AW: [ActiveDir] Group Membership Update Frequency
Joe, thanks a lot for your helpful reply and sorry that my reply took so long. I am still waiting for a response to my Microsoft Support ticket. It's my goal to combine GPOs with security groups to manage different actions of the servers in the same OU. For this reason I created some security groups and distributed the servers to the groups. Then I checked the servers with GPRESULT for the group membership: some servers updated it without measurable delay, some servers after a week and some servers never. I can't understand this behaviour, and so I started a support request at MS, for which I am still waiting. As soon as I get an official reply I will let you know.

Thomas

PS: Is there another way to check group membership for a server except GPRESULT?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, 10 December 2006 17:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Membership Update Frequency

It depends what you mean by this. The off-the-cuff answer is the server knows what it has based on its local security token, so it actually never recognizes the change. However, machines and users can have both local security tokens and kerb certs. The kerb certs are refreshed, the security token never is. Plus add in NTLM, and if it is used to access remote resources you can have three answers... So the more full answer is: it depends.

So briefly:

If the security group is needed in the local security token, it will never get updated; you need to reboot. This will impact the machine's determination locally of what groups it has if the application is looking at the token OR trying to access something with Windows security locally (say, the group allows it to read a file locally). I have asked several folks inside of MSFT if there is anything that could be used to force this refresh of the security token, and no one has been able to tell me there is indeed something that will do it and here is how... If so, I would have written the tool to do it if it were something they could point at.

If the security group is needed for remote Kerberos operations or someone is reading the kerb cert directly local to the machine, it will occur when the ticket refreshes. You can purge the kerb cache to speed this up.

If the security group is needed for remote operations where NTLM is being used (say it is accessing a resource by IP instead of name so it can't do the SPN lookup), it will be used depending on whether or not the DC being used by the remote resource has the group membership or not (whether or not the DC the server itself uses has it or not is immaterial in this case, because the server doesn't tell the remote resource what access it has; the remote resource asks its DC when it auth's the account). This could be immediately to seconds after the group update or even weeks, depending on the OS revs of the DCs and the replication topology and max theoretical latency for the environment.

This is all exactly the same as it is for users.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thomas Hess
Sent: Thursday, December 07, 2006 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Membership Update Frequency

Hi there,

when does a server recognize that it is part of an AD global security group? Do I have to reboot every system, or is there an update frequency at which the server checks AD? I need to know this because I want to use security group filtering with GPOs.

Thanks in advance
Thomas

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
AW: [ActiveDir] Bulk of client going to PDC
Hi Kamlesh,

first of all, I would enable the logging of the Netlogon service. I've found an article in Windows IT Pro:

The Netlogon service is one of the key Local Security Authority (LSA) processes that run on every Windows domain controller. When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful. How do I turn Netlogon service logging on and off, and how do I analyze the content of the Netlogon log files?

To turn on Netlogon service logging, type the following Nltest command at the command line:

nltest /dbflag:2080

Enabling Netlogon service logging requires that you restart the Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon commands. To disable Netlogon service logging, type:

nltest /dbflag:0

Then, restart the Netlogon service again. The Netlogon service stores log data in a special log file called netlogon.log, in the %Windir%\debug folder. Two utilities are useful in querying the Netlogon log files: Nlparse.exe and Findstr.exe. Nlparse.exe is a GUI tool that comes with the Microsoft Account Lockout tools. You can download the Account Lockout tools for free from the Microsoft Web site as part of the Account Lockout and Management Tools ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en. Figure 1 (http://www.winnetmag.com/Files/42850/Figure_01.gif) shows the Nlparse GUI, which contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files in the %Windir%\debug folder: netlogon.log-out.csv and netlogon.log-summaryout.txt.

...

HtH
Thomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Thursday, 30 November 2006 20:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk of client going to PDC

Hi Guys,

We are facing some strange issue: randomly, clients from some sites are going to the PDCe for group policy refresh, along with the screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC and approaching the PDCe.

All DCs: Win2k3 SP1
All clients: XP SP2

I verified:
1) DNS entries for the site DC are correct.
2) Netlogon and Sysvol folders of the site DC are accessible.
3) Verified the clients are authenticating with the site DC by: nltest.exe /sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on clients is correct: dfsutil.exe /pktinfo

I am clueless where else I should look.

--
Kamlesh
~ You teach best what you most need to learn. ~
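The article Thomas quotes points at Nlparse and Findstr for digging through netlogon.log. As an added example (not from the list post, the article, or the Account Lockout tools), the Python below does the same kind of triage over a handful of constructed SamLogon lines: it parses each entry, normalises the NTSTATUS code, tallies failures per account and workstation the way Nlparse's summary file does, pulls out the workstations that triggered a lockout, and, for the "which DC really serviced this client" question in Kamlesh's thread, counts the DCs named in pass-through "(via ...)" entries. The exact line layout of netlogon.log is approximated from memory and the sample lines, account names and hostnames are all constructed; treat the regex as something to adjust against a real log from your own DCs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of %Windir%\debug\netlogon.log entries.  The line layout is
# approximated from memory (an assumption), not copied from the page or the article.
SAMPLE_LOG = r"""
11/30 20:40:12 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS-0017 Returns 0x0
11/30 20:40:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS-0017 Returns 0xC000006A
11/30 20:40:16 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS-0017 Returns 0xC000006A
11/30 20:40:17 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS-0017 Returns 0xC0000234
11/30 20:41:03 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\svc-backup from APP-02 (via DC-SITE1) Returns 0x0
11/30 20:41:09 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\ghost from WS-0021 Returns 0xC0000064
11/30 20:41:10 [MISC] CONTOSO: DsGetDcName function called: client PID=1234
""".strip()

# Well-known NTSTATUS values that Netlogon reports for logon results.
STATUS_NAMES = {
    "0x00000000": "STATUS_SUCCESS",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC000006D": "STATUS_LOGON_FAILURE",
    "0xC000006F": "STATUS_INVALID_LOGON_HOURS",
    "0xC0000071": "STATUS_PASSWORD_EXPIRED",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
    "0xC0000193": "STATUS_ACCOUNT_EXPIRED",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<domain>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<ws>\S+)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def describe(status):
    """Human-readable name for a normalised NTSTATUS string."""
    return STATUS_NAMES.get(status, "unknown")


def parse_netlogon(text):
    """One dict per SamLogon line; other categories ([MISC], [CRITICAL], ...) are skipped."""
    records = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = "0x%08X" % int(rec["status"], 16)  # 0x0 -> 0x00000000
        records.append(rec)
    return records


def summarize_failures(records):
    """Failure counts per (account, workstation) and status, like Nlparse's summary file."""
    summary = defaultdict(Counter)
    for r in records:
        if r["status"] != "0x00000000":
            summary[(r["account"], r["ws"])][r["status"]] += 1
    return dict(summary)


def lockout_sources(records):
    """Workstations whose logon attempt was answered with STATUS_ACCOUNT_LOCKED_OUT."""
    return {r["ws"] for r in records if r["status"] == "0xC0000234"}


def servicing_dcs(records):
    """DCs named in '(via ...)' pass-through entries: which DC actually handled the logon."""
    return Counter(r["via"] for r in records if r["via"])


if __name__ == "__main__":
    recs = parse_netlogon(SAMPLE_LOG)
    for (account, ws), counts in summarize_failures(recs).items():
        for status, n in counts.items():
            print(f"{account} from {ws}: {n} x {status} ({describe(status)})")
    print("lockout sources:", sorted(lockout_sources(recs)))
    print("pass-through via:", dict(servicing_dcs(recs)))
```

Run against a real log, the wrong-password-then-lockout pattern from a single workstation is the classic stale-credential signature the Account Lockout tools exist to find, and the "via" counter tells you which DC clients are really talking to, independent of what DNS and DFS say they should use.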
AW: [ActiveDir] Accessing NT4 resource domain via sIDHistory
Thanks for all of your answers - BUT I know about sIDHistory and how it works. I am looking for how the authentication using sIDHistory works. Does there have to be a secure channel in place between the target AD domain and the not-trusted NT4 resource domain?

I also know that as soon as the trust between the NT4 account domain and the NT4 resource domain breaks, accessing resources of the NT4 resource domain permissioned to accounts (SIDs) from the NT4 account domain using a migrated account of the target AD domain (so via sIDHistory) stops working (I guess you already had such an experience) - so there are dependencies on trusts.

Please re-read my questions below... ;-)

Regards,
Bert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, 12 May 2005 07:50
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Accessing NT4 resource domain via sIDHistory

AND - in addition to what Jorge and Deji said: the target domain technically needs to be in Native mode to support sIDHistory.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, May 12, 2005 12:39 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Accessing NT4 resource domain via sIDHistory

In addition to what Deji said, you need the trust to populate sIDHistory and to migrate accounts from the source domain.

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/12/2005 4:29 AM
Subject: RE: [ActiveDir] Accessing NT4 resource domain via sIDHistory

When you migrate a user with SIDHistory in place, the user (in the new domain) now effectively has 2 SIDs - one from the old domain and one from its new domain. OK.

You have resources (say a fileshare) in the old domain and the resource was permissioned for users in the old domain. Say the user you migrated above is one of the users who has access to this resource. This means this user's SID is on that list of authorized users. OK.

You now migrate this resource from the old domain AND you retained the old permissions. Now, the user you migrated above tries to access the resource you have just migrated. When it requests the resource, he supplies his token which contains (remember?) 2 SIDs. The resource then compares the SIDs inside the token with what it has in its DACL and goes "Oh, I see that your SID XYZ is on my control list and here it says to grant access for that SID, so I'm all yours."

If you now re-ACL the resource to match the new domain (removing the old permission), this user will now NOT be able to access the resource unless you specifically grant it access. This is because the SID it was using before is now no longer on the list. When you grant this new access (using accounts from the new domain) and this user again tries to access the resource, the resource will go through the motions again and see that the user's new SID in the new domain is also now present in its DACL, so again, the user is able to access the resource using the new SID - even though his old SID is no longer on the list.

Users are security principals and security principals are all about SIDs rather than names or anything else; if you remember that, the above will make sense to you - I think. As an aside, security groups are also security principals and have SIDs, so even if a user's SID is not directly on a resource DACL, a user can still access the resource by virtue of its membership in a security group whose SID is on the DACL.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Bert Skorupski
Sent: Wed 5/11/2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accessing NT4 resource domain via sIDHistory

Hey guys,

Today I got really confused about trusts and sIDHistory. I always thought that you have to use a trust for accessing resources in an old NT4 resource domain. But today I found a Microsoft technote telling the following:

"In this way SIDHistory ensures that migrated users can continue to access resources located in a trusting (resource) domain, even though the user's new domain does not have a trust relationship with the resource domain."

Can be found here: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/9d688a18-15c7-4d4e-9d34-7a763baa50a1.mspx

Scenario:
NT4 Account Domain -- User migrated to target AD domain including sIDHistory. Trust relationship exists to NT4 resource domain and to target AD domain.
NT4 Resource Domain -- hosting resources (e.g. files, folders) permissioned to users of NT4 account domain. Trust relationship to NT4 account domain.
AW: [ActiveDir] Accessing NT4 resource domain via sIDHistory
My god... guess I got it in the end... ;-) The sentence I mentioned in the mail below (the one out of the MS technote) was misleading me completely (I'd love to use being a non-native English speaker as an excuse ;-). I think the sentence below only means that there has to be a trust relationship established between the NT4 resource and target AD domain, but the target AD domain does not have to trust the NT4 resource domain. So a uni-directional trust, NT4 trusting the target AD domain, should work. I am happy as everything seems to be as I understood it before... I was simply misled by the wording. Or did I get it wrong again?

Cheers,
Bert
AW: [ActiveDir] Setting Desktop Settings via Group Policy
Hi Raymond,

one thing that didn't get mentioned: if your users don't have a profile right now, you can change the default profile as well instead of assigning a mandatory one (where the changes a user makes will be lost after every session). The default profile is used if a profile for the user doesn't exist yet. There are two places where you are able to put your default profile: on every machine, or once on the domain. On every machine it's stored underneath Documents and Settings, but you're also able to store it in the Netlogon share on your DCs, and the clients will pull that if they don't find a profile for the user.

Gruesse - Sincerely,
Ulf B. Simon-Weidner

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Raymond McClinnis
Sent: Tuesday, 8 June 2004 01:47
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting Desktop Settings via Group Policy

Hi all,

I need to push out a standard desktop to all users in my company. I found where to set up the Active Desktop and the like, but I can't find where to set things like background color and pattern. I remember in the good ol' days (under NT4) you could set these things up (or at least I thought I remembered).

Thanks in Advance,
Raymond McClinnis
AW: [ActiveDir] Root Hints
Hello Russ,

they just get repopulated if you delete all of them (keep one and they don't get repopulated). There are multiple things you need to change to keep them from repopulating. One of them is the checkbox Dean pointed out, but what I also like is just putting in your internal root hints, e.g. I put the forwarder to the next higher DNS servers in the domain hierarchy and put in root hints to the nameservers responsible for the root of the company. Then I'm also able to get rid of the default root hint servers; as long as there are entries they won't repopulate. This is even easy to script with dnscmd.

Gruesse - Sincerely,
Ulf B. Simon-Weidner

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, 8 June 2004 22:49
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Root Hints

We keep wiping out our root hints from our Win2k DNS servers, and they keep repopulating. Is this something that replicates between DNS servers, or will it just not allow our root hints to be blank? Our firewall is a DNSD server and so we forward everything to the firewall for external DNS lookups, but since the root hints keep populating on our Win2k DNS servers, the firewall is generating huge amounts of logs from the internal Win2k servers trying to do external lookups. Any ideas?
AW: [ActiveDir] Indexing attributes in GC's
Even to its replication partners if they are W2k? I somewhat heard that WS2k3 - WS2k3 will always do partial replication syncs, while W2k - WS2k(3) will always full sync?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Wednesday, 2 June 2004 23:51
To: Send - AD mailing list
Subject: RE: [ActiveDir] Indexing attributes in GC's

For little more than the sake of clarification, a 2003 DC will full-sync if a partial replica is sourced from a downlevel 2000 DC (this obviously assumes that the forest is not at a functional level sufficient to prohibit the presence of 2000 DCs).

Dean

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug Lawty
Sent: Wednesday, June 02, 2004 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing attributes in GC's

(I saw your later post but not until it was too late. :-) )

For the sake of completeness, I have just a minor clarification... Not *any* change to the PAS results in a full sync:

*Adding* an attribute to the PAS will cause a Win2k GC to do a full sync.
*Removing* an attribute from the PAS is a local operation and will not cause a full sync.

(And, as Tony hinted, a Win2k3 GC will not do a full sync in either case.)

--Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, June 02, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing attributes in GC's

Thanks Guys, I did correct my post later...

Todd

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 02, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing attributes in GC's

I'm with Doug on this one. There is a clear distinction between indexing an attribute and making it part of the PAS. You should also be aware that a change to the PAS results in a GC full sync (at least in W2K AD), so you might want to plan the timing carefully if you have more than one domain in your forest.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 2 Jun 2004 10:21:50 -0700

Todd,

I don't think indexing is the right term to use here. I'm sure you're just asking about removing attributes from the partial attribute set (the list of attributes included in the Global Catalog). The answer is yes -- you can un-mark an attribute from being included in the GC and it will be removed.

For more information (but not much more) see:
232517 - Global Catalog Attributes and Replication Properties
http://support.microsoft.com/default.aspx?scid=kb;EN-US;232517

--Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, June 02, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Indexing attributes in GC's

Greetings all,

I have a quick question about indexing attributes in GCs. If you select an attribute to be indexed in a GC, then decide later that you no longer want the attribute indexed, so you deselect the attribute for indexing in a GC, will the GCs automatically remove the attribute, or do you need to do some type of cleanup process?

Thanks,
Todd
RE: AW: [ActiveDir] hidding users
List mode won't help you for hiding a specific link from a group's membership list. You'll also have to worry about many other permissions to use list mode effectively. E.g. Authenticated Users by default has explicit Read permissions on every OU and on every object contained within. So denying permissions from the top via inheritance won't do the trick, as these have lower priority than explicit allows (and the list permission is part of the default READ permission).

A good reason for using the LIST permission is to completely hide an OU from the UI - mainly useful in hosting environments (so that company one can't see any existence of company 2 in the admin UI or in the GAL, the latter requiring some extra work on Exchange address book configurations). But it's not really useful for hiding single objects. And if you're not worried about the OU object being visible, then you might as well just remove the READ permissions for Authenticated Users from it (and any other sub-OU) = your users will then not be able to browse or search the OU.

However, it's generally a good idea NOT to put your ADMIN accounts into the same OU as your normal accounts. You're best off with a DUAL-account model = put the normal accounts (JoeRich) that your admins use for mail etc. into your general OU for users, and put the admin account for the same user (ADM.JoeRich) into a different OU outside of the scope of delegation for your normal OU. The same is true for groups - once you have implemented a dual-accounts structure, you'll usually not have a reason to add any admin account to a group containing normal users. As such you don't need to hide them either = you'll just hide the whole OU that contains the admin accounts and the admin groups...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Baudino
Sent: Thursday, 20 May 2004 23:48
To: [EMAIL PROTECTED]
Subject: Re: AW: [ActiveDir] hidding users

AD list mode is interesting enough that we're going to look into it as well. We're also looking into the link below as a way to accomplish this. At this point we haven't tested either, so I don't really know yet whether they fill your need (or ours, for that matter).

Mike

http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci962436,00.html?track=NL-23&ad=481969

Ulf B. Simon-Weidner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/20/2004 04:34 PM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: AW: [ActiveDir] hidding users

Maybe the AD List Mode will be an option for you: http://www.chrisse.se/MAQB.asp?ID=34

Ulf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, 20 May 2004 20:00
To: ActiveDir (E-mail)
Subject: [ActiveDir] hidding users

Is there an attribute I can set in adsiedit, ldp, etc. to hide a user from appearing in the usual admin GUI utilities like ADUC? Also, when you look in group membership, to not have s(he) appear there as well?

Thanks
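Three threads on this page come down to the same mechanism: a resource compares every SID in the caller's token against the ACEs in its DACL. Deji's walkthrough in the sIDHistory thread above describes it for a migrated user, Thomas's question and joe's answer in the group-membership thread hinge on the token not being rebuilt until reboot, and Guido's point just above is that an inherited deny loses to the explicit Read allow that Authenticated Users holds by default. The Python below is an added example, not code from any of the posters or from Windows: a deliberately small model of the canonical-order DACL walk (explicit deny, explicit allow, inherited deny, inherited allow; matching denies on an outstanding right stop the check, matching allows accumulate rights). The right bits are constructed stand-ins for the real access masks and extended rights, and every SID except the well-known Authenticated Users SID S-1-5-11 is constructed. It generalises the page's narrative slightly by also showing an explicit deny on the old SID travelling with sIDHistory.

```python
from dataclasses import dataclass

# Toy access rights (constructed bit values, not the real Windows masks).
READ = 0x1
LIST = 0x2
APPLY_GROUP_POLICY = 0x100

# Well-known SID for Authenticated Users; every other SID below is constructed.
AUTHENTICATED_USERS = "S-1-5-11"
OLD_USER = "S-1-5-21-1000-2000-3000-1105"        # the user's SID in the NT4 account domain
NEW_USER = "S-1-5-21-7000-8000-9000-1105"        # the same user's SID after migration
OTHER_NEW_USER = "S-1-5-21-7000-8000-9000-1200"  # an unrelated user in the new domain
FILE_ADMINS = "S-1-5-21-7000-8000-9000-1300"     # a group in the new domain
SERVER_GROUP = "S-1-5-21-7000-8000-9000-1400"    # group used for GPO security filtering
SERVER = "S-1-5-21-7000-8000-9000-2001"          # a computer account


@dataclass(frozen=True)
class Ace:
    kind: str              # "allow" or "deny"
    sid: str
    mask: int
    inherited: bool = False


@dataclass(frozen=True)
class Token:
    user_sid: str
    sid_history: tuple = ()
    groups: tuple = ()

    def sids(self):
        # The resource compares every SID in the token against its DACL: the
        # current SID, each sIDHistory entry and each group SID.
        return {self.user_sid, *self.sid_history, *self.groups}


def canonical(dacl):
    """Windows canonical ACE order: explicit deny, explicit allow, inherited deny,
    inherited allow.  An inherited deny therefore never beats an explicit allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == "allow"))


def access_check(token, dacl, requested):
    """Walk the canonical DACL: a matching deny on a still-outstanding right denies;
    matching allows accumulate rights until nothing is outstanding."""
    sids = token.sids()
    remaining = requested
    for ace in canonical(dacl):
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0      # an empty or non-matching DACL grants nothing


def sidhistory_walkthrough():
    """Deji's stages, as {stage: access granted?}, for a migrated user reading a share."""
    user = Token(NEW_USER, sid_history=(OLD_USER,))
    member = Token(NEW_USER, sid_history=(OLD_USER,), groups=(FILE_ADMINS,))
    return {
        "old ACL kept": access_check(user, [Ace("allow", OLD_USER, READ)], READ),
        "re-ACLed, not re-granted": access_check(user, [Ace("allow", OTHER_NEW_USER, READ)], READ),
        "re-ACLed and re-granted": access_check(
            user, [Ace("allow", OTHER_NEW_USER, READ), Ace("allow", NEW_USER, READ)], READ),
        "granted via group SID": access_check(member, [Ace("allow", FILE_ADMINS, READ)], READ),
        # sIDHistory carries denies as well: an explicit deny on the old SID still bites.
        "old SID explicitly denied": access_check(
            user, [Ace("deny", OLD_USER, READ), Ace("allow", NEW_USER, READ)], READ),
    }


def gpo_filtering_demo():
    """Security filtering needs Read plus Apply Group Policy on the GPO.  A server whose
    token was built before it joined SERVER_GROUP (joe's point: no reboot, no new token)
    still misses the GPO even though AD already lists it as a member."""
    gpo = [Ace("allow", AUTHENTICATED_USERS, READ),
           Ace("allow", SERVER_GROUP, READ | APPLY_GROUP_POLICY)]
    fresh = Token(SERVER, groups=(AUTHENTICATED_USERS, SERVER_GROUP))
    stale = Token(SERVER, groups=(AUTHENTICATED_USERS,))
    need = READ | APPLY_GROUP_POLICY
    return access_check(fresh, gpo, need), access_check(stale, gpo, need)


def hiding_demo():
    """Guido's point: a deny inherited from the top does not hide an object that keeps
    the default explicit Read allow for Authenticated Users; removing that allow does."""
    user = Token(OTHER_NEW_USER, groups=(AUTHENTICATED_USERS,))
    inherited_deny = Ace("deny", AUTHENTICATED_USERS, READ | LIST, inherited=True)
    with_default_allow = [inherited_deny, Ace("allow", AUTHENTICATED_USERS, READ | LIST)]
    return access_check(user, with_default_allow, LIST), access_check(user, [inherited_deny], LIST)
```

The same `access_check` drives all three demos: `sidhistory_walkthrough()` returns True, False, True, True, False for Deji's stages plus the deny case; `gpo_filtering_demo()` returns `(True, False)`, the stale token being exactly what GPRESULT shows on a server that has not been rebooted since it was added to the group; and `hiding_demo()` returns `(True, False)`, which is why Guido recommends removing the explicit Read for Authenticated Users (or moving admin accounts to their own OU) rather than stacking denies at the top of the tree.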
AW: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
Better this way; it really bugs me since it's buggy. I hope for a new Adminpak with SP1.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fuller, Stuart
Sent: Friday, 14 May 2004 21:48
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
Sensitivity: Private

This is one of my pet peeves for the ADUC in XP. See http://support.microsoft.com/?id=304718 and then search for dial-in. Quote:

The Dial-in tab that configures Routing and Remote Access dial-in or VPN access and callback settings is removed when the Administration Tools package is installed on Windows XP clients. To remotely manage the RAS dial-in tab in Active Directory Users or Computers or Internet Authentication Server (IAS) from a Windows XP-based computer, use Terminal Services or Remote Desktop to access a Windows 2000-based or Windows Server 2003-based computer. Alternatively, log on to the console of a Windows 2000-based or Windows Server 2003-based computer to configure these settings directly.

-Stuart

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 14, 2004 1:38 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
Sensitivity: Private

Has anyone had a problem viewing the Dial-In property sheet with Windows XP SP1? Thanks.
AW: [ActiveDir]
Hi Chris,

If you have a backup of that domain - restore. If you don't have a backup, and it was the first domain in the forest (forest root), then create a new forest and migrate each of the existing domains step by step into the new forest (ADMT or other migration tools from 3rd party vendors will help you here). If it wasn't the forest root domain which blew up, you are able to recreate the domain (under a different name) in the same forest; then you might be able to use the domain rename tool to put the domains which were underneath your lost one underneath the new one. If domain rename will not work, you'll have to create those domains anew as well and migrate the resources of the old domains into the new ones (ADMT or some other migration tools again). The domain rename depends on your OS and forest and domain level - if it is WS2k3 Native this might be a possibility. However, I've never tried what domain rename does if a domain is missing in the forest. If you don't migrate everything into a new forest you'll also have to perform a metadata cleanup. At what time that is to be done is to be considered in a test environment. If you are able to clean the old domain out of the forest right away and the downlevel domains will still work, you'll have much less problems with everything else, and the domain rename tool will work for sure (if you don't have any other stuff which prevents you from using that).

Good luck, and remember afterwards that 2nd DCs and backups are your best friends ;-)

Ulf B. Simon-Weidner

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Jones
Sent: Saturday, 8 May 2004 01:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir]

Hi guys, I need some help here. We have a single forest with 2 domain trees. One of the domain trees includes domains: one parent domain and 2 child domains. All three domains have one DC. A few days ago, the DC from the parent domain stopped working because of some h/w issues. So, the whole AD environment is screwed up. I'm trying to install another DC for the same domain but it fails. Guess it tries to connect to the faulty DC. I cannot remove that domain as it has 2 child domains. Would it be possible to create another domain tree and change the parent domains for those 2 child domains? Any suggestions on how I can solve this problem?? Chris
AW: [ActiveDir] Dieing forest
Hello Rens,

Migrate with ADMTv2; look into the guides MS published for a migration from one forest into another. Since you are able to keep the SID in the SIDHistory you are able to retain permissions; however, I'd also look to re-ACL the resources to the new SIDs. This can be done with ADMT, the SIDWalk migration suite or 3rd party migration tools.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rens Meijer
Sent: Thursday, 6 May 2004 15:07
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dieing forest

Hi all, A customer of mine had a forest root domain and a child domain. By disaster the single (I know, very bad) DC in the forest root domain has crashed and cannot be restored. All replication within the forest came to a halt. By creating the forest root domain on one of the DNS servers in the child domain, GC and domain SRV records were registered again and replication between the DCs in the child domain resumed. Except with the forest root domain DC of course, because it is not there anymore. Now they're in a temporarily stable situation, but the question is for how long? Even Microsoft comes with different answers. Does anyone have thoughts about how long an orphaned child domain can sustain on its own? In my opinion the real solution is to create a new forest and migrate all the AD and Exchange data to the new forest. We already installed a new forest; we could create a trust between the 2 domains. Now we want to migrate from W2K-E2K to W2K-E2K and retain all AD, NTFS, share, Exchange permissions. Does anyone know how to accomplish this? TIA, Rens Meijer
AW: [ActiveDir] Variables allowed for creating home folders
Hello Stephen,

I don't think so. AFAIK the only variables which you are able to use during logon are the ones which are system variables on the clients plus the %username%. Variables defined in the context of the user are not available at this time. AFAIK2 - the variable username is filled from the logon box, depending on what the user types in there. I'm not 100% sure if that's still the case, but a long while ago I had issues that the %username% was sometimes uppercase and sometimes lowercase, and it did not depend on the user's properties in the directory. I found out that the %username% was in exactly the same spelling the user typed it into the logon box. But this was either in the late NT4 or early 2000 days, so this behavior might have changed.

HTH, Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bell, Stephen
Sent: Wednesday, 5 May 2004 18:09
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Variables allowed for creating home folders

My question is this. Is there a variable that I can use when creating user home directories that will resolve to the User Logon Name just as %username% resolves to the sAMAccountName or Pre-Windows 2000 User Logon Name field? Background: Normally what I use when creating home directories (actually allowing AD to make them, I should say) is (location)\%username% and this creates the home directory using the name shown in the Pre-Windows 2000 User Logon Name field (actually the sAMAccountName, I believe). Due to a change in naming conventions I would like to adjust that. The new naming convention is: the Pre-Windows 2000 User Logon Name field will be a number such as 12345 while the User Logon Name will be the user's name. I would prefer to have the home directory's name be a little more readable rather than have people having to remember their number. This is only an issue when going through the GUI. I've already got the script that I use to make users in batch mode converted over. I just took the UPN name and stripped off everything after the @ character and used that to name the home directories. Thanks for any help! Steve
AW: [ActiveDir] Cached Domain Credential logon expiry for Win2k/X P
Hi Joe,

AFAIK the passwords of the computer accounts are not set to expire, but they are automatically changed. The password change is done from the Netlogon service. The default time in NT was 15 days, changed to 30 days in W2k and later. The client might decide to change after half of the period is over, but has to change when it's over. So technically your NT4 client might change its password after 7.5 days, the WXP client after 15 days. It's like in DHCP - half of the period is over and it's up to client and server to decide when it's convenient to change. But there's also a registry key underneath Netlogon/Parameters which sets on the client not to change the password, or vice versa on the DCs to refuse password change requests. So if you have a client who never exchanged his password, it will still work.

However, if you have a client which was imaged, backed up, or running in a virtual machine using some roll-back-to-snapshot feature, the following might occur:
1. The state of the client is backed up / snapshotted.
2. The client runs in the domain; whenever it decides, it'll change its computer password (NT4 earliest 7.5 days after joining the domain/resetting the password, WXP 15 days).
3. After the client changed its password, you roll back the machine.

So if there was just one change, the AD remembers the last computer account password. An NT4 domain does not, so the client in the NT4 domain is not able to connect to the domain. If there was more than one change of the computer account password between the client and the domain, you cannot log on to the domain. You'll need to reset the computer account password first. So especially for your virtual machines to test stuff there might be a reason to disable the password change on the client side. If the client does not change, the DC never will. Same as your user account password - if the user never decides to change the password the DC will not send him a mail with his new password ;-).

And as I mentioned earlier, I'm quite sure that the password is not set to expire in the domain. Look at KB 154501 (old KB, but AFAIK still valid) on how to disable the password change of the computer account either on the client or the server side.

Thinking of it - it would be a great security enhancement to set the computer account passwords to expire after a certain time. Because with the current behavior a client which was out of the domain for ages will always be able to log back onto it - since the client didn't have contact to the domain it didn't change the password, so the old one is still valid. I believe the computer would not be able to handle the expired passwords, but WTH - if you set the period long enough this will never happen since it's used to changing its password frequently anyway. But since we are not able to do this as of today ... OK - enough for now - just my 0.02

Ulf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, 6 May 2004 14:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/X P

I am actually starting to wonder on this and how it actually works and now have some new theories. I recently had to troubleshoot an issue and there were machines with passwords that were greater than 600 days old. The password had never been changed from the first day the machines were added to the domain and the machines WERE working fine with the domain. The issue ended up being that the NETLOGON service had been disabled on the workstation. This made it so you couldn't use any local principals but you could still log on with a domain ID. The NETLOGON service is what keeps the passwords getting updated as well as the SP level and probably some other things in AD. I am sure there were probably some other things that weren't working quite exactly as expected either but the users seemed to have no issues. As soon as the service was restarted, the password changes started occurring again. I didn't have a chance to really dig into why the accounts kept working, whether it was some special flag or not; we just wanted it cleaned up. Since the passwords were that old though and the people could still use the domain, it makes me wonder if the passwords truly break for workstations, if it isn't on the workstation side versus the domain side, i.e. the workstation is completely responsible for the whole process and you actually have no control from the domain side. I always wondered how the regedit on the workstation could change the functionality; this would explain that.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Thursday, May 06, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/X P

Default password aging for machine accounts is 30 days in AD and 7
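An added audit script for the situation Ulf and joe describe (machine accounts whose password never rotated, and the Netlogon settings that stop rotation); it is not from the thread. It assumes the ActiveDirectory RSAT module, Windows PowerShell 5.1, Remote Registry access to the machines, and a 60-day threshold that is a placeholder.

```powershell
# Added example, not from the thread: list computer accounts whose password has not
# rotated within the expected window, then check why on each one. Assumes the
# ActiveDirectory RSAT module and Windows PowerShell 5.1 (Get-Service -ComputerName).
Import-Module ActiveDirectory

# 30 days is the W2k+ change interval mentioned in the thread; twice that is
# unusual and worth a look. The threshold itself is an assumption.
$MaxAgeDays = 60
$Cutoff = (Get-Date).AddDays(-$MaxAgeDays)

function Get-StaleComputerAccount {
    Get-ADComputer -Filter { Enabled -eq $true } `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
      Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff } |
      Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
        @{ n = 'PasswordAgeDays'
           e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } } |
      Sort-Object PasswordLastSet
}

# The values under Netlogon\Parameters (KB 154501) explain a stopped rotation:
# DisablePasswordChange=1 on a client stops it from ever changing its password,
# RefusePasswordChange=1 on a DC makes the DC reject change requests,
# MaximumPasswordAge (days) is the interval the client uses. Needs Remote Registry.
function Get-NetlogonPasswordPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $key = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $sub = $reg.OpenSubKey($key)
        [pscustomobject]@{
            ComputerName          = $ComputerName
            DisablePasswordChange = $sub.GetValue('DisablePasswordChange', 0)
            RefusePasswordChange  = $sub.GetValue('RefusePasswordChange', 0)
            MaximumPasswordAge    = $sub.GetValue('MaximumPasswordAge', 30)
            # A stopped/disabled Netlogon is the cause joe found.
            NetlogonStatus        = (Get-Service -Name Netlogon -ComputerName $ComputerName).Status
        }
    } finally { $reg.Close() }
}

$stale = Get-StaleComputerAccount
$stale | Format-Table -AutoSize

# A machine that is unreachable but still has a valid, old password is exactly the
# "out of the domain for ages" case Ulf worries about: it can still come back.
foreach ($c in $stale) {
    try { Get-NetlogonPasswordPolicy -ComputerName $c.Name }
    catch { Write-Warning "$($c.Name): unreachable ($($_.Exception.Message))" }
}
```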
AW: [ActiveDir] Replication issues
Hi Russ,

There's an additional tool which would be able to help you here. If you register the AcctInfo.dll on the computers running Active Directory Users and Computers it extends the property pages of a user account by a tab "Additional Account Information". On this tab you can see some more information like the SID, when the password was last changed and when it expires, but more important for you, it provides you with an interface to detect in which site the user last logged on and to change the password there. If the user traveled, you are able to enter any computer account in the window and the tool will detect on which site the user currently is. You'll find the acctinfo.dll in the Account Lockout Tools at http://go.microsoft.com/fwlink/?linkid=16174 You'll find more information about acctinfo.dll on the following page (search for acctinfo.dll - it's like 80% down the document) http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

HTH. Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, 27 April 2004 15:07
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Replication issues

We have always been having weird issues with replication. We have about 30 AD sites all over the world. When we change or reset a password here for a user at a remote site, it takes quite a long time (30-60 minutes or more) to replicate to the user's site. So, we are having to connect to their local domain controller and reset the password there. What is the best practice for setting up and tuning replication and resetting passwords, and what tools are recommended (replmon?) for "testing" it, and how long should it take?
AW: [ActiveDir] help querying for groups
Hi Mark,

The first thing which comes to my eyes is that the base is not started and ended with "<" and ">", but the whole query including base, filter and scope is. So what I'd try is modifying the line beginning with strBase to

strBase = "<LDAP://dc=my,dc=domain,dc=com>;"

and the line starting with Set objRS to

Set ObjRS = objConn.Execute("<" & strBase & strFilter & strScope & ">")

HTH, Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Friday, 30 April 2004 22:31
To: [EMAIL PROTECTED]
Subject: [ActiveDir] help querying for groups

Hi, can someone help me troubleshoot this script? I'm trying to return all of the global groups in the domain whose name starts with RPT. All I'm getting is the error: Provider: Unspecified error

strBase = "LDAP://dc=my,dc=domain,dc=com;"
strFilter = "(&(objectCategory=group)(name=RPT*));"
strScope = "Subtree"
Set objConn = CreateObject("ADODB.Connection")
objConn.Open "Provider=ADsDSOObject"
Set ObjRS = objConn.Execute(strBase & strFilter & strScope)
objRS.MoveFirst
While Not ObjRS.EOF
    WScript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend

I'm trying to do this by altering one of the recipes in Robbie Allen's book. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
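The same search done with .NET DirectorySearcher, as an added example that is neither Mark's script nor Ulf's fix. It goes a step further than the thread by restricting the result to global security groups via the groupType bit mask (0x2 = global scope, 0x80000000 = security-enabled), and assumes the base DN dc=my,dc=domain,dc=com from the thread and a domain-joined host; the ADO dialect Mark uses needs the four-part string <base>;filter;attributes;scope, with the base in angle brackets, which is where his "Unspecified error" comes from.

```powershell
# Added example, not from the thread: find global security groups whose name
# starts with RPT using System.DirectoryServices (no ADO, no RSAT module needed).
# Assumes the base DN from Mark's mail and a domain-joined machine.
function Find-GlobalGroups {
    param(
        [string]$BaseDn     = 'dc=my,dc=domain,dc=com',
        [string]$NamePrefix = 'RPT'
    )
    # groupType is a bit mask: 0x2 = global scope, 0x80000000 = security-enabled.
    # 1.2.840.113556.1.4.803 is the LDAP "bitwise AND" matching rule, so the two
    # groupType clauses keep only global security groups; (name=RPT*) is Mark's prefix.
    $filter = "(&(objectCategory=group)(name=$NamePrefix*)" +
              "(groupType:1.2.840.113556.1.4.803:=2)" +
              "(groupType:1.2.840.113556.1.4.803:=2147483648))"

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500   # paged search, so more than 1000 hits are not truncated
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'distinguishedName', 'member'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name        = [string]$r.Properties['name'][0]
            DN          = [string]$r.Properties['distinguishedname'][0]
            # Large groups (>1500 members) return the member attribute in ranges,
            # so treat this count as a lower bound for those.
            MemberCount = $r.Properties['member'].Count
        }
    }
}

Find-GlobalGroups | Format-Table -AutoSize
```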
AW: [ActiveDir] DNS replication
Hi there,

That's my problem: 15 minutes is too slow. Is there any chance to make a kind of urgent replication like it was on an NT4 domain when you disable a user?

Cu, Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 March 2003 15:10
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS replication

It's mixed in with your normal AD replication. This can be set under AD Sites and Services - Inter-Site Transports I think (double check).

BR Robert Rutherford

Storf Alexander [EMAIL PROTECTED], 26/03/2003 14:01
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS replication
Please respond to ActiveDir

Hi, We have an application which has very special needs on our DNS configuration: Entries in any DNS server (all zones are AD integrated) should be replicated as fast as possible (DHCP leased addresses for our clients). Now they are replicated every 15 minutes, which is far too slow. 1 minute is acceptable for our application. Where can this replication interval be modified? Thanks in advance, Alex
Re: AW: [ActiveDir] DNS replication
You can do it through Sites and Services. Best to use Replication Monitor from the support tools. These can be found on the 2000 server disk, under the support directory if I remember.

BR Robert Rutherford

Storf Alexander [EMAIL PROTECTED], 26/03/2003 14:41
To: '[EMAIL PROTECTED]'
Subject: AW: [ActiveDir] DNS replication
Please respond to ActiveDir

Hi there, That's my problem: 15 minutes is too slow. Is there any chance to make a kind of urgent replication like it was on an NT4 domain when you disable a user? Cu, Alex
AW: [ActiveDir] changing the Pre-Windows 2000 computer name
I don't seem to have much luck with my posts to this list... have I upset anyone? Have I been blacklisted for some reason? Do I smell bad?

To support my post regarding changing the Pre-Windows 2000 name of a member server I found this in the Microsoft documentation (URL: http://www.microsoft.com/windows2000/en/server/help/default.asp?url=""):

Computer accounts: Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name (security account manager account name), a primary DNS suffix, a DNS host name and a service principal name. The administrator enters the computer name when creating the computer account. This computer name is used as the LDAP relative distinguished name. Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. The administrator can change the pre-Windows 2000 name at any time.

Am I under the misapprehension that W2K member servers have both a pre-W2K name and a different name in AD? If I am, then please accept my apologies and I'll never darken your doors again. If I am not a misguided fool, please can someone point me or throw me in the direction of the steps I need to take to change the pre-W2K name which Microsoft say "The administrator can change the pre-Windows 2000 name at any time."

Many, many thanks, Mark Abbiss

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, 24 March 2003 20:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] changing the Pre-Windows 2000 computer name

Pardons to all! I re-read the original message from Mark, and I may have read WAAAY too much into this. If you're only looking to change the name of a member server, it's a bit easier - DCs however, are pretty tough to change.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Monday, March 24, 2003 1:00 PM
To: [EMAIL PROTECTED]

Mark, With all due respect, the Pre-Windows 2000 (or NetBIOS name) is the ONLY one that cannot be changed - regardless of whatever level of mess you want to go through. You can change the domain name (the FQDN) of a domain - provided it is still in mixed, by using NT 4.0 DCs to back out Windows 2000 completely (see Q292541). This is not a supported solution, but it can be done. There are other ways (a VBS script was posted here a few weeks to a month ago), but this seems to be the most straightforward and least complex (IMHO, they all are messy, and generally suck). As to changing the NetBIOS name - that's another story altogether. I've never seen that done, and would be interested in seeing detail from someone who has successfully done it.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Abbiss, Mark
Sent: Monday, March 24, 2003 9:49 AM
To: '[EMAIL PROTECTED]'

Dear All, I know it can be done (because I have read it in the Microsoft documentation) but I can't find where to do it. Please could someone let me know how I can change the pre-Windows 2000 name for a computer! Many thanks, Mark Abbiss

Mark Abbiss
EADS Headquarters
81663 Muenchen Deutschland
Phone : +49 (0)89 607-34776
Email: [EMAIL PROTECTED]
AW: [ActiveDir] Running progam automatically at logon
Well, the best place to control user logon actions would be to write a custom ms-gina dll. This way you can even let your program decide who is allowed to log in. There have already been some mails about ms-gina programming. This way you are able to do some actions right after the login process or just before that. But here again a link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/winlogon_and_gina_reference.asp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fleenor Todd
Sent: Thursday, 2 May 2002 17:31
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Running progam automatically at logon

I am looking for suggestions on the best place to run a program that monitors Administrator personnel logging into domain controllers. This program asks the user to type in the reason for the login session. This could be run from a login script or a Group Policy, but I'd rather not depend on either of those. It could also be placed into the RUN registry key for Windows. What are some other ways to run a program just after someone has logged in? I'd rather this run just before the login script if possible. Thanks for any suggestions!
AW: [ActiveDir] Service monitoring tools
Depending on how deep you want to get into monitoring and how complex your network is, a good product is RoboMon by Heroix. Can do what you need and a whole lot more... we are just about to install it here after comparing it with NetIQ and MOM.

Mark

-----Original Message-----
From: Al Lilianstrom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 3 April 2002 15:45
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Service monitoring tools

I'm looking for a recommendation on a tool or tools to monitor our DCs. I already have some basic health tools in place but I'm looking for something that not only monitors the running services but can also note when a service changes state (say from disabled to manual and then from stopped to running) and when a new service is added. Anything like that out there?

tia, al
--
Al Lilianstrom CD/OSS/CSI [EMAIL PROTECTED]
Re: AW: [ActiveDir] Service monitoring tools
Abbiss, Mark wrote: Depending on how deep you want to get into monitoring and how complex your network is, a good product is RoboMon by Heroix. Can do what you need and a whole lot more... we are just about to install it here after comparing it with NetIQ and MOM. Mark

I thought about Robomon. We had taken a look at a previous version a couple of years back and felt it consumed too much of the resources of the servers it was supposed to be monitoring. Maybe the current version is less intrusive. I'll have to look again.

al
--
Al Lilianstrom CD/OSS/CSI [EMAIL PROTECTED]
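A lightweight baseline-and-diff check for what Al asks about (a service changing state or start mode, and services appearing), added here as an example and not part of the thread or of any product it names. It assumes CIM/WinRM access to the DCs and uses placeholder server names and a placeholder baseline folder.

```powershell
# Added example, not from the thread: snapshot Win32_Service on each DC, diff it
# against the previous run, and report new/removed services and changed
# State, StartMode, binary path or service account. Placeholders: $Servers, $BaselineRoot.
$Servers      = @('DC01', 'DC02')
$BaselineRoot = 'C:\ServiceBaselines'
New-Item -ItemType Directory -Path $BaselineRoot -Force | Out-Null

function Get-ServiceSnapshot {
    param([string]$ComputerName)
    # Win32_Service carries both the run state and the start mode (Auto/Manual/Disabled),
    # which is what distinguishes "disabled -> manual" from "stopped -> running".
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
      Select-Object Name, State, StartMode, PathName, StartName
}

function Compare-ServiceSnapshot {
    param($Baseline, $Current)
    $old = @{}
    foreach ($s in $Baseline) { $old[$s.Name] = $s }
    foreach ($s in $Current) {
        $b = $old[$s.Name]
        if (-not $b) {
            [pscustomobject]@{ Service = $s.Name; Change = 'NEW'; From = ''
                               To = "$($s.StartMode)/$($s.State) $($s.PathName)" }
            continue
        }
        if ($b.StartMode -ne $s.StartMode) {
            [pscustomobject]@{ Service = $s.Name; Change = 'StartMode'; From = $b.StartMode; To = $s.StartMode }
        }
        if ($b.State -ne $s.State) {
            [pscustomobject]@{ Service = $s.Name; Change = 'State'; From = $b.State; To = $s.State }
        }
        # A changed binary path or logon account on an existing service matters more
        # on a DC than a plain stop/start, so it gets its own line.
        if ($b.PathName -ne $s.PathName -or $b.StartName -ne $s.StartName) {
            [pscustomobject]@{ Service = $s.Name; Change = 'Binary/Account'
                               From = "$($b.StartName) $($b.PathName)"
                               To   = "$($s.StartName) $($s.PathName)" }
        }
        $old.Remove($s.Name)
    }
    foreach ($name in $old.Keys) {
        [pscustomobject]@{ Service = $name; Change = 'REMOVED'; From = $old[$name].StartMode; To = '' }
    }
}

foreach ($srv in $Servers) {
    $file = Join-Path $BaselineRoot "$srv.json"
    $now  = Get-ServiceSnapshot -ComputerName $srv
    if (Test-Path $file) {
        $base    = Get-Content $file -Raw | ConvertFrom-Json
        $changes = Compare-ServiceSnapshot -Baseline $base -Current $now
        if ($changes) { "== $srv =="; $changes | Format-Table -AutoSize } else { "$srv : no service changes" }
    } else {
        "$srv : no baseline yet, recording one"
    }
    # Each run becomes the next baseline, so every report is "since the last run".
    $now | ConvertTo-Json -Depth 3 | Set-Content $file
}
```

Run it from a scheduled task; the System log's event 7045 (new service installed) is the built-in complement for catching additions between runs.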
AW: [ActiveDir] Introductions...
We have been trying for almost a year now to link 2 sites!!! The POLITICS are the killer. Just wait until you get to who has the FSMO roles... children, children. Good luck and make sure you have a reservation for a breakdown sometime early in the New Year.

Mark

-----Original Message-----
From: Paul Sobey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 3 April 2002 16:35
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Introductions...

Hello everyone, After lurking for a week or so, just wanted to send a quick note to introduce myself. I'm an admin for a firm in London, currently designing an AD structure for our group, to be rolled out this year, and very nervous about it! Our AD structure will cover 15 sites, linked via VPN in an arrangement with 3 hubs and 12 spokes. Needless to say, each site currently has its own NT4 domain with different naming/security policy, so I'm using this as an opportunity to bind everyone together into a common structure. I have a feeling the politics will be harder than the technical bits by the end :) Nice to meet you all... Cheers, Paul
AW: [ActiveDir] Clusters - Good or Bad idea?
Is it a big price difference between BigIP and Win2K NLBS?

-----Original Message-----
From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 5 March 2002 18:09
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Clusters - Good or Bad idea?

We've used both the NT 4.0 WLBS and Win2K NLBS and we gave both up for a hardware based solution. We went with BigIP. It gave us a better solution with more options. Diane

-----Original Message-----
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 8:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Clusters - Good or Bad idea?

We are doing this in our current environment. We are using Win2K load balance. We have some clusters and some load balance clusters. Both work great! Let me know if you would like more details. jb

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Clusters - Good or Bad idea?

Hi All, I am currently spec'ing out a number of new file and print servers for our HQ with about 700 users (at the moment). I'm considering using W2K Advanced Server to cluster machines. My first question is, is this a good idea? Can you load balance across servers? Where I am coming from is I want the users at the site to be able to connect to the machine(s) with one name using the same disk array. There could be 4 or more servers in the cluster; if one of the servers fails, the users get moved over to one of the working machines. Also, can it load balance itself across the machines? For expandability, if we find we need more storage or disk capacity, we can just add another server to the cluster or more disk to the external device? Is this possible in a File and Print only environment, or am I living in a dream world? Thanks for your comments.

Jamie Simcox
PC Network Technician
J C Bamford Excavators Ltd
AW: [ActiveDir] DNS question
Thank you everybody for your help!!

> It has been reported (though I've not personally experienced it) that the DNS client tends to preference either the public servers or the alternate server ... this being the case, resolution against the zone(s) representing Active Directory will eventually fail. I've experienced this and have concluded that putting an external (non-AD) DNS server in the clients' alternates list for DNS servers is something to avoid.

I have experienced the same - that's why I wasn't sure about it.

> Rather use forwarding to help the internal server(s) resolve the names. Right-click the server in DNS MMC, do properties... forwarders tab, add your favoured external DNS servers there.

The only problem was that I couldn't configure the DNS to use forwarders unless I would DELETE THE "." DOMAIN :-) = Thanks to Joshua Morgan - study Q260371! It seems to work now!! Stay Active ;-) Mike
RE: [ActiveDir] Can't join a server to an existing domain
Many thanks, problem solved... I only half configured DNS!!

Mark Abbiss
EADS Headquarters
81663 Muenchen
Deutschland
Phone : +49 (0)89 607-34776
Email: [EMAIL PROTECTED]

-----Original Message-----
From: David Lloyd [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 16 January 2002 14:30
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can't join a server to an existing domain

It sounds like the issue is related back to DNS.

1) Firstly, with the first server, did you tell it to auto-configure DNS for you? And if so, is the new server pointing to the first server for its DNS services?

2) If you did not let it auto-configure, have you got DNS installed somewhere? And if so, are the first server and second server both pointing to it? And did the SRV records register correctly (sub folders such as MSDCS + LDAP should be within the zone file) for the first server (force again through the command ipconfig /registerdns or just reboot)?

3) If the first server is not registering correctly, ensure things such as 'Append domain name to Suffix' are selected in the TCP/IP properties, or that Dynamic DNS is enabled on the DNS Server.

Cheers
David

-----Original Message-----
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 16 January 2002 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Can't join a server to an existing domain

I must be missing something obvious!!

I am setting up a small test environment and have hit a problem. I have completed a basic vanilla install of W2K Server on one machine and promoted it to a domain controller. In the process, I called the new domain W2KTEST.CORP. I have configured nothing else on the machine at all. All I have done is given it a static IP address of 192.168.1.1, and the NetBIOS name is W2KSERVER01.

I then completed a new installation of W2K Server on another machine and immediately want to promote it to a domain controller and add it to W2KTEST.CORP. When using the AD Wizard I select the required options to create a new DC in an existing domain and am asked for the necessary information (account, password and domain). Here I enter administrator, password and W2KTEST.CORP, but I keep getting a message saying that the DC of W2KTEST.CORP does not exist or that W2KTEST.CORP is not an AD domain.

So I tried to add the new server as a child of the W2KTEST.CORP domain and get the same error message!

Do I need to set up any other resources on the first DC in W2KTEST.CORP? Do I need to complete any other configuration steps before it will accept new DCs?

Many thanks for any pointers.

Mark

---
Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.313 / Virus Database: 174 - Release Date: 2/01/2002
---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.313 / Virus Database: 174 - Release Date: 2/01/2002

The British Land Company PLC
10 Cornwall Terrace, Regent's Park, London, NW1 4QP
Registered in England Registered number 621920
---
This email and attachments are confidential. If you are not the intended recipient, any use, disclosure or copying of this document is unauthorised. If you have received this document in error please immediately notify the sender on +44 (0)20 7486 4466 and delete this email from your computer. Thank you.
RE: [ActiveDir] AD Policy Logon Error
I have now found out that this problem occurs if I install pcAnywhere on the workstation. I will follow this path and will try to find out what happens on the workstation during install.

mike

-----Original Message-----
From: OFFORD, Vivian [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 10 January 2002 12:36
To: Mike Tonazzi
Subject: RE: [ActiveDir] AD Policy Logon Error

Do you get any event log error messages? Check the Application log for Event ID 1000 from Source: UserInit.

If you have set the script to run in group policy, is it correct that the script is in the netlogon share? Normally these are automatically in the Sysvol share in a folder with a GUID as a folder name.

Do you run any other scripts configured in the AD such as site scripts? If so, do these run?

In case there is a problem with the workstation's account in the AD, try removing it from the domain and adding it back in again.

Is there anything different about the network connectivity for the affected workstations? Is there a slow or congested link to the domain controllers? If the logon process detects a slow link it can (by default I think) disable the running of scripts. You can set the GPO to ignore slow links and run the scripts regardless.

Are the affected workstations being authenticated by different domain controllers to the working workstations? This could point to a problem on those DCs - possibly with replication of the scripts.

Viv Offord

-----Original Message-----
From: Mike Tonazzi [mailto:[EMAIL PROTECTED]]
Sent: 09 January 2002 00:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Policy Logon Error

If I double-click the VB script (after I have been logged in) it runs wonderfully. The only thing is the script is not executed during the login process (as it is defined in the group policy). The script is saved in the \\server\netlogon directory, but I have also tried other directories (with full access).

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Tue 08.01.2002 22:45
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Policy Logon Error

Have any changes been made to the security of these workstations that would prevent VB scripts from executing? Have any changes been made to the workstations?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Tonazzi
Sent: 07 January 2002 06:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Policy Logon Error

We are using DHCP. I checked the DNS entries and they are correct.

mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacqui Hurst
Sent: Saturday, 5 January 2002 12:05
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Policy Logon Error

Have you checked that the DNS settings on these workstations are correct? We had a similar problem when workstations were added without the correct DNS suffix.

Jacqui

-----Original Message-----
From: Mike Tonazzi [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Tonazzi
Sent: 04 January 2002 07:38
To: ActiveDir Mailinglist (E-Mail)
Subject: AD Policy Logon Error

Hi Guys

Hope you started your 2002 well. I have the following problem: I have created several group policies related to OUs. In the group policy I have configured a VB logon script to execute when users log on. So far so good. Everything worked fine for at least nine months. But since two weeks or so, some workstations no longer execute the logon script. If I try to log on with the same user on another workstation it works fine!

Any idea?

Best Regards,
Mike

___
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of SchlumbergerSema. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing
RE: [ActiveDir] Server availability/monitoring/management tools
Unfortunately our budget won't stretch to the prices NetIQ are quoting!

Mark Abbiss
EADS Headquarters
81663 Muenchen
Deutschland
Phone : +49 (0)89 607-34776
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Flanagan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 10 January 2002 14:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Server availability/monitoring/management tools

Well, MOM is really an AD-only tool, and a framework that you can plug other things into, i.e. NT4 modules from NetIQ. I think that those modules are more or less based on NetIQ AppManager. I've really liked AppManager where we used it at my last job.

-----Original Message-----
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 8:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Server availability/monitoring/management tools

Thanks, looking at it right now... anything else out there?

Mark Abbiss
EADS Headquarters
81663 Muenchen
Deutschland
Phone : +49 (0)89 607-34776
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Strand, Ted [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 10 January 2002 14:51
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Server availability/monitoring/management tools

You might want to look at Microsoft MOM. It is similar to a lighter version of NetIQ and I think it is less expensive.

-----Original Message-----
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 8:46 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Server availability/monitoring/management tools

Does anyone have any strong recommendations for a good Windows 2K server monitoring/management tool? We are ideally looking for something that can monitor a range of running services and server availability and take remedial action if anything goes wrong (restart server or service) and notify support staff by email, SMS or pager. A flexible reporting tool that can be directly accessed via a browser is also required.

Have looked at NetIQ but it is SO expensive!

Regards,
Mark Abbiss
RE: [ActiveDir] a small problem.
In my experience a PC that shows this behaviour has a mapping to a network drive that doesn't exist anymore. Sometimes a defective CD-ROM shows similar behaviour. The box tries to access it but without success. After a while it gives up and then shows the available network drives.

mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 14 November 2001 15:07
To: [EMAIL PROTECTED]
Subject: [ActiveDir] a small problem.

Hey all,

I know this isn't particularly related but wondered if anyone else has encountered this little problem: whenever anyone on the network goes to open/save a document from standard apps such as Office it can take up to 2 minutes to drop down the drives list.

Any ideas?

Thanks in advance

Robert Rutherford

This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author and do not necessarily represent those of DEK Printing Machines Ltd., or its affiliates.
RE: [ActiveDir] ActiveDir and DNS
My domain runs fine without MS DNS. All I use is a DNS forwarder to my internet provider.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giovanni Bianchini
Sent: Tuesday, 13 November 2001 16:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ActiveDir and DNS

Group:

A customer asked this question. They run a proxied inet connection with DNS provided by proxy. They do not connect to any untrusted domains nor do they browse AD. Does AD require MS DNS to be running to maintain machine and user information for login?

From the Desk of Giovanni Bianchini
This e-mail is virus free

This message from Owltech Network Consulting Inc. (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
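The DNS dependency behind this thread, the W2KTEST.CORP join problem and the forwarders discussion above can be checked directly: the promotion wizard and domain members locate a DC through SRV records such as _ldap._tcp.dc._msdcs.<domain>, which whatever DNS server hosts the AD zone (Microsoft or not) must answer. The script below is an added example, not code from any of the posters; it builds and parses the SRV query with only the standard library, W2KTEST.CORP and 192.168.1.1 are taken from the join thread, and the sample response bytes are constructed, not captured from a real server.

```python
"""Check the SRV records that AD clients and DC promotion look up, against any
DNS server hosting the AD zone.  Added example, not from the thread; only
W2KTEST.CORP and 192.168.1.1 come from it, everything else is assumed."""
import socket
import struct

# Locator records every DC registers in its domain zone (RFC 2782 names).
DC_SRV_TEMPLATES = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
                    "_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_kpasswd._tcp.{d}")

def encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid=0x1234):
    """Header (RD set, one question) followed by the SRV/IN question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 33, 1)

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                       # bound the pointer chase
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("malformed name")

def parse_srv_response(msg):
    """Return answers as (priority, weight, port, target); [] on error RCODE."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                         # e.g. 3 = NXDOMAIN: not registered
        return []
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:                        # SRV: priority, weight, port, target
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            records.append((prio, weight, port, decode_name(msg, off + 6)[0]))
        off += rdlen
    return records

def query_srv(name, server, timeout=2.0):
    """One UDP SRV query to `server`; needs a live network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data)

def check_dc_records(domain, server):
    """Map each required SRV name to its answers; [] means not registered."""
    return {t.format(d=domain): query_srv(t.format(d=domain), server)
            for t in DC_SRV_TEMPLATES}

# Constructed reply, not captured from a real server: one SRV answer mapping
# _ldap._tcp.dc._msdcs.w2ktest.corp to w2kserver01.w2ktest.corp:389; the
# target's suffix is a compression pointer to offset 33 inside the question.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("_ldap._tcp.dc._msdcs.w2ktest.corp") + struct.pack(">HH", 33, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 33, 1, 600, 20)
    + struct.pack(">HHH", 0, 100, 389) + b"\x0bw2kserver01\xc0\x21"
)

if __name__ == "__main__":
    print(parse_srv_response(SAMPLE_RESPONSE))
    # Live check against the first DC from the thread (lab network only):
    # print(check_dc_records("w2ktest.corp", "192.168.1.1"))
```

An empty list for a name means the DNS server the client points at does not hold that record, which is the failure both the join error and the "external server in the alternates list" problem come down to.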
RE: [ActiveDir] How do I grant user with rights to logon as a service on local machine.
In Windows you can grant and deny rights. If you deny someone the right to log on as a service and later on you grant him this right, then he'll still not have the right to log on as a service. This is what the Effective column says. Your Local Policy column probably says grant this right to the specified user, but your Effective column doesn't, because you denied him this right somewhere else.

Because there are local and global security policies it is very difficult to say what policy setting is actually going to be applied to a user. So there is the Effective column that tells you what the final setting will be. You'll have to check all your policies to find out why the right is denied. I guess your user is a member of a group to which this right is denied.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Balderman, Avishay
Sent: Tuesday, 31 July 2001 07:52
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] How do I grant user with rights to logon as a service on local machine.

When I change the logon account for a service on an Active Directory DC machine to a specific user, I get a message saying that the user was granted the right to log on as a service. I want to grant this right manually without setting the user as the logon account of a service.

If I go to the Local Computer Policy and look for the Log on as a service right, there are two columns:
1. Local Policy Setting
2. Effective Policy Setting

The effective setting is read-only and cannot be changed, but this is the right that needs to be updated. Can anybody tell me how to turn on the Effective right?

Thank you,
Avishay Balderman
RE: [ActiveDir] How do I grant user with rights to logon as a service on local machine.
If you deny someone a certain right and later on you grant him this right (i.e. via a group membership), then the denial always has precedence over the granted rights.

In your case I can't really tell what is going on (or wrong). I heard of some Microsoft tools from the resource kit or the server CD that can help you with the effective group policy, but I can't tell you more about those tools.

I just had a look at my domain policy: open the MMC with your Active Directory Users and Computers settings. Open the Group Policy for your domain. Go to Computer Settings\Windows Settings\Security\Local Policy\User Rights (these are not the real names because I had to translate them from a German Windows). There should be the right Log on as a service listed. Try to change something here if you haven't done this yet.

This is all I can tell you about it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Balderman, Avishay
Sent: Tuesday, 31 July 2001 12:43
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How do I grant user with rights to logon as a service on local machine.

Tom-The-Bomb, thank you. I checked your suggestion, but it is still not clear. For every account, the first time we add it as the logon account of a service, we get the message that it was granted the right to log on as a service. So does it mean that all users are denied this right by default? I also tested all the places I know where this right is being handled, and could not see any deny.

Avishay

-----Original Message-----
From: Tom-The-Bomb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 2:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How do I grant user with rights to logon as a service on local machine.

In Windows you can grant and deny rights. If you deny someone the right to log on as a service and later on you grant him this right, then he'll still not have the right to log on as a service. This is what the Effective column says. Your Local Policy column probably says grant this right to the specified user, but your Effective column doesn't, because you denied him this right somewhere else.

Because there are local and global security policies it is very difficult to say what policy setting is actually going to be applied to a user. So there is the Effective column that tells you what the final setting will be. You'll have to check all your policies to find out why the right is denied. I guess your user is a member of a group to which this right is denied.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Balderman, Avishay
Sent: Tuesday, 31 July 2001 07:52
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] How do I grant user with rights to logon as a service on local machine.

When I change the logon account for a service on an Active Directory DC machine to a specific user, I get a message saying that the user was granted the right to log on as a service. I want to grant this right manually without setting the user as the logon account of a service.

If I go to the Local Computer Policy and look for the Log on as a service right, there are two columns:
1. Local Policy Setting
2. Effective Policy Setting

The effective setting is read-only and cannot be changed, but this is the right that needs to be updated. Can anybody tell me how to turn on the Effective right?

Thank you,
Avishay Balderman
RE: [ActiveDir] Win2K Server install - driving me crazy !
Thanks to everyone who offered help and advice. In the end the vital piece of missing advice was: plug the network card of your 'to-be-installed' domain controller into some other network device such as a hub or another PC's network card. After I did that the installation of AD worked fine and now I have my little test environment.

Now why couldn't Microsoft put that in their step-by-step guide!!! Way to go Microsoft.

Thanks again,
Mark Abbiss