RE: [ActiveDir] Robocopy(OT)
I've seen this in NT4, but not recently. In our case, the fix was to share out a parent folder, and delete the offending sub-folder from another machine via the share.

Tyson.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

SubInACL, Xcacls (which I stated I used already, Brian), and Setowner all give the same error: "The system cannot find the file specified". Chkdsk with a reboot didn't help at all.

Thanks

On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote:

Cacls
Xcacls
Subinacl
Format q c:
rm rf /
a consultant
google set ownership tools perhaps too

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it? It doesn't have a security tab and xcacls doesn't "see" the folder.

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL; what happens if you try to take ownership of it?

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is accessing this dir. Yet I can't delete it and it's missing the security tab (it's on an NTFS vol). How the heck can I get rid of this dir? Has anyone had an issue like this?

Thanks again

On 4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi, I got something similar but with a PDF file. The solution was to reboot the server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete it or share it out and it's missing the security tab. Anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has Explorer open on that folder and you try and delete from another.

Mark

-Original Message-
From: "Steve Rochford" [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals Process Explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there; going back to the folder finds that it's either gone or can now be deleted. In your case, I'd guess that robocopy had started creating folders and when it got interrupted, it took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue. I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job. When he went to the target server an empty dir had been created which now cannot be deleted. I can't delete it through Explorer or the command console at the server and get an error of "cannot delete file: cannot read from the source file or disk". If I do a RD /s, I get "The system cannot find the file specified." However the dir shows up in a dir listing or Explorer. The weird thing is also, the dir has no "security" tab (and it's on an NTFS file system).

Some background on the robocopy job: the admin mapped 2 drives from his local box (Win2k). One drive to the root of the volume on the source server and another to the root on the target. He then CD'ed to the source and ran robocopy with the "/E" and "/V" switches. After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.

Thanks
RE: [ActiveDir] Asset Inventory (OT)
We use an app called RADAR (http://www.network-radar.com/). Licensed per site, I think we paid about $1100 CDN, and we use it on about 2500 desktops. Call it from the login script, it takes a few seconds to run, and puts together detailed inventories for each workstation and nice summaries. It's got its quirks, but for what we paid, it's been fantastic.

Cheers,
Tyson.

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 01, 2006 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: Asset Inventory (OT)

What does everyone use for Asset Inventory purposes? We're thinking of having some sort of script run via GPO at logon to grab WMI info and software inventory info for our helpdesk in order to be "more armed" with information when troubleshooting end-user issues. What's everyone else using for this?

Thanks
RE: [ActiveDir] Active Directory wish list
In our case (empty root, 4 child domains, 3500 users), it was primarily politics. We brought in two consultants (one from a VAR, one from Microsoft), and the decision was that the best way to go, based on politics, geographical location of the offices, and division of administration, was the empty root and 4 child domains. Password policies were a small factor, but not a driving force... That said, I personally would love to see the ability to have multiple password policies within a single domain.

Tyson.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

Phil

On 10/5/05, Rich Milburn [EMAIL PROTECTED] wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue. In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this? And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC. I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain? Anyone have any ideas?

Rich

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah, I can say that it isn't in Longhorn. As the dev guys put it, this is a tough one. It wouldn't just be a no-brainer if they had separate instances of AD; there are just tons of other things involved that make it extremely difficult. It was something that was brought up in the summit though, not sure how much I can say around it other than no, it won't be there. MS feels the focus of this is dramatically reduced now as well due to the fact that VS is available and can run DCs. Also the Server Core DCs help here as well, as the DCs will have a smaller footprint. If folks are NOT in agreement with that assessment, definitely speak up; it is too late for Longhorn but possibly the opportunity exists to convince them for Blackcomb.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server... I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, October 04, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like Windows Server 5.4.0 or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they
RE: [ActiveDir] User account and home directory management
It looks like they've changed things since I used it last, but there was a tool from ADMWin (http://www.admwin.com/default.htm) that would do exactly what you're looking for. I believe the one that will do what you want is now called SetupBatcher. It's pretty straightforward: you enter the list of users (it can be imported from file), enter user info (name, location, username, passwords, descriptions, etc.), enter groups, mailbox info, etc., and specify home directories, including the server to create the directories and shares on and set permissions on. It's definitely changed since I used it last (over three years ago), but it looks like everything is still there. The place I used it at last was a school board, with over 200 schools. We used to build the scripts and send them out to the schools. They just had to supply the student info and a server name. We had scripts to create everything for September, and remove everything in June, and they worked very well.

HTH,
Tyson.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Stanford
Sent: Monday, June 06, 2005 6:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account and home directory management

Hi to all on the list. Forgive me if this subject has been covered, as I am new to the list. I manage a school network, and one of the issues I face is that an AD user account, the user profile and the user's home directory share are inextricably linked. I need to be able to create users and shares in one go, so that the account is set up, the share and profile created, permissions set, and the details entered into the AD object. Does anyone know of any software or scripts that would accomplish this? I would ideally like to be able to do it for individual users or in bulk.

Thanks in advance,
Dan Stanford.
RE: [ActiveDir] Password complexity requirements
I think you might have misinterpreted the example. It was a bit of a stretch, but use your imagination... :) The resource in the example is the server room. If the server room has more than one door, you would expect them all to abide by the same rules. Thus, regardless of which door you use to get in to that resource, you still have to meet the same criteria. You are talking about domain accounts. It does not matter which machine you are logging into; if you are using a domain account, the policy is the same. Thus, if your super-secret researcher goes to a secretary's computer, he will still log into his own domain, and be bound by the same rules. A domain only allows one set of password policies. That is it. If you want different policies, create another domain. It sucks, but as mentioned, get in line if you want to complain... You can set *workstation* password policies all over the place, but they only apply to accounts created on the local workstation.

Tyson.

--
Tyson Leslie
Senior Network Analyst
Colt Engineering Corporation
(403) 258-8153
[EMAIL PROTECTED]
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kurt Hill
Sent: Tuesday, April 12, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

You can link a GPO to an OU with a different set of password requirements than the domain policy -- you can block the OU from inheriting the Default Domain Policy as well, so AFAIK, you can have many OUs, each with different password complexity requirements (or more generally, each OU with its own computer/user GPO settings). The statement about "you certainly don't want policies attached to 2000 users" also makes no sense -- the GPO is created once, and attaches itself to the user or computer as appropriate for the OU... And finally -- let me suggest that were I running Los Alamos, I would want my super-gee-whiz nuclear weapons researchers to have complex passwords. I WOULD NOT WANT THEM GOING TO A SECRETARY'S COMPUTER AND CHANGING THEIR PASSWORD TO foo. Passwords are properties of a user, not a computer. Think about this another way -- it is the user that has rights to resources on the network. Those resources may be sensitive, so it really should not matter what computer the user is at when changing their password. That particular user's password should always be complex.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 11, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

If I have a rule that says Kurt Hill must know the lock code to the server room, where should I put the lock and set the code? On Kurt Hill, or on the Server Room door? If I put the lock (with the code) on Kurt, and Kurt goes to the server room, who will validate and enforce the rule? I know that analogies are bad, but... think about that. The password requirement has to be enforced somewhere. If it's a domain-wide requirement and you have 2000 users, you certainly don't want the policies attached to the users - and created 2000 times - and have each user check themselves for compliance. You know, that may not be a bad idea. We can then require that the users zap themselves each time they create non-compliant passwords :) If your beef is the fact that there is only one possible domain-wide or computer-specific password policy, then I say welcome to the club, pick a number :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Kurt Hill
Sent: Mon 4/11/2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password complexity requirements

Can anyone explain why password complexity requirements are a computer, and not a User, setting? The scenario I envision for using password complexity requirements is for network admins (Users!!) who I want to force more complex passwords on, but general users (students) do not need this setting. From what I can see, the way MS set it up, I would set password policy on student computers, and admin policy on admin computers, but that means that an admin can go to a student computer and pick a more convenient password!! How does that pass for security?? Any ideas on that one?

Thanks,
Kurt

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remote desktop sharing tool
If you like VNC, I would suggest you look at TightVNC. Regular VNC is a resource hog; TightVNC is much more efficient...

Tyson.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Boghici
Sent: Saturday, December 18, 2004 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remote desktop sharing tool

Thank you all, guys. I'll use VNC; I just tested one server and 5 clients in my LAN and it is beautiful.

Best regards.
Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Sunday, December 19, 2004 1:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remote desktop sharing tool

NetOp would be my recommendation. We have it in all the labs here. It has a learning curve for the operator, but, once you know what you're doing, it is a very powerful tool.

Thanks.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Lynch
Sent: Saturday, December 18, 2004 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remote desktop sharing tool

You can use other 3rd party tools, like WebEx, to create a conference. You could also use something like NetOp Remote Control. You could also use VNC. If you were thinking of Terminal Services, Terminal Services currently does not support that type of functionality. Maybe when Longhorn is released. Only the ICA protocol (Citrix MetaFrame) supports that.

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Boghici
Sent: Saturday, December 18, 2004 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remote desktop sharing tool

Hi

Is there any tool that can give me the possibility to give other domain users access to my screen and at the same time to edit (me and everybody else that I give access to) the documents that I am working on? It is very helpful for projects and training sessions. Maybe if there is no such tool for domain users, there could be one for the same scenario where everybody logs in with the same user and password (more connections).

Best regards,
Dan
RE: [ActiveDir] OT: Inventory Software
We use a product called RADAR (http://www.network-radar.com/index.htm). It does a pretty good job of inventorying. We call it from the login script, and it pulls a complete list of all software installed, along with hardware details, IP info, user info, etc., and saves it to a back end server. You can view the results by user or PC, or you can view the list of software, and see which machines are running any given software package. All configuration is done via a web interface. I think it was about $1000 CDN for a site license. It's extremely simple to set up; we've been fairly pleased with it...

Tyson.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Tuesday, December 14, 2004 1:21 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Inventory Software

Does any one know of a good product that I can use to scan my networked PCs and conduct a software inventory?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] wireless AP scanner
It depends on how your network is built. If you have a fully switched network, you can look for ports with multiple MAC addresses. You can also look for MAC addresses that may belong to AP vendors or wireless NICs, but that's a tad cumbersome, and quite unreliable. The best way though, is to grab your laptop and go for a walk...

TL

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Sunday, December 12, 2004 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] wireless AP scanner

It looks as though you have to walk around looking for APs with this. Are there scanners that actually scan the network and detect wireless devices with some sort of pre-determined footprinting that has been done?

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 12/10/2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] wireless AP scanner

NetStumbler http://www.netstumbler.com/downloads/

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Thursday, December 09, 2004 11:16 PM
To: [EMAIL PROTECTED]
Subject: OT: wireless AP scanner

Does anyone know of any free wireless access point scanners? Is it even possible to detect a wireless access point on the network without wardriving?
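The two wired-side heuristics Tyson describes (an access port that shows more than one MAC address, and MACs whose OUI belongs to a wireless vendor) can be run against a switch's MAC address table. The Python below is an added example, not code posted to the list: the MAC table dump, the uplink port list and the OUI prefixes are constructed placeholders, and a real run would pull the table over SNMP or SSH and take OUIs from the IEEE registry. As the thread says, the OUI match is unreliable (a laptop's wireless NIC carries a wireless-vendor OUI too, and an IP phone with a PC behind it legitimately puts two MACs on one port), so the output is a list of ports worth a walk-by, not a verdict.

```python
"""Flag switch ports that may hide a rogue wireless access point.

Heuristics from the thread: (1) an access port that shows more than one
MAC address, and (2) a MAC whose OUI belongs to a wireless vendor.
The sample table and the OUI list are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample of a "show mac address-table"-style dump (not from a
# real switch).  Columns: VLAN, MAC, type, port.
SAMPLE_MAC_TABLE = """\
 10    0011.2233.4455    DYNAMIC     Fa0/1
 10    0011.2233.4456    DYNAMIC     Fa0/2
 10    000c.4100.aaaa    DYNAMIC     Fa0/3
 10    0016.3e12.3456    DYNAMIC     Fa0/3
 10    0016.3e12.3457    DYNAMIC     Fa0/3
 20    0011.2233.4460    DYNAMIC     Fa0/4
 20    0011.2233.4461    DYNAMIC     Gi0/1
 20    0011.2233.4462    DYNAMIC     Gi0/1
"""

# OUI prefixes assumed for this example only; build your own list from the
# IEEE registry rather than trusting these placeholders.
WIRELESS_OUIS = {"000c41", "001839"}

# Uplinks legitimately carry many MACs; keep them out of the multi-MAC test.
UPLINK_PORTS = {"Gi0/1"}

# One table row: vlan, mac (any separator style), type, port.
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]{12,17})\s+\S+\s+(\S+)\s*$")


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits regardless of separator."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_mac_table(text):
    """Return {port: [mac, ...]} from a MAC table dump; header lines are skipped."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _vlan, mac, port = m.groups()
            ports[port].append(normalize_mac(mac))
    return dict(ports)


def find_suspect_ports(text, uplinks=UPLINK_PORTS, ouis=WIRELESS_OUIS):
    """Return {port: [reasons]} for ports that deserve a physical check."""
    suspects = defaultdict(list)
    for port, macs in parse_mac_table(text).items():
        if port not in uplinks and len(macs) > 1:
            suspects[port].append("%d MACs on one access port" % len(macs))
        for mac in macs:
            if mac[:6] in ouis:
                suspects[port].append("OUI %s on wireless-vendor list" % mac[:6])
    return dict(suspects)


if __name__ == "__main__":
    for port, reasons in sorted(find_suspect_ports(SAMPLE_MAC_TABLE).items()):
        print(port, "->", "; ".join(reasons))
```

Against the constructed table only Fa0/3 is reported, for both reasons; Gi0/1 also carries two MACs but is excluded as an uplink. Maintaining that exclusion list (and one for IP phones, hubs and virtualisation hosts) is most of the operational work of this approach, which is why Tyson's closing advice to go for a walk with a laptop still stands.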
RE: [ActiveDir] Making a user a Domain Administrator
You can set this up via group policy, but beware - unlike most GPO settings, setting the admin group membership is a permanent change, and will overwrite whatever the existing group membership is.

TL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, December 13, 2004 3:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this?

Cheers
Seyi
RE: [ActiveDir] Give access to Admin shares admin$ without making them Admin
Does it have to be the admin share? Why not create another share, at the same point? The built-in admin shares are for... (you guessed it), admins. :)

Tyson.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sanz de Leon, Juan Carlos
Sent: Monday, November 29, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Give access to Admin shares admin$ without making them Admin

Dear gurus,

I'm trying to give an application access to an Admin Share, Admin$, on a Windows 2000 DC; however, I do not want to make this service account user an Administrator. When I look at the properties of the Admin$, it is not possible to change any settings. On the other side, I can't change the share the application needs... In this case it is admin$. Any ideas would be greatly appreciated. Are there any GPOs that would allow me to do so...?

Thanks in advance,
JCS
RE: [ActiveDir] Give access to Admin shares admin$ without making them Admin
I should have read closer - this has to be on a DC? Look at Andrew's suggestions. Personally, I would fight back that if it requires this level of access, it cannot be installed on a DC. If you only have one server... Good luck.

TL

-Original Message-
From: Tyson Leslie
Sent: Monday, November 29, 2004 12:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Give access to Admin shares admin$ without making them Admin

Does it have to be the admin share? Why not create another share, at the same point? The built-in admin shares are for... (you guessed it), admins. :)

Tyson.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sanz de Leon, Juan Carlos
Sent: Monday, November 29, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Give access to Admin shares admin$ without making them Admin

Dear gurus,

I'm trying to give an application access to an Admin Share, Admin$, on a Windows 2000 DC; however, I do not want to make this service account user an Administrator. When I look at the properties of the Admin$, it is not possible to change any settings. On the other side, I can't change the share the application needs... In this case it is admin$. Any ideas would be greatly appreciated. Are there any GPOs that would allow me to do so...?

Thanks in advance,
JCS
RE: [ActiveDir] Master Browser
Do you still suggest turning it off on all servers and workstations (as per your KB article), even in an all-W2K-or-better environment? We have done so (via group policy) for quite some time, but recently ended up having to defend this decision to an admin in one of our other offices, because he was encountering browse list issues in his domain. (We have left it running on the Domain Controllers only.)

Tyson.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ASB
Sent: Monday, November 15, 2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Master Browser

Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote:

I wouldn't turn off the service - I would (and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adams, Kenneth W (Ken)
Sent: Monday, November 15, 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: Monday, November 15, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Master Browser

One of my DCs is returning the following error and I'm not sure what to do:

The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005

This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore.

Thanks
Jake
RE: [ActiveDir] GPO applying.
Have you tried re-applying the default security template? (using Secedit, or the Security Configuration and Analysis MMC snap-in...) What functionality appears to be broken? (Most policy settings are not permanent...)

Tyson.

From: Cothern Jeff D. Team EITC [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 07, 2004 5:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO applying.

Mixture. There were security options etc. set.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Thursday, October 07, 2004 6:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO applying.

What kind of policy was it Jeff? Admin Templates? Other?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, October 07, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO applying.

A server we were working on was inadvertently moved into an OU that had a policy applied to it. That GPO had some settings (we are not sure which) that broke some functionality of the server we are still in the process of developing fully. The server was moved out of that OU back into the standard Computer OU but the policy still appears to be affecting it. Is there a way to clear any policies that are applying to the machine?

Jeff
RE: [ActiveDir] Removing A W2K Domain Where The Host Server No Lo nger Exists
Check this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

There is another one that I can't find at the moment; if I do I'll send it along too.

Tyson.

From: McLaughlin, Seamus [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 23, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Removing A W2K Domain Where The Host Server No Longer Exists

I am in the process of promoting 2 W2K3 servers as domain controllers in an existing W2K Native Mode domain. The dcpromo for both of these boxes has been successful. One of these boxes has been set up to have the Global Catalog but this fails; I get the following Event IDs in the Directory Services event log: 1559, 1578, 1809, 1110. The event ID 1559 refers to a domain called PUBLIC.COM. Apparently this domain was created in error by a bored support guy, who then in his wisdom trashed the server without demoting it. All I want to do is delete this domain so the GC will load correctly but I do not get the option to delete this domain in AD Domains and Trusts. I would appreciate any suggestions.

Cheers
Séamus
RE: [ActiveDir] Unauthorized DHCP Requests
We were looking into exactly this problem, and came across a few options. If you want to get fancy (with a fair bit more work), you could go with an 802.1x solution, and automatically VLAN people (or not) as they connect to the network. We also stumbled across a neat solution that requires much less effort: SAFE DHCP, from MetaInfo (http://www.metainfo.com/index.cfm/page/safedhcp). We haven't actually implemented it yet, so I can't vouch for how well it works, but there are a couple of layers of authentication you can use (MAC and 2-factor with an A-key). AFAIK, you cannot base rules on names, just on given MAC addresses.

HTH,
Tyson.

From: Edwin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 09, 2004 4:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unauthorized DHCP Requests

Our domain is using a Win2K3 server, which is also a domain controller, as its DHCP solution. Often I look at the DHCP tables and notice that there are unauthorized machines that connect to our network. This seems to occur from employees who bring in their laptop during the weekend when the workload is light and management does not have as much of a presence. The workstations within the domain all follow a naming scheme. For example, ORL-RM3-204-2 means the server is located in Orlando, physically located in Room 3, desk number 204, and the number of times that that particular workstation has been replaced. So if I see a workstation in the DHCP tables that does not follow that naming scheme, then I know that something else has managed to get an IP address from the network. Is there a way to prevent unauthorized machines from retrieving an IP address? If so, is there also a way to make an exception to the rule should a non-standard naming convention machine require authorized access to the network? Thank you all for your replies.

Edwin
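Tyson's remark that rules key on MAC addresses rather than names is the security point worth underlining: the hostname in a DHCP lease is whatever the client put in option 12, so a naming-scheme check is a smoke detector, not a lock, and a visitor who names a laptop ORL-RM3-204-2 passes it. A MAC address is also client-controlled, just less often forged, which is why the 802.1X route is the one that actually authenticates. As an added example (not part of the thread), the script below audits leases the way Edwin does by eye, adds the MAC-keyed exception list he asks about, and also reports a hostname seen from two different MACs, which catches the copied-name case. The lease records are constructed for illustration and parsed with a format of my own; in production, feed it the output of `netsh dhcp server scope <network> show clients 1` or the DHCP audit log with the regex adjusted to that layout.

```powershell
# Added example (not from the thread): flag DHCP leases whose client-supplied
# hostname is outside the ORL-RM3-204-2 naming scheme, honour a MAC allow-list
# for approved exceptions, and report hostnames reused across MACs.
# Sample lease records below are constructed, not real data.

# <SITE>-RM<room>-<desk>-<revision>; adjust to the local scheme.
$NamingScheme = '^[A-Z]{3}-RM\d+-\d{3}-\d+$'

# Approved exceptions are keyed by MAC, because the hostname is whatever the
# client chose to send in DHCP option 12.
$ApprovedMacs = @{
    '00-0c-29-aa-bb-cc' = 'Vendor demo laptop, approved 2004-09-09'
}

function Parse-LeaseLine {
    param([string]$Line)
    # Constructed format: IP | MAC | expiry | hostname (DNS suffix optional)
    if ($Line -match '^\s*(\S+)\s*\|\s*([0-9a-f-]{17})\s*\|\s*([^|]+?)\s*\|\s*(\S+)\s*$') {
        [pscustomobject]@{
            IPAddress = $Matches[1]
            Mac       = $Matches[2].ToLower()
            Expires   = $Matches[3]
            HostName  = ($Matches[4] -split '\.')[0].ToUpper()   # strip any DNS suffix
        }
    }
}

function Find-UnexpectedLeases {
    param([string[]]$LeaseLines)
    foreach ($line in $LeaseLines) {
        $lease = Parse-LeaseLine $line
        if (-not $lease) { continue }
        $nameOk = $lease.HostName -match $NamingScheme
        $macOk  = $ApprovedMacs.ContainsKey($lease.Mac)
        if (-not $nameOk -and -not $macOk) {
            $lease | Add-Member NoteProperty Reason 'name outside scheme, MAC not approved' -PassThru
        }
        elseif (-not $nameOk -and $macOk) {
            # Approved exception: log it, do not alert on it.
            Write-Verbose "$($lease.HostName) ($($lease.Mac)) allowed: $($ApprovedMacs[$lease.Mac])"
        }
    }
}

function Find-DuplicateNames {
    param([string[]]$LeaseLines)
    # The same hostname from two MACs is either a rebuilt PC or someone who
    # copied a legitimate name to slip past the naming check.
    $LeaseLines | ForEach-Object { Parse-LeaseLine $_ } |
        Group-Object HostName | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ HostName = $_.Name
                               Macs     = (($_.Group | ForEach-Object { $_.Mac }) -join ', ') }
        }
}

# Constructed sample leases (not real).
$sample = @(
    '10.20.3.51 | 00-11-22-33-44-55 | 9/11/2004 4:21 AM | ORL-RM3-204-2.corp.example',
    '10.20.3.77 | 00-0c-29-aa-bb-cc | 9/11/2004 4:35 AM | VENDOR-DEMO.corp.example',
    '10.20.3.90 | 00-1b-77-de-ad-01 | 9/11/2004 5:02 AM | bobs-laptop',
    '10.20.3.91 | 00-1b-77-de-ad-02 | 9/11/2004 5:10 AM | ORL-RM3-204-2'   # copied name, other MAC
)

Find-UnexpectedLeases $sample | Format-Table IPAddress, Mac, HostName, Reason -AutoSize
Find-DuplicateNames   $sample | Format-Table -AutoSize
```

On the sample, the first report lists only BOBS-LAPTOP (VENDOR-DEMO is excused by its MAC), and the second report shows ORL-RM3-204-2 appearing from two MACs. Neither report stops the rogue machine from getting a lease; pair it with MAC reservations on the scope, or 802.1X on the switch ports, if prevention rather than detection is the goal.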
RE: [ActiveDir] GPO
Permissions on a policy will not modify the user's ability to log onto a domain controller. There is likely a setting in the policy itself that is allowing Authenticated Users the right to log on to the DCs. Windows Settings\Security\Local Policies\User Rights, and the Log On Locally item, IIRC...

TL

From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 12, 2004 7:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO

Hi folks,

I have a problem with the default domain policy and default domain controller policy. I have given read and apply permissions to authenticated users on both policies. However, an authenticated user is able to log on to the DC. Can someone please point me in the right direction and tell me how to configure it so that the only people able to log on to the DC are administrators?

Thanks

The exchange of messages with Opportunity International Serbia via e-mail is not binding. Declarations regarding legal transactions must not be exchanged via this medium. The information contained in this e-mail message is confidential and intended exclusively for the addressee. Persons receiving this e-mail message who are not the named addressee (or his/her co-workers, or persons authorized to take delivery) must not use, forward or reproduce its contents. If you have received this e-mail message by mistake, please contact us immediately and delete this email message beyond retrieval.
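TL's distinction is the one that matters: Read and Apply Group Policy on a GPO decide whose settings are processed, while "Allow log on locally" (SeInteractiveLogonRight) on the DCs decides who may sit at the console, and that right comes from the Default Domain Controllers Policy, where the out-of-box grant covers Administrators and the operator groups, not Authenticated Users. The quickest way to see who was added is to read the security template that GPO stores in SYSVOL. The script below is an added example, not from the thread; the GPO GUID {6AC1786C-016F-11D2-945F-00C04fB984F9} is the fixed one for the Default Domain Controllers Policy, while the domain name is an assumption, and the parser runs on a constructed template so the logic can be checked offline.

```powershell
# Added example (not from the thread): report broad principals that hold
# "Allow log on locally" in the Default Domain Controllers Policy by parsing
# its GptTmpl.inf from SYSVOL.  The GPO GUID is the well-known one; the
# domain name is an assumption.  A constructed template is included so the
# parser can be exercised without a DC.

$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-7'      = 'Anonymous Logon'
}

function Get-PrivilegeRights {
    param([string]$IniText)
    # Returns a hashtable: privilege name -> array of SIDs (or names) granted it.
    $rights = @{}
    $inSection = $false
    foreach ($raw in $IniText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or -not $line -or $line.StartsWith(';')) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            # Values are comma separated; SIDs carry a leading '*'.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-DcLogonRight {
    param([string]$IniText, [string]$Privilege = 'SeInteractiveLogonRight')
    $granted = (Get-PrivilegeRights $IniText)[$Privilege]
    foreach ($sid in $granted) {
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{ Privilege = $Privilege; Sid = $sid; Name = $BroadSids[$sid] }
        }
    }
}

function Get-DefaultDcTemplate {
    param([string]$Domain = 'corp.example')   # assumption
    $gpoGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # Default Domain Controllers Policy
    $path = "\\$Domain\SYSVOL\$Domain\Policies\$gpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    [IO.File]::ReadAllText($path)   # file is Unicode with a BOM; ReadAllText honours it
}

# Constructed sample showing the misconfiguration described in the thread.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-11
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
'@

Test-DcLogonRight $sampleInf | Format-Table -AutoSize
# Against a live domain:
# Test-DcLogonRight (Get-DefaultDcTemplate -Domain 'corp.example') | Format-Table -AutoSize
```

On the sample this flags S-1-5-11 (Authenticated Users). The fix is to take that entry out of "Allow log on locally" in the Default Domain Controllers Policy (a "Deny log on locally" entry would also work but is a blunter tool) and run gpupdate /force on the DCs; nothing about the GPO's own ACL needs to change.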
RE: [ActiveDir] DNS Design question
My preference would be option 3, but more details would help...

Tyson

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 23, 2004 8:07 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DNS Design question

We're still trying to determine what is the best option for DNS design. Best as far as security, network load, etc.

Design 1: Put a Win2k DNS server on the DMZ with root hints configured. All internal AD root controllers have a forwarder to that box.

Design 2: Put forwarders on all 4 AD root controllers (on the private network) to our ISP's external DNS, and all child DCs forward to the 4 root controllers.

Design 3: Put root hints on all root controllers and let them resolve externally, and have all child DCs forward to the 4 root DCs.

Any suggestions?

~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.~~
RE: [ActiveDir] Non DR migration of AD
It works well, we have done it. We took a DC from our root domain, plus DCs from two of the (four) child domains. If you have multiple domains, I would suggest that you make sure your DCs are GC servers before you take them offline. This caused us a few difficulties when we tried to make the server a GC after the fact, as it complained that it did not have up-to-date information about the other two domains that we did not take offline. When we get time, I would like to do it again, using virtual servers. I think that would provide a bit more flexibility...

Tyson.

Tyson Leslie
Senior Network Analyst
Colt Engineering Corporation
(403) 258-8153
[EMAIL PROTECTED]

-----Original Message-----
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 10, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC. Take it off the production domain and into the lab... Seize the roles? You will have to do some clean up, but it's the easiest way if it's not going to be linked to your production domain.

Rob

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD

All,

We are in the process of constructing a lab to mimic the production AD system as closely as possible. Doing a full DR into this environment is certainly an option; however, we have been looking into simply migrating the AD structure and using this as a test bed to clean up AD (OUs, objects, permissions, policies etc.). Is anyone aware of tools or procedures to get the major AD configuration components into a lab using an approach that can be scripted / automated? (We may want to do this every few months or so.) For example, we have used LDIFDE to extract the OU structure, users and groups and re-imported these into the test lab. By and large this has worked very well (it took some tweaking of the LDIFDE commands to resolve some constraint violations etc.), however items such as OU security and policies are causing a bit more of a headache. Any thoughts?

TIA
Glenn

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
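Two approaches are on the table in this thread, and they differ in what ends up in the lab. Rob's and Tyson's method (take a DC offline and seize the roles) produces an exact clone, including every production password hash and Kerberos key, so the lab has to be protected like production or have its secrets reset; Glenn's LDIFDE method copies structure only and is the one that can be re-run every few months. The constraint violations he mentions come from exporting everything, which drags along system-owned attributes (objectGUID, objectSid, uSN*, when*, pwdLastSet, and so on) that the import cannot set; allow-listing the attributes with -l avoids them. The script below is an added example, not code from the thread; the domain names corp.example and lab.example, the output folder, and the attribute lists are assumptions.

```powershell
# Added example (not from the thread): copy the OU tree, users and groups
# from production into a lab forest with LDIFDE.  Assumptions: production is
# corp.example, the lab is lab.example, output goes to C:\adlab.  Only an
# allow-list of attributes is exported; that is what removes the constraint
# violations caused by system-owned attributes on import.

$ProdDn = 'DC=corp,DC=example'
$LabDn  = 'DC=lab,DC=example'
$Out    = 'C:\adlab'

function Export-AdObjects {
    param([string]$Filter, [string]$File, [string]$Attributes)
    # -d search base, -p subtree, -r LDAP filter, -l attributes to export
    # (objectClass must be included or the entries cannot be re-created), -j log dir
    & ldifde.exe -f "$Out\$File" -d $ProdDn -p subtree -r $Filter -l "objectClass,$Attributes" -j $Out
}

function Import-AdObjects {
    param([string]$File)
    # -i import, -k continue past "already exists" and constraint errors,
    # -c rewrite every production DN suffix to the lab's before importing
    & ldifde.exe -i -k -f "$Out\$File" -c $ProdDn $LabDn -j $Out
}

function Export-LabSnapshot {
    # Run on a production DC.  Deliberately not exported: nTSecurityDescriptor
    # (its ACEs name production SIDs that mean nothing in the lab) and
    # userAccountControl (users arrive disabled, which is what a lab wants).
    New-Item -ItemType Directory -Path $Out -Force | Out-Null
    Export-AdObjects '(objectClass=organizationalUnit)'        'ous.ldf'    'ou,description,gPLink,gPOptions'
    Export-AdObjects '(&(objectCategory=person)(objectClass=user))' 'users.ldf' 'cn,sAMAccountName,givenName,sn,displayName,description'
    Export-AdObjects '(objectClass=group)'                     'groups.ldf' 'cn,sAMAccountName,groupType,description,member'
}

function Import-LabSnapshot {
    # Run on the lab DC.  Containers before the objects inside them; users
    # before the groups that list them as members.  A nested group whose
    # member group does not exist yet is skipped on the first pass (-k);
    # the second pass creates it and ignores "already exists" for the rest.
    Import-AdObjects 'ous.ldf'
    Import-AdObjects 'users.ldf'
    Import-AdObjects 'groups.ldf'
    Import-AdObjects 'groups.ldf'
}

# Export-LabSnapshot      # on production
# Import-LabSnapshot      # on the lab DC, after copying C:\adlab across
```

The two headaches Glenn names need separate handling. OU security: re-create the delegation in the lab (dsacls, or the Delegation of Control wizard) after the lab groups exist, since the original ACEs reference production SIDs. Policies: gPLink is carried across as a string, so the OUs import cleanly, but the GUIDs point at GPOs the lab does not have; back the GPOs up with GPMC and import them in the lab, then re-link. Check the ldifde.log in C:\adlab after each pass for entries that were skipped.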