RE: [ActiveDir] push a URL in the trusted zone with GPO...

[Kennedy, Jim]

 User configuration, windows settings, internet explorer maint,
security/security zones and content ratings, security zones and privacy,
sites in this zone.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere,
> Michel
> Sent: Friday, January 05, 2007 3:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: push a URL in the trusted zone with GPO...
> 
> Hi,
>   I have a brain cramp actually, I can't remember how I can push a
> URL in the trusted zone and intranet zone for all the stations using a
> GPO, anybody can help?
> 
> Thanks
> 
> 
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

RE: [ActiveDir] how to list permissions applied to a directory tree

[Kennedy, Jim]

And after reading your post a bit moreperhaps just xcopy it over, make your 
changes and leave the old one in place hidden as your documentation until you 
know it all is working as you intended.
 
 
Happy New Year!
 
How do I create a list of all permissions that are currently applied to a 
directory tree?  I have to move a directory tree and change permissions to it 
and I want to ensure that I document all active permissions within this tree 
before I move it.
 
Thanks!

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

RE: [ActiveDir] how to list permissions applied to a directory tree

[Kennedy, Jim]

 
http://www.scriptlogic.com/products/securityexplorer/
 
Love it here.
 
 
 
 
Happy New Year!
 
How do I create a list of all permissions that are currently applied to a 
directory tree?  I have to move a directory tree and change permissions to it 
and I want to ensure that I document all active permissions within this tree 
before I move it.
 
Thanks!

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

RE: [ActiveDir] OT: Exchange Design Question

[Kennedy, Jim]

If you use OWA for remote mail access number 1 is the best choice. You then 
publish your OWA through the ISA server.

If your incoming smtp is only from messagelabs and you do not need/use OWA then 
I would consider skipping to choice three, with nothing out front and only 
allow port 25 from messagelabs.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Tuesday, December 05, 2006 11:42 AM
> To: ActiveDir.org
> Subject: [ActiveDir] OT: Exchange Design Question
> 
> A friend of mine has asked me to ask the group the following Exchange
> related question.
> 
> An Exchange 2003 environment that has been upgraded from Exchange 2000
> needs to have SMTP reconfigured for outbound mail. There are two
> proposals on the table but they are not sure of the best approach.
> 
> 1 Exchange Frontend/Backend configuration with both servers on the
> internal network and an ISA server in the perimeter network publishing
> internal SMTP to the internet or in this case messagelabs
> 
> or
> 
> 2 Exchange Frontend/Backend configuration with both servers on the
> internal network and an SMTP server in the DMZ relaying to messagelabs
> 
> Messagelabs host the MX records and cleanses most viruses out of the
> emails but may change in the future though there is no current
> managment thinking to do so.
> 
> Given these two scenarios which one would most people choose and if so
> why?
> 
> The environment is approx 2000 users and there are eight sites  and the
> chosen SMTP configuration will be repeated in another site for
> resilience.
> 
> Many thanks as always,
> 
> 
> 
> 
> Regards,
> 
> Mark Parris
> 
> Base IT Ltd
> Active Directory Consultancy
> Tel +44(0)7801 690596
> .+Šw†ÛÿüÁ§Š÷Šºƒò²Ö§²ÑB§ÿö+v*®ŠË
§²Örz§ÿÃ
>   ŠVryÊý§Š÷Š¹ŠV¶+v*

RE: [ActiveDir] [OT] how to access blocked site.

[Kennedy, Jim]

We don't know that. He could be an admin that is trying to figure out
how his users are getting past his blocking system. There did seem to be
a language issue in his original post.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe


> However from the standpoint of the user and his company he is trying
to
> assume risk that he doesn't have authority to assume (or else he
> wouldn't
> have to post

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] Why we go for exchange 2003 server

[Kennedy, Jim]

The Outlook Web Access makes Exchange 2003 worth getting, if you
use it.

 

However, Exchange 2007 might be worth waiting for at this point.

 

 

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Ajay Kumar
Sent: Monday, October 30, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Why we go for exchange 2003 server





 



Hi,





 





Can any one pls tell me why I should implement exchange
2003 enterprise server instead of 2000 enterprise
server In my organization.





Becoz Exchange 2000 having Messenging serivces
but 2003 doesn't have.





Actually My main intention is why I go for 2003 exchagne
server.





Pls suggest me.





 





 





Regards,





Ajay pardeshi





 

[ActiveDir] OT Internet restrictions. Was Blocking IE7

[Kennedy, Jim]

I can’t speak for a University edu, but as a public K-12
we most certainly can restrict internet access.

 

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Thursday, October 19, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Blocking IE7





 



Since you're in an educational environment, things can be a little dicey
there.  You can't restrict the internet (government funds thing) 

 

RE: [ActiveDir] DHCP Problem

[Kennedy, Jim]

Starting to sound like you have an old DNS or WINS record out there for
the old server.


> -Original Message-
> From: Bob Anderson
> 
> Neil,
>   When I add a new Authorization record it ads it with the old
> server name. I think my problem is that I have given my new server the
> same IP address as the old one that died
> 
> 
> Bob
> IT Guy
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, October 16, 2006 10:39 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP Problem
> 
> If I understand this post correctly, you may need to add a new DHCP
> authorisation record for the new server, with the correct name and IP
> address. You may also need to re-configure routers so that BOOTP
> packets
> are forwarded to the correct IP address and/or MAC address.
> 
> You didn't state what was not working after the change so it's hard to
> know what to suggest :)
> 
> neil
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson
> Sent: 16 October 2006 15:12
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DHCP Problem
> 
> Good Morning,
>   I have a bad DHCP problem.
> 
> I have replaced our Primary Domain Computer and I think I have messed
> DHCP up badly. The new Domain Controller has been given the same IP
> address as the old on and when I go into DHCP console the old server
> name shows up for the DHCP computer.
> 
> 
> This was an emergency switch as the old DC has died.
> 
> Thanks in advance for all your help.
> 
> Bob Anderson
> IT Guy
> Kent Sporting Goods
> 433 Park Ave. S
> New London OH 44851
> 419-929-7021 x315
> email: [EMAIL PROTECTED]
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> 
> 
> 
> PLEASE READ: The information contained in this email is confidential
> and
> intended for the named recipient(s) only. If you are not an intended
> recipient of this email please notify the sender immediately and
delete
> your copy from your system. You must not copy, distribute or take any
> further action in reliance on it. Email is not a secure method of
> communication and Nomura International plc ('NIplc') will not, to the
> extent permitted by law, accept responsibility or liability for (a)
the
> accuracy or completeness of, or (b) the presence of any virus, worm or
> similar malicious or disabling code in, this message or any
> attachment(s) to it. If verification of this email is sought then
> please
> request a hard copy. Unless otherwise stated this email: (1) is not,
> and
> should not be treated or relied upon as, investment research; (2)
> contains views or opinions that are solely those of the author and do
> not necessarily represent those of NIplc; (3) is intended for
> informational purposes only and is not a recommendation, solicitation
> or
> offer to buy or sell securities or related financial instruments.
> NIplc
> does not provide investment services to private customers.  Authorised
> and regulated by the Financial Services Authority.  Registered in
> England no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St
> Martin's-le-Grand, London, EC1A 4NP.  A member of the Nomura group of
> companies.
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Folder Redirection Issue

[Kennedy, Jim]

“Office
was deployed to the workstations via group policy using an AIP and MST
transform.”

 

Bet
you will find something in that MST that is pointing to the wrong location.
Blow out an Outlook profile on one as a test.

 

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue





 

I
am having a weird problem with folder redirection. I have set the My Documents
redirection to the subfolder of the root drive option and set the path to the
homefolders directory (\\servername\homefolders$). This is supposed to redirect
users my documents to \\servername\homefolders$\%username%\my documents and it
does. The users log onto their PCs and open their My Documents folder fine
– and looking at the properties of their my documents folder confirms
that the redirection is working properly. The problem is that in certain
applications, namely Outlook 2003 (all latest patches and SPs applied). When a
user goes to save an attachment, for example, and clicks on my documents in the
save dialog, they receive the error “cannot access
\\servername\homefolders$, which makes sense since the users do not have access
to the homefolders$ share, just to their subfolder. So Outlook, for some
reason, is not drilling down into the users my documents in the home folder,
but instead is trying to access the root of the homefolders$ share. In other
Office apps, the my documents works fine. There are also no event log entries
that reference this issue.

