 
blame ME for this one :). Just for the record, I'm not going to MS 
(http://blogs.dirteam.com/blogs/gpoguy/archive/2006/10/02/DesktopStandard-acquired-by-Microsoft.aspx)

Darren

-Original message-
From: [EMAIL PROTECTED]
Date: Mon,  2 Oct 2006 15:11:37 -0400
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DesktopStandard acquired by Microsoft

> What's with you and acquisitions, dude? :-p
>  
> 
> Sincerely, 
> Microsoft MVP - Directory Services
> www.akomolafe.com http://www.akomolafe.com>  - > we
> know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
> 
> ________
> 
> From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
> Sent: Mon 10/2/2006 9:47 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: DesktopStandard acquired by Microsoft
> 
> 
>  
> http://www.desktopstandard.com/PressReleases/02Oct2006.aspx
>  
>  
> In case anyone is interested...
>  
>  
> Darren Mar-Elia
> For comprehensive Windows Group Policy Information, check out www.gpoguy.com
> <http://www.gpoguy.com/> -- the best source for GPO FAQs, video training,
> tools and whitepapers. Also check out the Windows Group Policy Guide
> <http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155>,
> the definitive resource for Group Policy information.
>  
>  


[ActiveDir] OT: DesktopStandard acquired by Microsoft

2006-10-02 Thread Darren Mar-Elia



 
http://www.desktopstandard.com/PressReleases/02Oct2006.aspx
 
 
In case anyone is 
interested...
 
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- 
the best source for GPO FAQs, video training, tools and whitepapers. Also check 
out the Windows Group Policy Guide, the definitive resource for Group Policy 
information.
 
 


RE: [ActiveDir] Struggling to find AD authentication code

2006-09-26 Thread Darren Mar-Elia



You actually shouldn't have to use Interop or 
PInvoke like that to authenticate to AD using VB.Net. I do it all the time 
in WinForms using the DirectoryEntry class, which allows you to pass creds 
to your AD connection. You just need to front those creds with a simple form and 
away you go. Just check out the VS docs on DirectoryEntry. Also, if you plan to 
do a lot of .Net programming against AD, I would highly suggest this book: http://www.amazon.com/Developers-Directory-Programming-Microsoft-Development/dp/0321350170/sr=8-1/qid=1159285094/ref=pd_bbs_1/102-7103604-3390566?ie=UTF8&s=books
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Tuesday, September 26, 2006 7:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Struggling to find AD authentication code


Thanks for that. Great blog by the 
way.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 26 September 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Struggling to find AD authentication code
 
Look 
at the example for calling the LogonUser() API on my website – scroll down a bit www.briandesmond.com.
 

Thanks,
Brian 
Desmond
[EMAIL PROTECTED]
 
c 
- 312.731.3132
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Tuesday, September 26, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Struggling to find AD authentication code
 
Hi,
 
Can anyone point me in the direction 
of some VB.Net examples of authenticating users 
against AD using a Windows form and not asp.net? All the examples I can find are forms based 
authentication for asp.net. I’ve 
loaded the template ‘Login Form’ included with VB 2005 unfortunately there 
appears to be no sample code of AD authentication that I can 
see.
 
Any help very much 
appreciated.
 
Regards
 
Steven 
 
 
 
 
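The DirectoryEntry-with-credentials pattern Darren describes, as an added example of my own (not code from the list, from Darren, or from the book he cites) written in PowerShell against the same .NET class a VB.NET WinForms app would call. It assumes a reachable domain controller for the domain passed in; the domain name in the usage line is a placeholder.

```powershell
# Added example, not from the list: validate a user name and password against
# AD by binding a DirectoryEntry with those credentials, the approach Darren
# suggests instead of P/Invoking LogonUser(). Assumes the DC is reachable.
Add-Type -AssemblyName System.DirectoryServices

function Test-AdCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,          # DNS domain name the form targets
        [Parameter(Mandatory)][string]$UserName,        # sAMAccountName typed into the form
        [Parameter(Mandatory)][securestring]$Password   # from a PasswordBox / Read-Host -AsSecureString
    )
    # The bind needs the clear-text password briefly; release the unmanaged
    # copy as soon as the DirectoryEntry has been constructed.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Secure = Negotiate (Kerberos/NTLM), so the password is not sent in the
        # clear as an LDAP simple bind would; Sealing encrypts the session.
        $auth  = [System.DirectoryServices.AuthenticationTypes]'Secure, Sealing'
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Domain", "$UserName@$Domain", $plain, $auth)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    try {
        # The constructor does not contact the DC; touching NativeObject forces
        # the bind, which throws if the credentials are rejected.
        $null = $entry.NativeObject
        [pscustomobject]@{ UserName = $UserName; Authenticated = $true
                           Detail = "bound to $($entry.Path)" }
    } catch [System.Runtime.InteropServices.COMException] {
        # 0x8007052E = ERROR_LOGON_FAILURE (bad name or password). Other HRESULTs
        # usually mean the DC could not be reached; do not report those as a
        # bad password. Note each rejected bind counts toward account lockout.
        [pscustomobject]@{ UserName = $UserName; Authenticated = $false
                           Detail = ('0x{0:X8} {1}' -f $_.Exception.ErrorCode, $_.Exception.Message.Trim()) }
    } finally {
        $entry.Dispose()
    }
}

# Usage from a form's button handler or the console (not run here):
# $cred = Get-Credential
# Test-AdCredential -Domain 'corp.example.com' -UserName $cred.UserName -Password $cred.Password
```

This only validates the credentials; unlike LogonUser() it does not produce a Windows logon token the application could impersonate.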


RE: [ActiveDir] Replace UNC by DFS path in Group Policy

2006-09-25 Thread Darren Mar-Elia
That can be pretty complicated. I am assuming that you have those paths
sprinkled through lots of different policy areas? The answer to that will
depend upon how complicated the problem is. If it's just folder redirection
and then the path defined in AD on each user object for home drive and
profile then it's less of a GP problem than an AD problem. 

If not, and you have to change the path throughout lots of policy areas,
then one thing you could try is using a migration table. Migration tables
come with GPMC and are designed to replace things like security principals
and paths when you are migrating a GPO from one forest or domain to another.
Problem is that I think it would be pretty invasive doing it this way
because essentially you need to backup your existing GPOs and then re-import
the changed ones over them.  

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lev Zdenek
Sent: Monday, September 25, 2006 4:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replace UNC by DFS path in Group Policy


Hello everyone.
What is the simplest way (not manually editing) to replace the UNC path (folder
redirection, home drive, profile path) with the new W2K3 R2 DFS path in my Group
Policy? I have about 200 group policies with this "problem".
THX


Zdenek Lev



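Both halves of Darren's answer, as an added example of my own rather than anything from the list or from GPMC: a migration table that maps each old UNC root to its DFS path, the backup-then-re-import-over-the-same-GPO step he calls invasive, and the "AD problem" half (homeDirectory and profilePath rewritten on the user objects). It assumes the GroupPolicy and ActiveDirectory PowerShell modules (later than the 2006 tooling, but the same migtable format GPMC uses), a domain-admin session, and constructed server, DFS and OU names; that a migration-table source must match the path exactly as stored in the GPO is an assumption noted in the comments.

```powershell
# Added example, not from the list: replace UNC roots with DFS paths in GPOs
# via a migration table, and on user objects via Set-ADUser. Names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Constructed mapping of old server-based roots to the new DFS namespace.
$PathMap = @{
    '\\fs01\homefolders$' = '\\corp.example.com\dfs\home'
    '\\fs01\profiles$'    = '\\corp.example.com\dfs\profiles'
    '\\fs02\apps$'        = '\\corp.example.com\dfs\apps'
}

function New-UncMigrationTable {
    param([Parameter(Mandatory)][hashtable]$Map, [Parameter(Mandatory)][string]$OutFile)
    # GPMC migration table: one <Mapping> per value; Type UNCPath covers folder
    # redirection, software installation and script paths. Assumed: <Source> must
    # match the path exactly as it is stored in the GPO.
    $ns = 'http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable'
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<?xml version="1.0" encoding="utf-16"?>')
    [void]$sb.AppendLine("<MigrationTable xmlns=`"$ns`">")
    foreach ($src in $Map.Keys) {
        $s = [System.Security.SecurityElement]::Escape($src)
        $d = [System.Security.SecurityElement]::Escape($Map[$src])
        [void]$sb.AppendLine("  <Mapping><Type>UNCPath</Type><Source>$s</Source><Destination>$d</Destination></Mapping>")
    }
    [void]$sb.AppendLine('</MigrationTable>')
    # Write as UTF-16 to match the XML declaration, whichever host writes it.
    [System.IO.File]::WriteAllText($OutFile, $sb.ToString(), [System.Text.Encoding]::Unicode)
    $OutFile
}

function Update-GpoUncPaths {
    param([Parameter(Mandatory)][string]$BackupPath, [Parameter(Mandatory)][string]$MigrationTable, [switch]$DryRun)
    # Back up everything first: Import-GPO overwrites the target GPO's settings in
    # place (the invasive part Darren warns about), so keep the backup until verified.
    $backups = Backup-GPO -All -Path $BackupPath
    foreach ($b in $backups) {
        # Only touch GPOs whose report actually references one of the old roots.
        $report = Get-GPOReport -Guid $b.GpoId -ReportType Xml
        $hit = @($PathMap.Keys | Where-Object { $report -like "*$_*" })
        if ($hit.Count -eq 0) { continue }
        if ($DryRun) { "Would update '$($b.DisplayName)' ($($hit -join ', '))"; continue }
        Import-GPO -BackupId $b.Id -Path $BackupPath -TargetName $b.DisplayName -MigrationTable $MigrationTable | Out-Null
        "Updated '$($b.DisplayName)'"
    }
}

function Update-UserHomePaths {
    param([Parameter(Mandatory)][string]$SearchBase, [switch]$DryRun)
    # homeDirectory and profilePath are plain user attributes, not policy: rewrite
    # any that still start with an old root and keep the per-user tail.
    $users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties homeDirectory, profilePath
    foreach ($u in $users) {
        $changes = @{}
        foreach ($attr in 'homeDirectory', 'profilePath') {
            $val = $u.$attr
            if (-not $val) { continue }
            foreach ($old in $PathMap.Keys) {
                if ($val.StartsWith($old, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $changes[$attr] = $PathMap[$old] + $val.Substring($old.Length)
                }
            }
        }
        if ($changes.Count -eq 0) { continue }
        if ($DryRun) { "Would set $($u.SamAccountName): $(($changes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ')" }
        else         { Set-ADUser -Identity $u -Replace $changes }
    }
}

# Run order (not executed here): dry run first, then for real.
# $mt = New-UncMigrationTable -Map $PathMap -OutFile 'C:\GPOMigration\unc-to-dfs.migtable'
# Update-GpoUncPaths   -BackupPath 'C:\GPOMigration\Backups' -MigrationTable $mt -DryRun
# Update-UserHomePaths -SearchBase 'OU=Users,DC=corp,DC=example,DC=com' -DryRun
```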


RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Darren Mar-Elia



Brian-
You might want to run TCPView on the DC (http://www.sysinternals.com/Utilities/TcpView.html). 
It will tell you which process owns the communication on that port. 

 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 21, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139
And it's not the computer browser service that's initiating the calls? 

On 9/21/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

  Yeah this is an internal firewall and the hosts are well known. I'm certainly 
  not allowing NBT traffic from the Internet to anything…

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, September 21, 2006 12:01 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139
  
  
   
  It's very to extremely common to see this traffic hitting a firewall. It's one 
  of the first places nmap, nessus, et al. will look. Best practice would be to 
  block this unnecessary traffic from the internet segment both incoming and 
  outgoing. Unless you're connecting directly through the Internet to another 
  site. Then I'd suggest using an encrypted VPN. For fun you can see what DShield, 
  part of ISC SANS, has reported via firewall logs to them from around the world. 
  Here's the link for port 137: 
  http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40 
  You can check all your favorite ports this way. As you can see you're not alone 
  in seeing a great deal of interest on this port, even though it didn't make 
  today's 'Top 10'.

  Brent Eads
  Employee Technology Solutions, Inc.
  Office: (312) 762-9224
  Fax:    (312) 762-9275
  


  
"Brian Desmond" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/21/2006 09:36 AM
Please respond to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

  Yeah I know about going client -> DC. I'm trying to figure out why the *DC* is 
  establishing connections to the client.

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, September 21, 2006 6:05 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

  netbios-ns      137/tcp    NETBIOS Name Service
  netbios-ns      137/udp    NETBIOS Name Service
  netbios-dgm     138/tcp    NETBIOS Datagram Service
  netbios-dgm     138/udp    NETBIOS Datagram Service
  netbios-ssn     139/tcp    NETBIOS Session Service
  netbios-ssn     139/udp    NETBIOS Session Service

  It's been a while, but you may find that all 3 are needed. If memory serves - 
  137 is used to resolve names; 138 to send/receive data; 139 to establish and 
  maintain the session.

  neil

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
  Sent: 21 September 2006 09:30
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139

  It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB 
  sessions using both 445 and 137/8/9 (whichever one). The first to reply is what 
  is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over 
  NetBIOS over TCP/IP (NetBT).

RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Darren Mar-Elia



I smell sulfur... ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!


Yikes! Is it Halloween yet?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!
Be afraid  Be very afraid!  :-)



Rick




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia



I hear you joe. I think it depends upon the environment and its goals. I'm 
generally against implicit stuff like blocking flags because it's hard for 
people to troubleshoot. I'm also not terribly thrilled with the notion, in large 
environments, of having to manage 10s or 100s of gplinks and their attendant 
flags (enabled, disabled, enforced) separately when the target is the entire 
domain anyway, esp. if you have lots of nested OUs because then you have to 
expect people to make consistent decisions about where in the hierarchy they 
need to link, and over time, it just gets messy. But frankly security group 
filtering can suffer the same complexity problems and groups are probably less 
well maintained than OU structure in most orgs. I think security group filtering 
is best used as an exception mechanism rather than a normal course of things. As 
an exception mechanism, I tend to prefer it over blocking or enforcing. 

 
d.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 15, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

For a point / counter point kind of discussion. I am 
against, generally speaking[1], group filtering on GPOs as I have seen it go 
horribly wrong[2] and would rather look at putting the links on the OUs. I don't 
find that to be a particularly painful task, especially considering that I 
usually push for a very fixed OU structure such that when a new site or what not 
is spun up, there is a script that sets the entire OU structure up including 
needed admin groups, any delegation, and any gPLinks. 
 
  joe
 
 
[1] Meaning I am not absolutely against it but it needs to 
be a great reason. Say something for auto deploying certs and you have no 
matching OU structure for the deployment you want to implement. 

 
[2]  Once saw an ACL reset on GPOs when a script that 
worked perfectly in the lab blew up in production and the resultant set of 
policies was a completely locked down kiosk that was applied to 
hundreds of thousands of users and machines (both workstations and servers) 
across the world. Thankfully it occurred on a Wednesday evening 6PM EST so the 
fallout was not 100% but mostly only on the west coast of the US and 
Australia/New Zealand. Nope, I didn't write the script. ;o)  I have seen 
lesser issues and heard of some other folks who have run into some fun with 
them. 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, September 15, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Yes, but there are times when you want to affect all machines or users in a 
domain and it's a pain to have to link those policies to every OU. Domain-linked 
GPOs are useful but you do have to be explicitly aware of what you're targeting. 
That's why I like using explicit security group filtering rather than implicit 
blocking or enforcing. It's easier to troubleshoot (esp. on Win2K without RSOP). 
 
Darren
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

It seems to me that a better solution is to only put the 
password policy into the default domain GPO, and create a separate GPO for any 
other settings to apply to the OUs. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU

Well at one of the customers, they have around 10 to 15 GPOs applied at domain 
level, for various purposes ranging from software deployment to other settings.
So they didn't want many of those GPOs to be applied to domain controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.

So only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.

This helped for keeping a consistent password policy across all OUs and Domain.
And also "saving" DCs from domain level general purpose GPOs.

Long term, solution is to rethink the OU structure.

Kamlesh
On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: 

  Well, the obvious effect is that it prevents domain-linked policies from being 
  delivered correctly, including password policy. This is probably not desirable. 
  I can't think of a good scenario where this would be useful. 

  Darren
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, September 13, 2006 9:37 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Block Inheritanc

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia



Yes, but there are times when you want to affect all machines or users in a 
domain and it's a pain to have to link those policies to every OU. Domain-linked 
GPOs are useful but you do have to be explicitly aware of what you're targeting. 
That's why I like using explicit security group filtering rather than implicit 
blocking or enforcing. It's easier to troubleshoot (esp. on Win2K without RSOP). 
 
Darren
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

It seems to me that a better solution is to only put the 
password policy into the default domain GPO, and create a separate GPO for any 
other settings to apply to the OUs. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU

Well at one of the customers, they have around 10 to 15 GPOs applied at domain 
level, for various purposes ranging from software deployment to other settings.
So they didn't want many of those GPOs to be applied to domain controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.

So only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.

This helped for keeping a consistent password policy across all OUs and Domain.
And also "saving" DCs from domain level general purpose GPOs.

Long term, solution is to rethink the OU structure.

Kamlesh
On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: 

  Well, the obvious effect is that it prevents domain-linked policies from being 
  delivered correctly, including password policy. This is probably not desirable. 
  I can't think of a good scenario where this would be useful. 

  Darren
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, September 13, 2006 9:37 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Block Inheritance on DC OU
  
  
  
  The company I am currently working for has "block inheritance" enabled for 
  the Domain Controller's OU and apparently whoever enabled this setting is no 
  longer with the company (or they won't fess up to why they did this).
   
  Although I am curious, what sort of ramifications does enabling "block 
  inheritance" on the Domain Controller's OU pose?  And what reason would 
  you have to enable this setting on the Domain Controller's OU?  With any 
  other OU, it would be fairly obvious, but being that these are the Domain 
  Controllers it would seem to be a unique situation.
   
  Thanks as always for your input,
  ~Ben
  -- 
~Short-term actions X time = long-term 
accomplishments.~ 


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia
I just prefer using sec. Group filtering over block and enforced flags. In your 
scenario I would have added explicit denies for the DC group to those GPOs that 
should not have applied rather than block inheritance.

-Original Message-
From: "Kamlesh Parmar" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 9/15/2006 1:38 PM
Subject: Re: [ActiveDir] Block Inheritance on DC OU

Well at one of the customers, they have around 10 to 15 GPOs applied at
domain level, for various purposes ranging from software deployment to other
settings.
So they didn't want many of those GPOs to be applied to domain
controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.

So only thing we could come up with to achieve what we wanted was to.
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.

This helped for keeping a consistent password policy across all OUs and
Domain.
And also "saving" DCs from domain level general purpose GPOs.

Long term, the solution is to rethink the OU structure.

Kamlesh

On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
>
>  Well, the obvious effect is that it prevents domain-linked policies from
> being delivered correctly, including password policy. This is probably not
> desirable. I can't think of a good scenario where this would be useful.
>
> Darren
>
>  --
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *WATSON, BEN
> *Sent:* Wednesday, September 13, 2006 9:37 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Block Inheritance on DC OU
>
>  The company I am currently working for has "block inheritance" enabled
> for the Domain Controller's OU and apparently whoever enabled this setting
> is no longer with the company (or they won't fess up to why they did this).
>
>
>
> Although I am curious, what sort of ramifications does enabling "block
> inheritance" on the Domain Controller's OU pose?  And what reason would you
> have to enable this setting on the Domain Controller's OU?  With any other
> OU, it would be fairly obvious, but being that these are the Domain
> Controllers it would seem to be a unique situation.
>
>
>
> Thanks as always for your input,
>
> ~Ben
>



-- 
~
Short-term actions X time = long-term accomplishments.
~


[truncated by sender]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
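Added example (not code from the thread or from any poster): the approach Darren describes, an explicit Deny on "Apply Group Policy" for the Domain Controllers group instead of Block Inheritance on the DC OU, done from PowerShell. The first function lists the GPOs linked at the domain root, whether each can still reach the Domain Controllers OU given the OU's inheritance setting, and whether the "Domain Controllers" group already carries a Deny. The second adds that Deny the way GPMC's Delegation > Advanced dialog does, by writing an ACE on the GPO's AD object. It assumes the RSAT GroupPolicy and ActiveDirectory modules, rights to edit GPO security, and the schema's Apply-Group-Policy extended-right GUID; the function names are mine.

```powershell
# Added example, not from the thread. Requires RSAT: GroupPolicy + ActiveDirectory.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Extended right "Apply Group Policy" (schema rightsGuid).
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-DomainRootGpoDcStatus {
    $domainDn = (Get-ADDomain).DistinguishedName
    $dcGroup  = Get-ADGroup -Identity 'Domain Controllers'
    $dcOu     = Get-GPInheritance -Target "OU=Domain Controllers,$domainDn"

    foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
        # -All returns every ACE on the GPO, explicit denies included.
        $perms  = Get-GPPermission -Guid $link.GpoId -All
        $dcDeny = $perms | Where-Object {
            $_.Denied -and $_.Permission -eq 'GpoApply' -and
            $_.Trustee.Sid.Value -eq $dcGroup.SID.Value
        }
        [pscustomobject]@{
            Gpo           = $link.DisplayName
            GpoId         = $link.GpoId
            LinkOrder     = $link.Order
            Enforced      = $link.Enforced
            # Block Inheritance on the DC OU stops every domain link except enforced ones,
            # which is exactly why the password policy goes missing.
            ReachesDcOu   = $link.Enforced -or -not $dcOu.GpoInheritanceBlocked
            DcGroupDenied = [bool]$dcDeny
        }
    }
}

function Deny-GpoToDomainControllers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][guid]$GpoId)
    process {
        $gpo     = Get-GPO -Guid $GpoId
        $dcGroup = Get-ADGroup -Identity 'Domain Controllers'
        # Gpo.Path is the GPO's AD object: CN={guid},CN=Policies,CN=System,DC=...
        $path    = "AD:\$($gpo.Path)"
        $acl     = Get-Acl -Path $path
        $rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                       $dcGroup.SID,
                       [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                       [System.Security.AccessControl.AccessControlType]::Deny,
                       $ApplyGroupPolicyRight)
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Deny 'Apply Group Policy' to $($dcGroup.Name)")) {
            $acl.AddAccessRule($rule)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: review first, then deny only the general-purpose GPOs. Never deny the
# GPO carrying the domain password policy (normally Default Domain Policy).
# Get-DomainRootGpoDcStatus | Format-Table -AutoSize
# Get-DomainRootGpoDcStatus | Where-Object { $_.Gpo -like 'Software Deployment*' } |
#     Deny-GpoToDomainControllers -WhatIf
```

Set-GPPermission cannot write Deny ACEs, which is why the second function goes through the AD: drive and the GPO object's ACL directly. Run it with -WhatIf first and confirm the result in GPMC under the GPO's Delegation tab (Advanced), where the Deny shows up against Apply Group Policy.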


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Darren Mar-Elia
To me it seems intuitive that GP processing would behave the same way for DCs 
as it would for other computers.  And to answer the question, yes I have 
confirmed this in testing numerous times over the years-most recently the day 
Ben asked the question.

Darren

-Original Message-
From: "Derek Harris" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 9/14/2006 4:11 PM
Subject: RE: [ActiveDir] Block Inheritance on DC OU

I did it a couple years ago, and found out that it does block the
password policy. It seems intuitive that it shouldn't, but it does.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU


You say  "Obvious" but is this obvious? What happens in the case of
password policy. This can only be set at the top level of the domain.
Does this block actually prevent it being applied? I would guess that is
does, but I wonder if any one has tested it or has any docs on what
actually happens. 
 
 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

 

Well, the obvious effect is that it prevents domain-linked policies from
being delivered correctly, including password policy. This is probably
not desirable. I can't think of a good scenario where this would be
useful. 

 

Darren

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has "block inheritance" enabled
for the Domain Controller's OU and apparently whoever enabled this
setting is no longer with the company (or they won't fess up to why they
did this).

 

Although I am curious, what sort of ramifications does enabling "block
inheritance" on the Domain Controller's OU pose?  And what reason would

[truncated by sender]


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread Darren Mar-Elia



Well, the obvious effect is that it prevents domain-linked 
policies from being delivered correctly, including password policy. This is 
probably not desirable. I can't think of a good scenario where this would be 
useful. 
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU


The company I am currently working for has “block 
inheritance” enabled for the Domain Controller’s OU and apparently whoever 
enabled this setting is no longer with the company (or they won’t fess up to why 
they did this).
 
Although I am curious, what sort of ramifications does 
enabling “block inheritance” on the Domain Controller’s OU pose?  And what 
reason would you have to enable this setting on the Domain Controller’s 
OU?  With any other OU, it would be fairly obvious, but being that these 
are the Domain Controllers it would seem to be a unique 
situation.
 
Thanks as always for your input,
~Ben


RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-12 Thread Darren Mar-Elia



Matt-
I don't think these accounts have well-known SIDs, so I'm 
not sure that's going to help. You can easily verify using psgetsid from 
Sysinternals. I checked a couple accounts here (though they were domain 
accounts) and they were not well-known SIDs.
 
Darren
 

Darren Mar-Elia
For comprehensive 
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs, 
video training, tools and whitepapers. Also check out the Windows 
Group Policy Guide, the definitive resource for Group Policy 
information.
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO 
settings.  We have a set of servers within an OU where they require the 
account to have rights on the local servers, call them Server1, Server2, 
Server3.  We obviously don't want to create the setting for IWAM_Server1, 
IWAM_Server2, etc. I believe that this account has a common SID; if I simply 
do a browse for the account on one machine, will it resolve to SID and apply the 
setting for all accounts, or is there another way to do this (like specifying 
"Builtin\Administrator" would work for the builtin Administrator account) no 
matter what the name happens to be on a local machine? 
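Added example (not from the thread): the check Darren suggests doing with psgetsid, done from PowerShell. The function resolves an account name to its SID and says whether that SID is one that is the same on every machine (a BUILTIN alias such as S-1-5-32-544, an NT AUTHORITY principal, or a built-in account with a RID below 1000 such as Administrator/500) or one allocated per installation (RID 1000 and up, which is what a GPO setting cannot refer to by a single SID). The function name and the sample account list are mine; run it on one of the servers in question to see which class the IWAM/IUSR accounts fall into.

```powershell
# Added example, not from the thread. Classifies a SID the way you would by
# reading psgetsid output.
function Get-SidClass {
    param([Parameter(Mandatory)][string]$Account)

    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch {
        return [pscustomobject]@{ Account = $Account; Sid = $null; Class = 'unresolved' }
    }

    $class = switch -Regex ($sid.Value) {
        # BUILTIN aliases (Administrators = 544, Users = 545, ...) are identical everywhere.
        '^S-1-5-32-\d+$' { 'well-known (BUILTIN alias)'; break }
        # S-1-5-21-<machine or domain id>-<RID>: RIDs below 1000 are the built-in
        # accounts (Administrator = 500, Guest = 501); 1000+ are created per install.
        '^S-1-5-21-(\d+-){3}(\d+)$' {
            if ([int]$Matches[2] -lt 1000) { 'well-known RID (built-in account)' }
            else                            { 'per-machine/per-domain RID' }
            break
        }
        '^S-1-5-\d+$' { 'well-known (NT AUTHORITY)'; break }
        default       { 'other' }
    }

    [pscustomobject]@{ Account = $Account; Sid = $sid.Value; Class = $class }
}

# Constructed sample list; replace with the accounts you care about.
$samples = @(
    'BUILTIN\Administrators',
    "$env:COMPUTERNAME\Administrator",
    'NT AUTHORITY\SYSTEM',
    "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
    "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME"
)
$samples | ForEach-Object { Get-SidClass -Account $_ } | Format-Table -AutoSize
```

If the IWAM/IUSR entries come back as "per-machine/per-domain RID", a single SID in the GPO cannot cover all three servers, and the alternative is a Restricted Groups or user-rights entry that names a group you put those accounts into on each box.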


RE: [ActiveDir] OT: Management Solutions

2006-09-11 Thread Darren Mar-Elia



Alan-
I ran one of these evaluations a while back for a 25,000 
desktop environment. I would highly advise putting together a spreadsheet of 
your *real* requirements prior to narrowing the vendor list. Don't let the 
vendor tell you what you need or the choice will become obvious. Apart from that 
the following list (in no particular order) includes most of the larger vendors 
in this space. Most if not all of them include the features you're 
looking for, at varying levels of integration. You should at least compare 
features across these to your requirements before 
evaluating:
 
-- BMC Marimba
-- Microsoft SMS (or Deployment Manager or whatever it's called now :-))
-- HP Novadigm
-- Attachmate WinInstall
-- Managesoft
 
There are probably a dozen smaller companies out there doing this. It's a 
crowded market so it pays to shop around. 
 
Darren
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan J. Gendron
Sent: Monday, September 11, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Management Solutions


I would love some feedback from 
those that actually use some of these products.  We initially started 
looking at a Helpdesk solution.  It has now evolved into an asset 
management, OS deployment, patch management and license compliance 
package.  I can’t tell you whether it’s evolved to this because the package 
we are looking at has it or because it was decided we could use the additional 
functionality.  The current front-runner is Altiris.  Could anyone 
provide some helpful insight into this package or a comparable solution we could 
look at?  If we’re going to spend the money, I’d like to see us spend it 
wisely.  Thank you in advance.
 
Alan
Alan J. Gendron
Senior Network Specialist
Lutheran Church Extension Fund
Sunset Corporate Center
10733 Sunset Office Drive
St. Louis, MO 63127-1219
314.885.6596
 


RE: [ActiveDir] OT: admin account in Vista

2006-09-07 Thread Darren Mar-Elia



safe location == post-it note on the side of 
CPU


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 07, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista

"Write down your username and password and store it in a safe 
location."
 
That's an interesting departure from the usual recommendations. 
;-)
 
On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote: 
  Windows Vista Security : Built-in Administrator Account Disabled:
  http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx

  --
  Letting your vendors set your risk analysis these days?
  http://www.threatcode.com
  If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
  http://blogs.technet.com/sbs
  


RE: [ActiveDir] adm file management

2006-09-06 Thread Darren Mar-Elia
Sure. On XP or 2003, when you open an admin. Template policy, you see at the
bottom that it says, "Supported On" and then shows the minimum OS or app
level required that supports that policy. Those are the supported tags. In
GP Editor you can do View, Filtering and filter by Supported level so that,
for example, you see only policies that support XP, SP2. It's a handy
feature that was intro'd in XP. 

The good (or reasonably good) news on all of this, is that with the
introduction of Vista, the whole ADM and ADM management story changes. No
longer will ADM (called ADMX in Vista) files be stored within each GPO and
no longer will they be automatically updated. You will have a "central
store" that holds all ADMXs and you can update it centrally and
purposefully.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Darren, i value your (and all others who help me) correspondence from the
mailing list and also the content of your web site.

'clear as mud' sums it up !!

final qu - you referenced a concept of 'supported tags' - is it easy 4 u to
explain in a nutshell

GT

> Graham-
> Yes, the dates can be confusing. I typically take these as groupings. 
> So, all of the ADMs that ship with a given OS/Service Pack should stay
together.
> The reality is that the two conf.adm files you list below are 
> identical in content (windiff is a good tool for this), even though 
> their dates are not identical. In the case of system.adm 2003/SP1 
> added some additional policies for the secure mode IE stuff that 
> wasn't in XP,SP2, but otherwise it was identical (I list out the 
> differences between the XP,SP2 and 2003, SP1 ADMs at 
> www.gpoguy.com/admdiffs.htm). To answer your question, yes, if you are 
> managing GP from a 2003 server machine, then you could certainly have 
> ADMs from XP, SP2 in your GPOs. By default, the ADMs in 2003's 
> c:\windows\inf folder will auto-update each GPO you edit so over time, 
> unless you change that default behavior, your GPOs will be "upgraded" 
> to 2003,SP1, but in general, as long as you are on 2003, SP1 or XP, SP2,
you should be good to go.
>
> Clear as mud?
>
> Darren
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Wednesday, September 06, 2006 8:21 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] adm file management
>
> Darren, thanks 4 mail back
>
> in the interim i dug into the 'versioning' of these ADM's and it seems 
> that "most recent" versions are not always in the same OS
>
> i cite comparison of ADM version (ie dates) on different OS
>
> conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (xp sp2) system.adm -  
> 18/02/05
> (2003 / sp1)  - 17/07/04 (xp / sp2)
>
> so if i read this right it would seem the rule of latest OS is not 
> strict - hence my view to come back to the 'most recent' ??
>
> i assume if the 'admin' workstation is running windows server 2003 we 
> are ok to put in the ADM files shipped with say XP sp2, assuming of 
> course as above they are more recent ?
>
>
>
>
>
>> Graham-
>> You are correct on both counts. ADMs are typically supersets of each 
>> other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000, 
>> etc. And it is definitely best to manage such a mixed environment 
>> from the latest platform (e.g. XP). The key of course, is to pay 
>> attention to the "Supported" tags in the newer ADMs.
>>
>> Darren
>>
>> Darren Mar-Elia
>> For comprehensive Windows Group Policy Information, check out
>> www.gpoguy.com-- the best source for GPO FAQs, video training, tools 
>> and whitepapers. Also check out the Windows Group Policy Guide, the 
>> definitive resource for Group Policy information.
>>
>>
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Graham 
>> Turner
>> Sent: Wednesday, September 06, 2006 7:41 AM
>> To: activedir@mail.activedir.org
>> Subject: [ActiveDir] adm file management
>>
>> quick question (hopefully not too daft) ref ADM file management
>>
>> it seems different OS's ship with different versions of the 'standard'
>> ADM files that include conf.adm / interes.adm / system.adm ...
>>
>> say if you are maintaining policies that link to containers holding 
>> say XP , 2000,
>> 2003 computers it would not be unreasonable to manage them a

RE: [ActiveDir] adm file management

2006-09-06 Thread Darren Mar-Elia
Graham-
Yes, the dates can be confusing. I typically take these as groupings. So,
all of the ADMs that ship with a given OS/Service Pack should stay together.
The reality is that the two conf.adm files you list below are identical in
content (windiff is a good tool for this), even though their dates are not
identical. In the case of system.adm 2003/SP1 added some additional policies
for the secure mode IE stuff that wasn't in XP,SP2, but otherwise it was
identical (I list out the differences between the XP,SP2 and 2003, SP1 ADMs
at www.gpoguy.com/admdiffs.htm). To answer your question, yes, if you are
managing GP from a 2003 server machine, then you could certainly have ADMs
from XP, SP2 in your GPOs. By default, the ADMs in 2003's c:\windows\inf
folder will auto-update each GPO you edit so over time, unless you change
that default behavior, your GPOs will be "upgraded" to 2003,SP1, but in
general, as long as you are on 2003, SP1 or XP, SP2, you should be good to
go.

Clear as mud? 

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adm file management

Darren, thanks 4 mail back

in the interim i dug into the 'versioning' of these ADM's and it seems that
"most recent" versions are not always in the same OS

i cite comparison of ADM version (ie dates) on different OS

conf.adm - 22/2/03 (2003/SP1) - 17/7/04 (xp sp2) system.adm -  18/02/05
(2003 / sp1)  - 17/07/04 (xp / sp2)

so if i read this right it would seem the rule of latest OS is not strict -
hence my view to come back to the 'most recent' ??

i assume if the 'admin' workstation is running windows server 2003 we are ok
to put in the ADM files shipped with say XP sp2, assuming of course as above
they are more recent ?





> Graham-
> You are correct on both counts. ADMs are typically supersets of each 
> other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000, 
> etc. And it is definitely best to manage such a mixed environment from 
> the latest platform (e.g. XP). The key of course, is to pay attention 
> to the "Supported" tags in the newer ADMs.
>
> Darren
>
> Darren Mar-Elia
> For comprehensive Windows Group Policy Information, check out
> www.gpoguy.com-- the best source for GPO FAQs, video training, tools 
> and whitepapers. Also check out the Windows Group Policy Guide, the 
> definitive resource for Group Policy information.
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Wednesday, September 06, 2006 7:41 AM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] adm file management
>
> quick question (hopefully not too daft) ref ADM file management
>
> it seems different OS's ship with different versions of the 'standard' 
> ADM files that include conf.adm / interes.adm / system.adm ...
>
> say if you are maintaining policies that link to containers holding 
> say XP , 2000,
> 2003 computers it would not be unreasonable to manage them all from a 
> single host on which you edit policies.
>
> am i correct to say that in maintaining the settings in these files 
> are always cumulative - if that's the right word
>
> if so then it is correct working practice to always use the MOST 
> RECENT version of an ADM file with no fear of breaking previously 
> functional GPO's ???
>
> GT
>
>
>
>
>
>




RE: [ActiveDir] adm file management

2006-09-06 Thread Darren Mar-Elia
Graham-
You are correct on both counts. ADMs are typically supersets of each
other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000, etc. And
it is definitely best to manage such a mixed environment from the latest
platform (e.g. XP). The key of course, is to pay attention to the
"Supported" tags in the newer ADMs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 7:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

quick question (hopefully not too daft) ref ADM file management

it seems different OS's ship with different versions of the 'standard' ADM
files that include conf.adm / interes.adm / system.adm ...

say if you are maintaining policies that link to containers holding say XP ,
2000,
2003 computers it would not be unreasonable to manage them all from a single
host on which you edit policies.

am i correct to say that in maintaining the settings in these files are
always cumulative - if that's the right word

if so then it is correct working practice to always use the MOST RECENT
version of an ADM file with no fear of breaking previously functional GPO's
???

GT





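Added example (not from the thread): the "Supported" tags Darren says to watch, and the ADM-to-ADM comparison he does with windiff, handled by a small parser. ConvertFrom-Adm walks an ADM file, tracks the CATEGORY nesting, resolves !!tokens from the [strings] section and emits one object per POLICY with its SUPPORTED tag and KEYNAME; Compare-AdmPolicies shows which policies one version adds, drops, or re-tags relative to another. The two ADM fragments are constructed samples in ADM syntax, not the real system.adm from XP SP2 or 2003 SP1, and the function names are mine.

```powershell
# Added example, not from the thread. Minimal ADM parser + version comparison.
function ConvertFrom-Adm {
    param([Parameter(Mandatory)][string[]]$Lines)

    # [strings] section holds token="text"; !!token elsewhere refers to it.
    $strings = @{}
    $inStrings = $false
    foreach ($l in $Lines) {
        if ($l -match '^\s*\[strings\]') { $inStrings = $true; continue }
        if ($inStrings -and $l -match '^\s*([^=\s]+)\s*=\s*"(.*)"\s*$') { $strings[$Matches[1]] = $Matches[2] }
    }
    $resolve = {
        param([string]$Token)
        $Token = $Token.Trim().Trim('"')
        if ($Token -match '^!!(.+)$' -and $strings.ContainsKey($Matches[1])) { $strings[$Matches[1]] } else { $Token }
    }

    $class = ''
    $cats  = New-Object System.Collections.Generic.List[string]
    $cur   = $null
    foreach ($l in $Lines) {
        $t = $l.Trim()
        if ($t -match '^\[strings\]') { break }
        switch -Regex ($t) {
            '^CLASS\s+(\S+)'     { $class = $Matches[1].ToUpper() }
            '^CATEGORY\s+(.+)$'  { $cats.Add((& $resolve $Matches[1])) }
            '^END\s+CATEGORY'    { if ($cats.Count -gt 0) { $cats.RemoveAt($cats.Count - 1) } }
            '^POLICY\s+(.+)$'    { $cur = [ordered]@{ Class = $class; Category = ($cats -join '\')
                                                      Policy = (& $resolve $Matches[1]); SupportedOn = $null; KeyName = $null } }
            # SUPPORTED is what GP Editor shows as "Supported On" and filters by.
            '^SUPPORTED\s+(.+)$' { if ($cur) { $cur.SupportedOn = & $resolve $Matches[1] } }
            '^KEYNAME\s+(.+)$'   { if ($cur) { $cur.KeyName = $Matches[1].Trim().Trim('"') } }
            '^END\s+POLICY'      { if ($cur) { [pscustomobject]$cur; $cur = $null } }
        }
    }
}

function Compare-AdmPolicies {
    param([Parameter(Mandatory)][string[]]$Older, [Parameter(Mandatory)][string[]]$Newer)
    $old = @{}; ConvertFrom-Adm $Older | ForEach-Object { $old["$($_.Class)|$($_.Category)|$($_.Policy)"] = $_ }
    $new = @{}; ConvertFrom-Adm $Newer | ForEach-Object { $new["$($_.Class)|$($_.Category)|$($_.Policy)"] = $_ }
    foreach ($k in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        $p = if ($new.ContainsKey($k)) { $new[$k] } else { $old[$k] }
        $status = if ($old.ContainsKey($k) -and $new.ContainsKey($k)) {
                      if ($old[$k].SupportedOn -ne $new[$k].SupportedOn) { 'supported tag changed' } else { 'unchanged' }
                  } elseif ($new.ContainsKey($k)) { 'added in newer ADM' } else { 'dropped in newer ADM' }
        [pscustomobject]@{ Class = $p.Class; Policy = "$($p.Category)\$($p.Policy)"; SupportedOn = $p.SupportedOn; Status = $status }
    }
}

# Constructed sample ADMs (not real system.adm content).
$admOlder = @'
CLASS MACHINE
CATEGORY !!Cat_Sample
  POLICY !!Pol_A
    #if version >= 4
      SUPPORTED !!SUPPORTED_WindowsXPSP2
    #endif
    KEYNAME "Software\Policies\Sample"
    VALUENAME "SettingA"
  END POLICY
END CATEGORY
[strings]
Cat_Sample="Sample category"
Pol_A="Sample policy A"
SUPPORTED_WindowsXPSP2="At least Windows XP SP2"
'@ -split "`r?`n"

$admNewer = @'
CLASS MACHINE
CATEGORY !!Cat_Sample
  POLICY !!Pol_A
    SUPPORTED !!SUPPORTED_WindowsXPSP2
    KEYNAME "Software\Policies\Sample"
    VALUENAME "SettingA"
  END POLICY
  POLICY !!Pol_B
    SUPPORTED !!SUPPORTED_Windows2003SP1
    KEYNAME "Software\Policies\Sample"
    VALUENAME "SettingB"
  END POLICY
END CATEGORY
[strings]
Cat_Sample="Sample category"
Pol_A="Sample policy A"
Pol_B="Sample policy B"
SUPPORTED_WindowsXPSP2="At least Windows XP SP2"
SUPPORTED_Windows2003SP1="At least Windows Server 2003 SP1"
'@ -split "`r?`n"

Compare-AdmPolicies -Older $admOlder -Newer $admNewer | Format-Table -AutoSize
# Same listing narrowed the way View > Filtering does in GP Editor:
ConvertFrom-Adm $admNewer | Where-Object SupportedOn -like '*XP*'
```

Feed the real files with Get-Content (ADMs shipped as Unicode text, which Get-Content handles) to see which policies a newer ADM would add to a GPO before letting the auto-update described above "upgrade" it.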


RE: [ActiveDir] management of group policy links (GPMC)

2006-08-23 Thread Darren Mar-Elia
Graham-
The Inheritance and Delegation tabs (when you're sitting on a container
object like an OU in GPMC) provides the information indicated below. I guess
I'm wondering what you're missing from that? It's true that GPMC
backup/restore does not restore links, link order or Enforced flags, but
there are 3rd party products that can do this, combining GPO restore with
the AD parts of that.

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, August 23, 2006 10:05 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] management of group policy links (GPMC)

Dear all, as i recall / understand group policy links are stored as an
attribute (gplink) of the OU.

It seems that GPMC is fine at summarising the links on a per OU basis as you
step down the forest / domain structure.

However it seems to lack a summary of OU / linked GPO(s) / link order /
security filtering / delegation

Would seem to be helpful in the context of a documentation of an Active
Directory, especially given the scenario of restore of a GPO which does not
look to restore links, let alone the link order which would need to be
restored somehow in the event of GPO restore.

Thanks, as always

GT

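Added example (not from the thread): the OU / linked GPO / link order / enforced / block-inheritance summary Graham is after, read straight from the gPLink and gPOptions attributes so it can be kept with the GPO backups and put back after a restore. gPLink is a string of "[LDAP://<GPO DN>;<flags>]" entries where flag bit 1 means the link is disabled and bit 2 means enforced; gPOptions = 1 is Block Inheritance, so the same export also flags the situation from the Block Inheritance on DC OU thread above. Positions are recorded as they appear in the attribute, which is what a restore needs; map them to GPMC's displayed link order on the container's Linked Group Policy Objects tab. Assumes the RSAT ActiveDirectory and GroupPolicy modules; the function names and CSV path are mine.

```powershell
# Added example, not from the thread. Requires RSAT: ActiveDirectory + GroupPolicy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function ConvertFrom-GPLink {
    param([Parameter(Mandatory)][string]$GPLink, [Parameter(Mandatory)][string]$TargetDn)
    $pos = 0
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $pos++
        $gpoDn = $m.Groups[1].Value
        $flags = [int]$m.Groups[2].Value
        $guid  = if ($gpoDn -match '\{([0-9a-f-]+)\}') { $Matches[1] } else { $null }
        # A link whose GPO object no longer exists is an orphan; GPMC hides these badly.
        try   { $name = (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName }
        catch { $name = '<orphaned link>' }
        [pscustomobject]@{
            Target   = $TargetDn
            Position = $pos
            GpoName  = $name
            GpoGuid  = $guid
            Enforced = [bool]($flags -band 2)
            Disabled = [bool]($flags -band 1)
        }
    }
}

function Export-GPLinkInventory {
    param([string]$Path = '.\gplink-inventory.csv')
    # Domain root + every OU in the current domain (site links live in the
    # configuration partition and are not covered here).
    $containers = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=domainDNS))' `
                               -Properties gPLink, gPOptions
    $rows = foreach ($c in $containers) {
        $blocked = [bool]($c.gPOptions -band 1)
        if ([string]::IsNullOrEmpty($c.gPLink)) {
            [pscustomobject]@{ Target = $c.DistinguishedName; BlocksInheritance = $blocked; Position = $null
                               GpoName = $null; GpoGuid = $null; Enforced = $null; Disabled = $null; RawGPLink = $null }
        } else {
            foreach ($link in (ConvertFrom-GPLink -GPLink $c.gPLink -TargetDn $c.DistinguishedName)) {
                $link | Select-Object Target, @{n = 'BlocksInheritance'; e = { $blocked }}, Position, GpoName,
                                      GpoGuid, Enforced, Disabled, @{n = 'RawGPLink'; e = { $c.gPLink }}
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}

function Restore-GPLink {
    # Puts a container's links, order, enforced flags and block-inheritance
    # setting back from one row of the export (the raw string carries all of it).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$TargetDn,
          [Parameter(Mandatory)][string]$RawGPLink,
          [bool]$BlocksInheritance = $false)
    if ($PSCmdlet.ShouldProcess($TargetDn, 'Replace gPLink/gPOptions')) {
        Set-ADObject -Identity $TargetDn -Replace @{ gPLink = $RawGPLink; gPOptions = [int]$BlocksInheritance }
    }
}

# Usage:
# Export-GPLinkInventory | Format-Table Target, Position, GpoName, Enforced, Disabled, BlocksInheritance -AutoSize
# Export-GPLinkInventory | Where-Object BlocksInheritance | Select-Object -Unique Target
# Restore-GPLink -TargetDn 'OU=Sales,DC=example,DC=com' -RawGPLink $row.RawGPLink -WhatIf
```

Restoring from the raw string only works while the GPO GUIDs are unchanged, which is the case for a GPMC restore of an existing GPO but not for an import into a newly created one; for the latter, rewrite the GUIDs in the string before calling Restore-GPLink.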


RE: [ActiveDir] Active Directory Delegation & Management tools...

2006-08-23 Thread Darren Mar-Elia



Glad to help. I can't say enough how important it is 
to really have your requirements locked down before going into this process, and 
absolutely don't make a decision until you evaluate your short list of products 
in your own labs, without the vendor standing over your shoulder. Experience as 
both a customer and vendor has taught me that customers tend to think they need 
everything and vendors tend to tell you they can do everything. Somewhere in 
between is the truth. Evaluate a vendor's products not only their features (both 
stated and real) but also on the company's understanding of what they are 
selling. In other words, if you're buying AD products and the vendor's folks 
understand AD and its problems less than you do, then that is probably a 
good indicator of how they will support you down the line. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Wednesday, August 23, 2006 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Delegation & Management tools...

Darren, 
Thanks for the insight!!  We're in the same boat as well and currently 
developing an RFI.  We're also considering ScriptLogic, Quest, NetIQ and 
NetPro.
 
Teo 
On 8/23/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: 
  James-
  It's been a while, but since it was my job to know this stuff, I can give you some 
  general comments here. First off, it's important to know your requirements 
  before asking the various vendors how they can help. What do you need to 
  manage AD here? One thing I can tell you about the Scriptlogic tool vs. the 
  tools from NetIQ and Quest is that Active Administrator attempts to combine a 
  number of different management functions into a single tool. For example, AA 
  includes AD delegation, Group Policy change control, AD restore and some 
  reporting into a single console. Compared to this, the DRA and ActiveRoles 
  products (there are two versions of ActiveRoles--I'm talking about the server 
  version here) are primarily geared towards controlled management of AD data 
  (although both include some resource management as well). In order to get all 
  of the basic functionality that AA provides from these other vendors you would 
  have to buy several of their other products for things like GP management, AD 
  restore, etc.. However, I think what you'll find is that the AA 
  functionality is pretty basic across each of the categories, so it's important 
  to know what you need in each area. Also, from an architectural 
  perspective, the Scriptlogic product is a client-based solution, and 
  the NetIQ and Quest products are client-server based. Given that, the 
  Scriptlogic product is more geared towards small environments and does an OK 
  job in each of the categories they provide solutions for. But the NetIQ and 
  Quest products are built with larger enterprises in mind and have features 
  that accommodate those kinds of environments better.

  I would also take a look at what NetPro has to offer in these areas. I know 
  they have some offering around AD management, depending upon your requirements.

  Hope that helps. Again, it's really all about your requirements. If you have 
  some specific requirements that you would care to share here, I can probably 
  give you more pointed advice.

  Darren

  -Original message-
  From: James Carter [EMAIL PROTECTED]
  Date: Wed, 23 Aug 2006 05:31:40 -0400
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Active Directory Delegation & Management tools...

  > Hi everyone,
  >
  > Does anyone have any experience with a product called Active Administrator 
  > from Scriptlogic?
  >
  > How does it compare with products such as NetIQ DRA or Quests Active Roles?
  >
  > What type of questions should I be asking the vendor regarding this product?
  >
  > thanks
  >
  > James
  >
  > -
  > Do you Yahoo!?
  > Everyone is raving about the all-new Yahoo! Mail.


Re: [ActiveDir] Active Directory Delegation & Management tools...

2006-08-23 Thread Darren Mar-Elia
James-
It's been a while, but since it was my job to know this stuff, I can give you 
some general comments here. First off, it's important to know your requirements 
before asking the various vendors how they can help. What do you need to manage 
AD here? One thing I can tell you about the Scriptlogic tool vs. the tools from 
NetIQ and Quest is that Active Administrator attempts to combine a number of 
different management functions into a single tool. For example, AA includes AD 
delegation, Group Policy change control, AD restore and some reporting into a 
single console. Compared to this, the DRA and ActiveRoles products (there are 
two versions of ActiveRoles--I'm talking about the server version here) are 
primarily geared towards controlled management of AD data (although both 
include some resource management as well). In order to get all of the basic 
functionality that AA provides from these other vendors you would have to buy 
several of their other products for things like GP management, AD restore, 
etc.. However, I think what you'll find 
is that the AA functionality is pretty basic across each of the categories, so 
it's important to know what you need in each area. Also, from an architectural 
perspective, the Scriptlogic product is a client-based solution, and the NetIQ 
and Quest products are client-server based. Given that, the Scriptlogic product 
is more geared towards small environments and does an OK job in each of the 
categories they provide solutions for. But the NetIQ and Quest products are 
built with larger enterprises in mind and have features that accommodate those 
kinds of environments better.

I would also take a look at what NetPro has to offer in these areas. I know 
they have some offering around AD management, depending upon your requirements.

Hope that helps. Again, it's really all about your requirements. If you have 
some specific requirements that you would care to share here, I can probably 
give you more pointed advice.

Darren 



-Original message-
From: James Carter [EMAIL PROTECTED]
Date: Wed, 23 Aug 2006 05:31:40 -0400
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Delegation & Management tools...

>  
>   Hi everyone,
>
>   Does anyone have any experience with a product called Active Administrator 
> from Scriptlogic?
>
>   How does it compare with products such as NetIQ DRA or Quests Active Roles?
>
>   What type of questions should I be asking the vendor regarding this 
> product? 
>
>   thanks
>
>   James
> 
>   
> -
> Do you Yahoo!?
>  Everyone is raving about the  all-new Yahoo! Mail.



RE: [ActiveDir] Viewing GPO processing

2006-08-21 Thread Darren Mar-Elia
No, verbose userenv logging simply tells you what is happening during each
step of GP processing. It doesn't log what is happening as the user is
executing commands that may run into policy. We actually had a conversation
with the GP team at MS about this particular issue because it is very
difficult to troubleshoot. I don't think a network trace is going to help
since the problem is not during policy application but when the policy has
already been applied and there is some unexpected reaction between an
application and what could be a totally unrelated (usually) shell
restriction. For example, back in the NT 4 days I spent hours trying to
troubleshoot why a particular 16-bit app would throw weird errors whenever
we tried starting it. Through a process of elimination, I figured that it
was choking on the "Hide Drives" policy that hid certain drive letters from
Explorer. This was primarily due to the fact that the particular API the app
was using was relying on the visibility of the drive letter, rather than a
more standard way of accessing that information. So, it's really hard to pin
this kind of stuff down unless you get lucky with Regmon or just remove one
policy item at a time until you find the problematic one.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
Sent: Monday, August 21, 2006 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Viewing GPO processing

Darren,
Thanks yes, that's what I want to find out.  I did read something in
previous emails about using network trace on the group policy, but I have no
clue on how to do that.  Would enabling verbose userenv logging help, you
think?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, August 21, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Viewing GPO processing

Assuming it's XP, then you can use GPMC to get a GP Results report that tells
you what GPOs and what settings were applied to a given user or computer.
However, I think what you're asking is, is there any log that tells you when
a particular operation gets blocked by a particular GPO setting, and the
answer to that is no. Depending upon what the operation is, you may be able
to see what registry values are getting queried (assuming it's an admin.
Template policy that is causing the problem) by using Sysinternals Regmon to
spy on the registry I/O while you are doing the particular operation
described below. However, outside of that its trial and error to find why
the operation is getting stopped. 


Darren



 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
Sent: Monday, August 21, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Viewing GPO processing

Is there any way to see when a GPO is being applied?  Is there a log
somewhere that shows what was applied and what wasn't?  Like the log that's
created when one logs into w2k in safe mode.  In that log, you can see what
drivers are loaded.  I need to see what policy is causing an error when
users log on.  The error is about installing an .INF file, access is denied.

Thank you


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx






RE: [ActiveDir] Viewing GPO processing

2006-08-21 Thread Darren Mar-Elia
Assuming it's XP, then you can use GPMC to get a GP Results report that tells
you what GPOs and what settings were applied to a given user or computer.
However, I think what you're asking is, is there any log that tells you when
a particular operation gets blocked by a particular GPO setting, and the
answer to that is no. Depending upon what the operation is, you may be able
to see what registry values are getting queried (assuming it's an admin.
Template policy that is causing the problem) by using Sysinternals Regmon to
spy on the registry I/O while you are doing the particular operation
described below. However, outside of that it's trial and error to find why
the operation is getting stopped. 


Darren



 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
Sent: Monday, August 21, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Viewing GPO processing

Is there any way to see when a GPO is being applied?  Is there a log
somewhere that shows what was applied and what wasn't?  Like the log that's
created when one logs into w2k in safe mode.  In that log, you can see what
drivers are loaded.  I need to see what policy is causing an error when
users log on.  The error is about installing an .INF file, access is denied.

Thank you




RE: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Darren Mar-Elia



bit torrent? (just kidding)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, August 17, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Longhorn Beta


Outside of my MSDN account, is there a preferred way to obtain Longhorn Betas
for testing?
 
~Ben


Re: RE: [ActiveDir] Computer bootup speeds

2006-08-09 Thread Darren Mar-Elia
Probably for now -- just remember to turn it back on when you upgrade to Vista 
:-)

-Original message-
From: "Rimmerman, Russ" [EMAIL PROTECTED]
Date: Wed,  9 Aug 2006 22:18:23 -0400
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

> 
> We aren't using Windows Firewall, we're using the firewall that comes
> with our desktop antivirus solution.  So I guess we're OK turning off
> NLA (via GPO)?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Wednesday, August 09, 2006 5:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Computer bootup speeds
> 
> Yes, good point Susan. NLA is used to let Windows know that a network
> connection state has changed. So if you're using Windows Firewall and have
> both domain and standard profiles, by disabling NLA, you prevent that state
> change from notifying the firewall that it may need to switch from one
> profile to another.  
> 
> See this article for reference:
> 
> http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#EUC
> 
> Darren
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, August 09, 2006 2:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Computer bootup speeds
> 
> I wouldn't disable that but put it on manual. We've found that on rare
> occasion we've had to enable NLA to get the XP sp2 firewall to
> consistently
> know that the machine was domain joined and thus use the domain profile.
> 
> Test first.
> 
> Rimmerman, Russ wrote:
> > Well I think we figured it out. If we disable the "Network Location 
> > Awareness (NLA)" service, it cuts the time down by about 90%. I guess 
> > we'll disable this service via a GPO, cuz it looks like we don't need 
> > it anyway.
> >
> > --
> > --
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
> > Jerry W Mr HP
> > *Sent:* Wednesday, August 09, 2006 2:42 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > I'd also verify what server my machines are authenticating to using 
> > "Set L" from a command prompt and making sure they are hitting the 
> > correct ones. Sounds like the IP range may not be defined in Sites and
> 
> > Services.
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
> > William
> > *Sent:* Wednesday, August 09, 2006 2:22 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > I had this happen once and for the life of me could not figure it out.
> 
> > It was happening to computers pointed to one router in particular as 
> > their default gateway. It was one of 3 of our Gateway routers so I 
> > swapped DHCP settings to a different one and they all started working 
> > like they should.
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
> > Brunson
> > *Sent:* Wednesday, August 09, 2006 2:57 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > First thing I would check is the DNS settings on the client. Are they 
> > pointing at a valid DNS server, and is it responding?
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
> > Russ
> > *Sent:* Wednesday, August 09, 2006 1:44 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > No, just local.
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of 
> > [EMAIL PROTECTED]
> > *Sent:* Wednesday, August 09, 2006 1:37 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* Re: [ActiveDir] Computer bootup speeds
> >
> >
> > Do you have roamin

Re: RE: [ActiveDir] Computer bootup speeds

2006-08-09 Thread Darren Mar-Elia
The DNS suffix of the active connection definitely plays a role in determining 
which Firewall profile is in use, if that's what you're referring to. 

Darren

-Original message-
From: "Rimmerman, Russ" [EMAIL PROTECTED]
Date: Wed,  9 Aug 2006 22:23:43 -0400
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

> 
> Here's a thought - 
> 
> Our DHCP is assigning the DNS domain name (015) of our old NT4 domain
> still, not the name of our new AD domain.  Would that cause this?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Wednesday, August 09, 2006 5:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Computer bootup speeds
> 
> Yes, good point Susan. NLA is used to let Windows know that a network
> connection state has changed. So if you're using Windows Firewall and have
> both domain and standard profiles, by disabling NLA, you prevent that state
> change from notifying the firewall that it may need to switch from one
> profile to another.  
> 
> See this article for reference:
> 
> http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#EUC
> 
> Darren
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, August 09, 2006 2:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Computer bootup speeds
> 
> I wouldn't disable that but put it on manual. We've found that on rare
> occasion we've had to enable NLA to get the XP sp2 firewall to
> consistently
> know that the machine was domain joined and thus use the domain profile.
> 
> Test first.
> 
> Rimmerman, Russ wrote:
> > Well I think we figured it out. If we disable the "Network Location 
> > Awareness (NLA)" service, it cuts the time down by about 90%. I guess 
> > we'll disable this service via a GPO, cuz it looks like we don't need 
> > it anyway.
> >
> > --
> > --
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
> > Jerry W Mr HP
> > *Sent:* Wednesday, August 09, 2006 2:42 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > I'd also verify what server my machines are authenticating to using 
> > "Set L" from a command prompt and making sure they are hitting the 
> > correct ones. Sounds like the IP range may not be defined in Sites and
> 
> > Services.
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
> > William
> > *Sent:* Wednesday, August 09, 2006 2:22 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > I had this happen once and for the life of me could not figure it out.
> 
> > It was happening to computers pointed to one router in particular as 
> > their default gateway. It was one of 3 of our Gateway routers so I 
> > swapped DHCP settings to a different one and they all started working 
> > like they should.
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
> > Brunson
> > *Sent:* Wednesday, August 09, 2006 2:57 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > First thing I would check is the DNS settings on the client. Are they 
> > pointing at a valid DNS server, and is it responding?
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
> > Russ
> > *Sent:* Wednesday, August 09, 2006 1:44 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] Computer bootup speeds
> >
> > No, just local.
> >
> > --
> > --
> >
> > *From:* [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] *On Behalf Of 
> > [EMAIL PROTECTED]
> > *Sent:* Wednesday, August 09, 2006 1:37 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* Re: [A

RE: [ActiveDir] Computer bootup speeds

2006-08-09 Thread Darren Mar-Elia
Yes, good point Susan. NLA is used to let Windows know that a network
connection state has changed. So if you're using Windows Firewall and have
both domain and standard profiles, by disabling NLA, you prevent that state
change from notifying the firewall that it may need to switch from one
profile to another.  

See this article for reference:

http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx#EUC

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, August 09, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

I wouldn't disable that but put it on manual. We've found that on rare
occasion we've had to enable NLA to get the XP sp2 firewall to consistently
know that the machine was domain joined and thus use the domain profile.

Test first.

Rimmerman, Russ wrote:
> Well I think we figured it out. If we disable the "Network Location 
> Awareness (NLA)" service, it cuts the time down by about 90%. I guess 
> we'll disable this service via a GPO, cuz it looks like we don't need 
> it anyway.
>
> --
> --
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Condra, 
> Jerry W Mr HP
> *Sent:* Wednesday, August 09, 2006 2:42 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Computer bootup speeds
>
> I'd also verify what server my machines are authenticating to using 
> "Set L" from a command prompt and making sure they are hitting the 
> correct ones. Sounds like the IP range may not be defined in Sites and 
> Services.
>
> --
> --
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Krenceski, 
> William
> *Sent:* Wednesday, August 09, 2006 2:22 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Computer bootup speeds
>
> I had this happen once and for the life of me could not figure it out. 
> It was happening to computers pointed to one router in particular as 
> their default gateway. It was one of 3 of our Gateway routers so I 
> swapped DHCP settings to a different one and they all started working 
> like they should.
>
> --
> --
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Kevin 
> Brunson
> *Sent:* Wednesday, August 09, 2006 2:57 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Computer bootup speeds
>
> First thing I would check is the DNS settings on the client. Are they 
> pointing at a valid DNS server, and is it responding?
>
> --
> --
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Rimmerman, 
> Russ
> *Sent:* Wednesday, August 09, 2006 1:44 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Computer bootup speeds
>
> No, just local.
>
> --
> --
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of 
> [EMAIL PROTECTED]
> *Sent:* Wednesday, August 09, 2006 1:37 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Computer bootup speeds
>
>
> Do you have roaming profiles?
>
> Andrew Fidel
>
> *"Rimmerman, Russ" <[EMAIL PROTECTED]>* Sent by: 
> [EMAIL PROTECTED]
>
> 08/09/2006 02:29 PM
>
> Please respond to
> ActiveDir@mail.activedir.org
>
> To:
>
> cc:
>
> Subject: [ActiveDir] Computer bootup speeds
>
>
> Is there any easy way to determine why it's taking so long for PCs in 
> our AD to boot up? It sits at applying settings for quite awhile, so 
> I'm thinking it may have something to do with GPOs, but most computers 
> only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would 
> take that long to apply though. Sometimes it literally sits at 
> applying settings for 4 or 5 minutes!
> I guess I could move a computer to an OU with no GPOs and see, but are 
> there any other ways?
>
> Thanks
>
> ~~
> This e-mail is confidential, may contain proprietary information of 
> Cameron and its operating Divisions and may be confidential or 
> privileged.
>
> This e-mail should be read, copied, disseminated and/or used only by 
> the addressee. If you have received this message in error please 
> delete it, together with any attachments, from your system.
> ~~

RE: [ActiveDir] Computer bootup speeds

2006-08-09 Thread Darren Mar-Elia



That's a new one on me. It's kind of ironic because in 
Vista, the NLA service replaces ICMP slow link detection for GP 
processing...
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

Well I think we figured it out.  If we disable the 
"Network Location Awareness (NLA)" service, it cuts the time down by about 
90%.  I guess we'll disable this service via a GPO, cuz it looks like we 
don't need it anyway. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Wednesday, August 09, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds


I’d also 
verify what server my machines are authenticating to using “Set L” from a 
command prompt and making sure they are hitting the correct ones. Sounds like 
the IP range may not be defined in Sites and Services.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Wednesday, August 09, 2006 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds
 
I had this happen once 
and for the life of me could not figure it out. It was happening to computers 
pointed to one router in particular as their default gateway. It was one of 3 
of our Gateway routers so I swapped DHCP settings to a different one and they 
all started working like they should. 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Wednesday, August 09, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds
First thing I would 
check is the DNS settings on the client.  Are they pointing at a valid DNS 
server, and is it responding?
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds
 
No, just 
local.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

Do you have roaming profiles?

Andrew Fidel

  "Rimmerman, Russ" <[EMAIL PROTECTED]>
  Sent by: [EMAIL PROTECTED]
  08/09/2006 02:29 PM
  Please respond to ActiveDir@mail.activedir.org

  To:
  cc:
  Subject: [ActiveDir] Computer bootup speeds

Is there any easy way to determine why it's taking so long for PCs in our AD
to boot up? It sits at applying settings for quite awhile, so I'm thinking it
may have something to do with GPOs, but most computers only have 2 or 3 GPOs
applied to them. I wouldn't think the GPOs would take that long to apply
though. Sometimes it literally sits at applying settings for 4 or 5 minutes!
I guess I could move a computer to an OU with no GPOs and see, but are there
any other ways?

Thanks
 
Confidentiality 
Notice: The information contained in this message may be legally privileged and 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, or the 
employee or agent responsible to deliver it to the intended recipient, you are 
hereby notified that any release, dissemination, distribution, or copying of 
this communication is strictly prohibited. If you have re

RE: [ActiveDir] re: Computer bootup speeds

2006-08-09 Thread Darren Mar-Elia



There are lots of reasons for slow boot-up, as folks have 
indicated. Enabling userenv logging and observing the time stamps will give you 
a clue as to whether it's related to user profiles or group policy. Also, as per 
the network issues, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;840669
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Wednesday, August 09, 2006 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] re: Computer bootup speeds

I've seen something 
similar in the past due to network issues.  Specifically Spanning Tree 
Protocol and/or link speed autosense on both the computer NIC and the switch 
port it is connected to.
 
Scott 
Klassen
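Ernesto asked in the "Viewing GPO processing" thread whether verbose userenv logging would help, and Darren notes above that its time stamps tell you whether a slow logon is in profile loading or Group Policy processing. The PowerShell below is an added example, not code from the list or from Darren: it turns on verbose logging and then reports the largest gaps between consecutive userenv.log entries so the slow phase stands out. The registry value and log path are the documented XP/2003 ones; the sample log lines are constructed to show a slow-link-detection stall, and the function and parameter names are my own.

```powershell
# Added example (not from the thread). Parses a verbose userenv.log
# ("USERENV(pid.tid) HH:MM:SS:mmm message" per line) and lists the longest
# pauses between consecutive entries.

function Enable-UserenvLogging {
    # UserEnvDebugLevel 0x30002 turns on verbose logging to
    # %windir%\Debug\UserMode\userenv.log on Windows XP / 2003.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name UserEnvDebugLevel -Value 0x30002 -Type DWord
}

function ConvertFrom-UserenvLog {
    param([string[]]$Lines)
    $pattern = '^USERENV\((?<proc>[0-9a-fA-F]+)\.(?<thread>[0-9a-fA-F]+)\)\s+' +
               '(?<h>\d{1,2}):(?<m>\d{2}):(?<s>\d{2}):(?<ms>\d{3})\s+(?<msg>.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Thread  = '{0}.{1}' -f $Matches['proc'], $Matches['thread']
                Time    = New-Object -TypeName System.TimeSpan -ArgumentList @(
                              0, [int]$Matches['h'], [int]$Matches['m'],
                              [int]$Matches['s'], [int]$Matches['ms'])
                Message = $Matches['msg']
            }
        }
    }
}

function Find-UserenvGaps {
    param([object[]]$Entries, [double]$ThresholdSeconds = 5)
    $gaps = @()
    for ($i = 1; $i -lt $Entries.Count; $i++) {
        $prev  = $Entries[$i - 1]
        $cur   = $Entries[$i]
        $delta = $cur.Time - $prev.Time
        # Entries carry no date, so a negative delta means the log crossed midnight.
        if ($delta.TotalSeconds -lt 0) { $delta = $delta.Add([TimeSpan]::FromDays(1)) }
        if ($delta.TotalSeconds -ge $ThresholdSeconds) {
            $gaps += New-Object PSObject -Property @{
                Seconds = [math]::Round($delta.TotalSeconds, 3)
                Before  = $prev.Message
                After   = $cur.Message
            }
        }
    }
    return $gaps
}

# Constructed sample: a multi-minute stall inside slow-link detection, which is
# the kind of pause the NLA/ICMP discussion in this thread is about.
$SampleUserenvLog = @'
USERENV(23c.240) 08:01:02:100 ProcessGPOs: Starting computer Group Policy processing...
USERENV(23c.240) 08:01:02:115 EnterCriticalPolicySection: Critical section has been claimed.
USERENV(23c.240) 08:01:02:120 PingComputer: Checking link speed to the domain controller
USERENV(23c.240) 08:05:47:300 PingComputer: Fast link.  Exiting.
USERENV(23c.240) 08:05:47:410 ProcessGPOs: Processing extension Registry
USERENV(23c.240) 08:05:48:005 ProcessGPOs: Computer Group Policy has been applied.
USERENV(23c.240) 08:05:48:010 LeaveCriticalPolicySection: Critical section has been released.
'@

$entries = @(ConvertFrom-UserenvLog -Lines ($SampleUserenvLog -split "`r?`n"))
Find-UserenvGaps -Entries $entries -ThresholdSeconds 5 |
    Select-Object Seconds, Before, After | Format-Table -AutoSize

# On a real XP/2003 machine, after Enable-UserenvLogging and a reboot, feed the
# live log instead:  Get-Content "$env:windir\debug\UserMode\userenv.log"
```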


RE: [ActiveDir] machine GP load

2006-08-09 Thread Darren Mar-Elia



Several things might prevent that, including security 
filters that are denying access to the GPO from the machines, network timing 
issues (esp. if it's only machine GPOs that are causing the problem). I would use 
GPMC to run a GP Results Wizard against the machine and just verify that the 
GPOs are not denied for some reason that you can control. If the component 
status shows that GP Infrastructure processing Failed, then it's probably 
something other than the obvious and we can go from there.
 
Darren
 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Wednesday, August 09, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] machine GP load


I have a few machines 
that will not load the machine GP.  I’m pretty sure that it’s an issue with 
the workstations but just to cover butt, is there any thing that on the GP or AD 
that would prevent the GP from loading?
 
Antonio


RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Darren Mar-Elia



I hear what you're saying with respect to DOS attacks and 
filling up the disk with Ghost images but I think what you're talking about is 
trying to design around dumb mistakes. When has that ever been a task without 
end ? :-) I'm all for designing for performance, availability, etc. but I think 
you also need systems (disk quotas, monitoring, auditing come to mind in this 
scenario) to keep your administrators honest. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 08, 2006 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving Sysvol .

I believe the school of thought here is 
that the person has write access to the same volume as the DIT, which means he/ 
she can easily perform DOS attacks, etc. by filling up the disk.  
I agree it's unlikely, but there you 
go.  Take the [real] examples of where people with write access to SYSVOL 
have decided to replicate ghost images, etc. which not only trashes FRS, but 
fills the disk so that only the 20MB reserve files are left (which can easily be 
used up with dodgy custom synchronisation scripts that don't know what a USN is 
[past experience showing?] ;-)
 
I don't believe the recommendations for 
Logs and DIT go either.  Yes, the logs are predominantly write, while most 
of the DIT usage is read, but the logs are circular.  Why waste a mirrored 
set for < 100 MB of disk even if disk is cheap?  Plus, as already stated 
in the same argument, most of the activity is read, so is there really 
performance to be gained by having nano-second better response times on the file 
writes?  Other than implementation or re-provisioning or restoration, I 
can't see the need to separate the logs.
 
I'm involved with a design at the moment 
that has a 30+ GB DIT (~320,000 users at the moment) and I'm using my earlier 
recommendations for the disks for DCs.  We're arguing over whether RAID10 
or RAID5 for the logical disk(s) that contain the non-OS volumes should be used, 
but there's not much difference there on a 4 - 6 disk set - the argument is 
political to do with different standards for the management people.  But 
then, the SYSVOL volume is also a scratch area for administrators.  The DIT 
and OS volumes are very much off limits, and secured thus.
 
 
--Paul
 

  - Original Message - 
  From: Darren Mar-Elia 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, August 08, 2006 3:58 PM
  Subject: RE: [ActiveDir] Moving Sysvol .
  
  Yea, I'm not sure why one has to do with the other (GPO 
  delegation and security of the DIT). GPO delegation simply involves granting 
  permissions on individual GPC objects in AD and individual folders in the 
  GPT (SYSVOL). The only risk I can see is that it is marginally 
  easier to fill up a disk by writing a ton of data into SYSVOL than 
  it is to do that by generating millions of AD objects (both of which a 
  "lesser" admin can do), but if either happens, you probably have bigger 
  problems than the disk with the DIT on it 
  filling up.
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, August 08, 2006 6:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Moving Sysvol .
  
  ... but then there's the school of thought that says you 
  should:
   
   - 
  Place DIT and logs on separate spindles, since DIT is read intensive and logs are write intensive
   
  Since SYSVOL is also read intensive, I'd prefer to place SYSVOL with 
  the DIT. 
   
  To 
  be honest, I don't follow the delegation argument...GPOs exist in SYSVOL and 
  AD so if delegating access to GPOs, surely there is an argument for placing 
  SYSVOL and DIT on the *same* disk(?)
   
   
  neil
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: 08 August 2006 13:35
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Moving Sysvol .
  
  Yes, you can relocate the SYSVOL.  
  It's just a little more involved (couple of extra steps, not difficult) than 
  moving the DIT.  See:
   -- http://support.microsoft.com/?id=842162
   
   
  However, if I might be so bold as to 
  make a suggestion here, I would recommend you leave SYSVOL where it is, giving 
  you:
   
  0: Windows
  1: DIT and Logs
  2: SYSVOL
   
   
  You don't want SYSVOL on the same disk 
  as the database.  Especially if you are delegating things like GPO 
  modification, etc. to non-admins or lesser admins.
   
   
  --Paul
  
- Original Message - 
From: Yann 
To: ActiveDir@mail.activedir.org 
Sent: Tuesday, August 08, 2006 1:14 PM
Subject: [ActiveDir] Moving Sysvol .

Hello :)
 
I have my AD w2k3sp1 hard disk configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.
 
I would like to chang

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Darren Mar-Elia



Yea, I'm not sure why one has to do with the other (GPO 
delegation and security of the DIT). GPO delegation simply involves granting 
permissions on individual GPC objects in AD and individual folders in the GPT 
(SYSVOL). The only risk I can see is that it is marginally easier to 
fill up a disk by writing a ton of data into SYSVOL than it is to do 
that by generating millions of AD objects (both of which a "lesser" admin can 
do), but if either happens, you probably have bigger problems than the 
disk with the DIT on it filling up.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 08, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving Sysvol .

... but then there's the school of thought that says you 
should:
 
 - 
Place DIT and logs on separate spindles, since DIT is read intensive and logs are write intensive
 
Since 
SYSVOL is also read intensive, I'd prefer to place SYSVOL with the DIT. 

 
To be 
honest, I don't follow the delegation argument...GPOs exist in SYSVOL and AD so 
if delegating access to GPOs, surely there is an argument for placing SYSVOL and 
DIT on the *same* disk(?)
 
 
neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 08 August 2006 13:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving Sysvol .

Yes, you can relocate the SYSVOL.  
It's just a little more involved (couple of extra steps, not difficult) than 
moving the DIT.  See:
 -- http://support.microsoft.com/?id=842162
 
 
However, if I might be so bold as to make 
a suggestion here, I would recommend you leave SYSVOL where it is, giving 
you:
 
0: Windows
1: DIT and Logs
2: SYSVOL
 
 
You don't want SYSVOL on the same disk as 
the database.  Especially if you are delegating things like GPO 
modification, etc. to non-admins or lesser admins.
 
 
--Paul

  - Original Message - 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, August 08, 2006 1:14 PM
  Subject: [ActiveDir] Moving Sysvol .
  
  Hello :)
   
  I have my AD w2k3sp1 hard disk configured as this:
  hdd1: AD logs.
  hdd2: ntds.dit + sysvol.
   
  I would like to change my hdd2, so I move the ntds.dit to hdd1 and that's 
  ok. But how do I move the sysvol folder to hdd1? Is there a way to do this?
   
  Thanks for your replies.
   
  Yann
   
  
  
  Discover a new way to ask all your questions, whatever the subject! 
  Yahoo! Questions/Réponses lets you share your knowledge, your opinions and 
  your experiences. Click here. 
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended recipient
of this email please notify the sender immediately and delete your copy from
your system. You must not copy, distribute or take any further action in
reliance on it. Email is not a secure method of communication and Nomura
International plc ('NIplc') will not, to the extent permitted by law, accept
responsibility or liability for (a) the accuracy or completeness of, or (b) the
presence of any virus, worm or similar malicious or disabling code in, this
message or any attachment(s) to it. If verification of this email is sought
then please request a hard copy. Unless otherwise stated this email: (1) is
not, and should not be treated or relied upon as, investment research; (2)
contains views or opinions that are solely those of the author and do not
necessarily represent those of NIplc; (3) is intended for informational
purposes only and is not a recommendation, solicitation or offer to buy or
sell securities or related financial instruments. NIplc does not provide
investment services to private customers. Authorised and regulated by the
Financial Services Authority. Registered in England no. 1550505 VAT No.
447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A
member of the Nomura group of companies.


RE: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-08-02 Thread Darren Mar-Elia



Alex-
I think you've proved my point by saying, "having 
local admin rights is definitely a bad thing as far as security is concerned". 
:-). But of course you are pointing out the underlying dilemma that 
administrators have faced while trying to create a least-privileged user 
environment. Frankly, I agree with you. It is easier to grant local admin. 
rights in some cases rather than trying to work around it. I have had to do that 
myself in a past life. But I also managed to create and support an environment 
for around 20,000 users (in NT 3.5 and 4.0 no less) that did not require 
most users to have local admin rights. But it was not easy and it was not a 
secure solution--it basically involved relaxing file system and registry 
permissions as needed to allow specific apps to run. Yes the problem is 
absolutely with how the OS and most applications are written--generally badly. 
And yes, the problem becomes a lot less painful to manage with Vista and UAC. 
But in the meantime, as the Internet has exposed the soft underbelly of an 
all-admin environment, people continue to get worms and other malware that has a 
serious effect on their business and its security. Frankly, I think that with 
some of the recent advances in ISV solutions around this--with products that let 
you selectively elevate privileges by application, that this problem can be 
managed. But then of course, you do have to spend money on it! 

 
Vista will provide an in-the-box solution that I suspect 
many will find irritating, but effective. 
 
Darren
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, August 02, 2006 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?


> No, I think the bigger problem with having lots of over-privileged admins is 
> the same problem we have with organizations that make all of their users 
> admins on their local machines--that of over-privileged users being targets 
> for malware that take advantage of their privileges to do nasty things. 
> … And, while you're at it, how about removing administrator rights from all 
> of your end users
 
I don’t agree with your 
point regarding local admin rights. Yes I agree; having local admin rights is 
definitely a bad thing as far as security is concerned, but I can speak from 
experience that many times as much as I dreaded doing it, I had to give it to 
users. The reason was users were simply not able to do their work. Runas, etc. 
did not work or worked half of the time, and no matter how much time I spent, 
the quickest and most simple solution was to just give them admin rights. 

I tend to think most of 
the problem lies with MSFT & Windows application developers for designing an 
OS and writing code, which require “all or nothing” admin 
privileges.
Ironically most of 
those users were application developers themselves!
 
 

Alex




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 01, 2006 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
 
Thanks Joe. 
Interestingly, I agree with what you're saying here, but not for 
exactly the same reason. I happen to think that the "badness" of having 
lots of over-privileged admins is not the accidental stupidity (hmmm...is that 
an oxymoron?), although we know that happens. This actually gets to the heart of 
what I think is wrong with how some Windows shops are managed. When I worked in 
larger environments that had mainframes, there was rigorous change control over 
absolutely every little thing that was done. So, no matter how privileged an 
administrator was, nothing that they did went unseen, untested and didn't come 
with a rock-solid back out plan. Enter the distributed world of Windows and all 
bets are off. Having lots of domain admins is not a problem, in and of itself, 
if you follow good change management practices, because presumably none of those 
DAs would dare make a change for fear of having their heads chopped off. But 
that is a cultural thing that does not exist in most Windows shops. No, I think 
the bigger problem with having lots of over-privileged admins is the same 
problem we have with organizations that make all of their users admins on their 
local machines--that of over-privileged users being targets for malware that 
take advantage of their privileges to do nasty things. I'd be much less worried 
from a DA that accidentally deletes an OU than I would be from a DA who 
accidentally clicks on that website that downloads malicious code that is smart 
enough to take advantage of that user's DA status to get at or 
modify corporate directory data that compromises security, privacy or other 
critical business stuff. I have yet to see such a targeted attack but I am 
guessing it's only a matter of time. 
 
So, yes, absolutely get 
rid of all those extra DAs, but

RE: [ActiveDir] OT: XP exploit

2006-08-01 Thread Darren Mar-Elia
This is silly. At least on XP, a normal, non-admin user cannot add AT jobs.
So, yes, this would work if the user is local admin., but big deal. At that
point, who cares? Is the point here that I can elevate from Administrator to
LocalSystem? I'm not really sure that's a revelation...

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Tuesday, August 01, 2006 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: XP exploit

Use GPO to prevent users from running the scheduler.  Need to do a reg hack
to block local accounts.
http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.
html 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-08-01 Thread Darren Mar-Elia



Thanks Joe. Interestingly, I agree with what you're saying 
here, but not for exactly the same reason. I happen to think that the 
"badness" of having lots of over-privileged admins is not the accidental 
stupidity (hmmm...is that an oxymoron?), although we know that happens. This 
actually gets to the heart of what I think is wrong with how some Windows shops 
are managed. When I worked in larger environments that had mainframes, there was 
rigorous change control over absolutely every little thing that was done. So, no 
matter how privileged an administrator was, nothing that they did went unseen, 
untested and didn't come with a rock-solid back out plan. Enter the distributed 
world of Windows and all bets are off. Having lots of domain admins is not a 
problem, in and of itself, if you follow good change management practices, 
because presumably none of those DAs would dare make a change for fear of having 
their heads chopped off. But that is a cultural thing that does not exist in 
most Windows shops. No, I think the bigger problem with having lots of 
over-privileged admins is the same problem we have with organizations that make 
all of their users admins on their local machines--that of over-privileged users 
being targets for malware that take advantage of their privileges to do nasty 
things. I'd be much less worried from a DA that accidentally deletes an OU than 
I would be from a DA who accidentally clicks on that website that downloads 
malicious code that is smart enough to take advantage of that user's DA status 
to get at or modify corporate directory data that compromises security, 
privacy or other critical business stuff. I have yet to see such a targeted 
attack but I am guessing it's only a matter of time. 
 
So, yes, absolutely get rid of all those extra DAs, but not 
just because they do stupid admin tricks, but also because they open up your AD 
to all kinds of nasty attacks. And, while you're at it, how about removing 
administrator rights from all of your end users
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Yeah I know where you are coming from Darren but absolutely 
can't say it is ok because I do not believe it is ok at all. I think saying it 
is ok or that it is understandable will relax people about it and people 
absolutely should not be relaxed about it or feel that they can't do anything 
about it and that it isn't their responsibility to try and get corrected. It is 
a very bad thing and they need to always have that spectre over them where they 
know it. That helps, I think, in making it so it isn't a surprise when something 
inevitably screws up and no one can sit there saying, wow, I had no idea it was 
that bad of a thing. People need to be working towards locking down their 
environment every moment and looking for bad things and removing them every 
second. It is a long slow climb uphill but if the work isn't done, it will never 
happen until maybe, hopefully not, something absolutely blows and everyone has 
to jump and try to figure out how to do it in one fell 
swoop.
 
I saw the same logic of  "the people really don't know 
what they can do"... used for running an Enterprise Data Center back in 1999 and 
this was with hundreds of NT servers and many domains and application owners 
were just given admin rights over all of these boxes and it was status quo; none 
of the people had a clue what kind of rights they had and figured anything bad 
they were actually protected from doing because it would be stupid to let them 
be able to do something bad Everyone said it was fine and didn't cause 
issues until I came in and started looking at it and got sick of running around 
working on stupid preventable stuff so started making sure every issue was 
reported and floated up. While it made me and my group look bad initially 
because the availability of the servers appeared to have plummetted from where 
it was before, it was only that it appeared that way because we actually 
reported the problems where the previous folks hid everything under the carpet 
and that slowly became apparent. It slowly gave us the permission to fix stupid 
things that the previous group said was impossible to get changed. It was a lot 
of hard work but by the end of it, things actually did run well and stable. I 
know probably better than most the politics and the outright pain and difficulty 
involved because I lived through 80 and 100+ hour weeks of it in a very high 
pressure Fortune 5 environment where I had plant managers and VPs of 
manufacturing who had no problem screaming at me but I also realize the huge 
benefits you get out of that work and I think any admins who are serious about 
doing a good job will keep it up and keep trying to fight the good fight. 
In the long run, they will look better for it,

Re: [ActiveDir] schema extensions for Vista wireless networking GP support

2006-07-31 Thread Darren Mar-Elia

No, this is for the new Wireless policy features that are specific to Vista. R2 does not include them. Server 2003 included the schema extensions for Wireless policy that first appeared in XP, but this is new stuff.

From: "Matt Hargraves" <[EMAIL PROTECTED]>
Sent: Monday, July 31, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] schema extensions for Vista wireless networking GP support

I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.

On 7/28/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
In case anyone is interested, here's a doc that describes the AD schema extensions that will be required to support the new wireless networking Group Policy stuff in Vista: http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.


RE: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-07-31 Thread Darren Mar-Elia



I 
think we all know how bad it is to have hoards of DAs. We also know that it is 
the reality in many large and small orgs. and we also know that it is sometimes 
unavoidable for purely non-technical reasons. The bottom line is that many of 
those DAs probably don't know how to undo something that you take away from 
them, so security by obscurity, while pretty awful, sometimes 
actually works. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Hehe. Wrong list for this kind of question. Put on a 
helmet.
 
But... yes you can, for as long as the DAs decide to let it 
be that way. They will have no issues switching it right back. You CANNOT 
prevent DAs from doing anything they want in the domain or the forest. You can 
try like a duckling can try and put out the flames of a volcano with 
the beating of his wings and you will be just as successful. There is no such 
thing as Domain Administrator and Super Domain Administrator. Once you get even 
administrator rights on a DC, you pretty much do what you want when you want. It 
really doesn't even take that much but we will start there. 
 
The answer you are looking for is to reduce the number of 
DAs in the entire forest to 5 or less. You don't work for a large enough company 
to actually qualify to use LOTS of Domain Administrators unless there are lots 
of forests and only a few DAs in each. AD should be delegated or 
provisioned, it shouldn't have a bunch of folks with native high level rights. 
No this isn't impossible to do, some of us have done it in Fortune 5 companies 
and of course also in smaller companies. 
 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible? Thanks in advance.

Andy


RE: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-07-31 Thread Darren Mar-Elia



Andy-
Yes, it's possible. There are actually two steps here. If 
you have GPMC, highlight the Group Policy Objects node on your domain and choose 
the Delegation tab. From here, you can delegate which groups can create GPOs in 
the domain. However, even if you remove Domain Admins from this list, what you 
will notice is that, when a GPO gets created by someone legitimately, the Domain 
Admins group will still have edit rights over that GPO. This is because the 
defaultSecurityDescriptor attribute on the groupPolicyContainer schema class 
object includes this group when any new objects are created. In order to change 
this, you will need to modify this attribute in the schema (e.g. using ADSIEdit) 
to remove that group from the SDDL list stored in that 
attribute.
 
Darren
 

Darren Mar-Elia
For comprehensive 
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs, 
video training, tools and whitepapers. Also check out the Windows 
Group Policy Guide, the definitive resource for Group Policy 
information.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible? Thanks in advance.

Andy
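As an added example for the second step Darren describes above (this is not code from the thread, from GPMC, or from Darren's tools), the following PowerShell script treats the schema change as an audit first: it reads the defaultSecurityDescriptor of the Group-Policy-Container schema class, lists every trustee that SDDL grants rights to on newly created GPOs, builds a copy with Domain Admins purged, and writes it back only after an explicit confirmation against the schema master. The cmdlets and .NET types are real; the RSAT ActiveDirectory module, a domain-joined session, and Schema Admins membership for the write step are assumptions.

```powershell
# Added example (not from the thread): audit and, with confirmation, rewrite the
# defaultSecurityDescriptor of the groupPolicyContainer schema class.
# Assumes: RSAT ActiveDirectory module, domain-joined session, Schema Admins
# membership for Set-GpcDefaultSecurityDescriptor.
Import-Module ActiveDirectory

function Get-GpcSchemaClass {
    # groupPolicyContainer lives in the schema NC as CN=Group-Policy-Container.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -Identity "CN=Group-Policy-Container,$schemaNC" -Properties defaultSecurityDescriptor
}

function ConvertTo-AccessRuleList {
    param([Parameter(Mandatory)][string]$Sddl)
    # ActiveDirectorySecurity resolves the two-letter SDDL aliases (DA, EA, SY, AU, CO ...)
    # against the current domain, so the output shows real account names.
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType
}

function Remove-TrusteeFromSddl {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Account   # e.g. 'CONTOSO\Domain Admins' (constructed sample)
    )
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    # PurgeAccessRules drops every ACE for that one trustee and touches nothing else.
    $sd.PurgeAccessRules([System.Security.Principal.NTAccount]$Account)
    $sd.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Set-GpcDefaultSecurityDescriptor {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$NewSddl)
    $class        = Get-GpcSchemaClass
    $schemaMaster = (Get-ADForest).SchemaMaster   # schema writes must go to the FSMO holder
    if ($PSCmdlet.ShouldProcess($class.DistinguishedName, "Replace defaultSecurityDescriptor on $schemaMaster")) {
        Set-ADObject -Identity $class.DistinguishedName -Server $schemaMaster `
                     -Replace @{ defaultSecurityDescriptor = $NewSddl }
    }
}

# --- usage ---
$class   = Get-GpcSchemaClass
$current = $class.defaultSecurityDescriptor
"Current default SD for groupPolicyContainer:`n$current"
ConvertTo-AccessRuleList -Sddl $current | Format-Table -AutoSize

$da      = "$((Get-ADDomain).NetBIOSName)\Domain Admins"
$daRules = ConvertTo-AccessRuleList -Sddl $current | Where-Object { $_.IdentityReference.Value -eq $da }
if ($daRules) {
    Write-Warning "$da is in the default SD and will get '$($daRules.ActiveDirectoryRights -join ', ')' on every new GPO."
    $proposed = Remove-TrusteeFromSddl -Sddl $current -Account $da
    "Proposed default SD without ${da}:`n$proposed"
    # Dry run. Drop -WhatIf to apply; ConfirmImpact=High still prompts before writing.
    Set-GpcDefaultSecurityDescriptor -NewSddl $proposed -WhatIf
}
```

Two things to keep in mind when running it: the default security descriptor is only stamped on objects created after the change, so existing GPOs keep whatever ACL they already have, and the first step in Darren's answer (the GPMC Delegation tab on the Group Policy Objects node) is just a front end for the ACL on the CN=Policies,CN=System container of the domain, which the same ActiveDirectorySecurity approach can be used to review. As joe points out elsewhere in the thread, anyone who remains a Domain Admin can put the entry back, so this limits accidents rather than a determined DA.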


[ActiveDir] schema extensions for Vista wireless networking GP support

2006-07-28 Thread Darren Mar-Elia



In case anyone is 
interested, here's a doc that describes the AD schema extensions that will be 
required to support the new wireless networking Group Policy stuff in 
Vista:
 
http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx
 
Darren
 
 
Darren Mar-Elia
For comprehensive 
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs, 
video training, tools and whitepapers. Also check out the Windows 
Group Policy Guide, the definitive resource for Group Policy 
information.
 
 


RE: [ActiveDir] Firewall block Group Policy

2006-07-27 Thread Darren Mar-Elia



Check out this article for restricting the range of dynamic 
ports used by RPC/DCOM.
 
http://msdn.microsoft.com/library/default.asp?url="">
 
Darren
 

Darren Mar-Elia
For comprehensive 
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs, 
video training, tools and whitepapers. Also check out the Windows 
Group Policy Guide, the definitive resource for Group Policy 
information.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Thursday, July 27, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewall block Group Policy

Hi,

When users are on the VPN network, they can not apply Group Policy since there is a firewall between the VPN network and the internal network. Now I need to find out how many ports are required to allow clients to successfully apply Group Policy.

Based on KB832017, "To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols."

Here is the list of port information:

Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65534
ICMP (ping)            ICMP        20
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65534

It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendation for this issue?

Thanks in advance!

Andy
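As an added example of the approach Darren points to (restricting the RPC/DCOM dynamic port range so the firewall rule becomes TCP 135 plus a small range instead of 1024-65534), here is a PowerShell script that reads and, with confirmation, sets the registry values under HKLM\SOFTWARE\Microsoft\Rpc\Internet used for that purpose on Windows 2000/2003/XP, and then prints the resulting firewall rule list for the protocols in Andy's KB832017 table. It is not code from the thread or from the MSDN article; the registry key and value names are the documented ones, while the sample range 5000-5100, an elevated session on the domain controller (the server side chooses the dynamic port), and the reboot afterwards are assumptions.

```powershell
# Added example (not from the thread): audit / set the RPC dynamic port restriction
# on a Windows 2000/2003 DC. Assumes an elevated session on the DC; a reboot is
# required before the new range is used.
$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcPortRestriction {
    # Returns $null when no restriction is configured (the key does not exist by default).
    if (-not (Test-Path $RpcInternetKey)) { return $null }
    $p = Get-ItemProperty -Path $RpcInternetKey
    [pscustomobject]@{
        Ports                  = $p.Ports                   # REG_MULTI_SZ, e.g. '5000-5100'
        PortsInternetAvailable = $p.PortsInternetAvailable  # REG_SZ 'Y': the list is the allowed set
        UseInternetPorts       = $p.UseInternetPorts        # REG_SZ 'Y': apply the list to all endpoints
    }
}

function Set-RpcPortRestriction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Inclusive range 'low-high'; '5000-5100' is a constructed sample value.
        [Parameter(Mandatory)][ValidatePattern('^\d{4,5}-\d{4,5}$')][string]$PortRange
    )
    $low, $high = ($PortRange -split '-' | ForEach-Object { [int]$_ })
    if ($low -lt 1025 -or $high -gt 65535 -or $low -ge $high) {
        throw "Port range must lie within 1025-65535 with low < high (got $PortRange)."
    }
    if (($high - $low + 1) -lt 100) {
        # Too few ports and RPC servers on a busy DC run out of endpoints; Microsoft's
        # guidance for this setting is a minimum of 100 ports.
        Write-Warning "Range $PortRange has fewer than 100 ports."
    }
    if ($PSCmdlet.ShouldProcess($RpcInternetKey, "Restrict RPC dynamic ports to $PortRange")) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
        New-ItemProperty -Path $RpcInternetKey -Name Ports -PropertyType MultiString -Value @($PortRange) -Force | Out-Null
        New-ItemProperty -Path $RpcInternetKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
        New-ItemProperty -Path $RpcInternetKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
    }
}

function Get-FirewallRuleSummary {
    # Turn the configured range into the rules the VPN firewall needs for Group Policy
    # processing, using the protocol list from Andy's KB832017 excerpt.
    param([string]$PortRange = (Get-RpcPortRestriction).Ports)
    if (-not $PortRange) { $PortRange = '1024-65534 (unrestricted)' }
    @(
        [pscustomobject]@{ Service = 'RPC endpoint mapper / DCOM'; Protocol = 'TCP';  Port = '135' }
        [pscustomobject]@{ Service = 'RPC / DCOM dynamic';         Protocol = 'TCP';  Port = $PortRange }
        [pscustomobject]@{ Service = 'LDAP';                       Protocol = 'TCP';  Port = '389' }
        [pscustomobject]@{ Service = 'SMB (SYSVOL)';               Protocol = 'TCP';  Port = '445' }
        [pscustomobject]@{ Service = 'ICMP (slow link detection)'; Protocol = 'ICMP'; Port = 'echo request / reply' }
    )
}

# --- usage ---
'Current restriction:'; Get-RpcPortRestriction
Set-RpcPortRestriction -PortRange '5000-5100' -WhatIf   # dry run; remove -WhatIf to apply
Get-FirewallRuleSummary -PortRange '5000-5100' | Format-Table -AutoSize
```

The restriction is applied on the RPC server (here the domain controllers), not on the VPN clients, because it is the server that allocates the dynamic port the client is told to connect to. Any other RPC server on the same box is confined to the range too, which is why the 100-port minimum matters.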

