RE: [ActiveDir] AD and RIS

2005-06-10 Thread Michael Wassell



For your first question:

Verify these two settings:

1. Open up your ristndrd.sif in \\(RISSERVER)\REMINST\Setup\English\Images\(ImageName)\i386\templates
   Under the [UserData] section there should be a line that reads:

   ComputerName = %MACHINENAME%

2. Open the properties of the RIS server computer object in AD
   Select the Remote Install tab
   Click the Advanced Settings button
   On the "New Clients" tab (default), you will have the option to generate the computer name using a variety of different options.

One will not work properly without the other, so you have to be sure that both have been set.

Also, if you do a bit of research you can enable the custom.osc menu when booting into RIS which will allow you to be able to specify the computer name, the OU you would like the computer object to be created in and pretty much anything else you can think of.

I hope that helps.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Friday, June 10, 2005 5:48 AM
To: ActiveDir@mail.activedir.org
Subject: AD and RIS

One for all you RIS experts out there. When I rebuild a workstation, using the same name, it creates a new duplicate entry in the default computers "OU", instead of using the existing entry.

Secondly, I'd like to set a default OU for newly built machines. I've tried setting it in the RIS properties in the AD - but again, it creates two entries - one in computers, and one in the specified OU. Ideally I'd like to be able to enter this on the RIS setup screens - but that might be pushing it?

TIA
Dan.

The 
contents of this email and any attachments do not necessarily represent the 
views or policies of Ibstock Place School, its employees or pupils. They 
are intended for the confidential use by the named recipient only and may be 
legally privileged and should not be communicated to, or relied upon by, any 
other party without our written consent. Although this message is believed 
to be virus free, Ibstock Place School does not accept liability for any damage, 
loss or cost caused by software viruses. If received in error, please 
advise the sender immediately and delete all record of it from your 
system. 


RE: [ActiveDir] AD and RIS

2005-06-10 Thread Michael Wassell



Yes there is but it is a static option. The option is MachineObjectOU and can be entered under the [Identification] section of the ristndrd.sif file.

The better choice may be to use a customized custom.osc if you have multiple possible OU's for the machine object to be created in.

Download the Windows XP SP2 Deployment Tools from MS website, the archive includes ref.chm which includes documentation for all RIS preferences.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Friday, June 10, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD and RIS


These are as you say - they are the default settings, but I 
still have the problem. Also, there has to be an entry in the .sif file 
for anything you want to manipulate with variables - not sure the OU one is 
possible, but I may be wrong

Dan.


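A small checker for the two template entries discussed in the messages above: [UserData] ComputerName and the optional [Identification] MachineObjectOU. This is an added example, not code from the thread; the sample templates and the example.com OU are constructed, and requiring MachineObjectOU to be a full distinguished name is an assumption.

```python
import re

# Constructed sample templates (not taken from the thread).
GOOD_SIF = r'''
; constructed example of a RIS answer-file template
[UserData]
    FullName = "%USERFIRSTNAME% %USERLASTNAME%"
    ComputerName = %MACHINENAME%

[Identification]
    JoinDomain = %MACHINEDOMAIN%
    MachineObjectOU = "OU=Workstations,DC=example,DC=com"
'''

BAD_SIF = r'''
[UserData]
    ComputerName = *

[Identification]
    JoinDomain = %MACHINEDOMAIN%
    MachineObjectOU = Workstations
'''

SECTION_RE = re.compile(r'^\[(?P<name>[^\]]+)\]$')

# Assumption: the OU is given as a full distinguished name,
# one or more OU=/CN= parts followed by one or more DC= parts.
DN_RE = re.compile(
    r'^(?:(?:OU|CN)\s*=\s*[^,=]+,\s*)+'
    r'DC\s*=\s*[^,=]+(?:,\s*DC\s*=\s*[^,=]+)*$',
    re.IGNORECASE,
)


def parse_sif(text):
    """Parse an INI-style .sif file into {section: {key: value}}.

    Section and key names are lower-cased because answer files are
    case-insensitive; surrounding double quotes are stripped from values.
    Lines starting with ';' are treated as comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group('name').strip().lower(), {})
            continue
        if current is None or '=' not in line:
            continue  # key outside any section, or a line without a value
        key, value = line.split('=', 1)
        current[key.strip().lower()] = value.strip().strip('"')
    return sections


def check_template(text):
    """Return a list of findings for the two settings named in the thread."""
    sif = parse_sif(text)
    findings = []

    # Setting 1: the template must take the name RIS generates.
    name = sif.get('userdata', {}).get('computername')
    if name is None:
        findings.append('[UserData] ComputerName is missing')
    elif name.upper() != '%MACHINENAME%':
        findings.append(
            f'[UserData] ComputerName is {name!r}, expected %MACHINENAME%')

    # Setting 2 (optional, static): where the computer object is created.
    ou = sif.get('identification', {}).get('machineobjectou')
    if ou is not None and not DN_RE.match(ou):
        findings.append(
            f'[Identification] MachineObjectOU {ou!r} is not a distinguished name')

    return findings


if __name__ == '__main__':
    for label, sample in (('good', GOOD_SIF), ('bad', BAD_SIF)):
        problems = check_template(sample)
        print(label, '->', problems or 'OK')
```

The check only covers the template side; the naming option on the RIS server's "New Clients" tab still has to be verified in AD.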


RE: [ActiveDir] Ocra

2005-05-02 Thread Michael Wassell
http://www.winisp.net/astebner/bin/orca.msi 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Sunday, May 01, 2005 4:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ocra

Hi,

I need Orca to edit an MSI file, the only way it seems I can get it is
by downloading the whole SDK (400 MegaBytes), it's not even on TechNet,
does anyone know of a way to get only the Orca file?

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Branch Office Guide

2005-03-31 Thread Michael Wassell



http://tinyurl.com/2qr55


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, March 31, 2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Branch Office Guide

Hi

Am I correct that the most recent AD Branch Office Guide from Microsoft is the Windows 2000 version? I could not find a 2003-specific guide.

Thanks.

-- nme



RE: [ActiveDir] Using GPO to install an MSI package

2005-02-15 Thread Michael Wassell



cough job security /cough

Yes that would make application deployments much easier :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, February 15, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package

Envision my utopia - all apps, in order to get a Designed for XP logo need to meet some requirements:

  - Come with an MSI installer or have one that's easily extractable from an EXE.
  - Come with an .ADM file for configuring options
  - Run under a non-privileged user account.

How nice would that be? Think about it, you spent several hours preparing your package, and tracking down the required permissions. Multiply that by all the admins that would like to run in a secure environment and multiply that by all the apps that need special perms to run. Add to that all the time spent making MSIs of legacy installs. Then you'll get some idea of the YEARS of man hours wasted trying to make things manageable in a secure enterprise environment. Compare this to the comparatively minuscule amount of additional time needed to build things right.

It would take relatively no time for developers to issue their installs as MSIs in addition to EXEs. It might take a bit of time to create an ADM file, but still relatively little since they have intimate knowledge of the app and where it reads settings from. The biggest issue would be redesigning their apps to work as non-privileged users, but even that could be mitigated if they would at least publish a list of special perms needed or at the very least, every file and registry entry that's part of their app so that we could give full control to Users over those objects.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 15, 2005 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Using GPO to install an MSI package

I really appreciate everyone's input on my situation.

I did get it to work, in short, because of everyone's help here. Thanks!

Here's what I did:

I contacted Intuit (maker of Quickbooks) and wasted 55 minutes on hold and another 10 minutes on hold after a rep answered the call only to find out absolutely nothing other than what a waste it is to have a "support" contract with Intuit. Apparently the employees in product development are too busy improperly coding new programs to talk to those who actually [try to] use their stuff.

I determined that I needed to find out if the program explicitly looks for the user to be a local PU or Admin, since, if it did, as someone pointed out, we'd be SOL. I created a test OU, created a test GPO and applied it to that OU. I created a test group and a test user and put him in the group, and added the user (and test machine) to that OU. I then gave the test group full permissions to the C:\ drive (FS) and \\classes_root \\machine \\user (registry) and logged in as the test user on the test box to see if it could run under the non-PU and non-Admin context. It worked. Now that that was known, it was time to filter down. I removed the permissions for C:\ (FS), \\machine and \\user and tried again - it still worked, so now I have to figure out which keys were being written to in classes_root, so I ran regmon and after an hour of trying to decipher what it used and what it didn't, and making a long list in the test GPO permissions, I got it to work. I think it took longer to enter the registry keys in the GPO than it did to find out what was needed as far as permissions go (sigh). Did I mention how much I hate Intuit products?



  
  - Original Message -
  From: Jason B
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, February 15, 2005 8:44 AM
  Subject: [ActiveDir] Using GPO to install an MSI package

  Okay, our environment is that all our clients are running Windows XP SP2, and our servers are Windows 2003. The situation is that our Accounting department uses Quickbooks, and about 70 of our employees need to use an application that comes with Quickbooks called "QB Timer". It's free for use for our employees and it integrates with Quickbooks without requiring a Quickbooks install on each machine. Now, the quandary: according to Intuit/Quickbooks, the program requires at least Power User permissions to install and run. Neither I, nor our CIO are willing to give local Power User permissions for these users, as that opens things up to too many potential problems, but our CFO and COO are REQUIRING the use of this application, or a similar one that integrates with Quickbooks. Now, the QBTimer is free, which is good, so that's the *preferred* app to use. It comes as an exe with a few other files, so I used WinInstall LE 2003 on a clean XP SP2 machine to package it into an MSI file. That worked well, and I can install

RE: [ActiveDir] Automate Computer Name Changes

2005-02-14 Thread Michael Wassell



Is it safe to assume that RIS is not an option?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, February 14, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes

Dan-

You can certainly script this with netdom. If you want to use sysprep, you could set the company name to be that dny01pd, and then sysprep will populate the rest with random crap.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101


From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Mon 2/14/2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automate Computer Name Changes

I have not been able to find a way to sufficiently solve the following problem: automatically changing computer names after imaging. I would like to reassign computer names based on a company naming convention plus variable. So a computer name would be something like dny01pd***, with the asterisks representing an automatically assigned number. As far as I know, Sysprep does not allow this; it will only allow you to assign a random name, which is not acceptable. I am not using unattended installations so I cannot use .udb files to assign computer names. I have been using GhostWalker to rename and join the PCs to a domain after imaging, but it just randomly-assigns numbers for the variables. This is a little better, but GhostWalker doesn't increment the numbers, nor does it check the network for duplicate names (or so I'm told by Symantec support).

Ideally, what I would like is some program or script or whatever, that can be run after imaging that will assign computer names consecutively or will consult a file for a list of names; then go and check on the network for a duplicate name preferably by fqdn - and ideally, be able to join the PC to a domain and assign it to a specific OU as icing on the cake. Does anyone know of a tool that will do this? (Are you working on something like this, Joe?)

I am also curious about how others currently handle imaging and automatic computer naming.

Dan DeStefano


RE: [ActiveDir] RIS Unattended (Was: Automate Computer Name Changes)

2005-02-14 Thread Michael Wassell



You may want to do a bit of research into RIS Dan, more specifically the [Components] portion if that is the type of customization you are referring to.

Here is a URL that I keep handy:

http://tinyurl.com/3p8g9

As for any registry changes, that can be scripted fairly easily.

Software deployment can be accomplished a number of ways. If you want to keep it simple you could use Riprep but I personally am not very keen on it.

Keep in mind though, your machines have to have PXE-compatible NICs, or a NIC that is supported by the RIS boot floppy.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, February 14, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RIS Unattended (Was: Automate Computer Name Changes)

I'd be interested in the customizations you're unable to make using RIS.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, February 14, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes

I would prefer not to use RIS as there are a lot of customizations that I make to the OS, many of which cannot be done with unattended installation via RIS (or, at least I do not know of any way).

Dan








RE: [ActiveDir] Crazy question

2005-01-13 Thread Michael Wassell



This should help

http://www.google.com/search?q=migrate+NT4+to+2003sourceid=mozilla-searchstart=0start=0ie=utf-8oe=utf-8client=firefox-arls=org.mozilla:en-US:official


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Smith
Sent: Thursday, January 13, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Crazy question

I have been asked this from a friend of mine and wasn't sure of the outcome even though I have told him not to go ahead. I was just interested in the implications and whether it can be done.

He has a customer with an existing NT4 domain one PDC that's it. He has bought a brand new box and installed W2K3 dcpromo'd the thing and set up users, thinking he could just add the box to the existing domain and everything would be okay to migrate the users and data over.

I know this sounds pretty crazy, but it got me thinking what would the implications of doing this and what is the best procedure for him at this stage. If any.

Gary








RE: [ActiveDir] OT: helpdesk software

2004-11-02 Thread Michael Wassell
Liberum is a nice, free alternative if open-source is an option,
although production on the project has slowed quite a bit over these
past few months the software is still very functional and does meet all
of the requirements that you mentioned.

http://www.liberum.org/  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, November 02, 2004 10:19 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: helpdesk software

I'm looking into helpdesk software.
I need integration into active directory, a web interface, and the
biggest issue.
I want to be able to use email to open and track the tickets. I want the
user to be able to send an email to an internal email address, the tech
replies to the email which gets sent back to the helpdesk app. The tech
and the user can continue to use email to correspond back and forth.
Each time the emails pass though the helpdesk software and the thread is
tracked so it can be viewed in the helpdesk app.

Anyone seen/use anything like this?

Thanks,jb
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-27 Thread Michael Wassell
A lot of people have turned away from PestPatrol since CA bought them
out.  Also, there has been a lot of discussion over on the Sunbelt lists
about a corporate spyware suite that is approaching its final stages of
development you might want to look into that.

http://www.sunbelt-software.com/

Stu dropped a little hint a while ago...

http://beta.sunbelt-software.com/

If you click Register you can request to be a Beta tester for a software
package called CounterSpy.  That may be something you want to look into.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Wednesday, October 27, 2004 3:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

PestPatrol

www.pestpatrol.com

See what you think.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Orlando
Sent: Wednesday, October 27, 2004 1:59 PM
To: Active Directory Mailing List
Subject: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

What are all of the hard core administrators out there doing about
the pop-ups and spyware?  I need a good enterprise wide solution.

Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools




***
 The contents of this communication are intended only for the addressee
and may contain confidential and/or privileged material. If you are not
the intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed
by it.  

*** 




RE: [ActiveDir] Service Pack 2

2004-10-12 Thread Michael Wassell



Yeah I noticed this as well with 1 of my test machines 
using SP2. It seems like SP2 might detect an ACPI Power Button device, 
while pre-SP2 machines do not.

Go figure :-P


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, October 11, 2004 5:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Service Pack 2

Hello!

We have recently been testing SP2 on our machines and have found some weird issues post-install. Specifically, Windows prompts the user for the New Hardware Found Wizard. In some cases, after 4 or 5 reboots, the hardware is found and installed. In other cases the only quick fix is to roll the system back to a state before the SP2 install.

Has anyone else run into this problem? We've had several successful installs and there really doesn't appear to be any consistency with this issue.

Any help is greatly appreciated!

Thanks!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.



[ActiveDir] Exclusive GPO Processing

2004-10-08 Thread Michael Wassell




Is anyone aware of any way to force a GPO to only process for a user on a specific machine?

For example:

User A logs onto Machine A and GPO does not apply
User A logs onto Machine B and GPO applies

Real world scenario:

User A logs onto Desktop and Default Domain GPO applies. Roaming GPO does not apply.
User A logs onto Laptop, Default Domain GPO does not apply, Roaming GPO applies which causes My Documents to redirect back to the local user profile.

I have tried to create a WMI filter which checks the local machine to see if a PCMCIA slot exists, but that does not seem to be working. I have also tried to assign user accounts and computer accounts membership to separate security groups and have the GPO only apply to those security groups but that does not work either. (I know why but I was hoping the GPO would see the WMI filter and stop there, no such luck ;-))

Thanks!


RE: [ActiveDir] Exclusive GPO Processing

2004-10-08 Thread Michael Wassell



Just so everyone knows, My Documents redirection takes place on the HKCU hive, so the GPO processing would have to apply to the user account based on which machine they log onto. Life's a b*tch... (sometimes)

Moving the computer objects to separate OU's and linking separate GPO's wouldn't work because that would only apply to computer (HKLM) objects (obviously) :-(

I've been doing a bit of reading into GPO loopback processing but I don't know too much about it and I haven't done any testing, could that be a possibility?




RE: [ActiveDir] Exclusive GPO Processing

2004-10-08 Thread Michael Wassell



Yes I actually already have that KB article open in a separate window lol.

Okay thanks for your suggestion Darren. I'll look into it.

P.S. - Please disregard the other email (gpoguy), you have already answered it.

Thanks again.

Michael


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 08, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exclusive GPO Processing

Michael-
What you're describing is essentially what loopback policy is for. Enabling loopback on a computer (loopback is a computer-specific policy) will let you say, "Apply a different user policy for this machine only". There are some good docs on Microsoft's site describing how to implement loopback. Check out KB 231287 as a starting point.

Darren




[ActiveDir] Screensaver GPO not applying?

2004-10-04 Thread Michael Wassell



I posted this elsewhere but have gotten no responses yet. Thought I would post it here also to try to gather some opinions.

Workstations are mixed 2000 / XP professional. DC's are Windows 2003 and domain is running in Windows 2003 native mode.

Desired screensaver is logon.scr. Default installation path for logon.scr is %SYSTEMROOT%\System32\. Path is not specified in GPO, only filename.

RSoP shows that the policies are processing properly. The setting seems to apply properly to XP machines but not to 2000 machines.

Has anyone else seen or heard of this problem before?

I did find a MSKB article regarding the symptom, but it only mentions that the symptom occurs in Windows 2000 domains, and pre-SP3 Windows 2000 machines, neither of which are the case. For anyone curious here is a link:

http://support.microsoft.com/?kbid=305357

Michael Wassell
Network Administrator
PT Marketing Group
Pittsburgh, Pennsylvania 15222
Phone: 412-471-8995 / Fax: 412-471-8695



RE: [ActiveDir] Screensaver GPO not applying?

2004-10-04 Thread Michael Wassell



Hmm.. I thought if the files were located in that location the path did not need to be specified.

I'll give it a shot...

Thanks!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, October 04, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Screensaver GPO not applying?

You must have in the GPO %systemroot%\system32\logon.scr for this to work correctly. Just having the file name will not work. This is how I do it and I have no problems.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Monday, October 04, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Screensaver GPO not applying?


I posted this elsewhere but have 
gotten no responses yet. Thought I would post it here also to try to 
gather some opinions.




Workstations are mixed 2000 / XP 
professional. DC's are Windows 2003 and domain is running in Windows 2003 
native mode.



Desired screensaver is 
logon.scr. Default installation path for logon.scr is 
%SYSTEMROOT%\System32\. Path is not specified in GPO, only 
filename.



RSoP shows that the policies are 
processing properly. The setting seems to apply properly to XP machines 
but not to 2000 machines.



Has anyone else seen or heard of 
this problem before?



I did find a MSKB article regarding
the symptom, but it only mentions that the symptom occurs in Windows 2000 
domains, and pre-SP3 Windows 2000 machines, neither of which are the case. 
For anyone curious here is a link:



http://support.microsoft.com/?kbid=305357


Michael Wassell
Network Administrator
PT Marketing Group
Pittsburgh, Pennsylvania 15222
Phone: 412-471-8995 / Fax: 412-471-8695




RE: [ActiveDir] robust alternative to rcmd

2004-09-22 Thread Michael Wassell
Psexec maybe?  (Part of the PSTools suite)  http://www.sysinternals.com/


CPAU might also come in handy  http://www.joeware.net/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, September 22, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] robust alternative to rcmd

I'm looking for a remote command tool - something that I can use in a
script from one machine to launch a process like ntbackup on another.
RCMD (res kit) keeps dying on the client side. Any ideas of a good
alternative? Thanks!

Mark

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] robust alternative to rcmd

2004-09-22 Thread Michael Wassell
To expand on what joe said, have you considered using a scheduled task
with encrypted credentials?  That's why I referred to the CPAU utility.
Comes in very handy, especially for task repetition, as opposed to
manually executing the task using a remote task execution utility.  Also
does not require RPC communication as joe mentioned.

That would probably make life a lot easier for you, at least for
executing Ntbackup. 

Just a suggestion :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, September 22, 2004 9:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] robust alternative to rcmd

Do you know why RCMD keeps dying on the client? PSEXEC is an alternate
but the big win is that you simply don't need to have a server side
piece already installed, it installs it on the fly (keep that in mind
for slow WAN links). The client aspect is going to be the same.
Basically it opens a shell on the remote machine and pipes the
stdout/stderr to you and redirects stdin from you to the shell.

You might want to look at something that isn't rpc based such as telnet.


  joe


 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, September 22, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] robust alternative to rcmd

I'm looking for a remote command tool - something that I can use in a
script from one machine to launch a process like ntbackup on another.
RCMD (res
kit) keeps dying on the client side. Any ideas of a good alternative?
Thanks!

Mark



RE: [ActiveDir] OT: DHCP Export

2004-09-22 Thread Michael Wassell
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, September 22, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: DHCP Export

Does anyone know of a way to export information (specifically
reservations) from either 2k or 2k3 DHCP server?

I tried opening the MDB file from the backups directory with Access - no
joy.

I tried doing a netsh export from a 2k3 server. The example docs for the
netsh DHCP export show a tantalizing output file name of dhcp.txt, but
the output file is not text. Viewed in a hex editor, the export file
looks sort of like unicode, but notepad won't open it.

Any ideas? WMI?

Why do I ask? We are considering putting our network printers in DHCP
using reservations. I want to make sure I can get the data back out
later if needed.


RE: [ActiveDir] program to crate reports...

2004-09-20 Thread Michael Wassell
http://tinyurl.com/an6z maybe? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, September 20, 2004 12:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] program to crate reports...

Something like what Ecora does?  www.ecora.com 

I don't recall them being inexpensive, but is that the functionality? 

Check the archives as well as I believe somebody else posted a good
reporting tool a few months back.  Just can't recall the name. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 20, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] program to crate reports...

Hi, 
I'm actually searching for a program that could create reports
based on the structure of our AD. There are some nested groups and I
would like to get the global view of my AD using some kind of reports.
The preferred output would be to have something like arborescence, where
I could see the groups and the users memberships. 

Anyone know a good tool to create such report? 
I'm looking for already made scripts/softwares that are cheap, if
possible.

Thanks!


M. Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)





RE: [ActiveDir] Local admin acct

2004-08-26 Thread Michael Wassell
http://www.joeware.net/win32/index.html

CPAU another option possibly?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 26, 2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local admin acct

There's a tool called TCQRunAs ... might be helpful to hide the cmd set and the 
uid/pwd combination.  http://www.quimeras.com/default.asp?control=1

-m

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 25, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local admin acct

Get cusrmgr from the Support Tools (or is it Reskit). Put that in the netlogon share 
of one of your DCs.
 
Then create a batch file with the following:
@Echo off
%logonserver%\netlogon\cusrmgr -u administrator -P thepassword
goto :EOF
 
Now create (or edit) a GPO that assigns a machine Startup Script and tell it to use 
this batch file.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mike Hogenauer
Sent: Wed 8/25/2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Local admin acct



Curious does anyone have a script that will change the local admin password on all 
computers in the domain or point me to a good location?

 

Thank You 

 

Mike 
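
The startup batch file quoted in this thread keeps the new administrator password in clear text on the NETLOGON share, which authenticated domain users can read by default. The following Python script is an added example, not part of the original thread: it audits a local copy of logon and startup scripts for password-bearing command lines and masks the value in its report. The rule set, the file extensions and the sample lines (apart from the cusrmgr line taken from the thread) are assumptions constructed for illustration.

```python
import os
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    redacted: str  # source line with the password argument masked


# Each rule captures the password argument in group 1 (rule set is an assumption).
RULES = [
    # cusrmgr -u <account> -P <password>: the form used in the thread
    ("cusrmgr -P", re.compile(r"\bcusrmgr(?:\.exe)?\b.*?\s-P\s+(\S+)", re.I)),
    # net user <account> <password>; "*" (prompt) and "/switch" are not passwords
    ("net user",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+[^\s/]\S*\s+([^\s/*]\S*)", re.I)),
    # psexec ... -p <password>
    ("psexec -p", re.compile(r"\bpsexec(?:\.exe)?\b.*?\s-p\s+(\S+)", re.I)),
]

# %VAR% or %1: the value is supplied at run time, not stored in the script
VARIABLE = re.compile(r"^%(?:\w+%|\d)$")

# Script types to inspect (assumed set; extend for your environment)
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".kix"}

# Constructed sample: line 2 is the command from the thread, the rest is made up
SAMPLE = r"""@echo off
%logonserver%\netlogon\cusrmgr -u administrator -P thepassword
net user administrator /active:yes
net user svc_backup %NEWPW%
net user helpdesk Winter2004! /add
goto :EOF
"""


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per line that passes a literal password to a tool."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m or VARIABLE.match(m.group(1)):
                continue
            # Mask the secret so the audit report does not copy it around
            redacted = line[:m.start(1)] + "****" + line[m.end(1):]
            findings.append(Finding(path, line_no, rule, redacted.strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a local copy of NETLOGON/SYSVOL scripts and scan each script file."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            full = os.path.join(folder, name)
            # latin-1 maps every byte, so odd encodings never abort the scan
            with open(full, encoding="latin-1") as fh:
                findings.extend(scan_text(full, fh.read()))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])
    else:
        hits = scan_text("sample.bat", SAMPLE)
    for h in hits:
        print(f"{h.path}:{h.line_no}: [{h.rule}] {h.redacted}")
```

Run it with the path of a copied scripts folder as the only argument; without an argument it reports on the embedded sample.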

 

 



RE: [ActiveDir] Disable the download of SP2 ADM files

2004-08-11 Thread Michael Wassell
http://www.microsoft.com/downloads/details.aspx?FamilyId=8BCE6BBA-EA5D-4
425-89C1-C1CB1CCD463C&displaylang=en 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, August 11, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disable the download of SP2 ADM files

I am having problems locating the adm files that allow you to set
Group Policy to disable the download and installation of SP2.  

The MSFT article states -
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx

Group Policy allows IT administrators to centrally and flexibly define
and enforce settings across groups of systems and users. This ADM
template will allow customers who have implemented Group Policy (a
feature of Windows 2000 Server and Windows Server 2003 that is built on
Active Directory) to quickly disable and re-enable delivery of Windows
XP SP2 to systems across their organizations.

The IT administrator imports the provided ADM template using the 'GP
Edit' MMC Snap-in which makes available the new Group Policy settings to
disable and re-enable delivery of Windows XP SP2 via AU or WU. A Group
Policy object with the appropriate setting enabled can then be targeted
at the appropriate set of systems and the Group Policy mechanism will
automatically configure the target systems appropriately.

Apparently, they are provided by MSFT??? Maybe I am not reading this
right. Could you point me in the right direction?

Thanks,
Steve


RE: [ActiveDir] Disable the download of SP2 ADM files

2004-08-11 Thread Michael Wassell
Grrr.. Wrapping

http://tinyurl.com/4an3w 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, August 11, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disable the download of SP2 ADM files

http://www.microsoft.com/downloads/details.aspx?FamilyId=8BCE6BBA-EA5D-4
425-89C1-C1CB1CCD463C&displaylang=en 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, August 11, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disable the download of SP2 ADM files

I am having problems locating the adm files that allow you to set
Group Policy to disable the download and installation of SP2.  

The MSFT article states -
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx

Group Policy allows IT administrators to centrally and flexibly define
and enforce settings across groups of systems and users. This ADM
template will allow customers who have implemented Group Policy (a
feature of Windows 2000 Server and Windows Server 2003 that is built on
Active Directory) to quickly disable and re-enable delivery of Windows
XP SP2 to systems across their organizations.

The IT administrator imports the provided ADM template using the 'GP
Edit' MMC Snap-in which makes available the new Group Policy settings to
disable and re-enable delivery of Windows XP SP2 via AU or WU. A Group
Policy object with the appropriate setting enabled can then be targeted
at the appropriate set of systems and the Group Policy mechanism will
automatically configure the target systems appropriately.

Apparently, they are provided by MSFT??? Maybe I am not reading this
right. Could you point me in the right direction?

Thanks,
Steve


RE: [ActiveDir] Fileserver and Self-Executing Programs

2004-08-04 Thread Michael Wassell



The first thing that comes to mind is disabling Windows 
Installer for non-managed apps via GPO, considering you are already doing 
something similar as you had mentioned that may be the most viable 
solution.

Otherwise, I'm not sure if it's possible or how difficult it 
would be to implement but you could restrict the use of certain file extensions 
in the user folder tree which would prevent users from running executables for 
instance.

Just two ideas... I'm sure there will be 
more


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Wednesday, August 04, 2004 8:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fileserver and Self-Executing Programs


Within our domain, roaming profiles 
are used. The roaming profiles are limited to 10MB by means of a GPO. The 
user is also given a networked drive (K:\) that gives them an additional 40MB 
which gives them a grand total of 50MB of usable space when on their 
workstations. The 50MB limit is then enforced by Disk Quotas. The 
roaming profile data and the networked drive are both on the same 
machine.

The user logging into their workstation is not able to install applications
unless first approved. What I have noticed however is that users within the
domain are still managing to run unauthorized pieces of software. They are
doing this by copying the files to K:\. The application that they want to
use is a self executing program that does not need to write data to the
registry or modify the system in any way.

In one case, I noticed that a user is using FireFox. I installed the
software under the same user privileges and was able to do so but with a
warning that the application may not install correctly without Admin rights.
The application did install to the K:\ and worked correctly when it was
opened. The good thing about this was that anything that was written to the
registry was access denied.

So here is the question. How can I prevent users from installing these type
of applications to the K:\? When they do this, they are using resources on
the remote machine that shouldn't be. I could care less that they are using
more drive space since it will only affect them and their ability to write
more files to the remote machine or will prevent them from logging off of
their desktop until the space is cleared.

I don't have a problem putting fear into those who are doing this, but I
would rather just cut them off and keep my mouth shut if a solution is
available.

Any 
thoughts?

Thanks everyone for your 
replies,
Edwin


RE: [ActiveDir] KIX script and Active Directory

2004-07-23 Thread Michael Wassell



I'm sorry in advance. I don't mean to be rude, this is
just a suggestion.

I really think that you're making this more difficult than it
has to be by querying AD for specific user properties. Is there a
reason why you can't use a simple security group, assign membership according to
user location and use the InGroup function to determine what to do for whom
and build off of that accordingly?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Friday, July 23, 2004 3:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] KIX script and Active Directory


Sorry, after a long day I don't think I explained myself very well. Really
what I was getting at was that I no longer had the domain name to use as an
identifier to where a user's local office was as they were now merged. The
attribute/variable items were possible thoughts on where I could store new
information about the user's local office code eg. LN. This could then be
used to identify their local server e.g. LN-fileserver-01.

I think I have now found a way within kix using
$Object = CreateObject("ADSystemInfo") which returns me the username of the
user. This identifies their OU which I'm hoping with a little trimming etc I
will be able to extract their OU, thus identifying their location.

I'm still open to suggestions as I guess my code won't be the best in the
world! I was hoping to be able to read a different user attribute eg.
Physicaldeliveryofficename or employeeID but I have given up on that for
now.

Jacqui





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 22 July 2004 22:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] KIX script and Active Directory


I don't understand your 
question fully. You say you want to "set a variable" which will control drive 
mappings, but then you go on to say that you want to look up an attribute in AD 
to set the location. What attribute would that 
be?



Can you be more 
specific?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
  Sent: Thursday, July 22, 2004 2:31 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] KIX script and Active Directory

  I am working on a migration from NT4 to Windows 2003 which includes the
  collapsing of a number of domains into a single domain. Part of the
  existing NT4 login script uses the NT4 domain as a variable to setup things
  like users' drive mappings e.g. xx-fileserver-01 where xx is the domain
  code. These scripts are written in KIX. As I'm not the world's greatest
  code writer and there are a fair few login scripts I am looking for a way
  to set a variable that can be used by the login script to set the user's
  location without rewriting all of the scripts.
  
  I don't really want to use group membership - if I have to I would rather
  use an attribute in the active directory and look this up.
  
  Has anyone got any 
  advice?
  
  
  Many thanks in 
  advance
  
  Jacqui
  
  


RE: [ActiveDir] KIX script and Active Directory

2004-07-23 Thread Michael Wassell



Yes that's true also, administration will be a pain but as 
long as the scripts do not have to be changed frequently for any reason then you 
should just be able to set it and forget it (no pun intended) 
;-)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Friday, July 23, 2004 10:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] KIX script and Active Directory

If your users are organized by OU, you can create different 
GPOs for each OU and then use the Logon Script setting to give each one a 
different batch file.

Dave

--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
[EMAIL PROTECTED]
--



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Friday, July 23, 2004 7:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] KIX script and Active Directory


Please don't apologise, 
I agree with you. 

I have been tasked with 
trying to avoid the use of the groups for some reason. They didn't respond to 
the suggestion of the use of additional groups hence the reason for looking for 
the alternate method.

If only life were simple :-)


Jacqui






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: 23 July 2004 14:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] KIX script and Active Directory

I'm sorry in advance. I don't mean to be rude, this is just a
suggestion.

I really think that you're making this more difficult than it has to be by
querying AD for specific user properties. Is there a reason why you can't
use a simple security group, assign membership according to user location
and use the InGroup function to determine what to do for whom and build off
of that accordingly?




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Friday, July 23, 2004 3:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] KIX script and Active Directory

Sorry, after a long day I don't think I explained myself very well. Really
what I was getting at was that I no longer had the domain name to use as an
identifier to where a user's local office was as they were now merged. The
attribute/variable items were possible thoughts on where I could store new
information about the user's local office code eg. LN. This could then be
used to identify their local server e.g. LN-fileserver-01.

I think I have now found a way within kix using
$Object = CreateObject("ADSystemInfo") which returns me the username of the
user. This identifies their OU which I'm hoping with a little trimming etc I
will be able to extract their OU, thus identifying their location.

I'm still open to suggestions as I guess my code won't be the best in the
world! I was hoping to be able to read a different user attribute eg.
Physicaldeliveryofficename or employeeID but I have given up on that for
now.

Jacqui





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 22 July 2004 22:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] KIX script and Active Directory


I don't understand your 
question fully. You say you want to "set a variable" which will control drive 
mappings, but then you go on to say that you want to look up an attribute in AD 
to set the location. What attribute would that 
be?



Can you be more 
specific?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
  Sent: Thursday, July 22, 2004 2:31 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] KIX script and Active Directory

  I am working on a migration from NT4 to Windows 2003 which includes the
  collapsing of a number of domains into a single domain. Part of the
  existing NT4 login script uses the NT4 domain as a variable to setup things
  like users' drive mappings e.g. xx-fileserver-01 where xx is the domain
  code. These scripts are written in KIX. As I'm not the world's greatest
  code writer and there are a fair few login scripts I am looking for a way
  to set a variable that can be used by the login script to set the user's
  location without rewriting all of the scripts.
  
  I don't really want to use group membership - if I have to I would rather
  use an attribute in the active directory and look this up.
  
  Has anyone got any 
  advice?
  
  
  Many thanks in 
  advance
  
  Jacqui
  
  


RE: [ActiveDir] KIX script and Active Directory

2004-07-22 Thread Michael Wassell



If you want to continue using Kix scripting you can create 
security groups and assign the appropriate users to those security groups, 
afterwards use the InGroup (Kix) function and assign drive mappings etc. 
accordingly

At least that's one way of doing it


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Thursday, July 22, 2004 3:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KIX script and Active Directory


I am working on a migration from NT4 to Windows 2003 which includes the
collapsing of a number of domains into a single domain. Part of the existing
NT4 login script uses the NT4 domain as a variable to setup things like
users' drive mappings e.g. xx-fileserver-01 where xx is the domain code.
These scripts are written in KIX. As I'm not the world's greatest code
writer and there are a fair few login scripts I am looking for a way to set
a variable that can be used by the login script to set the user's location
without rewriting all of the scripts.

I don't really want to use group membership - if I have to I would rather
use an attribute in the active directory and look this up.

Has anyone got any 
advice?


Many thanks in 
advance

Jacqui




RE: [ActiveDir] How to change the computer name of a Domain contr oller

2004-06-29 Thread Michael Wassell



Yeah I did notice that there were a few records that were 
left after the procedure had been completed. Make sure you check all of 
the application directory partitions (_msdcs etc.) in DNS for any invalid 
records and delete if so.

It would be best to look through your entire DNS to make 
sure that all of the obsolete records were removed properly, it would also help 
to have secure dynamic updating enabled, that should help with some of the 
overlapping.

Also something worth mentioning, any DNS alias being used 
to direct requests to the servers' previous DNS name will have to be manually 
updated.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tieman, Harold A Mr ANOSC/FCBS
Sent: Monday, June 28, 2004 9:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] How to change the computer name of a Domain contr oller


I did this recently in 
a lab environment. DNS is left dirty after the process. Sort of a 
good/bad thing. Both names can be resolved to the same IP (old/new). 
Some cleanup will be in order eventually. Definitely suggest testing in a 
lab first.

-Al 

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Monday, June 28, 2004 5:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to change the computer name of a Domain contr oller

Just 
thought I'd chime in.

I have 
accomplished doing this only by first demoting the DC, forcing a domain sync, 
renaming (I chose to rebuild, as opposed to rename), and promoting afterwards 
with the new name.

From what 
I read MS doesn't support renaming a DC, only renaming the 
domain.

Not sure 
if this would apply, but, I think MS released a tool that modifies all of the 
registry/schema entries for Exchange after a server has been renamed, if it were 
me I wouldn't mess with it, but pick your poison. I renamed an Exchange 
server as well and I just ended up rebuilding/patching the server and the IS 
mounted fine afterwards.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manbinder Pal Singh
Sent: Monday, June 28, 2004 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to change the computer name of a Domain contr oller

I have to still try what others told me on this alias.
BTW it's rename of host and not the rename of domain. Both are
different.

Thank 
You
Manbinder



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kemokai, Saffa
Sent: Monday, June 28, 2004 5:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] How to change the computer name of a Domain contr oller

Yes but on 
W2K3 server as far as I know. Google for "domainrename" tool. If you can't find 
it, I can send it to you!



/Saffa/

  -Original Message-
  From: Manbinder Pal Singh [mailto:[EMAIL PROTECTED]
  Sent: Sunday, June 27, 2004 2:12 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] How to change the computer name of a Domain controller

  How to change 
  the computer name of a Domain controller? Is it possible to change? If yes 
  then is there any tool or step by step guide to do that? Is the process 
  different if DC is on w2k or w2k3?
  Thank You
  Manbinder
  


[ActiveDir] OT: LDAP routing through relay

2004-06-17 Thread Michael Wassell




I sent this question 
into a friend at Microsoft because it has me completely stumped. I thought 
I'd post it here as well to see if anyone else might have an 
idea.

I have 
a problem that should theoretically have been a simple resolution, but for the 
life of me I have not been able to figure it out. I have a server that is 
used to host the Intranet for the company, which also serves as a closed relay 
to relay mail from an internal application to the Exchange server. It is a 
Windows 2003 server w/ IIS 6.

A few months back I 
configured everything and it has been running fine ever since, as of yesterday 
afternoon it suddenly stopped working with no explanation. There are no 
errors logged, the mail is not backing up in the Exchange queue, the mail just 
seems to disappear once it is sent from the relay. I have tried enabling 
diagnostic logging on the Exchange server, but that was a no go. It 
doesn't even appear as though the mail is routed to the Exchange server at 
all.

I have tried 
manually relaying a message by telnetting to SMTP on the server (as well as 
others which I have configured for testing) and all of which are unable to 
relay. I have also tried changing the authentication methods, and using a 
different user account (including my own). 

The bugger is, I can 
relay directly through the mail server itself without any problems but I can't 
relay to it.

I'm about ready to 
pull out my hair on this one.

Thanks in 
advance!


[ActiveDir] Roaming GPO

2004-06-15 Thread Michael Wassell



Concern: One of the senior managers bought a 
laptop for herself to use as a home PC, as well as bring into the office 
regularly to use for convenience purposes.

Problem: The problem was aside from the obvious security issues involved
with doing that, domain-level GPO's which restrict users from access to
command prompt, opening certain applications from within the Help
application, as well as quite a few other Windows utilities that could
potentially be harmful have been blocked and enforced. The problem was
particularly relating to the restrictive GPO applying to the user account
when logging into the desktop, as opposed to logging into the laptop.
Instead of having 2 separate user profiles and confusing the user as to
which user profile should be used and where, I did this:

Solution:

1. Created a domain-wide GPO that applied to a specific security group in AD
to reverse certain restrictions if certain conditions are met
2. Assign the computer and user permissions to the group (to be sure that
the GPO is controlled and only applies for a specific user on a specific
computer)
3. Write a simple WMI filter to only apply to computers with a PCMCIA
controller (to prevent the policy from applying on the desktop).

And of course I 
"bulletproofed" the laptop as best I could to make sure that it's not going to 
become a mobile virus hive...However, I do not expect that the user 
will become infected as the only email she receives is from Verizon and from the 
company network, and she is not prone to visiting obscure websites or opening 
any suspicious attachments.

Reason for doing 
this was mainly because the same solution can be used for more than a single 
user with minimal configuration on the same laptop or on separate laptops 
without any issues and minimal security concerns.

I am wondering if 
there may be a better way of doing this?

Thanks in 
advance!
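
The WMI filter in step 3 can be checked by hand before it is linked to the GPO. The PowerShell below is an added example, not part of the original post: it assumes the filter query is `SELECT * FROM Win32_PCMCIAController` in `root\CIMv2`, and the function name `Test-WmiFilterQuery` and the computer names are hypothetical.

```powershell
# Added example (not from the original post). Evaluates a Group Policy WMI
# filter query by hand: a filter passes when its WQL query returns at least
# one instance in the given namespace.

function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Query,

        [string] $Namespace = 'root\CIMv2',

        # Optional remote target; when omitted the local machine is queried.
        [string] $ComputerName
    )

    $target = $env:COMPUTERNAME
    $cimArgs = @{
        Namespace   = $Namespace
        Query       = $Query
        ErrorAction = 'Stop'
    }
    if ($ComputerName) {
        $cimArgs['ComputerName'] = $ComputerName
        $target = $ComputerName
    }

    try {
        # @() forces an array so .Count is reliable for 0, 1 or many results.
        $instances = @(Get-CimInstance @cimArgs)
        [pscustomobject]@{
            Computer  = $target
            Passes    = ($instances.Count -gt 0)
            Instances = $instances.Count
            Error     = $null
        }
    }
    catch {
        # Query or connection failures are reported separately so they are
        # not mistaken for a clean "no PCMCIA controller" result.
        [pscustomobject]@{
            Computer  = $target
            Passes    = $false
            Instances = 0
            Error     = $_.Exception.Message
        }
    }
}

# Assumed filter text for step 3; Win32_PCMCIAController is a standard CIM class.
$pcmciaFilter = 'SELECT * FROM Win32_PCMCIAController'

# Hypothetical computer names: the manager's laptop and her office desktop.
$targets = 'MGR-LAPTOP', 'MGR-DESKTOP'

$targets |
    ForEach-Object { Test-WmiFilterQuery -Query $pcmciaFilter -ComputerName $_ } |
    Format-Table -AutoSize
```

The query matches any machine that exposes a PCMCIA controller, so a desktop fitted with a CardBus adapter would pass the filter and a laptop without such a controller would not.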




RE: [ActiveDir] OT: Exchange 2003 SP1

2004-05-28 Thread Michael Wassell
Oddly enough I was JUST looking at that last night before signing off
for the evening :-)

But yes, it does look like a very handy tool. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 7:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2003 SP1

Yep, good thing to publish. Another cool thing, something I actually was
involved in a lot of the testing over the last year or so is 

http://www.microsoft.com/downloads/details.aspx?FamilyId=3D0884E6-C603-491D-BF57-ACF03E046BFE&displaylang=en

This is the autoaccept agent for conference rooms. You give your
conference rooms mailboxes in exchange and then use this tool and it
will process the meeting requests for you. That way you can have
automated calendar management of conference rooms (or other resources
say you have a projector or generic laptop or whatever) without people
fighting over the conference room and deleting each others entries
This could put some people out of work as I know there are some folks
whose whole job in life is to manage calendars like that. 

You used to do this with scripts, that of course was on the slow side. I
recall seeing a busy server taking 10-20 minutes to respond when running
with a script but the agent is dot net code that rock and rolls and the
response is in your inbox about as fast as you hit send on the request.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, May 25, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Exchange 2003 SP1

Also continuing the OT note, it seems that the long-awaited server-side
spam filtering system (IMF) is available too:
http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Apologies if this has already been posted.

Cheers
Ken

~~
From: Tony Murray [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 SP1


: Is now out.
:
: http://tinyurl.com/35ddy
:
: Tony

~~

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] OT: Exchange 2003 SP1 documentation

2004-05-27 Thread Michael Wassell




Has anyone managed 
to find complete documentation of all of the changes made with Exchange 2003 
SP1? The release notes fall short of mentioning exactly what 
updates/changes were made although I have looked briefly and there seems to be 
more control available to the user through OWA (Options category) and the icons 
shown in System Manager seem to have been sharpened (:-P). The issue with 
Exchange services hanging during a shutdown without being stopped beforehand 
still seems to be a problem so I guess the hopes for a resolve are still 
"pending".

As far as interface 
changes I can't imagine much more has been changed, but possibly a list of hot 
fixes which were previously unpublished except maybe to MVP's? Any 
idea?

Although, the 
package is 100mb~ and it did take a few minutes to complete the update 
procedures which required stopping all Exchange, IIS and related services 
(including third-party components), all went well.

TIA!


RE: [ActiveDir] Mixed network PC and Mac - AD or XServe

2004-05-18 Thread Michael Wassell



Regarding the PERC 2 issue joe, what was your 
resolve? 

I have a PERC 2 card in one of the DC's for my test domain 
I can't find a compatible firmware update ANYWHERE I could have sworn that the 
card was not a PERC 2 at all and I'm all ears to verify that conclusion 
:-D


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 18, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mixed network PC and Mac - AD or XServe

LOL.

I have had really good luck with Dell. My biggest 
complaints with Dell were always based with their service. However after dealing 
with IBM service, it is almost a joy to work with Dell again. 


I can't recall any Perc issues other than about 6 or 7 years 
ago with the Perc II which wasn't the Perc 2 and the documentation was W 
wrong. It was the one time I worked with using an external disk subsystem for a 
DC and will never repeat that mistake again. My last experience with the Perc 
cards were with some, I think 6500s with I think Perc 3 cards where I worked out 
how to run Raid 10 and that thing was smoking fast, my complaint was I 
could only put 6 disks in the box.

What experiences have you had with the Perc that give you 
that feeling about them?

 joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, May 18, 2004 7:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Mixed network PC and Mac - AD or XServe

You would genuinely use anything that has a perc raid controller? 
ewww, I feel dirty all of a sudden.

On May 18, 2004, at 12:44 AM, joe wrote:

I was laughing pretty good even before I got to the information on the new book

Out of the hardware vendors mentioned I would say I like Dell the best. I really 
dislike IBM unless you like to overpay for everything plus I have seen 
hellacious motherboard failures and the RSA solution is only about 5-10 years 
behind the DRAC solution from Dell. Haven't even seen an ACER in like 8-10 
years, and would have thrown something at one at that point as they were 
~= to packard bell.

Also if building check out newegg.com pricing. I have built some very nice systems 
very cheaply through newegg.

As for Exchange. I would have to agree unless the customer wants the 
integrated calendaring or the integrated IM or the other little things that 
Exchange adds on. At that point Exchange starts winning. Mostly the 
calendaring is the big thing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Monday, May 17, 2004 7:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Mixed network PC and Mac - AD or XServe

In regard to cost estimates you 
probably can get Dell hardware to fulfill that role, you can also get some 
Gateway servers, and probably Acer has some offerings as well. For that 
matter, you could even build your own clone servers and save a pantload from 
pricewatch.com. There are always ways to leverage costs with Intel Based 
hardware. Personally, I wouldn't implement the smallest of server projects 
with less than IBM or HP hardware, but that is a personal preference. And even 
with those options, you could probably still find some cost comparable 
options. I didn't get quotes from 3 vendors before posting to the list.

In regard to exchange, If you want it then don't even consider going 
apple. Exchange needs Active Directory, so a duplication of directories in 
this instance would be fruitless.

In regard to file service 
performance, it depends on who you ask... pc vendors will tell you that theirs 
is faster, Apple puts this up:

http://www.apple.com/xserve/performance.html

In the end file 
services are file services, it's pretty much like taking an airplane from 
washington to newark or taking a train from washington to newark, either way 
your trip will take about the same. Now as a stickler you can benchmark the 
f*_k out of it and say either a x86 is faster by 3 microseconds or a mac is 
faster by 4, but we're talking about 70 users!?!?!

Now, let's talk 
about AFP. Dump it... Get rid of it... it is as 80's as Ferris Bueller and 
while it may work in movies, technology needs upgrades. (chicka chicka... 
chicka chicka... omp omp O Yeahhh! Sorry little bit of 'yellow 
fever') No wonder Microsoft is getting rid of it, Apple should too. Macs do 
great with smb:// cifs:// ftp://, etc. , I haven't noticed any difference in 
file services to smb shares between a pc and a mac connected to the same share 
over the same network.

Yes, you can setup AD to authorize mac and pc 
machines to file services, it requires a little tweaking and if you end up 
needing assistance with it I'll answer any questions you might 
have.

For planning resources on the OS X side, hit 
www.macwindows.com www.macosxlabs.org and you will 
definitely need the os x manuals 
  

[ActiveDir] OT: explorer.exe hangs on folder access

2004-05-18 Thread Michael Wassell



This is a very 
strange problem I experienced a few weeks ago and just yesterday I've noticed it 
happen again. This only happens with a single folder, all others are 
fine. This particular instance the folder is completely empty except for 
"My Pictures" being automatically created within.

Expected cause:

User Personal (My Documents) folders are redirected to a central location on 
the file server.
User is not granted exclusive rights to their user folders; rights are 
inherited from parent.
User folders are automatically created when user first logs into the domain.

Symptom:

When user attempts to log in the explorer.exe process hangs and the desktop is 
never created. User can log off by using Task Manager, or forcing a 
logoff/shutdown using shutdown.exe.
Explorer.exe hangs when any PC attempts to access the user folder (including 
locally on the server).
Strangely enough, I am able to copy the contents of the folder 
elsewhere using the explorer interface and am able to retrieve a directory 
listing using command prompt.
Taking ownership of the folder does not resolve the issue.
Desktop.ini shows being accessed by whichever user is 
attempting to access the folder, visible using computer management mmc 
snap-in. Forcibly closing all instances does not resolve the 
issue.

Resolution:

Restarting the server resolves the issue.

Does anyone have ANY 
clue what this might be? Server is running Windows Server 2003 
Std.
I've considered 
calling M$FT on the issue but I'm sure they'll suggest that I restart the 
server.

TIA for any input.


RE: [ActiveDir] Mixed network PC and Mac - AD or XServe

2004-05-18 Thread Michael Wassell



Yeah my mistake I was referring to the PERC-II card 
;-) I have a PE3200 which has a PERC-II in it.

I managed to get 2k3 installed on it using a MegaRAID 2000 
driver (Win2k driver) but I have not managed to obtain a compatible firmware 
update yet... maybe some day


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 18, 2004 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mixed network PC and Mac - AD or XServe

Again it was the Perc II, not the Perc 2. That was the Perc 
card prior to the Perc 2. It was in the x100 and some x200 series machines. 
The issue was that the documentation said something was possible (it was a 
really bad idea of spanning a single logical drive across the internal and 
external enclosure) and when we went to do exactly what the docs said, it, thank 
god, didn't work. We called Dell and kept getting, how odd right up until we hit 
a "Real" engineer who (rightfully) dressed me up and down for even considering 
doing something like that. Not only was I not pissed off for being chewed out 
and treated like a dumbass, I thanked him profusely for teaching me about 
something I knew very little to nothing about.

If you look at the BIOS start up on the card it will say 
something like PERC-II... not PERC-2. 

There were barely compatible firmware and drivers for 2K 
for those things... I did get one to work with K3 with the latest available 
firmware from Dell and the 2K drivers though I think Dell said it was 
unsupported. If I recall the last firmware available was from like 
April 2000. Something like U84 / A02 or something like that. Can't recall any 
other details... 

I think maybe I have learned too much and now as I learn 
more I forget the old stuff as it rolls out of the log... I shouldn't have 
played and beat Assult Mech this last week or so... Forgetting how to do useful 
things. :o)





RE: [ActiveDir] OT: explorer.exe hangs on folder access

2004-05-18 Thread Michael Wassell



There is nothing abnormal shown in the event logs 
on client or server with any relevance :-(


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Log entries?




RE: [ActiveDir] OT: explorer.exe hangs on folder access

2004-05-18 Thread Michael Wassell
I don't think so I think I've seen this happen before also though, it
was due to a corrupt Internet Explorer installation and once repaired it
worked fine. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dale, Rick
Sent: Tuesday, May 18, 2004 11:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

I have had a similar problem with this. I don't know if it's related or
not but when a user put some pictures in their My Pictures folder,
every time they opened the directory in explorer it would give a C++
Runtime error (don't remember what one). So I changed the default folder
layout from Thumbnails to Details (or whatever) and it opened just
fine... Delete the pic's and (even the sample ones) and it works just
fine. 



Rick T. Dale
Computer Services
General Council Credit Union http://gccu.ag.org/ 
 




RE: [ActiveDir] OT: explorer.exe hangs on folder access

2004-05-18 Thread Michael Wassell



The 
only events logged are informational success notifications and success audit 
security logs I do not see any relevant Warning or Error events logged 
:-(

Server specs: 2x PIII 600, 1GB RAM, 2 
RAID-1 arrays

The server functions as a file/print server as well as 
a DC holding all roles for the domain. Domain has 100 
+/- users/groups.

Backup client installed, exchange admin tools, resource kit 
tools, support tools





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 1:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Any relevance? Does that mean there is nothing or 
nothing that seems related? If there is something else going on, it would 
be helpful to know. I'd be particularly interested in anything in the system 
log. While we're investigating the scope of this, what else is on the 
machine? How is the machine configured?

Al




RE: [ActiveDir] OT: explorer.exe hangs on folder access

2004-05-18 Thread Michael Wassell



I have a feeling that it has something to do with the 
desktop.ini stored within the folder itself because of the 
strange behaviour when a user attempts to access the folder as shown on 
the compmgmt snap-in. 

I really don't think that it has anything to do with 
hardware because of the strangeness of the symptom, considering all other user 
folders are functioning perfectly and they are all on the same network 
segment. That definitely leads me to believe that it is a software issue 
somewhere but where is the hard thing to figure out :-)

Users are not across a slow link I have 100mbit run to the 
desktops. Also, considering I have attempted to access this folder from 
different workstations as well as locally on the server and have experienced the 
same symptom everywhere that really leads me to believe that it has something to 
do with the folder itself.

Very confusing :-(


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

I wonder if something in the directory is damaged 
then. That's an odd behavior to say the least. 

Since this is across the network for the user, was there an 
antivirus program on the server? What about the NIC? Are there any 
other devices, such as a router or firewall between the server and the 
user? Is it multi-homed?

Are the users across a slow link? 


I'm wondering about the network connection since it could 
very well be something at that level. What about other GPO's? 
Anything trying to be applied that isn't working?


Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 2:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Doesn't appear so :-(

I took a look through every log for the past 3 days and 
there doesn't seem to be anything abnormal happening (not logged 
at least).

Would a corrupted MFT entry restore itself upon 
restart?

I appreciate all of the help by the way Al. Like I 
said this has happened once before and coincidentally it happened to my boss so 
I spent a few hours scratching my head trying to figure it out and sure enough I 
restarted the server that evening and everything was fine 
afterwards.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Nothing in there about disk errors that might explain 
something about a corrupted MFT entry maybe?

Al



RE: [ActiveDir] OT: explorer.exe hangs on folder access

2004-05-18 Thread Michael Wassell



Hello Chuck;

Microsoft offers guidelines for allowing administrator 
access to redirected user folders as mentioned in http://support.microsoft.com/default.aspx?scid=kb;en-us;288991. 
In the article it is mentioned not to allow users exclusive access, rather allow 
permissions to inherit from the "CREATOR OWNER" object which will give the 
user "exclusive" access, so I suppose the term "exclusive" is trivial 
:-)

I'm sorry I was unclear regarding "copying folder 
contents". I was referring to while I was logged on locally as 
administrator equivalent I was able to copy the folder elsewhere using the 
explorer interface (without attempting to browse the folder contents). I 
was also able to retrieve a directory listing using a command prompt which is 
also confusing.

It's very interesting to see everyone's thoughts on the 
issue I am grateful for all of the help :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Oppermann
Sent: Tuesday, May 18, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access


Everything I've learned 
about redirected folders is that users should have exclusive rights to their own 
folder. When you say that the desktop is never created do you mean that 
items that are located in the desktop folder are never shown? It would 
seem that if desktop isn't being created that explorer is having problems 
accessing that location. Maybe it's being redirected as well?

If you can, when the user experiences this problem, DO NOT have them logon 
again. Instead, as administrator, review the machine's registry. In 
particular, find the user's profile and examine the entries in their 
\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ 
key.

Do those reflect valid locations that the user has rights to?

I'm confused that you say you can copy the folder contents using Explorer, but 
Explorer.exe hangs when any PC attempts to access the user folder (including 
locally on the server). If this only happens when users (vs. admins) 
access the folder, then it's almost certainly a permissions issue.

Of course, Explorer.exe shouldn't hang. That's a bug. It should 
gracefully exit and log errors, but that's another discussion.

Best practices:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_sp_bestprac_foldred.asp




---Chuck





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 7:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: explorer.exe hangs on folder access


This is a very strange problem I experienced a few weeks ago and just yesterday 
I've noticed it happen again. This only happens with a single folder, all 
others are fine. This particular instance the folder is completely empty 
except for "My Pictures" being automatically created within.

Expected cause:

User Personal (My Documents) folders are redirected to a central location on 
the file server.

User is not granted exclusive rights to their user folders - rights are 
inherited from parent.

User folders are automatically created when user first logs into the 
domain.

Symptom:

When user attempts to log in the explorer.exe process hangs and the desktop is 
never created. User can log off by using Task Manager, or forcing a 
logoff/shutdown using shutdown.exe.

Explorer.exe hangs when any PC attempts to access the user folder (including 
locally on the server).

Strangely enough, I am able to copy the contents of the folder elsewhere using 
the explorer interface and am able to retrieve a directory listing using command 
prompt.

Taking ownership of the folder does not resolve the issue.

Desktop.ini shows being accessed by whichever user is attempting to access the 
folder, visible using computer management mmc snap-in. Forcibly closing all 
instances does not resolve the issue.

Resolution:

Restarting the server resolves the issue.

Does anyone have ANY clue what this might be? Server is running Windows Server 
2003 Std.

I've considered calling M$FT on the issue but I'm sure they'll suggest that I 
restart the server.

TIA for any input.


[ActiveDir] OT: Extract via message ID

2004-05-07 Thread Michael Wassell




Is anyone aware of a utility that can be used to 
extract a message from the Exchange IS using the message ID as the search 
criteria (which is visible from the Message 
Tracking center)?

I am looking for 
a utility similar to Exmerge with the ability to extract a message from the 
IS, but which is not associated to a mailbox. I would assume 
that the message ID string is unique 
for each message so I thought there might be something but I am having problems 
finding anything with that functionality. I 
know with the older version of Exmerge (command-line based) it does not prompt 
for a mailbox and searches the entire IS, but is this older version compatible 
with Exchange 2003?
TIA!


RE: [ActiveDir] Storage of AD passwords???

2004-04-29 Thread Michael Wassell
Quoted from:  http://www.techinterviews.com/index.php?p=12

What hashing algorithms are used in Windows 2003 Server? RSA Data
Security's Message Digest 5 (MD5), produces a 128-bit hash, and the
Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash. 

Maybe that will help 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 29, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Storage of AD passwords???

The issue isn't understanding the standards. We've got that part more
than covered. We're just trying to find what hash type is used to store
the passwords in AD.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

 -Original Message-
 From: Lou Vega [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 29, 2004 10:49 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Storage of AD passwords???
 
 This link (http://csrc.nist.gov/CryptoToolkit/tkhash.html) will provide
 further information regarding the FIPS PUB 180-2 and SHA-256 standard.

 The PDF file at that location may provide you with the information 
 you're looking for.
 
 Just FYI - FIPS = Federal Information Processing Standards.
 
 r/
 Lou
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
 Seielstad
 Sent: Thursday, April 29, 2004 10:31 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Storage of AD passwords???
 
 That really doesn't cover the specifics.
 
 We're wondering what type and strength of encryption is used. We've got an
 RFP from a customer whose security requirements require the use of 
 some asinine level of crypto for password storage[1], and we can't 
 find a single instance of an OS that uses that level, so we're thinking
 they're not even meeting their own requirements there...
 
 Roger
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 [1] Password hash must use the SHA-256 standard: compliant with FIPS 
 PUB 180-2
  
 
  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, April 29, 2004 10:16 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Storage of AD passwords???
  
  Here's some background information
  
  http://groups.google.com/groups?hl=enlr=ie=UTF-8oe=UTF-8th
 readm=uNoVmrCr
  AHA.1552%40tkmsftngp04rnum=6prev=/groups%3Fq%3Dmicrosoft%252
  0active%2520di
  rectory%2520%2522password%2520storage%2522%26hl%3Den%26lr%3D%2
  6ie%3DUTF-8%26
  oe%3DUTF-8%26sa%3DN%26tab%3Dwg
  
  -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Thursday, April 29, 2004 10:03 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Storage of AD passwords???
  
  Funny - had that same question come up the other day from my 
  security guy.
  
  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
  Inovis Inc.
   
  
   -Original Message-
   From: Douglas M. Long [mailto:[EMAIL PROTECTED]
   Sent: Thursday, April 29, 2004 9:33 AM
   To: [EMAIL PROTECTED]
   Subject: [ActiveDir] Storage of AD passwords???
   
   I have been looking for how Active Directory stores
 passwords, and
   have had no luck. Does anyone know what format the password
  is stored
   (eg crypt, md5)? Also, what is the password attribute (is it 
   userPassword)? TYIA
   
   
   List info   : http://www.activedir.org/mail_list.htm
   List FAQ: http://www.activedir.org/list_faq.htm
   List archive: 
   http://www.mail-archive.com/activedir%40mail.activedir.org/
   


[ActiveDir] OT: Exchange 2003 April rollup

2004-04-20 Thread Michael Wassell



Just saw these in 
another list boys. Thought I'd pass it along.

My apologies if it 
is a double post.

http://support.microsoft.com/?kbid=838236

http://support.microsoft.com/common/canned.aspx?H=Microsoft%20Exchange%202003%20post-RTM%20Store%20UpdateQuery=kbExchange2003preSP1fixCDID=EN-US-KBLCID=1033product=exch2003


RE: [ActiveDir] SUS 2.0 Beta

2004-04-15 Thread Michael Wassell
Did anyone else receive an Unknown Error when registering for WUS open
beta (during Step 4) or was it just me? :-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, April 15, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS 2.0 Beta

Glad Rod passed on the pointer to susserver.com. Some of the new name
suggestions are hilarious

mc




RE: [ActiveDir] SUS 2.0 Beta

2004-04-15 Thread Michael Wassell
I did notice that after I cranked down my browser security and revisited
I received an Already Confirmed notification, so maybe the form has an
error

I guess we'll see

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christopher
Hummert
Sent: Thursday, April 15, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS 2.0 Beta

Yea I did too and I was never able to register. I'm kind of
disappointed. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Thursday, April 15, 2004 7:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS 2.0 Beta

Did anyone else receive an Unknown Error when registering for WUS open
beta (during Step 4) or was it just me? :-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, April 15, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS 2.0 Beta

Glad Rod passed on the pointer to susserver.com. Some of the new name
suggestions are hilarious

mc




RE: [ActiveDir] Office2003 Rollout

2004-04-15 Thread Michael Wassell
The short answer would be yes. 

I would suggest doing it as a Published Application with an .MST answer
file, as opposed to an Assigned application because my first concern
would be extended log on periods during which users would think their
computers were hung/not responding and doing something vulgar ;-) 

That's just one of the hurdles though.  I'm sure there will be others.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GARY SMITH
Sent: Thursday, April 15, 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Office2003 Rollout

I have to roll out Office 2003 onto around 350 desktops. Any great
insight into the best approach here? I have been looking at some third
party applications, in particular Altiris, but I was wondering if it
could be done through Group Policy / Software deployment. All desktops
are W2K.

Gary Smith




RE: [ActiveDir] Assigned software deployment via GPO

2004-04-12 Thread Michael Wassell



Hmm.. that's interesting Roger. It does seem to work 
perfectly as I had mentioned in a test environment, with exactly the same 
settings.

The only differences between environments are obvious 
ones, server names, usernames, security groups, production workstations are 
mixed 2000/XP machines.

Inherited GPO permissions allow read access to 
Authenticated Users, which worked fine in test environment so I don't see how 
any of that could be a problem.

I have reviewed all of the settings for the GPO hierarchy 
and everything seems to be fine.

The biggest kicker is that everything appears to install 
fine when viewed from Event Viewer, but registry keys are not created, and files 
are not registered. Nothing seems to happen at all other than the 
Installer keys are created with the correct Product ID.

If the users add the application manually through a/r 
programs (published application) everything installs fine. Switching the 
exact same application object to be an Assigned application is a no 
go.

Very strange


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, April 12, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Assigned software deployment via GPO

IIRC, assigning to a user doesn't actually install it until 
the application is launched for the first time. I'd have to check that for sure, 
though. It should create any shortcuts at the outset 
however.

-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 


  
  
  From: Michael Wassell [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 06, 2004 2:55 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Assigned software deployment via GPO
  
  Okay guys, I am at my wit's end here
  
  I've been trying to distribute an .MSI package via GPO as an Assigned 
  application to an OU in AD. 
  
  Test environment: Worked perfectly fine in my test environment, I 
  copied the install package to a share on the server, set 
  permissions, assigned the application to a GPO and that was it. Worked 
  perfectly ever since.
  
  Production environment: Exact replica of permissions, shared folder 
  names, the file is the same, the usernames/security groups are different 
  and the name/properties of the GPO used to deploy the application 
  are different. Will not work for the life of me.
  
  Thinking that it might be a problem with the GPO I created a test OU and 
  blocked inheritance (without linking any other GPO's), test user account, 
  test GPO and assigned the application in the new GPO, redeployed the 
  application. Still no go. The deployment works fine if the application is 
  published, but my boss wants 0 user interaction (I.E. install at logon).
  
  The weirdest thing is that the event viewer shows that the application is 
  installed successfully, but it isn't actually installed anywhere (no registry 
  keys, or program files etc.). Which makes no sense because it works perfectly 
  in the test environment.
  
  This should be something that is very simple but it has been the biggest 
  pain in the NECK!!! (for lack of a better term)
  
  Anyone with any ideas, I'm ALL ears :-)


RE: [ActiveDir] OT: Server-side address list Public folder

2004-04-12 Thread Michael Wassell



Yeah I kinda figured that :-)

I figured the best way to do a bulk import from fields 
exported from Outlook was to format the fields using CSVDE syntax and import 
from that. That worked perfectly, now all I have to figure out is what the 
best way to exclude those contacts from the GAL (when mail-enabled) and show 
them in another address list. 

Then delegate permissions to the managers for that OU and 
we should be laughin' :-)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, April 12, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Server-side address list  Public folder

Nope. The contents of public folders are not exposed via 
LDAP (which makes sense when you think about it).

You can, however, use something like CDONTS or some of the 
other MAPI programmatic interfaces to enumerate the contents of the 
PF.

-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 


  
  
  From: Michael Wassell [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, April 07, 2004 1:11 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: Server-side address list  Public folder
  
  I'm not sure if this is possible or not. I can't seem to find any reference 
  of it anywhere.
  
  Would anyone care to enlighten me on if it is possible to populate an address 
  list stored server-side (similar to GAL) using an LDAP query to query the 
  contents of a public folder? I know that it is possible to add a public 
  folder to each individual outlook config by opening Properties (of folder) 
  Outlook Address Book  Show this folder...
  
  But, I am wondering if it is possible to remove that process and have it 
  stored on server so users can simply address an email and choose the correct 
  contact from their Outlook without manually adding the folder to their AB's.
  
  I have played 
  around with it a little bit and I have been able to limit an LDAP query within 
  Exchange to return only the folder that contains the contacts, but have yet to 
  be able to return the contacts stored within that folder.
  
  TIA


RE: [ActiveDir] Assigned software deployment via GPO

2004-04-07 Thread Michael Wassell
A lot of great information in that thank you Darren :)

I'm going to dig deeper into it today and I'm sure something will pop
up.  I've actually looked in those two locations you mentioned already
on one of my test boxes and it seems that the package does install
registry keys into both of those locations, but still does not show
Installing (package) during logon when both keys are deleted.  I've got
a few more tricks up my sleeve thanks to your advice now though Darren
so hopefully something will work.  Or at least I hope so :)

Very much appreciated.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, April 06, 2004 4:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Assigned software deployment via GPO

Michael-
SI uses the MSI product code (aka product id) to determine whether an
application is installed already or not. I think that if you have an
upgrade relationship between v.1 and v.2 and the Product codes are the
same, then it will ignore the upgrade. 

There are a lot of options for troubleshooting this. When an app is
deployed via GPO, it is registered in a couple of places (at least).
First, if you're doing a per-user deployment, it's registered under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\AppMgmt. Regardless of whether it deployed via GPO, any MSI
package gets registered in HKLM or HKCU (depending upon whether it's
per-machine or per-user) in Software\Microsoft\Installer. If you're
trying to deploy your app to machines where it's already been deployed,
try clearing it out from these two locations (doing a normal
uninstall should do that in the case of the Installer key, but just in
case). 

Also, you can turn on verbose MSI logging via policy to see if something
is going wrong during install. That policy is found in Computer
Configuration|Administrative Templates|Windows Components|Windows
Installer|Logging. Finally, there is a verbose SI logging capability
that you can enable. I recently created a custom .adm that lets one
enable a variety of GPO logging, including SI. Email me offline and I
can send that to you.

Darren

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, April 06, 2004 12:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Assigned software deployment via GPO

Kind of had my hopes up for this one but I just tested it on 4 different
computers and still the same outcome :-P

I wonder if whatever *was* installed that was shown in the Event Log
tainted any further testing that I did afterwards.

That wouldn't make much sense though because I am forcing a required
upgrade between the GPO's so it should install even if it is detecting
that the application is already installed.  Or not?  I don't think GPO
is smart enough to detect if the version installed is the same
version that is being upgraded?  Does anyone know?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, April 06, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Assigned software deployment via GPO

Yes actually I was.  

I have done other tests using different machines, but that particular
test I used the same machine for.  I will try it using a different
machine.  I did force the GPO to uninstall the assigned application from
the previous GPO (even though it hadn't actually been installed, but
shown in the event log), but it is still worth a try I suppose.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Assigned software deployment via GPO


Are you testing it on the same PC in the Production OU that you used in
the Test OU?

-Peter


 

Michael Wassell [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/06/2004 02:55 PM
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Assigned software deployment via GPO

 





Okay guys, I am at my wit's end here

I've been trying to distribute an .MSI package via GPO as an Assigned
application to an OU in AD.

Test environment:  Worked perfectly fine in my test environment, I
copied the install package to a share on the server, set permissions,
assigned the application to a GPO and that was it.  Worked perfectly
ever since.

Production environment:  Exact replica of permissions, shared folder
names, the file is the same, the usernames/security groups are different
and the name/properties of the GPO used to deploy the application are
different.
Will not work for the life
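
The two registry locations Darren names in the thread above can be checked with a short script before redeploying; this is an added example, not code from the thread. The product code is a placeholder, and the "packed GUID" key naming is an assumption based on the usual Windows Installer convention rather than anything stated in the messages.

```powershell
# Added example: report where a product code is still registered, using the
# registry locations named in the message above. Run as the affected user.
param(
    # Placeholder; replace with the ProductCode of the package being deployed.
    [guid]$ProductCode = '{00000000-0000-0000-0000-000000000000}'
)

function ConvertTo-PackedGuid {
    # Assumption (Windows Installer convention, not stated in the thread):
    # product keys are named with the GUID "packed": the first three groups
    # reversed character by character, and the two hex digits of each
    # remaining byte swapped.
    param([Parameter(Mandatory = $true)][guid]$Guid)

    $hex    = $Guid.ToString('N').ToUpper()      # 32 hex digits, no punctuation
    $groups = @(0, 8), @(8, 4), @(12, 4)         # (offset, length) of groups 1-3
    $out = foreach ($group in $groups) {
        $chars = $hex.Substring($group[0], $group[1]).ToCharArray()
        [array]::Reverse($chars)
        -join $chars
    }
    for ($i = 16; $i -lt 32; $i += 2) {
        $out += "$($hex[$i + 1])$($hex[$i])"
    }
    -join $out
}

$code   = $ProductCode.ToString('B').ToUpper()   # {XXXXXXXX-XXXX-...} form
$packed = ConvertTo-PackedGuid -Guid $ProductCode
$found  = @()

# 1. Windows Installer registration, per-machine (HKLM) and per-user (HKCU).
#    Searched recursively so no particular subkey layout is assumed.
foreach ($root in 'HKLM:\Software\Microsoft\Installer',
                  'HKCU:\Software\Microsoft\Installer') {
    if (-not (Test-Path $root)) { continue }
    $found += Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq $packed -or $_.PSChildName -eq $code } |
        ForEach-Object { [pscustomobject]@{ Source = 'Installer'; Key = $_.Name } }
}

# 2. Group Policy Software Installation registration for this user.
$appMgmt = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt'
if (Test-Path $appMgmt) {
    $found += Get-ChildItem -Path $appMgmt -ErrorAction SilentlyContinue |
        Where-Object {
            # Match on any value's data rather than assuming a value name.
            $key = $_
            $key.GetValueNames() |
                Where-Object { "$($key.GetValue($_))" -eq $code }
        } |
        ForEach-Object { [pscustomobject]@{ Source = 'AppMgmt'; Key = $_.Name } }
}

if ($found) {
    $found | Format-Table -AutoSize -Wrap
} else {
    "No registration found for $code"
}
```

The script only reads the registry; any key it reports is a candidate for the clean-up the message describes.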

[ActiveDir] OT: Server-side address list Public folder

2004-04-07 Thread Michael Wassell



I'm not sure if this 
is possible or not. I can't seem to find any reference of it 
anywhere.

Would anyone care to 
enlighten me on if it is possible to populate an address list stored 
server-side (similar to GAL) using an LDAP query to query the contents of a 
public folder? I know that it is possible to add a public folder to each 
individual outlook config by opening Properties (of folder) Outlook 
Address Book  Show this folder...

But, I am wondering 
if it is possible to remove that process and have it stored on server so users can 
simply address an email and choose the correct contact from their Outlook 
without manually adding the folder to their AB's.

I have played around 
with it a little bit and I have been able to limit an LDAP query within Exchange 
to return only the folder that contains the contacts, but have yet to be able to 
return the contacts stored within that folder.

TIA


RE: [ActiveDir] OT: Server-side address list Public folder

2004-04-07 Thread Michael Wassell



As a follow up to my own question.

If it is not possible, I suppose I could write 
a script that automatically exports the contents of the public folder from 
Outlook and store it in a CSV format, import them into the AD 
afterwards using CSVDE as Contact objects in a specific OU and query the OU from 
Exchange server. But I'm hoping someone may have a better idea 
:-)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, April 07, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Server-side address list  Public folder

I'm not sure if this 
is possible or not. I can't seem to find any reference of it 
anywhere.

Would anyone care to 
enlighten me on if it is possible to populate an address list stored 
server-side (similar to GAL) using an LDAP query to query the contents of a 
public folder? I know that it is possible to add a public folder to each 
individual outlook config by opening Properties (of folder) Outlook 
Address Book  Show this folder...

But, I am wondering 
if it is possible to remove that process and have it stored on server so users can 
simply address an email and choose the correct contact from their Outlook 
without manually adding the folder to their AB's.

I have played around 
with it a little bit and I have been able to limit an LDAP query within Exchange 
to return only the folder that contains the contacts, but have yet to be able to 
return the contacts stored within that folder.

TIA


RE: [ActiveDir] OT: Server-side address list Public folder

2004-04-07 Thread Michael Wassell



Okay. I've answered my own 
question.

I've imported all of the contacts into AD as contact 
objects. I've delegated control of that OU to the managers of the 
department and they will be instructed how to access/update information for the 
objects in AD.

My question now is, I have created an Address list 
server-side, but the contact objects in AD do not display in the Address List on 
the client.

"Previewing" the address list from the server returns the 
correct contact objects, but that doesn't do much good without the client being 
able to view them from Outlook. Is this by design for Outlook? Is 
anyone aware of a fix or a workaround to allow Outlook to view contact objects 
as opposed to only User/Group objects?

TIA!


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, April 07, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Server-side address list  Public folder

As a follow up to my own question.

If it is not possible, I suppose I could write 
a script that automatically exports the contents of the public folder from 
Outlook and store it in a CSV format, import them into the AD 
afterwards using CSVDE as Contact objects in a specific OU and query the OU from 
Exchange server. But I'm hoping someone may have a better idea 
:-)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, April 07, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Server-side address list  Public folder

I'm not sure if this 
is possible or not. I can't seem to find any reference of it 
anywhere.

Would anyone care to 
enlighten me on if it is possible to populate an address list stored 
server-side (similar to GAL) using an LDAP query to query the contents of a 
public folder? I know that it is possible to add a public folder to each 
individual outlook config by opening Properties (of folder) Outlook 
Address Book  Show this folder...

But, I am wondering 
if it is possible to remove that process and have it stored on server so users can 
simply address an email and choose the correct contact from their Outlook 
without manually adding the folder to their AB's.

I have played around 
with it a little bit and I have been able to limit an LDAP query within Exchange 
to return only the folder that contains the contacts, but have yet to be able to 
return the contacts stored within that folder.

TIA


RE: [ActiveDir] OT: Server-side address list Public folder

2004-04-07 Thread Michael Wassell



Hmm.. the objects do appear in the Preview pane when viewed 
from the server.

If that's the case then maybe I'll just wait it out 
:-)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 3:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Server-side address list  Public folder

Nope you have a bug or have done something wrong. 
Outlook will view contacts within Address List just as it views Users and 
Distribution Groups.

You may have to wait for the address list to be 
'generated' and viewable via Outlook... not sure



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, April 07, 2004 3:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Server-side address list  Public folder

Okay. I've answered my own 
question.

I've imported all of the contacts into AD as contact 
objects. I've delegated control of that OU to the managers of the 
department and they will be instructed how to access/update information for the 
objects in AD.

My question now is, I have created an Address list 
server-side, but the contact objects in AD do not display in the Address List on 
the client.

"Previewing" the address list from the server returns the 
correct contact objects, but that doesn't do much good without the client being 
able to view them from Outlook. Is this by design for Outlook? Is 
anyone aware of a fix or a workaround to allow Outlook to view contact objects 
as opposed to only User/Group objects?

TIA!


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, April 07, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Server-side address list  Public folder

As a follow up to my own question.

If it is not possible, I suppose I could write 
a script that automatically exports the contents of the public folder from 
Outlook and store it in a CSV format, import them into the AD 
afterwards using CSVDE as Contact objects in a specific OU and query the OU from 
Exchange server. But I'm hoping someone may have a better idea 
:-)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, April 07, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Server-side address list  Public folder

I'm not sure if this 
is possible or not. I can't seem to find any reference of it 
anywhere.

Would anyone care to 
enlighten me on if it is possible to populate an address list stored 
server-side (similar to GAL) using an LDAP query to query the contents of a 
public folder? I know that it is possible to add a public folder to each 
individual outlook config by opening Properties (of folder) Outlook 
Address Book  Show this folder...

But, I am wondering 
if it is possible to remove that process and have it stored on server so users can 
simply address an email and choose the correct contact from their Outlook 
without manually adding the folder to their AB's.

I have played around 
with it a little bit and I have been able to limit an LDAP query within Exchange 
to return only the folder that contains the contacts, but have yet to be able to 
return the contacts stored within that folder.

TIA


[ActiveDir] Assigned software deployment via GPO

2004-04-06 Thread Michael Wassell



Okay guys, I am at 
my wit's end here

I've been trying to 
distribute an .MSI package via GPO as an Assigned application to an OU in 
AD. 

Test environment: Worked perfectly fine in my test environment, I 
copied the install package to a share on the server, set permissions, 
assigned the application to a GPO and that was it. Worked perfectly ever 
since.

Production environment: Exact replica of permissions, shared folder 
names, the file is the same, the usernames/security groups are different 
and the name/properties of the GPO used to deploy the application are 
different. Will not work for the life of me.

Thinking that it 
might be a problem with the GPO I created a test OU and blocked inheritance 
(without linking any other GPO's), test user account, test GPO and assigned the 
application in the new GPO, redeployed the application. Still no go. 
The deployment works fine if the application is published, but my boss wants 0 
user interaction (I.E. install at logon).

The weirdest thing 
is that the event viewer shows that the application is installed successfully, 
but it isn't actually installed anywhere (no registry keys, or program files 
etc.). Which makes no sense because it works perfectly in the test 
environment.

This should be 
something that is very simple but it has been the biggest pain in the NECK!!! 
(for lack of a better term)

Anyone with any 
ideas, I'm ALL ears :-)


RE: [ActiveDir] MSI Deployable apps

2004-04-06 Thread Michael Wassell
GPO's support the use of .MST answer files (transforms), there are also
many utilities around that create before/after snapshots and generate an
.MSI package from the installed files (WinINSTALL, Wise Studio etc.), so
there are a lot of ways to get around what's supported Out-of-the-box
and what needs a little bit of effort :)

It would probably be better if you were to give a specific application
as an example as long as it is not a custom application and someone may
be able to relate better to that.

That's just my $0.02 though.  Someone else may have a better suggestion
:)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Tuesday, April 06, 2004 9:32 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] MSI Deployable apps

Is there any site or anything that lists the apps that can be deployed
via MSI and Group Policies??


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Assigned software deployment via GPO

2004-04-06 Thread Michael Wassell
Kind of had my hopes up for this one but I just tested it on 4 different
computers and still the same outcome :-P

I wonder if whatever *was* installed that was shown in the Event Log
tainted any further testing that I did afterwards.

That wouldn't make much sense though because I am forcing a required
upgrade between the GPO's so it should install even if it is detecting
that the application is already installed.  Or not?  I don't think GPO
is smart enough to detect if the version installed is the same
version that is being upgraded?  Does anyone know?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, April 06, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Assigned software deployment via GPO

Yes actually I was.  

I have done other tests using different machines, but that particular
test I used the same machine for.  I will try it using a different
machine.  I did force the GPO to uninstall the assigned application from
the previous GPO (even though it hadn't actually been installed, but
shown in the event log), but it is still worth a try I suppose.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Assigned software deployment via GPO


Are you testing it on the same PC in the Production OU that you used in
the Test OU?

-Peter


 

Michael Wassell [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/06/2004 02:55 PM
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Assigned software deployment via GPO

 





Okay guys, I am at my wit's end here

I've been trying to distribute an .MSI package via GPO as an Assigned
application to an OU in AD.

Test environment:  Worked perfectly fine in my test environment, I
copied the install package to a share on the server, set permissions,
assigned the application to a GPO and that was it.  Worked perfectly
ever since.

Production environment:  Exact replica of permissions, shared folder
names, the file is the same, the usernames/security groups are different
and the name/properties of the GPO used to deploy the application are
different.
Will not work for the life of me.

Thinking that it might be a problem with the GPO I created a test OU and
blocked inheritance (without linking any other GPO's), test user
account, test GPO and assigned the application in the new GPO,
redeployed the application.  Still no go.  The deployment works fine if
the application is published, but my boss wants 0 user interaction (I.E.
install at logon).

The weirdest thing is that the event viewer shows that the application
is installed successfully, but it isn't actually installed anywhere (no
registry keys, or program files etc.).  Which makes no sense because it
works perfectly in the test environment.

This should be something that is very simple but it has been the biggest
pain in the NECK!!! (for lack of a better term)

Anyone with any ideas, I'm ALL ears :-)





RE: [ActiveDir] Assigned software deployment via GPO

2004-04-06 Thread Michael Wassell
It is actually a per-user assignment in a Windows 2003 domain.  So, I
have configured it to install at log on as you had mentioned Darren.

What this particular application does is install a button on the toolbar
of Outlook to access a form that has been published in our Exchange
environment.  Fairly simple thing, but unfortunately due to the nature
there is no file extension associated with the installer, only a few .dlls
and registry keys that create a button.

As I had said, it does install successfully in the test environment with
the exact same settings.  But for some reason it has
been giving me a HECK of a lot of grief in the production environment
and unfortunately that's what matters :-(

What I may end up doing is publishing the application with Basic UI
(this has been tested successfully in production env.) and instructing
users to open their control panel and click Add.  I have taken this
approach with other applications by restricting Control Panel to only
have access to A/R Programs and only have the Add New Programs tab
available restricted to Add Programs from your Network.  But for some
reason the boss frowns on it although the only user interaction is
physically clicking the Add button and closing A/R Programs  Control
Panel afterwards (I think a monkey could do that???).  

I appreciate the advice though.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, April 06, 2004 3:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Assigned software deployment via GPO

Michael-
Are you doing per-user assignment or per-machine? In general, if you do
a per-user assignment, the application is only advertised for install
on first use at logon, rather than fully installed. The exception to
this is that software installation policy in W2K3 supports a new option
on user assignment called install this application at logon that will
do a full install. That's probably the reason that the event log is
saying that the app was successfully installed--it probably was! The way
you can confirm this is if this app you've advertised supports any kind
of file association or if it puts icons in the Start Menu, you should
see those showing up. That is, if you were to open a file or click a
shortcut that was associated to this advertised app, that would kick off
the application installation at that time.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, April 06, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Assigned software deployment via GPO

Yes actually I was.  

I have done other tests using different machines, but that particular
test I used the same machine for.  I will try it using a different
machine.  I did force the GPO to uninstall the assigned application from
the previous GPO (even though it hadn't actually been installed, but
shown in the event log), but it is still worth a try I suppose.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Assigned software deployment via GPO


Are you testing it on the same PC in the Production OU that you used in
the Test OU?

-Peter


 

Michael Wassell [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/06/2004 02:55 PM
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Assigned software deployment via GPO

 





Okay guys, I am at my wit's end here

I've been trying to distribute an .MSI package via GPO as an Assigned
application to an OU in AD.

Test environment:  Worked perfectly fine in my test environment, I
copied the install package to a share on the server, set permissions,
assigned the application to a GPO and that was it.  Worked perfectly
ever since.

Production environment:  Exact replica of permissions, shared folder
names, the file is the same, the usernames/security groups are different
and the name/properties of the GPO used to deploy the application are
different.
Will not work for the life of me.

Thinking that it might be a problem with the GPO I created a test OU and
blocked inheritance (without linking any other GPO's), test user
account, test GPO and assigned the application in the new GPO,
redeployed the application.  Still no go.  The deployment works fine if
the application is published, but my boss wants 0 user interaction (I.E.
install at logon).

The weirdest thing is that the event viewer shows that the application
is installed successfully, but it isn't actually installed anywhere (no
registry keys, or program files

RE: [ActiveDir] OT: Custom .ADM (Code Included)

2004-04-04 Thread Michael Wassell
Thank you for your advice Darren.
 
As a follow-up, this policy is being applied from a GPO which is linked to multiple 
OU's in the domain.  I have verified that the GPO's have replicated to both DC's, the 
GPO GUID is accessible from both DC's and all permissions have been set to allow 
authenticated users to read the GPO itself and the folder published from within the 
GPO for the assigned application.
 
I think that I've narrowed it down to permissions somewhere though, I linked the GPO 
to the IT OU which contains users with domain admin privileges and it seems to be 
working so that at least tells me that the GPO isn't being completely omitted.  I have 
run testing using GPMC (SP1) and everything seems to be testing fine so that's still 
confusing me, but Monday is a new day :-)
 
I have just finished rebooting both DC's, so we'll see what happens Monday morning.
 
Hope everyone is having a great weekend.



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Sat 4/3/2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)



Michael-
Anything is possible, so a DC reboot *might* help. A couple of
questions. Where are you defining this policy? Is it on a GPO linked to
someplace in AD or on the local GPO? If an AD-linked one, then have a
look on the DC that the workstation is authenticating to (echo
%logonserver% from the workstation). Look under
SYSVOL\domain\policies\guid of your GPO\ADM and see if the changes
you added to system.adm made it into that file. Also, look in that same
folder in the machine sub-folder for a file called registry.pol. That is
the file that holds any Admin Template policy you define. It's not quite a
text file, but you can open it in notepad nonetheless. You should see a
bunch of registry paths in there, which correspond to the settings
you've made. Look for the path you've defined to verify it's making it
into the pol file on that DC. If it's not, then look at the same file on
your PDC role holder DC to see if it's there. If it is, then you could
have an FRS replication problem. You could try manually copying the
registry.pol file from the PDC to the DC that your test workstation is
using and see if that fixes anything.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Friday, April 02, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

Does anyone think that a reboot of the DC might shed some light?

Not that it is even an option right now, but I might be able to sneak
one over the weekend 0:-)

I've seen stranger things happen and somehow everything comes back to
life when the DC is restarted...

Perfect example:  Boss' personal folder somehow caused explorer.exe to
stop responding from any computer when accessed (including the server it
was stored on).  However, the folder contents could be copied using
explorer, and a directory listing could be viewed from command prompt.
Restart the DC, BAM! (Emeril style) everything's fine.  I couldn't think
anything except WTF?!?!?!.  For anyone thinking it was probably because
the folder had/has a mass abundance of garbage files in it, it wasn't
that.  Viewing Open Files from the compmgmt snapin on the server
showed that desktop.ini was being accessed from within the folder by the
hung process, but even closing every instance didn't fix the problem.
That was the Monday surprise.

Sorry.  I had to vent.

2 more hours to go ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Friday, April 02, 2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

There must be something I'm doing wrong then... I have no idea what it
might be but it must be something

I guess I'll just go RSOP my brains out and hopefully I'll catch
something :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 02, 2004 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)





that really is odd

i took the text, pasted it into notepad, opened my local policy,
imported the adm, filtered the view, enabled it...and it created the
registry key fine...

are there other settings in the same policy that are getting applied?






Michael Wassell [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/02/2004 12:36 PM
Please respond to ActiveDir
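
The registry.pol check Darren describes in the message above, as an added example that is not part of the thread: a parser for the registry.pol (PReg) record layout that looks for the policy's key and value in the copy from the logon-server DC and in the copy from the PDC role holder. Both byte strings are constructed samples, the ExampleVendor entry and all function names are hypothetical, and the C:\temp data is the target folder named elsewhere in the thread.

```python
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4      # registry value type numbers
HEADER = b"PReg" + struct.pack("<I", 1)         # file signature + format version 1


def u16(text):
    """Encode text as UTF-16LE, the encoding registry.pol uses throughout."""
    return text.encode("utf-16-le")


def build_entry(key, value, reg_type, data):
    """Serialize one [key;value;type;size;data] record (used to build the samples)."""
    return b"".join([u16("["), u16(key + "\0"), u16(";"), u16(value + "\0"), u16(";"),
                     struct.pack("<I", reg_type), u16(";"),
                     struct.pack("<I", len(data)), u16(";"), data, u16("]")])


def parse_registry_pol(blob):
    """Return [(key, value_name, type, data_bytes), ...] from registry.pol bytes."""
    if blob[:8] != HEADER:
        raise ValueError("bad PReg header: not a version 1 registry.pol")
    pos, entries = 8, []

    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2

    def read_string():
        nonlocal pos
        start = pos
        while blob[pos:pos + 2] != b"\0\0":     # NUL-terminated, 2-byte code units
            if pos + 2 > len(blob):
                raise ValueError("unterminated string")
            pos += 2
        pos += 2
        return blob[start:pos - 2].decode("utf-16-le")

    def read_dword():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated DWORD")
        pos += 4
        return struct.unpack_from("<I", blob, pos - 4)[0]

    while pos < len(blob):
        expect("[")
        key = read_string()
        expect(";")
        value = read_string()
        expect(";")
        reg_type = read_dword()
        expect(";")
        size = read_dword()
        expect(";")
        if pos + size > len(blob):
            raise ValueError("data runs past end of file")
        data = blob[pos:pos + size]             # length-prefixed: may contain ; or ]
        pos += size
        expect("]")
        entries.append((key, value, reg_type, data))
    return entries


def decode(reg_type, data):
    """Turn raw value data into a str or int where the type is known."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    if reg_type == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data


def find_setting(entries, key, value_name):
    """Case-insensitive lookup, since registry paths are case-insensitive."""
    for k, v, reg_type, data in entries:
        if k.lower() == key.lower() and v.lower() == value_name.lower():
            return decode(reg_type, data)
    return None


def check_replication(logon_dc_pol, pdc_pol, key, value_name):
    """'ok', 'replication' (only the PDC copy has it) or 'not-in-gpo'."""
    if find_setting(parse_registry_pol(logon_dc_pol), key, value_name) is not None:
        return "ok"
    if find_setting(parse_registry_pol(pdc_pol), key, value_name) is not None:
        return "replication"
    return "not-in-gpo"


# Constructed samples: key and value name come from the ADM posted in the thread.
KEY = (r"Software\Microsoft\Windows NT\CurrentVersion\Print\Printers"
       r"\Lanfax for Outlook Printer\PrinterDriverData")
VALUE = "OutputDirectory"
OTHER = build_entry(r"Software\Policies\ExampleVendor", "SearchPath", REG_SZ,
                    u16("C:\\a;C:\\b]\0"))      # hypothetical, data contains ; and ]
TARGET = build_entry(KEY, VALUE, REG_SZ, u16("C:\\temp\0"))
PDC_POL = HEADER + OTHER + TARGET               # PDC copy has the new setting
LOGON_DC_POL = HEADER + OTHER                   # logon-server copy is stale

if __name__ == "__main__":
    print(check_replication(LOGON_DC_POL, PDC_POL, KEY, VALUE))
```

On a real system, read the bytes of registry.pol from the machine sub-folder of the GPO's folder in SYSVOL on each DC and pass them to check_replication.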

[ActiveDir] OT: Custom .ADM (Code Included)

2004-04-02 Thread Michael Wassell



In the process of building a custom .ADM file for controlling specific
registry keys.  The problem I am having is that it does not seem to be
modifying the key when the GPO is applied/enforced.  I've been pulling my
hair out all morning. I can't seem to see any reason why this would be
happening and I was hoping someone would be kind enough to enlighten me :-)

Maybe there is a permissions issue with GPO in the subkey I am trying to
modify?  I don't know...

TIA!

(Code below)
CLASS MACHINE

CATEGORY !!Deployed

CATEGORY !!EskerFax

POLICY !!EskerPrinterOutput
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\Lanfax for Outlook Printer\PrinterDriverData"
EXPLAIN !!PrinterOutputLocation_Help
PART !!PrinterOutputLocation EDITTEXT REQUIRED
VALUENAME "OutputDirectory"
END PART
END POLICY

END CATEGORY

END CATEGORY

[Strings]

Deployed="Deployed Software"
EskerFax="Esker Fax Client"

EskerPrinterOutput="Esker Fax Client Configuration"

PrinterOutputLocation_Help="Printer output temporary file location"
PrinterOutputLocation="Printer output temporary file location"

AcceptDefaultValue="Default Setting"
SpecifyTempLocation="Specify desired log location"


RE: [ActiveDir] OT: Custom .ADM (Code Included)

2004-04-02 Thread Michael Wassell



Unfortunately not in this case Roger 
:-(

Although, I do appreciate the advice. This particular 
printer is automatically created from an installer, which in turn creates the 
printer object underneath the HKLM hive. This allows for every user that 
logs into the workstation to have the printer automatically created, but 
unfortunately there is a bug causing the properties of the printer object to 
point to the %USERPROFILE%\Temp folder of the user that installed the 
client. Hence, insufficient rights when the user attempts to print to the 
printer object, which is why I'm trying to design the GPO to change the value in 
the registry to point to a folder all users have rights to 
(C:\temp).

Would this inconsistency prevent the .ADM from functioning properly?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 02, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

Printers are per-User configurations, not per system wide 
in general. Try this as a CLASS USER

-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 


  
  
  From: Michael Wassell [mailto:[EMAIL PROTECTED]
  Sent: Friday, April 02, 2004 10:37 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: Custom .ADM (Code Included)

  In the process of building a custom .ADM file for controlling specific
  registry keys.  The problem I am having is that it does not seem to be
  modifying the key when the GPO is applied/enforced.  I've been pulling my
  hair out all morning. I can't seem to see any reason why this would be
  happening and I was hoping someone would be kind enough to enlighten me :-)

  Maybe there is a permissions issue with GPO in the subkey I am trying to
  modify?  I don't know...

  TIA!

  (Code below)
  CLASS MACHINE

  CATEGORY !!Deployed

  CATEGORY !!EskerFax

  POLICY !!EskerPrinterOutput
  KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\Lanfax for Outlook Printer\PrinterDriverData"
  EXPLAIN !!PrinterOutputLocation_Help
  PART !!PrinterOutputLocation EDITTEXT REQUIRED
  VALUENAME "OutputDirectory"
  END PART
  END POLICY

  END CATEGORY

  END CATEGORY

  [Strings]

  Deployed="Deployed Software"
  EskerFax="Esker Fax Client"

  EskerPrinterOutput="Esker Fax Client Configuration"

  PrinterOutputLocation_Help="Printer output temporary file location"
  PrinterOutputLocation="Printer output temporary file location"

  AcceptDefaultValue="Default Setting"
  SpecifyTempLocation="Specify desired log location"


RE: [ActiveDir] OT: Custom .ADM (Code Included)

2004-04-02 Thread Michael Wassell



I'm sorry that may be a little confusing, let me clarify.

Client is installed as a separate account with local administrator
privileges.  This causes the properties in the printer object to be set
to C:\Documents and Settings\Administrator\Temp, when the user logs in
under their own username and attempts to print to that location, the
driver spools the print job, but the file is not created due to lack of
sufficient rights.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Friday, April 02, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

Unfortunately not in this case Roger 
:-(

Although, I do appreciate the advice. This particular 
printer is automatically created from an installer, which in turn creates the 
printer object underneath the HKLM hive. This allows for every user that 
logs into the workstation to have the printer automatically created, but 
unfortunately there is a bug causing the properties of the printer object to 
point to the %USERPROFILE%\Temp folder of the user that installed the 
client. Hence, insufficient rights when the user attempts to print to the 
printer object, which is why I'm trying to design the GPO to change the value in 
the registry to point to a folder all users have rights to 
(C:\temp).

Would this inconsistency prevent the .ADM from functioning properly?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 02, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

Printers are per-User configurations, not per system wide 
in general. Try this as a CLASS USER

-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 


  
  
  From: Michael Wassell [mailto:[EMAIL PROTECTED]
  Sent: Friday, April 02, 2004 10:37 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: Custom .ADM (Code Included)

  In the process of building a custom .ADM file for controlling specific
  registry keys.  The problem I am having is that it does not seem to be
  modifying the key when the GPO is applied/enforced.  I've been pulling my
  hair out all morning. I can't seem to see any reason why this would be
  happening and I was hoping someone would be kind enough to enlighten me :-)

  Maybe there is a permissions issue with GPO in the subkey I am trying to
  modify?  I don't know...

  TIA!

  (Code below)
  CLASS MACHINE

  CATEGORY !!Deployed

  CATEGORY !!EskerFax

  POLICY !!EskerPrinterOutput
  KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\Lanfax for Outlook Printer\PrinterDriverData"
  EXPLAIN !!PrinterOutputLocation_Help
  PART !!PrinterOutputLocation EDITTEXT REQUIRED
  VALUENAME "OutputDirectory"
  END PART
  END POLICY

  END CATEGORY

  END CATEGORY

  [Strings]

  Deployed="Deployed Software"
  EskerFax="Esker Fax Client"

  EskerPrinterOutput="Esker Fax Client Configuration"

  PrinterOutputLocation_Help="Printer output temporary file location"
  PrinterOutputLocation="Printer output temporary file location"

  AcceptDefaultValue="Default Setting"
  SpecifyTempLocation="Specify desired log location"


RE: [ActiveDir] OT: Custom .ADM (Code Included)

2004-04-02 Thread Michael Wassell



The registry is not being accessed at all from any of my attempts.  I've
even gone as far as to run a registry monitor to see if the registry is
even being accessed and it is not.  I have modified the system.adm file
(created by default) to include the code and forced the GPO that does not
apply either.  I haven't run the registry monitor during boot time, but I
have tried restarting numerous times and the registry is not changed in
any way.  I have modified the code to create a key also to see if the key
is created and it is not.

As a temporary solution (the application was only distributed to a
limited amount of users) I have made the modifications manually to my own
registry, extracted them and pushed them out to all of the workstations
that are having the problem.  Users have not been taught or instructed on
how to use the new software yet so I have a bit of time to toy with
thankfully.

Definitely a head scratcher


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 02, 2004 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)

Really... Hmm. Printers are generally profile specific, and 
the issue you're having sounds like it is user specific. Are you seeing the GPO 
get applied (verifying the registry settings) but they aren't working, or is the 
registry not being changed at all?

As 
far as permissions, I believe GPO's are applied as localsystem - so there 
shouldn't be a perms problem.

Not 
100% sure what to tell you - other than verify the registry is actually being 
changed.

Roger
-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 



  
  
  From: Michael Wassell [mailto:[EMAIL PROTECTED]
  Sent: Friday, April 02, 2004 12:58 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)
  
  Unfortunately not in this case Roger 
  :-(
  
  Although, I do appreciate the advice. This 
  particular printer is automatically created from an installer, which in turn 
  creates the printer object underneath the HKLM hive. This allows for 
  every user that logs into the workstation to have the printer automatically 
  created, but unfortunately there is a bug causing the properties of the 
  printer object to point to the %USERPROFILE%\Temp folder of the user that 
  installed the client. Hence, insufficient rights when the user attempts 
  to print to the printer object, which is why I'm trying to design the GPO to 
  change the value in the registry to point to a folder all users have rights to 
  (C:\temp).
  
  Would this inconsistency prevent the .ADM from functioning properly?


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Friday, April 02, 2004 12:50 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Custom .ADM (Code Included)
  
  Printers are per-User configurations, not per system wide 
  in general. Try this as a CLASS USER
  
  -- 
  Roger D. Seielstad 
  - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 
  
  
  


From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Friday, April 02, 2004 10:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Custom .ADM (Code Included)

In the process of building a custom .ADM file for controlling specific
registry keys.  The problem I am having is that it does not seem to be
modifying the key when the GPO is applied/enforced.  I've been pulling my
hair out all morning. I can't seem to see any reason why this would be
happening and I was hoping someone would be kind enough to enlighten me :-)

Maybe there is a permissions issue with GPO in the subkey I am trying to
modify?  I don't know...

TIA!

(Code below)
CLASS MACHINE

CATEGORY !!Deployed

CATEGORY !!EskerFax

POLICY !!EskerPrinterOutput
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\Lanfax for Outlook Printer\PrinterDriverData"
EXPLAIN !!PrinterOutputLocation_Help
PART !!PrinterOutputLocation EDITTEXT REQUIRED
VALUENAME "OutputDirectory"
END PART
END POLICY

END CATEGORY

END CATEGORY

[Strings]

Deployed="Deployed Software"
EskerFax="Esker Fax Client"

EskerPrinterOutput="Esker Fax Client Configuration"

PrinterOutputLocation_Help="Printer output temporary file location"
PrinterOutputLocation="Printer output temporary file location"

AcceptDefaultValue="Default Setting"
SpecifyTempLocation="Specify desired log location"


RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

2004-04-01 Thread Michael Wassell



http://www.microsoft.com/downloads/details.aspx?FamilyId=9A4C7AC3-185E-4644-9E98-4876B2A477E7&displaylang=en

I believe this is what you might be looking 
for?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, April 01, 2004 8:27 AM
To: [EMAIL PROTECTED]
Subject: Possible Spam:RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

It reports: The download you requested is unavailable. If you continue to
see this message when trying to access this download, you might try the
"Search for a Download" area on the Download Center home page.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 01, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide


This one works fine for me.
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en
Perhaps you're having line wrapping issues?

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 01, 2004 5:27 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

Link appears not to work [for me].  And I haven't been able to find the
updated doc on Microsoft's website.  Can anyone else get to this link.
(anxiously waiting...for almost a year now...)

Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com


"David Adner" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/31/2004 11:49 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

Enjoy.

Windows Server 2003 Active Directory Branch Office Guide
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en


RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

2004-04-01 Thread Michael Wassell



Oh.. so it is :-)

My mistake


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, April 01, 2004 8:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide


Michael, I think that's the old one, isn't it?


mc
-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 01, 2004 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

http://www.microsoft.com/downloads/details.aspx?FamilyId=9A4C7AC3-185E-4644-9E98-4876B2A477E7&displaylang=en

I believe this is what you might be looking for?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, April 01, 2004 8:27 AM
To: [EMAIL PROTECTED]
Subject: Possible Spam:RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

It reports: The download you requested is unavailable. If you continue to
see this message when trying to access this download, you might try the
"Search for a Download" area on the Download Center home page.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 01, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

This one works fine for me.
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en
Perhaps you're having line wrapping issues?

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 01, 2004 5:27 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

Link appears not to work [for me].  And I haven't been able to find the
updated doc on Microsoft's website.  Can anyone else get to this link.
(anxiously waiting...for almost a year now...)

Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com


"David Adner" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/31/2004 11:49 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

Enjoy.

Windows Server 2003 Active Directory Branch Office Guide
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en


[ActiveDir] OT: Desktop faxing solution

2004-03-18 Thread Michael Wassell



 
In the process of implementing a desktop faxing solution (Esker Fax
specifically) for current production environment. Esker Fax has a
customized form which allows direct interface with the server through
Outlook clients as one of their solutions. The form has the ability to
address a fax directly to "Contact" objects with a "Business Fax" value entered,
which works similar to the standard Outlook form to create an email.

There are also separate solutions to include entering specific syntax into the
"To" field (eg. (faxnumber)@fax.server.com) of the standard Outlook email form.
Another is rolling out a customized Esker Fax client (via GPO) to the client PCs
which installs a printer object that converts any document into many different
faxable formats and uses either the standard Outlook form or the customized
Esker form. Currently we are looking to use a combined solution to include
multiple different methods for interface with the faxing server for ease of use.
Of course however, we are evaluating what would be the easiest/best way to
implement with minimal user interaction required.

Problem/Question:

The solution that stumps me is creating some form of "Universal Contact" medium
to be used from within Outlook for the client PCs. The Esker Fax client does
offer its own Address Book to be used, but it does not integrate well with
Outlook clients and is not geared for what I am trying to accomplish.

My ideas so far are:

1.
 A. Create a public folder to store contact objects and assign Author
    permissions to managers/supervisors
 B. Develop an automated solution to add the folder to the workstation's
    Address Book list if possible.

2.
 A. Create a public folder to store contact objects and assign Author
    permissions to managers/supervisors
 B. Configure a GAL query to query the public folder and populate with contacts
    containing a "Business Fax" object class if possible (too much overhead?)

If anyone else has any input and/or constructive criticisms I'm all ears :-)

Thanks!


[ActiveDir] gc._mscdcs PTR Record

2004-03-08 Thread Michael Wassell



I don't mean to be 
rude to anyone. Please excuse the double post, this still has me very 
confused so I thought I would repost it for anyone who may not have seen my 
previous post this past Friday:

Recently I've done some work for the company 
rebuilding the DC's for concerns of naming conventions including a "_" 
character. Everything seems to have gone smoothly with the exception of 1 
thing that I've recently noticed. In the reverse DNS zone there is a 
record containing reference to gc._msdcs.(domainname) which refers to the IP of 
the server I transferred the GC role to during the time I was rebuilding the 
original holder of the GC and all FSMO roles. This server is no longer a 
GC and I was wondering if this may be having an unseen effect on 
authentication. Also, I'm not even sure that that record should exist in 
the reverse DNS zone? Any help is greatly appreciated.


RE: [ActiveDir] gc._mscdcs PTR Record

2004-03-08 Thread Michael Wassell



Okay it looks like I may have found a resolution to my own 
question. For whatever reason dynamic updates were not enabled for the 
reverse DNS zone, so I've enabled secure only updates for that zone and we'll 
see what happens on the next replication.

Again, my apologies for the double post. Guess I
jumped the gun a little bit :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Monday, March 08, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] gc._mscdcs PTR Record

I don't mean to be 
rude to anyone. Please excuse the double post, this still has me very 
confused so I thought I would repost it for anyone who may not have seen my 
previous post this past Friday:

Recently I've done some work for the company 
rebuilding the DC's for concerns of naming conventions including a "_" 
character. Everything seems to have gone smoothly with the exception of 1 
thing that I've recently noticed. In the reverse DNS zone there is a 
record containing reference to gc._msdcs.(domainname) which refers to the IP of 
the server I transferred the GC role to during the time I was rebuilding the 
original holder of the GC and all FSMO roles. This server is no longer a 
GC and I was wondering if this may be having an unseen effect on 
authentication. Also, I'm not even sure that that record should exist in 
the reverse DNS zone? Any help is greatly appreciated.


[ActiveDir] Folder redirection via GPO

2004-03-01 Thread Michael Wassell






Good morning everyone;


Previously a GPO had been configured to redirect users' My Documents folders to a network location. This option requires specifying the full UNC path to the server which is to store the data (\\(servername)\(sharename)). As of this past weekend the server which was being used to store the user data was renamed and the UNC name specified in the GPO had been updated to reflect the new server name.

Problem:


The problem seems to be that the GPO is not updating the clients to reflect the new server name. I thought that it might be the fact that a separate GPO was restricting users from changing the path of their My Documents folder, I also thought that it may be the fact that the Properties setting was removed from the context menu for My Documents. Disabling both of these options has not solved the issue. I have also tested the setting by creating a new OU with a new user account and disabling all GPO settings except folder redirection and there still seems to be a problem. I have implemented a temporary solution to effectively force redirection by using the login script to overwrite the registry key with the new location, but this will become tedious further on if a new user is created by not automatically creating their user shares. Another thing worth mentioning may be that the majority of client PC's are using Windows 2000.

I apologize if this is not clear in advance, if anyone would like further detail please ask and I will do my best to answer.

Thanks!


Michael





[ActiveDir] KDC Change

2004-02-28 Thread Michael Wassell






I'm in the process of demoting a DC in a Windows 2003 domain which was a roleholder for all FSMO roles. I have moved every role (including GC) to the new DC which is going to be the temporary role holder until the previous DC is rebuilt. Running a dcdiag /v shows that the only role referring to the previous DC is the KDC Name role. I am thinking that this has something to do with Kerberos authentication but I am unaware of any method to change the role. I will be researching a solution before I demote the DC of course but I thought that someone may be able to shed some light :-)

Have a great weekend everyone!





RE: [ActiveDir] KDC Change

2004-02-28 Thread Michael Wassell



Okay I've resolved my own question. A second domain 
controller being present having all FSMO roles transferred means that clients 
will continue to be able to authenticate regardless of the fact that the 
previous FSMO role holder is demoted. I guess it never hurts to have 
someone expand on it though :-)

Please anyone feel free to give your 
$.02.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Saturday, February 28, 2004 12:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KDC Change

I'm in the process of demoting a DC in a Windows 2003 
domain which was a roleholder for all FSMO roles. I have moved every role 
(including GC) to the new DC which is going to be the temporary role holder 
until the previous DC is rebuilt. Running a dcdiag /v shows that the only 
role referring to the previous DC is the "KDC Name" role. I am thinking 
that this has something to do with Kerberos authentication but I am unaware of 
any method to change the role. I will be researching a solution before I 
demote the DC of course but I thought that someone may be able to shed some 
light :-)
Have a great weekend everyone! 



RE: [ActiveDir] Suppress reboot of windows update???

2004-02-19 Thread Michael Wassell



I don't believe SUS uses a "client" portion, the updates 
are automatically distributed to client PC's via administrative shares and
then are executed via RPC. The option not to automatically restart can 
also be specified via GPO rather than manually entering a registry value on each 
of the clients. But if GPO isn't an option I can see why you might be 
needing to do something like that :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, February 19, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Suppress reboot of windows update???

Does the SUS automatic update client have to be installed for this registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\
to be present, or should it be there with the generic Automatic Update also? I
don't have a SUS server (or client) in my environment, and don't see this in my
registry. Sorry for questions that many probably think should be common
knowledge, but I can't find the answer anywhere else, and you guys have been
VERY helpful other times that I have asked questions.

Thank 
you, 
Doug


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Friday, February 13, 2004 9:48 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Suppress reboot of windows update???

  http://www.susserver.com/FAQs/FAQ-AutoUpdateSettings.asp

  The setting you want is called NoAutoRebootWithLoggedOnUsers
  
  
  
  -- 
  Roger D. Seielstad 
  - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 
  
  

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 12, 2004 2:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Suppress reboot of windows update???

Is there an easy way to suppress the "automatic rebooting" of Windows Update,
when automatically download and install is the selected method? It would really
be nice if it automatically downloaded and installed, but required the user to
click a button to reboot, instead of it just rebooting in 5 minutes. Seems
there is a key that I could just add through GP to do this. Any help is
highly appreciated.

2000 SP4 domain
XP SP1a clients


RE: [ActiveDir] Suppress reboot of windows update???

2004-02-19 Thread Michael Wassell



Sorry, please ignore my last response. My head was in
another place and I haven't had any coffee yet :-P


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay Perrine
Sent: Thursday, February 19, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Suppress reboot of windows update???

There is a group policy that will do this. You have to add 
the ADM file for SUS, but when you do, the policy becomes available. Then 
you can set the suppress reboot with the policy.

Clay Perrine, MCSE
Microsoft Active Directory Support. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, February 19, 2004 8:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Suppress reboot of windows update???

Does the SUS automatic update client have to be installed for this registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\
to be present, or should it be there with the generic Automatic Update also? I
don't have a SUS server (or client) in my environment, and don't see this in my
registry. Sorry for questions that many probably think should be common
knowledge, but I can't find the answer anywhere else, and you guys have been
VERY helpful other times that I have asked questions.

Thank 
you, 
Doug


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Friday, February 13, 2004 9:48 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Suppress reboot of windows update???

  http://www.susserver.com/FAQs/FAQ-AutoUpdateSettings.asp

  The setting you want is called NoAutoRebootWithLoggedOnUsers
  
  
  
  -- 
  Roger D. Seielstad 
  - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 
  
  

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 12, 2004 2:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Suppress reboot of windows update???

Is there an easy way to suppress the "automatic rebooting" of Windows Update,
when automatically download and install is the selected method? It would really
be nice if it automatically downloaded and installed, but required the user to
click a button to reboot, instead of it just rebooting in 5 minutes. Seems
there is a key that I could just add through GP to do this. Any help is
highly appreciated.

2000 SP4 domain
XP SP1a clients


RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-19 Thread Michael Wassell



I have used the Exchange 2003 Migration Wizard (bundled
with the installation), granted that my migration scenario was Exchange 2000
-> Exchange 2003, but I don't suppose there would be much difference as far as
the IS is concerned.

The only dilemma involved was the period of downtime while 
the migration was taking place, the emails received destined for user mailboxes 
after the migration had taken place for that mailbox but before DNS had been 
updated to reflect the new MX record were lost. The migration took place 
on a Saturday afternoon so it was projected to be few if any messages to be 
lost, but the possibility was there.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: Thursday, February 19, 2004 10:19 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2003 Migration Question

I know this isn't quite an Active Directory question...

I am working on finding a way to migrate private mailboxes and public folders
stored in an Exchange 5.5 server to an Exchange 2003 server. The Exchange
Organization is different for both servers. The user accounts that were
associated with the mailboxes in the Exchange 5.5 have been migrated to the new
ADS running on Windows 2003 with the SIDHistory intact.

Can any one give me suggestions on what has worked for you to migrate accounts
in a situation similar to this? I am looking for anything...even if it will
cost me money.

Thanks,
Kent

---
This e-mail is intended for the use of the addressee (s) only and may contain
privileged, confidential, or proprietary information that is exempt from
disclosure under law. If you have received this message in error, please inform
us promptly by reply e-mail, then delete the e-mail and destroy any printed
copy. Thank you.


RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-19 Thread Michael Wassell



They were in 2 separate domains in 2 separate forests,
therefore not in the same exchange organization.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 19, 2004 12:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 2003 Migration Question


Why would you lose e-mails, since both are in the same exchange organization,
SMTP and the IMS/MTA should have been able to deliver e-mails to anyone
regardless of which server was sent the message based on what version of the MX
record the sender used.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 Migration Question

I have used the Exchange 2003 Migration Wizard (bundled with the installation),
granted that my migration scenario was Exchange 2000 -> Exchange 2003, but I
don't suppose there would be much difference as far as the IS is concerned.

The only dilemma involved was the period of downtime while the migration was
taking place, the emails received destined for user mailboxes after the
migration had taken place for that mailbox but before DNS had been updated to
reflect the new MX record were lost. The migration took place on a Saturday
afternoon so it was projected to be few if any messages to be lost, but the
possibility was there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: Thursday, February 19, 2004 10:19 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2003 Migration Question

I know this isn't quite an Active Directory question...

I am working on finding a way to migrate private mailboxes and public folders
stored in an Exchange 5.5 server to an Exchange 2003 server. The Exchange
Organization is different for both servers. The user accounts that were
associated with the mailboxes in the Exchange 5.5 have been migrated to the new
ADS running on Windows 2003 with the SIDHistory intact.

Can any one give me suggestions on what has worked for you to migrate accounts
in a situation similar to this? I am looking for anything...even if it will
cost me money.

Thanks,
Kent

---
This e-mail is intended for the use of the addressee (s) only and may contain
privileged, confidential, or proprietary information that is exempt from
disclosure under law. If you have received this message in error, please inform
us promptly by reply e-mail, then delete the e-mail and destroy any printed
copy. Thank you.


RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-19 Thread Michael Wassell



You're welcome. I'm sorry I didn't clarify that :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 19, 2004 1:23 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 2003 Migration Question


Oh okay, thanks

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 1:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 Migration Question

They were in 2 separate domains in 2 separate forests, therefore not in the
same exchange organization.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 19, 2004 12:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 2003 Migration Question

Why would you lose e-mails, since both are in the same exchange organization,
SMTP and the IMS/MTA should have been able to deliver e-mails to anyone
regardless of which server was sent the message based on what version of the MX
record the sender used.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 Migration Question

I have used the Exchange 2003 Migration Wizard (bundled with the installation),
granted that my migration scenario was Exchange 2000 -> Exchange 2003, but I
don't suppose there would be much difference as far as the IS is concerned.

The only dilemma involved was the period of downtime while the migration was
taking place, the emails received destined for user mailboxes after the
migration had taken place for that mailbox but before DNS had been updated to
reflect the new MX record were lost. The migration took place on a Saturday
afternoon so it was projected to be few if any messages to be lost, but the
possibility was there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: Thursday, February 19, 2004 10:19 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2003 Migration Question

I know this isn't quite an Active Directory question...

I am working on finding a way to migrate private mailboxes and public folders
stored in an Exchange 5.5 server to an Exchange 2003 server. The Exchange
Organization is different for both servers. The user accounts that were
associated with the mailboxes in the Exchange 5.5 have been migrated to the new
ADS running on Windows 2003 with the SIDHistory intact.

Can any one give me suggestions on what has worked for you to migrate accounts
in a situation similar to this? I am looking for anything...even if it will
cost me money.

Thanks,
Kent

---
This e-mail is intended for the use of the addressee (s) only and may contain
privileged, confidential, or proprietary information that is exempt from
disclosure under law. If you have received this message in error, please inform
us promptly by reply e-mail, then delete the e-mail and destroy any printed
copy. Thank you.


[ActiveDir] Stale UUID's created by replication

2004-02-18 Thread Michael Wassell




I'm sure 
this is true, but does the AD Garbage Collection process clean up stale UUID's 
left by demoted DC's from replication?


[ActiveDir] IE6 SP1 MSI Wrapper

2004-02-16 Thread Michael Wassell




As mentioned in: http://support.microsoft.com/default.aspx?scid=kb;en-us;810011

Does anyone have another source for this package? I would much prefer
downloading the package through an external source as opposed to having to jump
over hurdles to get to the right person at MS.




RE: [ActiveDir] IE6 SP1 MSI Wrapper

2004-02-16 Thread Michael Wassell
Works for me :-)

Thanks. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IE6 SP1 MSI Wrapper

> I would much prefer downloading the package through an external source
I have one. But how would you know it's clean? Will you check to be sure it's not
Trojanized?

> jump over hurdles to get to the right person at MS
There is no hurdle to jump through. You call MS (since you are in the US, try
800-936-4900), you pick the option for hotfix, you get directly to a live person.
You give the person the Q article number. The person sends you whatever you need. QED
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Michael Wassell
Sent: Mon 2/16/2004 7:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] IE6 SP1 MSI Wrapper


As mentioned in:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810011
 
Does anyone have another source for this package?  I would much prefer downloading the 
package through an external source as opposed to having to jump over hurdles to get to 
the right person at MS.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Stale GPO GUID in SYSVOL

2004-02-11 Thread Michael Wassell



Following up to my own question, I found this KB article 
this morning. Might be good to have on hand for anyone if they were to run 
into this sort of situation.

Took a lot of digging :-)

http://support.microsoft.com/default.aspx?scid=kb;EN-US;216359


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, February 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Stale GPO GUID in SYSVOL

This is going to be 
hard to explain but I thought I would give it a shot and put it in a 
nutshell.

Before I started my 
position the previous admin decided to rollout internal software using 
GPO. A mistake was made and an attempted rollback was performed. The 
GPO was then deleted by the rollback process, but the process errored out and 
the GUID remained within SYSVOL. This caused the original software 
packages which were being published by the deleted GPO to continue distributing 
to the clients, but the GPO could not be modified through the Group Policy 
Editor snap-in. I researched the issue and could not seem to find any 
relevant KB articles or mention of this problem happening in any other 
environments, which meant the range of solutions were unfortunately few. 
The easiest solution was to of course delete the files which were being 
published but that was highly unfavourable from an administration 
standpoint.

But, to make a long story short. That problem was "patched up" at best (by
creating a new default GPO and forcing no override), a domain migration was
planned from the existing Windows 2000 AD structure to a separate domain using
a Windows 2003 AD structure. Which pretty much meant the stale GPO GUID and
messy schema went out the window with the previous structure. Fine and dandy,
although it seems the GPO still appears in the workstations rsop. This isn't
causing any problem, and is only a result of my being anal. Does anyone
have any idea what my next step could be in removing this curse?

Hope this all makes 
sense!

Thanks!


RE: [ActiveDir] ADUC - User logon name (is empty)

2004-02-09 Thread Michael Wassell



I believe if you browse through ADSI Edit you will be able 
to extract the pre-Win2k login name field and the field you wish to populate 
using LDIFDE (Included in the Windows 20/03 ResKit) and change the values in the 
exported plain-text file and import afterwards.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADUC - User logon name (is empty)


Hey, guys this is my first? On here 
so here we go. 


AD users and computers -> User account properties -> Accounts tab.

User logon name (field) is empty but the User logon name (pre-windows 2000) has
the proper user account name.

Is there anything that would allow me to copy the pre windows 2000 field which
holds the user account name, to the User log on name field (where it should be).

I think we have been running into authentication issues because that field
isn't populated. I.e. Isa server prompts for username and password to get
outside access and AD account info should be used to authenticate, I believe
it's due to the User log on name field being blank.



Thanks for your 
time,
Phil
This electronic mail and any attachments are intended 
only for the use of the intended recipient and may contain trade secrets, 
privileged or otherwise confidential information. Unauthorized review, use or 
dissemination of this electronic mail or the information contained herein or 
attached hereto by any person other than the intended recipient is prohibited. 
If you have received this message in error, or believe you are not authorized to 
receive this message, please contact: 
Yellow Book USA Help Desk at 
[EMAIL PROTECTED]
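
The LDIFDE round trip suggested in the reply above (export, edit the plain-text file, import), as an added example that is not part of the original post: a Python script that reads an LDIF export and writes `changetype: modify` records setting userPrincipalName from sAMAccountName only where it is missing. The sample export, the example.local suffix, the logon-name allow-list and all function names are assumptions made for illustration.

```python
"""Turn an LDIF export into a modify file that fills missing userPrincipalName."""
import base64
import re

# Conservative allow-list for logon names (an assumption of this example).
SAFE_SAM = re.compile(r"[A-Za-z0-9._-]{1,20}")

# Constructed sample export (not from the thread): dn, sAMAccountName and,
# where set, userPrincipalName for each account.
JURGEN_DN = "CN=Jürgen Test,OU=Staff,DC=example,DC=local"
SAMPLE_EXPORT = "\n".join([
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=local",
    "changetype: add",
    "sAMAccountName: aexample",
    "",
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=local",
    "changetype: add",
    "sAMAccountName: bexample",
    "userPrincipalName: bexample@example.local",
    "",
    # Non-ASCII DN, carried base64-encoded ("dn::").
    "dn:: " + base64.b64encode(JURGEN_DN.encode("utf-8")).decode("ascii"),
    "changetype: add",
    "sAMAccountName: jtest",
    "",
    # Long DN folded onto a continuation line (leading space).
    "dn: CN=Long Name,OU=A Very Long Organisational Unit Name,OU=Staff,DC=exam",
    " ple,DC=local",
    "changetype: add",
    "sAMAccountName: lname",
    "",
    # Carol already holds the UPN that Dave's logon name would produce.
    "dn: CN=Carol Example,OU=Staff,DC=example,DC=local",
    "changetype: add",
    "sAMAccountName: cexample",
    "userPrincipalName: dexample@example.local",
    "",
    "dn: CN=Dave Example,OU=Staff,DC=example,DC=local",
    "changetype: add",
    "sAMAccountName: dexample",
    "",
    "dn: CN=Backup Service,OU=Service,DC=example,DC=local",
    "changetype: add",
    "sAMAccountName: svc backup",
    "",
])


def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per record."""
    # A line that starts with a single space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    records = []
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        record = {}
        for line in block.splitlines():
            match = re.match(r"^([A-Za-z0-9;-]+)(::?) ?(.*)$", line)
            if not match or line.startswith("#"):
                continue
            name, sep, value = match.groups()
            if sep == "::":  # "attr:: value" means the value is base64
                value = base64.b64decode(value).decode("utf-8")
            record.setdefault(name.lower(), []).append(value)
        if "dn" in record:
            records.append(record)
    return records


def ldif_line(name, value):
    """Format one attribute line, base64-encoding what plain LDIF cannot carry."""
    plain = (value != "" and value.isascii() and value == value.strip(" ")
             and not value.startswith((":", "<"))
             and not any(c in value for c in "\r\n\0"))
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_upn_fix(export_text, upn_suffix):
    """Return (ldif_text, skipped); skipped is a list of (dn, reason) pairs."""
    records = parse_ldif(export_text)
    # UPNs already present in the export; generated names must not collide.
    taken = {u.lower() for r in records for u in r.get("userprincipalname", [])}
    out, skipped = [], []
    for rec in records:
        dn = rec["dn"][0]
        if rec.get("userprincipalname"):
            continue  # already populated: leave the account untouched
        sam = (rec.get("samaccountname") or [""])[0]
        if not SAFE_SAM.fullmatch(sam):
            skipped.append((dn, "missing or unexpected sAMAccountName"))
            continue
        upn = f"{sam}@{upn_suffix}"
        if upn.lower() in taken:
            skipped.append((dn, "UPN already in use: " + upn))
            continue
        taken.add(upn.lower())
        # "add:" rather than "replace:" so the import fails instead of
        # overwriting if a value appeared after the export was taken.
        out += [ldif_line("dn", dn), "changetype: modify",
                "add: userPrincipalName",
                ldif_line("userPrincipalName", upn), "-", ""]
    return "\n".join(out), skipped


if __name__ == "__main__":
    ldif_text, skipped_accounts = build_upn_fix(SAMPLE_EXPORT, "example.local")
    print(ldif_text)
    for dn, reason in skipped_accounts:
        print(f"# skipped {dn}: {reason}")
```

Review the generated file and the skipped list before importing it with `ldifde -i -f`, and try it against a test OU first.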


RE: [ActiveDir] ADUC - User logon name (is empty)

2004-02-09 Thread Michael Wassell



I think the problem you may be having Phil is that 
("ADsPath") may need a value specified. Here is a link from MSDN 
explaining the syntax of ADsPath.

http://msdn.microsoft.com/library/default.asp?url="">





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADUC - User logon name (is empty)

Thanks for all the help all,

I don't think the user log on name is related to the isa server issue some
pointed this out to me.

JOE P. I like your script looks good, only wish I could get past that line 22
error I keep getting in my test box with it. But I'll work on figuring it out;
it can't be that hard to find the problem.

PS. I love this mailing list thing.




From: Joe Pochedley [mailto:[EMAIL PROTECTED]
Sent: Monday, February 09, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADUC - User logon name (is empty)

This is very common in domains that were upgraded from NT4. The new Login name
is called the Universal Principal Name (UPN) and basically allows the user to
specify an email style login ([EMAIL PROTECTED]) instead of the NT4 style
Username, Password, Domain ( or Domain\Username) style... Here's a script that
I wrote that will do exactly what you want...

Be sure to replace the YourDomain and local entries with your actual domain
name for the LDAP query and the UPN suffix areas (in the ObjUserUPN= line) Also
be sure to change the path to the logfile to a directory you have available...

If you want to see what items are going to be changed, comment out the line
with " objUser.SetInfo " by putting a ' at the beginning, then you can review
the logfile to see the changes.

Finally, I don't believe that ISA server relies on the UPN name being present
for authentication, so I don't know if this will help your problem (we ran ISA
just fine without UPN names for many months).

(Watch for wrapping!)

' --- Begin Script here

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

' Log of every account that gets a UPN
logfile = "C:\TEMP\BatchAddUPN.log"

Set fso = CreateObject("Scripting.FileSystemObject")
Set fsOut = fso.OpenTextFile(logfile, ForAppending, True)

' ADO connection through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Search base; filter; attributes; scope
objCommand.CommandText = "<LDAP://dc=YourDomain,dc=local>;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "ADsPath;subtree"
objCommand.Properties("Page Size") = 1
Set objRecordSet = objCommand.Execute

' Set the UPN from the pre-Windows 2000 logon name where it is empty
While Not objRecordset.EOF
    strADsPath = objRecordset.Fields("ADsPath")
    Set objUser = GetObject(strADsPath)
    If objUser.userPrincipalName = "" Then
        ObjUserUPN = objUser.samaccountname & "@YourDomain.local"
        fsOut.WriteLine (objUser.name & " UPN Set to ") & ObjUserUPN
        objuser.Put "userPrincipalName", ObjUserUPN
        objUser.SetInfo
    End if
    objrecordset.MoveNext
Wend

objConnection.Close
fsOut.Close
WScript.Echo "Script Complete!"

' End of Script

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, February 09, 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADUC - User logon name (is empty)

Hey, guys this is my first? On here so here we go.

AD users and computers -> User account properties -> Accounts tab.

User logon name (field) is empty but the User logon name (pre-windows 2000) has
the proper user account name.

Is there anything that would allow me to copy the pre windows 2000 field which
holds the user account name, to the User log on name field (where it should be).

I think we have been running into authentication issues because that field
isn't populated. I.e. Isa server prompts for username and password to get
outside access and AD account info should be used to authenticate, I believe
it's due to the User log on name field being blank.



Thanks for your 
time,
Phil

This electronic mail and any 
attachments are intended only for the use of the intended recipient and may 
contain trade secrets, privileged or otherwise confidential information. 
Unauthorized review, use or dissemination of this electronic mail or the 
information contained herein or attached hereto by any person other than the 
intended recipient is prohibited. If you have received this message in error, or 
believe you are not authorized to receive this message, please contact: 

Yellow Book USA Help Desk at 
[EMAIL PROTECTED]

RE: [ActiveDir] computer account issues

2004-02-06 Thread Michael Wassell
A little bit unclear, but I have browsed through the Microsoft KB
regarding that event id and this article was a match.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

Search in the page for 5723 (without quotes).  It is under the
digitally sign communication (always) category.  That may be a first
step to determining the cause?

I also noticed that this error can be generated by SQL Server.

Is this error being generated in the event log on the server?  Or on the
machine itself? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 06, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] computer account issues

good morning list,

I am getting a weird problem lately. Our AD architecture is made of 1
forest, 1 domain, 4 sites spanned through WAN links. There are approx.
2500 nodes in the forest, there are 2 DCs at each site, a DC is
configured as GC at each site.

Randomly, with no apparent recurrent pattern, we get the eventID
5723(netlogon) error from some machines (I would say some 4-5 a day). 

--

The session setup from the computer computer name failed because there
is no trust account in the security database for this computer. The name
of the account referenced in the security database is computer name$.

The error code is 0xC18B

--

The client is not able to authenticate to the DC anymore. The only (to
me) known resolution is to rejoin the machine to the domain.

Would anyone suggest me a resolution, or correct steps for
troubleshooting?

I've already checked on eventid.net, and it looks like none of the
suggestions is relevant to my architecture. We're running a native mode
Windows 2000 domain.

The error code states that the computer account has been deleted. How
can this happen? How can I audit operation attempts on computer
accounts?

Thanks!!

Alex

 

 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
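
The auditing question at the end of the quoted post gets no answer on this page, so here is an added example (not code from any poster) that matches each Netlogon 5723 on a DC against the last account-management event audited for the same computer account. It assumes "Audit account management" is enabled so the DCs' Security logs record the computer-account events; the pipe-delimited export format and every host, account and user name in the sample are constructed.

```python
from datetime import datetime

# Security-log event IDs for computer-account management. The 6xx IDs are the
# Windows 2000/2003 numbers; the 47xx IDs are the later equivalents.
ACCOUNT_MGMT = {645: "created", 4741: "created",
                646: "changed", 4742: "changed",
                647: "deleted", 4743: "deleted"}
NETLOGON_NO_TRUST_ACCOUNT = 5723  # System log on the DC, as quoted in the thread

# Constructed sample, one event per line: time|log|event id|account|actor.
# Security logs are per-DC, so a real export has to merge the logs of all DCs.
SAMPLE_EVENTS = r"""
2004-02-05 09:12:44|Security|647|WS-0412$|CORP\helpdesk3
2004-02-05 17:30:02|Security|646|WS-0731$|CORP\WS-0731$
2004-02-06 08:01:10|System|5723|WS-0412$|
2004-02-06 08:15:33|System|5723|ws-0588|
2004-02-06 08:40:00|System|5723|WS-0731$|
"""


def normalize(account):
    """Compare machine accounts case-insensitively and with the trailing '$'."""
    account = account.strip().upper()
    return account if account.endswith("$") else account + "$"


def parse_events(text):
    """Turn the exported lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, log, event_id, account, actor = line.strip().split("|")
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "log": log,
            "id": int(event_id),
            "account": normalize(account),
            "actor": actor or None,
        })
    return sorted(events, key=lambda e: e["time"])


def explain_5723(events):
    """For every 5723, report the last audited change to that account.

    Verdicts:
      deleted          - the audit trail shows who removed the account
      created/changed  - the account existed when last audited, so deletion
                         is not the explanation the logs support
      no-audit-trail   - nothing audited; check the audit policy and whether
                         every DC's Security log was collected
    """
    last_change = {}  # account -> most recent account-management event
    findings = []
    for ev in events:
        if ev["log"] == "Security" and ev["id"] in ACCOUNT_MGMT:
            last_change[ev["account"]] = ev
        elif ev["log"] == "System" and ev["id"] == NETLOGON_NO_TRUST_ACCOUNT:
            prior = last_change.get(ev["account"])
            if prior is None:
                verdict, actor = "no-audit-trail", None
            else:
                verdict, actor = ACCOUNT_MGMT[prior["id"]], prior["actor"]
            findings.append((ev["time"], ev["account"], verdict, actor))
    return findings


if __name__ == "__main__":
    for when, account, verdict, actor in explain_5723(parse_events(SAMPLE_EVENTS)):
        print(f"{when}  {account:<10} {verdict:<15} {actor or '-'}")
```
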




RE: [ActiveDir] computer account issues

2004-02-06 Thread Michael Wassell
From reading the detailed error messages it would seem that the workstations are 
timing out for one reason or another when synchronizing, you may want to research 
increasing timeout values for network services (Browser service, Server service 
etc.).  Also, have you attempted to verify server communication via the WAN links to 
verify that there are no timeout issues occurring?  Try pinging with an -l switch to 
increase the ICMP data being sent with the -t switch and watch for any timeouts or 
significant ping response time increases.

Something you might want to consider is implementing independent child domains for 
each of your sites.  I believe it would significantly decrease your network traffic 
across your WAN links to allow for more prioritized processing of network traffic to 
take place.  However, that would likely be a large project so a more temporary 
solution would be to determine the cause of the current issue.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 06, 2004 10:00 AM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] computer account issues

 Thanks for the reply and sorry for being unclear.
The eventID 5723 as per my previous post is generated on the domain controller.
These are the events generated on the client side (please note they were translated 
from a non-English system; hopefully they're clear enough):

Source: LSASRV
Category: SPNEGO
EventID: 40961
Protection System could not establish a secured connection with server 
cifs/dc.domain.local. No authentication protocol was available

Source: NETLOGON
Category: None
EventID: 5721
Session installation on Windows NT or Windows 2000 domain controller \\dc.domain.local 
was unsuccesful because domain controller has no computer account for the computer 
computername

Source: W32time
Category: none
EventID: 18
NtpClient time provider was unable to establish a trust relation from this machine to 
domain domain.local in order to syncronize time in protected mode. Trust relation 
between this workstation and the primary domain was unsuccesful (0x800706FD).

One of the DCs has a SQL server to support an SMS 2.0 installation but I can't figure 
out any interactions with a client authentication.
I am about to thoroughly read the Q article you suggested to me. From a quick check, the 
only relevant policy I could find is microsoft network server:
digitally sign up communication if client agrees set ENABLED on the default DC policy.
I have been working on this issue for a short time. People working here for longer 
say this might have happened exclusively (or mainly) on winXP workstations, but take 
this as an unreliable piece of information.
Please let me know if you need more detailed information. I appreciate your support.
Thanks!!





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael 
 Wassell
 Sent: Friday, February 6, 2004 15:09
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] computer account issues
 
 A little bit unclear, but I have browsed through the Microsoft KB 
 regarding that event id and this article was a match.
 
 http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
 
 Search in the page for 5723 (without quotes).  It is under the 
 digitally sign communication (always) category.  That may be a first 
 step to determining the cause?
 
 I also noticed that this error can be generated by SQL Server.
 
 Is this error being generated in the event log on the server? 
  Or on the machine itself? 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
 Sent: Friday, February 06, 2004 8:43 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] computer account issues
 
 good morning list,
 
 I am getting a weird problem lately. Our AD architecture is made of 1 
 forest, 1 domain, 4 sites spanned through WAN links. There are approx.
 2500 nodes in the forest, there are 2 DCs at each site, a DC is 
 configured as GC at each site.
 
 Randomly, with no apparent recurrent pattern, we get the eventID
 5723(netlogon) error from some machines (I would say some 4-5 a day). 
 
 --
 
 The session setup from the computer computer name failed because 
 there is no trust account in the security database for this computer. 
 The name of the account referenced in the security database is 
 computer name$.
 
 The error code is 0xC18B
 
 --
 
 The client is not able to authenticate to the DC anymore. The only (to
 me) known resolution is to rejoin the machine to the domain.
 
 Would anyone suggest me a resolution, or correct steps for 
 troubleshooting?
 
 I've already checked on eventid.net, and it looks like none of the 
 suggestions is relevant to my architecture. We're running a native 
 mode Windows 2000 domain.
 
 The error code states that the computer account has been deleted. How 
 can this happen? How can I audit operation attempts on computer

RE: [ActiveDir] Moved DC out of DMZ

2004-02-06 Thread Michael Wassell
Not a bad idea... lol 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Friday, February 06, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ

Speaking of beer.. a sampler platter tonight at Applebee's sounds great!
I really love those riblets!!

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ


Sounds like you're doing pretty well over there, well done.  And you
thought you'd be spending the weekend on it :)

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ

Never mind... duh. I figured it out. 
(It's a 2 cup morning...)  :^)

-Original Message-
From: Frank Buechler
Sent: Friday, February 06, 2004 9:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moved DC out of DMZ


One more question, guys..

As you know, I successfully moved a DC out of the DMZ. I have other 2000
servers sitting in the DMZ that no longer can see a DC. How do I force
them to see the DC that is on the inside now that there is no longer a
DC in the DMZ?

TIA
---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or
any attachments. This information is strictly confidential and may be
subject to attorney-client privilege. This message is intended only for the
use of the named addressee. If you are not the intended recipient of this
message, unauthorized forwarding, printing, copying, distribution, or using
such information is strictly prohibited and may be unlawful. If you have
received this in error, you should kindly notify the sender by reply e-mail
and immediately destroy this message. Unauthorized interception of this
e-mail is a violation of federal criminal law. Applebee's International,
Inc. reserves the right to monitor and review the content of all messages
sent to and from this e-mail address. Messages sent to or from this e-mail
address may be stored on the Applebee's International, Inc. e-mail system.


RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
You're very welcome, Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the
internal server as the role holders.

I'm still researching this, but I think I'm getting closer to the
problem...

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Don't you have a desktop PC that you could temporarily use?  
 If not, you
 might want to consider moving your internal DC into the DMZ long 
 enough to move the FSMO instead of the other way around.
 
 Kenneth W. (Ken) Adams, MCSA, MCSE
 
 
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 4:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Wish I could.. Roger had the same idea, placing a server in the DMZ, 
 moving the role, then bringing the server inside to transfer it to a 
 trusted DC. He called it a swing server. Great idea, but I don't 
 have another box to do that with.
 
 -Original Message-
 From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 2:33 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Have you tried standing up a server in the DMZ next to the Schema 
 Master Server (IE. New server in the DMZ).  Then transfer the FSMO 
 role to new server.
 
 Just an Idea,
 
 Todd
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 12:46 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Moving Schema Master (continued...)
 
 
 Greetings All
 
 If you have been following this thread, you know that I am having 
 problems moving the Schema Master role from a server sitting in my DMZ

 to one sitting in trusted. I have opened up all ports between these 
 two servers

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome, Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the
internal server as the role holders.

I'm still researching this, but I think I'm getting closer to the
problem...

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
From what I gather if you have run a dcdiag on the server not in the DMZ
and it returns that it does not know of a schema master role holder that
would mean that for some reason the AD has somehow seen the old
schema role holder as a stale record and therefore deleted it from the
metabase.  So, the answer is yes, you should be able to seize the role
with the internal DC if there aren't existing role holders.

Please anyone feel free to correct me if I'm wrong. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next
couple of days. That will be a new DC/File server. I want to introduce
that into the domain first. I will transfer all services and what-not
off the existing file server, wipe it, and install it into the network
as a 2003 stand-alone server. This will be the new 2003 Exchange server.
Once the Exchange move is completed, and all other services are moved
from the 2000 DC currently in the DMZ, I will remove it from the AD,
wipe it, and install 2003 on it to act as an internal apps server. There
are more servers than this in the loop, but I've only covered it from a
DC perspective.

Now, just so I understand, you're saying that I should be able to seize
the schema master role on the internal 2000 DC without it adversely
affecting the server in the DMZ because that server thinks it's been
deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome, Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
I would suggest doing a bit of homework first then  :-)

I am going on theory at this point.  Anything could potentially happen
and unfortunately I think it will be very difficult to regenerate this
situation in a testing environment due to its nature.  I would research
ntdsutil to see the potential impact of deleting an existing role holder
and demoting the DC afterwards before doing anything, even though the
existing role holder is not communicating with the AD.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Should I demote the DMZ server first? I have to tell you, the thought of
doing either (demoting, or seizing the roles) scares the you know what
out of me because that server is so important to this organization.
Any down time while I recover the thing will be a very_bad_thing.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


From what I gather if you have run a dcdiag on the server not in the DMZ
and it returns that it does not know of a schema master role holder that
would mean that for some reason the AD has somehow seen the old
schema role holder as a stale record and therefore deleted it from the
metabase.  So, the answer is yes, you should be able to seize the role
with the internal DC if there aren't existing role holders.

Please anyone feel free to correct me if I'm wrong. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next
couple of days. That will be a new DC/File server. I want to introduce
that into the domain first. I will transfer all services and what-not
off the existing file server, wipe it, and install it into the network
as a 2003 stand-alone server. This will be the new 2003 Exchange server.
Once the Exchange move is completed, and all other services are moved
from the 2000 DC currently in the DMZ, I will remove it from the AD,
wipe it, and install 2003 on it to act as an internal apps server. There
are more servers than this in the loop, but I've only covered it from a
DC perspective.

Now, just so I understand, you're saying that I should be able to seize
the schema master role on the internal 2000 DC without it adversely
affecting the server in the DMZ because that server thinks it's been
deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome, Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
Not sure how reassuring this will be.  But, been there, done that, as
I'm sure many people in this field have :-)

Of course, not for this exact situation.  My second day on the job (just
happened to be a Friday) the company's primary Exchange server's hard
drives died, and they just happened to be in a RAID 0.  Which
basically meant no more Exchange server.  Thankfully the data was stored
on the second array which was in a RAID 1.  So I spent the weekend day
and night rebuilding the Exchange server and Monday morning it was like
nothing happened.  Of course, I hadn't gotten much sleep so I don't
remember much of what happened afterwards.  I was very relaxed however
:-)

Sadly there is no exaggeration.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 2:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Thanks again Michael. I will research this, thoroughly! In the meantime,
before I do anything else, I am going to get the most comprehensive
back-up of that server that I can possibly obtain tonight. Tomorrow, I
will plunge into action. Doing what, I don't know yet. But I have to
bust a move and make something happen. Worst case, I have the weekend to
recover.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I would suggest doing a bit of homework first then  :-)

I am going on theory at this point.  Anything could potentially happen
and unfortunately I think it will be very difficult to regenerate this
situation in a testing environment due to its nature.  I would research
ntdsutil to see the potential impact of deleting an existing role holder
and demoting the DC afterwards before doing anything, even though the
existing role holder is not communicating with the AD.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Should I demote the DMZ server first? I have to tell you, the thought of
doing either (demoting, or seizing the roles) scares the you know what
out of me because that server is so important to this organization.
Any down time while I recover the thing will be a very_bad_thing.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


From what I gather, if you have run a dcdiag on the server not in the DMZ
and it returns that it does not know of a schema master role holder, that
would mean that for some reason the AD has somehow seen the old
schema role holder as a stale record and therefore deleted it from the
metabase.  So, the answer is yes, you should be able to seize the role
with the internal DC if there aren't existing role holders.

Please anyone feel free to correct me if I'm wrong. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next
couple of days. That will be a new DC/File server. I want to introduce
that into the domain first. I will transfer all services and what-not
off the existing file server, wipe it, and install it into the network
as a 2003 stand-alone server. This will be the new 2003 Exchange server.
Once the Exchange move is completed, and all other services are moved
from the 2000 DC currently in the DMZ, I will remove it from the AD,
wipe it, and install 2003 on it to act as an internal apps server. There
are more servers than this in the loop, but I've only covered it from a
DC perspective.

Now, just so I understand, you're saying that I should be able to seize
the schema master role on the internal 2000 DC without it adversely
affecting the server in the DMZ because that server thinks it's been
deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data

RE: [ActiveDir] GPO explanations

2004-02-03 Thread Michael Wassell



Or maybe this one? http://www.ptmarketing.com/PolicySettings.zip



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Tuesday, February 03, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO explanations

This what you're looking for?

  - Original Message -
  From: Celone, Mike
  To: '[EMAIL PROTECTED]'
  Sent: Tuesday, February 03, 2004 10:30 AM
  Subject: [ActiveDir] GPO explanations

  I seem to remember someone on the list had an Excel spreadsheet that
  had a listing of all the settings in the default GPOs and explanations
  for each one. I could have sworn I found it on Microsoft's site but I
  can't now. Anyone have this handy?


RE: [ActiveDir] GPO explanations

2004-02-03 Thread Michael Wassell



Yeah sorry. A link was posted afterwards referencing 
the same file through the Microsoft site.

My apologies :)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Tuesday, February 03, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO explanations

Dead link


Mike


From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO explanations

Or maybe this one? http://www.ptmarketing.com/PolicySettings.zip



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Tuesday, February 03, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO explanations

This what you're looking for?

  - Original Message -
  From: Celone, Mike
  To: '[EMAIL PROTECTED]'
  Sent: Tuesday, February 03, 2004 10:30 AM
  Subject: [ActiveDir] GPO explanations

  I seem to remember someone on the list had an Excel spreadsheet that
  had a listing of all the settings in the default GPOs and explanations
  for each one. I could have sworn I found it on Microsoft's site but I
  can't now. Anyone have this handy?