 

I
am stuck here as I am unable to find any KB articles that discuss this. Does
anyone have any suggestions? I have not yet reinstalled Outlook because all
other Office apps work fine. Office was deployed to the workstations via group
policy using an AIP and MST transform.

 

 

Any
help would be greatly appreciated.

 

Dan
DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If
you have received this message in error please notify the sender, disregard any
content  and remove it from your possession.

 

RE: [ActiveDir] Sharepoint in the DMZ

[Kennedy, Jim]

Title: Sharepoint in the DMZ 








Fire him, unless he shares the drugs he is on. A child domain
for one server? Open an SQL port on your outside firewall? Ok on second thought,
just fire him no matter how good the drugs are.

 



.



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ 





 

Hi all


I have a
consultant that wants to put Sharepoint into our DMZ.  Here is what he is
proposing to do: 


 Create
 a child domain and put the Sharepoint computer account in the child domain
 
 Put
 Sharepoint server in our DMZ.
 Open
 up the same ports for Sharepoint that we would open for Outlook Web Access
 Also
 open port 1433 for SQL


 

Since I
don’t know much about Sharepoint, I was hoping someone would be to let me
know if this has been done in the past and if it's safe.

Thank you 

Russ 

[ActiveDir] Moving user accounts.

[Kennedy, Jim]

I am I correct that to delegate moving user accounts from
OU to OU I will have to allow them the ability to delete accounts. It appears
accounts work similar to documents, a move is really a copy then delete.

RE: [ActiveDir] (OT) Exchange Mail Delivery Delays

[Kennedy, Jim]

Recipients include Universal groups? If so check access to a global
catalog from the exchange server. Avoid Universal groups if possible on
distribution lists.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Robert Rutherford
> Sent: Wednesday, August 23, 2006 10:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] (OT) Exchange Mail Delivery Delays
> 
> Hi All,
> 
> Sorry for the OT...
> 
> I've got an Exch2003 server, SP2 with the following issue :-
> 
> An External mail user sends a mail to many internal recipients, some
> users receive immediately. The remaining users receive the mail hours
> later, sometime 12 hours+ later.
> 
> Before I up all the logging and spend hours.. has anyone see this and
> resolved?
> 
> I've attached an example message tracking log.
> 
> Cheers,
> 
> Rob
> 
> Robert Rutherford
> QuoStar Solutions Limited
> 
> T:+44 (0) 8456 440 331
> F:+44 (0) 8456 440 332
> M:+44 (0) 7974 249 494
> E:[EMAIL PROTECTED]
> W:www.quostar.com
> 
> 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] joe - please say it isn't so!

[Kennedy, Jim]

Double check the date of the entry.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Thommes, Michael M.
Sent: Monday, August 14, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] joe - please say it isn't so!





 

So here I went to take a look at Dean’s article, and I find
this: http://blog.joeware.net/cat/recipes/
, expecting to find more of joe’s great adfind codes.  At first, I
thought it got misfiled and should have been filed under “humor”
but I suspect this is hardly funny.  Joe, are you pulling our collective
legs?  Please tell me this blog is a poor Michigander’s joke! 
If not, please take me with you to New Zealand – I need to see first hand
that the Brown Trout there are bigger than they are in Michigan!  ;-)

 

Mike Thommes

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]



 



joe said "pretty decent" http://blog.joeware.net/2006/06/08/400/





 





I think thats an understatement ;-)





 





However, my profuse thanks to joe too. I wasnt aware of the
article until he blogged it.





 





M@

 





On 8/14/06, Dean Wells <[EMAIL PROTECTED]> wrote:








Why thank you … but who
said otherwise?  ;0)











--
Dean Wells
MSE technology
* Email: [EMAIL PROTECTED]
http://msetechnology.com











 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM






To: ActiveDir@mail.activedir.org





Subject: Re: [ActiveDir] 









 



http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463&ad=554811USCA&ad=554808






 





I dont care what anyone says. Thats a damn fine article.





 





I couldnt possibly thank Dean enough for that info.

M@





 





 





On 8/14/06, Graham Turner <[EMAIL PROTECTED]> wrote: 

Alter ego !

my thanks are due

worked out a treat - so the GC's are not so ***'d as i thought 

any info on the concept of the phantoms though ??

GT

> Hey Robert,
>
> In the article you posted, the registry key is incorrect in the KB 
> content.  It lists the registry key as: 
> HKCU\Software\Policies\Microsoft\Windows\Directory
>
> However, the correct registry key is:
> HKCU\Software\Policies\Microsoft\Windows\Directory UI 
>
> I've sent a comment to my former employer to ask for them to fix the 
> article...next time, test it *before* you post!
>
> Your Alter Ego,
> Robert Williams
>
> -Original Message- 
> From: [EMAIL PROTECTED]
> [mailto:
[EMAIL PROTECTED]] On Behalf Of Williams,
> Robert
> Sent: Monday, August 14, 2006 9:28 AM 
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir]
>
> Hey Graham,
>
> This may not be what you're experiencing, but it could be worth it to 
> check to see how many members you have in the group(s) in
question.  By 
> default, if the group has over 500 members in it, the user icons inside
> the group will turn grey.  Check out this article for more
information: 
> http://support.microsoft.com/kb/q281923/
>
> Let us know if that turned out to be the cause.
>
> Have a great day!
>
> Robert Williams 
>
>
> -Original Message- 
> From: [EMAIL PROTECTED]
> [mailto:
[EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Monday, August 14, 2006 9:01 AM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] 
>
> Dear all, am experiencing issues that i think attributable to the
> concept of Active
> Directory phantoms
>
> the symptom is that when we open certain global groups the membership 
> list comes out
> with grey icons
>
> this is not all groups - affected ones being - Domain Users / Domain
> computers
>
> must confess to not a full understanding of the issue here -but it seems 
> this
> relates in some way to GC lookup ??
>
> i can for sure confirm that the GC port 3268 is open on the GC's
>
> not sure why as the group / user members are in the same domain ?
>
> after the understanding of what is going on here is, of course 'HOW DO
> WE FIX' ??
>
> technet seems to reference a concept of 'phantom clean up task' - a
> process that
> runs on the server running 'INFRASTRUCURE MASTER' fsmo role on a 
> scheduled basis to
> resolve the directory issue.
>
> would seem not in this case ?
>
> as a point to note, neither netdiag or dcdiag are coming up with nothing
> concliusive
> in this respect.
>
> help as always gladly received
>
> GT
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx

> List archive: http://www.activedir.org/ml/threads.aspx
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx

> List archive: http://www.activedir.org/ml/threads.aspx
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx

> List archive: http://www.acti

RE: [ActiveDir]

[Kennedy, Jim]

To be more accurate….change their smtp address to a bunch of
gibberish.

 







From: Kennedy, Jim 
Sent: Wednesday, August 09, 2006 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 





 

Remove their external smtp address and then set the send to
permissions in the account to just me. Then disable the account.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of HBooGz
Sent: Wednesday, August 09, 2006 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 





 

Hey All -

How do you disable an AD account and deny mail delivery. There are some users
that are disabled but when i send an email to their smtp address i don't get a
sys admin error, it appears to send it to the respective store. 

how do you all disable an AD account,not remove, and prevent it from receiving
mail ?

-- 
HBooGz:\> 

RE: [ActiveDir]

[Kennedy, Jim]

Remove their external smtp address and then set the send to
permissions in the account to just me. Then disable the account.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of HBooGz
Sent: Wednesday, August 09, 2006 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 





 

Hey All -

How do you disable an AD account and deny mail delivery. There are some users
that are disabled but when i send an email to their smtp address i don't get a
sys admin error, it appears to send it to the respective store. 

how do you all disable an AD account,not remove, and prevent it from receiving
mail ?

-- 
HBooGz:\> 

RE: [ActiveDir] Replication from ASP

[Kennedy, Jim]

WAG. Skin it from the other direction. Make sure the ASP age
creates the account on the Peoplesoft DC. How…I dunno, but even
replication could take too long if you could trigger it.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP





 

Anyone have any thoughts on this?

 

Thanks,

 



Bryan Lucas

Server Administrator

Texas Christian University











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP



 

Does
anyone know how I force replication through ASP 2.0?  

 

My
DC’s are all local (no WANs) and 2003 SP1.

 

I
have a web page that does account creation and then points the user to a portal
which attempts to authenticate against AD.  The portal software
(Peoplesoft) can only attempt against a single DC, so if that user didn’t
create his account there it doesn’t work right away.  

