RE: [ActiveDir] push a URL in the trusted zone with GPO...
User configuration, windows settings, internet explorer maint, security/security zones and content ratings, security zones and privacy, sites in this zone.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> Sent: Friday, January 05, 2007 3:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: push a URL in the trusted zone with GPO...
>
> Hi,
> I have a brain cramp actually, I can't remember how I can push a URL in the trusted zone and intranet zone for all the stations using a GPO, anybody can help?
>
> Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] how to list permissions applied to a directory tree
And after reading your post a bit more, perhaps just xcopy it over, make your changes and leave the old one in place hidden as your documentation until you know it all is working as you intended.

Happy New Year! How do I create a list of all permissions that are currently applied to a directory tree? I have to move a directory tree and change permissions to it and I want to ensure that I document all active permissions within this tree before I move it. Thanks!
RE: [ActiveDir] how to list permissions applied to a directory tree
http://www.scriptlogic.com/products/securityexplorer/ Love it here.

Happy New Year! How do I create a list of all permissions that are currently applied to a directory tree? I have to move a directory tree and change permissions to it and I want to ensure that I document all active permissions within this tree before I move it. Thanks!
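One way to document the permissions on a tree before moving it, as an added PowerShell example that is not part of the original messages. `Export-TreeAcl` and the demo paths are hypothetical names chosen here; the script writes one CSV row per access control entry and reports paths it could not read.

```powershell
# Added example, not from the thread. Export-TreeAcl is a hypothetical helper name.
function Export-TreeAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,      # top of the tree to document
        [Parameter(Mandatory)] [string] $CsvPath,   # report file to write
        [switch] $ExplicitOnly                      # skip inherited entries below the root
    )

    $rootItem   = Get-Item -LiteralPath $Root -ErrorAction Stop
    $rows       = New-Object System.Collections.Generic.List[object]
    $unreadable = New-Object System.Collections.Generic.List[string]

    # Root first, then every child. -Force includes hidden and system items.
    $children = Get-ChildItem -LiteralPath $Root -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable walkErrors
    $items = @($rootItem) + @($children)

    # Folders that could not be listed would otherwise be silent gaps in the report.
    foreach ($err in $walkErrors) { $unreadable.Add([string]$err.TargetObject) }

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            $unreadable.Add($item.FullName)
            continue
        }

        $isRoot = ($item.FullName -eq $rootItem.FullName)
        foreach ($ace in $acl.Access) {
            # Inherited entries at the root come from the old parent folder, which the
            # tree leaves behind, so they are always recorded.
            if ($ExplicitOnly -and $ace.IsInherited -and -not $isRoot) { continue }

            $rows.Add([pscustomobject]@{
                Path               = $item.FullName
                IsContainer        = $item.PSIsContainer
                Owner              = $acl.Owner
                InheritanceBlocked = $acl.AreAccessRulesProtected
                Identity           = $ace.IdentityReference.Value
                Type               = $ace.AccessControlType      # Allow or Deny
                Rights             = $ace.FileSystemRights
                IsInherited        = $ace.IsInherited
                InheritanceFlags   = $ace.InheritanceFlags
                PropagationFlags   = $ace.PropagationFlags
            })
        }
    }

    if ($rows.Count -gt 0) {
        $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    }

    # Summary for the caller: how much was captured and what was missed.
    [pscustomobject]@{
        Root       = $rootItem.FullName
        Entries    = $rows.Count
        Unreadable = $unreadable.ToArray()
        Report     = $CsvPath
    }
}

# Constructed demo: build a small tree under the temp directory and document it.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'acl-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'sub') -Force | Out-Null
$report = Join-Path ([IO.Path]::GetTempPath()) 'acl-demo-report.csv'
Export-TreeAcl -Root $demo -CsvPath $report -ExplicitOnly
```

Run it from an account that can read permissions on the whole tree; anything listed under `Unreadable` is missing from the report and needs a second pass.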
RE: [ActiveDir] OT: Exchange Design Question
If you use OWA for remote mail access number 1 is the best choice. You then publish your OWA through the ISA server. If your incoming smtp is only from messagelabs and you do not need/use OWA then I would consider skipping to choice three, with nothing out front and only allow port 25 from messagelabs.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Tuesday, December 05, 2006 11:42 AM
> To: ActiveDir.org
> Subject: [ActiveDir] OT: Exchange Design Question
>
> A friend of mine has asked me to ask the group the following Exchange related question.
>
> An Exchange 2003 environment that has been upgraded from Exchange 2000 needs to have SMTP reconfigured for outbound mail. There are two proposals on the table but they are not sure of the best approach.
>
> 1 Exchange Frontend/Backend configuration with both servers on the internal network and an ISA server in the perimeter network publishing internal SMTP to the internet or in this case messagelabs
>
> or
>
> 2 Exchange Frontend/Backend configuration with both servers on the internal network and an SMTP server in the DMZ relaying to messagelabs
>
> Messagelabs host the MX records and cleanses most viruses out of the emails but may change in the future though there is no current management thinking to do so.
>
> Given these two scenarios which one would most people choose and if so why?
>
> The environment is approx 2000 users and there are eight sites and the chosen SMTP configuration will be repeated in another site for resilience.
>
> Many thanks as always,
>
> Regards,
>
> Mark Parris
>
> Base IT Ltd
> Active Directory Consultancy
> Tel +44(0)7801 690596
RE: [ActiveDir] [OT] how to access blocked site.
We don't know that. He could be an admin that is trying to figure out how his users are getting past his blocking system. There did seem to be a language issue in his original post.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
> However from the standpoint of the user and his company he is trying to assume risk that he doesn't have authority to assume (or else he wouldn't have to post
RE: [ActiveDir] Why we go for exchange 2003 server
The Outlook Web Access makes Exchange 2003 worth getting, if you use it. However, Exchange 2007 might be worth waiting for at this point.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: Monday, October 30, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Why we go for exchange 2003 server

Hi,

Can anyone please tell me why I should implement Exchange 2003 Enterprise Server instead of 2000 Enterprise Server in my organization? Because Exchange 2000 has messaging services but 2003 doesn't. Actually, my main intention is why I should go for 2003 Exchange server. Please suggest.

Regards,
Ajay pardeshi
[ActiveDir] OT Internet restrictions. Was Blocking IE7
I can’t speak for a University edu, but as a public K-12 we most certainly can restrict internet access. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Thursday, October 19, 2006 1:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Blocking IE7 Since you're in an educational environment, things can be a little dicey there. You can't restrict the internet (government funds thing)
RE: [ActiveDir] DHCP Problem
Starting to sound like you have an old DNS or WINS record out there for the old server.

> -Original Message-
> From: Bob Anderson
>
> Neil,
> When I add a new Authorization record it adds it with the old server name. I think my problem is that I have given my new server the same IP address as the old one that died
>
> Bob
> IT Guy
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, October 16, 2006 10:39 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP Problem
>
> If I understand this post correctly, you may need to add a new DHCP authorisation record for the new server, with the correct name and IP address. You may also need to re-configure routers so that BOOTP packets are forwarded to the correct IP address and/or MAC address.
>
> You didn't state what was not working after the change so it's hard to know what to suggest :)
>
> neil
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson
> Sent: 16 October 2006 15:12
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DHCP Problem
>
> Good Morning,
> I have a bad DHCP problem.
>
> I have replaced our Primary Domain Computer and I think I have messed DHCP up badly. The new Domain Controller has been given the same IP address as the old one and when I go into DHCP console the old server name shows up for the DHCP computer.
>
> This was an emergency switch as the old DC has died.
>
> Thanks in advance for all your help.
>
> Bob Anderson
> IT Guy
> Kent Sporting Goods
> 433 Park Ave. S
> New London OH 44851
> 419-929-7021 x315
> email: [EMAIL PROTECTED]
RE: [ActiveDir] Folder Redirection Issue
“Office was deployed to the workstations via group policy using an AIP and MST transform.”

Bet you will find something in that MST that is pointing to the wrong location. Blow out an Outlook profile on one as a test.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue

I am having a weird problem with folder redirection. I have set the My Documents redirection to the subfolder of the root drive option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users my documents to \\servername\homefolders$\%username%\my documents and it does. The users log onto their PCs and open their My Documents folder fine – and looking at the properties of their my documents folder confirms that the redirection is working properly.

The problem is that in certain applications, namely Outlook 2003 (all latest patches and SPs applied). When a user goes to save an attachment, for example, and clicks on my documents in the save dialog, they receive the error “cannot access \\servername\homefolders$”, which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the users my documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, the my documents works fine. There are also no event log entries that reference this issue.

I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform. Any help would be greatly appreciated.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
RE: [ActiveDir] Sharepoint in the DMZ
Fire him, unless he shares the drugs he is on. A child domain for one server? Open an SQL port on your outside firewall? Ok on second thought, just fire him no matter how good the drugs are.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all

I have a consultant that wants to put Sharepoint into our DMZ. Here is what he is proposing to do:

- Create a child domain and put the Sharepoint computer account in the child domain
- Put Sharepoint server in our DMZ.
- Open up the same ports for Sharepoint that we would open for Outlook Web Access
- Also open port 1433 for SQL

Since I don’t know much about Sharepoint, I was hoping someone would be able to let me know if this has been done in the past and if it's safe.

Thank you
Russ
[ActiveDir] Moving user accounts.
Am I correct that to delegate moving user accounts from OU to OU I will have to allow them the ability to delete accounts? It appears accounts work similar to documents, a move is really a copy then delete.
RE: [ActiveDir] (OT) Exchange Mail Delivery Delays
Recipients include Universal groups? If so check access to a global catalog from the exchange server. Avoid Universal groups if possible on distribution lists.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Robert Rutherford
> Sent: Wednesday, August 23, 2006 10:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] (OT) Exchange Mail Delivery Delays
>
> Hi All,
>
> Sorry for the OT...
>
> I've got an Exch2003 server, SP2 with the following issue :-
>
> An External mail user sends a mail to many internal recipients, some users receive immediately. The remaining users receive the mail hours later, sometime 12 hours+ later.
>
> Before I up all the logging and spend hours.. has anyone seen this and resolved?
>
> I've attached an example message tracking log.
>
> Cheers,
>
> Rob
>
> Robert Rutherford
> QuoStar Solutions Limited
>
> T:+44 (0) 8456 440 331
> F:+44 (0) 8456 440 332
> M:+44 (0) 7974 249 494
> E:[EMAIL PROTECTED]
> W:www.quostar.com
RE: [ActiveDir] joe - please say it isn't so!
Double check the date of the entry.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, August 14, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] joe - please say it isn't so!

So here I went to take a look at Dean’s article, and I find this: http://blog.joeware.net/cat/recipes/ , expecting to find more of joe’s great adfind codes. At first, I thought it got misfiled and should have been filed under “humor” but I suspect this is hardly funny. Joe, are you pulling our collective legs? Please tell me this blog is a poor Michigander’s joke! If not, please take me with you to New Zealand – I need to see first hand that the Brown Trout there are bigger than they are in Michigan! ;-)

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

joe said "pretty decent" http://blog.joeware.net/2006/06/08/400/ I think that's an understatement ;-) However, my profuse thanks to joe too. I wasn't aware of the article until he blogged it.

M@

On 8/14/06, Dean Wells <[EMAIL PROTECTED]> wrote:

Why thank you … but who said otherwise? ;0)

--
Dean Wells
MSE technology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463&ad=554811USCA&ad=554808

I don't care what anyone says. That's a damn fine article. I couldn't possibly thank Dean enough for that info.

M@

On 8/14/06, Graham Turner <[EMAIL PROTECTED]> wrote:

Alter ego ! my thanks are due worked out a treat - so the GC's are not so ***'d as i thought any info on the concept of the phantoms though ??
GT

> Hey Robert,
>
> In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as:
> HKCU\Software\Policies\Microsoft\Windows\Directory
>
> However, the correct registry key is:
> HKCU\Software\Policies\Microsoft\Windows\Directory UI
>
> I've sent a comment to my former employer to ask for them to fix the article...next time, test it *before* you post!
>
> Your Alter Ego,
> Robert Williams
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Williams, Robert
> Sent: Monday, August 14, 2006 9:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir]
>
> Hey Graham,
>
> This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information:
> http://support.microsoft.com/kb/q281923/
>
> Let us know if that turned out to be the cause.
>
> Have a great day!
>
> Robert Williams
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Monday, August 14, 2006 9:01 AM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir]
>
> Dear all, am experiencing issues that i think attributable to the concept of Active Directory phantoms
>
> the symptom is that when we open certain global groups the membership list comes out with grey icons
>
> this is not all groups - affected ones being - Domain Users / Domain computers
>
> must confess to not a full understanding of the issue here -but it seems this relates in some way to GC lookup ??
>
> i can for sure confirm that the GC port 3268 is open on the GC's
>
> not sure why as the group / user members are in the same domain ?
>
> after the understanding of what is going on here is, of course 'HOW DO WE FIX' ??
>
> technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo role on a scheduled basis to resolve the directory issue.
>
> would seem not in this case ?
>
> as a point to note, neither netdiag or dcdiag are coming up with nothing conclusive in this respect.
>
> help as always gladly received
>
> GT
RE: [ActiveDir]
To be more accurate….change their smtp address to a bunch of gibberish. From: Kennedy, Jim Sent: Wednesday, August 09, 2006 3:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove their external smtp address and then set the send to permissions in the account to just me. Then disable the account. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Wednesday, August 09, 2006 3:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account,not remove, and prevent it from receiving mail ? -- HBooGz:\>
RE: [ActiveDir]
Remove their external smtp address and then set the send to permissions in the account to just me. Then disable the account. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Wednesday, August 09, 2006 3:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hey All - How do you disable an AD account and deny mail delivery. There are some users that are disabled but when i send an email to their smtp address i don't get a sys admin error, it appears to send it to the respective store. how do you all disable an AD account,not remove, and prevent it from receiving mail ? -- HBooGz:\>
RE: [ActiveDir] Replication from ASP
WAG. Skin it from the other direction. Make sure the ASP page creates the account on the Peoplesoft DC. How…I dunno, but even replication could take too long if you could trigger it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,
Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP 2.0? My DC’s are all local (no WANs) and 2003 SP1. I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD. The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn’t create his account there it doesn’t work right away.

Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] OT: Higher Education web access
If I am reading your requirement correctly, WEBDAV is a web interface. Hit the page with IE and there is your network folder. As for the web publishing, are they making the sites themselves and then just uploading them? Then publish their website home folder also via WEBDAV.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Tuesday, June 20, 2006 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Higher Education web access

I myself would be more than happy with this scenario. However, when I discuss this with the VP he says we can't take away anything they have now. So that means I have to find a way for them to access their files through some type of web interface (which maybe I can convince him WEBDAV is almost like what they have now) and also be able to publish their own web pages.

Paul

On 6/20/06, Steve Rochford <[EMAIL PROTECTED]> wrote:

We use webdav and publish instructions for staff/students to just add their home folder as a "my network place" on their home computers. This works well - once you've connected it's just another location that appears in explorer or file dialogues. If you're happy to continue with FTP access to the web folder then that's perfectly possible; I'm assuming you're scripting creation of users so it's just a case of adding an extra bit to create and permission a folder somewhere in the IIS folder for each user.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: 19 June 2006 21:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Higher Education web access

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our student's files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment.

To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files.
http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest.
http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature):
http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv

Paul

--
***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***
RE: [ActiveDir] Machine Password Changes
I think it would be best that SomeProduct should go in SomeTrashCan.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/580.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, June 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Password Changes

Everyone,

Our Public Libraries use a software package that handles their patron logins and billing called SomeProduct. The company that makes SomeProduct includes in their suite, a product called SomeDiskProtection. SomeDiskProtection is similar to Windows Disk Protection, GoBack and Deep Freeze. It’s a product that upon reboot, restores the PC to its previously saved state.

The problem with this of course is that while the PC is up and running during the day, if it changes its machine account password, the next time the PC is rebooted, it’s back to the old password which results in PCs that can’t log onto the domain.

We’ve now spent a week on the phone with SomeCompany and they tell us that their only solution is to completely disable machine password changes for the PCs running their software. I want to ask you all what you think of this solution. How much of a security risk do you think it is? Can you think of a workaround?

The frustrating thing is that Windows Disk Protection has a way of handling this. It disables automatic machine password changes, but every time the PC has its saved state updated, it performs a manual password change so that at least it’s being changed SOMETIMES. According to SomeCompany, they have absolutely no plans or desire to update their software to support similar functionality.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
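A check for the situation described in this message, as an added PowerShell example that is not from the thread: it reads the local Netlogon settings that control machine password changes and classifies computer accounts by password age, so machines with rotation disabled stand out. The function names, the 30-day threshold (the Windows default for `MaximumPasswordAge`) and the sample computer names and dates are assumptions or constructed data.

```powershell
# Added example, not from the thread. Function names and sample data are constructed.

# Report whether this machine is configured to change its own account password.
# Both values live under the Netlogon service parameters; a missing value means default.
function Get-LocalMachinePasswordSetting {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisablePasswordChange  = ($p.DisablePasswordChange -eq 1)
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
    }
}

# Classify computer accounts by the age of their machine account password.
# Input objects need Name and PasswordLastSet, as returned by
#   Get-ADComputer -Filter * -Properties PasswordLastSet   (ActiveDirectory module)
function Get-StaleMachinePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Computer,
        [int] $MaxAgeDays = 30,
        [datetime] $AsOf = (Get-Date)
    )
    process {
        if (-not $Computer.PasswordLastSet) {
            $age = $null
            $status = 'NeverSet'
        } else {
            $age = [int][math]::Floor(($AsOf - $Computer.PasswordLastSet).TotalDays)
            # Late: missed one rotation window (machine may simply have been off).
            # Stale: missed two or more, typical of disabled rotation or a dead account.
            $status = if ($age -le $MaxAgeDays) { 'Current' } elseif ($age -le 2 * $MaxAgeDays) { 'Late' } else { 'Stale' }
        }
        [pscustomobject]@{
            Name            = $Computer.Name
            PasswordLastSet = $Computer.PasswordLastSet
            AgeDays         = $age
            Status          = $status
        }
    }
}

# Constructed sample standing in for Get-ADComputer output.
$asOf = [datetime]'2006-06-12'
$sample = @(
    [pscustomobject]@{ Name = 'LIB-KIOSK-01'; PasswordLastSet = [datetime]'2006-06-01' }
    [pscustomobject]@{ Name = 'LIB-KIOSK-02'; PasswordLastSet = [datetime]'2006-04-20' }
    [pscustomobject]@{ Name = 'LIB-KIOSK-03'; PasswordLastSet = [datetime]'2005-11-02' }
    [pscustomobject]@{ Name = 'LIB-KIOSK-04'; PasswordLastSet = $null }
)

# Show only the accounts that need attention.
$sample |
    Get-StaleMachinePassword -AsOf $asOf |
    Where-Object { $_.Status -ne 'Current' } |
    Format-Table -AutoSize
```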
RE: [ActiveDir] Image a DC?
I believe there is a free tool to strip SBS servers for imaging, but available only to those that have an OEM relationship with MS.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Thursday, May 11, 2006 12:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Image a DC?
>
> (little voice)
>
> um.. we do it in SBSland.. but we insanely don't have another DC around for it to conflict with...but yeah.. even for us SBSers... certain folks like "~" suck air and get this horrified look on their face.
RE: [ActiveDir] OT: KVM switches
We are happy with the HP units we use.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
> Sent: Thursday, May 11, 2006 10:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: KVM switches
>
> Sorry to rehash this ...
>
> Looking for opinions on KVM-over-IP switches.
>
> I have experience with the Raritan Dominion KX line and am fairly pleased with them but before we buy more i just wanted to see if there were other players that i may have missed.
RE: [ActiveDir] Exchange queue(OT)
Had that once with a 1000 user dist. list on our exchange server. It was a bunch of nested groups, along with global groups tossed in. The groups, specifically the global groups seemed to be the cause. Took forever to enumerate the addresses.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, May 04, 2006 3:35 PM
To: activedirectory
Subject: [ActiveDir] Exchange queue(OT)

I have an issue where a user sends an email to about 1800 recipients using Outlook DL's. The email always gets stuck in the "messages awaiting directory lookup" queue for hours (sometimes days). The only thing logged in the app log is-

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Date: 5/4/2006
Time: 3:21:02 PM
User: N/A
Computer: EXNYC01
Description: The categorizer is unable to categorize messages due to a retryable error. There is not enough space on the disk. For more information, click http://www.microsoft.com/contentredirect.asp.
Data:: 70 00 00 00 p...

The server has about 80gig of free space. I tried moving the user's mailbox to another server but she still gets the same issue. Has anyone had experience with this error? I'm running Exchange 2k in mixed mode in an AD 2000 native mode environment.

Thanks
RE: [ActiveDir] Root Place Holder justification
I view number 1 security issues more at the GPO level than the resource level. Password and lockout policies on accounts. For example in my environment (public school) I could make a case that Teachers need a strong password policy and a quick lockout while the students do not (and should not because they typo passwords so often). We don't do that and only have a single domain but it is a valid example. I could only get the above with teachers in one domain and students in another. But that is a case for two domains, not the empty root domain that it seems the OP is being pushed towards.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: Wednesday, April 26, 2006 10:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Root Place Holder justification
>
> Number "1" of these really drive me nuts and at this point I usually start shouting. As domains do NOT limit resource access, i.e. users in Domain "A" can access resources in domain "B" (In fact that's the usual reason for having trusts between domains) and the other way round, how can you justify different Security Requirements. They are in effect both securing the same objects.
>
> Number "2" tends to become irrelevant if you have Exchange because that stuffs everything back into the GC that the AD designers took out, and you really need GCs everywhere.
>
> Number "3" => Is a good reason to start rationalizing.
>
> Having said that when I worked for Compaq I produced a number of designs with an Empty Root and as others have said, these were always passed by both Microsoft and Anderson Consulting as they were then. Personally I would like to see the business benefit that all those extra DC's deliver. (That is business benefit to the customer not to the server supplier and Microsoft).
>
> Dave.
>
> P.S. Please note the above are my personal views and not those of Stockport Council..
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> Sent: 26 April 2006 14:56
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Root Place Holder justification
>
> Your subject is your answer. They need to justify a root domain. Is there an actual reason for it?
>
> There are only three reasons to have one, imho (cut and pasted from a google search)
>
> 1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
> 2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56 kbps, the domain should have no more than 100,000 users).
> 3. Because you inherit a multiple domain setup.
>
> I question number three myself. I would rather clean it up than continue with a past decision but I guess that depends upon the impact to operations and the complexity of consolidation.
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Wednesday, April 26, 2006 9:37 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] Root Place Holder justification
> >
> > Does anyone have any official documentation as to the justification for a root place holder, pro's and con's ?
> >
> > Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.
> >
> > I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's
> >
> > I have searched this list and can find no relevant articles.
> >
> > Many thanks
> >
> > Regards
> >
> > Mark
RE: [ActiveDir] Root Place Holder justification
Your subject is your answer. They need to justify a root domain. Is there an actual reason for it?

There are only three reasons to have one, imho (cut and pasted from a google search)

1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56 kbps, the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

I question number three myself. I would rather clean it up than continue with a past decision but I guess that depends upon the impact to operations and the complexity of consolidation.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Wednesday, April 26, 2006 9:37 AM
> To: ActiveDir.org
> Subject: [ActiveDir] Root Place Holder justification
>
> Does anyone have any official documentation as to the justification for a root place holder, pros and cons?
>
> Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.
>
> I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's
>
> I have searched this list and can find no relevant articles.
>
> Many thanks
>
> Regards
>
> Mark
RE: [ActiveDir] OT: Vbscript to disconnect and reconnect persistent drive mappings
Lot of work and code there to remove drives...try this...

    Option Explicit
    Dim WshNetwork
    ' Errors are ignored, so letters that are not currently mapped are simply skipped
    On Error Resume Next
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    WshNetwork.RemoveNetworkDrive "m:"
    WshNetwork.RemoveNetworkDrive "n:"
    WshNetwork.RemoveNetworkDrive "o:"
    WshNetwork.RemoveNetworkDrive "p:"
    WshNetwork.RemoveNetworkDrive "q:"
    WshNetwork.RemoveNetworkDrive "r:"
    WshNetwork.RemoveNetworkDrive "s:"
    WshNetwork.RemoveNetworkDrive "t:"
    WshNetwork.RemoveNetworkDrive "u:"
    WshNetwork.RemoveNetworkDrive "v:"
    WshNetwork.RemoveNetworkDrive "w:"
    WshNetwork.RemoveNetworkDrive "x:"
    WshNetwork.RemoveNetworkDrive "y:"
    WshNetwork.RemoveNetworkDrive "z:"

...add all the letters you want. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Wednesday, April 26, 2006 7:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vbscript to disconnect and reconnect persistent drive mappings

I am trying to write a quick and dirty script for a test lab which will disconnect and reconnect persistent drive mappings. The script is as follows:

    Set objDrvs = GetObject("winmgmts:").InstancesOf("Win32_NetworkConnection")
    for each obj in objDrvs
        strDrive = obj.LocalName
        strDMapping = obj.RemoteName
        On Error Resume Next
        objWshNet.RemoveNetworkDrive strDrive, True, True 'Force removal
        If Err<>0 Then
            'Log Error
            Wscript.Echo "Error disconnecting"& strDrive
            Err.Clear
        End If
        objWshNet.MapNetworkDrive strDrive, strDMapping
        If Err<>0 Then
            'Log Error
            Wscript.Echo "Error remapping "& strDrive & "("& strDMapping &")"
            Err.Clear
        Else
            Wscript.Echo "Remapped "& strDrive & "("& strDMapping &")"
        End If
    Next

The script fails to disconnect any drive mapping and therefore fails to reconnect it. Can anyone advise me where I am going wrong? The ERR value is 424, does that make any sense to anyone? I want to run this on logon but I am just running it interactively at the moment.

Cheers
Jacqui
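An added example, not part of either post above: error 424 is VBScript's "Object required", and the quoted script calls objWshNet without ever creating it. The version below creates the WScript.Network object, snapshots the mappings before changing them, and skips connections that have no drive letter; variable names other than objWshNet and objDrvs are this example's own.

```vbscript
Option Explicit

Dim objWshNet, objDrvs, obj, dictMaps, arrInfo
Dim strDrive, strRemote, blnPersist

' The object the quoted script never created (the cause of error 424)
Set objWshNet = WScript.CreateObject("WScript.Network")
Set dictMaps = CreateObject("Scripting.Dictionary")

' Snapshot the current mappings first, so the WMI collection is not being
' enumerated while connections are removed
Set objDrvs = GetObject("winmgmts:").InstancesOf("Win32_NetworkConnection")
For Each obj In objDrvs
    ' Connections made without a drive letter have a Null LocalName
    If Not IsNull(obj.LocalName) Then
        If Len(obj.LocalName) > 0 Then
            blnPersist = False
            If Not IsNull(obj.Persistent) Then blnPersist = CBool(obj.Persistent)
            dictMaps(obj.LocalName) = Array(obj.RemoteName, blnPersist)
        End If
    End If
Next

For Each strDrive In dictMaps.Keys
    arrInfo = dictMaps(strDrive)
    strRemote = arrInfo(0)
    blnPersist = arrInfo(1)

    On Error Resume Next
    Err.Clear
    ' Arguments: drive, force the disconnect, remove it from the user profile
    objWshNet.RemoveNetworkDrive strDrive, True, True
    If Err.Number <> 0 Then
        WScript.Echo "Error disconnecting " & strDrive & ": " & Err.Description
        Err.Clear
    Else
        ' Remap with the current logon credentials; a mapping that was made
        ' with alternate credentials will fail here and be reported
        objWshNet.MapNetworkDrive strDrive, strRemote, blnPersist
        If Err.Number <> 0 Then
            WScript.Echo "Error remapping " & strDrive & " (" & strRemote & "): " & Err.Description
            Err.Clear
        Else
            WScript.Echo "Remapped " & strDrive & " (" & strRemote & ")"
        End If
    End If
    On Error GoTo 0
Next
```

Run it with cscript.exe so each WScript.Echo goes to the console instead of a message box.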
RE: [ActiveDir] Setting Wireless Config via GPO
Same thing here, AP to AP there is a short drop as it reauthenticates. We got questioned on it by new users sometimes but they get over it. That downside vs the upside makes it a no brainer for us. What system/setup would not have a short drop going from AP to AP? Yes using EAP.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Wednesday, April 19, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

You really got that to work well? I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. They get dropped for a few seconds for reauthentication which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did. Using Cisco 1220 x (27) with cisco 350 client cards x (80) Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Only way to fly, imho. Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's. User needs wireless, I just add them to the user group that allows them to install/request the Cert and I don't have to do anything else.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks, Is anyone setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade
RE: [ActiveDir] Setting Wireless Config via GPO
Only way to fly, imho. Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's. User needs wireless, I just add them to the user group that allows them to install/request the Cert and I don't have to do anything else.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks, Is anyone setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade
RE: [ActiveDir] Network browsing slow and not showing all computers
We don't allow it. I knew part of the answer/troubleshooting steps because our techs ghost across subnets. So working master browsers are something they need for the way they do it. And when we had trouble last time with their ghosting the symptoms were identical to what the OP described when I browsed from a server. I am sure there is a better way, but it is working and causes no problems and I have lots of other stuff to do. Like read this list :)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> Sent: Tuesday, April 11, 2006 4:08 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Network browsing slow and not showing all computers
>
> Continue>
>
> Do most folks really allow users to browse their networks? What reason would end users have to browse for anything besides servers? (Some might argue there is no reason to actually 'browse' for anything.)
RE: [ActiveDir] Network browsing slow and not showing all computers
As a multiple subnet system that still has this enabled let me amplify the below. WINS is pretty much mandatory for it to work as you want. The master browsers on each subnet will register themselves in WINS, and then be able to trade info between the masters on each subnet using the WINS records. Browstat.exe in the resource kit is your friend. If you are using WINS, consider blowing out your WINS databases. We do that a couple of times a year, it really helps.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gorder, Lee E Mr CTNOSC/GD-NS
> Sent: Tuesday, April 11, 2006 3:31 PM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] Network browsing slow and not showing all computers
>
> If they are on different subnets ensure UDP 137 is allowed through the router. Are you using WINS? I doubt this is a problem with your domain controllers or DNS for that matter.
>
> Check the following
> - Ensure NetBIOS over TCP is enabled
> - Browser service is running
> - Router/firewall settings
> - Restart master browser
>
> -Original Message-
> From: Joe Lagreca [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 11, 2006 12:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Network browsing slow and not showing all computers
>
> When I try to browse our domain via the network:
>
> Start -> My Network Places -> Entire Network -> Microsoft Windows Network -> mydomain
>
> it is very slow, and won't show all active computers. DNS is functioning properly, as I can resolve all names just fine.
>
> This happens on both windows 2000 and windows xp clients. Not all computers, including the servers, are on the same subnet. Domain controllers are windows 2003.
>
> I am inclined to think something about our domain controllers isn't configured properly. Has anyone had this problem before, or have an idea where I should look for a fix?
RE: [ActiveDir] Bulk Import
Ok, I skipped a step, sounds like you need these 200 to go to separate OU's. Mass create them in one OU, mass right click them and create the mailbox then mass send them an email. Then script the move if that is faster/easier than a manual drag and drop. So your spreadsheet of users is: firstname lastname password targetOU. Convert that to comma text for your script and use the first three for the creation and then the first two and last for the move.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, March 08, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bulk Import

Delegate it to HR. Short of that get HR or someone to give you a list of the names and script it, provide a default password of their SS number perhaps...must be changed on first log on. After they are created, in the same OU...mass select them in ADUC and right click them and send them a test email to create the mailbox.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 08, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk Import

What’s the fast way for me to create 200 user accounts in specific OU’s and create Exchange mailboxes?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Bulk Import
Delegate it to HR. Short of that get HR or someone to give you a list of the names and script it, provide a default password of their SS number perhaps...must be changed on first log on. After they are created, in the same OU...mass select them in ADUC and right click them and send them a test email to create the mailbox.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 08, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk Import

What’s the fast way for me to create 200 user accounts in specific OU’s and create Exchange mailboxes?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Windows Server mailing lists
I like this one: http://www.sunbelt-software.com/Community.cfm

Couple down on the list, NTSYSADMIN.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Thursday, March 02, 2006 9:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows Server mailing lists

Anyone know of any good Windows 2003 mailing lists?

TIA
-Alex
[ActiveDir] OT - Sample Script
Anyone using a script running as a task that looks at the members of an OU, and modifies their group membership based upon what OU they are in? I could use a sample to steal your hard work if you don't mind.
RE: [ActiveDir] OT Exchange 2003
Second one under Microsoft Internet Technology.. http://e-newsletters.internet.com/discussionlists.html/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: Friday, February 17, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Exchange 2003

Can anyone recommend a good Exchange 2003 mailing list?

Todd Hofert
IT Director
Spartan Graphics, Inc.
RE: [ActiveDir] Automagic Security groups.
Thank you Hunter, I am going with option 2. The immediate effect of option one isn't that important and is more work for minimal benefit. Option 2 with a scheduled task will work perfectly.

JK

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, February 07, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automagic Security groups.

Two options come to mind, I'm sure there are others...

1) Build a set of scripts and put a web front-end on them, which would allow others to move the user account and as part of the move, the OUone groups would get stripped and the OUtwo groups would get added.

2) Directly delegate the object move (or like above, stick it in a web page). Then have a scheduled task that periodically runs and looks at all user objects in OUone and sets the group membership correctly, same for OUtwo.

Option 1 has a more immediate effect, and that may be an important point. Option 2 has the advantage of consistently enforcing group membership, so even if someone makes an inadvertent change it will get corrected on the next pass of the script. It also makes it easier to change the groups and have all users get updated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Tuesday, February 07, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automagic Security groups.

I am almost looking for a query based Security Group, similar to Distribution Groups. It would save me a ton of time if when I moved a user from OUone to OUtwo if it would/could strip that user of all their old groups and drop them into the new groups, based upon what OU the user account currently resides in. 15 schools, students moving from school to school all year long... it would save us a ton of time. In fact I could delegate the move and have others do it. It would be the last part of the puzzle to making these moves near zero administrative overhead. Any ideas?

Jim Kennedy
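A sketch of the scheduled-task approach (option 2) discussed above, added here as an example and not code posted by anyone in the thread. Every OU and group DN is a hypothetical placeholder, it only ever touches the groups listed in its own table rather than stripping all of a user's groups, and it starts in report-only mode.

```vbscript
Option Explicit

Dim blnReportOnly, ouGroups, managed, ouDN, groupDN, ou, user

' Report-only by default: set to False to let the task change memberships
blnReportOnly = True

' OU -> groups its users must belong to (all DNs are hypothetical placeholders)
Set ouGroups = CreateObject("Scripting.Dictionary")
ouGroups.CompareMode = vbTextCompare
ouGroups.Add "OU=OUone,DC=example,DC=com", _
    Array("CN=OUone-Users,OU=Groups,DC=example,DC=com")
ouGroups.Add "OU=OUtwo,DC=example,DC=com", _
    Array("CN=OUtwo-Users,OU=Groups,DC=example,DC=com")

' Every group named above is "managed"; no other group is ever modified
Set managed = CreateObject("Scripting.Dictionary")
managed.CompareMode = vbTextCompare
For Each ouDN In ouGroups.Keys
    For Each groupDN In ouGroups(ouDN)
        If Not managed.Exists(groupDN) Then
            managed.Add groupDN, GetObject("LDAP://" & groupDN)
        End If
    Next
Next

For Each ouDN In ouGroups.Keys
    Set ou = GetObject("LDAP://" & ouDN)
    ou.Filter = Array("user")      ' direct children only, sub-OUs are not walked
    For Each user In ou
        If LCase(user.Class) = "user" Then
            ' Add to this OU's groups, remove from managed groups of other OUs
            For Each groupDN In managed.Keys
                SyncMembership managed(groupDN), user, InList(ouGroups(ouDN), groupDN)
            Next
        End If
    Next
Next

' Bring one user's membership of one managed group into the wanted state
Sub SyncMembership(grp, usr, blnWanted)
    Dim blnIsMember
    blnIsMember = grp.IsMember(usr.ADsPath)
    If blnWanted And Not blnIsMember Then
        WScript.Echo "ADD    " & usr.Name & " -> " & grp.Name
        If Not blnReportOnly Then grp.Add usr.ADsPath
    ElseIf (Not blnWanted) And blnIsMember Then
        WScript.Echo "REMOVE " & usr.Name & " <- " & grp.Name
        If Not blnReportOnly Then grp.Remove usr.ADsPath
    End If
End Sub

' Case-insensitive test for a DN in an array of DNs
Function InList(arr, strValue)
    Dim item
    InList = False
    For Each item In arr
        If StrComp(item, strValue, vbTextCompare) = 0 Then
            InList = True
            Exit Function
        End If
    Next
End Function
```

Run it under an account delegated only the right to modify membership of the listed groups, and keep the ADD/REMOVE output as a change log.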
[ActiveDir] Automagic Security groups.
I am almost looking for a query based Security Group, similar to Distribution Groups. It would save me a ton of time if when I moved a user from OUone to OUtwo if it would/could strip that user of all their old groups and drop them into the new groups, based upon what OU the user account currently resides in. 15 schools, students moving from school to school all year long... it would save us a ton of time. In fact I could delegate the move and have others do it. It would be the last part of the puzzle to making these moves near zero administrative overhead. Any ideas?

Jim Kennedy
RE: [ActiveDir] OT: Roaming Profiles
I think MS is consistent here. PSTs are not supposed to be used over a LAN, they corrupt very easily. The Outlook plug-in backs up your local PSTs to a network drive, so you are not using them over the network, just copying them over the network.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Monday, February 06, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

That's interesting...I have been doing exactly what the article states one can't.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, February 06, 2006 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

Don’t you just love Microsoft……..

Personal folder files are unsupported over a LAN or over a WAN link
http://support.microsoft.com/?kbid=297019

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Navroz Shariff
Sent: 06 February 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

Frank,

Below is a link to MS Outlook plugin that when configured, will automatically archive folders to a network share at regular intervals, making it easy to keep all of your Outlook folders safely backed up.

http://www.microsoft.com/downloads/details.aspx?FamilyId=8B081F3A-B7D0-4B16-B8AF-5A6322F4FD01&displaylang=en

-Nav

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Monday, February 06, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

No need to apologise, I blame Spielberg anyway.

frank

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Sorry - wasn't sure if it's your real name. If I'd choose a fake name for a community yours is in the top10 ;-) Hope you don't mind.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

Ulf & everyone, thanks for your responses, roaming profiles are mandatory here, if we were to take this away, all hell would break loose. I guess educating them to store files elsewhere would be a good start.

thanks
Frank

Ulf - you are not the first to mention Carl Hanratty, you won't be the last!

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Hi Frank, with those large roaming profiles you need to

1. educate your users
2. question the use of roaming profiles

In fact I've seen a lot of companies who tend to stick to local only profiles in the recent past. Roaming profiles are great - however I see them in infrastructures where people are moving around on multiple computers a lot, and where they don't have that many individual applications. I would use roaming profiles for the production workers who are spending not a lot of time on the computer and might share a pool of computers, however for the regular office worker and the board of directors I'd use local profiles since they tend to work on the same computer a lot and also travel a lot. Educate them not to store their critical data within the profile, and maybe a desktop backup software which is taking care of their profile and data when connected comes in handy too.

Carl Hanratty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 10:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all, I have a question regarding Roaming Profiles. Our environment currently has 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines. I like the concept of roaming profiles, however some of our users have profiles ranging from 5mb - 200mb, some even with 1GB profiles. Because a lot of our users log on to different computers at different sit
RE: [ActiveDir] Wireless and logon script
What about disabling fastlogon. Just a thought.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Monday, February 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Wireless and logon script

Are there any errors in the app log? If so what are they? You may want to enable userenv logging for more detailed info. Two things come to mind. One thing is that you may want to disable media sense. See 239924 How to disable Media Sensing for TCP/IP in Windows http://support.microsoft.com/default.aspx?scid=kb;EN-US;239924 . I've seen this a few times on gigabit nics and wireless nics. The other is slow link network detection. If windows thinks that you have a slow link it won't process logon scripts. The userenv log would tell you if that is the case. If someone configured the slow link setting in a policy then that could cause your problem if the nics are not working properly.

If you want to enable userenv logging try this kb: 221833 How to enable user environment debug logging in retail builds of Windows http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Tim Hines

- Original Message -
From: Creamer, Mark
To: ActiveDir@mail.activedir.org
Sent: Monday, February 06, 2006 10:48 AM
Subject: [ActiveDir] Wireless and logon script

Can someone explain the mechanics of the logon for me, when the user is on a wireless connection? We have Cisco Wireless Access Points, and a Cisco ACS, but I haven’t been involved with their setup. Basically the deal is when a user logs in to a wired LAN connection, the logon script always runs. When they log on with wireless, the logon script does not run. To me as a casual observer, it looks like the authentication does not happen until after a cached logon takes place and the user attempts to reach a resource requiring authentication, such as Exchange.

Thanks,

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
RE: [ActiveDir] ADUC updates - Was Expired Accounts
Consistently remember the last domain controller I connected to, and reconnect to it when I start it back up.
RE: [ActiveDir] DC
I would place it on server 8. I would rather have a 'pure' dc somewhere, even if I had to resort to using a beefed up desktop. In fact at my last job, a shop similar in size to yours that is exactly what I did. If that is not possible, it goes on Server 7 from what I see below.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelli Driesenga
Sent: Wednesday, January 11, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC

All - We are in the process of updating our network and moving services around a bit. What I will have is:

Server 1 = Exchange 2003 Ent. Server
Server 2 = SQL Server also running IIS
Server 3 = Network controller running our Application Server, License Server (AutoCad), Primary DC, network printers and antivirus
Server 4 = Disaster Recovery Server
Server 5 and 6 = NAS
Server 7 = Backup Server running Veritas Backup Exec

Now my question is, where would you place your secondary DC? Also, does the layout of services look good?

For clarification - Server 4 is going to be running VMWare workstation on it. We plan on using P2V to take monthly or bi-monthly (not sure yet) images of our servers and place them here in case any of the other servers go offline because of hardware failure. We'd be able to turn on the virtual server and run it until we can get the other back online. It's our way of showing TPTB that virtual is the wave of the future. (We're trying to show them that blades and virtual is the way to head.) If I did put the secondary DC there, it would run along side VMWare Workstation .. not on it.

BTW - We are a very small shop, only 75 users and only one site working 8-5, M-F. Our main product run is Revit (autocad product) which runs a license from the server but the application is run locally. We don't put too much of a strain on our network overall.

Kelli
Design+ Architects + Electrical Engineers + Mechanical Engineers + Landscape Architects + Interior Designers
201 Ionia Ave S.W. · Grand Rapids, MI · 49503-4136 · 616.458.0875 · 616.458.2806 fax
RE: [ActiveDir] Domain Demotion (Removal) Best Practices
The below is exactly what I did, with one addition. When I demoted the last DC I also turned off one DC from the remaining domain. I too was worried about the process and asked many questions here and elsewhere. The whole thing turned out to be a non-event.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, January 09, 2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Demotion (Removal) Best Practices

At the moment you think "I could remove the domain now" don't do that, but shut down the DCs to see what breaks. Of course you need to ignore errors concerning replication with that domain. If after a while (some days) nothing or nobody has started screaming then you could demote the DCs. Don't forget to remove the DNS delegation and to select the option "this is the last DC of this domain" (or something that sounds like it) when demoting the last DC. Checking this option makes sure the existence of the domain is removed at the domain naming master. So also make sure that FSMO is available.

Jorge

From: [EMAIL PROTECTED] on behalf of Ibarra, Juan
Sent: Mon 2006-01-09 17:49
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Demotion (Removal) Best Practices

Hi, we are in the process of removing several old domains that still contain some servers and services accounts on them. All active users have been migrated off to a new parent domain. Are there any best practices, things I need to be aware or concerned about before starting this process?

Thanks,
Juan
RE: [ActiveDir] OT: Patch Management
The specs requirements listed seem to be overkill to me. Also, you can work around that by approving the updates in groups, or applying them to computers in phases. The integration with GPO and the fact you can set it up and roll the whole thing out from your chair are worth the effort.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pohlschneider, Chris
Sent: Friday, January 06, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Patch Management

Does anyone have recommendations for patch management software that could be installed on a desktop type system to manage a network with 120 nodes for updates and patches. I was looking at WSUS, but the requirements are that you need a server OS, plus the minimum requirements were pretty stout.

Thanks in advance for recommendations!!

Chris Pohlschneider
Network Administrator
Cenveo-Sidney
937-497-2136
[EMAIL PROTECTED]
RE: [ActiveDir] OT: WMF issue - patch on the 10th
My son is hard core on the security side. He has tested the heck out of their patch. He claims the patch works and is a clean uninstall. No comment on if it breaks anything else.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Salisbury
> Sent: Tuesday, January 03, 2006 3:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
>
> I recommend taking a look at the SANS Internet Storm Center (http://isc.sans.org/) write up as well, including information regarding an unofficial patch that is now available in MSI installer format.
>
> Jeff
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
> Sent: Tuesday, January 03, 2006 12:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
>
> http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> January 10th...is the target.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Navroz Shariff
> > Sent: Tuesday, January 03, 2006 3:17 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
> >
> > Regarding the June 10 WMF exploit patch release, can someone please point me to Microsoft's article regarding the release.
> >
> > Thanks,
> >
> > Nav
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley
> > Sent: Tuesday, January 03, 2006 12:33 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OT: WMF issue - patch on the 10th
> >
> > What's Microsoft's response to the availability of third party patches for the WMF vulnerability?
> > Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.
> >
> > As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft's security updates are offered in 23 languages for all affected versions of the software simultaneously.
> >
> > Microsoft cannot provide similar assurance for independent third party security updates.
> >
> > Why is it taking Microsoft so long to issue a security update?
> > Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.
RE: [ActiveDir] OT: WMF issue - patch on the 10th
http://www.microsoft.com/technet/security/advisory/912840.mspx

January 10th...is the target.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Navroz Shariff
> Sent: Tuesday, January 03, 2006 3:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
>
> Regarding the June 10 WMF exploit patch release, can someone please point me to Microsoft's article regarding the release.
>
> Thanks,
>
> Nav
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley
> Sent: Tuesday, January 03, 2006 12:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: WMF issue - patch on the 10th
>
> What's Microsoft's response to the availability of third party patches for the WMF vulnerability?
> Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.
>
> As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft's security updates are offered in 23 languages for all affected versions of the software simultaneously.
>
> Microsoft cannot provide similar assurance for independent third party security updates.
>
> Why is it taking Microsoft so long to issue a security update?
> Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.
RE: [ActiveDir] Persistent Drives
Sorry, I missed this part:

net config server /autodisconnect:65535

On the workstation you want

net config workstation /autodisconnect:65535

I think.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
Sent: Monday, December 12, 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Persistent Drives

The persistent command you are using does not keep the drive connected when logged on...it makes the mapping stick the next time the user logs on. Same as the 'reconnect at logon' box if you do the mapping manually via My Computer.

I would advise against that setting in your logon script. If you go to move a user's mapped folder and redo their logon file...the old drive might still be there in XP and it often won't be replaced. So you have to add 'net use * /delete /y' to clear the old mappings. And that can even be hit or miss if you are using fastlogon with XP.

As for your disconnect problem, take a look at the net config server/workstation commands on the workstation. XP auto disconnects mapped drives after a certain period of inactivity and reconnects if the user accesses it. This will confuse some programs to think the drive is no longer there.

net config workstation ?
net config server ?

to see the syntax.

JK

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of George Arezina
Sent: Monday, December 12, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Persistent Drives

Hi folks,

Scenario: Scripts run at logon on Windows XP desktops, defined through a GPO (Windows 2003 AD). Within the scripts I have mapped certain drives:

Example:
NET USE P: \\X\Bob /persistent:yes
NET USE I: \\X\Joe /persistent:yes
NET USE M: \\X\Dick /persistent:yes

However, after a certain amount of time, the mapped drives lose connections. I have run the following command on my W3K server and XP box: net config server /autodisconnect:65535. However, users still lose their connections after a certain period.

Is there any way to make the above connections persistent? Persistency is required because one application pulls certain data from these drives.

Thanks in advance.

George
RE: [ActiveDir] Persistent Drives
The persistent command you are using does not keep the drive connected when logged on...it makes the mapping stick the next time the user logs on. Same as the 'reconnect at logon' box if you do the mapping manually via My Computer.

I would advise against that setting in your logon script. If you go to move a user's mapped folder and redo their logon file...the old drive might still be there in XP and it often won't be replaced. So you have to add 'net use * /delete /y' to clear the old mappings. And that can even be hit or miss if you are using fastlogon with XP.

As for your disconnect problem, take a look at the net config server/workstation commands on the workstation. XP auto disconnects mapped drives after a certain period of inactivity and reconnects if the user accesses it. This will confuse some programs to think the drive is no longer there.

net config workstation ?
net config server ?

to see the syntax.

JK

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of George Arezina
Sent: Monday, December 12, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Persistent Drives

Hi folks,

Scenario: Scripts run at logon on Windows XP desktops, defined through a GPO (Windows 2003 AD). Within the scripts I have mapped certain drives:

Example:
NET USE P: \\X\Bob /persistent:yes
NET USE I: \\X\Joe /persistent:yes
NET USE M: \\X\Dick /persistent:yes

However, after a certain amount of time, the mapped drives lose connections. I have run the following command on my W3K server and XP box: net config server /autodisconnect:65535. However, users still lose their connections after a certain period.

Is there any way to make the above connections persistent? Persistency is required because one application pulls certain data from these drives.

Thanks in advance.

George
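The stale-mapping cleanup described in the reply above, written out as an added example logon script that is not part of the original thread: it clears earlier mappings, then maps the three shares from the question with /persistent:no and records any failure. The :MapDrive label and the log file path are assumptions, and the script does not address the idle auto-disconnect.

```batch
@echo off
rem Added example logon script (constructed; not from the thread).
rem Share paths are the ones quoted in the original question.
setlocal

rem Drop mappings left over from earlier logons so a moved share is not
rem shadowed by a stale "reconnect at logon" entry in the user's profile.
net use * /delete /y >nul 2>&1

call :MapDrive P: \\X\Bob
call :MapDrive I: \\X\Joe
call :MapDrive M: \\X\Dick

endlocal
goto :eof

:MapDrive
rem %1 = drive letter, %2 = UNC path
rem /persistent:no keeps the mapping out of the profile, so this script
rem stays the single place where drive letters are defined.
net use %1 %2 /persistent:no >nul 2>&1
if errorlevel 1 (
    rem Hypothetical log location; pick one the help desk can read.
    >> "%TEMP%\drivemap.log" echo %date% %time% %username% failed to map %1 to %2
)
goto :eof
```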
[ActiveDir] Decomission a domain
Two domains in a forest, not a child/parent. Keeping the root of course, and want to 'un'-dcpromo the last two DCs in the other. All the computers and accounts and groups were moved over. The domain going away was the domain that had Exchange. Exchange was also moved over to the root domain.

Any sage advice before I do this? Gotchas I should be prepared for? We keep a DC offline, should I bring it up before I do this...or leave it off in case of a disaster.

Anyone done this, I really don't want 1500 XP machines hung at startup looking for the old domain. Not sure why, but this final step has me a bit anxious.
[ActiveDir] OT? Remote Assistance.
Trouble getting Remote Assistance going. XP w/ SP2 in a 2K3 domain. XP firewall disabled on both boxes.

Two computers for test. Both in the same OU. GPO forces offer and invite enabled with a group having the permissions. RSOP on both machines shows it is all taking effect. Both logged on users are local admins, and are in fact domain admins.

Invitations for Assistance work fine, in both directions. However Offer Assistance fails with 'Permission Denied'.

Been through everything here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;310629

Simple file sharing off and verified the groups and members are being passed down.

This one does not apply, that group policy is undefined. Tried defining it with the fix anyway, no change.
http://support.microsoft.com/?kbid=884910
http://support.microsoft.com/default.aspx?scid=kb;en-us;889248

Even fired up all the disabled services on both machines.