Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Matt Hargraves
I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:


Look at your default recipient policy. What's set there? Just curious.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:




On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.





We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid. 


On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:



No it wouldn't. Why are you giving an IWAM account access to a remote machine?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the Log on locally right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:



And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different. 




Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?








RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Andrew Cace



I'm not disregarding what has happened in this thread since Matt asked if he could wildcard the IWAM account name. In fact, I can't even answer that question authoritatively, but my gut feeling says that it won't work. Matt can, however, delegate the logon locally right to a group, then add the IWAM accounts to that group. This should be easier than adding every server's IWAM account to the policy. In both cases, you will still have to add any new IWAM accounts, whether it's to the policy or to the group.

-Andrew
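
An added illustration of the two points made in this thread (per-machine IWAM/IUSR accounts do not share a SID, while a group gives the policy one stable principal); this sketch is not from any poster on the list. It parses the `[Privilege Rights]` section of a GPO security template (GptTmpl.inf) and flags entries that cannot mean the same thing on every server. All SIDs, RIDs and the names `DOMAIN_SID` and `SERVER1_SID` are constructed placeholders, and the group is assumed to be a domain group.

```python
import re

# Constructed sample data: every SID below is made up for illustration.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # hypothetical domain
SERVER1_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # hypothetical Server1 local SAM

# Policy built by browsing to IWAM_SERVER1 on one box and typing another by name.
PER_SERVER_TEMPLATE = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{SERVER1_SID}-1004,IWAM_SERVER2
"""

# Policy that grants the right to one domain group (RID 1620 is a placeholder).
GROUP_TEMPLATE = f"""\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{DOMAIN_SID}-1620
"""

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def parse_privilege_rights(template):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            right, _, value = line.partition("=")
            rights[right.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def classify(principal, domain_sid):
    """Say where a principal in a user-rights entry can be resolved."""
    if not principal.startswith("*"):
        # Stored as a bare name: only resolves on a machine that has that account.
        return "name"
    sid = principal[1:]
    if not SID_RE.match(sid):
        return "invalid"
    if not sid.startswith("S-1-5-21-"):
        # e.g. S-1-5-32-544 (BUILTIN\Administrators): same value on every machine.
        return "well-known"
    prefix, _, _rid = sid.rpartition("-")
    if prefix == domain_sid:
        return "domain"
    # Issued by some other authority: one server's local SAM, or another domain.
    return "other-authority"


def audit(template, domain_sid, right="SeInteractiveLogonRight"):
    """List (principal, kind) entries that will not resolve on every member server."""
    findings = []
    for principal in parse_privilege_rights(template).get(right, []):
        kind = classify(principal, domain_sid)
        if kind in ("name", "other-authority", "invalid"):
            findings.append((principal, kind))
    return findings


if __name__ == "__main__":
    for label, tmpl in (("per-server", PER_SERVER_TEMPLATE), ("group", GROUP_TEMPLATE)):
        print(label, audit(tmpl, DOMAIN_SID))
```

The per-server template yields two findings (a SID issued by Server1's own SAM and a bare account name), while the group template yields none; membership of the group still has to be maintained as servers are added.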



RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Akomolafe, Deji



Glad I could help ;)



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the Log on locally right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:














And if you think about it they couldn't – if you have two DCs
running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be
different. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132












RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Brian Desmond








No it wouldn't. Why are you giving an IWAM account access to a
remote machine?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132










Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Brian Desmond








On W2000 running OWA on a DC this was an issue … only case I know
of. What are the issues you're having?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132










Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Akomolafe, Deji



Look at your default recipient policy. What's set there? Just curious.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Matt HargravesSent: Wed 9/13/2006 8:58 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessability issues to OWA (though they can still access their mailbox through Outlook). 
On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote: 




On W2000 running OWA on a DC this was an issue  only case I know of. What are the issues you're having?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:mailto:[EMAIL PROTECTED]] On Behalf Of Matt HargravesSent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.




We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid. 

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:



No it wouldn't. Why are you giving an IWAM account access to a remote machine?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: mailto:[EMAIL PROTECTED][mailto:mailto:[EMAIL PROTECTED]] On Behalf Of Matt HargravesSent: Wednesday, September 13, 2006 9:35 PM

To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.


Would something like IWAM_%servername% or something like that work? I really don't want to go throuh and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :) Thanks,Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:



And if you think about it they couldn't - if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine?





RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-12 Thread Darren Mar-Elia



Matt-
I don't think these accounts have well-known SIDs, so I'm
not sure that's going to help. You can easily verify using psgetsid from
Sysinternals. I checked a couple accounts here (though they were domain
accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the
best source for GPO FAQs, video training, tools and whitepapers. Also check out
the Windows Group Policy Guide, the definitive resource for Group Policy
information.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO
settings. We have a set of servers within an OU where they require the
account to have rights on the local servers, call them Server1, Server2,
Server3. We obviously don't want to create the setting for IWAM_Server1,
IWAM_Server2, etc. I believe that this account has a common SID, if I simply
do a browse for the account on one machine, will it resolve to SID and apply the
setting for all accounts, or is there another way to do this (like specifying
"Builtin\Administrator" would work for the builtin Administrator account) no
matter what the name happens to be on a local machine?


RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-12 Thread Brian Desmond








They do not have well known SIDs

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.







Matt-

I don't think these accounts have well-known SIDs, so I'm not sure
that's going to help. You can easily verify using psgetsid from
Sysinternals. I checked a couple accounts here (though they were domain
accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the
best source for GPO FAQs, video training, tools and whitepapers. Also check out
the Windows Group Policy Guide, the definitive resource for Group Policy
information.













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO
settings. We have a set of servers within an OU where they require the
account to have rights on the local servers, call them Server1, Server2,
Server3. We obviously don't want to create the setting for IWAM_Server1,
IWAM_Server2, etc. I believe that this account has a common SID, if I simply
do a browse for the account on one machine, will it resolve to SID and apply
the setting for all accounts, or is there another way to do this (like
specifying "Builtin\Administrator" would work for the builtin
Administrator account) no matter what the name happens to be on a local
machine?










RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-12 Thread Brian Desmond








And if you think about it they couldn't - if you have two DCs
running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be
different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.







Matt-

I don't think these accounts have well-known SIDs, so I'm not sure
that's going to help. You can easily verify using psgetsid from
Sysinternals. I checked a couple accounts here (though they were domain
accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the
best source for GPO FAQs, video training, tools and whitepapers. Also check out
the Windows Group Policy Guide, the definitive resource for Group Policy
information.













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO
settings. We have a set of servers within an OU where they require the
account to have rights on the local servers, call them Server1, Server2,
Server3. We obviously don't want to create the setting for IWAM_Server1,
IWAM_Server2, etc. I believe that this account has a common SID, if I simply
do a browse for the account on one machine, will it resolve to SID and apply
the setting for all accounts, or is there another way to do this (like specifying
"Builtin\Administrator" would work for the builtin Administrator
account) no matter what the name happens to be on a local machine?
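
Added example (not part of the thread and not any poster's code): a small Python classifier for the SID forms the replies above distinguish, run over constructed values of the kind a per-host psgetsid lookup prints. The host names, SIDs and RIDs in `SAMPLE` are assumptions made up for illustration.

```python
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}  # fixed RIDs under any issuer

def classify_sid(sid):
    """Return (kind, issuer, rid) for a SID string.

    builtin        - S-1-5-32-<rid>: identical on every Windows host
    well-known-rid - S-1-5-21-<issuer>-<fixed rid>: issuer differs per host
    issued         - S-1-5-21-<issuer>-<rid>: RID allocated at account creation
    """
    m = SID_RE.match(sid.strip().upper())
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2)[1:].split("-")]
    if authority == 5 and subs[0] == 32 and len(subs) == 2:
        return "builtin", "S-1-5-32", subs[1]
    if authority == 5 and subs[0] == 21 and len(subs) == 5:
        issuer = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        kind = "well-known-rid" if subs[4] in WELL_KNOWN_RIDS else "issued"
        return kind, issuer, subs[4]
    return "other", None, subs[-1]

def same_sid_everywhere(sids):
    """True only when every host reported the identical SID."""
    return len({s.strip().upper() for s in sids}) == 1

# Constructed sample values (not from the thread), keyed by account, then host.
SAMPLE = {
    "IWAM (member servers)": {"SERVER1": "S-1-5-21-1111111111-2222222222-3333333333-1004",
                              "SERVER2": "S-1-5-21-1234567890-2345678901-3456789012-1007"},
    "IWAM (two DCs, one domain)": {"DC1": "S-1-5-21-1004336348-1177238915-682003330-1105",
                                   "DC2": "S-1-5-21-1004336348-1177238915-682003330-1106"},
    "BUILTIN\\Administrators": {"SERVER1": "S-1-5-32-544",
                                "SERVER2": "S-1-5-32-544"},
}

def summarize(sample=SAMPLE):
    """Map each account to (set of SID kinds seen, same SID on all hosts?)."""
    out = {}
    for account, per_host in sample.items():
        kinds = {classify_sid(s)[0] for s in per_host.values()}
        out[account] = (kinds, same_sid_everywhere(per_host.values()))
    return out

if __name__ == "__main__":
    for account, (kinds, same) in summarize().items():
        print(account, sorted(kinds), "same SID on all hosts:", same)
```
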