 

Bryan
Lucas

Server
Administrator

Texas
Christian University

 

RE: [ActiveDir] OT: Higher Education web access

[Kennedy, Jim]

If I am reading your requirement correctly, WEBDAV is a web 
interface. Hit the page with IE and there is your network folder. As for the web 
publishingare they making the sites themselves and then just uploading 
them?  Then publish their website home folder also via 
WEBDAV./

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Paul 
  GlennSent: Tuesday, June 20, 2006 9:13 AMTo: 
  ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT: Higher 
  Education web access
  I myself would be more than happy with this scenario.  
  However, when I discuss this with the VP he says we can't take away anything 
  they have now.  So that means I have to find a way for them to access 
  their files through some type of web interface (which maybe I can convience 
  him WEBDAV is almost like what they have now) and also be able to publish 
  their own web pages. Paul
  On 6/20/06, Steve 
  Rochford <[EMAIL PROTECTED]> 
  wrote:
  


We use 
webdav and publish instructions for staff/students to just add their home 
folder as a "my network place" on their home computers. This works well - 
once you've connected it's just another location that appears in explorer or 
file dialogues.
 
If 
you're happy to continue with FTP access to the web folder then that's 
perfectly possible; I'm assuming you're scripting creation of users so it's 
just a case of adding an extra bit to create and permission a folder 
somewhere in the IIS folder for each user.
 
Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
Paul GlennSent: 19 June 2006 21:27To: ActiveDir@mail.activedir.orgSubject: 
[ActiveDir] OT: Higher Education web access

Hello all,Sorry for the OT, but I'm a bit at a loss on 
parts of the big move.  As I've said in the past, I'm in the process of 
moving our student population from eDirectory to Active Directory.  
We've overcome several hurdles up to this point.  Our next big one is 
how to give access to our student's files via a web brower and also a way to 
host their own web pages.  Currently we accomplish this via IUAdmin and 
apache services.  IUAdmin is not ported to the Windows platform and 
Apache for Windows has a few drawbacks.  I was wondering if there are 
any higher education folks out there that wouldn't mind talking with me 
about their environment.  To help give a better idea of what we do, I 
offer three web pages: Students can login to the following page and 
gain access to their files.http://locker.uky.edu 
The next link shows you some screenshots of what you would see if 
you logged in as bigtest. http://locker.uky.edu/help.htmThen off course we 
offer a way for them to publish their own webpages (the first link will show 
you where I get my signature):http://locker.uky.edu/~pglennThanks for 
any help even if it's just a pointer to another listservPaul-- 
***"I've 
got a fever and the only prescription is more 
cowbell."--Christopher 
Walken***
-- 
  ***"I've 
  got a fever and the only prescription is 
  morecowbell."--Christopher Walken 
  ***

RE: [ActiveDir] Machine Password Changes

[Kennedy, Jim]

I think it would be best that SomeProduct should go in 
SomeTrashCan.
 
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/580.mspx

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin 
  (ITS)Sent: Monday, June 12, 2006 10:56 AMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Machine Password 
  Changes
  
  
  Everyone,
   
  Our Public Libraries use a 
  software package that handles their patron logins and billing called 
  SomeProduct. The company that makes SomeProduct includes in their suite, a 
  product called SomeDiskProtection. SomeDiskProtection is similar to Windows 
  Disk Protection, GoBack and Deep Freeze. It’s a product that upon reboot, 
  restores the PC to its previously saved state. The problem with this of course 
  is that while the PC is up and running during the day, if it changes its 
  machine account password, the next time the PC is rebooted, it’s back to the 
  old password which results in PCs that can’t log onto the domain. We’ve now 
  spent a week on the phone with SomeCompany and they tell us that their only 
  solution is to completely disable machine password changes for the PCs running 
  their software. I want to ask you all what you think of this solution. How 
  much of a security risk do you think it is? Can you think if a 
  workaround?
   
  The frustrating thing is that 
  Windows Disk Protection has a way of handling this. It disables automatic 
  machine password changes, but every time the PC has its saved state updated, 
  it performs a manual password change so that at least it’s being changed 
  SOMETIMES. According to SomeCompany, they have absolutely no plans or desire 
  to update their software to support similar functionality.
   
  Thanks,
   
  Justin 
  ClayITS 
  Enterprise Services 
  Metropolitan 
  Government of Nashville and Davidson County Howard School Building 
  Phone: 
  (615) 880-2573
   
  


  ITS ENTERPRISE SERVICES 
EMAIL NOTICEThe information contained in this email and any 
attachments is confidential and may be subject to copyright or other 
intellectual property protection. If you are not the intended recipient, 
you are not authorized to use or disclose this information, and we 
request that you notify us by reply mail or telephone and delete the 
original message from your mail 
system.

RE: [ActiveDir] Image a DC?

[Kennedy, Jim]

I believe there is a free tool to strip SBS servers for imaging, but
available only to those that have an OEM relationship with MS. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Thursday, May 11, 2006 12:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Image a DC?
> 
> (little voice)
> 
> um.. we do it in SBSland.. but we insanely don't have another 
> DC around for it to conflict with...but yeah.. even for us 
> SBSerscertain folks like "~" suck air and get this 
> horrified look on their face.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT: KVM switches

[Kennedy, Jim]

We are happy with the HP units we use. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
> Sent: Thursday, May 11, 2006 10:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: KVM switches
> 
> Sorry to rehash this ...
> 
> Looking for opinions on KVM-over-IP switches.
> 
> I have experience with the Raritan Dominion KX line and am 
> fairly pleased with them but before we buy more i just wanted 
> to see if there were other players that i may have missed.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Exchange queue(OT)

[Kennedy, Jim]

 
Had that once with a 1000 user dist. list on our exchange 
server. It was a bunch of nest groups, along with global groups tossed in. The 
groups, specifically the global groups seemed to be the cause. Took for ever to 
enumerate the addresses.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom 
  KernSent: Thursday, May 04, 2006 3:35 PMTo: 
  activedirectorySubject: [ActiveDir] Exchange 
  queue(OT)
  
  I have an issue where a user sends an email to about 1800 recipients 
  using Outlook DL's.
   
  The email always gets stuck in the "messages awaiting directory lookup" 
  queue for hours(sometimes days).
   
  The only thing logged in the app log is-
   
  
  Event Type: WarningEvent Source: MSExchangeTransportEvent 
  Category: Categorizer Event 
  ID: 6004Date:  5/4/2006Time:  3:21:02 
  PMUser:  N/AComputer: EXNYC01Description:The 
  categorizer is unable to categorize messages due to a retryable error. There 
  is not enough space on the disk.  
  For more information, click http://www.microsoft.com/contentredirect.asp. 
  Data:: 70 00 00 
  00   
  p...    
   
  The server has about 80gig of free space.
   
  I tried moving the user's mailbox to another server but she still gets the 
  same issue.
   
  Has anyone had experience with this error?
   
  I'm running Exchange 2k in mixed mode ina AD 2000 native mode 
  enviorment.
   
  Thanks

RE: [ActiveDir] Root Place Holder justification

[Kennedy, Jim]

I view number 1 security issues more at the GPO level than the resource
level. Password and lockout policies on accounts.

For example in my environment (public school) I could make a case that
Teachers need a strong password policy and a quick lockout while the
students do not (and should not because they typo passwords so often).
We don't do that and only have a single domain but it is a valid
example.

