RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Dave Wade
 
If you want to query Notes and AD in the same script you don't need to use 
LotusScript; you can use VBScript. There is a set of objects that allow access 
to Notes provided you have the Notes client installed. They are documented in 
the Notes help file. Basically they are the same as the interfaces LotusScript 
uses. I seem to recall that LotusScript is virtually the same as VBScript/VBA 
but tweaked enough so Lotus/IBM does not have to pay MS a license for 
VBA/VBScript.
 
I used to have some examples to do that and if you need them I could probably 
fish them out...
 
Dave.
 


From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Fri 26/01/2007 22:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as
ADSI likes to use Windows auth by default and depends on the LDAP directory
to support the LDAP V3 subschemaSubentry rootDSE attribute to express its
abstract schema in order for ADSI to map LDAP data types to COM datatypes.
It might work, but I'd be more surprised if it did than didn't.  A lower
level LDAP tool like ADFind might make more progress, though.

Having done a lot of Domino programming back in "the day", my suggestion
would be to write a LotusScript program that goes against the NAB and gets
the addresses that way.  It would probably be less effort in the long run.
If I was asked to do the exact same thing, that is definitely how I'd do it.

If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious
to hear about it.  :)

Joe K.

- Original Message -
From: Douglas W Stelley
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 3:13 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I really don't see that much in the enterprise version of MIIS that'll
justify the cost. We have some tools/program files that query LDAP for valid
email addresses (GFI for one). I'd just like to be able to pull all email
addresses out of Lotus/Domino so I can populate AD correctly. Of course I
could do it manually. And Domino does support and use LDAP, but I don't have
enough experience with Domino to build a script.


Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]


From: "Laura A. Robinson" <[EMAIL PROTECTED]>
Sent by: <[EMAIL PROTECTED]>
Sent: 01/26/2007 12:51 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes users' primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users?

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

From: "Brian Cline" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 01/26/2007 09:47 AM
Please respond to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to
query
for users that have seco
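As an added, offline illustration of the proxyAddresses convention this thread turns on (an upper-case `SMTP:` prefix marks the single primary address, lower-case `smtp:` marks the secondaries, and `mail` is expected to mirror the primary), here is a small Python model. It is not code from the thread or from any of its posters; the directory values below are constructed sample data, and a real run would feed in `proxyAddresses` and `mail` pulled from AD with whatever LDAP tool you prefer.

```python
"""Model of the Exchange proxyAddresses convention (added example, constructed data).

Convention: exactly one value carries an upper-case 'SMTP:' prefix (the primary
address, which 'mail' should mirror); lower-case 'smtp:' values are secondary
(non-primary) addresses; other prefixes (X400:, X500:, ...) are left alone.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SmtpAddresses:
    primary: Optional[str]
    secondaries: List[str] = field(default_factory=list)
    other: List[str] = field(default_factory=list)      # non-SMTP proxy entries
    problems: List[str] = field(default_factory=list)   # convention violations


def parse_proxy_addresses(values: List[str]) -> SmtpAddresses:
    """Split a proxyAddresses multi-value into primary / secondary SMTP entries."""
    primaries, secondaries, other, problems = [], [], [], []
    for v in values:
        prefix, sep, addr = v.partition(":")
        if not sep or not addr:
            problems.append(f"malformed proxy address: {v!r}")
        elif prefix == "SMTP":
            primaries.append(addr)
        elif prefix == "smtp":
            secondaries.append(addr)
        elif prefix.lower() == "smtp":          # 'Smtp:' and friends confuse tooling
            problems.append(f"mixed-case smtp prefix: {v!r}")
        else:
            other.append(v)
    if not primaries:
        problems.append("no primary SMTP address")
    elif len(primaries) > 1:
        problems.append(f"multiple primary SMTP addresses: {primaries}")
    seen = set()                                  # addresses compare case-insensitively
    for addr in primaries + secondaries:
        if addr.lower() in seen:
            problems.append(f"duplicate address: {addr}")
        seen.add(addr.lower())
    return SmtpAddresses(primaries[0] if primaries else None, secondaries, other, problems)


def check_mail_consistency(mail: Optional[str], values: List[str]) -> List[str]:
    """Problems found for one object, including 'mail' disagreeing with the primary."""
    parsed = parse_proxy_addresses(values)
    problems = list(parsed.problems)
    if parsed.primary and (mail or "").lower() != parsed.primary.lower():
        problems.append(f"mail {mail!r} != primary SMTP {parsed.primary!r}")
    return problems


def set_primary(values: List[str], new_primary: str) -> Tuple[List[str], Optional[str]]:
    """Promote new_primary by swapping the 'SMTP'/'smtp' prefixes (the change the
    thread describes ADUC making) and return the new value list plus the value
    'mail' must be updated to. An address not yet present is appended as primary."""
    out, found = [], False
    for v in values:
        prefix, sep, addr = v.partition(":")
        if sep and prefix.lower() == "smtp":
            if addr.lower() == new_primary.lower():
                out.append("SMTP:" + addr)     # promote, keeping the stored spelling
                found = True
            elif prefix == "SMTP":
                out.append("smtp:" + addr)     # demote the old primary
            else:
                out.append(v)
        else:
            out.append(v)
    if not found:
        out.append("SMTP:" + new_primary)
    return out, parse_proxy_addresses(out).primary


def non_primary_report(objects: Dict[str, Tuple[Optional[str], List[str]]]) -> Dict[str, List[str]]:
    """The question that started the thread: every non-primary SMTP address per object."""
    return {name: parse_proxy_addresses(vals).secondaries
            for name, (_mail, vals) in objects.items()}


# Constructed sample directory data (not real users): name -> (mail, proxyAddresses).
SAMPLE_OBJECTS = {
    "jdoe": ("jdoe@example.com", [
        "SMTP:jdoe@example.com",
        "smtp:john.doe@example.com",
        "X400:c=us;a= ;p=Example;o=Exchange;s=Doe;g=John;",
        "smtp:jdoe@old.example.com",
    ]),
    "sales": ("sales@example.com", ["SMTP:sales@example.com", "smtp:orders@example.com"]),
}

if __name__ == "__main__":
    for name, (mail, vals) in SAMPLE_OBJECTS.items():
        print(name, check_mail_consistency(mail, vals) or "ok")
    print(non_primary_report(SAMPLE_OBJECTS))
```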

RE: [ActiveDir] Policy Failing to apply

2007-01-16 Thread Dave Wade
I have checked and there is no folder redirection in place, either by policy, 
or manually applied:-( 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: 15 January 2007 22:48
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Policy Failing to apply
> 
> Just to add the detail to prove I am not totally mad.
> 
> http://support.microsoft.com/kb/888254
> 
> "You cannot set the Folder Redirection policy setting on a 
> Windows XP SP2-based computer that also uses Group Policy 
> settings to customize Internet Explorer"
> 
> Note: Group Policy settings that can customize Internet 
> Explorer include Proxy Settings and Start Page.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: 15 January 2007 17:15
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Policy Failing to apply
> 
> Do you use Folder redirection too?
> 
> I have come across an issue a couple of times where IE  is 
> customised in some way and folder redirection is enabled - 
> this can cause GP not to be applied.
> 
> There is a hotfix but I cannot look it up at the moment and I 
> am not sure if it was fixed in SP2 or not.
> 
> 
> 
> 
> Regards,
> 
> Mark Parris
> 
> Base IT Ltd
> Active Directory Consultancy
> Tel +44(0)7801 690596
> 
> 
> -Original Message-
> From: "Dave Wade" <[EMAIL PROTECTED]>
> Date: Mon, 15 Jan 2007 16:30:37
> To:
> Subject: RE: [ActiveDir] Policy Failing to apply
> 
> Oh yes, no one can surf the net without it. We do get 
> occasional issues where it does not apply, and some times we 
> set it manually while we sort the problem out. Normally if we 
> do this the settings "stick" and don't get wiped when the 
> policy refreshes. However in this case they are wiped when 
> the user logs in. It appears to be some issue with the users 
> settings as the problem "follows" her from PC to PC.
>  
>  
> 
>  From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Darren Mar-Elia
> Sent: 15 January 2007 15:24
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Policy Failing to apply
> 
>  
>  
>  
> Dave-
>  
> Does that same proxy policy work for any other users correctly? 
>  
> 
> Darren
>  
>  
>  
>  
>  
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: Monday, January 15, 2007 3:49 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Policy Failing to apply
>  
>  
>  
>  
> Folks,
> 
> I have a user for whom the Internet Explorer Proxy settings 
> are not applying correctly. They are set in the user portion 
> of the Default Domain Policy. I have checked with "Group 
> Policy Results" tool in the Group Policy Management snap-in 
> and it reports that they have been applied. But when the user 
> tries to surf the net they can't, and on checking in IE the 
> proxy fields are blank.
> 
> To make matters worse if I manually set the proxy, and then 
> do a "gpupdate /force" they are cleared. 
> 
> I have checked the event log on the machine and there is 
> nothing obvious amiss there. Has anyone any idea why this is 
> happening before I start turning on userenv debugging?
> 
> Not this is an isolated incident, and it appears to follow 
> the user rather than being machine specific.
> 
> Dave Wade
> 0161 474 5456
> 
> **
> This email, and any files transmitted with it, is 
> confidential and intended solely for the use of the 
> individual or entity to whom they are addressed. As a public 
> body, the Council may be required to disclose this email, or 
> any response to it, under the Freedom of Information Act 
> 2000, unless the information in it is covered by one of the 
> exemptions in the Act. 
> 
> If you receive this email in error please notify Stockport 
> e-Services via [EMAIL PROTECTED] and then 
> permanently remove it from your system. 
> 
> Thank you.
> 
> http://www.stockport.gov.uk
> **
> 
> 
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: htt

RE: [ActiveDir] Policy Failing to apply

2007-01-15 Thread Dave Wade
Darren,
 
 Thanks for the suggestion of looking in the log. I'll check that out. She does 
have a roaming profile, but as the error follows her to a new machine, I think 
it's most likely her server profile has become damaged in some way. This seems 
pretty common even though we have UPH clean loaded on most machines. I was 
trying to avoid re-building her profile as she has a lot of odd apps installed 
and it might take a while to get everything right.
 
Dave Wade
0161 474 5456



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Mon 15/01/2007 16:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply



Ok. If this user has a roaming profile, you might try deleting any locally 
cached copies of her profile and letting the roaming one download anew. That 
might free things up. Outside of some profile issue, you could check the IE 
Maintenance logs to see what is going on. If you open up her profile on the 
local machine and go into Application Data\Microsoft\Internet Explorer, there 
should be a log file called brndlog.txt that will contain the events that IE 
Maintenance generates at application time.

 

Darren

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply

 

Oh yes, no one can surf the net without it. We do get occasional issues where 
it does not apply, and some times we set it manually while we sort the problem 
out. Normally if we do this the settings "stick" and don't get wiped when the 
policy refreshes. However in this case they are wiped when the user logs in. It 
appears to be some issue with the users settings as the problem "follows" her 
from PC to PC.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren 
Mar-Elia
Sent: 15 January 2007 15:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply

Dave-

Does that same proxy policy work for any other users correctly? 


Darren

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policy Failing to apply

 

Folks,

I have a user for whom the Internet Explorer Proxy settings are not 
applying correctly. They are set in the user portion of the Default Domain 
Policy. I have checked with "Group Policy Results" tool in the Group Policy 
Management snap-in and it reports that they have been applied. But when the 
user tries to surf the net they can't, and on checking in IE the proxy fields 
are blank.

To make matters worse if I manually set the proxy, and then do a 
"gpupdate /force" they are cleared. 

I have checked the event log on the machine and there is nothing 
obvious amiss there. Has anyone any idea why this is happening before I start 
turning on userenv debugging?

Not this is an isolated incident, and it appears to follow the user 
rather than being machine specific.

Dave Wade
0161 474 5456


RE: [ActiveDir] Policy Failing to apply

2007-01-15 Thread Dave Wade
Oh yes, no one can surf the net without it. We do get occasional issues
where it does not apply, and some times we set it manually while we sort
the problem out. Normally if we do this the settings "stick" and don't
get wiped when the policy refreshes. However in this case they are wiped
when the user logs in. It appears to be some issue with the users
settings as the problem "follows" her from PC to PC.




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 January 2007 15:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply



Dave-

Does that same proxy policy work for any other users correctly? 


Darren

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policy Failing to apply

 

Folks,

I have a user for whom the Internet Explorer Proxy settings are
not applying correctly. They are set in the user portion of the Default
Domain Policy. I have checked with "Group Policy Results" tool in the
Group Policy Management snap-in and it reports that they have been
applied. But when the user tries to surf the net they can't, and on
checking in IE the proxy fields are blank.

To make matters worse if I manually set the proxy, and then do a
"gpupdate /force" they are cleared. 

I have checked the event log on the machine and there is nothing
obvious amiss there. Has anyone any idea why this is happening before I
start turning on userenv debugging?

Not this is an isolated incident, and it appears to follow the
user rather than being machine specific.

Dave Wade

0161 474 5456

 

 

 






[ActiveDir] Policy Failing to apply

2007-01-15 Thread Dave Wade
Folks,
 
 I have a user for whom the Internet Explorer Proxy settings are not
applying correctly. They are set in the user portion of the Default
Domain Policy. I have checked with "Group Policy Results" tool in the
Group Policy Management snap-in and it reports that they have been
applied. But when the user tries to surf the net they can't, and on
checking in IE the proxy fields are blank.
 
To make matters worse if I manually set the proxy, and then do a
"gpupdate /force" they are cleared. 
 
I have checked the event log on the machine and there is nothing obvious
amiss there. Has anyone any idea why this is happening before I start
turning on userenv debugging?
 
Not this is an isolated incident, and it appears to follow the user
rather than being machine specific.
 
Dave Wade
0161 474 5456
  
 




RE: [ActiveDir] How to change login authentication

2007-01-10 Thread Dave Wade
You need sites. Check out:-
 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx#EFE

Sorry if the URL is a bit long; you may have to glue it back together
...



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: 10 January 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to change login authentication



Hi all,

 

I have one Domain Controller (name dc01) in India and another
DC (name dc02) in a remote location. Both DCs can communicate. I have been
told to change user login authentication from DC01 to DC02.

So how can I perform this task? Please help me. I didn't find any
doc related to this.

 

Thanks,

Ajay 






RE: [ActiveDir] Roaming Profiles not updating

2007-01-08 Thread Dave Wade
Check the event log to see why the profile does not unload. On our
machines something keeps the registry open. Installing this fix seems to
cure it for us...

http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Dave.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
> Sent: 08 January 2007 15:13
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Roaming Profiles not updating
> 
> I'm having some problems with roaming profiles.
> I have several users that use 3 different computers.
> 1 is a tablet PC, and two are workstations, and sometimes the 
> OS on the workstation can be XP or Win2k.
> 
> The users keep telling me that when they delete icons from 
> their desktop, the settings stay, but maybe a week or two 
> later, all those desktop icons that they deleted return.  
> What I can't pinpoint is why the profile doesn't update.  
> I think the old profile returns when the tablet is used.
> The tablet PC is wireless too, which they take home.
> 
> Any ideas?
> 
> Ernesto
> 
> 
> 
> 




RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Dave Wade
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing 
> "rogue" DHCP servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP 
> server from playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really 
> found anything that makes it possible to auth. a DHCP server, 
> so that the clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP 
> server is Windows-based, you have to "auth" it on the Domain. That 
> prevents the AD/infrastructure admins from shooting 
> themselves in the foot by having too many/improperly 
> configured servers.. But that won't stop a rogue VM from 
> being a nuisance...
> 
> I've found this problem in one of our customers' sites. They 
> use static IP addressing, but we were setting up a few of 
> their computers with a different sw load and configuration, 
> and they wanted to use DHCP to make config changes more 
> dynamic. When running on an isolated network segment, all 
> was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside 
> their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC 
> and no open ports whatsoever (tcp/udp), at least that I could 
> find. Strange ;)
>

Probably an XP system with the firewall on. A real pain to manage.
 
> We managed to overcome the issue because the software load 
> included an IP filtering component, so we decided to block 
> UDP/67 and UDP/68 traffic from all IP addresses and only 
> allow it for 255.255.255.255 and the IP address of the 
> servers we were going to use... But using a whitelist is a 
> bit of a PITA, so I was wondering if there was some other 
> "cleaner" way to do it..
> 
> Thank a lot in advance
> 
>   Javier J
> 
> 
> 



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
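As an added illustration of the allow-list approach Javier describes (only known DHCP servers should be answering on UDP/67), here is a Python sketch that is not from the thread or any poster: it decodes a DHCP OFFER (RFC 2131 layout) and flags one whose server identifier is not on the allow-list, or that hands out an address outside the expected range. The packets, server addresses and client MAC are constructed inline; in practice the same check would run over OFFERs captured on the segment.

```python
"""Added example: audit DHCP OFFER packets against an allow-list of DHCP servers.

Offline demo with constructed packets (RFC 2131 layout); nothing is sent.
"""
import ipaddress
import struct
from typing import Dict, List, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCPOFFER = 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def build_offer(xid: int, yiaddr: str, server_ip: str, chaddr: bytes) -> bytes:
    """Construct a minimal DHCPOFFER for the demo (not a real capture)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                                  # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,       # yiaddr: address offered to the client
        ipaddress.IPv4Address(server_ip).packed,    # siaddr
        b"\0" * 4,                                  # giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(pkt: bytes) -> Dict[str, object]:
    """Decode the fields the audit needs; raises ValueError on malformed input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):                  # TLV options after the magic cookie
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE)
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": pkt[0],
        "xid": struct.unpack("!I", pkt[4:8])[0],
        "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
        "siaddr": str(ipaddress.IPv4Address(pkt[20:24])),
        "chaddr": pkt[28:28 + hlen].hex(":"),
        "msg_type": msg_type[0] if msg_type else None,
        # Option 54 says who is offering; fall back to siaddr if it is absent.
        "server_id": (str(ipaddress.IPv4Address(server_id))
                      if server_id and len(server_id) == 4
                      else str(ipaddress.IPv4Address(pkt[20:24]))),
    }


def audit_offer(pkt: bytes, allowed_servers: Set[str], expected_net: str) -> List[str]:
    """Findings for one OFFER; an empty list means it came from a listed server
    and offered an in-range address. Non-OFFER packets yield no findings."""
    d = parse_dhcp(pkt)
    if d["op"] != BOOTREPLY or d["msg_type"] != DHCPOFFER:
        return []
    findings: List[str] = []
    if d["server_id"] not in allowed_servers:
        findings.append(f"offer from unlisted server {d['server_id']} to client {d['chaddr']}")
    if ipaddress.IPv4Address(d["yiaddr"]) not in ipaddress.ip_network(expected_net):
        findings.append(f"offered {d['yiaddr']} outside expected range {expected_net}")
    return findings


# Constructed scenario: the known server is 192.0.2.10 serving 192.0.2.0/24; a
# stray server at 10.99.0.1 answers the same DISCOVER with its own range.
ALLOWED = {"192.0.2.10"}
EXPECTED_NET = "192.0.2.0/24"
CLIENT_MAC = bytes.fromhex("001122334455")
GOOD_OFFER = build_offer(0x1A2B3C4D, "192.0.2.50", "192.0.2.10", CLIENT_MAC)
ROGUE_OFFER = build_offer(0x1A2B3C4D, "10.99.0.7", "10.99.0.1", CLIENT_MAC)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_offer(pkt, ALLOWED, EXPECTED_NET) or "ok")
```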


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-07 Thread Dave Wade
I have read all this, and it seems anything but straightforward to me.
It looks like we are going to have to invest a lot more money in
managing licenses.
 
I could also find nothing about what happens if we need to re-install
Windows. It appears we need to re-activate, and it appears as it's a new
SID it will use a second license... Anyone any pointers on this?
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: 05 December 2006 00:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


Actually, it is clearly documented, along with a lot more
information on KMS, MAK and Vista Volume Activation (btw, Volume
Licensing doesn't exist in Vista; VL and VA are not the same things).
You probably don't want to get me started on a big long explanation of
how volume activation works, so I'll just point you to this site:
http://www.microsoft.com/technet/windowsvista/plan/volact.mspx
:-)
 
I highly recommend both the FAQ and the step-by-step guide. The
latter provides information on how to change from KMS to MAK and vice
versa (there are several ways), as well as documentation of defaults,
configuration options, etc.
 
Laura
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, December 04, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS



You need to go to Control Panel > System then at the
bottom select Change Product Key. This will allow you to enter your VL
key which will result in Vista activating via the web. Definitely not
well documented unfortunately.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

 

I was testing out the RTM of Vista Enterprise last night
and noticed I didn't have to enter a key at any point during the
install. When Windows tried to activate, it told me there was a DNS
error, so I suspected it looks for a local activation server by default.
Sure enough, in the DNS cache was a lookup for a nonexistent
_vlmcs._tcp.domain.com. Upon further research, it appears Microsoft has
not released KMS yet, and I couldn't find any option to activate
directly with Microsoft. For the moment, is telephone activation the
only option?

Brian Cline, Applications Developer 
Department of Information Technology 
G&P Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.6/567 -
Release Date: 12/4/2006 7:18 AM










RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-06 Thread Dave Wade
My two cents (these could be euro cents or dollar cents). Exchange and Outlook are 
designed to work together. Despite having declared MAPI dead several times 
Microsoft continues to enhance and expand it, for example with RPC over HTTP. I 
am pretty sure you will either see reduced functionality, or face additional 
work on the clients to install add-ins if you go with a non-Exchange based 
server. That is, I support your conclusion that "getting the real thing" is the 
way to go.

As for "infrastructure" well I am not sure about the amount of resilience 
that’s needed. If you set the users up to use OST files they may be able to 
tolerate short breaks in comms on your DSL, as they will still be able to read 
existing mails, compose new mails and meetings.

Perhaps now is the time to move the query to an Exchange list, there are a 
number of them at Yahoo. Probably :-

http://groups.yahoo.com/group/exchange-2003/


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 06 December 2006 16:57
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using 
> Exchange? Tips/Suggestions/Recommedations?
> 
> Hi!
> 
> Thanks for the prompt reply...
> 
> As for "hosted" solutions, I guess that I don't much care 
> whether the backend is Exchange, SBS or whatever the hosting 
> company chooses to provide ;) From what I've seen 
> (http://www.arsys.es/aplicaciones/correo-exchange.htm,
> http://www.acens.com/seccion.web/correo/acens-exchange/678 - 
> yes, we are based in Spain - or http://www.mi8.com/ to show 
> that I'm looking
> elsewhere) basically what you get is a webbased admin panel 
> and a number of accounts that you configure... not too much 
> control but "good enough" Of course, I'd love to get 
> recommendations for other providers or to be shown that "not 
> all of them are similar" ;)
> 
> As for the lack of a server for 40+ users, well, that's not really
> true: We have an AD (2003) domain (basic setup: single 
> forest, single domain, 2 DCs) for the users, it's just that 
> the email is hosted on a external server, to avoid downtime 
> and lessen the administrative load on "network admin" (we 
> don't have a full time person for that). Also, we currently 
> have 2 main offices in Spain (connected by DSL) and people 
> working or tele-working in the US, Mexico, Colombia, Germany 
> and the UK (2/3 people on each place at most): I believe that 
> creating the infrastructure (reliability-wise) to serve all 
> those locations inhouse would be a tad expensive and (I 
> believe) not really warranted. Of course, I'd love to hear 
> opinions either way...
> 
> As for "control freak", we have an VPS so we have root on the 
> mail server; as a matter of fact the hardest point for the 
> internal acceptance of a hosted solution would probably "lack 
> of root access"
> on the email server...
> 
> I agree with you that to manage that "that many" (ok, those 
> who manage Multi-K domains, please stop laughing) users, AD 
> is a must. And, besides, we develop security software 
> that runs on top of AD, so it'd be a bit odd if we didn't use 
> our own SW ;)
> 
> In any case, I really am starting to believe that the simpler 
> thing will be to "get the real thing", so the options seem to 
> be: 1) Get an Exchange Server inhouse. But that means making 
> sure that our DSL line doesn't go down, and having the 
> bandwidth etc... 2) "House" a server on some co-lo. The comm. 
> problems disappear, but we still have to babysit the thing... 
> 3) Go for a hosted exchange provider. I've seen offers on the 
> range of ~7€/mo/user; I believe that for a limited number of 
> user (~30 ATM, possibly up to 40 in the foreseeable future) 
> that makes more sense than doing it all ourselves...
> 
> I'd really love to hear your thoughts on the matter, and also 
> if you could comment/recommend any service providers you'd 
> make my life considerably easier ;)
> 
> In any case, thanks again for reading this far and bearing 
> with my ramblings.
> 
> Happy Christmas for all ;)
> 
>   Javier Jarava
> 
> On 05/12/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
> <[EMAIL PROTECTED]> wrote:
> > Hosted SBS with Outlook 2003
> >
> > Office Live  
> > http://office.microsoft.com/en-us/outlook/HA100809831033.aspx
> > Not 2003 without a SBS box on the backend but 2007 uses 
> Office Live to 
> > share calendars.
> >
> > 40 people and you don't have a server... wow. The 
> control freak in 
> > me is freaking out.  We put SBS servers in at 5 to 10 
> people and even less.
> >
> > Shared calendars pushes the sale of many a SBS box. I 
> don't know of 
> > non-MS solutions.
> >
> >
> > Javier Jarava wrote:
> > > Hi!
> > >
> > > Sorry if this question is a bit off-topic to the list, 
> but I've seen 
> > > some Exchange-related questions here, so I know there is Exchange 
> > > expertise hanging around ;) and I didn't know where to 
> ask; p

RE: [ActiveDir] Help with topology

2006-11-14 Thread Dave Wade



Why not disable the KCC? 
 
See http://support.microsoft.com/kb/242780


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Burchett
Sent: 14 November 2006 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Help with topology


I’ll have to look up how to set the costs on the links.  That may very well solve my problem.  The part that is making Exchange so slow is the System Attendant service.  Every 2 minutes it will log Event 1042:  “Metabase Update failed to read the Configuration namespace property from the domain controller.  Error code is 80040a01.”  This goes on for a couple of hours until it finally succeeds in reading whatever it needs and the service starts.  Then, and only then, can I start the rest of the Exchange services.

I attempted to place all the branch offices in different sites and use site links to determine which of these would replicate with which, but I quickly found out that a site can only belong to one site link, and that pretty well shoots trying to make everything link back to the CO.  I did manage to find an article on Microsoft’s web site about hub and spoke topology, but it focused strictly on determining how many domain controllers you need at each location and formulas for determining how much information will be transferred compared to existing line speed.  Not one word about how you’re supposed to implement hub and spoke, or how you’re supposed to keep the KCC from completely screwing it up once you do.

Thank you for the information,

Drew Burchett
United Systems & Software
Ph:  (270)527-3293
Fax: (270)527-3132
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Tuesday, November 14, 2006 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Help with topology

Why don't you make the domain controller at the branch office with the Exchange Server a Global Catalog?  Also, why not set the cost on the links if you have not already?  You can also set the logging level higher in Exchange so you can see what's taking so long to come online.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Burchett
Sent: Monday, November 13, 2006 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Help with topology

I have a client that I’m having trouble setting up Active Directory topology for.  The layout:

1 Central office with two domain controllers, 1 Global Catalog, T1 connection
5 Branch offices with 1 domain controller and DSL or Cable connections.
1 Branch office with 1 domain controller that is also an Exchange Server, on a T1.

All the offices are connected to the central office through a VPN maintained by a Cisco PIX at each location.  They are not directly connected to each other.  When I originally set this up, I pointed all the machines to the main DNS server at the central office.  However, if the VPN or the T1 went down, they were not able to access the internet and since they use a third-party application host, this is critical for business.  To alleviate this problem, I installed DNS on each of the branch office computers.  This worked fine until Exchange 2003 was introduced into the picture.  Since all of the sites now register and replicate their DNS information, the slowest sites always end up at the top of the list of name servers.  In addition, the KCC is always attempting to create links between the Exchange server and all the other sites besides the central office.  Thus, whenever I have to restart the Exchange server, it takes several hours for it to properly start up.  I assume that this is because it is attempting to retrieve DNS information and AD information from the slowest links rather than the CO, with which it can readily communicate.  What I would like to do is set up a topology so that all the branch offices are replicating ONLY with the CO and the Exchange server will ALWAYS get its information from the CO and nowhere else.  However, first, I don’t know how to accomplish this, and second, I don’t know if this will actually solve the problem or not.  Any thoughts or suggestions on how to make this better?

Drew Burchett
United Systems & Software
Ph:  (270)527-3293
Fax: (270)527-3132
 
-- 
CONFIDENTIALITY NOTICE: This e-mail message, including 
any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, 
disclosure or distribution is prohibited. If you are not the intended recipient, 
please contact the sender by reply e-mail and destroy all copies of the original 
message. 
-- This message has been scanned for viruses and 
dangerous content by MailScanner, and is believed to be clean. 
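The hub-and-spoke that Drew is after, built the way Nathaniel's "cost on the links" and Dave's KCC pointer suggest, as an added example that is not part of this thread. It uses the ActiveDirectory module cmdlets of later Windows versions (RSAT on a 2008 R2 or newer domain controller); the site names, link cost and replication interval are assumed. Each spoke gets its own site link containing only the hub and that branch (the hub site is a member of every link), the branches are taken out of DEFAULTIPSITELINK, and automatic site-link bridging is switched off so the KCC cannot route branch to branch. The last, commented-out step is the inter-site KCC switch that KB 242780 describes; with per-spoke links and no bridging it is normally not needed.

```powershell
# Added example (not from the thread): hub-and-spoke replication topology.
# Assumptions: site names, cost and interval below; ActiveDirectory module present.
Import-Module ActiveDirectory

$hub      = 'CentralOffice'                                  # assumed site name
$spokes   = 'Branch1', 'Branch2', 'Branch3', 'Branch4', 'Branch5', 'BranchExchange'
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. One site link per spoke, containing only the hub and that branch, so the
#    only inter-site path the KCC can find for a branch is hub <-> branch.
foreach ($spoke in $spokes) {
    $linkName = "$hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $hub, $spoke `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}

# 2. Remove the branches from DEFAULTIPSITELINK; while they sit there together it
#    offers a branch-to-branch path. Leaving the hub in it is harmless.
$default = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Properties SitesIncluded
$stale = $default.SitesIncluded | Where-Object {
    $dn = $_
    $spokes | Where-Object { $dn -like "CN=$_,*" }
}
if ($stale) {
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = $stale }
}

# 3. Turn off "Bridge all site links" on the IP transport (options bit 0x2,
#    NTDSTRANSPORT_OPT_BRIDGES_REQUIRED). With bridging on, every link is treated
#    as transitive and the branch-to-branch routes come straight back.
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$newOptions  = ([int]$ipTransport.options) -bor 0x2
Set-ADObject -Identity $ipTransport -Replace @{ options = $newOptions }

# 4. Verify: every connection object the KCC builds into the Exchange site should
#    now originate from a DC in the hub site.
$exchangeSite = $spokes[-1]
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer -like "*CN=$exchangeSite,CN=Sites,*" } |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

# 5. Only if the above is not enough: the switch from KB 242780 that stops the KCC
#    generating inter-site connections for one site (options bit 0x10 on that site's
#    NTDS Site Settings). Afterwards you maintain that site's inter-site connection
#    objects by hand, so prefer steps 1-3 and keep this in reserve.
# $siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$exchangeSite,CN=Sites,$configNC" -Properties options
# Set-ADObject -Identity $siteSettings -Replace @{ options = (([int]$siteSettings.options) -bor 0x10) }
```

Run `repadmin /kcc` on the hub DCs after the change, then re-run step 4; if a branch-to-branch connection object survives it was created manually and is not owned by the KCC, so remove it explicitly.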

RE: [ActiveDir] how to access blocked site.

2006-11-13 Thread Dave Wade
I'm with Sue on this one. Attempting to bypass the proxy is attempting
to subvert the security systems. In our policy this is a dismissible
offence, regardless of having accessed any restricted sites.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 13 November 2006 16:29
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] how to access blocked site.

He's on the Internet isn't he?  If he infects/nails his firm, his firm
in turn could be a bot that attacks us all, right?

We're truly all on the same 'party line' here.  We all share the
Internet, so yeah... we all have the responsibility of doing what we can
to keep the bad guys from turning us into bad guys.

Ramon Linan wrote:
> LOL, Susan does he really work in your office? 
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, November 13, 2006 9:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] how to access blocked site.
>
> As an admin here
>
> You do know I could fire your assets if you do this at my office?
>
> You are introducing risks that as an employee, you don't have the 
> right to do at a firm.  There's a reason us annoying admins block this
stuff.
>
> Introduce risks at home please, and not on my watch, okay?
>
> Ajay Kumar wrote:
>   
>> Hi all,
>>
>>  
>>
>> It could be wrong question but I want to know
>>
>> about how to access the restricted or blocked site, which is access 
>> denied from office.
>>
> >> I know some tools work like K-PROXY, but it works on some internet
>> 
> site.
>   
>> So please suggest me how to access blocked site.
>>
>> which can work well.
>>  
>>  
>> Thanks & Regards,
>> Ajay pardeshi
>> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/
>
>   

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs




**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this 
email,  or any response to it,  under the Freedom of Information Act 2000, 
unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via 
[EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**



RE: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

2006-11-09 Thread Dave Wade



Let's swap these round. Windows Scripting Host is an environment in 
which scripts can run. Windows Scripting Host provides services that scripts 
written in a variety of languages can access. Microsoft 
provides VBScript and JScript. I seem to recall seeing that REXX was 
available for download. VBScript is a language that can run in a variety of 
environments including IE client side, IE server side as well as WSH. Note there 
is also WMI (Windows Management Interface) which allows you to control 
management stuff from WSH scripts. With XP/2003 and later there are also many 
non-script command line tools which can be used in traditional batch files, e.g. 
NETSH, NETDOM, DSQUERY/DSMOVE/... etc.
 
If you are going to use WSH to do administrative tasks and you 
like a tutorial approach then I really like Alain Lissoir's books which you can 
buy, or you can download the exciting bits from:- 
 
http://users.skynet.be/alain.lissoir/default.html
 
Hope this is not too much information 
overload,
 
Dave Wade
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: 09 November 2006 15:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

Hello everyone.  After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script.  I have no experience in scripting, but would like to know what books you recommend as a beginner's book on scripting.  Also, I don't really know the difference between WSH and VBScript, so if anyone could explain that, I'd appreciate it.  After browsing through Amazon, I saw several books on WSH and VBScript, but don't know where I should focus.  I'm also open to computer based training (CBT) videos if any exist.  Thanks in advance.





RE: [ActiveDir] quota issues

2006-10-25 Thread Dave Wade
It's not to do with "SIZE ON DISK" against "amount of data"? For small files on 
a large disk the overhead per file on 4k clusters will be on average 2k. If 
there are a lot of files of 5K, the overhead will typically be 3k per file. Not 
sure if quota counts actual data or clusters...
 



From: Antonio Aranda [mailto:[EMAIL PROTECTED] 
Sent: 25 October 2006 15:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

 

There seems to be mostly small files; 5 to 7 K.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Tuesday, October 24, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

 

I guess he is probably trying to write or copy a file which is quite big, maybe 
more than 200Mb in size. Please tell him to write a smaller file on the file 
system where he is already using 300MB. 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, October 24, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] quota issues

 

I'm having weird quota issues.  I have a partition that has the default quota 
set to 500 MB.  There are a good hundred users that write to that partition 
but only one is having this issue; he keeps running out of quota even though he 
has only written about 300 MB to his subdirectory.  He can only write to that 
subdirectory so why is he running out of space?

 

Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413 
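A way to test Dave's "size on disk" theory against the user's directory, as an added example that is not from this thread. It rounds every file up to whole clusters and reports logical bytes, allocated bytes and the slack between them; the 4 KB cluster size is an assumption (read the real value from `Get-Volume`'s AllocationUnitSize or `fsutil fsinfo ntfsinfo`), and files small enough for NTFS to keep inside the MFT record occupy no clusters at all, so the allocated figure is an upper bound. The constructed case at the end is Antonio's numbers: 300 MB written as 5 KB files.

```powershell
# Added example (not from the thread): logical size vs cluster-rounded size on disk.
# Assumptions: 4 KB clusters; MFT-resident tiny files ignored (allocated is an upper bound).

function Get-ClusterUsage {
    param(
        [long[]] $Sizes = @(),          # logical file sizes in bytes
        [int]    $ClusterSize = 4096
    )
    $logical = 0L; $allocated = 0L
    foreach ($len in $Sizes) {
        $logical   += $len
        # a file occupies whole clusters, so each size rounds up to the next cluster boundary
        $allocated += [long][math]::Ceiling($len / $ClusterSize) * $ClusterSize
    }
    $n = if ($Sizes) { $Sizes.Count } else { 0 }
    [pscustomobject]@{
        Files       = $n
        LogicalMB   = [math]::Round($logical / 1MB, 1)
        AllocatedMB = [math]::Round($allocated / 1MB, 1)
        SlackMB     = [math]::Round(($allocated - $logical) / 1MB, 1)
        AvgSlackKB  = if ($n) { [math]::Round(($allocated - $logical) / $n / 1KB, 2) } else { 0 }
    }
}

function Measure-SizeOnDisk {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $ClusterSize = 4096
    )
    $sizes = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Length
    Get-ClusterUsage -Sizes ([long[]]$sizes) -ClusterSize $ClusterSize
}

# Constructed case matching the thread: 61,440 files x 5 KB = 300 MB logical.
# Each 5 KB file rounds up to 8 KB, so ~480 MB allocated and 3 KB slack per file,
# which is the per-file overhead Dave quotes and already close to a 500 MB quota.
$sample = [long[]]::new(61440)
for ($i = 0; $i -lt $sample.Length; $i++) { $sample[$i] = 5KB }
Get-ClusterUsage -Sizes $sample

# Against the user's actual subdirectory (path assumed):
# Measure-SizeOnDisk -Path 'D:\Users\someuser' -ClusterSize 4096
```

`fsutil quota query <volume>` lists what the quota system has charged to each account; comparing that figure with LogicalMB and AllocatedMB for the same tree shows which of the two the quota is actually counting on that volume.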

 



*
This email is intended only for the addressee named above. As this email may 
contain confidential or privileged information, if you are not the named 
addressee or receive this message in error, please notify us immediately, 
delete it and do not make use of or copy it.

This message is protected by copyright. HML accepts no responsibility for 
viruses found in this message or any file attachment.

Homeloan Management Limited
Registered in England No. 2214839
1 Providence Place, Skipton, North Yorkshire BD23 2HL

**




RE: [ActiveDir] Apply a Group Policy to all but one user

2006-10-19 Thread Dave Wade
IMHO bosses should be included to protect them from their own silliness. Why 
not give him a privileged account? You could also use permissions on the GPO but 
that gets to be a real mess.



From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 19/10/2006 22:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Apply a Group Policy to all but one user


I have 8 users in an OU (including my boss). I need to apply a group policy to 
that OU but leave out my boss.

How can I filter that user without moving him out of the OU?
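The "permissions on the GPO" route Dave mentions, done with security filtering so the user stays in the OU, as an added example that is not from this thread. It needs the GroupPolicy and ActiveDirectory modules (RSAT); the OU, GPO, group and user names are assumed. Instead of a Deny entry for the one user, the GPO is applied only to a group that holds everyone else, which is easier to read back later and avoids the trap of a Deny winning over every Allow.

```powershell
# Added example (not from the thread): apply a GPO to an OU's users except one.
# Assumptions: names below; GroupPolicy + ActiveDirectory modules available.
Import-Module ActiveDirectory, GroupPolicy

$ouDN    = 'OU=Sales,DC=example,DC=com'      # assumed
$gpoName = 'Sales Desktop Lockdown'          # assumed
$exclude = 'boss.user'                       # assumed sAMAccountName to leave out
$group   = 'GPO-Apply-SalesDesktopLockdown'  # assumed filtering group

# 1. A security group that holds every user in the OU except the excluded one.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDN
}
$members = Get-ADUser -SearchBase $ouDN -SearchScope OneLevel -Filter * |
    Where-Object { $_.SamAccountName -ne $exclude }
if ($members) { Add-ADGroupMember -Identity $group -Members $members }

# 2. Link the GPO to the OU if it is not linked already.
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDN | Out-Null }

# 3. Security filtering: Authenticated Users keeps Read only (the workstation's
#    computer account must still be able to read the GPO), the filtering group
#    gets Read + Apply, and nobody else applies it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Read it back: the only trustee with Apply should be the group, and the
#    excluded user must not be a member of it.
Get-GPPermission -Name $gpoName -All | Where-Object { $_.Permission -eq 'GpoApply' }
Get-ADGroupMember -Identity $group | Where-Object { $_.SamAccountName -eq $exclude }   # expect no output
```

Group membership is a snapshot: a user created in the OU next month is not in the group and will not get the policy until someone adds them, so re-run step 1 (or schedule it) whenever the OU changes. `gpresult /r` run as one of the filtered users confirms the GPO is applied, and run as the excluded user shows it under "filtered out" with the reason "Access Denied (Security Filtering)".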




RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-29 Thread Dave Wade



I know it's over a week since I sent this, but on thinking it's 
probably worth expanding on this. The OU structure is in place to provide two 
functions:-
 
1) Delegation of management and 
administration.
2) Application of Group Policy 
 
Now because the OU structure is the "ONLY" way to provide delegated admin, that needs to be the 
"Primary" driver when designing the OU structure. 
 
So if you want different people managing computers and 
users, and, like me, you like to keep the user and computer policies separate, it 
makes sense to have Computers and Users in separate OU trees. Because you can't 
apply a GPO to the "Users" and "Computers" containers it also makes sense not to 
use these OUs.
 
On the other hand if you have a very devolved management 
structure, and you are happy with devolved management of the users and 
computers, then it might make sense to have an OU tree where the top levels 
represent management units and you store both computers and users in these 
trees.
 
Personally I don't like this approach, but for some organization 
structures it may be  better...
 
Dave.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 23 September 2006 20:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Assign User rights overs computers with AD


I usually move them out as 
you can't apply GPO at the "computers" level...


From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Fri 22/09/2006 22:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD
Hey Dave. Do you mean separate trees under root "computers"? or Create 
different OU's for computers?
On 9/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

Separate "Trees"? That seems a little excessive.  Or are we just mixing terms?

On 9/21/06, Dave Wade <[EMAIL PROTECTED]> wrote:

I prefer to keep them in separate trees. In fact we are just doing that at present...

From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Thanks for your help. really useful.

Is it a good practice to move computer objects to OU where the user of the computer resides?

On 9/20/06, Dave Wade <[EMAIL PROTECTED]> wrote:

Alberto,

   Even though we made our users "PowerUsers" we found that we needed to make a number of "tweaks" to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to cater for applications that write to places on the "C" drive (other than the windows folders, of course) where applications should not write. We also refreshed permissions on the "all users" profile to make sure users don't delete items from the "all users" desktop or start-menu.

I guess the last thing to note is that we rolled the policy out in manageable chunks of PCs, say 100 at a time, so if there were issues we could cope with the service calls,

Hope this is useful,
Dave.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

You can, but I've yet to see it be so simple.  The information you're looking for is "restricted groups" but I HIGHLY advise you to be careful and to TEST that prior to using it on your workstations.  I also highly advise that you only apply that type of setting to workstations and not on servers (separate them into different OU's).

Another way to do this is with a logon script that adds an account to the local administrators group and removes the user from that group.

The testing is a way to ensure that you don't break applications on the workstations.  Some of the more poorly written applications require special access and as a default prefer administrative access rights. They work poorly without them.  You'll want to test thoroughly so that you can remove the unneeded rights and still allow your user community to work as expected.

I'm sure there's more cautions I can suggest, but you get the idea.

On 9/20/06, Alberto Oviedo <[EMAIL PROTECTED]> wrote:

Hello. My name is Alberto, I'm from Nicaragua

In our company the support team

RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-23 Thread Dave Wade
I usually move them out as you can't apply GPO at the "computers" level...



From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Fri 22/09/2006 22:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD


Hey Dave. Do you mean separate trees under root "computers"? or Create 
different OU's for computers?


On 9/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote: 

Separate "Trees"? That seems a little excessive.  Or are we just mixing 
terms? 



On 9/21/06, Dave Wade <[EMAIL PROTECTED]> wrote: 

I prefer to keep them in separate trees. In fact we are just 
doing that at present... 



From: [EMAIL PROTECTED] on behalf of Alberto Oviedo 
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers 
with AD


Thanks for your help. really useful.

Is it a good practice to move computer objects to OU where the 
user of the computer resides? 
    

On 9/20/06, Dave Wade <[EMAIL PROTECTED]> wrote:

Alberto,

   Even though we made our users "PowerUsers" we found 
that we needed to make a number of "tweaks" to cater for poorly written 
applications. I think we now have about a dozen settings for various 
ill-behaved applications. The majority of these are to cater for applications 
that write to places on the "C" drive (other than the windows folders, of 
course) where applications should not write. We also refreshed permissions on 
the "all users" profile to make sure users don't delete items from the "all 
users" desktop or start-menu. 

I guess the last thing to note is that we rolled the 
policy out in manageable chunks of PCs, say 100 at a time, so if there were 
issues we could cope with the service calls,

Hope this is useful, 
Dave.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD 



You can, but I've yet to see it be so simple.  The 
information you're looking for is "restricted groups" but I HIGHLY advise you 
to be careful and to TEST that prior to using it on your workstations.  I also 
highly advise that you only apply that type of setting to workstations and not 
on servers (separate them into different OU's). 

Another way to do this is with a logon script that adds 
an account to the local administrators group and removes the user from that 
group.

The testing is a way to ensure that you don't break 
applications on the workstations.  Some of the more poorly written applications 
require special access and as a default prefer administrative access rights. 
They work poorly without them.  You'll want to test thoroughly so that you can 
remove the unneeded rights and still allow your user community to work as 
expected. 

I'm sure there's more cautions I can suggest, but you 
get the idea.


On 9/20/06, Alberto Oviedo <[EMAIL PROTECTED]> wrote:

Hello. My name is Alberto, I'm from Nicaragua

In our company the support team has granted 
every user administrator rights over their workstation. We recently migrated to 
Windows 2003 AD and I want to revoke the privileges that users have on their 
computers. Can I do this through AD?   It's around 300 users and I don't want 
to visit every single one of them. 

Thanks for your help.







RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-21 Thread Dave Wade
I prefer to keep them in separate trees. In fact we are just doing that at 
present...



From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD


Thanks for your help. really useful.

Is it a good practice to move computer objects to OU where the user of the 
computer resides?


On 9/20/06, Dave Wade <[EMAIL PROTECTED]> wrote: 

Alberto,
 
   Even though we made our users "PowerUsers" we found that we needed 
to make a number of "tweaks" to cater for poorly written applications. I think 
we now have about a dozen settings for various ill-behaved applications. The 
majority of these are to cater for applications that write to places on the "C" 
drive (other than the windows folders, of course) where applications should not 
write. We also refreshed permissions on the "all users" profile to make sure 
users don't delete items from the "all users" desktop or start-menu.
 
I guess the last thing to note is that we rolled the policy out in 
manageable chunks of PCs, say 100 at a time, so if there were issues we could 
cope with the service calls,
 
Hope this is useful,
Dave.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al 
Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD 



You can, but I've yet to see it be so simple.  The information you're 
looking for is "restricted groups" but I HIGHLY advise you to be careful and to 
TEST that prior to using it on your workstations.  I also highly advise that 
you only apply that type of setting to workstations and not on servers 
(separate them into different OU's). 

Another way to do this is with a logon script that adds an account to 
the local administrators group and removes the user from that group.  

The testing is a way to ensure that you don't break applications on the 
workstations.  Some of the more poorly written applications require special 
access and as a default prefer administrative access rights. They work poorly 
without them.  You'll want to test thoroughly so that you can remove the 
unneeded rights and still allow your user community to work as expected. 

I'm sure there's more cautions I can suggest, but you get the idea. 


On 9/20/06, Alberto Oviedo <[EMAIL PROTECTED] > wrote: 

Hello. My name is Alberto, I'm from Nicaragua

In our company the support team has granted every user 
administrator rights over their workstation. We recently migrated to Windows 
2003 AD and I want to revoke the privileges that users have on their computers. 
Can I do this through AD?   It's around 300 users and I don't want to visit 
every single one of them. 

Thanks for your help.






RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Dave Wade



Alberto,
 
   Even though we made our users "PowerUsers" we found 
that we needed to make a number of "tweaks" to cater for poorly written 
applications. I think we now have about a dozen settings for various ill-behaved 
applications. The majority of these are to cater for applications that write to 
places on the "C" drive (other than the windows folders, of course) where applications should not write. We also refreshed permissions on the "all users" 
profile to make sure users don't delete items from the "all users" desktop or 
start-menu.
 
I guess the last thing to note is that we rolled the policy out in manageable chunks of PCs, say 100 at a time, so if there were 
issues we could cope with the service calls,
 
Hope this is useful,
Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

You can, but I've yet to see it be so simple.  The information you're looking for is "restricted groups" but I HIGHLY advise you to be careful and to TEST that prior to using it on your workstations.  I also highly advise that you only apply that type of setting to workstations and not on servers (separate them into different OU's).

Another way to do this is with a logon script that adds an account to the local administrators group and removes the user from that group.

The testing is a way to ensure that you don't break applications on the workstations.  Some of the more poorly written applications require special access and as a default prefer administrative access rights. They work poorly without them.  You'll want to test thoroughly so that you can remove the unneeded rights and still allow your user community to work as expected.

I'm sure there's more cautions I can suggest, but you get the idea. 

On 9/20/06, Alberto Oviedo <[EMAIL PROTECTED]> wrote:

Hello. My name is Alberto, I'm from Nicaragua

In our company the support team has granted every user administrator rights over their workstation. We recently migrated to Windows 2003 AD and I want to revoke the privileges that users have on their computers. Can I do this through AD?   It's around 300 users and I don't want to visit every single one of them.

Thanks for your help.
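Alberto's 300 workstations, handled the way Dave describes (in manageable batches, so the service desk can keep up), as an added example that is not from this thread. It first inventories the local Administrators group on each workstation in an OU and writes a CSV, then removes every member that does not match an allow-list; the OU, domain name, allow-list patterns and batch size are assumed, and it relies on PowerShell remoting to the workstations and the LocalAccounts cmdlets (Windows 10 / Server 2016 and later) being present on them. Run it with `-DryRun` first and read the CSV before doing a batch for real; Al's "restricted groups" policy is the way to keep the group clean afterwards, while this script is for the one-time clean-up and for auditing that the policy holds.

```powershell
# Added example (not from the thread): audit, then trim, local Administrators on
# workstations in batches. Assumptions: OU, domain and patterns below; WinRM enabled.
Import-Module ActiveDirectory

$workstationOU = 'OU=Workstations,DC=example,DC=com'                                 # assumed
$allowed       = '*\Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\Desktop Support' # assumed -like patterns
$batchSize     = 100
$batchIndex    = 0      # run again with 1, 2, ... once the previous batch has settled

function Get-LocalAdminReport {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    # One row per member per machine; unreachable machines are skipped, not fatal.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
}

function Remove-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $AllowedPatterns,
        [switch] $DryRun
    )
    $dry = [bool]$DryRun
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
            # Names come back as MACHINE\user or DOMAIN\group, hence the wildcard patterns.
            $keep = $false
            foreach ($p in $using:AllowedPatterns) { if ($m.Name -like $p) { $keep = $true; break } }
            if ($keep) { continue }
            if ($using:dry) {
                "[dry-run] $env:COMPUTERNAME would remove $($m.Name)"
            } else {
                Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
                "$env:COMPUTERNAME removed $($m.Name)"
            }
        }
    }
}

# Pick this run's batch of workstations from the OU, in a stable order.
$computers = Get-ADComputer -SearchBase $workstationOU -Filter * |
    Select-Object -ExpandProperty Name | Sort-Object
$batch = @($computers | Select-Object -Skip ($batchIndex * $batchSize) -First $batchSize)
if ($batch.Count -eq 0) { throw "Batch $batchIndex is empty; all workstations in the OU have been done." }

Get-LocalAdminReport -ComputerName $batch |
    Export-Csv -Path "localadmins-batch$batchIndex.csv" -NoTypeInformation
Remove-UnapprovedLocalAdmins -ComputerName $batch -AllowedPatterns $allowed -DryRun   # drop -DryRun for the real run
```

The CSV from the audit pass is also the list of applications to test, since any user who was made a local administrator for a specific program will show up there; keeping the report per batch gives you a record of what each workstation looked like before the rights were removed.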





RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-18 Thread Dave Wade
Actually "Vista" is supposed to make things better. It provides "partial 
re-direction" for system folders and registry so applications "think" they are 
writing to system areas, when in fact they are not. I am not sure how well this 
will work in practise, as I have not tried it.



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks 
[MVP]
Sent: Mon 18/09/2006 19:56
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware



"We" need to ask the vendor to step up to the plate.  (have I said I'm
big at tilting at windmills?).

"We" made Microsoft care about security it's the rest of our vendors
turn now.

Because Vista is more locked down...it will make it worse for the
vendors... better for us is what I meant.

Crawford, Scott wrote:
> We have to let them though because in many cases there are no
> alternatives and there are not enough alternatives because nobody is
> even asking for them.  Case in point is the Dept. of Ed. software I
> mentioned below.  There's not a big market for alternate free DoE
> software.  We're effectively mandated by law to make our systems
> insecure.
>
> I'm not sure why you think Vista will make things worse.  Things are
> already an awful mess, so I don't see how they could get worse.  On the
> contrary, I think Vista, with its alternate default user perms will
> start to generate some outcry from other, less clueful users to the
> vendors.  In any case, the virtualized file/registry writes will make
> tweaking perms less necessary.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, September 18, 2006 10:20 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware
>
> If the vendor supported the "Designed for Windows XP" logo they would
> support non admin.
>
> The reality is that these vendors can code in a Win98 world because "we"
>
> the buying public do not care.  As long as we don't care they can
> continue to code exactly the way they are now.
>
> When Vista arrives the problem will only get worse.
>
> "We" as the buying public need to let the vendors know that this is no
> longer acceptable.
>
> Crawford, Scott wrote:
>>
>> I would rephrase that as "The ONLY problem with tweaking permissions
>> is that I have to do it at all."  Implicit in that is that the time I
>> spend - any time at all - is time I shouldn't have to spend, and would
>> rather spend fixing my problems instead of xyz vendor's.  It can also be
>> inferred that modifying the system beyond what the vendor expects will,
>> by definition, almost always put you in an unsupported state.  If it was
>> supported, they might as well add the tweaks to their install routine.
>>
>> If you can reproduce the problem when running as an administrator, you
>> should be able to get support.  If you can't, then the program is
>> crashing on an access denied, and further tweaks are needed.
>>
>> One tip that might help you is to run Regmon while installing the
>> program and add perms to any key created by the program.  We have some
>> software from the Dept. of Ed. that expects access to somewhere around
>> 50 HKCR Class keys.  As the program runs, it tries to modify values in
>> these keys one-at-a-time.  If it fails, the program exits.  It started
>> to get really tedious running Regmon, start the program, crash, find
>> Access Denied in Regmon, modify perm, repeat 50 times.  Preemptively
>> giving rights to the keys was much faster.
>>
>>
>> From: [EMAIL PROTECTED] on behalf of Steve Rochford
>> Sent: Mon 9/18/2006 4:56 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
>>
>>
>>
>> One of the problems with tweaking permissions etc is that it can take a
>> long time to get it right and you leave yourself in an unsupported
>> position. As an example, we use a package called QL (from Distinction
>> Systems Limited) for student records. We were told by their helpdesk
>> that in order to get parts of it to work it needed local admin access. I
>> tried to use regmon/filemon to get round this but only had limited
>> success and it doesn't fail gracefully if it can't get the access it
>> needs but just collapses in a heap and needs reinstalling. The company
>> was uninterested in fixing the problem and basically said that if you
>> don't run it as admin then you don't get support.
>>
>> Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
>> Sent: 15 September 2006 21:33
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
>>
>> "Has" = The user running the program needs to be a member of Power
>>
> 

RE: [ActiveDir] Ad Reporting Tools

2006-09-18 Thread Dave Wade

(the start of the script is missing from the archived message; the fragment continues:)

r\" -f $filter -c 2>&1";
    ($objcount)=((grep(/Objects returned/,`$cmd`))[0]=~/(\d+)/);
  }
  print "\"$container\",\"$containername\",\"$approxobjs\",\"$objcount\"\n";
}
 
 
Here are some sample runs so you can get an understanding of the output.

All computers in domain

F:\DEV\Perl\objsum>objsum.pl -default (objectcategory=computer)
 
ObjSum V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  January 2004

"dn","name","Aprox Child Obj Count","(objectcategory=computer) count"
"CN=Users,DC=test,DC=loc","Users","23","0"
"CN=Computers,DC=test,DC=loc","Computers","9","9"
"CN=ForeignSecurityPrincipals,DC=test,DC=loc","ForeignSecurityPrincipals","4","0"
"OU=Domain Controllers,DC=test,DC=loc","Domain Controllers","2","2"
"OU=Users,OU=My,DC=test,DC=loc","Users","2","0"
"OU=My,DC=test,DC=loc","My","3","0"
"OU=Groups,OU=My,DC=test,DC=loc","Groups","0","0"
"OU=TestOU,DC=test,DC=loc","TestOU","3","0"
"OU=Groups,OU=TestOU,DC=test,DC=loc","Groups","6","0"
"OU=Email,OU=My,DC=test,DC=loc","Email","1","0"
"OU=Users,OU=TestOU,DC=test,DC=loc","Users","10","0"
"OU=Outlook,OU=TestOU,DC=test,DC=loc","Outlook","0","0"
 
 
All disabled users in domain

F:\DEV\Perl\objsum>objsum.pl -default "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)"
 
ObjSum V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  January 2004

"dn","name","Aprox Child Obj Count","&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2) count"
"CN=Users,DC=test,DC=loc","Users","23","2"
"CN=Computers,DC=test,DC=loc","Computers","9","0"
"CN=ForeignSecurityPrincipals,DC=test,DC=loc","ForeignSecurityPrincipals","4","0"
"OU=Domain Controllers,DC=test,DC=loc","Domain Controllers","2","0"
"OU=Users,OU=My,DC=test,DC=loc","Users","2","0"
"OU=My,DC=test,DC=loc","My","3","0"
"OU=Groups,OU=My,DC=test,DC=loc","Groups","0","0"
"OU=TestOU,DC=test,DC=loc","TestOU","3","1"
"OU=Groups,OU=TestOU,DC=test,DC=loc","Groups","6","0"
"OU=Email,OU=My,DC=test,DC=loc","Email","1","0"
"OU=Users,OU=TestOU,DC=test,DC=loc","Users","10","1"
"OU=Outlook,OU=TestOU,DC=test,DC=loc","Outlook","0","0"

All disabled computers in the computers container (and any sub containers)

F:\DEV\Perl\objsum>objsum.pl cn=computers,dc=test,dc=loc "&(objectcategory=computer)(useraccountcontrol:AND:=2)"
 
ObjSum V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  January 2004

"dn","name","Aprox Child Obj Count","&(objectcategory=computer)(useraccountcontrol:AND:=2) count"
"CN=Computers,DC=test,DC=loc","Computers","9","1"
 

All enabled computers in the computers container (and any sub containers)

F:\DEV\Perl\objsum>objsum.pl cn=computers,dc=test,dc=loc "&(objectcategory=computer)(!useraccountcontrol:AND:=2)"
 
ObjSum V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  January 2004

"dn","name","Aprox Child Obj Count","&(objectcategory=computer)(!useraccountcontrol:AND:=2) count"
"CN=Computers,DC=test,DC=loc","Computers","9","8"
 
 
 
One thing I need to specifically point out is the Approx Child Obj Count. This
leverages an attribute that is in Windows Server 2003 AD and ADAM that not many
people are aware of called msDS-Approx-Immed-Subordinates. That is a
constructed attribute that gives you exactly what it says... an APPROXIMATE
number of child objects in the container. This number WILL be off at times from
the actual count. It is to give you rough estimates of how many objects will be
in a container to help clue you in for other queries or when populating a GUI
for instance. If you know you have ~45,000 objects in a container, there is a
good chance you will handle it differently than one with 10 objects. I use it
here because I find it to

RE: [ActiveDir] Ad Reporting Tools

2006-09-18 Thread Dave Wade



Joe,
 What about adding a "-summary" flag to "oldcmp" so you can see how many
(disabled) PCs you have in any part of the OU tree? Might also be nice to have
an "-onlyactive" rather than "all" or "disabled"... "Managers" often want
"numbers".
Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 September 2006 14:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ad Reporting Tools

What features, etc are you looking for that you would 
consider better?
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, September 18, 2006 6:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ad Reporting Tools

Folks,
 
  I am struggling with a fairly simple request. We would like a simple report
that lists how many PCs there are in each OU into an Excel spreadsheet. Well, I
have managed to do this with CSVDE and the summary report in Excel. Is there a
better (low cost) solution?
 
 
Dave Wade
E-Services
0161 474 5456
 
**This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed. As a
public body, the Council may be required to disclose this email, or any response
to it, under the Freedom of Information Act 2000, unless the information in it
is covered by one of the exemptions in the Act. If you receive this email in
error please notify Stockport e-Services via [EMAIL PROTECTED] and then
permanently remove it from your system. Thank you. http://www.stockport.gov.uk**


RE: [ActiveDir] Ad Reporting Tools

2006-09-18 Thread Dave Wade



Folks,
 Thanks for the odd tips. As time was pressing I took the output from CSVDE and
fed it into a small "C" program that produces the summaries I need. The thing
that was giving me the issues was that I wanted a count. We have both Hyena and
Ideal, and they will also produce reports listing PCs like CSVDE, but I couldn't
get a breakdown by OU quickly from any...
Dave.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: 18 September 2006 13:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ad Reporting Tools

I will say that you could use Hyena, it is pretty good with reports and not
too expensive.
But of course it would be way more cool if you create your own tools with
scripting, ADSI or CDO.
 
good luck
 
Ramon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, September 18, 2006 6:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ad Reporting Tools

Folks,
 
  I am struggling with a fairly simple request. We would like a simple report
that lists how many PCs there are in each OU into an Excel spreadsheet. Well, I
have managed to do this with CSVDE and the summary report in Excel. Is there a
better (low cost) solution?
 
 
Dave Wade
E-Services
0161 474 5456
 

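The per-OU count Dave describes (CSVDE output fed into a small program that produces the summaries), together with the enabled/disabled split that the objsum runs above express with useraccountcontrol:AND:=2, as an added Python example that is not code from this thread, from objsum, or from Dave's C program. It parses a constructed CSVDE-style export (column names and rows are assumptions), tests the ACCOUNTDISABLE bit (0x2) of userAccountControl, and can roll counts up into parent OUs the way objsum's "and any sub containers" runs do.

```python
"""Per-OU computer summary from a CSVDE export.

Added example; not code from this thread, from objsum, or from Dave's C
program.  Assumes an export of the shape produced by something like
    csvde -f computers.csv -r "(objectCategory=computer)" -l DN,objectClass,userAccountControl
(column names as CSVDE writes them; the rows below are constructed, not real).
If the export was written with -u (Unicode), open the file with encoding="utf-16".
"""
import csv
import io
from collections import defaultdict

# userAccountControl bit 0x2 = ACCOUNTDISABLE: the bit the objsum filters test
# with useraccountcontrol:AND:=2 (the LDAP bitwise-AND matching rule).
ACCOUNTDISABLE = 0x2

# Constructed sample export (header row first, as CSVDE writes it).  It includes
# a disabled workstation, a DC, an object whose userAccountControl is missing,
# and a CN containing an LDAP-escaped comma.
SAMPLE_CSVDE = r'''DN,objectClass,userAccountControl
"CN=PC001,OU=Users,OU=My,DC=test,DC=loc",computer,4096
"CN=PC002,OU=Users,OU=My,DC=test,DC=loc",computer,4098
"CN=PC005\, Lab,OU=Users,OU=My,DC=test,DC=loc",computer,4096
"CN=PC003,CN=Computers,DC=test,DC=loc",computer,4096
"CN=DC1,OU=Domain Controllers,DC=test,DC=loc",computer,532480
"CN=LAPTOP01,OU=Users,OU=TestOU,DC=test,DC=loc",computer,4098
"CN=PC004,OU=Users,OU=TestOU,DC=test,DC=loc",computer,
'''


def split_dn(dn):
    """Split a DN into its RDNs on unescaped commas ('\\,' stays inside the RDN)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def containers_of(dn, rollup=False):
    """Containers an object is counted under: its parent only, or (rollup)
    its parent and every ancestor OU/container up to the domain head."""
    rdns = split_dn(dn)[1:]                     # drop the object's own RDN
    found = []
    while rdns and not rdns[0].upper().startswith("DC="):
        found.append(",".join(rdns))
        if not rollup:
            break
        rdns = rdns[1:]
    return found


def summarise(csvde_text, rollup=False):
    """Map container DN -> {total, enabled, disabled, unknown}.
    'unknown' counts rows whose userAccountControl column is empty."""
    counts = defaultdict(lambda: {"total": 0, "enabled": 0, "disabled": 0, "unknown": 0})
    for row in csv.DictReader(io.StringIO(csvde_text)):
        dn = (row.get("DN") or "").strip()
        if not dn:
            continue
        uac = (row.get("userAccountControl") or "").strip()
        if uac.isdigit():
            state = "disabled" if int(uac) & ACCOUNTDISABLE else "enabled"
        else:
            state = "unknown"
        for container in containers_of(dn, rollup):
            counts[container]["total"] += 1
            counts[container][state] += 1
    return dict(counts)


def to_report_lines(counts):
    """Quoted-CSV lines in the style of objsum's output, sorted by DN."""
    lines = ['"dn","name","total","enabled","disabled","unknown"']
    for dn in sorted(counts):
        name = split_dn(dn)[0].split("=", 1)[1]   # RDN value, e.g. "Domain Controllers"
        c = counts[dn]
        lines.append('"%s","%s","%d","%d","%d","%d"'
                     % (dn, name, c["total"], c["enabled"], c["disabled"], c["unknown"]))
    return lines


if __name__ == "__main__":
    # Subtree counts, like objsum's "(and any sub containers)" runs.
    for line in to_report_lines(summarise(SAMPLE_CSVDE, rollup=True)):
        print(line)
```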

[ActiveDir] Ad Reporting Tools

2006-09-18 Thread Dave Wade



Folks,
 
  I am struggling with a fairly simple request. We would like a simple report
that lists how many PCs there are in each OU into an Excel spreadsheet. Well, I
have managed to do this with CSVDE and the summary report in Excel. Is there a
better (low cost) solution?
 
 
Dave Wade
E-Services
0161 474 5456
 
 





RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
>Sent: 15 September 2006 13:50
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
>
>> 2) Spy ware hangs around for a long time. Our users used to have admin
>> rights so there is a lot of "legacy" spyware around
>
>Create a project to re-build these machines? If you've got a standard
>deployment image for workstations, this might not be too disruptive.

If only! I guess we have nearly 1000 "old" "non-standard" desktops,
which have a range of obsolete hardware, a wide variety of software
packages. The thought of re-building them is a nightmare..
 
>> 3) We still have business critical applications that won't run without
>> admin rights. Often these are tightly integrated in a large suite of
>> applications, e.g. the Call Centre management suite, so we still have
>> some machines where users have admin rights. I know this sucks but
>> there is certainly no cash available to replace these apps
>
>Is there a budget to deliver these 'special' apps via Citrix or at least
>MS Terminal server, hence isolating them on a locked down server which
>users cannot browse the web from, and allowing you to drop their local
>workstation access level down to something sane? Or to virtualise these
>apps on each desktop, again isolating them and allowing you to drop the
>local workstation access rights down a notch or two.

Often they are things like the telephony or voice recording apps, or
things which run tills or doors or other oddball hardware. I doubt these
would run on TS or Citrix either. Even worse, we don't insist that new
apps run without Admin rights :-(



--
Robert Moir
Microsoft MVP for Windows Servers & Security Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx





RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade
Thanks for that pointer. I might be making some nominations.

I have done lots of hacking of the registry etc, but at some point you have
to cut your losses. I think before we started the lock down there
were about 3,500 PCs with local admin rights. We are now down to
between 20 and 30. This is less than 1% of our PCs. It's now a manageable
problem and it's under control. From being our number one problem it's
gone down to being below (well almost below) the radar.

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 15 September 2006 14:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

www.threatcode.com

and those business critical apps are?

Have you tried hacking up the registry to get them to work?

Dave Wade wrote:
> Chris,
> I guess I have three "comments" on this:-
> 1) Putting user in "Power users" does "cut down on the potential", 
> however even on a properly configured machine users can usually 
> install personal browser extensions containing SpyWare.
> 2) Spy ware hangs around for a long time. Our users used to have admin
> rights so there is a lot of "legacy" spyware around
> 3) We still have business critical applications that won't run without
> admin rights. Often these are tightly integrated in a large suite of 
> applications, e.g. the Call Centre management suite, so we still have 
> some machines where users have admin rights. I know this sucks but 
> there is certainly no cash available to replace these apps
> Dave.
>
> --
> --
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Chris 
> Pohlschneider
> *Sent:* 14 September 2006 20:15
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware
>
> I have not done a lot of research on this, but if you have users in 
> either the power users or regular users group, won't that cut down 
> tremendously on the potential of getting adware/spyware?
>
> --
> --
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Chinnery, 
> Paul
> *Sent:* Thursday, September 14, 2006 11:04 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware
>
> We're using CounterSpy Enterprise from Sunbelt Software. Like you, we 
> have seen a performance hit* on computers with just 128 meg of memory 
> but that goes away when we add more memory. The only issue I ran into,
> other than performance, was it blocked a cookie that was necessary for
> our payroll department. However, once I "okayed" that cookie, it was 
> fine.
>
> *According to Sunbelt, the next version is supposed to reduce the 
> performance impact.
>
> -Original Message-
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of *Chris
> Pohlschneider
> *Sent:* Thursday, September 14, 2006 10:44 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware
>
> Just curious what other people are using for protecting against
> adware/spyware? We are using Webroot Spysweeper right now, but I
> see some performance hits on computers running this software and
> it does work, but it causes headaches while installing some apps
> that we approve. Any suggestions are appreciated.
>
> Chris Pohlschneider
>
> Holloway Sportswear IT
>
> 937-494-2559
>
> 937-497-7300 (Fax)
>
> [EMAIL PROTECTED]
>
>
>


RE: [ActiveDir] need help

2006-09-15 Thread Dave Wade



I guess it depends on what you mean by "display". It's pretty easy to build a
custom MMC console that contains a "Services" snap-in for each DC, and then use
"runas" to launch it with the rights needed. You can still only see the
services on a single DC at once, but it's pretty easy to flip round them...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 15 September 2006 12:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] need help

Look into the Win32_Service class for info. on how to view and manage services
via script.  Or, if you fancy calling EXEs and not handling everything in code,
use the SC.EXE tool.
 
 
--Paul

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 12:12 PM
  Subject: [ActiveDir] need help

  Guys, I need to develop a programme which displays the services on all the
  DCs. Any idea where I can find better help regarding this, or any other
  alternative solution?
  Thanks in advance


"Joe McNicholas" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/15/2006 09:53 AM
Please respond to ActiveDir@mail.activedir.org
Subject: [ActiveDir] _vbscript_ Container Security

I'm trying to create and secure the "LDAP://cn=System
Management,cn=System,dc=mydomain,dc=com" container, as required for SMS [1].
I'm able to create the container successfully, but haven't found any examples
of how to assign security to an OU or Container in the AD.  MS Script Centre
and a quick google have come up blank, can anyone point me to any examples?
Thanks
Joe
[1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true
  





RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Dave Wade
Darren,
 While that also seems intuitive to me, patently something odd happens.
It is clearly documented (well, I hope it is; it's certainly my
understanding) that you can only set password policy on the Domain in a
top level GPO, not one applied directly to the "Domain Controllers" OU.
Therefore something odd must happen.
Dave.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 September 2006 00:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

To me it seems intuitive that GP processing would behave the same way
for DCs as it would for other computers.  And to answer the question,
yes I have confirmed this in testing numerous times over the years-most
recently the day Ben asked the question.

Darren

-Original Message-
From: "Derek Harris" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 9/14/2006 4:11 PM
Subject: RE: [ActiveDir] Block Inheritance on DC OU

I did it a couple years ago, and found out that it does block the
password policy. It seems intuitive that it shouldn't, but it does.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU


You say "Obvious" but is this obvious? What happens in the case of
password policy? This can only be set at the top level of the domain.
Does this block actually prevent it being applied? I would guess that it
does, but I wonder if anyone has tested it or has any docs on what
actually happens.
 
 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

 

Well, the obvious effect is that it prevents domain-linked policies from
being delivered correctly, including password policy. This is probably
not desirable. I can't think of a good scenario where this would be
useful. 

 

Darren

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has "block inheritance" enabled
for the Domain Controller's OU and apparently whoever enabled this
setting is no longer with the company (or they won't fess up to why they
did this).

 

Although I am curious, what sort of ramifications does enabling "block
inheritance" on the Domain Controller's OU pose?  And what reason would

[truncated by sender]





RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade



Chris,
   I guess I have three "comments" on this:-

1) Putting users in "Power users" does "cut down on the potential", however
even on a properly configured machine users can usually install personal
browser extensions containing SpyWare.

2) Spy ware hangs around for a long time. Our users used to have admin rights
so there is a lot of "legacy" spyware around.

3) We still have business critical applications that won't run without admin
rights. Often these are tightly integrated in a large suite of applications,
e.g. the Call Centre management suite, so we still have some machines where
users have admin rights. I know this sucks but there is certainly no cash
available to replace these apps.

Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: 14 September 2006 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


I have not done a lot 
of research on this, but if you have users in either the power users or regular 
users group, won’t that cut down tremendously on the potential of getting 
adware/spyware?
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Thursday, September 14, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
 

We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we have
seen a performance hit* on computers with just 128 meg of memory but that goes
away when we add more memory.  The only issue I ran into, other than
performance, was it blocked a cookie that was necessary for our payroll
department.  However, once I "okayed" that cookie, it was fine.

 

*According to 
Sunbelt, the next version is supposed to reduce 
the performance impact.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
  Sent: Thursday, September 14, 2006 10:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: Protecting against Spyware/Adware
  Just curious what other people are using for protecting against
  adware/spyware? We are using Webroot Spysweeper right now, but I see some
  performance hits on computers running this software and it does work, but
  it causes headaches while installing some apps that we approve. Any
  suggestions are appreciated.
   
  Chris 
  Pohlschneider
  Holloway 
  Sportswear IT
  937-494-2559
  937-497-7300   (Fax)
  [EMAIL PROTECTED]
   
   





RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Dave Wade



Chris,
 
I gather we tweaked ours so it only used a certain % of system 
resources (20% I think) and while it does have some impact on performance it 
does seem "livable with" now they have done that..
 
Dave. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: 14 September 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware


Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I see some
performance hits on computers running this software and it does work, but it
causes headaches while installing some apps that we approve. Any suggestions
are appreciated.
 
Chris 
Pohlschneider
Holloway 
Sportswear IT
937-494-2559
937-497-7300 
(Fax)
[EMAIL PROTECTED]
 
 





RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Dave Wade



You say "Obvious" but is this obvious? What happens in the case of password
policy? This can only be set at the top level of the domain. Does this block
actually prevent it being applied? I would guess that it does, but I wonder if
anyone has tested it or has any docs on what actually happens.
 
 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU
 
Well, 
the obvious effect is that it prevents domain-linked policies from being 
delivered correctly, including password policy. This is probably not desirable. 
I can't think of a good scenario where this would be useful. 
 
Darren
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU
The company I am currently working for has “block 
inheritance” enabled for the Domain Controller’s OU and apparently whoever 
enabled this setting is no longer with the company (or they won’t fess up to why 
they did this).
 
Although I am curious, what sort of ramifications does enabling “block inheritance” on the Domain Controller’s OU pose?  And what 
reason would you have to enable this setting on the Domain Controller’s 
OU?  With any other OU, it would be fairly obvious, but being that these 
are the Domain Controllers it would seem to be a unique 
situation.
 
Thanks as always for your input,
~Ben





RE: [ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread Dave Wade



It prevents you locking yourself out of DCs due to policy being applied at the
domain level. I think it's a "good thing". The only trouble is I am not sure it
protects against site policies.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: 13 September 2006 17:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU


The company I am currently working for has “block inheritance” enabled for the Domain Controller’s OU and apparently whoever enabled this setting is no longer with the company (or they won’t fess up to why they did this).

Although I am curious, what sort of ramifications does enabling “block inheritance” on the Domain Controller’s OU pose? And what reason would you have to enable this setting on the Domain Controller’s OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

Thanks as always for your input,
~Ben


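A check for the point Dave makes above (an added example, not code from the thread): it reads gPOptions and gPLink on the Domain Controllers OU, the domain and every site with ADSI, and reports which higher-level links are blocked and which are enforced and so still reach the DCs. It assumes it is run with cscript on a domain-joined machine with read access to the directory.

```vbscript
' Added example: report what "Block Inheritance" on the Domain Controllers OU
' actually does to the GPOs linked above it (domain and sites).
' Block Inheritance blocks non-enforced links from parent OUs, the domain and
' the site; an ENFORCED link is applied regardless. Run with cscript on a
' domain-joined machine; it only reads the directory.
Option Explicit

Const GPOPTIONS_BLOCK_INHERITANCE = 1   ' bit in the container's gPOptions
Const GPLINK_DISABLED = 1               ' bits in each gPLink entry's options
Const GPLINK_ENFORCED = 2

' Read a single-valued attribute, returning "" when it is not set on the
' object (gPOptions and gPLink are absent until someone uses them).
Function GetSafe(obj, attr)
    On Error Resume Next
    GetSafe = obj.Get(attr)
    If Err.Number <> 0 Then GetSafe = ""
    On Error GoTo 0
End Function

Function BlocksInheritance(obj)
    Dim v
    v = GetSafe(obj, "gPOptions")
    BlocksInheritance = False
    If IsNumeric(v) Then
        BlocksInheritance = ((CLng(v) And GPOPTIONS_BLOCK_INHERITANCE) <> 0)
    End If
End Function

' gPLink looks like "[LDAP://cn={guid},cn=policies,cn=system,DC=x;0][...;2]".
' Returns an array of (GPO DN, link options) pairs; an empty array when unset.
Function ParseGpLink(value)
    Dim entries, i, entry, pos, result
    value = Trim(value)
    If Len(value) < 2 Then
        ParseGpLink = Array()
        Exit Function
    End If
    entries = Split(Mid(value, 2, Len(value) - 2), "][")
    ReDim result(UBound(entries))
    For i = 0 To UBound(entries)
        entry = entries(i)
        pos = InStrRev(entry, ";")          ' the options follow the last ";"
        result(i) = Array(Left(entry, pos - 1), CLng(Mid(entry, pos + 1)))
    Next
    ParseGpLink = result
End Function

' Print every GPO linked at one scope and whether it still reaches the DCs.
Sub ReportLinks(scopeName, obj, blockedBelow)
    Dim link, gpo, status
    For Each link In ParseGpLink(GetSafe(obj, "gPLink"))
        Set gpo = GetObject(link(0))
        If (link(1) And GPLINK_DISABLED) <> 0 Then
            status = "link disabled"
        ElseIf (link(1) And GPLINK_ENFORCED) <> 0 Then
            status = "ENFORCED - applies to the DCs despite Block Inheritance"
        ElseIf blockedBelow Then
            status = "BLOCKED by Block Inheritance on the DC OU"
        Else
            status = "applies"
        End If
        WScript.Echo scopeName & ": " & gpo.Get("displayName") & " [" & status & "]"
    Next
End Sub

Dim rootDSE, domainDN, domainObj, dcOU, sites, site, blocked
Set rootDSE   = GetObject("LDAP://RootDSE")
domainDN      = rootDSE.Get("defaultNamingContext")
Set domainObj = GetObject("LDAP://" & domainDN)
Set dcOU      = GetObject("LDAP://OU=Domain Controllers," & domainDN)

blocked = BlocksInheritance(dcOU)
WScript.Echo "Domain Controllers OU blocks inheritance: " & blocked

' Links on the OU itself (e.g. Default Domain Controllers Policy) always apply.
ReportLinks "DC OU", dcOU, False
' Domain-linked GPOs (e.g. Default Domain Policy) are blocked unless enforced.
ReportLinks "Domain", domainObj, blocked
' Site-linked GPOs are blocked the same way; a DC only receives its own site's.
Set sites = GetObject("LDAP://CN=Sites," & rootDSE.Get("configurationNamingContext"))
sites.Filter = Array("site")
For Each site In sites
    ReportLinks "Site " & site.Get("cn"), site, blocked
Next
```

Because the Default Domain Policy is not enforced by default, the report lists it as blocked when the OU has Block Inheritance set; a domain-level GPO you expect to reach the DCs must either be enforced or linked on the OU itself.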



RE: [ActiveDir] Locking Down Wireless

2006-09-13 Thread Dave Wade
Wilson,

First, thanks for the suggestion. When I started I spent a long time
looking at non-Microsoft solutions, because I wanted to avoid updating
about 100 laptops from W2K to XP-SP2, but I discarded most of them a
long time ago, for a number of reasons.

Firstly, having already been bitten by 3-COM withdrawing support for
their TLS security means that a vendor solution is not really
acceptable, which did not leave much at all.

Secondly, as far as I can tell none of them can use the machine
credentials to authenticate, so the machine is not on the network until
a user logs on. This means policies don't get applied and logon scripts
don't run. Then when the user does log on, they don't use the existing
credentials; the user needs to re-enter their password to authenticate
with the RADIUS server. (The network team specified PEAP with Domain
Credentials using existing RADIUS servers.)

On top of that, whilst a large percentage of the systems are IBM we also
have a number of non-IBM machines, Compaq and Toshiba for example. We
also have a large number of IBMs with 3-COM cards (bought to work with
our previous security system) which the IBM software does not manage. I
did check out the 3com software and on Windows/XP I could not even get
it to work with PEAP and MS-CHAPV2 as specified by the network team so
reverted to the Wireless Zero Config.

Dave.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of wilson chang
Sent: 12 September 2006 20:57
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Locking Down Wireless

Dave,

Are you averse to a non-Microsoft approach?  I ask because depending on
the make/model of your laptop and/or wireless card, there may be other
options.  For example, ThinkPads come with the Access Connection Manager
- an applet that controls a great many detailed configuration settings
pertaining to both wired & wireless connections.
Specifically, there's an option to only allow Administrators to change
settings.  Once a connection profile is set up, end users will only be
offered those predefined sites and no others!  Of course, if the users
are local admin ... yada yada yada :-)  I believe the Intel ProSet
software package also includes similar functionality.  There may be
others, but these 2 are ones I've used before.  Each one also has the
ability to import/export the connection profiles, as to facilitate
larger rollouts.

Thanks,
Wilson

On 9/12/06, Dave Wade <[EMAIL PROTECTED]> wrote:
>
> Have I missed something in the "new" XPSP2 wireless configuration
> stuff. As far as I can see you can't prevent users connecting to
> non-preferred networks, even with Policy lockdown. Even if you hide
> the networks page on the adaptor, when the user is in a location where
> there is no network, the connection wizard still pops up. Anyone got a
> solution to this?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx





[ActiveDir] Locking Down Wireless

2006-09-12 Thread Dave Wade



Folks,

Have I missed something in the "new" XPSP2 wireless configuration stuff. As far as I can see you can't prevent users connecting to non-preferred networks, even with Policy lockdown. Even if you hide the networks page on the adaptor, when the user is in a location where there is no network, the connection wizard still pops up. Anyone got a solution to this?

Dave Wade

Stockport MBC





RE: [ActiveDir] pw reset domain account

2006-06-26 Thread Dave Wade
<<< Note insane ramblings follow. These are off the top of my head and
un-tested>>>

If the user name and password are known then there are a whole host of
places you can use the account to conceal your identity. If the user can
logon with it then it must have "logon locally" rights. Wonder if you
can pop a "CMD" window, then you can use it in "runas" credentials? Then
isn't there a dodge (left shift key) so that you bypass the startup
programs thingy and so avoid the web page loading? If it's going to ask
questions then presumably it needs rights somewhere else, so is going to
have "logon via the network" rights as well, nice that...

Not sure that you could stop users finding the "magic web site" address,
could they then start tampering from there?

Sounds like a real hacker's heaven

Dave.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: 26 June 2006 16:28
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] pw reset domain account

What sort of questions? If you ask people to pick a secret question then
you'll get poor quality questions:

Q. QWERTY
A. UIOP

Or poor quality questions:
DOB? (My friends at work know how old I am, and what day my birthday
is).
Q. What sports team do I support?
A. Right like it isn't obvious from the way I was moaning about their
play yesterday.

Or questions that anyone trying to hack a specific important account
couldn't discover.
Q. What was my first grade teacher
A. Like this isn't documented on Friends Reunited and every silly
myspace quiz you ever took.

Sorry to sound like I'm beating you up on this quite so much, but I've
been down this road already and I'm trying to save you some pain.

Couple of further questions:
What will you do if someone forgets the special password resetting
account's details? Hopefully they won't actually be logging in THAT
often.

What's to stop a 'random passer by' getting on a terminal and playing
with this account?

-Original Message-
From: [EMAIL PROTECTED] on behalf of AWS
Sent: Mon 26/06/2006 15:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account
 
Yes, the latter. This is an account a user would use to login with, then
the pw reset website would automatically run. The website has
challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote:
>
> Err, maybe you can fill in more detail. I am not quite sure what you
> are saying. Are you saying there is a generic ID to log into the
> website and it can reset anyone's password or are you saying there is
> a generic ID with rights to reset anyone's password or
>
> Either of those solutions wouldn't be optimal and I would love to work
> in that company for a day with that implemented and have people point
> out who the dumbass managers were... Or at least their IDs.
>
> Oh I just read that again, is this an idea to give a userid/password
> to everyone so they can get past the GINA and get to the self service
> website?
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> --
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AWS
> Sent: Sunday, June 25, 2006 6:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] pw reset domain account
>
> There's a proposal at my company for a self service password reset
> website which uses a shared domain account. It's similar to a kiosk
> configuration, but the intent is to publicize the account and password
> so that it can be used from any users' pc when needed.
>
> They have an account-specific OU/GPO configuration which locks down
> the typical stuff you would expect, but my position is that there are
> too many unknown vectors for such an account to be abused.
>
> Since I don't dabble in the various black hat utils du jour, does
> anyone have any thoughts on how a globally known domain account could
> be hacked upon? Conversely, is there any way such an account could be
> effectively locked down?
>
> Thanks,
> AW
>


RE: [ActiveDir] sample vbs script

2006-06-06 Thread Dave Wade
Even though Compaq "let me go" these are still my favourites...

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Alain Lissoir 
Sent: Tue 06/06/2006 21:41 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] sample vbs script


Look at http://www.lissware.net, White Papers section.
 
February 2000 (Compaq Active Answers):

Part 1
  - Understanding the Microsoft WSH and the ADSI in Windows 2000 (Script Kit)

Part 2
  - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, June 06, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script



There are several in the TechNet Script Center

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

 

Could someone send me a sample vbs script that creates AD user accounts?

Thanks

Antonio




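Since the thread answers Antonio's request only with links, here is an added example of what such a script looks like (not the thread's or the script kits' code): it creates an enabled user under a given OU with ADSI from WSH and forces a password change at first logon. The OU DN, names and the initial password are supplied at run time; the file name newuser.vbs is a placeholder.

```vbscript
' Added example (not from the thread or the linked script kits): create and
' enable an AD user from WSH with ADSI. The OU, names and account name come
' from the command line; the initial password is read from standard input so
' it does not land in the shell history. Run with cscript as an account that
' may create users in the target OU.
Option Explicit

Const ADS_UF_NORMAL_ACCOUNT = &H200   ' userAccountControl: ordinary user, enabled

' Turn "DC=corp,DC=example,DC=com" into "corp.example.com" for the UPN suffix.
Function DnsNameFromDn(domainDn)
    DnsNameFromDn = Replace(Mid(domainDn, 4), ",DC=", ".")
End Function

' Escape the characters that may not appear unescaped in an RDN value
' (the backslash goes first so the escapes we add are not escaped again).
Function EscapeRdnValue(value)
    Dim chars, c, out
    out = value
    chars = Array("\", ",", "+", """", "<", ">", ";", "=")
    For Each c In chars
        out = Replace(out, c, "\" & c)
    Next
    EscapeRdnValue = out
End Function

' Create the user, set its password and enable it; returns the ADSI object.
Function CreateDomainUser(ouDn, samName, firstName, lastName, initialPassword)
    Dim rootDSE, ou, user, upn
    Set rootDSE = GetObject("LDAP://RootDSE")
    upn = samName & "@" & DnsNameFromDn(rootDSE.Get("defaultNamingContext"))

    Set ou   = GetObject("LDAP://" & ouDn)
    Set user = ou.Create("user", "CN=" & EscapeRdnValue(firstName & " " & lastName))
    user.Put "sAMAccountName",    samName
    user.Put "userPrincipalName", upn
    user.Put "givenName",         firstName
    user.Put "sn",                lastName
    user.Put "displayName",       firstName & " " & lastName
    user.SetInfo              ' the object must exist before a password can be set

    ' SetPassword lets ADSI pick a protected channel (LDAP over SSL, Kerberos
    ' or the SAM RPC interface) rather than writing the attribute directly.
    user.SetPassword initialPassword
    user.Put "pwdLastSet", 0                               ' must change at next logon
    user.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT   ' clears ACCOUNTDISABLE
                                                           ' and PASSWD_NOTREQD
    user.SetInfo
    Set CreateDomainUser = user
End Function

Dim args, password, created
Set args = WScript.Arguments
If args.Count <> 4 Then
    WScript.Echo "Usage: cscript newuser.vbs <ouDN> <sAMAccountName> <firstName> <lastName>"
    WScript.Quit 1
End If
WScript.StdOut.Write "Initial password: "
password = WScript.StdIn.ReadLine
Set created = CreateDomainUser(args(0), args(1), args(2), args(3), password)
WScript.Echo "Created " & created.Get("distinguishedName")
```

A new user object starts disabled with the "password not required" bit set, which is why the script writes userAccountControl explicitly after the password has been set.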
RE: [ActiveDir] AD lag sites and replication

2006-05-31 Thread Dave Wade



Joe,

I thought (and it's a long time since I looked) that you needed to be an enterprise admin to force replication in AD Sites and Services... You can force replication in the domain context in replmon. I guess that this begs another question:

1. Are you trying to stop replication in all replication contexts?

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 31 May 2006 00:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

I am confused by your #2. Are you saying that admins can't 
force replication outside of the normal replication 
periods?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Tuesday, May 30, 2006 6:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil,

1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

2) I don't think that "normal admins" can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000

3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag sites DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, May 30, 2006 10:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD lag sites and replication
  
  Thanks Ulf.

  I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'over ride' it.

  I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

  neil
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: 30 May 2006 09:01
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD lag sites and replication
  
  You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface).

  Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

  As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

  Gruesse - Sincerely,
  Ulf B. Simon-Weidner
  Profile & Publications: http://mvp.support.microsoft.com/profile
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).

We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc.

Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Thanks, neil


RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Dave Wade



Al,

Sorry, I mis-read it. I thought it was just controlling bandwidth, but now I look it's specific lag. However I still think that this could be dangerous and cause more problems than it solves.

Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 30 May 2006 13:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD lag sites and replication

I think that's the point, isn't it? To be able to have a site that lags the rest of them for replication changes? :)

FWIW, there is no way that I'm aware of to prevent an admin from triggering replication in the sense that an admin could override any changes you make to be able that would otherwise allow them to trigger the replication. While you may counter that you're just trying to prevent the admin from doing something easily i.e. make them work to override the change, I read into this that you want to absolutely prevent them from triggering replication. For that, you need to look outside the system they have rights on else change them from DA to OU admin. The other alternative is to trust them not to make that change without knowing what they're doing. An easy argument that anyone with DA should be able to be that trusted, but reality often differs from desire.

Admins, by design have rights to the system. As such, they have rights to make those changes that allow them to, well, make changes.

Al

On 5/30/06, Dave Wade <[EMAIL PROTECTED]> wrote:

  
  
  Neil,

  1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

  2) I don't think that "normal admins" can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000

  3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't

  Dave
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: 30 May 2006 11:32
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD lag sites and replication
   
  
  
  Hi Neil,

  I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag sites DC.

  Gruesse - Sincerely,
  Ulf B. Simon-Weidner
  Profile & Publications: http://mvp.support.microsoft.com/profile
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Thanks Ulf.

I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'over ride' it.

I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface).

Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile
Weblog: http://msmvps.org/UlfBSimonWeidner
Website:

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Dave Wade



Neil,

1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

2) I don't think that "normal admins" can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000

3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag sites DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, May 30, 2006 10:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD lag sites and replication
  
  Thanks Ulf.

  I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'over ride' it.

  I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

  neil
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: 30 May 2006 09:01
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD lag sites and replication
  
  You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface).

  Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

  As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

  Gruesse - Sincerely,
  Ulf B. Simon-Weidner
  Profile & Publications: http://mvp.support.microsoft.com/profile
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).

We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc.

Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Thanks, neil
PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily r

RE: [ActiveDir] Regarding Exchange problem

2006-05-29 Thread Dave Wade
for your organization.

If on NT... get on 2k3.
If on 2000.. we're starting to get to that ..h are we getting to that time frame that maybe we need to wait for 2007 if we are willing to be an early adopter and jump soon after it ships and not wait for Exchange 2007 sp1?

But I'm not an unbiased person here.. I have Software Assurance so it's already proven that I'm insane.

But I'm still not sure of what's the reason for the question? As an admin point of view ..the System Manager between the 2k and 2k3 looks pretty close to one another.. it's the Monad era stuff in Exchange 2007 that will be the learning curve era for me.





Ajay Kumar wrote:
> Susan Bradley,
>
> Can U tell me different in exchange *in term of feature* ?.
> And thanks for giving me details in same.
>
> Regards,
> Ajay
>
> On 5/29/06, Dave Wade <[EMAIL PROTECTED]> wrote:
>
>     I usually answer "3" to questions like this. Why? Well it's too
>     general and open ended for a list like this. You know what's
>     important in your deployment, we can only guess. So:-
>
>     1. If you want general info there is a wealth of information on
>     the MS web site, read it taking care to concentrate on the bits
>     that you are interested in.
>
>     2. If you are considering an upgrade describe your existing system
>     and ask what's in it for you, or highlight areas of concern
>
>     3. If you are considering a new deployment, deploy 2003.
>
>     Dave Wade
>
>     -Original Message-
>     From: [EMAIL PROTECTED] on behalf of Ajay Kumar
>     Sent: Sun 28/05/2006 07:00
>     To: ActiveDir@mail.activedir.org
>     Cc:
>     Subject: [ActiveDir] Different between Exchange 2000 and 2003
>
>     Hi all,
>
>     Can any one pls tell me what's different between Exchange 2000 and 2003.
>
>     Regards,
>
>     Ajay.
>

RE: [ActiveDir] Different between Exchange 2000 and 2003

2006-05-28 Thread Dave Wade
I usually answer "3" to questions like this. Why? Well it's too general and open ended for a list like this. You know what's important in your deployment, we can only guess. So:-

1. If you want general info there is a wealth of information on the MS web site, read it taking care to concentrate on the bits that you are interested in.

2. If you are considering an upgrade describe your existing system and ask what's in it for you, or highlight areas of concern

3. If you are considering a new deployment, deploy 2003.

Dave Wade
 
-Original Message- 
From: [EMAIL PROTECTED] on behalf of Ajay Kumar 
Sent: Sun 28/05/2006 07:00 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Different between Exchange 2000 and 2003



Hi all,
 
Can any one pls tell me what's different between Exchange 2000 and 2003.
 
 
Regards,
 
Ajay.




RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-23 Thread Dave Wade



Joe,

We'll all agree on that, however we are pretty much stuck with the apps in question "as-is" as the software is supplied "from above" (e.g. the stuff from www.ncer.org). These days I copy the database onto a users PC and they run the reports and analysis locally, as that's what the software supplier tells them to do, and the users are happy with that.

Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 23 May 2006 04:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice

Access is crap to use for a multiuser app. Don't discount 
the fact that the perf could be simply related to that. 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 18, 2006 7:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice

It's the one thing that seems to give us performance issues. Last time I investigated things running slow, client was quiet (low CPU, short disk queue, minimal paging), network was quiet yet response was slow. Conclusion was that server was somehow the bottleneck. I must admit I didn't do much work on investigation. I think they should use an appropriate tool such as msde (only a few users) but program is provided by central government, so we are stuck with it. I wonder if it was just running same time as backups perhaps...

  -Original Message-
  From: [EMAIL PROTECTED] on behalf of Brian Desmond
  Sent: Thu 18/05/2006 23:34
  To: ActiveDir@mail.activedir.org
  Cc:
  Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
  
  Access database will likely get cached on the client in memory, in any case 
  it’d be all read ops. Access doesn’t cache report output. 

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132
   
   
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
  Sent: Thursday, May 18, 2006 6:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
   
  
  For file sharing, I would consider 0+1 but 5 would be more likely since you 
  probably want/need the space more than the speed. File sharing doesn't 
  really beat the disks up relative to a busy DC even in large multi-thousand 
  user file servers I have seen. 
  
   
  
  What about when 
  some idiot user sets up an Access database on one and runs 
  "inappropriate" reports against it.. 
  
   
  
   
  
   
  
  It is why most normal server admins really have no clue what to look for in 
  terms of IO load on servers but any Exchange Admin worth anything is looking 
  at that right away in a problem situation and able to quote IOPS stats off 
  the top of their head and know what they can get from the underlying disk 
  subsystem. Exchange disk configs are critical.
  


RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread Dave Wade



1) Exchange Hard Drive Config.
 
a) Many drives, preferably RAID 0+1. At least one mirror pair per 250 users 
for the database.
b) Separate data that is accessed sequentially (logs) from random access 
data (databases).
c) Use one of the manufacturers' tools. I know the HP one (see below) will 
consider both size and I/O.
 
2) Troubleshoot
 
a) Look at the I/O queue length. I seem to remember being told that 6 was a 
good benchmark, but I may be wrong. If you get a large I/O queue length, 
especially on the log files, you are in trouble.
 
b) Take a look at the HP storage calculator. I know it's only HP storage, 
but it will give you an idea if your config is reasonable:-
 
http://h71019.www7.hp.com/activeanswers/Secure/116756-0-0-0-121.html
 
 

  -Original Message-
  From: [EMAIL PROTECTED] on behalf of HBooGz
  Sent: Thu 18/05/2006 23:55
  To: ActiveDir@mail.activedir.org
  Cc:
  Subject: Re: [ActiveDir] [OT] RAID 5 Best Practice

  Sorry to bounce off topic. But what would you recommend for Exchange hard 
  drive config? Even better, where can I look for information on how to 
  troubleshoot (what to look for) the disk subsystem on an Exchange box. 
  Thanks.

  On 5/18/06, joe <[EMAIL PROTECTED]> wrote:

Classic Exchange type design. ;o)

For AD, I pretty generally recommend people do a single 0+1/10[1] first and 
then 5 second and go with either because usually they don't have enough slots 
for the disk internally to break it all up into a bunch of 1's and I prefer 
the disk internal for AD and you want as many spindles in the set as possible.

The good thing is that 0+1 will stand up to the IO (mostly DIT read) load that 
you get out of even really busy DCs. I may change my thoughts after I start 
seeing big x64 machines cruising along, haven't seen any yet in customer sites. 
The log load on DCs is usually minuscule except in cases I have heard of ~Eric 
testing some funky stuff in EEC and actually getting log write ops into triple 
digits. Ditto for OS too unless you are doing a bunch of other stuff on the DC.

For file sharing, I would consider 0+1 but 5 would be more likely since you 
probably want/need the space more than the speed. File sharing doesn't really 
beat the disks up relative to a busy DC even in large multi-thousand user file 
servers I have seen. It is why most normal server admins really have no clue 
what to look for in terms of IO load on servers but any Exchange Admin worth 
anything is looking at that right away in a problem situation and able to quote 
IOPS stats off the top of their head and know what they can get from the 
underlying disk subsystem. Exchange disk configs are critical.

Anyway, I don't have a problem with 5 for file servers. There is definitely a 
hit on rebuild but you have to ask yourself how often you expect that and 
whether or not it is acceptable that you take a hit when you are in that mode. 
I consider the fault tolerance for emergencies, not something I have to deal 
with weekly. If there are other benefits I want from 5 (say reduced cost for 
the space) and having slower rebuild is acceptable then that is perfectly 
fine. If you need something that is entirely transparent then you look at 
other solutions and you start spending more money.

As for logically partitioning the underlying disk. Not sure what kind of 
security gains you are expecting there. Nothing I can think of off the top of 
my head. No perf gain except for the possible perf gains in doing a volume 
chkdsk or backup/restore of individual volumes maybe. The partitioning for 
logical separate of binaries in data can be a good thing. Kind of nice to know 
that you absolutely need the D drive back but the C could be a complete fresh 
rebuild.

joe

[1] Assuming they wouldn't consider a straight stripe set, recall DCs are all 
duplicates and a big stripe set is going to be the fastest...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Thursday, May 18, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] RAID 5 Best Practice

I know this is not exactly the RAID 5 Best practices but this is how I 
usually setup and recommend the customers to setup their disks (if they can 
afford the hardware)

RAID1 for the OS
RAID1 for the logs
RAID0+1 for the database

Carlos

Brian Desmond wrote:
> I always do 12GB for C and the rest for D for 'Data'. I can format C and 
> not worry about the Data.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
> c - 312.731.3132
>
> --
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy
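Dave's troubleshooting step (a) above, checking the I/O queue length per disk, as a check you can run today. This is an added example for this page, not code posted to the thread; it samples the PhysicalDisk counters with PowerShell's Get-Counter and flags any disk whose average queue length exceeds a threshold. The threshold of 6, the sample count and the interval are assumptions taken from the thread's rough benchmark and should be adjusted for the number of spindles behind each volume.

```powershell
# Added example (not from the thread): sample the disk queue length per physical
# disk and flag instances above a threshold. 6 is the figure the thread quotes
# as a rough benchmark; divide by spindle count for a RAID set before judging.
param(
    [double]$QueueThreshold = 6,
    [int]$Samples = 10,
    [int]$IntervalSeconds = 5
)

# Counters that describe how hard the disk subsystem is being pushed.
$counters = @(
    '\PhysicalDisk(*)\Avg. Disk Queue Length',
    '\PhysicalDisk(*)\Disk Transfers/sec',
    '\PhysicalDisk(*)\Avg. Disk sec/Transfer'
)

# Collect $Samples readings, $IntervalSeconds apart, for every disk instance.
$data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Flatten the sample sets and drop the "_Total" pseudo-instance.
$samples = $data.CounterSamples | Where-Object { $_.InstanceName -ne '_total' }

# Average each counter per disk instance over the whole run. Counter paths come
# back lower-cased; PowerShell hashtable keys are case-insensitive, so the
# lookups below still match.
$report = $samples |
    Group-Object InstanceName |
    ForEach-Object {
        $byCounter = $_.Group | Group-Object { ($_.Path -split '\\')[-1] }
        $avg = @{}
        foreach ($c in $byCounter) {
            $avg[$c.Name] = ($c.Group | Measure-Object CookedValue -Average).Average
        }
        [pscustomobject]@{
            Disk            = $_.Name
            AvgQueueLength  = [math]::Round($avg['Avg. Disk Queue Length'], 2)
            TransfersPerSec = [math]::Round($avg['Disk Transfers/sec'], 1)
            LatencyMs       = [math]::Round($avg['Avg. Disk sec/Transfer'] * 1000, 1)
            OverThreshold   = $avg['Avg. Disk Queue Length'] -gt $QueueThreshold
        }
    }

$report | Sort-Object AvgQueueLength -Descending | Format-Table -AutoSize

# A sustained queue on the volume holding the transaction logs is the case the
# thread singles out as the one to worry about first.
$hot = $report | Where-Object OverThreshold
if ($hot) {
    Write-Warning ("Queue length above {0} on: {1}" -f $QueueThreshold, ($hot.Disk -join ', '))
}
```

Run it during the slow period rather than off-hours, since the thread's own suspicion is that the slowdown coincided with backups.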

RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread Dave Wade
It's the one thing that seems to give us performance issues. Last time I 
investigated things running slow, the client was quiet (low CPU, short disk 
queue, minimal paging), the network was quiet, yet response was slow. The 
conclusion was that the server was somehow the bottleneck. I must admit I 
didn't do much work on the investigation. I think they should use an 
appropriate tool such as MSDE (only a few users) but the program is provided 
by central government, so we are stuck with it. I wonder if it was just 
running at the same time as backups perhaps...

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Brian Desmond 
Sent: Thu 18/05/2006 23:34 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice



Access database will likely get cached on the client in memory, in any 
case it’d be all read ops. Access doesn’t cache report output. 

 

Thanks,
Brian Desmond

[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 

 

c - 312.731.3132

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 18, 2006 6:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice

 


For file sharing, I would consider 0+1 but 5 would be more likely since you
probably want/need the space more than the speed. File sharing doesn't
really beat the disks up relative to a busy DC even in large multi-thousand
user file servers I have seen. 

 

What about when some idiot user sets up an Access database on one and 
runs "inappropriate" reports against it.. 

 

 

 

It is why most normal server admins really have no clue what to look for in
terms of IO load on servers but any Exchange Admin worth anything is looking
at that right away in a problem situation and able to quote IOPS stats off
the top of their head and know what they can get from the underlying disk
subsystem. Exchange disk configs are critical.


RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread Dave Wade

For file sharing, I would consider 0+1 but 5 would be more likely since you
probably want/need the space more than the speed. File sharing doesn't
really beat the disks up relative to a busy DC even in large multi-thousand
user file servers I have seen. 
 
What about when some idiot user sets up an Access database on one and runs 
"inappropriate" reports against it.. 
 
 
 
It is why most normal server admins really
have no clue what to look for in terms of IO load on servers but any
Exchange Admin worth anything is looking at that right away in a problem
situation and able to quote IOPS stats off the top of their head and know
what they can get from the underlying disk subsystem. Exchange disk configs
are critical.





RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread Dave Wade
because you want something to work if no domain is available, perhaps

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Abouelnasr, Jerry 
Sent: Thu 18/05/2006 21:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice



What’s a reason for using a local group or account on a file server? 

 

 


  _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 18, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice

 

I said "may" not "typically". There are reasons for using local 
accounts (or groups)...

-Original Message- 
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] 
Sent: Thu 18/05/2006 19:29 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice

>>>but then you may have issues with the permissions on the 
second drive
if you get a different SID on the re-build

On a file server? Do you typically use local file server 
accounts for your
permissioning?


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com>  - we know IT
www.akomolafe.com <http://www.akomolafe.com>
Do you now realize that Today is the Tomorrow you were worried 
about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Dave Wade
Sent: Thu 5/18/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice


These days I am much more curious as to the benefits of RAID5? 
It slows the
I/O down. It can really crawl if you lose a drive and the 
server has to
rebuild the missing volume?

As for multiple partitions, I can't actually see any real 
advantage on a file
server. You can easily move the files to any drive and just 
re-share the
folders. I guess it does make for an easier wipe and build, but 
then you may
have issues with the permissions on the second drive if you get 
a different
SID on the re-build.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Timothy Foster
Sent: Thu 18/05/2006 18:28
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
   
   
Thanks, Brian.  That makes sense.

So if I have a 4 disk array on a single backplane, and 
given that I
want the benefits of RAID 5, is there any argument for 
configuring more than
one partition on the array?  I realize that this is potentially 
too much of
an open-ended question, but I'm curious :-).  The basic premise 
is that this
server would be a workhorse domain member/file server.  Would 
one partition -
C: - combined with carefully configured share and NTFS 
permissions provide
adequate security? Or is it better to put the OS on C: and the 
shares on D: ?
Or does the benefit of partitions lie somewhere else - for 
example, if I
wanted to wipe C: and reinstall the OS without touching D: ?  
(I'm not sure
if I like this idea, but as I mentioned, I'm curious...).

Thanks,

Tim



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 18, 2006 12:53 PM
To: ActiveDir@mail.activedir.o

RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread Dave Wade
I said "may" not "typically". There are reasons for using local accounts (or 
groups)...

-Original Message- 
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] 
Sent: Thu 18/05/2006 19:29 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice



>>>but then you may have issues with the permissions on the second 
drive
if you get a different SID on the re-build

On a file server? Do you typically use local file server accounts for 
your
permissioning?


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com>  - we know IT
www.akomolafe.com <http://www.akomolafe.com>
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Dave Wade
Sent: Thu 5/18/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice


These days I am much more curious as to the benefits of RAID5? It slows 
the
I/O down. It can really crawl if you lose a drive and the server has to
rebuild the missing volume?

As for multiple partitions, I can't actually see any real advantage on 
a file
server. You can easily move the files to any drive and just re-share the
folders. I guess it does make for an easier wipe and build, but then 
you may
have issues with the permissions on the second drive if you get a 
different
SID on the re-build.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Timothy Foster
Sent: Thu 18/05/2006 18:28
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
   
   
Thanks, Brian.  That makes sense.

So if I have a 4 disk array on a single backplane, and given 
that I
want the benefits of RAID 5, is there any argument for configuring more 
than
one partition on the array?  I realize that this is potentially too 
much of
an open-ended question, but I'm curious :-).  The basic premise is that 
this
server would be a workhorse domain member/file server.  Would one 
partition -
C: - combined with carefully configured share and NTFS permissions 
provide
adequate security? Or is it better to put the OS on C: and the shares 
on D: ?
Or does the benefit of partitions lie somewhere else - for example, if I
wanted to wipe C: and reinstall the OS without touching D: ?  (I'm not 
sure
if I like this idea, but as I mentioned, I'm curious...).

Thanks,

Tim



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 18, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
   
   

Tim-



It doesn't really matter. The RAID controller has no idea about 
the
partition table. It just presents a LUN to the OS and the OS writes to 
it.



Thanks,
Brian Desmond

[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>



c - 312.731.3132







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Timothy Foster
Sent: Thursday, May 18, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] RAID 5 Best Practice



Using a RAID controller's configuration utility I can build and
initialize a RAID 5 container.  When installing the OS, I can, if I 
choose,
create a partition.  Is this a good or bad idea?  In other words, if I
partition RAID 5 container during the OS install will it m

RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread Dave Wade
Sorry for grotty format OWA2000...

-Original Message- 
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] 
Sent: Thu 18/05/2006 20:52 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: Re: [ActiveDir] [OT] RAID 5 Best Practice



One advantage of RAID 5 over RAID 1 mirroring is that with a RAID 5 hot 
spare, 2 drives can fail and you don't lose the data which is not possible with 
2 RAID 1 mirrored drives.  
 
If the second drive fails before the RAID 5 array has re-built you will 
lose data. A mirror will often re-build much quicker than RAID 5. RAID 5 
performance is usually horrid while a re-build is in progress.
 
However RAID 5 is faster. 
Don't you mean RAID 1 is faster? And by a long way for write 
performance. 
 
Another advantage is that you have to buy double the disks for RAID 1 
as compared with RAID 5.  
Disks are cheaper than servers. The extra performance on a mirror means 
you may be able to get more users on the server.
 
Chuck




RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread Dave Wade
These days I am much more curious as to the benefits of RAID5? It slows the I/O 
down. It can really crawl if you lose a drive and the server has to rebuild 
the missing volume? 
 
As for multiple partitions, I can't actually see any real advantage on a file 
server. You can easily move the files to any drive and just re-share the 
folders. I guess it does make for an easier wipe and build, but then you may 
have issues with the permissions on the second drive if you get a different SID 
on the re-build.

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Timothy Foster 
Sent: Thu 18/05/2006 18:28 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice


Thanks, Brian.  That makes sense.
 
So if I have a 4 disk array on a single backplane, and given that I 
want the benefits of RAID 5, is there any argument for configuring more than 
one partition on the array?  I realize that this is potentially too much of an 
open-ended question, but I'm curious :-).  The basic premise is that this 
server would be a workhorse domain member/file server.  Would one partition - 
C: - combined with carefully configured share and NTFS permissions provide 
adequate security? Or is it better to put the OS on C: and the shares on D: ?  
Or does the benefit of partitions lie somewhere else - for example, if I wanted 
to wipe C: and reinstall the OS without touching D: ?  (I'm not sure if I like 
this idea, but as I mentioned, I'm curious...).
 
Thanks,
 
Tim

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian 
Desmond
Sent: Thursday, May 18, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice



Tim-

 

It doesn’t really matter. The RAID controller has no idea about the 
partition table. It just presents a LUN to the OS and the OS writes to it.

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]  

 

c - 312.731.3132

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy 
Foster
Sent: Thursday, May 18, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] RAID 5 Best Practice

 

Using a RAID controller's configuration utility I can build and 
initialize a RAID 5 container.  When installing the OS, I can, if I choose, 
create a partition.  Is this a good or bad idea?  In other words, if I 
partition RAID 5 container during the OS install will it make any difference if 
I ever need to replace a drive and rebuild the array?  Will the partition table 
be recognized during the rebuild?

 

Thanks for your input.

 

Tim

 

 




RE: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

2006-05-18 Thread Dave Wade
It does not even have to be a logon script. I remember years ago someone
put a trojan on one of our Pr1mes. It was a simple game, unless you
ran it from a privileged account. All was well until the operators ran
it at 2am from an operator's account. It removed all the ACLs from the
file system. Very nice. Took days to sort.

I guess the answer is simple. Don't logon locally using your admin
account. Use the normal best practice to logon with a non-priv account,
then use "runas" to do anything you need with privs. The only problem I have
with this is you can't get an explorer window like this and I hate
setting ACLs from the command line...

>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: 18 May 2006 01:22
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] OT: Overriding local computer logon scripts -
>anyway to do it?
>
>Wasn't one of the infamous Dr. J stories about how they had attempted
>to gain access to one of the msn servers by having a booby trap script
>like that.  If a person had logged in with certain creds it was indeed
>set to fire off a script?
>
>Pen test proof of concept story?
>
>joe wrote:




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-17 Thread Dave Wade
Providing you have up-to-date scripting engines loaded you can encrypt
the script to keep casual eyes away:-

http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin
Sent: 16 May 2006 17:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to
domain?

You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to "Domain Computers" and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin


=
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
Dim oUser

On Error Resume Next

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

' The new password is stored in clear text in this script (see the note
' above about restricting who can read it in Sysvol).
sNewPassword = "PutSomeReallyLongPasswordHere"

sComputer = objNet.ComputerName
sAdminName = GetAdministratorName

' Bind to the local account through the ADSI WinNT provider and reset
' its password. Any failure is swallowed by On Error Resume Next.
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
On Error Goto 0

' Leave a record in the Application event log that the script ran.
objShell.LogEvent 4, "LP startup script LP04 run record."

'==========
' Get Admin Account Name
'==========

' The built-in Administrator always has RID 500, whatever it has been
' renamed to, so the account is located by its SID rather than by name.
Function GetAdministratorName()
Dim sUserSID, objNet, oUserAccount
Set objNet = CreateObject("WScript.Network")
' Only local accounts: WMI reports the computer name as their Domain.
Set oUserAccounts = GetObject( _
 "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
 .ExecQuery("Select Name, SID from Win32_UserAccount" _
   & " WHERE Domain = '" & objNet.ComputerName & "'")

On Error Resume Next
For Each oUserAccount In oUserAccounts
  If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
 Right(oUserAccount.SID, 4) = "-500" Then
GetAdministratorName = oUserAccount.Name
Exit For
  End if
Next
End Function


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
<[EMAIL PROTECTED]> wrote:
> Yeah, disregard what I said about just leaving Admins on the "allow 
> logon locally" setting, that's my bad.  I guess best thing to do would
> be delete all existing local user accounts.
>
> -Sergio
> -Original Message-
> From: Joe Lagreca [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 15, 2006 7:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?
>
> Al and others,
>
> We are retrofitting previously deployed workstations.  Some have local
> logins, while others do not.  I was just wondering if there is a way, 
> via GPO, to force all users to log into the domain, instead of giving 
> them the option to log into their local machine.
>
> I have been told that "In a GPO set the cached logon setting to "0"
> and make sure "allow logon locally" is only set to Admins." will not 
> work.  However I still need to test this myself.  I was told "allow 
> logon locally" will make it so all unlisted users will not be able to 
> login from that workstation, whether its locally or to the domain.
>
> I realize their profiles wouldn't copy, and we can deal with that 
> afterwards.
>
> Thanks.
>
> Joe
>
>
> On 5/15/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > I think you've seen several ways of achieving something similar to 
> > what you've asked for.  But I'm curious as to what you really want 
> > to accomplish.  You've put something very specific, but what makes 
> > you want to force the logon?  What's the backstory?
> >
> > Al
> >
> > On 5/15/06, Joe Lagreca <[EMAIL PROTECTED]> wrote:
> > > Is there a way to force users to logon to domain, or to disable 
> > > logging into local computer accounts via GPO?
> > >
> > > Thanks.
> > >
> >
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http:
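A defender-side check for the rotation script quoted above, written as an added example for this page rather than code anyone posted to the thread. It locates the built-in Administrator on each machine the same way the VBScript does, by the RID 500 suffix of the SID rather than the name, and reports whether the password actually changed after the script logged its run record. The computer names, the maximum password age and the 'WSH' event provider name are assumptions; the script needs PowerShell remoting and the LocalAccounts module on the targets.

```powershell
# Added example (not from the thread). Requires PowerShell remoting to the
# targets and Get-LocalUser on them (Windows 10 / Server 2016 or later).
param(
    # Assumed list of machines the startup script is applied to.
    [string[]]$ComputerName = @('ws-001', 'ws-002'),
    # Flag any machine whose built-in Administrator password is older than this.
    [int]$MaxPasswordAgeDays = 30
)

$check = {
    param($MaxAgeDays)

    # Same idea as the VBScript's Left(SID,9)="S-1-5-21-" / Right(SID,4)="-500":
    # the built-in Administrator keeps RID 500 no matter what it is renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' }

    # Assumption: WScript.Shell.LogEvent writes to the Application log under
    # the provider "WSH". Get-WinEvent returns newest first.
    $lastRun = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WSH' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LP startup script LP04*' } |
        Select-Object -First 1
    $lastRunTime = if ($lastRun) { $lastRun.TimeCreated } else { $null }

    $age = if ($admin.PasswordLastSet) { (Get-Date) - $admin.PasswordLastSet } else { $null }

    # The script logs its run record unconditionally (On Error Resume Next),
    # so the event alone proves nothing; compare it with PasswordLastSet.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        AdminName       = $admin.Name            # shows whether the account was renamed
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        ScriptLastRan   = $lastRunTime
        RotatedAfterRun = ($null -ne $lastRunTime -and $null -ne $admin.PasswordLastSet -and $admin.PasswordLastSet -ge $lastRunTime)
        Stale           = ($null -eq $age) -or ($age.TotalDays -gt $MaxAgeDays)
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $MaxPasswordAgeDays -ErrorAction Continue

$results | Format-Table Computer, AdminName, Enabled, PasswordLastSet, ScriptLastRan, RotatedAfterRun, Stale -AutoSize

# Machines where the script either never ran or ran without changing anything.
$results | Where-Object { -not $_.RotatedAfterRun -or $_.Stale } |
    ForEach-Object { Write-Warning ("{0}: built-in Administrator password not rotated as expected" -f $_.Computer) }
```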

RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Dave Wade
You can set the password in the startup script, but it's a bit open to
hacking. You can use an encrypted VB Script but those are pretty easy to
decrypt. There is also a tool around that will let you do it remotely.
You could also assign the "logon locally" rights to say "domain users" &
"administrator".  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 16 May 2006 16:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
<[EMAIL PROTECTED]> wrote:
> Yeah, disregard what I said about just leaving Admins on the "allow 
> logon locally" setting, that's my bad.  I guess best thing to do would
> be delete all existing local user accounts.
>
> -Sergio
> -Original Message-
> From: Joe Lagreca [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 15, 2006 7:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?
>
> Al and others,
>
> We are retrofitting previously deployed workstations.  Some have local
> logins, while others do not.  I was just wondering if there is a way, 
> via GPO, to force all users to log into the domain, instead of giving 
> them the option to log into their local machine.
>
> I have been told that "In a GPO set the cached logon setting to "0"
> and make sure "allow logon locally" is only set to Admins." will not 
> work.  However I still need to test this myself.  I was told "allow 
> logon locally" will make it so all unlisted users will not be able to 
> login from that workstation, whether its locally or to the domain.
>
> I realize their profiles wouldn't copy, and we can deal with that 
> afterwards.
>
> Thanks.
>
> Joe
>
>
> On 5/15/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > I think you've seen several ways of achieving something similar to 
> > what you've asked for.  But I'm curious as to what you really want 
> > to accomplish.  You've put something very specific, but what makes 
> > you want to force the logon?  What's the backstory?
> >
> > Al
> >
> > On 5/15/06, Joe Lagreca <[EMAIL PROTECTED]> wrote:
> > > Is there a way to force users to logon to domain, or to disable 
> > > logging into local computer accounts via GPO?
> > >
> > > Thanks.
> > >
> >
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this 
email,  or any response to it,  under the Freedom of Information Act 2000, 
unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via 
[EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**

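Joe Lagreca's plan in the thread above (a startup script that deletes every local account except Administrator) in the form a defender would actually deploy: the following is an added example, not a script from the thread or from anyone on the list. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, so not the 2006 platform being discussed), local administrator rights, and an allow-list the reader adjusts; it reports by default and only removes accounts when -Remove is passed.

```powershell
# Added example (not from the thread): audit the local SAM accounts on a
# workstation against an allow-list and, only when -Remove is given, delete
# the ones that are not on it. Assumes the Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016 and later) and local administrator rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts that must never be touched. The built-in accounts are matched
    # by well-known RID below, so renaming Administrator does not defeat the check.
    [string[]] $AllowList = @('Administrator', 'DefaultAccount', 'WDAGUtilityAccount', 'Guest'),
    [switch]   $Remove
)

# Well-known RIDs of the built-in local accounts:
# 500 = Administrator, 501 = Guest, 503 = DefaultAccount, 504 = WDAGUtilityAccount.
$builtInRids = 500, 501, 503, 504

$report = foreach ($user in Get-LocalUser) {
    # The RID is the last sub-authority of the account SID (S-1-5-21-...-RID).
    $rid       = [int]($user.SID.Value -split '-')[-1]
    $isBuiltIn = $builtInRids -contains $rid
    $allowed   = $isBuiltIn -or ($AllowList -contains $user.Name)

    [pscustomobject]@{
        Name      = $user.Name
        Enabled   = $user.Enabled
        Rid       = $rid
        BuiltIn   = $isBuiltIn
        Allowed   = $allowed
        LastLogon = $user.LastLogon
    }
}

# Always emit the full table so there is an audit trail of what was found.
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Allowed })

if ($Remove) {
    foreach ($acct in $unexpected) {
        # ShouldProcess honours -WhatIf / -Confirm on the script itself.
        if ($PSCmdlet.ShouldProcess($acct.Name, 'Remove local user')) {
            Remove-LocalUser -Name $acct.Name
            Write-Warning "Removed local account '$($acct.Name)' (RID $($acct.Rid))"
        }
    }
}
elseif ($unexpected.Count -gt 0) {
    Write-Warning ("{0} local account(s) not on the allow-list; re-run with -Remove to delete them" -f $unexpected.Count)
}
```

Run it without -Remove first and keep the table; the built-in accounts are identified by RID rather than by name, so a renamed Administrator is never a deletion candidate. On the second question in that message, pushing one fixed local administrator password to every machine through Group Policy leaves a single shared secret across the fleet; per-machine randomised passwords (what Microsoft LAPS later provided) are the way to avoid that.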


RE: [ActiveDir] Image a DC?

2006-05-11 Thread Dave Wade
Surely it's OK to image a base install, sysprep, & DC promo?
Also this says :-

"In order to keep a good backup of the Domain Controller, this process should 
be repeated periodically so that the image available for redeployment"

Assuming this is for backup purposes, is this a BAD idea? It's been so long 
since I had to think about deletion tombstones and all those other nice 
things...


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: 11 May 2006 15:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Image a DC?

ahhh, hmmm, e - I think I have to talk to some folks in the blades 
division...  

While it is certainly known that imaging DCs is an absolute no-no, I am 
somewhat unsure about some of the statements made in this doc => they use many 
terms for this RDP image in conjunction with different technologies: scripts / 
disk imaging / backup etc (potentially meaning to use the backup to promote 
another DC via IFM).

But quite confusing - thanks Mark for bringing this up. 

And no, pls. don't image any DC for deployment - no matter what you read.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Donnerstag, 11. Mai 2006 16:07
To: ActiveDir.org
Subject: [ActiveDir] Image a DC?

Am I reading this correctly - HP is stating I should create an image of a DC 
and then deploy this DC image to all new DC's ?
Or does something happen under the hood?

Page 16.

Mark

http://docs.hp.com/en/eclass-is-platform/eclass-is-platform.pdf
 

Double-click on Create Image and enter the path and file name to store the new 
disk image. Since this image is of a Domain Controller, the image data should 
be stored in a secure location. If the local file system does not suffice for 
this purpose, then select something other than ".\images\."
Otherwise, type in a name and location such as ".\images\adimage.img." Click 
Finish to save the task. (Figure 11).

 Drag and drop this script to the server assigned as an Active Directory server 
through the deployment console. This causes the Domain Controller to be imaged. 
In order to keep a good backup of the Domain Controller, this process should be 
repeated periodically so that the image available for redeployment
(should this be necessary) is as up-to-date as 
possible.






RE: OT [ActiveDir] Optimize Exchange Pagefile

2006-05-08 Thread Dave Wade
Dan,
 
 Yes $300 seems a large amount until the loss of a drive results in a lost 
order for $50k. For most organizations these days mail is mission critical. I 
guess from what you say they are NOT proposing a hot spare. In that case I 
strongly suggest that you run the thing in test in degraded mode (i.e. with 
only two drives) and see how it performs before you pop it into production. You 
may get a nasty shock. As I said below I did, and we had less than 20 users on 
the system.
 
As for SATA drives, I have had no personal experience, but the few reports I 
have read implied that the RAID features were often poorly implemented and 
again I would not trust these with Exchange.
 
Dave.

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Mon 08/05/2006 14:54 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: OT [ActiveDir] Optimize Exchange Pagefile 



I understand what you are saying and, in a perfect world, I would 
always recommend mirrored/duplexed arrays to hold at least the exchange log 
files. However, most of my clients are small businesses with which money is 
more of an object than performance. And at $300+ per SCSI disk, it is difficult 
to justify having 2 or more disks that aren’t used to store data.

All that being said, I will discuss this with the people in my 
organization as I do not like using RAID5 especially where Exchange is 
concerned.

Does anyone have any experience with using SATA II drives in 
applications as I have described? With their new NCQ and 3Gb/s features, 
combined with their cost/GB, they make an attractive alternative to SCSI for 
small businesses.


Dan


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, May 08, 2006 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: OT [ActiveDir] Optimize Exchange Pagefile

Al,

 I still think that interesting (i.e. BAD) things might happen if the 
RAID-5 ever flips into degraded mode (i.e. runs on two drives). The first proper 
Exchange Server I built (yes it was 5.0 RTM) was designed for a similar 
situation. We were a small business with about 20 people and the server was 
a Dual Pentium Pro (I guess with NT4) with a third party raid card (I can't 
remember the make). Anyway I built it the same way as Dan proposes, and it ran 
fine for a while. However we had some issues with temperature control in the 
server room and we lost a drive from the array. These days I would have taken 
the server off line and allowed the re-build to complete. I didn't and the RAID 
card could just not cope with re-building the array and the minimal load we 
placed on it. To cut a long story short I spent a long time sorting out the 
mess it made of the databases.

Since then I have been very wary of such configs. In "theory" they 
should work. In my experience, and yes it was a long time ago, and hardware 
should have improved, it may not.

Dave.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al 
Mulnick
Sent: 05 May 2006 19:06
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Optimize Exchange Pagefile

yeah, there would be some general disagreement from me.  Why? Only 
because this is SBS box vs. an enterprise Exchange server hosting 5K users.

My laptop (crud that it is) could host 20 heavy exchange users with 
usable/good performance with that amount of memory.  I don't think the focus of 
a machine that will only ever have <75 users should be optimized for more than 
space in most situations.  It would be a waste of money that could be spent on 
other things like better backups, better coffee, etc.

I don't believe there's any value in buying a system such as SBS and 
then having to make adjustments to things like pagefile size.  That's counter 
to the product's reason for being.

Saying that, Dave is correct that optimizing the disk layout has the 
biggest benefit, but it's SBS and as such it's "special".  Just ask SBS-Lady ;)

Al

On 5/4/06, Dave Wade <[EMAIL PROTECTED]> wrote:
> If you have 4gig of RAM then you should get minimal paging. (I know
> this is a great generalization)
>
> 1) Log file access is sequential, database is random
> 2) Keeping Log files write queue down is key to performance
> 3) log files are write only
> 4) raid-5 tends to have poor write performance (again great 
> generalization).
>
  

RE: OT [ActiveDir] Optimize Exchange Pagefile

2006-05-08 Thread Dave Wade
Al,

 I still think that interesting (i.e. BAD) things might happen if the RAID-5 
ever flips into degraded mode (i.e. runs on two drives). The first proper 
Exchange Server I built (yes it was 5.0 RTM) was designed for a similar 
situation. We were a small business with about 20 people and the server was 
a Dual Pentium Pro (I guess with NT4) with a third party raid card (I can't 
remember the make). Anyway I built it the same way as Dan proposes, and it ran 
fine for a while. However we had some issues with temperature control in the 
server room and we lost a drive from the array. These days I would have taken 
the server off line and allowed the re-build to complete. I didn't and the RAID 
card could just not cope with re-building the array and the minimal load we 
placed on it. To cut a long story short I spent a long time sorting out the 
mess it made of the databases.

Since then I have been very wary of such configs. In "theory" they should 
work. In my experience, and yes it was a long time ago, and hardware should 
have improved, it may not.

Dave.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 05 May 2006 19:06
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Optimize Exchange Pagefile

yeah, there would be some general disagreement from me.  Why? Only because this 
is SBS box vs. an enterprise Exchange server hosting 5K users.

My laptop (crud that it is) could host 20 heavy exchange users with usable/good 
performance with that amount of memory.  I don't think the focus of a machine 
that will only ever have <75 users should be optimized for more than space in 
most situations.  It would be a waste of money that could be spent on other 
things like better backups, better coffee, etc.

I don't believe there's any value in buying a system such as SBS and then 
having to make adjustments to things like pagefile size.  That's counter to the 
product's reason for being.

Saying that, Dave is correct that optimizing the disk layout has the biggest 
benefit, but it's SBS and as such it's "special".  Just ask SBS-Lady ;)

Al

On 5/4/06, Dave Wade <[EMAIL PROTECTED]> wrote:
> If you have 4gig of RAM then you should get minimal paging. (I know 
> this is a great generalization)
>
> 1) Log file access is sequential, database is random
> 2) Keeping Log files write queue down is key to performance
> 3) log files are write only
> 4) raid-5 tends to have poor write performance (again great generalization).
>
> So I would try and get another drive in the box so I could have a mirrored 
> pair for OS & LOGS, and a mirrored pair for Databases. Putting these on 
> separate drives will do far more for performance than changing the page file. 
> RAID-5 is a real bad performer on write. These days I would avoid as far as 
> possible...
>
> I am sure other folks may disagree...
>
>-Original Message-
>From: [EMAIL PROTECTED] on behalf of Dan DeStefano
>Sent: Thu 04/05/2006 21:36
>To: ActiveDir@mail.activedir.org
>Cc:
>Subject: RE: [ActiveDir] Optimize Exchange Pagefile
>
>
>
>Yes, far less than 100, on this box it is under 20.
>
>You do not think it is necessary to mess with the page file, even if 
> only to make it static?
>
>
>
>
>
>Dan
>
>
>
>
>
>
>
>
>
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave 
> Wade
>Sent: Thursday, May 04, 2006 4:06 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Optimize Exchange Pagefile
>
>
>
>There is no point in messing about with memory config if you only have 
> a three drive RAID 5 array. Disk config is critical. How many users do you 
> want to put on this box. less than 100?
>
>
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED] on behalf of Dan DeStefano
>Sent: Thu 04/05/2006 20:16
>To: ActiveDir@mail.activedir.org
>Cc:
>Subject: [ActiveDir] Optimize Exchange Pagefile
>
>I was wondering if anyone can point me to any MS document that 
> discusses optimizing the page file on an Exchange box. I found 
> http://support.microsoft.com/kb/815372, but this article does not discuss the 
> page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and 
> a 3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
> binaries on the first logical drive (which will also contain the system and 
> boot partitions) and the Exchange databases, logs, queues, etc on the second 
> logical drive.
>
>
>
>The way I no

RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dave Wade
why don't you ask on the Exchange2000 or Exchange2003 Yahoo group..

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile



I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.

 

The way I normally set the pagefile on my systems is to set it to be 
static and 1.5x physical RAM. I also create a pagefile on each disk and let 
Windows choose the best one (which will be the second logical drive). I do not 
want to disable the pagefile on C: because, from what I understand, this will 
disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com  
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard 
any content  and remove it from your possession.

 




RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dave Wade
If you have 4gig of RAM then you should get minimal paging. (I know this is a 
great generalization)
 
1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great generalization).
 
So I would try and get another drive in the box so I could have a mirrored pair 
for OS & LOGS, and a mirrored pair for Databases. Putting these on separate 
drives will do far more for performance than changing the page file. RAID-5 is 
a real bad performer on write. These days I would avoid as far as possible...
 
I am sure other folks may disagree... 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 21:36 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] Optimize Exchange Pagefile



Yes, far less than 100, on this box it is under 20.

You do not think it is necessary to mess with the page file, even if 
only to make it static?

 

 

Dan

 

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

 

There is no point in messing about with memory config if you only have 
a three drive RAID 5 array. Disk config is critical. How many users do you want 
to put on this box. less than 100?

 

 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile

I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.

 

The way I normally set the pagefile on my systems is to set it 
to be static and 1.5x physical RAM. I also create a pagefile on each disk and 
let Windows choose the best one (which will be the second logical drive). I do 
not want to disable the pagefile on C: because, from what I understand, this 
will disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 


Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com <http://www.info-lution.com/> 
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard 
any content  and remove it from your possession.

 


 


RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dave Wade
There is no point in messing about with memory config if you only have a three 
drive RAID 5 array. Disk config is critical. How many users do you want to put 
on this box. less than 100?
 
 
-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile



I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.

 

The way I normally set the pagefile on my systems is to set it to be 
static and 1.5x physical RAM. I also create a pagefile on each disk and let 
Windows choose the best one (which will be the second logical drive). I do not 
want to disable the pagefile on C: because, from what I understand, this will 
disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com  
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard 
any content  and remove it from your possession.

 




RE: [ActiveDir] How do you add assistant information to an AD user account?

2006-04-27 Thread Dave Wade



This was a bug in the schema in 2000. The OID is still the same, which is I 
think what the Outlook Address Book uses, but the LDAP names have changed.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 26 April 2006 23:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How do you add assistant information to an AD user account?

In honor of today being Administrative Professionals day, I have a related 
Active Directory/Exchange question.

In the old Exchange 5.5 days, the GUI had a place to type in information for a 
particular mailbox's assistant and assistant phone number.  This information 
was then displayed in the Outlook Address Book next to the appropriate 
assistant fields.  Once we had the Active Directory Connector put in, we were 
able to update the msExchAssistantName and telephoneAssistant AD attributes 
which in turn updated the Outlook Address Book as well.  This worked well at 
the time.

Ever since we fully migrated to Exchange 2003 this no longer appears to work.  
The data is still in the proper attributes, but it is not displayed in the 
Outlook Address Book.  After some investigation with ADSIEdit I discovered the 
assistant and secretary attributes under the covers.  However, these are in 
Distinguished Name format which means they expect the whole CN=blah, OU=blah 
syntax.  Although I could type this in for each of our users needing this 
information, it seemed like a pain so I started looking for a way to do it 
with the Exchange GUI tools.  No such luck.

Does anyone know of a way to add assistant information to an AD user account 
without typing the CN information?  I must be missing something basic.  Any 
help you can provide would be greatly appreciated.

jasonjordan MCSE, MCP+I, MCP
Manager
Security, Audit, and Recovery Team
Data Center Services
Emerson Process Management, LLLP
(512) 832-3191
 

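The attribute question in the message above (assistant and secretary are DN-valued, while msExchAssistantName and telephoneAssistant are plain strings) is the kind of thing a short script settles. The following is an added example, not code from the thread or from anyone on the list: it assumes the ActiveDirectory RSAT module, a schema that has been Exchange-extended (otherwise msExchAssistantName does not exist and the Get-ADUser call will fail), and made-up account names. It resolves the assistant's sAMAccountName to a distinguishedName so the CN=...,OU=... string never has to be typed.

```powershell
# Added example (not from the thread): populate the DN-valued 'assistant'
# attribute on an AD user by resolving the assistant's sAMAccountName to a
# distinguishedName, and fill the string-valued msExchAssistantName /
# telephoneAssistant attributes at the same time.
# Assumes the ActiveDirectory RSAT module and an Exchange-extended schema.
Import-Module ActiveDirectory

function Set-AssistantLink {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserSam,       # e.g. 'jdoe'   (made-up)
        [Parameter(Mandatory)] [string] $AssistantSam,  # e.g. 'asmith' (made-up)
        [string] $AssistantPhone                        # optional, goes to telephoneAssistant
    )

    # Resolve both accounts first; Get-ADUser throws if either is missing,
    # which is what we want: never write a DN that does not exist.
    $user      = Get-ADUser -Identity $UserSam -Properties assistant, msExchAssistantName, telephoneAssistant
    $assistant = Get-ADUser -Identity $AssistantSam -Properties displayName

    # 'assistant' takes the full DN; the other two are simple strings and are
    # what the old Exchange 5.5 assistant fields mapped onto.
    $changes = @{
        assistant           = $assistant.DistinguishedName
        msExchAssistantName = $assistant.DisplayName
    }
    if ($AssistantPhone) { $changes['telephoneAssistant'] = $AssistantPhone }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "link assistant $($assistant.DistinguishedName)")) {
        Set-ADUser -Identity $user -Replace $changes
    }

    # Read back so the caller can see exactly what is now stored.
    Get-ADUser -Identity $UserSam -Properties assistant, msExchAssistantName, telephoneAssistant |
        Select-Object SamAccountName, assistant, msExchAssistantName, telephoneAssistant
}

# Bulk use from a CSV with columns User,Assistant,Phone (a constructed layout):
# Import-Csv .\assistants.csv |
#     ForEach-Object { Set-AssistantLink -UserSam $_.User -AssistantSam $_.Assistant -AssistantPhone $_.Phone -WhatIf }
```

Run the bulk form with -WhatIf first; because the function supports ShouldProcess, the Set-ADUser write is skipped and only the intended DN links are shown. Whether the Outlook Address Book then displays the value still depends on which attribute the address book template reads, which is the point Dave makes about the OID staying the same while the LDAP names changed.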




RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Dave Wade
As an Ex-Teacher, I think the problems of pupils messing with other
pupils' accounts means they should have the same settings as teachers. If
they forget the password it should be worksheets for three weeks!

However point taken, there are some accounts that should have higher
security settings; perhaps this is a real design flaw in AD.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification


I view number 1 security issues more at the GPO level than the resource
level. Password and lockout policies on accounts.

For example in my environment (public school) I could make a case that
Teachers need a strong password policy and a quick lockout while the
students do not (and should not because they typo passwords so often).
We don't do that and only have a single domain but it is a valid
example.

I could only get the above with teachers in one domain and students in
another. But that is a case for two domains, not the empty root domain
that it seems the OP is being pushed towards.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: Wednesday, April 26, 2006 10:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Root Place Holder justification
> 
> 
> 
> Number "1" of these really drives me nuts and at this point I usually 
> start shouting. As domains do NOT limit resource access, i.e. users in 
> Domain "A" can access resources in domain "B" (In fact that's the 
> usual reason for having trusts between domains) and the other way round, 
> how can you justify different Security Requirements. They are in effect 
> both securing the same objects.
> 
> Number "2" tends to become irrelevant if you have Exchange because 
> that stuffs everything back into the GC that the AD designers took 
> out, and you really need GCs everywhere.
> 
> Number "3" => Is a good reason to start rationalizing.
> 
> Having said that when I worked for Compaq I produced a number of 
> designs with an Empty Root and as others have said, these were always 
> passed by both Microsoft and Anderson Consulting as they were then. 
> Personally I would like to see the business benefit that all those 
> extra DC's deliver. (That is business benefit to the customer not to 
> the server supplier and Microsoft).
> 
> Dave.
> 
> P.S. Please note the above are my personal views and not those of 
> Stockport Council..
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> Sent: 26 April 2006 14:56
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Root Place Holder justification
> 
> 
> Your subject is your answer. They need to justify a root domain. Is 
> there an actual reason for it?
> 
> There are only three reasons to have one, imho(cut and pasted from 
> a google search)
> 
> 1. Security requirements are different (password, lockout, and 
> Kerberos policies must be applied at the domain level).
> 2. To control/limit replication (but note the recommendations for 
> number of objects in a domain with slow links - if the slowest link is 
> 56 kbps, the domain should have no more than 100,000 users).
> 3. Because you inherit a multiple domain setup. 
> 
> I question number three myself. I would rather clean it up than 
> continue with a past decision but I guess that depends upon the impact 
> to operations and the complexity of consolidation.
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Wednesday, April 26, 2006 9:37 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] Root Place Holder justification
> > 
> > Does anyone have any official documentation as to the justification 
> > for a root place holder, pro's and con's ?
> > 
> > Where I am - I have started at one domain and can see no reason to 
> > expand on that - they only have 6 DC's now in a single domain - yet 
> > the partner they have chosen is recommending a root place holder with 5 
> > DC's and then 8 in the child domain (they are NOT even supplying the 
> > tin) and I wanted some decent ammo - a little bit stronger than schema 
> > and Ent admin separation.
> > 
> > I know at DEC the consensus was the desire to eliminate and I believe 
> > Guido and Wook have stated this for the past two DEC's
> > 
> > I have searched this list and can find no relevant ar

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Dave Wade


Number "1" of these really drives me nuts and at this point I usually
start shouting. As domains do NOT limit resource access, i.e. users in
Domain "A" can access resources in domain "B" (In fact that's the usual
reason for having trusts between domains) and the other way round, how can
you justify different Security Requirements. They are in effect both
securing the same objects.

Number "2" tends to become irrelevant if you have Exchange because that
stuffs everything back into the GC that the AD designers took out, and
you really need GCs everywhere.

Number "3" => Is a good reason to start rationalizing.

Having said that when I worked for Compaq I produced a number of designs
with an Empty Root and as others have said, these were always passed by
both Microsoft and Anderson Consulting as they were then. Personally I
would like to see the business benefit that all those extra DC's
deliver. (That is business benefit to the customer not to the server
supplier and Microsoft).

Dave.

P.S. Please note the above are my personal views and not those of
Stockport Council..


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 14:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification


Your subject is your answer. They need to justify a root domain. Is
there an actual reason for it?

There are only three reasons to have one, imho(cut and pasted from a
google search)

1. Security requirements are different (password, lockout, and Kerberos
policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number
of objects in a domain with slow links - if the slowest link is 56 kbps,
the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup. 

I question number three myself. I would rather clean it up than continue
with a past decision but I guess that depends upon the impact to
operations and the complexity of consolidation.

 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Wednesday, April 26, 2006 9:37 AM
> To: ActiveDir.org
> Subject: [ActiveDir] Root Place Holder justification
> 
> Does anyone have any official documentation as to the justification 
> for a root place holder, pros and cons?
> 
> Where I am - I have started at one domain and can see no reason to 
> expand on that - they only have 6 DC's now in a single domain - yet 
> the partner they have chosen is recommending a root place holder with 5
> DC's and then 8 in the child domain (they are NOT even supplying the 
> tin) and I wanted some decent ammo - a little bit stronger than schema 
> and Ent admin separation.
> 
> I know at DEC the consensus was the desire to eliminate and I believe 
> Guido and Wook have stated this for the past two DEC's
> 
> I have searched this list and can find no relevant articles.
> 
> Many thanks
> 
> Regards
> 
> Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this 
email,  or any response to it,  under the Freedom of Information Act 2000, 
unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via 
[EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**



RE: [ActiveDir] ACtive directory Trusts and firewall configuration

2006-04-25 Thread Dave Wade
He says he wants :-

"people can use resources in both domains" 

So if you lock down RPC won't you need to lock down RPC on all servers? I guess 
it depends on the resources. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: 24 April 2006 21:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ACtive directory Trusts and firewall configuration

Jan,

Just to add to what's been said..

1. Your success and mileage may vary according to the type of firewall you're 
using (e.g. FW1/PIX/ISA2004 - easy'ish, ISA2K - forget it)
2. Constraining RPC (by limiting communicating ports above 1024) should be 
considered an absolute must ... this'll need a registry change on every DC
3. You'll need to allow all 8 Domain A DC's to communicate thru the firewall to 
Domain B (and obviously vice-versa) as each'll need to set a secure channel to 
the target domain
4. If applying ACL's between domains (say on file and print servers), bear in 
mind that the FAP's will also require visibility to the target domain as well 
thru the firewall, i.e. rules as well
5. Are you planning on using MIIS/IIFP to GAL Synch between the 2 domains?

Regards,
Mylo


Dave Wade wrote:

>  1) I think firewall config is beyond the scope of this group. However 
> my thoughts are that
> a) if you trust the other party enough to trust their domains, then
> b) you should trust their firewall enough to keep nasties out from 
> their side, so
> c) the firewall should allow all ports from the VPN.
> <<< However your level of paranoia may be higher or lower than mine is
> today >>>
>  
>  2) If I remember properly, down-level (non-Kerberos) trusts go to the 
> PDC emulator. At least we tend to lose ours when the PDC emulator 
> goes sick...
>  
> -Original Message-
> From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
> Sent: Mon 2006-04-24 12:28
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] ACtive directory Trusts and firewall configuration
>
> Dear list!
>  
> I'm in need of setting up a trust between two existing Active 
> Directory domains and I have a few questions regarding this. The goal 
> is that people can log on from either domain with their user 
> credentials and that people can use resources in both domains; we also 
> need the Exchange address books in both domains to replicate to each 
> other, but that's maybe a different list.
> Domain A has 8 domain controllers, where the operations master roles 
> are spread across different servers; domain B has only 1 domain controller.
>  
> We have configured a VPN between the networks, so the communication is 
> up and running.
>  
> My questions are:
> What ports do I need to open in the firewall to achieve this?
> And do I have to open the trust from domain B to all of my DCs in domain 
> A, or is it enough to open towards any DC or a specific DC? (Which 
> server roles does it need?)
>  
> Many thanks in advance.
>  
>
> Med vennlig hilsen / Best regards
>  
> *Jan Wilhelmsen*
> IT-Technician
>  
> *Bilia Personbil as*
> Økernveien 115
> 0510, Oslo
> Norway
> Tel:  +47 22882546
> Mob:+47 95928392
> Fax: +47 22970387
> Mail: [EMAIL PROTECTED]
> MSN: [EMAIL PROTECTED]
> Gmail: [EMAIL PROTECTED]
>
>  
>  
>
>
> **
> This email and any files transmitted with it are confidential and 
> intended solely for the use of the individual or entity to whom they 
> are addressed. As a public body, the Council may be required to 
> disclose this email, or any response to it, under the Freedom of 
> Information Act 2000, unless the information in it is covered by one 
> of the exemptions in the Act.
>
> If you receive this email in error please notify Stockport e-Services 
> via [EMAIL PROTECTED] and then permanently remove it from 
> your system.
>
> Thank you.
>
> http://www.stockport.gov.uk
> **
>
>---
>-
>
>No virus found in this incoming message.
>Checked by AVG Free Edition.
>Version: 7.1.385 / Virus Database: 268.4.5/322 - Release Date: 
>22/04/2006
>  
>





RE: [ActiveDir] ACtive directory Trusts and firewall configuration

2006-04-24 Thread Dave Wade



 1) I think firewall config is beyond the scope of this group. However my 
thoughts are that 
    a) if you trust the other party enough to trust their domains, then 
    b) you should trust their firewall enough to keep nasties out from their 
side, so
    c) the firewall should allow all ports from the VPN.
<<< However your level of paranoia may be higher or lower than mine is today >>>
 
 2) If I remember properly, down-level (non-Kerberos) trusts go to the PDC 
emulator. At least we tend to lose ours when the PDC emulator goes sick...
 



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 2006-04-24 12:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ACtive directory Trusts and firewall configuration

Dear list!
 
I'm in need of setting up a trust between two existing Active Directory 
domains and I have a few questions regarding this. The goal is that people 
can log on from either domain with their user credentials and that people 
can use resources in both domains; we also need the Exchange address books 
in both domains to replicate to each other, but that's maybe a different 
list.
Domain A has 8 domain controllers, where the operations master roles are 
spread across different servers; domain B has only 1 domain controller.
 
We have configured a VPN between the networks, so the communication is up 
and running.
 
My questions are:
What ports do I need to open in the firewall to achieve this?
And do I have to open the trust from domain B to all of my DCs in domain A, 
or is it enough to open towards any DC or a specific DC? (Which server 
roles does it need?)
 
Many thanks in advance.
 
Med vennlig hilsen / Best regards

Jan Wilhelmsen
IT-Technician

Bilia Personbil as
Økernveien 115
0510, Oslo
Norway
Tel:  +47 22882546
Mob: +47 95928392
Fax: +47 22970387
Mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]
Gmail: [EMAIL PROTECTED]

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**

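Mylo's item 2 earlier in this thread (the registry change on every DC that constrains RPC) and Jan's question about which ports to open, as an added example that is not from the thread: a batch file that limits the RPC dynamic range on a DC using the documented HKLM\Software\Microsoft\Rpc\Internet values and, going a step beyond the thread, also pins the NTDS and Netlogon RPC endpoints to fixed ports so the firewall rule can name them. The port numbers are assumptions; choose ones that fit your own firewall policy.

```batch
@echo off
rem Added example (not from the thread): constrain RPC on a domain controller so
rem the firewall between Domain A and Domain B only has to pass a known range.
rem Run on each DC as an administrator; a reboot is needed before it takes effect.
rem Port numbers are assumptions - pick values that suit your firewall policy.

set RPC_RANGE=5000-5100
set NTDS_PORT=5200
set NETLOGON_PORT=5201

rem 1. Restrict the dynamic RPC endpoint range used by every RPC server on the box.
rem    The endpoint mapper itself (TCP 135) still has to be reachable through the firewall.
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v Ports /t REG_MULTI_SZ /d %RPC_RANGE% /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v PortsInternetAvailable /t REG_SZ /d Y /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v UseInternetPorts /t REG_SZ /d Y /f

rem 2. Pin AD replication (NTDS) and Netlogon to fixed ports. They are chosen
rem    outside the dynamic range so another RPC server cannot grab them first,
rem    which means the firewall rule is: 135, %RPC_RANGE%, %NTDS_PORT%, %NETLOGON_PORT%.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "TCP/IP Port" /t REG_DWORD /d %NTDS_PORT% /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DCTcpipPort /t REG_DWORD /d %NETLOGON_PORT% /f

rem 3. Read the values back so the change can be recorded in the change request.
reg query "HKLM\SOFTWARE\Microsoft\Rpc\Internet"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "TCP/IP Port"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DCTcpipPort
echo Reboot this DC for the new RPC port settings to take effect.
```

Apply it to every DC on both sides of the firewall, since each DC's secure channel to the other domain uses these ports in both directions.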



RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Dave Wade
Ravi,
 
 I wonder if you could probably do this the old-fashioned way with the NET 
command. You could have a "MKPROF.BAT" file something like:-
 
NET USER %1 /PROFILEPATH:\\server\profiles\%1 /DOMAIN
 
Then if you export all the users to a second file and edit it so that each line 
contains :-
 
CALL MKPROF username1
 
Provided the users can create folders in the \\server\profiles directory they 
will get a roaming profile created when they log off.
 
Dave.
P.S. You originally said thin client. If you want to set the TS profile 
separately I don't think this works...
 
 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Ravi Dogra 
Sent: Sat 22/04/2006 21:04 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: Re: [ActiveDir] Can We configure Romaing Profiles using Script



Hi Ulf,

I want to minimize the effort to accomplish this task. i dont want to
configure it for each and every user one by one.

--
Ravi Dogra





**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this 
email,  or any response to it,  under the Freedom of Information Act 2000, 
unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via 
[EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**

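The MKPROF approach above, as an added example that is not from the thread: one batch file that reads the exported user list and sets each roaming profile path in a loop, logging any account that NET USER rejects instead of stopping. The server name, share name and file names are assumptions.

```batch
@echo off
setlocal
rem Added example (not from the thread): set a roaming profile path for every
rem account listed in USERS.TXT (one account name per line, exported beforehand).
rem Assumptions: profiles live on \\FILESRV\PROFILES$ and the share permissions let
rem each user create their own folder, so Windows builds the profile at first logoff.

set PROFILE_SHARE=\\FILESRV\PROFILES$
set USER_LIST=USERS.TXT
set LOG=MKPROF.LOG

if not exist "%USER_LIST%" (
    echo %USER_LIST% not found.
    exit /b 1
)

echo Run started %DATE% %TIME% > "%LOG%"

rem eol=# lets you comment out entries in the list; FOR /F skips blank lines itself.
for /f "eol=# tokens=1" %%U in (%USER_LIST%) do (
    rem /PROFILEPATH sets the roaming profile; /DOMAIN targets the domain, not the local SAM.
    net user %%U /PROFILEPATH:%PROFILE_SHARE%\%%U /DOMAIN >nul 2>&1
    if errorlevel 1 (
        echo FAILED  %%U >> "%LOG%"
    ) else (
        echo OK      %%U >> "%LOG%"
    )
)

rem Anything marked FAILED is usually a mistyped name, a missing account, or a
rem caller without rights to change that account.
type "%LOG%"
endlocal
```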

RE: [ActiveDir] Setting Wireless Config via GPO (Also update schema to 2003 level....)

2006-04-20 Thread Dave Wade



More questions inline 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: 20 April 2006 14:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

> Dave,
>  
> The certs can be used in different ways. If you are using EAP-TLS, which uses 
> the certs to authenticate the user and the server, you will need a CA to issue 
> them. This would require a PKI solution to be in place. While not hard or 
> impossible in 2003, just something you want to be cautious about.
 
The thought of a complete PKI has put us off this.
 
> Using the EAP-PEAP method, the cert is only used to identify the server to the 
> client and open a secure tunnel so the password credentials can be sent over. 
> Once the user is authenticated, the connection is secured through the 2 
> choices of wireless encryption. You do not need a CA for this, and can request 
> an IAS certificate from Verisign I believe still.
 
This seems O.K. We generated a cert internally, and this is how we intend to 
proceed...
 
> Yes, XP SP2 would be great, especially being able to configure GPOs in the 
> domains.
 
You still seem to need to run the GPO Editor on a W2003 Server. Is there a way to 
run this on an XP-SP2 workstation? I have not found one. And since my original 
post I have been looking at what is needed to update the schema to the 
Windows 2003 level. This seems to be really horrid. Has anyone any good pointers 
on how-to and gotcha articles on this? The more I read the more nervous I get, 
and the further up the scale the risk assessment on my draft change request goes... 
 
> With IAS as the middleman between the WLAN device and the directory, you can 
> set access policies from as simple as "If user is member of domain grant 
> access, else deny" kind of stuff, to more granular rules.
 
Does this still work for domains in 2K mode? I don't seem to get any access unless 
the "remote access" flag is on in AD even though I have set policies on IAS... 
 
> Now one thing though, where I am, we use Dell for our laptops which come 
> standard with the built-in WiFi modem (1450 card). Dell has their own client 
> tool that can utilize PEAP as well. The one benefit is the Dell client does 
> have a GINA addition, which allows a pre-logon WLAN authentication. Some 
> people like this so their logon script runs, etc. So while not needed, it's a 
> 3rd party tool some people like. It also allows us to do EAP-PEAP on Windows 
> 2k boxes which do not support it natively.
 
1. If you allow the machine to authenticate, won't policy apply and logon scripts 
run anyway? (That is, set to machine access with user re-authentication in the GPO.)
 
2. I have not tried any W2k boxes, but I have not managed to get any XP boxes to 
authenticate with WPA/EAP-PEAP when using third party tools to config the cards. 
I have tried IBM, Intel & 3-COM cards but all seem to fail to authenticate. 
As soon as I enable the Zero Config Windows takes over and all works fine...
 
Dave.
 
> Hoping some of this makes sense,
> Jef

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**




RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-20 Thread Dave Wade



Thanks for the input so far, and sorry I left the "read 
receipt" on on the e-mail. I guess I will be getting those for years to come. (I 
did that on an internal list two years ago and still get receipts from that 
one...)
 
I don't want people on my Wireless who are not on the 
domain. I assume I stop that happening with certificates? I was also going 
to make sure all the laptops were on XP SP2 so I didn't need any third party 
utilities...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: 19 April 2006 17:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

We are using IAS, with PEAP 
authentication to AD.   This allows them to use 
their logged on user credentials to the workstations to authenticate to the 
WLAN.  The whole authentication is behind the scenes 
if they are in the Domain.  I still have some network folks who fear being 
a domain, so they get prompted to relogon periodically but 
too bad for them :)
 
So far from what I hear, the response has been excellent since all the people 
have to do is walk into a conference room and they get access to the WLAN if their radio is on.
 
Jef

  
  Subject: RE: [ActiveDir] Setting Wireless Config via GPO
  Date: Wed, 19 Apr 2006 11:32:32 -0400
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  
  You really got that to work well? 

  I've had great success setting it up as well, 
  however, I have a problem when users roam from one access point to the next. 
  they get dropped for a few seconds for reauthentication which is not 
  acceptable to most users. Are you using EAP? I would love to get more 
  specifics if you do not have the problem I did. 
   
  Using Cisco 1220 x (27) with cisco 350 client cards x 
  (80)
  Thanks. 
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
  Sent: Wednesday, April 19, 2006 10:53 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Setting Wireless Config via GPO
  
  Only way to fly, imho.
   
  Push it all via GPO, Certs for the users and IAS Radius Auth from our 
  Cisco 1100 AP's.
   
  User needs wireless, I just add them to the user group that allows them 
  to install/request the Cert and I dont have to do anything 
  else.
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks,
 
Is any one setting 
wireless configurations using the features in AD 2003? We currently use the 
3-COM tool and their proprietary security. As they have stopped supporting 
this we need to move on. Thanks for any input on this.
 
Dave Wade
  Confidentiality Notice: The information contained in this message may be 
  legally privileged and confidential information intended only for the use of 
  the individual or entity named above. If the reader of this message is not the 
  intended recipient, or the employee or agent responsible to deliver it to the 
  intended recipient, you are hereby notified that any release, dissemination, 
  distribution, or copying of this communication is strictly prohibited. If you 
  have received this communication in error please notify the author immediately 
  by replying to this message and deleting the original message. Thank you.




[ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Dave Wade



Folks,
 
Is any one setting wireless 
configurations using the features in AD 2003? We currently use the 3-COM tool 
and their proprietary security. As they have stopped supporting this we need to 
move on. Thanks for any input on this.
 
Dave Wade
 

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**




Re: [ActiveDir] OU's Structure

2006-04-13 Thread Dave Wade



Joe,
 The problem is that, as someone else mentioned, your OU structure serves 
two purposes:-
 
1) To delegate authority
2) To apply rights and restrictions via GPO's
 
Now if you are going to delegate authority, as far as I can see, the only 
way to do that is via OU's. You could apply specific rights to individual 
users, but that's messy to manage and impractical. On the other hand users 
get many rights already because of group membership, so it's (more?) natural 
to apply GPOs based on group membership rather than having rights or 
restrictions "drop on you from above" because of where you are in AD. Mind 
you, of course NTFS rights may also descend from above.
 
Dave.
 

> As a general rule, I am much more a fan of setting up my GPO structure on an 
> OU basis versus a group filtering basis. If anything applying a bunch of GPOs 
> to an OU a user is in and then filtering out which ones they really have 
> access to with groups would be slower than having multiple OU levels because 
> there are more GPOs to loop through and check. I doubt it would add very much 
> overhead but there would certainly be more than a deployment based on the 
> hierarchical structure would have.


Re: [ActiveDir] Selectively overriding hierarchical lookup

2006-03-30 Thread Dave Wade



You can't. It's one of the things that's changed in 2003. Prior to that it 
was vanilla domain lookups.

  - Original Message - 
  From: Milton Sancho
  To: ActiveDir@mail.activedir.org
  Sent: Friday, March 31, 2006 4:48 AM
  Subject: Re: [ActiveDir] Selectively overriding hierarchical lookup
  What would happen if I am running MS DNS on Win Server 2000? 
  We recently created a corporate domain in a Win 2003 environment, but our 
  production domain is running on Win 2000; all client computers are pointing 
  to the production domain... mainly we need to find a way to do the process you 
  explained on MS DNS 2000. Thanks comments
  On 3/30/06, David Adner <[EMAIL PROTECTED]> wrote:
  

Assuming 
I understood you correctly, if your MS DNS server is running on Windows 
Server 2003 then you could leverage stub zones or conditional 
forwarders.  With either method you could, for example, say any queries 
for "linux.com" (or whatever it's 
called) go to your Linux DNS server while all other queries that cannot be 
resolved locally are sent to forwarders/root hints.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Milton Sancho
  Sent: Thursday, March 30, 2006 8:41 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Selectively overriding hierarchical lookup

How can one override a recursive lookup for a domain not hosted on a 
Microsoft DNS Server?

The scenario is a local network with a Microsoft DNS Server running both as 
an authoritative server for some local domains and as a DNS solver for all 
the internal clients. So far, so good.

- For reasons outside the scope of this query, a separate authoritative 
server (djbdns on linux) was set up for certain domains belonging to the 
company. This server has a private IP where the domains are being published 
for internal use, and it would be preferable for the Microsoft DNS Server to 
query this server directly for all these domains, rather than resolving 
hierarchically down from a root server.

- The local linux guys say this can be done easily on djbdns, just telling 
the cache the IPs of the servers which all queries related to a domain should 
be directed to.

The question is: How can you tell a Microsoft DNS Server which servers to 
query for a certain domain, thus selectively bypassing the usual TLD-SLD-LD 
lookup?

Thanks comments