I could only get the above with teachers in one domain and students in
another. But that is a case for two domains, not the empty root domain
that it seems the OP is being pushed towards.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: Wednesday, April 26, 2006 10:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Root Place Holder justification
> 
> 
> 
> Number "1" of these really drive me nuts and at this point I 
> usually start shouting. As domains do NOT limit resource 
> access, i.e. users in Domain "A" can access resources in 
> domain "B" (In fact that's the usual reason for have trusts 
> between domains) and together way round, how can you justify 
> different Security Requirments. They are in effect both 
> securing the same objects.
> 
> Number "2" tends to become irrelevant if you have Exchange 
> because that stuffs everything back into the GC that the AD 
> designers took out, and you really needs GCs everywhere.
> 
> Number "3" => Is a good reason to start rationalizing.
> 
> Having said that when I worked for Compaq I produced a number 
> of designs with an Empty Root and as others have said, these 
> were always passed by both Microsoft and Anderson Consulting 
> as they were then. Personally I would like to see the 
> business benefit that all those extra DC's deliver. (That is 
> business benefit to the customer not to the server supplier 
> and Microsoft).
> 
> Dave.
> 
> P.S. Please not the above are my personal views and not those 
> of Stockport Council..
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> Sent: 26 April 2006 14:56
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Root Place Holder justification
> 
> 
> Your subject is your answer. They need to justify a root 
> domain. Is there an actual reason for it?
> 
> There are only three reasons to have one, imho(cut and 
> pasted from a google search)
> 
> 1. Security requirements are different (password, lockout, 
> and Kerberos policies must be applied at the domain level).
> 2. To control/limit replication (but note the recommendations 
> for number of objects in a domain with slow links - if the 
> slowest link is 56 kbps, the domain should have no more than 
> 100,000 users).
> 3. Because you inherit a multiple domain setup. 
> 
> I question number three myself. I would rather clean it up 
> than continue with a past decision but I guess that depends 
> upon the impact to operations and the complexity of consolidation.
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Wednesday, April 26, 2006 9:37 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] Root Place Holder justification
> > 
> > Does anyone have any official documentation as to the justification 
> > for a root place holder, pro's and con's ?
> > 
> > Where I am - I have started at one domain and can see no reason to 
> > expand on that - they only have 6 DC's now in a single domain - yet 
> > the partner they have chosen is recomending a root place 
> holder with 5
> 
> > DC's and then 8 in the child domain (they are NOT even supplying the
> > tin) and I wanted some decent amo - a little bit stronger 
> than schema 
> > and Ent admin separation.
> > 
> > I know at DEC the concensus was the desire to eliminate and 
> I believe 
> > Guido and Wook have stated this for the past two DEC's
> > 
> > I have searched this list and can find no relevant articles.
> > 
> > Many thanks
> > 
> > Regards
> > 
> > Mark
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
> 
> 
> ***

RE: [ActiveDir] Root Place Holder justification

[Kennedy, Jim]

Your subject is your answer. They need to justify a root domain. Is
there an actual reason for it?

There are only three reasons to have one, imho(cut and pasted from a
google search)

1. Security requirements are different (password, lockout, and Kerberos
policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number
of
objects in a domain with slow links - if the slowest link is 56 kbps,
the
domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup. 

I question number three myself. I would rather clean it up than continue
with a past decision but I guess that depends upon the impact to
operations and the complexity of consolidation.

 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Wednesday, April 26, 2006 9:37 AM
> To: ActiveDir.org
> Subject: [ActiveDir] Root Place Holder justification
> 
> Does anyone have any official documentation as to the 
> justification for a root place holder, pro's and con's ?
> 
> Where I am - I have started at one domain and can see no 
> reason to expand on that - they only have 6 DC's now in a 
> single domain - yet the partner they have chosen is 
> recomending a root place holder with 5 DC's and then 8 in the 
> child domain (they are NOT even supplying the tin) and I 
> wanted some decent amo - a little bit stronger than schema 
> and Ent admin separation.
> 
> I know at DEC the concensus was the desire to eliminate and I 
> believe Guido and Wook have stated this for the past two DEC's
> 
> I have searched this list and can find no relevant articles.
> 
> Many thanks
> 
> Regards
> 
> Mark
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT: Vbscript to disconnect and reconnect persistent drive mappings

[Kennedy, Jim]

 
Lot of work and code there to remove drives...try 
this...
 
Option ExplicitDim WshNetwork
 
on error resume next
 
Set WshNetwork = 
WScript.CreateObject("WScript.Network")
 
WshNetwork.RemoveNetworkDrive 
"m:"WshNetwork.RemoveNetworkDrive "n:"WshNetwork.RemoveNetworkDrive 
"o:"WshNetwork.RemoveNetworkDrive "p:"WshNetwork.RemoveNetworkDrive 
"q:"WshNetwork.RemoveNetworkDrive "r:"WshNetwork.RemoveNetworkDrive 
"s:"WshNetwork.RemoveNetworkDrive "t:"WshNetwork.RemoveNetworkDrive 
"u:"WshNetwork.RemoveNetworkDrive "v:"WshNetwork.RemoveNetworkDrive 
"w:"WshNetwork.RemoveNetworkDrive "x:"WshNetwork.RemoveNetworkDrive 
"y:"WshNetwork.RemoveNetworkDrive "z:"
 
...add all the letters you want.  
:)

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui 
  HurstSent: Wednesday, April 26, 2006 7:26 AMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: _vbscript_ to 
  disconnect and reconnect persistent drive mappings
  
  I am trying to write a quick and 
  dirty script for a test lab which will disconnect and reconnect persistent 
  drive mappings.  The script is as follows:
   
   
  Set objDrvs = 
  GetObject("winmgmts:").InstancesOf("Win32_NetworkConnection")
   
  for each obj in 
  objDrvs
     strDrive = 
  obj.LocalName
     strDMapping = 
  obj.RemoteName
     On Error Resume 
  Next
     
  objWshNet.RemoveNetworkDrive strDrive, True, True  'Force 
  removal
   
  
   If 
  Err<>0 Then
   
     'Log Error 
      
  Wscript.Echo "Error disconnecting"& strDrive
   
     Err.Clear
   End 
  If
   
  
    objWshNet.MapNetworkDrive 
  strDrive, strDMapping
   
  
   If 
  Err<>0 Then
    
     'Log Error
   
  Wscript.Echo "Error remapping "& strDrive & 
  "("& strDMapping &")"
   
  Err.Clear
   
  Else
   
   
  Wscript.Echo "Remapped "& strDrive & "("& strDMapping 
  &")"
   
   End 
  If
   
  Next
   
  The script fails to disconnect any 
  drive mapping and therefore fails to reconnect it.  Can anyone advise me 
  where I am going wrong?  The ERR value is 424 is that make any sense to 
  anyone.   I want to run this on logon but I just running it 
  interativley at the moment.
   
  Cheers
   
  Jacqui
   

RE: [ActiveDir] Setting Wireless Config via GPO

[Kennedy, Jim]

 
Same thing here, AP to AP there is a short drop as it 
reauthenticates. We got questioned on it by new users sometimes but they get 
over it. That downside vs the upside makes it a no brainer for us. What 
system/setup would not have a short drop going from AP to 
AP?
 
Yes using EAP.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, 
  WilliamSent: Wednesday, April 19, 2006 11:33 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Setting 
  Wireless Config via GPO
  
  You really got that to work well? 

  I've had great success setting it up as well, 
  however, I have a problem when users roam from one access point to the next. 
  they get dropped for a few seconds for reauthentication which is not 
  acceptable to most users. Are you using EAP? I would love to get more 
  specifics if you do not have the problem I did. 
   
  Using Cisco 1220 x (27) with cisco 350 client cards x 
  (80)
  Thanks. 
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, 
  JimSent: Wednesday, April 19, 2006 10:53 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Setting 
  Wireless Config via GPO
  
  Only way to fly, imho.
   
  Push it all via GPO, Certs for the users and IAS Radius Auth from our 
  Cisco 1100 AP's.
   
  User needs wireless, I just add them to the user group that allows them 
  to install/request the Cert and I dont have to do anything 
  else.
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dave 
WadeSent: Wednesday, April 19, 2006 4:29 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Setting Wireless 
Config via GPO

Folks,
 
Is any one setting 
wireless configurations using the features in AD 2003? We currently use the 
3-COM tool and their proprietary security. As they have stopped supporting 
this we need to move on. Thanks for any input on this.
 
Dave 
Wade
 **This 
email and any files transmitted with it are confidential andintended 
solely for the use of the individual or entity to whom theyare 
addressed. As a public body, the Council may be required to disclose this 
email, or any response to it, under the Freedom of Information Act 2000, 
unless the information in it is covered by one of the exemptions in the Act. 
If you receive this email in error please notify Stockport 
e-Services via [EMAIL PROTECTED] and then permanently remove it 
from your system. Thank 
you.http://www.stockport.gov.uk**
  Confidentiality 
  Notice: The information contained in this message may be legally privileged 
  and confidential information intended only for the use of the individual or 
  entity named above. If the reader of this message is not the intended 
  recipient, or the employee or agent responsible to deliver it to the intended 
  recipient, you are hereby notified that any release, dissemination, 
  distribution, or copying of this communication is strictly prohibited. If you 
  have received this communication in error please notify the author immediately 
  by replying to this message and deleting the original message. Thank 
  you.

RE: [ActiveDir] Setting Wireless Config via GPO

[Kennedy, Jim]

Only way to fly, imho.
 
Push it all via GPO, Certs for the users and IAS Radius 
Auth from our Cisco 1100 AP's.
 
User needs wireless, I just add them to the user group that 
allows them to install/request the Cert and I dont have to do anything 
else.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Dave 
  WadeSent: Wednesday, April 19, 2006 4:29 AMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Setting Wireless 
  Config via GPO
  
  Folks,
   
  Is any one setting 
  wireless configurations using the features in AD 2003? We currently use the 
  3-COM tool and their proprietary security. As they have stopped supporting 
  this we need to move on. Thanks for any input on this.
   
  Dave 
  Wade
   **This 
  email and any files transmitted with it are confidential andintended 
  solely for the use of the individual or entity to whom theyare addressed. 
  As a public body, the Council may be required to disclose this email, or any 
  response to it, under the Freedom of Information Act 2000, unless the 
  information in it is covered by one of the exemptions in the Act. If 
  you receive this email in error please notify Stockport e-Services via 
  [EMAIL PROTECTED] and then permanently remove it from your system. 
  Thank 
  you.http://www.stockport.gov.uk**

RE: [ActiveDir] Network browsing slow and not showing all compute rs

[Kennedy, Jim]

We don't allow it. I knew part of the answer/troubleshooting steps
because our techs ghost across subnets. So working master browsers are
something they need for the way they do it. And when we had trouble last
time with their ghosting the symptoms where identical to what the OP
described when I browsed from a server. I am sure there is a better way,
but it is working and causes no problems and I have lots of other stuff
to do.

Like read this list :)

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> Sent: Tuesday, April 11, 2006 4:08 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Network browsing slow and not 
> showing all compute rs
> 
>  Continue>
> 
> Do most folks really allow users to browse their networks? 
> What reason would end users have to browse for anything 
> besides servers? (Some might argue there is not reason to 
> actually 'browse' for anything.)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Network browsing slow and not showing all compute rs

[Kennedy, Jim]

As a multiple subnet system that still has this enabled let me amplify
the below. WINS is pretty much mandatory for it to work as you want.
The master browsers on each subnet will register themselves in WINS, and
then be able trade info between the masters on each subnet using the
WINS records.

Browstat.exe in the resource kit is your friend.

If you are using WINS, consider blowing out your WINS databases. We do
that a couple of times a year, it really helps. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Gorder, Lee E Mr CTNOSC/GD-NS
> Sent: Tuesday, April 11, 2006 3:31 PM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] Network browsing slow and not 
> showing all compute rs
> 
> If they are on different subnets ensure UDP 137 is allowed 
> through the router.  Are you using WINS?  I doubt this is a 
> problem with your domain controllers or DNS for that matter. 
> 
> Check the following
> - Ensure NetBIOS over TCP is enabled
> - Browser service is running
> - Router/firewall settings
> - Restart master browser
> 
> 
> -Original Message-
> From: Joe Lagreca [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 11, 2006 12:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Network browsing slow and not showing 
> all computers
> 
> When I try to browse our domain via the network:
> 
> Start -> My Network Places -> Entire Network -> Microsoft Windows
> Network -> mydomain
> 
> it is very slow, and won't show all active computers.  DNS is
> functioning properly, as I can resolve all names just fine.
> 
> This happens on both windows 2000 and windows xp clients.  Not all
> computers, including the servers, are on the same subnet.  Domain
> controllers are windows 2003.
> 
> I am inclined to think something about our domain controllers isn't
> configured properly.  Has anyone had this problem before, or have an
> idea where I should look for a fix?
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Bulk Import

[Kennedy, Jim]

Ok, I skipped a step, sounds like you need these 200 to go 
to separate OU's. Mass create them in one OU, mass right click them and create 
the mailbox then mass send them an email.
 
The script the move if that is faster/easier than a manual 
drag and drop. So your spreadsheet of users is:
 
firstname  
lastname password  
targetOU
 
convert that to comma text for your script and use the 
first three for the creation and then the first two and last for the 
move.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, 
  JimSent: Wednesday, March 08, 2006 2:16 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Bulk 
  Import
  
  Delegate it to HR.
   
  Short of that get HR or someone to give you a list of the 
  names and script it, provide a default password of their SS number 
  perhaps...must be changed on first log on.
   
  After they are created, in the same OU...mass select them 
  in ADUC and right click them and send them a test email to create the 
  mailbox.
   
   
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, 
DevonSent: Wednesday, March 08, 2006 2:02 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Bulk 
Import


What’s the fast way for me to 
create 200 user accounts in specific OU’s and create Exchange 
mailboxes?
 
Devon 
Harding
Windows Systems 
Engineer
Southern Wine & 
Spirits - BSG
954-602-2469
 




__This message and any 
attachments are solely for the intendedrecipient and may contain 
confidential or privileged information.If you are not the intended 
recipient, any disclosure, copying, useor distribution of the 
information included in the message and anyattachments is prohibited. If 
you have received this communicationin error, please notify us by reply 
e-mail and immediately andpermanently delete this message and any 
attachments. Thank You.

RE: [ActiveDir] Bulk Import

[Kennedy, Jim]

Delegate it to HR.
 
Short of that get HR or someone to give you a list of the 
names and script it, provide a default password of their SS number 
perhaps...must be changed on first log on.
 
After they are created, in the same OU...mass select them 
in ADUC and right click them and send them a test email to create the 
mailbox.
 
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Harding, 
  DevonSent: Wednesday, March 08, 2006 2:02 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Bulk 
  Import
  
  
  What’s the fast way for me to 
  create 200 user accounts in specific OU’s and create Exchange 
  mailboxes?
   
  Devon 
  Harding
  Windows Systems 
  Engineer
  Southern Wine & 
  Spirits - BSG
  954-602-2469
   
  
  

  
  __This message and any 
  attachments are solely for the intendedrecipient and may contain 
  confidential or privileged information.If you are not the intended 
  recipient, any disclosure, copying, useor distribution of the information 
  included in the message and anyattachments is prohibited. If you have 
  received this communicationin error, please notify us by reply e-mail and 
  immediately andpermanently delete this message and any attachments. Thank 
  You.

RE: [ActiveDir] Windows Server mailing lists

[Kennedy, Jim]

 
I like this one:
 
http://www.sunbelt-software.com/Community.cfm
 
Couple down on the list, 
NTSYSADMIN.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Alex 
  FontanaSent: Thursday, March 02, 2006 9:46 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Windows Server 
  mailing lists
  
  Anyone know of any 
  good Windows 2003 mailing lists?
   
  TIA
  -Alex

[ActiveDir] OT - Sample Script

[Kennedy, Jim]

 
Anyone using a script running as a task that looks at the members of an
OU, and modifies their group membership based upon what OU they are in?
I could use a sample to steal your hard work if you don't mind. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT Exchange 2003

[Kennedy, Jim]

Second one under Microsoft Internet 
Technology..
 
http://e-newsletters.internet.com/discussionlists.html/

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Todd 
  HofertSent: Friday, February 17, 2006 1:17 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT Exchange 
  2003
  
  Can anyone 
  recommend a good Exchange 2003 mailing list?
  
  Todd HofertIT 
  DirectorSpartan Graphics, Inc. 
  This e-mail and any attachments may contain confidential and 
  privilegedinformation. If you are not the intended recipient, please 
  notify thesender immediately by return e-mail, delete this e-mail and 
  destroy anycopies. Any dissemination or use of this information by a 
  person otherthan the intended recipient is unauthorized and may be 
  illegal.

RE: [ActiveDir] Automagic Security groups.

[Kennedy, Jim]

Thank you Hunter, I am going with option 2. The immediate 
effect of option one isn't that important and is more work for minimal benefit. 
Option 2 with a scheduled task will work perfectly.
 
JK

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
  HunterSent: Tuesday, February 07, 2006 3:43 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Automagic 
  Security groups.
  
  Two options come to mind, I'm sure there are 
  others...
   
  1) Build a set of scripts and put a web front-end on 
  them, which would allow others to move the user account and as part of the 
  move, the OUone groups would get stripped and the OUtwo groups would get 
  added.
   
  2) Directly delegate the object move (or like above, 
  stick it in a web page). Then have a scheduled task that periodically runs and 
  looks at all user objects in OUone and sets the group membership correctly, 
  same for OUtwo.
   
  Option 1 has a more immediate effect, and that may be an 
  important point. Option 2 has the advantage of consistently enforcing group 
  membership, so even if someone makes an inadvertant change it will get 
  corrected on the next pass of the script. It also makes it easier to change 
  the groups and have all users get updated.
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, 
  JimSent: Tuesday, February 07, 2006 12:47 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Automagic Security 
  groups.
  
  I am almost looking for a 
  query based Security Group, similar to Distribution 
  Groups.
   
  It would save me a ton of 
  time if when I moved a user from OUone to OUtwo if it would/could strip that 
  user of all their old groups and drop them into the new groups, based upon 
  what OU the user account currently resides in.
   
  15 schools, students 
  moving from school to school all year longit would save us a ton of time. 
  In fact I could delegate the move and have others do it. It would be the last 
  part of the puzzle to making these moves near zero administrative 
  overhead.
   
  Any 
  ideas?
   
  Jim 
  Kennedy

[ActiveDir] Automagic Security groups.

[Kennedy, Jim]

I am almost looking for a 
query based Security Group, similar to Distribution 
Groups.
 
It would save me a ton of 
time if when I moved a user from OUone to OUtwo if it would/could strip that 
user of all their old groups and drop them into the new groups, based upon what 
OU the user account currently resides in.
 
15 schools, students moving 
from school to school all year longit would save us a ton of time. In fact I 
could delegate the move and have others do it. It would be the last part of the 
puzzle to making these moves near zero administrative 
overhead.
 
Any 
ideas?
 
Jim 
Kennedy

RE: [ActiveDir] OT: Roaming Profiles

[Kennedy, Jim]

I think MS is consistent here. PST are not supposed to be 
used over a lan, they corrupt very easily. The Outlook plug in backs up your 
local PST's to a network drive, so you are not using them over the network, just 
copying them over the network.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Navroz 
  ShariffSent: Monday, February 06, 2006 4:12 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
  Profiles
  
  That's interesting...I have been doing exactly 
  what the article states one can't.
   
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Mark 
  ParrisSent: Monday, February 06, 2006 3:56 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
  Profiles
  
  
  Don’t you just love 
  Microsoft……..
   
  Personal 
  folder files are unsupported over a LAN or over a WAN link 
  
   
  http://support.microsoft.com/?kbid=297019 
  
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Navroz 
  ShariffSent: 06 February 
  2006 19:28To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
  Profiles
   
  Frank,
  Below is a link to MS 
  Outlook plugin that when configured, will automatically archive folders to a 
  network share at regular intervals, making it easy to keep all of you Outlook 
  folders safely backed up.
  http://www.microsoft.com/downloads/details.aspx?FamilyId=8B081F3A-B7D0-4B16-B8AF-5A6322F4FD01&displaylang=en
  
  -Nav
  
   
  
  
  
  From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Frank 
  AbagnaleSent: Monday, 
  February 06, 2006 1:22 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
  Profiles
  
  No need to apologise, I blame spielberg 
  anyway.
  
   
  
  frank
  
  "Ulf B. Simon-Weidner" 
  <[EMAIL PROTECTED]> 
  wrote:
  
Sorry - wasn't 
sure if it's your real name. If I'd choose a fake name for a community yours 
is in the top10 ;-)

 

Hope you don't 
mind.

 

Ulf
 

  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Frank 
  AbagnaleSent: Friday, 
  February 03, 2006 11:28 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
  Profiles
  
  Ulf & 
  everyone,
  
   
  
  thanks for your responses, roaming 
  profiles are mandatory here, if we were to take this away, all hell 
  would break loose.
  
   
  
  I guess educating them to store files elsewhere 
  would be a good start.
  
   
  
  thanks
  
   
  
  Frank
  
   
  
  Ulf - you are not the first to mention Carl 
  Hanratty, you won't be the last!"Ulf B. Simon-Weidner" 
  <[EMAIL PROTECTED]> 
  wrote:
  
Hi 
Frank,
 
with those 
large roaming profiles you need to
1. educate 
your users
2. question 
the use of roaming profiles
 
In fact I've 
seen a lot of companies who tend to stick to local only profiles in the 
recent past. Roaming profiles are great - however I see them in 
infrastructures where people are moving around on multiple computers a 
lot, and where they don't have that much individual applications. I 
would use roaming profiles for the production workers who are spending 
not a lot of time on the computer and might share a pool of computers, 
however for the regular office worker and the board of directors I'd use 
local profiles since they tend to work on the same computer a lot and 
also travel a lot.
Educate them 
not to store their critical data within the profile, and maybe a desktop 
backup software which is taking care of their profile and data when 
connected comes in handy too.

 
Carl 
Hanratty

 

   
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Frank 
  AbagnaleSent: 
  Friday, February 03, 2006 10:51 AMTo: ActiveSubject: [ActiveDir] OT: Roaming 
  Profiles
  
  Hi all,
  
  I have a question regarding Roaming Profiles. 
  Our environment currently have 3500 users which are all roaming 
  profile enabled. Their profiles are stored on the local site server. 
  We have approx 56 sites which are all linked by 256-1mb 
  lines.
  
  I like the concept of roaming profiles, 
  however some of our users have profiles ranging from 5mb - 200mb, some 
  even with 1GB profiles. 
  
  Because alot of our users log on to different 
  computers at different sit

RE: [ActiveDir] Wireless and logon script

[Kennedy, Jim]

Title: Wireless and logon script



What about disabling fastlogon. Just a 
thought.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Tim 
  HinesSent: Monday, February 06, 2006 2:06 PMTo: 
  ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Wireless and 
  logon script
  
  Are there any errors in the app log?  If so 
  what are they? You may want to enable userenv logging for more detailed 
  info.  Two things come to mind.  One thing is that you may want 
  to disable media sense.  See 239924 How to disable Media Sensing for 
  TCP/IP in Windows http://support.microsoft.com/default.aspx?scid=kb;EN-US;239924 . I've 
  seen this a few times on gigabit nics and wireless nics.
   
  The other is  slow link network 
  detection.  If windows thinks that you have a slow link it 
  won't process logon scripts .  The userenv log would tell you if 
  that is the case.  If someone configured the slow link setting in a 
  policy then that could cause your problem if the nics are not working 
  properly  
  If you want to enable userenv logging try this 
  kb
  221833 How to enable user environment debug 
  logging in retail builds of Windowshttp://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
   
  Tim Hines 
  
  
- Original Message - 
From: 
Creamer, 
Mark 
To: ActiveDir@mail.activedir.org 

Sent: Monday, February 06, 2006 10:48 
AM
Subject: [ActiveDir] Wireless and logon 
script

Can someone explain 
the mechanics of the logon for me, when the user is on a wireless 
connection? We have Cisco Wireless Access Points, and a Cisco ACS, but I 
haven’t been involved with their setup. Basically the deal is 
when a user logs in to a wired LAN connection, the 
logon script always runs. When they log on with wireless, the logon script does not run. To me as a 
casual observer, it looks like the authentication does not happen until 
after a cached logon takes place and the user attempts to reach a resource 
requiring authentication, such as Exchange. 
Thanks,
Mark 
Creamer
Systems Engineer
Cintas 
Corporation | 6800 Cintas Boulevard | Mason, OH  
45040
Email: 
[EMAIL PROTECTED] | http://www.cintas.com
This e-mail transmission 
contains information that is intended to be confidential and privileged. If 
you receive this e-mail and you are not a named addressee you are hereby 
notified that you are not authorized to read, print, retain, copy or 
disseminate this communication without the consent of the sender and that 
doing so is prohibited and may be unlawful. Please reply to the message 
immediately by informing the sender that the message was misdirected. After 
replying, please delete and otherwise erase it and any attachments from your 
computer system. Your assistance in correcting this error is 
  appreciated.

RE: [ActiveDir] ADUC updates - Was Expired Accounts

[Kennedy, Jim]

Title: RE: [ActiveDir] ADUC updates - Was Expired Accounts



Consistently remember the last domain controller I connected to, and 
reconnect to it when I start it back up.
 
 

RE: [ActiveDir] DC

[Kennedy, Jim]

I would place it on server 8. I would rather have a 'pure' 
dc somewhere, even if I had to resort to using a beefed up desktop. In fact at 
my last job, a shop similar in size to yours that is exactly what I 
did.
 
If that is not possible, it goes on Server 7 from what I 
see below.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Kelli 
  DriesengaSent: Wednesday, January 11, 2006 2:14 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
  DC
  
  
  All 
  -
   
  We are in the 
  process of updating our network and moving services around a bit.  What I 
  will have is:
   
  Server 1 = 
  Exchange 2003 Ent. Server
  Server 2 = SQL 
  Server also running IIS
  Server 3 = Network 
  controller running our Application Server, License Server (AutoCad), Primary 
  DC, network printers and antivirus
  Server 4 = 
  Disaster Recovery Server
  Server 5 and 6 = 
  NAS
  Server 7 = Backup 
  Server running Veritas Backup Exec
   
  Now my question 
  is, where would you place your secondary DC?  Also, does the layout of 
  services look good?  
   
  
  For clarification - Server 4 is 
  going to be running VMWare workstation on it.  We plan on using P2V to 
  take monthly or bi-monthly (not sure 
  yet) images of our servers and place them here in case any of the other 
  servers go offline because of hardware failure.  We'd be able to turn on 
  the virtual server and run it until we can get the other back online.  
  It's our way of showing TPTB that virtual is the wave of the future.  
  (We're trying to show them that blades and virtual is the way to 
  head.)  If I did put the secondary DC 
  there, it would run along side VMWare Workstation .. not on 
  it.
   
  BTW - We are a very small shop, only 75 users and 
  only one site working 8-5, M-F.  
  Our main product run is Revit (autocad product) which runs a license from the 
  server but the application is run locally.  We don't put too much of a 
  strain on our network overall.  
  
   
  Kelli
  Design+
  Architects + Electrical Engineers + Mechanical Engineers + Landscape 
  Architects + Interior Designers
  201 Ionia Ave S.W. · Grand Rapids, MI · 49503-4136 · 
  616.458.0875 · 
  616.458.2806 fax
   

RE: [ActiveDir] Domain Demotion (Removal) Best Practices

[Kennedy, Jim]

Title: Domain Demotion (Removal) Best Practices



 
The below is exactly what I did, with one addition. When I 
demoted the last DC I also turned off one DC from the remaining domain. I too 
was worried about the process and asked many questions here and elsewhere.  
The whole thing turned out to be a non-event.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
  Jorge deSent: Monday, January 09, 2006 2:37 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Domain 
  Demotion (Removal) Best Practices
  
  
  At the moment you think 
  "I could remove the domain now" don't do that, but shutdown the DCs to see 
  what breaks. Of course you need to ignore errors concerning replication with 
  that domain. If after a while (some days) nothing or nobody has started 
  screaming then you could demote the DCs. Don't forget to remove the DNS 
  delegation and to select the option "this is the last DC of this domain" (or 
  something that sounds like it) when demoting the last DC. Checking this option 
  makes sure the existance of the domain is removed at the domain naming master. 
  So make also sure that FSMO is available.
   
  Jorge
  
  
  From: [EMAIL PROTECTED] on 
  behalf of Ibarra, JuanSent: Mon 2006-01-09 17:49To: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Domain Demotion 
  (Removal) Best Practices
  
  Hi, we are in the process of 
  removing several old domains that still contain some servers and services 
  accounts on them.  All active users have been migrated off to a new 
  parent domain.   
  Are there any best practices, 
  thins I need to be aware or concerned about before starting this process?
  Thanks,
  Juan
  
  

RE: [ActiveDir] OT: Patch Management

[Kennedy, Jim]

Title: OT: Patch Management



The specs requirements listed seem to be overkill to me. 
Also, you can work around that by approving the updates in groups, or applying 
them to computers in phases.
 
The integration with GPO and the fact you can set it up and 
roll the whole thing out from your chair are worth the 
effort.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Pohlschneider, 
  ChrisSent: Friday, January 06, 2006 11:39 AMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Patch 
  Management
  
  Does anyone have recommendations for patch management software 
  that could beinstalled on a desktop type system to manage a network with 
  120 nodes forupdates and patches. I was looking at WSUS, but the 
  requirements are thatyou need a server OS, plus the minimum requirements 
  were pretty stout.Thanks in advance for recommendations!!Chris 
  PohlschneiderNetwork 
  AdministratorCenveo-Sidney937-497-2136[EMAIL PROTECTED]Cenveo 
  is your visual communications connection for a broad portfolio ofservices 
  and products including eServices, envelopes, offset and digitalprinting, 
  labels and business 
documents   

RE: [ActiveDir] OT: WMF issue - patch on the 10th

[Kennedy, Jim]

My son is hard core on the security side. He has tested the heck out of
their patch. He claims the patch works and is a clean uninstall. No
comment on if it breaks anything else. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Jeff 
> Salisbury
> Sent: Tuesday, January 03, 2006 3:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
> 
> I recommend taking a look at the SANS Internet Storm Center
> (http://isc.sans.org/) write up as well, including 
> information regarding an unofficial patch that is now 
> available in MSI installer format.
> 
> Jeff
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> Sent: Tuesday, January 03, 2006 12:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
> 
> 
> 
> http://www.microsoft.com/technet/security/advisory/912840.mspx
> 
> January 10th...is the target. 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Navroz 
> > Shariff
> > Sent: Tuesday, January 03, 2006 3:17 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
> > 
> > Regarding the June 10 WMF exploit patch release, can somone please 
> > point me to Microsoft's article regarding the release.
> > 
> > Thanks,
> > 
> > Nav
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Susan Bradley
> > Sent: Tuesday, January 03, 2006 12:33 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OT: WMF issue - patch on the 10th
> > 
> > What's Microsoft's response to the availability of third 
> party patches 
> > for the WMF vulnerability?
> > Microsoft recommends that customers download and deploy the 
> security 
> > update for the WMF vulnerability that we are targeting for 
> release on 
> > January 10, 2006.
> > 
> > As a general rule, it is a best practice to utilize 
> security updates 
> > for software vulnerabilities from the original vendor of 
> the software. 
> > With Microsoft software, Microsoft carefully reviews and tests 
> > security updates to ensure that they are of high quality 
> and have been 
> > evaluated thoroughly for application compatibility. In addition, 
> > Microsoft's security updates are offered in 23 languages for all 
> > affected versions of the software simultaneously.
> > 
> > Microsoft cannot provide similar assurance for independent 
> third party 
> > security updates.
> > 
> > Why is it taking Microsoft so long to issue a security update?
> > Creating security updates that effectively fix 
> vulnerabilities is an 
> > extensive process. There are many factors that impact the length of 
> > time between the discovery of a vulnerability and the release of a 
> > security update. When a potential vulnerability is reported, 
> > designated product specific security experts investigate 
> the scope and 
> > impact of a threat on the affected product. Once the MSRC knows the 
> > extent and the severity of the vulnerability, they work to 
> develop an 
> > update for every supported version affected. Once the 
> update is built, 
> > it must be tested with the different operating systems and 
> > applications it affects, then localized for many markets 
> and languages 
> > across the globe.
> Confidential
> This e-mail and any files transmitted with it are the 
> property of Belkin Corporation and/or its affiliates, are 
> confidential, and are intended solely for the use of the 
> individual or entity to whom this e-mail is addressed.  If 
> you are not one of the named recipients or otherwise have 
> reason to believe that you have received this e-mail in 
> error, please notify the sender and delete this message 
> immediately from your computer.
> Any other use, retention, dissemination, forwarding, printing 
> or copying of this e-mail is strictly prohibited.
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT: WMF issue - patch on the 10th

[Kennedy, Jim]

http://www.microsoft.com/technet/security/advisory/912840.mspx

January 10th...is the target. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Navroz Shariff
> Sent: Tuesday, January 03, 2006 3:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
> 
> Regarding the June 10 WMF exploit patch release, can somone 
> please point me to Microsoft's article regarding the release.
> 
> Thanks,
> 
> Nav 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
> Sent: Tuesday, January 03, 2006 12:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: WMF issue - patch on the 10th
> 
> What's Microsoft's response to the availability of third 
> party patches for the WMF vulnerability?
> Microsoft recommends that customers download and deploy the 
> security update for the WMF vulnerability that we are 
> targeting for release on January 10, 2006.
> 
> As a general rule, it is a best practice to utilize security 
> updates for software vulnerabilities from the original vendor 
> of the software. With Microsoft software, Microsoft carefully 
> reviews and tests security updates to ensure that they are of 
> high quality and have been evaluated thoroughly for 
> application compatibility. In addition, Microsoft's security 
> updates are offered in 23 languages for all affected versions 
> of the software simultaneously.
> 
> Microsoft cannot provide similar assurance for independent 
> third party security updates.
> 
> Why is it taking Microsoft so long to issue a security update?
> Creating security updates that effectively fix 
> vulnerabilities is an extensive process. There are many 
> factors that impact the length of time between the discovery 
> of a vulnerability and the release of a security update. When 
> a potential vulnerability is reported, designated product 
> specific security experts investigate the scope and impact of 
> a threat on the affected product. Once the MSRC knows the 
> extent and the severity of the vulnerability, they work to 
> develop an update for every supported version affected. Once 
> the update is built, it must be tested with the different 
> operating systems and applications it affects, then localized 
> for many markets and languages across the globe.
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Persistent Drives

[Kennedy, Jim]

 
Sorry, I missed this part:
 
net config server /autodisconnect:65535
 
On the workstation you want net config workstation /autodisconnect:65535 
I think.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, 
  JimSent: Monday, December 12, 2005 10:53 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Persistent 
  Drives
  
   
  The persistent command you are using does not keep the 
  drive connected when logged onit makes the mapping stick the next time the 
  user logs on. Same as the 'reconnect at logon' box if you do the mapping 
  manually via my computer.
   
  I would advise against that setting in your logon script. 
  If you go to move a users mapped folder and redo their logon file.the old 
  drive might still be there in XP and it often won't be replaced. So you have 
  to add 'net use * /delete /y' to clear the old mappings. And that can even be 
  hit or miss if you are using fastlogon with XP.
   
  As for your  disconnect problem take a look at the 
  net config server/workstation commands on the workstation. XP auto disconnects 
  mapped drives after a certain period of inactivity and reconnect if the user 
  access it. This will confuse some programs to think the drive is no 
  longer there.
   
  net config workstation ?
  net config server ?
   
  to see the syntax.
   
  JK
   
   
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of George 
ArezinaSent: Monday, December 12, 2005 10:43 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Persistent 
Drives


Hi 
folks,
Scenario: Scripts run 
at logon on Windows XP desktops, defined through a GPO (Windows 2003 AD). 
Within the scripts I have mapped certain 
drives:
Example: 

NET USE P: \\X\Bob 
/persistent:yes
NET USE I: \\X\Joe 
/persistent:yes
NET USE M: \\X\Dick 
/persistent:yes
 
However, after a 
certain amount of time, the mapped drives lose connections. I have run the 
following command on my W3K server and XP box: net config server 
/autodisconnect:65535. However, users still lose their connections after a 
certain period. Is there anyway to make the above connections persistent? 
Persistency is required because one applications pulls certain data from 
these drives.
 
Thanks in 
advance.
George 

 Informacija 
sa Stedionica Opportunity International A.D. Novi Sad putem e-maila je bez 
garancije. Zakljucivanje pravnih poslova putem ovog medija nije dozvoljeno. 
Ovaj e-mail moze sadrzati poverljive i/ili povlascene informacije. Ukoliko 
ste ovaj e-mail primili greskom, ovim putem vas obavestavamo da je svako 
otkrivanje, kopiranje, distribucija ili preduzimanje bilo kakvih aktivnosti 
u vezi njegovog sadrzaja strogo zabranjeno i moze biti nezakonito. Ukoliko 
ste e-mail primili greskom, molimo Vas da nas odmah obavestite tako sto cete 
odgovoriti na ovaj email, a zatim ga izbrisite iz vaseg 
sistema.The 
exchange of messages with Stedionica Opportunity International A.D. Novi Sad 
via e-mail is not binding. Declarations regarding legal transactions must 
not be exchanged via this medium. The information contained in this e-mail 
message is confidential and intended exclusively for the addressee. Persons 
receiving this e-mail message who are not the named addressee (or his/her 
co-workers, or persons authorized to take delivery) must not use, forward or 
reproduce its contents. If you have received this e-mail message by mistake, 
please contact us immediately and delete this email message beyond 
retrieval.

RE: [ActiveDir] Persistent Drives

[Kennedy, Jim]

 
The persistent command you are using does not keep the 
drive connected when logged onit makes the mapping stick the next time the 
user logs on. Same as the 'reconnect at logon' box if you do the mapping 
manually via my computer.
 
I would advise against that setting in your logon script. 
If you go to move a users mapped folder and redo their logon file.the old 
drive might still be there in XP and it often won't be replaced. So you have to 
add 'net use * /delete /y' to clear the old mappings. And that can even be hit 
or miss if you are using fastlogon with XP.
 
As for your  disconnect problem take a look at the net 
config server/workstation commands on the workstation. XP auto disconnects 
mapped drives after a certain period of inactivity and reconnect if the user 
access it. This will confuse some programs to think the drive is no longer 
there.
 
net config workstation ?
net config server ?
 
to see the syntax.
 
JK
 
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of George 
  ArezinaSent: Monday, December 12, 2005 10:43 AMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Persistent 
  Drives
  
  
  Hi 
  folks,
  Scenario: Scripts run at 
  logon on Windows XP desktops, defined through a GPO (Windows 2003 AD). Within 
  the scripts I have mapped certain drives:
  Example: 
  
  NET USE P: \\X\Bob 
  /persistent:yes
  NET USE I: \\X\Joe 
  /persistent:yes
  NET USE M: \\X\Dick 
  /persistent:yes
   
  However, after a certain 
  amount of time, the mapped drives lose connections. I have run the following 
  command on my W3K server and XP box: net config server /autodisconnect:65535. 
  However, users still lose their connections after a certain period. Is there 
  anyway to make the above connections persistent? Persistency is required 
  because one applications pulls certain data from these 
  drives.
   
  Thanks in 
  advance.
  George 
  
   Informacija 
  sa Stedionica Opportunity International A.D. Novi Sad putem e-maila je bez 
  garancije. Zakljucivanje pravnih poslova putem ovog medija nije dozvoljeno. 
  Ovaj e-mail moze sadrzati poverljive i/ili povlascene informacije. Ukoliko ste 
  ovaj e-mail primili greskom, ovim putem vas obavestavamo da je svako 
  otkrivanje, kopiranje, distribucija ili preduzimanje bilo kakvih aktivnosti u 
  vezi njegovog sadrzaja strogo zabranjeno i moze biti nezakonito. Ukoliko ste 
  e-mail primili greskom, molimo Vas da nas odmah obavestite tako sto cete 
  odgovoriti na ovaj email, a zatim ga izbrisite iz vaseg 
  sistema.The 
  exchange of messages with Stedionica Opportunity International A.D. Novi Sad 
  via e-mail is not binding. Declarations regarding legal transactions must not 
  be exchanged via this medium. The information contained in this e-mail message 
  is confidential and intended exclusively for the addressee. Persons receiving 
  this e-mail message who are not the named addressee (or his/her co-workers, or 
  persons authorized to take delivery) must not use, forward or reproduce its 
  contents. If you have received this e-mail message by mistake, please contact 
  us immediately and delete this email message beyond 
retrieval.

[ActiveDir] Decomission a domain

[Kennedy, Jim]

 
Two domains in a forest, not a child/parent. Keeping the root of course,
and want to 'un'-dcpromo the last two DC's in the other. All the
computers and accounts and groups were moved over. The domain going away
was the domain that had Exchange. Exchange was also moved over to the
root domain.

Any sage advise before I do this? Gotcha's I should be prepared for? We
keep a DC offline, should I bring it up before I do thisor leave it
off in case of a disaster.

Anyone done this, I really don't want 1500 XP machines hung at startup
looking for the old domain. Not sure why, but this final step has me a
bit anxious.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] OT? Remote Assistance.

[Kennedy, Jim]

Trouble getting Remote Assistance going. XP w/ SP2 in a 2K3 domain. XP
firewall disabled on both boxes.

Two computers for test. Both in the same OU. GPO forces offer and invite
enabled with a group having the permissions. RSOP on both machines shows
it is all taking effect. Both logged on users are local admins, and are
in fact domain admins.  Invitations for Assistance work fine, in both
directions. However Offer Assistance fails with 'Permission Denied'.

Been through everything here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;310629  Simple
file sharing off and verified the groups and members are being passed
down.

This one does not apply, that group policy is undefined. Tried defining
it with the fix anyway, no change.
http://support.microsoft.com/?kbid=884910


http://support.microsoft.com/default.aspx?scid=kb;en-us;889248


Even fired up all the disabled services on both machines.




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/