RE: DirectAccess HowTo?
+1 Tom does a great job posting relevant and useful DirectAccess info there.

-Malcolm

-----Original Message-----
From: Thomas W Shinder MD [mailto:tshin...@tacteam.net]
Sent: Tuesday, March 15, 2011 07:36
To: NT System Admin Issues
Subject: RE: DirectAccess HowTo?

Also, make sure to check my Edge Man blog for a ton of tips and tricks - http://blogs.technet.com/b/tomshinder/

Like Exchange, DirectAccess isn't something you can just slap together - you have to have a basic understanding of the underlying infrastructure, otherwise you'll chase your tail looking for ghosts :) Once you understand the key infrastructure basics, everything flows pretty nicely.

Tom

-----Original Message-----
From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, March 14, 2011 11:41 AM
To: NT System Admin Issues
Subject: RE: DirectAccess HowTo?

This doc gives a good step-by-step on configuring UAG DA. It's based on a lab scenario, but the steps are relevant to a production deployment.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=71be4b7b-e0e9-4204-b2b5-ac7f3c23b16d

-Malcolm

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, March 14, 2011 09:39
To: NT System Admin Issues
Subject: DirectAccess HowTo?

Does anyone have a favorite/very easy to use set of instructions for configuring DirectAccess? I've got the product documentation, but I'm asking for something you LIKE and found easy to use. I'd rather not spend two days setting up a DA lab if I can avoid it.

Thanks.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: DirectAccess HowTo?
This doc gives a good step-by-step on configuring UAG DA. It's based on a lab scenario, but the steps are relevant to a production deployment.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=71be4b7b-e0e9-4204-b2b5-ac7f3c23b16d

-Malcolm

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, March 14, 2011 09:39
To: NT System Admin Issues
Subject: DirectAccess HowTo?

Does anyone have a favorite/very easy to use set of instructions for configuring DirectAccess? I've got the product documentation, but I'm asking for something you LIKE and found easy to use. I'd rather not spend two days setting up a DA lab if I can avoid it.

Thanks.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: DirectAccess HowTo?
Be sure you install the DirectAccess Connectivity Assistant on your client PCs. It provides some good troubleshooting logs that will help considerably if you have client connectivity failures. It also provides a visual indicator of DA connectivity in the system tray. DCA 1.5 is part of the UAG SP1 download.

http://technet.microsoft.com/en-us/library/gg313782.aspx

-Malcolm

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, March 14, 2011 09:39
To: NT System Admin Issues
Subject: DirectAccess HowTo?

Does anyone have a favorite/very easy to use set of instructions for configuring DirectAccess? I've got the product documentation, but I'm asking for something you LIKE and found easy to use. I'd rather not spend two days setting up a DA lab if I can avoid it.

Thanks.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: Hyper-V NIC utilization
1. How many NICs you use depends on the load and bandwidth requirements of your VMs. Use one NIC for managing the host and one or more for the virtual network connections (aggregated or dedicated to specific VMs).
2. I would enable static addresses for all, or at least DHCP reservations.
3. You can only have one default gateway. You have to configure the routing for the rest of the NICs with the route command line.

From: Jay Dale [mailto:jd...@unetek.com]
Sent: Friday, March 11, 2011 09:14
To: NT System Admin Issues
Subject: Hyper-V NIC utilization

Hey all,

I am setting up a new Hyper-V server for a company where I am P2V'ing 3 of their physical servers. Currently I want to just set up one virtual network, and if they add servers down the road I will add another. The physical host machine comes with 4 NIC's. My questions are these:

1. Should I utilize all 4 NIC's on one virtual network, or use only 1 or 2 of them and leave the rest disconnected?
2. I'm attaching the host to their domain, should I have all the NIC's utilize static IP's or just one static with one IP and let the rest have DHCP addresses?
3. When I attempt to configure 2 NIC's with static IP's, I get the multiple gateways message - is that a bad thing or disregard it?

Thanks for any advice you can pass on!

Jay

Jay Dale
Senior Systems Administrator
Unetek, Inc.
Mobile: 832.373.7883
Email: jd...@unetek.com
RE: Multiple Olk 2010 Signatures / Quick Parts
Not sure what you are seeing. I have 3 signatures and OL2010 lets me choose a default, but change that to any one of them when I create a new message (from ribbon option or right-clicking the default inserted signature). To me, it looks like the same functionality I saw in OL2007 and 2003.

-Malcolm

From: Sam Cayze [mailto:sca...@gmail.com]
Sent: Tuesday, February 22, 2011 14:36
To: NT System Admin Issues
Subject: Multiple Olk 2010 Signatures / Quick Parts

So, Outlook 2010 decided that you can now insert only one signature in a message, where older versions allowed more than one. (Don't get me started on how stupid I think this limitation is)

For over 10 years, my employees have about 30 signatures each that they use for inserting canned messages in an email. Now, before I upgrade to 2010, I have to find a new system.

1. Is there a way to remove the limitation created by Outlook to insert more than 1 signature?
2. Is there a method to convert html sig files to Outlook's new Quick Parts? (Where are these stored?)

Googling so far has just found multiple links where people are expressing the same frustration :(

Thanks!
Sam
RE: RE: Multiple Olk 2010 Signatures / Quick Parts
Ah, OK, I didn't understand the use case. Can't say I tried that in earlier Outlook versions. However, I did notice that, in OL2010, if the message is formatted as plain text, you are able to insert all the signatures you want. HTML and RTF messages always seem to want to rewrite the existing signature.

-Malcolm

From: Sam Cayze [mailto:sca...@gmail.com]
Sent: Wednesday, February 23, 2011 10:39
To: NT System Admin Issues
Subject: Re: RE: Multiple Olk 2010 Signatures / Quick Parts

Now try adding 2 of those signatures to an email so they both exist there at the same time.

On Feb 23, 2011 8:56 AM, Malcolm Reitz malcolm.re...@live.com wrote:

Not sure what you are seeing. I have 3 signatures and OL2010 lets me choose a default, but change that to any one of them when I create a new message (from ribbon option or right-clicking the default inserted signature). To me, it looks like the same functionality I saw in OL2007 and 2003.

-Malcolm

From: Sam Cayze [mailto:sca...@gmail.com]
Sent: Tuesday, February 22, 2011 14:36
To: NT System Admin Issues
Subject: Multiple Olk 2010 Signatures / Quick Parts

So, Outlook 2010 decided that you can now insert only one signature in a message, where older versions allowed more than one. (Don't get me started on how stupid I think this limitation is)

For over 10 years, my employees have about 30 signatures each that they use for inserting canned messages in an email. Now, before I upgrade to 2010, I have to find a new system.

1. Is there a way to remove the limitation created by Outlook to insert more than 1 signature?
2. Is there a method to convert html sig files to Outlook's new Quick Parts? (Where are these stored?)

Googling so far has just found multiple links where people are expressing the same frustration :(

Thanks!
Sam
RE: SEP Symantec Endpoint Protection
Without praising or condemning SEP, if you have a large installation, it is well worth your while to get Symantec support to assist you. There is no simple answer to your query; SEP is a complex product with a lot of configuration options and every installation environment is different. Talk to your Symantec account manager about getting their 3rd-level support involved. We eventually were forced to do this during our upgrade from SAV CE to SEP and it would have helped cut our deployment much shorter had we done this in the beginning.

-Malcolm

From: Michael Miller [mailto:burner...@gmail.com]
Sent: Friday, February 11, 2011 06:14
To: NT System Admin Issues
Subject: SEP Symantec Endpoint Protection

We are installing SEP on servers. Some are taking a short time, some are going on for a long time (1, 3, 5 hours). I am looking for someone with a similar situation. It is an upgraded install, it's on a physical box. For some it installs fast, for others it is very lengthy. For such a huge company and so many servers we can't have it taking so long. If you have any thoughts shoot them my way.

Thanks!
Miller
RE: Patch management, revisited
You are being too kind :)

That said, once up, the SCCM infrastructure is pretty solid. The continual struggle we have is with client health.

-Malcolm

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, February 04, 2011 14:40
To: NT System Admin Issues
Subject: RE: Patch management, revisited

Like I said - it can be a little finicky to install. :)

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Friday, February 04, 2011 3:32 PM
To: NT System Admin Issues
Subject: RE: Patch management, revisited

You teach SCCM classes? Good to know, because I can't even get it to install - it dies at Setup failed to install SMS provider: error which IIRC means I need to do some setspn thing.

Dave

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, February 04, 2011 10:50 AM
To: NT System Admin Issues
Subject: RE: Patch management, revisited

If you don't do third party patches, SCCM is _almost_ exactly like WSUS. It is based on the WSUS engine as a matter of fact, and you have to install WSUS on the Software Update Point. :)

Doing the SCCM installation can be a little finicky; but once you set it up - it just RUNS.

The challenge with SCCM in my eyes is that it can do SO MUCH, that unless you break it up into pieces (which is what I do when I teach classes on it), it can seem utterly overwhelming.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Friday, February 04, 2011 1:43 PM
To: NT System Admin Issues
Subject: Patch management, revisited

Ok, guys & gals,

I've sifted through the threads for the past year searching on patch management and SCCM, and not found exactly what I'm looking for...

In my new gig, the team gets to choose what we will use to handle patches and updates, as there is nothing set in stone right now. Two options have been mentioned by the team: SCCM and Big Fix. I don't know anything about Big Fix, except that they were just recently gobbled up by IBM and are now part of Tivoli. What I've heard about SCCM is that it is a bear to learn and manage.

Right now we've got between 700 and 1,000 nodes (including servers, both virtual and physical), and potentially slated for continued growth. Some of the engineers have laptops that are NOT members of AD, and they run as local Admins. That is probably NOT going to change. Also, we may or may not be looking at needing to handle 3rd party updates as well. I've run WSUS, but only for a few hundred nodes, and really only for windows OS updates and nothing else. Finally, we need decent reporting tools that can provide us with compliance reports on where we stand with patch management.

I've seen Shavlik, Kace/K-Box, WSUS, SCCM, GFI LANGuard all mentioned here...

1. Am I missing anything any products that I should be looking into?
2. Are any of these apps not well suited for the numbers of nodes I'm talking about (either over or under-powered for 700-2000 nodes)?
3. What's going to be the easiest learning curve/least administrative overhead?

Thanks,

--
Jonathan, A+, MCSA, MCSE
RE: Some thoughts for your DR Plan
James,

Glad to hear things are getting better and back to a sort-of-normal for you. Thanks for taking the time to write down and share your thoughts. I passed your note on to our DR planning team, who appreciated your insights as they say they get great value from hearing real-world experiences such as yours.

-Malcolm

From: James Hill [mailto:james.h...@superamart.com.au]
Sent: Sunday, January 30, 2011 20:06
To: NT System Admin Issues
Subject: Some thoughts for your DR Plan

We now have the majority of things restored and up and running. Below are just some initial thoughts and ideas that I wanted to share with the list. It is in no way any form of DR plan nor is it meant to indicate what we did or didn't have. It's simply my experiences from our recent DR experience written down for the benefits of others. Some or none of this may apply to you.

I certainly do not regard myself as any form of DR expert nor am I the first to have been through a real DR experience. However if I am able to provide any info that can assist others then I am more than happy to do so.

* Don't ever think it can't happen, it can.
* You do need a DR location, a live one if possible. Convince management of this!
* Build redundancy into your designs of everything. Thanks to this all our stores were able to continue to trade even though the data centre was under water.
* If you have something in your environment that isn't in your backup schedule, add it now, no matter how small it may be.
* Consider that staff with specific duties in your DR plan may not be able to assist as they are tending to their own personal issues or physical access is simply not available.
* Services you take for granted may simply be not available. There were power outages (some for weeks) and communication network outages. Phone systems quickly become overloaded in a Disaster, especially mobile/cell networks.
* Make allowance for the following in your DR location (for relocation of office staff)
  o Furniture for staff
  o Computers and comms
  o Power, can the circuits handle the extra load you will be adding to the site?
  o Bandwidth
  o Air conditioning/heating
* Have remote visibility of your data centre and its surroundings
  o A camera or two would have shown us the level of the water and we could have saved much more equipment.
* Add sensors to your data centre that shut off the power if water is detected.
* Exchange cached mode and offline files provide quick access to much critical information.
* Keep critical infrastructure/server build/networking documentation in multiple places.
  o I had a recent backup at my personal residence. It was invaluable in the early stages of our Recovery.
* Data restores
  o Do test restores regularly. Environments change all the time and maybe something hasn't been added to the backup list for that server.
  o Ensure that you can retrieve critical data quickly. Restores take time.
  o Tapes - do anything to avoid them, if you have to use them have multiple tape drives available so that restores can be conducted more quickly.
  o Have backup backup servers. Especially with the tape catalogues available. We saw cataloguing of tapes take 14 hours plus.
  o Have an offsite location authorised as a delivery point with your Offsite Tape holder.
* Check your emotions at the door. Remain calm and logical, consider others' needs. The people that are true leaders (that doesn't necessarily mean all Managers) should be running the show. Everyone else will be looking to them for guidance.
* Fire and water make fantastic servants, they are horrible masters.

James.
RE: AD Migration from 2003 to 2008
Put the Windows install files on a bootable USB flash drive. Much faster than DVD drives, too.

-Malcolm

From: Stephen Wimberly [mailto:riverside...@gmail.com]
Sent: Thursday, January 27, 2011 05:26
To: NT System Admin Issues
Subject: Re: AD Migration from 2003 to 2008

Make sure you have DVD drives! We did an in place upgrade of all our domain controllers to get the fine grained password policies; recently one of the domain controllers hosed up and the repair from the DVD would have been a very helpful utility, but without a DVD ROM in the server we were left to rebuild the server from scratch and then a restore from backup, a much longer process than it should have been.

If you're planning on using Server 2008 for file services, keep in mind that Microsoft has changed the basic default NTFS security rights over the file sharing services. Read up on that before you start messing with the defaults to force what they used to be, don't skip it because it's just file sharing.

-My 2 cents worth-
RE: Web filter?
We've used Microsoft's Windows SteadyState tool to lock down an XP desktop in kiosk mode. This has worked well to control what users can do and what web sites they can access through these kiosk machines.

In looking up a link for this, though, I notice that Microsoft has pulled the tool as of 31 December. They do claim that there are native Windows 7 tools for the same purpose; I haven't tried them.

-Malcolm

From: Eric Brouwer [mailto:ithelp.e...@gmail.com]
Sent: Monday, January 24, 2011 10:24
To: NT System Admin Issues
Subject: Web filter?

Greetings,

We're looking to deploy PCs at several locations that are to be used strictly for access to a couple of our websites. We're looking for a simple, cheap solution to block internet access to all websites, and then add in the handful of sites we'd like them to access. Anyone doing anything like this? Any recommendations?

Thank you!
Eric
RE: WAN Link compression appliances
Same here. We have a pretty far-flung and well-entrenched Riverbed implementation, though, so we haven't looked at anything else recently.

-Malcolm

From: Carol Fee [mailto:c...@massbar.org]
Sent: Monday, January 10, 2011 11:19
To: NT System Admin Issues
Subject: RE: WAN Link compression appliances

Riverbed

CFee

From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Monday, January 10, 2011 12:12 PM
To: NT System Admin Issues
Subject: WAN Link compression appliances

What's everyone using for WAN link compression devices these days? We have an office in Bangalore, currently using Expand Networks devices. They are due for an upgrade and before I pull the trigger on new Expand boxes, I'd like to see what other folks are using.

Thanks!
Jim

Jim Holmgren
Senior Manager, Infrastructure Services
XLHealth Corporation
The Warehouse at Camden Yards
351 West Camden Street, Suite 100
Baltimore, MD 21201
410.625.2200 (main)
443.524.8573 (direct)
443-506.2400 (cell)
www.xlhealth.com
RE: Imaging Computers
Look at Microsoft Deployment Toolkit 2010. It will give you a platform for creating OS and application builds that you can customize to your needs. We use MDT's big brother, SCCM 2007's Operating System Deployment, for most of our PC builds now. Note that this is much easier in Windows 7 than it is in XP, as the tool is more focused on the current OS (plus Win 7's driver model is much easier to work with).

-Malcolm

From: Chris Blair [mailto:chris_bl...@identisys.com]
Sent: Monday, January 10, 2011 14:10
To: NT System Admin Issues
Subject: Imaging Computers

Running Native 2003 R2 Active Directory, with all XP clients. I am looking to start deploying images of XP, and eventually Win7, instead of hand loading each machine. I have not done much with imaging, so any recommendations on Low Cost (read free) solutions would be great.

Thanks!
RE: Dell Server Update split ISOs (suu)
I do it infrequently enough that I just go old school with the copy /b command line.

    copy /b dell_iso.001+dell_iso.002+dell_iso.003 dell.iso

-Malcolm

From: Ben N [mailto:bennordlan...@gmail.com]
Sent: Monday, January 10, 2011 14:27
To: NT System Admin Issues
Subject: Dell Server Update split ISOs (suu)

How are all of you that use Dell taking those 3-4 split ISOs, and combining them? I tried using PowerISO, and I have mixed results. Gives me some error about end of file having a problem, but continues to extract. Except I know that every time I run suulauncher.exe when I see this error, I know it will never work. It just hangs, never shows the installation of the updates.

My searches haven't given me much luck on this, so hoping some of you maybe have a way to do this 100% of the time.
RE: WAN Link compression appliances
I like to believe we do _some_ critical thinking and don't just blindly follow Gartner's evaluations. :-) -Malcolm

From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Monday, January 10, 2011 13:16 To: NT System Admin Issues Subject: Re: WAN Link compression appliances
That's because they all subscribe to Gartner. :) Riverbed is the premier player here, of course, so I'm not implying that they're not worth it. ASB (My Bio via About.Me http://about.me/Andrew.S.Baker/bio ) Exploiting Technology for Business Advantage...

On Mon, Jan 10, 2011 at 2:09 PM, Brian Desmond br...@briandesmond.com wrote:
Riverbeds have been the de-facto solution at every large corp customer I've worked in. Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] Sent: Monday, January 10, 2011 11:12 AM To: NT System Admin Issues Subject: WAN Link compression appliances
What's everyone using for WAN link compression devices these days? We have an office in Bangalore, currently using Expand Networks devices. They are due for an upgrade and before I pull the trigger on new Expand boxes, I'd like to see what other folks are using. Thanks! Jim
Jim Holmgren Senior Manager, Infrastructure Services XLHealth Corporation The Warehouse at Camden Yards 351 West Camden Street, Suite 100 Baltimore, MD 21201 410.625.2200 (main) 443.524.8573 (direct) 443-506.2400 (cell) www.xlhealth.com
RE: Installing SC OM2007 - SQL Server question
Did you run SCOM 2007 R2 Setup on the SQL Server first (just choosing to install the database component only)? -Malcolm

From: Sean Rector [mailto:sean.rec...@vaopera.org] Sent: Tuesday, January 04, 2011 11:55 To: NT System Admin Issues Subject: Installing SC OM2007 - SQL Server question
I'm installing System Center Operations Manager 2007 R2 and I'm trying to get it to connect to my existing SQL 2008 server, but it won't create a db (it doesn't ask for login info at all). I created a db, and it says the db must be upgraded. Ideas?
Sean Rector, MCSE Information Technology Manager Virginia Opera Association E-Mail: sean.rec...@vaopera.org Phone: (757) 213-4548 (direct line)
RE: GPO for Password Policy question
Yes, it works as you describe. I've done this before by blocking inheritance of the default domain policy (easy to test without fooling with your default domain GPO), but your method is probably easier to manage. -Malcolm

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Wednesday, December 08, 2010 14:30 To: NT System Admin Issues Subject: GPO for Password Policy question
W2K3 FFL domain: Can someone let me know if this is correct: OK, so you have your default domain policy, which is linked to the domain. You have account Password policies configured there. This affects both local SAM accounts and AD accounts. If you decided for some business reason that you didn't want these password policies to apply to local SAM accounts (i.e. password complexity requirements), but only AD accounts, could you remove the password policies from the default domain GPO and apply them to the default Domain controllers GPO, which should then only affect AD accounts? Thanks
Chris Bodnar, MCSE Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003
RE: Direct acces and multiple v-lans
You actually don't need IPv6 anywhere inside your network. The DirectAccess server is doing IPv4-IPv6 translations for you. The downside of not enabling IPv6 on your servers is that the IPv4-IPv6 translation is very compute-intensive. That means that, the more translation the DA server is doing, the fewer connections it can support. So, more IPv6 support means fewer DA servers are needed. I have IPv6 turned on for just our Windows 2008 servers and a couple of 2003 servers (just to test). The vast majority of our servers are running 2003 with IPv4 and are accessible via DirectAccess. -Malcolm

From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] Sent: Tuesday, December 07, 2010 12:59 To: NT System Admin Issues Subject: Direct acces and multiple v-lans
Has anyone setup direct access with servers on multiple vlans? Do I need IPv6 on all v-lans? And what about windows server 2003? TIA Been googling all morning and not much info.
Luke L. Brumbaugh Network Engineer Butler Animal Health Supply Ph:(614) 659-1736
RE: Direct acces and multiple v-lans
Yes.

From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] Sent: Tuesday, December 07, 2010 13:43 To: NT System Admin Issues Subject: RE: Direct acces and multiple v-lans
Are you using the forefront uag server?

From: Malcolm Reitz [mailto:malcolm.re...@live.com] Sent: Tuesday, December 07, 2010 2:37 PM To: NT System Admin Issues Subject: RE: Direct acces and multiple v-lans
You actually don't need IPv6 anywhere inside your network. The DirectAccess server is doing IPv4-IPv6 translations for you. The downside of not enabling IPv6 on your servers is that the IPv4-IPv6 translation is very compute-intensive. That means that, the more translation the DA server is doing, the fewer connections it can support. So, more IPv6 support means fewer DA servers are needed. I have IPv6 turned on for just our Windows 2008 servers and a couple of 2003 servers (just to test). The vast majority of our servers are running 2003 with IPv4 and are accessible via DirectAccess. -Malcolm

From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] Sent: Tuesday, December 07, 2010 12:59 To: NT System Admin Issues Subject: Direct acces and multiple v-lans
Has anyone setup direct access with servers on multiple vlans? Do I need IPv6 on all v-lans? And what about windows server 2003? TIA Been googling all morning and not much info.
Luke L. Brumbaugh Network Engineer Butler Animal Health Supply Ph:(614) 659-1736
RE: DC logon strangeness
Do you have your AD Sites properly defined? That's what should be controlling where your PCs authenticate. I don't understand why you are blocking access to remote DCs; this has the potential to cause problems and I'm not sure I see any benefit. -Malcolm

-Original Message-
From: Laurence [mailto:laurence.chi...@jalapeno-bs.co.uk] Sent: Thursday, December 02, 2010 04:00 To: NT System Admin Issues Subject: DC logon strangeness
An odd one here. I have a client who has 25 sites across the UK plus head office. Each site has a Domain Controller (DC) to reduce auth traffic etc. over WAN links. At each site firewall rules are set so that only the DCs can communicate with the DCs at head office for replication, forcing the local clients to log on to local DC. All DCs are Windows Server 2003; clients are mostly Windows XP Pro with a few Windows 7 machines. We have 2 issues:
1) The tech support team, who have unfettered access across WAN links, often authenticate with DCs at the remote sites, causing slow logons etc.
2) When laptop users from the remote offices come to head office and plug in, they take an age to log on.
Now I'm sure that this will be something to do with domain controller caching on the client machines. Is there any way that I can force these client machines to look for a domain controller every time that they are started? This should hook them in to the local DC wherever they are. Thanks, Laurence
RE: Editing Office Files from Outlook
I'm with Carl - you have to save the email message after editing the attachment. -Malcolm

From: Carl Houseman [mailto:c.house...@gmail.com] Sent: Thursday, December 02, 2010 16:41 To: NT System Admin Issues Subject: RE: Editing Office Files from Outlook
It's always worked for me. Of course it's confusing for users, sometimes a message close will prompt to save changes when no changes were apparently made such as viewing a PDF attachment. I get that all the time. Carl

From: Roger Wright [mailto:rhw...@gmail.com] Sent: Thursday, December 02, 2010 5:12 PM To: NT System Admin Issues Subject: Re: Editing Office Files from Outlook
But will that work consistently? Roger Wright
Life isn't like a box of chocolates. It's more like a jar of jalapenos: what you do today might burn your butt tomorrow.

On Thu, Dec 2, 2010 at 5:08 PM, Carl Houseman c.house...@gmail.com wrote:
After saving with Word/Excel, one must also close and save changes to the mail message from which the attachment sprang. Carl

From: Roger Wright [mailto:rhw...@gmail.com] Sent: Thursday, December 02, 2010 4:03 PM To: NT System Admin Issues Subject: Editing Office Files from Outlook
I occasionally have users who receive Word or Excel attachments, open them, make edits, and save, only to discover all their changes are lost when they reopen the attachment. The problem is, sometimes opening and editing within Outlook sometimes works, but most often, not. I've explained several times that the best way to avoid this is to first save the attachment elsewhere and THEN open it for editing. Why is it that sometimes they're able to make the edits without difficulty and others, all changes are lost? Is it that when it does work it's only due to an anomaly and is an unsupported feature? Roger Wright
RE: DC logon strangeness
Where is DNS coming from? What exactly do you have the firewalls blocking between the clients and the remote DCs? -Malcolm

-Original Message-
From: Laurence [mailto:laurence.chi...@jalapeno-bs.co.uk] Sent: Thursday, December 02, 2010 10:29 To: NT System Admin Issues Subject: RE: DC logon strangeness
Hi Malcolm
Sites are all configured correctly, replication schedules all set etc. Laurence
RE: BGINFO
Confusingly enough, in some versions the switch is /accepteula -Malcolm

-Original Message-
From: Kevin W [mailto:ke...@latenightgeek.com] Sent: Saturday, November 27, 2010 19:05 To: NT System Admin Issues Subject: Re: BGINFO
It's also an argument to the executable. /nolicprompt It's not on the download page for some reason but it's in the "Command line options..." screen under the BGinfo help menu.

On 11/27/2010 1:10 AM, Gavin Wilby wrote:
Ignore that - it's a reg key: HKEY_CURRENT_USER\Software\Sysinternals\BGInfo\eulaAccepted

On Sat, Nov 27, 2010 at 9:06 AM, Gavin Wilby gavin.wi...@gmail.com wrote:
Hi, I really love this little app, and have started to deploy it to desktops - it makes life a whole lot easier. One question, on first run (like all sysinternal apps) it requires for the end user to accept the license conditions. Bearing in mind I do accept them, what gets modified to tell the program you have done so? I'd like it to be silent for the end users if at all possible.
RE: Workstation names and who it belongs to
We use an asset management and tracking tool to show the assignment of PCs to users. The PC names don't have any relationship to the user. Putting user information in the PC names doesn't scale well, as you note. -Malcolm

From: David Lum [mailto:david@nwea.org] Sent: Monday, November 15, 2010 10:53 To: NT System Admin Issues Subject: Workstation names and who it belongs to
How do you guys handle matching users to machines? We currently have a PC naming standard of firstinitiallastname-model but this obviously doesn't scale. One possibility is putting the user name in the description field in AD (I do this for %sidejob%), but I was wondering if there was a better way to automatically get a machine -user lookup. How do you guys handle it?
David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Screensaver Wallpaper Policies/Options?
Technically, setting the screensaver and background via GPO is trivial. The issue you'll have is with updating or changing them. We have a company background with a calendar printed on it, so it changes every month. We use a mandatory, hidden SCCM advertisement to update the background image (it copies a new BMP to a fixed filename on the PC so we don't have to update the background GPO). If you have a software delivery system, you can do that with both the background and screensaver. Updating those files via logon script or GPO won't be reliable and timely. I wouldn't get too creative with this. After all, if the screensaver is visible (and to a lesser extent, the background), the computer isn't being used so no one is really looking at the screen. -Malcolm

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] Sent: Wednesday, November 10, 2010 12:04 To: NT System Admin Issues Subject: RE: Screensaver Wallpaper Policies/Options?
I can't say I think it's a fantastic idea, however, you go into a bank or somewhere similar and the wallpaper and screensaver is whatever the corporation sets it to be. It's their property and once you get past the I don't like it, I'm not sure I see the problem or the comeback personally.

From: Gary Slinger [mailto:gary.slin...@gmail.com] Sent: 10 November 2010 17:49 To: NT System Admin Issues Subject: Re: Screensaver Wallpaper Policies/Options?
My (English) company tried this years ago. I told them the moment they did it, I'd file a health safety suit. It's one thing to say you will /not/ display the following... but it's absolutely ridiculous to dictate a desktop setup to folks that spend the day in front of the system (i.e. for kiosks it would be different).

From: Paul Hutchings paul.hutchi...@mira.co.uk Date: Wed, 10 Nov 2010 17:34:35 - To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com ReplyTo: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Subject: Screensaver Wallpaper Policies/Options?
At long last we may be going to bring in company wallpaper and screensavers. I'm aware you can do this via GPO but I've not had cause to do more than the basics so far. One thing that's been mentioned is being able to display news/events info as part of either the wallpaper or screensaver. So I'd be looking for an IT solution that once set, would allow another area of the business to either dump some pictures somewhere, or put some web pages somewhere, and those become that day/week's wallpapers and screensaver. Of course there are issues such as controlling who can access the repositories, but focussing purely on how would we do this?, does anyone do anything similar right now, and if so how please? Thanks, Paul
MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96
RE: Screensaver Wallpaper Policies/Options?
We just apply the screensaver/background GPOs to our workstations OU; the servers get different policies which simply run the blank screensaver. I learned to be very careful with server screensavers in the NT 4.0 days when everyone wanted to run that cool 3-D Pipes screensaver and then wondered why the servers ran so slowly... -Malcolm

From: Steven Peck [mailto:sep...@gmail.com] Sent: Wednesday, November 10, 2010 14:59 To: NT System Admin Issues Subject: Re: Screensaver Wallpaper Policies/Options?
Point out to management that if your power settings don't turn off your monitors in a very short time frame, then your systems suck up power which sucks down money. Also, if I recall, such a GPO would affect everything which means any virtualized systems will now be trying to run a screen saver as well.

On Wed, Nov 10, 2010 at 12:25 PM, Don Guyer don.gu...@prufoxroach.com wrote:
As long as the location and image name stays the same, it will.
Don Guyer Systems Engineer - Information Services Prudential, Fox Roach/Trident Group 431 W. Lancaster Avenue Devon, PA 19333 Direct: (610) 993-3299 Fax: (610) 650-5306 don.gu...@prufoxroach.com

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] Sent: Wednesday, November 10, 2010 3:09 PM To: NT System Admin Issues Subject: RE: Screensaver Wallpaper Policies/Options?
Malcolm, personally I agree with not getting too creative, but equally it's good to know the options. I'll try some things when I'm back in the office (no access to GPO stuff right now) but I'm hoping that if you point wallpaper to \\server\share\wallpaper.jpg (for example) that if someone updates wallpaper.jpg, at some point (when the GPO refreshes?) Windows has the sense to re-read the JPG and reload the replaced image?
RE: Terminal Server or VPN?
I would never, ever, allow non-company-managed PCs to connect to our VPN. As you think, that's just asking for all kinds of trouble. Since most of your home users won't have MS Office on their home PCs, they'll get more done if you give them TS access to your standard corporate suite of applications. I'm not sure how you could give the users RDP to their actual desktop PCs if the PCs are in a moving van headed to your new offices. -Malcolm

From: David Lum [mailto:david@nwea.org] Sent: Wednesday, November 10, 2010 15:17 To: NT System Admin Issues Subject: Terminal Server or VPN?
In a few weeks (Dec 17th) we'll be having a massive work from home day (200-ish users, because we're moving our office to a different city) and we have the option of standing up some Terminal Servers or just running with VPN. Most users are expected to just want MS Office apps and Internet Explorer. Several (a couple dozen) will also want RDP access to their desktops. We have 3 TS servers now (1 2K8, 2 W2K3) but have the capability to stand up more 2008 TS servers. I have no experience setting up TS farms or getting them available for ability to his via Internet, although both of these appear to be pretty straightforward. I am also under the impression that TS via Internet uses less bandwidth than a straight-up VPN connection. VPN is already established but we'll certainly have many users using their home PC that don't currently have VPN configured and would much rather have them connect via Terminal Server than install, configure and then connect an unknown system - from a security/patched/AV standpoint - to VPN. I think it's kind of six of one half dozen of another as far as overall effort, but I REALLY don't want unmanaged home PC's connecting via VPN.
David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: User last login info
You need to get PowerShell v2 for your 2003/2008 boxes. Load the AD cmdlets and you'll be good to go. http://technet.microsoft.com/en-us/magazine/ee914610.aspx -Malcolm

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] Sent: Tuesday, November 02, 2010 13:23 To: NT System Admin Issues Subject: User last login info
I have a Server 2003 DC, and a Server 2008 DC (not R2) I've found some Powershell stuff that uses the AD module, but all I can find references R2. Is there a way to get that module for 2008, not R2? Or is there another way of getting the info I'm looking for easily? What I'm trying to find is the last login time for a user, to find out if the account is needed anymore. Doing it one-by-one would be fine, as that's how I'm doing the first step of this process. I am a Powershell noob, but very willing, and desiring to learn more. Thanks.
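An added example, not part of the original thread: one way to answer the "is this account still needed" question once the AD cmdlets are loaded. The lastLogon attribute is kept per domain controller and never replicated, while lastLogonTimestamp is replicated but only refreshed at intervals of days, so the sketch asks every DC and keeps the newest value. The names Get-UserLastLogon and Convert-FileTime, the 90-day default and the sample account name are assumptions made here, and it assumes every DC answers ActiveDirectory module queries.

```powershell
# Added example, not from the thread. Function names, the 90-day default and
# the sample account name are chosen here for illustration only.
Import-Module ActiveDirectory

function Convert-FileTime {
    param($Value)
    # AD stores logon times as Windows FILETIME; 0 or empty means "never".
    if ($null -eq $Value -or [long]$Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc([long]$Value)
}

function Get-UserLastLogon {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [int]$StaleDays = 90
    )

    $newest = $null        # newest per-DC lastLogon seen so far
    $newestDc = $null      # DC that reported it
    $replicated = $null    # lastLogonTimestamp (same on every DC once replicated)
    $unreachable = @()     # DCs we could not query; result is incomplete if any

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        }
        catch {
            # A missing account is a caller error, not a DC problem: stop here.
            if ($_.Exception.GetType().Name -eq 'ADIdentityNotFoundException') { throw }
            $unreachable += $dc.HostName
            continue
        }

        $local = Convert-FileTime $user.lastLogon
        if ($null -ne $local -and ($null -eq $newest -or $local -gt $newest)) {
            $newest = $local
            $newestDc = $dc.HostName
        }

        $stamp = Convert-FileTime $user.lastLogonTimestamp
        if ($null -ne $stamp -and ($null -eq $replicated -or $stamp -gt $replicated)) {
            $replicated = $stamp
        }
    }

    # Use whichever source is newer; either can be empty for a never-used account.
    $effective = $newest
    if ($null -ne $replicated -and ($null -eq $effective -or $replicated -gt $effective)) {
        $effective = $replicated
    }

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    $stale = ($null -eq $effective) -or ($effective -lt $cutoff)

    # New-Object keeps this usable on PowerShell v2.
    New-Object PSObject -Property @{
        SamAccountName     = $SamAccountName
        LastLogonUtc       = $effective
        NewestDc           = $newestDc
        ReplicatedStampUtc = $replicated
        UnreachableDcs     = $unreachable
        Complete           = ($unreachable.Count -eq 0)
        Stale              = $stale
    }
}

# Example call (constructed account name):
#   Get-UserLastLogon -SamAccountName 'jdoe' -StaleDays 90
```

Treat a result with Complete set to False as inconclusive before disabling an account, since the newest logon may sit on a DC that did not answer.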
RE: Office Printers
We have our Xerox WorkCentre machines fixed to only scan to email, not file shares. Users have to log in to the Xerox via their AD account and the machine automatically addresses the email to their mailbox. It is a bit of a pain to log in with the Xerox keyboards (the newer models are better), but it is a lot easier to manage than scan to shared folders and it meets our security needs better.

-Malcolm

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Tuesday, October 26, 2010 08:15
To: NT System Admin Issues
Subject: RE: Office Printers

Kyocera can work around this. They integrate with AD by using a specific user to scan. What you could do is create a scanner user that has access to all the network shares and then give each user/department their own share under that and limit permissions to the appropriate person/department for that folder and to the scanner user.

-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Monday, October 25, 2010 10:28 PM
To: NT System Admin Issues
Subject: RE: Office Printers

I don't get it. What's the issue?

Because they scan sensitive/private stuff and unless it works like it used to with the old office scan app where they save it to their desktop, they won't want it in a publicly accessible folder. As per my other thread about perms, I haven't crafted a way around this.

jlc
RE: VMWare vs Hyper-V
1) Hyper-V is Windows - whatever drivers you need to run Windows on that hardware is what you need for Hyper-V; no different than any other Windows implementation. If you have a major name server, you'll have the drivers you need from the vendor.

2) I can't speak to paid support from non-EA Microsoft customers, but there's a large and growing amount of Hyper-V knowledge available in the community.

-Malcolm

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Tuesday, October 26, 2010 09:24
To: NT System Admin Issues
Subject: re: VMWare vs Hyper-V

Personally I'd go with vsphere and look at one of the Essentials bundles as that will give you cluster capability as well as central control from vCenter. I don't have anything against Hyper-V as I've never actually used it, but my reservations and reasons for not doing so are two-fold:

1) Hardware compatibility - with vsphere you have a HCL and if it's on that, vmware will supply everything, you just download and insert the media when necessary. With Hyper-V the hardware may be supported but you may still have to go download drivers from Broadcom or whoever before you have a working Hyper-V server.

2) Support - with vsphere you can pay vmware for support, or you can use their forums for free. With Hyper-V unless you have some sort of enterprise agreement my understanding (and it is just an understanding, I could be dead wrong) is that you can't purchase support cheaply just on Hyper-V.
RE: VMWare vs Hyper-V
I get what you are saying, but I'm not really seeing that as an issue, though. Downloading the VMware ISO with the drivers isn't much different than downloading the Dell PowerEdge driver package for Windows.

-Malcolm

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Tuesday, October 26, 2010 10:52
To: NT System Admin Issues
Subject: RE: VMWare vs Hyper-V

That's exactly my point though, you can end up so dependent upon the right combination of third party drivers on the box running hyper-v vs. download vsphere ISO, put in drive, boot, install, done.

-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: 26 October 2010 16:30
To: NT System Admin Issues
Subject: RE: VMWare vs Hyper-V

1) Hyper-V is Windows - whatever drivers you need to run Windows on that hardware is what you need for Hyper-V; no different than any other Windows implementation. If you have a major name server, you'll have the drivers you need from the vendor.

2) I can't speak to paid support from non-EA Microsoft customers, but there's a large and growing amount of Hyper-V knowledge available in the community.

-Malcolm

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Tuesday, October 26, 2010 09:24
To: NT System Admin Issues
Subject: re: VMWare vs Hyper-V

Personally I'd go with vsphere and look at one of the Essentials bundles as that will give you cluster capability as well as central control from vCenter. I don't have anything against Hyper-V as I've never actually used it, but my reservations and reasons for not doing so are two-fold:

1) Hardware compatibility - with vsphere you have a HCL and if it's on that, vmware will supply everything, you just download and insert the media when necessary. With Hyper-V the hardware may be supported but you may still have to go download drivers from Broadcom or whoever before you have a working Hyper-V server.

2) Support - with vsphere you can pay vmware for support, or you can use their forums for free. With Hyper-V unless you have some sort of enterprise agreement my understanding (and it is just an understanding, I could be dead wrong) is that you can't purchase support cheaply just on Hyper-V.
RE: VMWare vs Hyper-V
I'm fully agreed on your last point - use what meets your business needs. Being a fanboy - one way or the other - doesn't really benefit you or your company.

-Malcolm

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Tuesday, October 26, 2010 11:09
To: NT System Admin Issues
Subject: RE: VMWare vs Hyper-V

Fair point too, I just know the hassle we had with one Windows server which would semi-freeze where we were pretty sure the culprit was either EMC Powerpath or the Broadcom NIC teaming drivers but (admittedly perhaps due to lack of time/skill on my part), I would have killed for a install this lot and you know all the versions will play nice together ISO image - in the end we actually gave up on it and stuck it in a VM. Personally I see it as just use what fits your situation best, but to me the two reasons I listed were important.

-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: 26 October 2010 17:03
To: NT System Admin Issues
Subject: RE: VMWare vs Hyper-V

I get what you are saying, but I'm not really seeing that as an issue, though. Downloading the VMware ISO with the drivers isn't much different than downloading the Dell PowerEdge driver package for Windows.

-Malcolm

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Tuesday, October 26, 2010 10:52
To: NT System Admin Issues
Subject: RE: VMWare vs Hyper-V

That's exactly my point though, you can end up so dependent upon the right combination of third party drivers on the box running hyper-v vs. download vsphere ISO, put in drive, boot, install, done.

-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: 26 October 2010 16:30
To: NT System Admin Issues
Subject: RE: VMWare vs Hyper-V

1) Hyper-V is Windows - whatever drivers you need to run Windows on that hardware is what you need for Hyper-V; no different than any other Windows implementation. If you have a major name server, you'll have the drivers you need from the vendor.

2) I can't speak to paid support from non-EA Microsoft customers, but there's a large and growing amount of Hyper-V knowledge available in the community.

-Malcolm

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Tuesday, October 26, 2010 09:24
To: NT System Admin Issues
Subject: re: VMWare vs Hyper-V

Personally I'd go with vsphere and look at one of the Essentials bundles as that will give you cluster capability as well as central control from vCenter. I don't have anything against Hyper-V as I've never actually used it, but my reservations and reasons for not doing so are two-fold:

1) Hardware compatibility - with vsphere you have a HCL and if it's on that, vmware will supply everything, you just download and insert the media when necessary. With Hyper-V the hardware may be supported but you may still have to go download drivers from Broadcom or whoever before you have a working Hyper-V server.

2) Support - with vsphere you can pay vmware for support, or you can use their forums for free. With Hyper-V unless you have some sort of enterprise agreement my understanding (and it is just an understanding, I could be dead wrong) is that you can't purchase support cheaply just on Hyper-V.
RE: KMS Insanity
The issue is probably the KMS host key you have installed. Did you use a Group A/B/C key? Run cscript slmgr.vbs -dlv on the KMS host itself (not a client). The description line should have a _A, _B or _C somewhere near the end. If it just says KMS, then you need to change the key. https://technet.microsoft.com/en-us/library/ee939271.aspx

-Malcolm

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, October 26, 2010 13:34
To: NT System Admin Issues
Subject: KMS Insanity

So I put up a Win 7 box as my KMS host a few weeks back and added the Office 2010 update and it is happily activating Win7 clients and Office 2010 clients. So on to phase two which is upgrading some servers to 2008 R2. I was under the impression the Win 7 KMS host would activate the R2 servers without me doing anything to the Win 7 KMS host. I get:

c:\Windows\System32>cscript slmgr.vbs -ato
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Activating Windows Server(R), ServerStandard edition (munged) ...
Error: 0xC004F074 The Software Licensing Service reported that the computer could not be activated. The Key Management Service (KMS) is unavailable

Google points towards an older problem with 2008 release one servers not having the update for KMS, I can't find anything related to activating 2008 R2 with Win 7.
RE: WSUS and non public patches
Look for System Center Updates Publisher. http://technet.microsoft.com/en-us/systemcenter/bb741049.aspx

-Malcolm

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, October 25, 2010 16:47
To: NT System Admin Issues
Subject: RE: WSUS and non public patches

Not finding anything on Bing or Google. Do you happen to have a link handy? Or does this require Essentials?

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Monday, October 25, 2010 4:35 PM
To: NT System Admin Issues
Subject: RE: WSUS and non public patches

I believe the System Center Update Packager (SCUP) is available as a free out of band download now. This thing lets you plug stuff in to WSUS.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Monday, October 25, 2010 2:41 PM
To: NT System Admin Issues
Subject: WSUS and non public patches

Possible to add in hotfixes you manually download from MS? I have a few I need to apply across the board.

Thanks!
jlc
RE: Update servers in DMZ
We do all of our updates through SCCM, though I imagine your question implies you need a non-SCCM-based solution.

-Malcolm

From: Erik Fog-Morrissette [mailto:e...@systek.dk]
Sent: Monday, October 18, 2010 13:28
To: NT System Admin Issues
Subject: Update servers in DMZ

Hello

How do you update servers in your DMZ? Download on a different server, copy updates on a stick and install from there?

Regards
Erik
RE: KMS Best Practices
Check the 1st paragraph under “KMS Activation Thresholds”. http://technet.microsoft.com/en-us/library/ff793434.aspx

-Malcolm

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, October 14, 2010 07:46
To: NT System Admin Issues
Subject: RE: KMS Best Practices

I'm not sure this is accurate. It's my understanding that the threshold of (5) still requires physical servers, and does not include virtual machines. If you can point out a MS reference that states otherwise, I'd love to see it. This is a pain for our lab environments that we set up, which primarily run all virtual machines on ESX clusters. Typically we don't have 5 physical Windows hosts in those environments, so the KMS activation issue and a threshold of (5) is always a problem.

Thanks

Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

From: Malcolm Reitz malcolm.re...@live.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 10/13/2010 07:41 PM
Subject: RE: KMS Best Practices

MS made some changes with the last update to KMS. The activation threshold for Server 2008/2008R2 has been moved down to 5 while remaining at 25 for other clients. Virtual machines now count towards the threshold, too. That said, with only 6 servers, Brian is correct in that MAK is the way to go for them. Are you going to have enough workstations to make this worthwhile? I’d put the KMS on a server that will be around longest.

-Malcolm

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Wednesday, October 13, 2010 18:27
To: NT System Admin Issues
Subject: RE: KMS Best Practices

You’ll want to MAK the servers. You need 25 machines of a specific type (e.g. mapped to a specific KMS key) before the KMS activates against MS.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132

From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Wednesday, October 13, 2010 7:17 PM
To: NT System Admin Issues
Subject: KMS Best Practices

Getting ready to roll out a bunch of new stuff at a shop as they now have their OVS keys. I am reading up on setting up a KMS and as trivial as this appears, are there any concerns by people who have set these up that might not be outlined in TechNet? At the place in question, they have ~6 servers and only two would likely be around permanently, the DC and Exchange server. Make sense to install those with a KMS key?

Thanks!
jlc
RE: KMS Best Practices
MS made some changes with the last update to KMS. The activation threshold for Server 2008/2008R2 has been moved down to 5 while remaining at 25 for other clients. Virtual machines now count towards the threshold, too. That said, with only 6 servers, Brian is correct in that MAK is the way to go for them. Are you going to have enough workstations to make this worthwhile? I'd put the KMS on a server that will be around longest.

-Malcolm

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Wednesday, October 13, 2010 18:27
To: NT System Admin Issues
Subject: RE: KMS Best Practices

You'll want to MAK the servers. You need 25 machines of a specific type (e.g. mapped to a specific KMS key) before the KMS activates against MS.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Wednesday, October 13, 2010 7:17 PM
To: NT System Admin Issues
Subject: KMS Best Practices

Getting ready to roll out a bunch of new stuff at a shop as they now have their OVS keys. I am reading up on setting up a KMS and as trivial as this appears, are there any concerns by people who have set these up that might not be outlined in TechNet? At the place in question, they have ~6 servers and only two would likely be around permanently, the DC and Exchange server. Make sense to install those with a KMS key?

Thanks!
jlc
RE: KMS Best Practices
Didn't think about Office 2010 - the activation threshold there is 5.

-Malcolm

From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Wednesday, October 13, 2010 18:39
To: NT System Admin Issues
Subject: RE: KMS Best Practices

Ah, misunderstood that part in TechNet. They did subscribe to Office Pro Plus and the machines get re-imaged more often than not if problems arise as it's faster and easier for me :) Installing a server with a KMS key and adding the Office 2010 KMS Host License Pack would work here (While all the other servers use MAK's) I presume?

Thanks Brian!
jlc

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Wednesday, October 13, 2010 5:27 PM
To: NT System Admin Issues
Subject: RE: KMS Best Practices

You'll want to MAK the servers. You need 25 machines of a specific type (e.g. mapped to a specific KMS key) before the KMS activates against MS.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Wednesday, October 13, 2010 7:17 PM
To: NT System Admin Issues
Subject: KMS Best Practices

Getting ready to roll out a bunch of new stuff at a shop as they now have their OVS keys. I am reading up on setting up a KMS and as trivial as this appears, are there any concerns by people who have set these up that might not be outlined in TechNet? At the place in question, they have ~6 servers and only two would likely be around permanently, the DC and Exchange server. Make sense to install those with a KMS key?

Thanks!
jlc
RE: iPhone and Exchange 2003
It is fairly simple and the iPhone/iPad devices actually work pretty well with Exchange. Here are a few links I found useful:

http://www.expta.com/2010/02/how-to-securely-deploy-iphones-with.html
http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-policies-what-really-works
http://refraction.co.uk/blog/2010/07/19/android-and-iphone-exchange-activesync-policies/

-Malcolm

From: Mark Robinson [mailto:mark.robin...@cips.org]
Sent: Tuesday, October 12, 2010 03:14
To: NT System Admin Issues
Subject: iPhone and Exchange 2003

Hello all,

I've been tasked with synchronizing our Microsoft Exchange with Apple mobile devices. I imagine that this has already been a hot topic on this forum in recent times so forgive me if I'm covering old ground, but has anyone attempted this in a corporate environment before, and if so please are you able to tell me of any potential pitfalls that I should be aware of?

Many thanks,
Mark
RE: Most manageable and useable corporate smartphone?
That's why the iPhone is more secure than most - try pulling the battery on one of those :-) We're a Blackberry shop now, but I'm keeping an open mind as I'm not too happy with RIM selling out their encryption and security to India/UAE/etc. Maybe Microsoft can figure out how to make a decent, usable and manageable phone. Apple is trying to get a clue, but they aren't close yet. The other smartphones are too dependent upon manufacturer and carrier to standardize on.

-Malcolm

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, October 12, 2010 12:51
To: NT System Admin Issues
Subject: RE: Most manageable and useable corporate smartphone?

Honestly, with the lack of security controls available for the smart phones:

Remote Wipe (not forensically sound) (can be defeated by just pulling the battery)
Encrypt the device (you are still storing the keys local to device) (will take time, but keys can be recovered and there goes the data again)
And the other issues with the mobile technology (Information Disclosure, Mobile Malware, Spyware) etc etc.

Businesses are walking a very slippery slope with using these technologies to conduct business, but it's a risk they are willing to accept to keep their work-force connected and mobile. Think about the fun you can have with a well meaning Trojan application in which I believe either Chase or BOA was touting that can take a picture of your checks and deposit them in your account. (Plant the malware, steal the routing numbers on the check, and or credentials when they use that silly mobile phone to access their bank-accounts) and it's game over. And the new IPAD/IPOD craze is going to raise the risk-bar even higher, and the proverbial game of Russian roulette keeps going on and on.

I have been told and seen new initiatives (basically) bring your own mobile device to work and put it on the network (mostly the Apple products) and the organization sponsoring this non-sense don't have a clue how to secure, or support this, but the business initiatives over-ride good common sense and sooner than later the company data will be in the wrong hand, and everyone will be pointing the finger at each other saying NOT MY FAULT.. Too bad we all subscribed to the insanity, therefore all are partly responsible when the worst does and will happen. Food for thought, tread lightly...

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

-----Original Message-----
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, October 12, 2010 1:32 PM
To: NT System Admin Issues
Subject: RE: Most manageable and useable corporate smartphone?

Yeah but it's entirely dependent on the phone enforcing them. Windows Mobile devices do but all the third party ones are a total crapshoot.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Tuesday, October 12, 2010 11:29 AM
To: NT System Admin Issues
Subject: RE: Most manageable and useable corporate smartphone?

Exchange 2010 gives some pretty good controls for you on your phones.

Brian Desmond br...@briandesmond.com 10/12/2010 8:48 AM

The BlackBerry devices are going to give you the most control via a BES server. They're also going to be the most expensive when it's all added up. You can apply fairly granular controls over native Windows Mobile devices with Exchange but still not nearly to the level as BES provides.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Tuesday, October 12, 2010 9:56 AM
To: NT System Admin Issues
Subject: Most manageable and useable corporate smartphone?

I'm asking both lists as I guess Exchange compatibility is just as important as general management. So, which smartphones would you choose assuming things like mobile network coverage weren't an issue. I've no direct experience of Blackberry, I have (sadly!) too much Nokia experience, and iPhones seem to more or less just work with Exchange but as with Nokia's I'm not aware of any way I as an IT person can sit at my desk, specify an action/policy or something that should apply to all our phones and hit a big button that says make it so - I believe Blackberry can do this? I'm not really asking for a breakdown of everything each does as I can get that from the respective websites, but I think you know where I'm coming at this from once you have a few dozen devices. Thanks. MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You
Set password that doesn't meet complexity policy
I have some special requirements for AD accounts which will need passwords that don't meet our domain's password complexity policy. Is there any good way to create these accounts and with the desired passwords without going through a disable complexity, create account/pw, re-enable complexity procedure? Thanks, -Malcolm
RE: Set password that doesn't meet complexity policy
That's what I thought. I'm pushing our move to 2008, but it's a long road - lots of older hardware that needs to be replaced.

-Malcolm

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, October 04, 2010 12:06
To: NT System Admin Issues
Subject: RE: Set password that doesn't meet complexity policy

Server 2008 and above - yes

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Note: there are loads of utilities around (specifically, check out joeware.net) to make this easier to do.

Below that - no.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, October 04, 2010 12:44 PM
To: NT System Admin Issues
Subject: Set password that doesn't meet complexity policy

I have some special requirements for AD accounts which will need passwords that don't meet our domain's password complexity policy. Is there any good way to create these accounts and with the desired passwords without going through a disable complexity, create account/pw, re-enable complexity procedure?

Thanks,
-Malcolm
RE: Set password that doesn't meet complexity policy
I'm virtualizing what I can, but I've got stuff spread far outside my data centers. I am starting to put some of the remote sites on 2008 R2 Hyper-V clusters, and I think that is going to work out pretty well.

-Malcolm

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Monday, October 04, 2010 18:54
To: NT System Admin Issues
Subject: Re: Set password that doesn't meet complexity policy

Virtualize what you can in 2008. It has its quirks but it seemed to me to be better than 2003. I have not done any testing on 2008 R2 or 2003 R2.

Jon

On Mon, Oct 4, 2010 at 2:54 PM, Malcolm Reitz malcolm.re...@live.com wrote:

That's what I thought. I'm pushing our move to 2008, but it's a long road - lots of older hardware that needs to be replaced.

-Malcolm

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, October 04, 2010 12:06
To: NT System Admin Issues
Subject: RE: Set password that doesn't meet complexity policy

Server 2008 and above - yes

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Note: there are loads of utilities around (specifically, check out joeware.net http://joeware.net/ ) to make this easier to do.

Below that - no.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com http://theessentialexchange.com/

From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, October 04, 2010 12:44 PM
To: NT System Admin Issues
Subject: Set password that doesn't meet complexity policy

I have some special requirements for AD accounts which will need passwords that don't meet our domain's password complexity policy. Is there any good way to create these accounts and with the desired passwords without going through a disable complexity, create account/pw, re-enable complexity procedure?

Thanks,
-Malcolm
RE: Outbound Email Checking
Are you running your Proofpoint server(s) in a VM or on an appliance? We're in the process of moving ours to a virtual environment and have had to make some adaptations to the recommended VM configuration to address performance issues.

-Malcolm

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Friday, October 01, 2010 16:20
To: NT System Admin Issues
Subject: Re: Outbound Email Checking

ProofPoint here. A lot happier with their latest version.

- Sean

On Fri, Oct 1, 2010 at 11:54 AM, David Mazzaccaro david.mazzacc...@hudsonmobility.com wrote:

We use MessageLabs here

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, October 01, 2010 3:43 PM
To: NT System Admin Issues
Subject: RE: Outbound Email Checking

You can do pretty much any outbound scanning that you want with Exchange Transport Rules.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com http://theessentialexchange.com/

From: Level Five - List [mailto:li...@levelfive.us]
Sent: Friday, October 01, 2010 3:37 PM
To: NT System Admin Issues
Subject: Outbound Email Checking

I have a client who has been tasked with outbound mail scanning for content. I was looking at GFI Mail Security, I'm pretty sure their older version used to have something where you could stop outbound mail if it had keywords and that mail would get forwarded to their 'manager' who could then approve it to continue. It looks like their latest version is more set on inbound scanning with multi a/v engines etc, so I'm back to the drawing board on finding if there is something out there. The client is e2k7sp2.

Thx
RE: Tower Climbing
No, no, no - 1786 times no - I could not do that. Free-climbing to the top of that tiny pole? I've climbed sailboat masts and that took all I could manage. I love the way the announcer says this is the tricky part when the guy is about 1770 feet up already.

-Malcolm

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Wednesday, September 29, 2010 17:09
To: NT System Admin Issues
Subject: RE: Tower Climbing

That makes my hands sweaty.

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Wednesday, September 29, 2010 4:02 PM
To: NT System Admin Issues
Subject: Tower Climbing

We have a pair of 70' towers that we have our wireless bridges mounted on. I think they're really tall. I'd never go up them. Then I see a video like this to put things in perspective.

www.break.com/index/climbing-a-1786-tall-tower

--
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com
RE: KMS Help
You guys need to check again. The latest version of the 2003 KMS can support Win7/2008 keys and Office keys at the same time.

-Malcolm

From: Don Ely - sc thinks I am a good man... [mailto:don@gmail.com]
Sent: Wednesday, September 22, 2010 12:23
To: NT System Admin Issues
Subject: Re: KMS Help

Oh yes, that too. Win7 KMS has to be on 2k8

Sent from my Verizon Wireless BlackBerry

From: Ken Cornetet ken.corne...@kimball.com
Date: Wed, 22 Sep 2010 13:20:02 -0400
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
ReplyTo: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: KMS Help

Last I checked, KMS running on server 2003 can't grant licenses for any OS newer than 2003.

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, September 22, 2010 1:14 PM
To: NT System Admin Issues
Subject: KMS Help

Ok, I am not getting this KMS thing. Windows server 2003 with KMS 1.2 update on it. It is registering in my DNS, seems to be ok there. Now I want it to activate my Win 7 and Office 2010 clients. So I fire the following command:

    slmgr -IPK MY-WIN7-KEY-IN-HERE

and get a pop that says Installed product key successfully. However it does not show after that as a license on the KMS server using -dlv. I have tried -ATO on the Win7 license and that fails.

I am missing something obvious here, I think I have made this too complicated in my head.
RE: Intel wants to charge to unlock features already on your CPU
Where is Stu when you need him to kill a thread? This one veered off in to the weeds at least 95 messages ago and I suspect I'm not the only one tired of hitting the delete key. Let it go. -Malcolm From: William Robbins [mailto:dangerw...@gmail.com] Sent: Wednesday, September 22, 2010 12:52 To: NT System Admin Issues Subject: Re: Intel wants to charge to unlock features already on your CPU Which comments do you object to personally then? I'm not in need of justification either. - WJR On Wed, Sep 22, 2010 at 12:45, Paul Hutchings paul.hutchi...@mira.co.uk wrote: If you think that warrants some of your comments so be it, personally I don't. From: William J. Robbins [mailto:dangerw...@gmail.com] Sent: 22 September 2010 18:42 To: NT System Admin Issues Subject: Re: Intel wants to charge to unlock features already on your CPU And I'm all for that...right up until I get an off list, uninvited mind you, reply in my inbox. At that point you've crossed over whether or not someone is wrong on the Internet Queue -sc with the XKCD link. WJR - from my Crackberry. If you find yourself in a fair fight, your tactics suck. _ From: Paul Hutchings paul.hutchi...@mira.co.uk Date: Wed, 22 Sep 2010 18:31:47 +0100 To: NT System Admin Issuesntsysadmin@lyris.sunbelt-software.com ReplyTo: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Subject: RE: Intel wants to charge to unlock features already on your CPU You know I haven't been on this list too long but is this honestly what we want to see? If the guy's wrong he's wrong, big deal, life's a little too short to get too hung up on who's right out there on the internet. From: Steven M. Caesare [mailto:scaes...@caesare.com] Sent: 22 September 2010 18:23 To: NT System Admin Issues Subject: RE: Intel wants to charge to unlock features already on your CPU This conclusion is eerily like the Application vs. OS ending. I'm beginning to see a trend here. 
-sc From: William Robbins [mailto:dangerw...@gmail.com] Sent: Wednesday, September 22, 2010 12:52 PM To: NT System Admin Issues Subject: Re: Intel wants to charge to unlock features already on your CPU You realize, of course, Mr. Carpet has already said Good Day! right? - WJR On Wed, Sep 22, 2010 at 10:53, Steven M. Caesare scaes...@caesare.com wrote: The difference being, is that you don't tend to support your opinions (which you tend to assert strongly) with reason or facts. When given a solid reason that challenges your assertion, instead of addressing it, you alter the discussion, often using analogies that merely serve to re-state your existing opinion, rather than addressing the underlying challenge to your opinion. In this case, multiple experienced people explained why this model would be beneficial to you. Yet, AFAIK, you didn't acknowledge any of those logic cases, and instead went for the overused car analogy, and then eventually shifted your argument to being concerned that the consumer wouldn't be adequately educated about the potential upgrade options (which is quite different than your initial concern). You keep making assertions that don't stand up to facts and then bail. Why? -sc -Original Message- From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Wednesday, September 22, 2010 11:19 AM To: NT System Admin Issues Subject: RE: Intel wants to charge to unlock features already on your CPU *shrug* This discussion has gone on for awhile and neither side is going to be able to sway the other. I see no need to drag it out and keep it going when we're just going to disagree. I've stated my position, I've tried various examples to explain why I think it's a bad idea, and vice versa, but neither side has budged their position. Why drag it out and risk getting hateful over it? You're entitled to your opinion, I'm entitled to mine. 
We're both entitled to try and convince the other that they are wrong, but in the end, if we can't convince each other, the best thing to do is agree to disagree. From: William Robbins [mailto:dangerw...@gmail.com] Sent: Wednesday, September 22, 2010 11:02 AM To: NT System Admin Issues Subject: Re: Intel wants to charge to unlock features already on your CPU Nice cop out. - WJR On Wed, Sep 22, 2010 at 08:56, John Aldrich jaldr...@blueridgecarpet.com wrote: I think we're going to have to agree to disagree. -Original Message- From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Wednesday, September 22, 2010 9:45 AM To: NT System Admin Issues Subject: RE: Intel wants to charge to unlock features already on your CPU -Original Message- From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Wednesday, 22 September 2010 8:52 PM To: NT System Admin Issues Subject: RE: Intel wants to charge to unlock features already on your CPU Here's something I thought of... Sure you'll be able to buy an
RE: PowerShell - pipeline input help
Awesome - thanks Michael.

-Malcolm

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, September 20, 2010 17:06
To: NT System Admin Issues
Subject: RE: PowerShell - pipeline input help

Close.

    get-aduser -filter * -searchbase "OU=Test,OU=User Accounts,DC=fabrikam,DC=com" |% { add-adgroupmember groupname $_.samaccountname }

...will do what you want.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, September 20, 2010 5:42 PM
To: NT System Admin Issues
Subject: PowerShell - pipeline input help

I'm trying to write a simple PS script to put the membership of an OU in to a security group. I can do this with a bit of code like below, which seems to work fine.

    $users = get-aduser -filter * -searchbase "OU=Test, OU=User Accounts, DC=fabrikam, DC=com"
    foreach($user in $users)
    {
        add-adgroupmember groupname $user
    }

However, for my PowerShell education, I tried just piping the output of get-aduser in to add-adgroupmember.

    get-aduser -filter * -searchbase "OU=Test, OU=User Accounts, DC=fabrikam, DC=com" | add-adgroupmember groupname *

This fails miserably. I'm guessing I don't have the correct parameter syntax for add-adgroupmember? Can any of our PS pros point me in the right direction for the answer?

Thanks,
-Malcolm
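Added example, not part of the thread above or anyone's posted code: a sketch of keeping a security group in step with an OU, which goes one step beyond the thread by also removing members that have left the OU, so access granted through the group does not linger. The function name Sync-OuToGroup is hypothetical; the OU and the group name "groupname" are the placeholders used in the thread.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Sync-OuToGroup {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$GroupName
    )

    # Why "Get-ADUser ... | Add-ADGroupMember groupname *" cannot work:
    # Add-ADGroupMember binds pipeline input to -Identity (the group), and
    # -Members takes no pipeline input, so piped users never reach -Members.
    # Add-ADPrincipalGroupMembership is the pipeline-friendly counterpart:
    # the user arrives on the pipeline and the group is named via -MemberOf.

    # Users currently in the OU, including sub-OUs.
    $ouUsers = @(Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree)

    # Direct user members of the group (nested groups and computers are ignored).
    $members = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object { $_.objectClass -eq 'user' })

    $ouDns     = @($ouUsers | ForEach-Object { $_.DistinguishedName })
    $memberDns = @($members | ForEach-Object { $_.distinguishedName })

    # In the OU but not yet in the group / in the group but no longer in the OU.
    $toAdd    = @($ouUsers | Where-Object { $memberDns -notcontains $_.DistinguishedName })
    $toRemove = @($members | Where-Object { $ouDns -notcontains $_.distinguishedName })

    foreach ($user in $toAdd) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add to $GroupName")) {
            $user | Add-ADPrincipalGroupMembership -MemberOf $GroupName
        }
    }
    foreach ($member in $toRemove) {
        if ($PSCmdlet.ShouldProcess($member.distinguishedName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $member -Confirm:$false
        }
    }

    # Report what was (or, with -WhatIf, would be) changed.
    [pscustomobject]@{
        Group    = $GroupName
        ToAdd    = @($toAdd    | ForEach-Object { $_.SamAccountName })
        ToRemove = @($toRemove | ForEach-Object { $_.SamAccountName })
    }
}

# Preview only: -WhatIf prints each planned change and modifies nothing.
Sync-OuToGroup -SearchBase 'OU=Test,OU=User Accounts,DC=fabrikam,DC=com' -GroupName 'groupname' -WhatIf
```

Drop -WhatIf to apply the changes; review the ToRemove list first if the group also has members that were added by hand.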
RE: Email retention
Annoyingly enough, SOX doesn't specify any retention period. However, it does implicitly require a formalized and structured retention policy to be applied. Of course, SOX doesn't apply to non-publicly-traded companies anyway. Even without SOX or other regulatory requirements, a retention policy based on what information is useful to your company, is a good thing to implement anyway.

-Malcolm

-----Original Message-----
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Tuesday, September 21, 2010 09:05
To: NT System Admin Issues
Subject: Email retention

What's the standard for email retention for companies which are NOT publicly traded? What's the SOX rules on email retention? I just helped one of our managers open some Outlook data files dating back to 2007 which got me thinking about the wisdom of retaining information that long and I wasn't sure what the norm is for retaining that info.

Thanks...

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233
PowerShell - pipeline input help
I'm trying to write a simple PS script to put the membership of an OU in to a security group. I can do this with a bit of code like below, which seems to work fine.

    $users = get-aduser -filter * -searchbase "OU=Test, OU=User Accounts, DC=fabrikam, DC=com"
    foreach($user in $users)
    {
        add-adgroupmember groupname $user
    }

However, for my PowerShell education, I tried just piping the output of get-aduser in to add-adgroupmember.

    get-aduser -filter * -searchbase "OU=Test, OU=User Accounts, DC=fabrikam, DC=com" | add-adgroupmember groupname *

This fails miserably. I'm guessing I don't have the correct parameter syntax for add-adgroupmember? Can any of our PS pros point me in the right direction for the answer?

Thanks,
-Malcolm
RE: BES install question
You have set up domain admin accounts with mailboxes? You will run in to this problem with the BESAdmin permissions on those accounts:

http://www.blackberry.com/btsc/search.do?cmd=displayKCdocType=kcexternalId =KB12309

-Malcolm

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Wednesday, September 15, 2010 17:13
To: NT System Admin Issues
Subject: RE: BES install question

Ok, so in our AD structure, all our normal users would be under one OU, and various sub-OUs. But, our domain admin users are located in a different OU. Is it possible to run this command twice, to include the different OUs? Or do I have to have all accounts under the one?

Charlie Kaiser charl...@golden-eagle.org 9/15/2010 1:54 PM

Actually, it's more the other way around; it's providing the BESAdmin account with rights to send as users in the OU.

For example, in section A: you're adding an inherited perm to user accounts below the OU level. You're allowing BESAdmin to send as any account in that OU. PS: You spelled identity wrong (indentity). Section B is providing the same rights but to a specific CN, so BESAdmin could send as whatever account you specify in CN=.

So you'd want to set the OU in section A to the full DN of the OU where your blackberry users reside. Let's hope it's a true OU and not a container for various reasons. So let's say you had an OU named employees where all your users reside and it's in yourdomain.local. Here's what you'd need:

    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User BESAdmin -Identity "OU=employees,DC=yourdomain,DC=local"

The BESAdmin account needs that right to be able to do its job within the mailboxes.

Hope that helps.

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Wednesday, September 15, 2010 1:34 PM
To: NT System Admin Issues
Subject: BES install question

Doing pre-installation tasks for BES and Exchange 2010. I've created the BESAdmin mailbox, and I'm now configuring the Exchange 2010 permissions. It's asking me to type one of the following commands within the Exchange Management Shell. I'm not sure what exactly the commands are trying to do, so I'm not sure how to fill in the blanks. Can someone take a look and help me?

Do one of the following:

a) To set the permissions at the organizational unit level, type

    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User BESAdmin -Indentity OU=organizational unit,DC=domain_1,DC=domain_2,DC=domain_3

where domain_1, domain_2, and domain_3 form the name of the domain.

b) To set the permissions at the common name level, type

    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User BESAdmin -Indentity CN=common_name,DC=domain_1,DC=domain_2,DC=domain_3

where domain_1, domain_2, and domain_3 form the name of the domain.

If I'm correct, these commands setup who can Send As the BESAdmin account, correct? The documentation doesn't explain it, and I need to know exactly, so I know what to put in as organizational unit or common_name.

Thanks,
Joe Heaton
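Added example, not part of the thread above or of the BES documentation: granting the Send-As right discussed in this thread on more than one OU, skipping OUs that already carry the grant, and then listing every explicit Send-As entry on those OUs so the scope of the delegation can be reviewed. The second OU name and the helper name Test-SendAsGrant are hypothetical; BESAdmin and OU=employees,DC=yourdomain,DC=local come from the thread.

```powershell
# Added example. Run in the Exchange Management Shell
# (Add-ADPermission and Get-ADPermission are Exchange cmdlets).

$besAccount = 'BESAdmin'                        # service account named in the thread
$targetOUs  = @(
    'OU=employees,DC=yourdomain,DC=local',      # OU used in the thread's example
    'OU=admins,DC=yourdomain,DC=local'          # hypothetical second OU
)

# True if $User already holds an explicit (not inherited) Send-As allow entry on $Identity.
function Test-SendAsGrant {   # hypothetical helper name
    param([string]$Identity, [string]$User)
    $aces = @(Get-ADPermission -Identity $Identity -User $User |
              Where-Object {
                  -not $_.Deny -and -not $_.IsInherited -and
                  ($_.ExtendedRights -like 'Send-As')
              })
    return ($aces.Count -gt 0)
}

# One Add-ADPermission call per OU: the entry is set on the OU and is
# inherited by descendant User objects only.
foreach ($ou in $targetOUs) {
    if (Test-SendAsGrant -Identity $ou -User $besAccount) {
        Write-Host "Send-As for $besAccount already present on $ou"
        continue
    }
    Add-ADPermission -Identity $ou -User $besAccount -ExtendedRights Send-As `
        -InheritedObjectType User -InheritanceType Descendents
}

# Review: every explicit Send-As allow entry on these OUs, whoever holds it.
# Send-As lets the holder send mail as any user below the OU, so this list
# should contain the BES service account and nothing unexpected.
foreach ($ou in $targetOUs) {
    Get-ADPermission -Identity $ou |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and
            ($_.ExtendedRights -like 'Send-As')
        } |
        Select-Object Identity, User, InheritanceType, InheritedObjectType
}
```

Appending -WhatIf to the Add-ADPermission call previews the grant without writing it.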
RE: IE9 beta
Ah, but there is now (IE9 and 64-bit). http://labs.adobe.com/downloads/flashplayer10.html -Malcolm -Original Message- From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Wednesday, September 15, 2010 17:47 To: NT System Admin Issues Subject: RE: IE9 beta Well duh. That's not available for ANY version of ie. Install the 32-bit version. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -Original Message- From: James Edwards [mailto:jedwa...@mail.sdsu.edu] Sent: Wednesday, September 15, 2010 6:46 PM To: NT System Admin Issues Subject: RE: IE9 beta Nope, installed the 64 bit version. No Flash player available for it yet 8~( Jim Freedom begins when you tell Mrs. Grundy to go fly a kite. -Original Message- From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Wednesday, September 15, 2010 14:37 To: NT System Admin Issues Subject: IE9 beta Am I the only one that has installed the IE-9 beta? I like the minimalism. Even more minimal than Chrome...it seems to work pretty well with most sites. FB can crash it, though, when not in compatibility mode... Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt- software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! 
RE: Does Windows 2008 R2 Server Core support running applications in Compatibility Mode?
True, that response didn't make a lot of sense. I'd think it more likely that Compatibility mode isn't supported due to the GUI limitations and the fact that Compatibility mode is largely targeted at interactive apps, something Server Core definitely isn't designed for.
-Malcolm

-----Original Message-----
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Thursday, September 02, 2010 20:26
To: NT System Admin Issues
Subject: RE: Does Windows 2008 R2 Server Core support running applications in Compatibility Mode?

I'd need to do some digging to verify this but I don't immediately buy it really. This stuff happens at a much lower level. Application Server is a role which maps back to IIS really so I don't think that reply remotely has anything to do with this.
Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

-----Original Message-----
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, September 01, 2010 8:28 AM
To: NT System Admin Issues
Subject: re: Does Windows 2008 R2 Server Core support running applications in Compatibility Mode?

If any one is interested: I opened a case for this with MS, to get an official answer. Here is their reply:

***
Issue Definition: Does W2k8 R2 Server Core support running applications in Compatibility mode?
Answer: Application server is not one of the intended/supported roles. Here is a list of roles that windows 2008 R2 core supports. http://www.microsoft.com/windowsserver2008/en/us/r2-compare-core-installation.aspx
If you have any further questions or concerns, please don't hesitate to contact me.
***

I'm a little disappointed in this. So it's inferred that it's not a supported feature since Application server is not a supported role?
Chris
RE: Windows 7: buy PCs with license or withhout
The KMS has no idea about how many licenses you own. All it does is act as an internal activation service.
-Malcolm

From: Tom Miller [mailto:tmil...@hnncsb.org]
Sent: Thursday, September 02, 2010 13:31
To: NT System Admin Issues
Subject: re: Windows 7: buy PCs with license or withhout

Microsoft charity licensing is excellent and I usually use that. But the potential problem is how do I tie OEM licenses to a volume license since I'd use a volume license in my image? I don't want Windows 7 machines built with my image halting due to licensing issues as the KMS system doesn't realize it has enough licenses. Apologies if this is not clear - hope I'm using the correct terminology.

Paul Hutchings paul.hutchi...@mira.co.uk 9/2/2010 2:19 PM
Unless you're on an enterprise agreement or something where you have the pricing sorted, I've never known it be cheaper to not buy OEM - the price difference has usually made it a no-brainer.
RE: Certificate and PEAP
If you haven’t already resolved this… Don’t use the DC template. What you want is the RAS and IAS Servers template. This certificate template needs to be permissioned and configured properly one time. You may also need to adjust your default domain policy. Then you add your NPS server to the RAS and IAS Servers AD group and your server will autoenroll the correct cert. http://technet.microsoft.com/en-us/library/cc754198.aspx
-Malcolm

From: Jay Dale [mailto:jd...@emlogis.com]
Sent: Saturday, August 28, 2010 10:15
To: NT System Admin Issues
Subject: RE: Certificate and PEAP

No one have any ideas? This one must be a toughie – I put it on EE which typically gets a quick response but nothing there yet either… :(
Jay Dale Senior Systems Administrator o:713.785.0960 x290

From: Jay Dale [mailto:jd...@emlogis.com]
Sent: Friday, August 27, 2010 9:55 AM
To: NT System Admin Issues
Subject: Certificate and PEAP

Hey all, I’m trying to set up a Cisco Wifi Access Point on our network and use NPS with PEAP authentication so it will connect the users via their user account or computer account. I’ve set up a CA on Windows Ent. 2008 64bit and gone through all the steps on creating the GPO, setting up NPS for Wired Authentication, etc. However, I have one sticking point. When I go into NPS and look at the properties of the network wifi policy, then under Constraints, then PEAP and choose Edit, I get the error: “A certificate could not be found that can be used with this Extensible Authentication Protocol”. So, no worries. I go into the Certificates console, request a Domain Controller certificate, then when I go back and edit the cert shows up and the clients can connect fine. Problem is, later on I lose connection and go back and check this setting and I get the error again, meaning the cert isn’t sticking. Is there a way to keep this cert from getting removed and keeping it there?
Thanks, Jay
Jay Dale Senior Systems Administrator P 713.785.0960 Ext 290 | F 713.785.0986 | C 832.373.7883 jd...@emlogis.com | www.emlogis.com Service Desk C 877.523.5896 | E supp...@emlogis.com
RE: Windows 7: buy PCs with license or withhout
Didn't mean to imply differently. In licensing matters, it's usually best to assume someone is watching all the time :-)
-Malcolm

From: Don Guyer [mailto:don.gu...@prufoxroach.com]
Sent: Thursday, September 02, 2010 14:58
To: NT System Admin Issues
Subject: RE: Windows 7: buy PCs with license or withhout

But, once you start activating them, check out the count that now shows up under your MVLS website. Someone's watching you. :)
Don Guyer Systems Engineer - Information Services Prudential, Fox Roach/Trident Group 431 W. Lancaster Avenue Devon, PA 19333 Direct: (610) 993-3299 Fax: (610) 650-5306 don.gu...@prufoxroach.com

From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Thursday, September 02, 2010 3:56 PM
To: NT System Admin Issues
Subject: RE: Windows 7: buy PCs with license or withhout

The KMS has no idea about how many licenses you own. All it does is act as an internal activation service.
-Malcolm

From: Tom Miller [mailto:tmil...@hnncsb.org]
Sent: Thursday, September 02, 2010 13:31
To: NT System Admin Issues
Subject: re: Windows 7: buy PCs with license or withhout

Microsoft charity licensing is excellent and I usually use that. But the potential problem is how do I tie OEM licenses to a volume license since I'd use a volume license in my image? I don't want Windows 7 machines built with my image halting due to licensing issues as the KMS system doesn't realize it has enough licenses. Apologies if this is not clear - hope I'm using the correct terminology.

Paul Hutchings paul.hutchi...@mira.co.uk 9/2/2010 2:19 PM
Unless you're on an enterprise agreement or something where you have the pricing sorted, I've never known it be cheaper to not buy OEM - the price difference has usually made it a no-brainer.
RE: Wireless Machine Authentication
If you are using AD credentials for your users, the easiest thing is to just use AD credentials for the computers as well. I assume you have your users in some AD groups that are authenticated by RADIUS. Create another group (or use Domain Computers) that is also authenticated by RADIUS. Add the PCs you want to that group. Make sure the wireless 802.1x configuration on the PCs is set properly so the authentication mode is user or computer. That should do it.
-Malcolm

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, August 20, 2010 09:07
To: NT System Admin Issues
Subject: RE: Wireless Machine Authentication

I'm still striking out on making this work. I'm probably making it harder than what it is. I have mostly domain computers that need to authenticate by machine. Do I need to create a machine certificate for each individual machine? Then map that same cert to the computer AD account?

From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, August 02, 2010 11:12 AM
To: NT System Admin Issues
Subject: RE: Wireless Machine Authentication

We used the machine AD credentials, as that is the path of least resistance. It is a pretty simple GPO configuration to set it all up, too.
-Malcolm

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, August 02, 2010 10:03
To: NT System Admin Issues
Subject: RE: Wireless Machine Authentication

You can either use machine certs or machine credentials (against AD, if the machines have credentials in AD.)
Cheers Ken

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, 30 July 2010 10:36 PM
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

All Cisco LWAP access points using a 5508 wireless controller. We have PEAP set up so users can authenticate on the wireless network using their AD login...peachy. BUT...we have some machines that need to authenticate on the wireless before the user logs on (so they can get group policies and such). I thought we could just provide a generic credential and it would work but no such luck. How the heck do you make this work? The workstations are XP SP3 with intel wireless cards.
RE: Dell - IDRAC6 Enterprise vs IDRAC6 Express
We've found the remote media mount to be very useful. We have rebuilt servers remotely just via the DRAC. The DRACs, on the whole, have been quite reliable for us.
-Malcolm

-----Original Message-----
From: Fred Sawyer [mailto:fr...@sunbelt-software.com]
Sent: Tuesday, August 17, 2010 12:40
To: NT System Admin Issues
Subject: Dell - IDRAC6 Enterprise vs IDRAC6 Express

Is anyone using either the IDRAC6 Enterprise or Express? From what I am reading the Express card offers a basic web-interface that can be used to remotely reboot that machine. Where the Enterprise version offers remote ability to mount media as well as direct console access. I am trying to figure out how reliable the Enterprise card is for remotely supporting a server. From a cost analysis the IDRAC Enterprise options is more affordable than a TCP/IP KVM such as a Raritan. All feedback is greatly appreciated!
Cheers, Fred
RE: Using proxy.pac
My favorite site on this, www.returnproxy.com, seems to be offline, but here are a couple of sites which cover the basics of simple proxy.pac functions:
http://helpdeskgeek.com/networking/proxy-pac-file/
http://www.aspfree.com/c/a/BrainDump/Controlling-Internet-Access-using-a-Pac-File/
-Malcolm

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Tuesday, August 10, 2010 07:09
To: NT System Admin Issues
Subject: Using proxy.pac

Anyone have a link to a nice step-by-step procedure for setting up a proxy.pac file for IE to deliver a proxy internally and go direct externally? I'm trying to explain the process to a friend of mine with his own business and we're getting kind of lost as he's not very technical...he's just going to store the proxy.pac files local to his users' laptops, so there's no need for any complex stuff involving web servers. I've been Googling about and all the articles I can find seem to be old or convoluted...is there a link to a nice MS procedure somewhere I'm missing, or any such like?
TIA, JRR
--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
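An added example for the request in this thread (not from any of the posters or the linked sites): a proxy.pac that returns the proxy only while the laptop holds an office-LAN address and goes direct otherwise, reading "internally" as "while on the office network". The subnet, intranet suffix and proxy host are assumed placeholders, and the helper functions are written out rather than using the PAC built-ins so the file can also be checked outside a browser.

```javascript
// proxy.pac - added example. All addresses and names are assumed placeholders.
var INTERNAL_NET = "10.0.0.0";                    // assumed office subnet
var INTERNAL_MASK = "255.0.0.0";
var INTERNAL_SUFFIX = ".internal.example";        // assumed intranet DNS suffix
var PROXY = "PROXY proxy.internal.example:8080";  // assumed proxy host and port

// Convert dotted-quad IPv4 text to an unsigned number, or null if malformed.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when an IPv4 literal falls inside net/mask. Host names return false,
// so this check never triggers a DNS lookup.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Suffix match anchored on the leading dot, so "notinternal.example"
// is not mistaken for an intranet name.
function hostEndsWith(host, suffix) {
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// myIpAddress() is supplied by the browser's PAC engine; the guard only
// matters when the file is loaded somewhere else for testing.
function clientIp() {
  return typeof myIpAddress === "function" ? myIpAddress() : "";
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Away from the office the proxy is unreachable: go direct for everything.
  if (!inSubnet(clientIp(), INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";

  // On the office LAN: local and intranet destinations bypass the proxy.
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  if (host.indexOf(".") === -1) return "DIRECT";            // single-label name
  if (hostEndsWith(host, INTERNAL_SUFFIX)) return "DIRECT";
  if (inSubnet(host, INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";

  // Everything else leaves through the proxy.
  return PROXY;
}
```

myIpAddress() can report the wrong interface on a machine with several active adapters, so check the result on a laptop with wired and wireless both connected.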
RE: Volume Licensing
One of the things I like about KMS is that it doesn't expose our corporate license keys. With a MAK, users could take your key and use it on unauthorized PCs (i.e. home, family, friends, etc.). KMS keeps the key where it can only be used when the computers attach to your network. KMS is also pretty much a set and forget type tool that requires little operational effort.
-Malcolm

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, August 10, 2010 11:22
To: NT System Admin Issues
Subject: RE: Volume Licensing

What are the pros and cons of a KMS over MAK?
Cameron Cooper Network Administrator | CompTIA A+ Certified Aurico Reports, Inc Phone: 847-890-4021 | Fax: 847-255-1896 ccoo...@aurico.com | www.aurico.com

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 10, 2010 11:00 AM
To: NT System Admin Issues
Subject: RE: Volume Licensing

I'd just use a KMS assuming you are going to migrate to Win7 and/or Office 2010 relatively quickly.
Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, August 10, 2010 11:01 AM
To: NT System Admin Issues
Subject: Volume Licensing

All, We are new to the Volume Licensing through Microsoft and would like to know which key (KMS or MAK) to use in our environment for migrating to Windows 7 and Office 2010?
Environment:
-Currently have 60 computers all running Windows XP Pro and a mixture of Office 2003/2007
-Currently have 5 Servers running Windows Server 2003 and 2003 R2 (which won't be migrated over to Server 2008 R2 yet)
From what I understand is that KMS is hosted on one machine (server or computer) and the clients renew their activation with that machine. Whereas with MAK, each computer activates to MS.
Cameron Cooper Network Administrator | CompTIA A+ Certified Aurico Reports, Inc Phone: 847-890-4021 | Fax: 847-255-1896 ccoo...@aurico.com | www.aurico.com
RE: Moving Volume Activation Management Tool
No need to copy any files - the KMS server doesn't really track anything (it keeps the last 50 activations as a rolling list, but that's it). If you're worried about meeting the minimum number of systems for activation, note that when you reinstall the KMS key on the same KMS server, you will reset the counters, so moving the data files makes no sense anyway. You should be able to just remove the key from your existing KMS server, delete it from DNS, and then install the KMS service and key on a new server. Here's a write-up that looks good: http://social.technet.microsoft.com/Forums/en-US/itprovistaactivation/thread/cd4177bd-8df5-4a66-afdc-c760398b7e7f
Don't do this often, though, as your KMS key is only good for 6 installations; more than that and you'll have to call MS Licensing. If you ever think you'll use your KMS to activate software such as Windows 7 and, especially, Office 2010, I would suggest you put the KMS on something besides a Server 2008 box. Office 2010 activations only work from a KMS on Server 2003 or 2008 R2, not plain 2008. http://support.microsoft.com/default.aspx?scid=kb;EN-US;981859
-Malcolm

From: Mayo, Bill [mailto:bem...@pittcountync.gov]
Sent: Friday, August 06, 2010 13:59
To: NT System Admin Issues
Subject: Moving Volume Activation Management Tool

Does anyone have any experience with relocating the VAMT (Volume Activation Management Tool) used for proxy activations of Windows Server 2008, et al? We have a modest amount of Windows Server 2008 boxes, and the VAMT was the best tool for us to handle the activations. I need to move this function from the server it is currently on (2003 Server) to a new server (which will itself be 2008). I have tried to do some searching to determine if there is any particular migration methodology required, but my google-fu has failed me. The only things that look like data in the application directory have an extension of xrm-ms. Plus, there is the CIL (Computer Information List) file which apparently stores information on the activations that have been performed. I am thinking that I can just copy the files over to another server and be fine, as I am guessing that no critical information is stored within the application. Can anyone confirm/deny this is the case, or provide any other information?
TIA, Bill Mayo
RE: Wireless Machine Authentication
If you set the XP SP3 802.1x authentication mode back to its default, you should get what you want. The default authentication mode allows a computer to authenticate with PEAP under its computer account credentials. When a user logs in to the computer, the auth process is repeated, this time with the user's credentials.
-Malcolm

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, July 30, 2010 09:36
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

All Cisco LWAP access points using a 5508 wireless controller. We have PEAP set up so users can authenticate on the wireless network using their AD login...peachy. BUT...we have some machines that need to authenticate on the wireless before the user logs on (so they can get group policies and such). I thought we could just provide a generic credential and it would work but no such luck. How the heck do you make this work? The workstations are XP SP3 with intel wireless cards. Thanks all!
John C. Kelsey DuBois Regional Medical Center 814.375.3073 | 814.375.4005 | jckel...@drmc.org
RE: Wireless Machine Authentication
We used the machine AD credentials, as that is the path of least resistance. It is a pretty simple GPO configuration to set it all up, too.
-Malcolm

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, August 02, 2010 10:03
To: NT System Admin Issues
Subject: RE: Wireless Machine Authentication

You can either use machine certs or machine credentials (against AD, if the machines have credentials in AD.)
Cheers Ken

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, 30 July 2010 10:36 PM
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

All Cisco LWAP access points using a 5508 wireless controller. We have PEAP set up so users can authenticate on the wireless network using their AD login...peachy. BUT...we have some machines that need to authenticate on the wireless before the user logs on (so they can get group policies and such). I thought we could just provide a generic credential and it would work but no such luck. How the heck do you make this work? The workstations are XP SP3 with intel wireless cards.
RE: Anyone using Forefront UAG and Direct Access
First - There's more to it than just translating IPv4 addresses to IPv6 and back. Let me rephrase my statement and see if this works any better: Applications that depend on protocol implementations (such as the version of SIP used in MS Communicator) which don't work over IPv6 will not work over DirectAccess. In this case, you could have a completely IPv6-only local area network, with no DirectAccess involved, and Communicator will still not work.

Second - DirectAccess clients are supplied with a Name Resolution Policy Table. In the NRPT, you tell the client if you are looking to resolve an *.internal.mycorp.com name, use these (internal) DNS servers and, by extension, route the traffic to that address across the secure intranet tunnel. So, by supplying the client with a name, you've given DirectAccess the information it needs to determine if the destination desired is through the intranet tunnel or to the outside world. If you only supply your client with an IP address, the lack of a name to resolve means the NRPT isn't consulted and DirectAccess assumes the destination to be in the outside world.

The Cable Guy blog on TechNet has a lot of good discussion on these topics and DirectAccess in general. http://technet.microsoft.com/en-us/library/ff576611.aspx
-Malcolm

-----Original Message-----
From: Jason Gauthier [mailto:jgauth...@lastar.com]
Sent: Tuesday, July 27, 2010 07:58
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

A few questions on this topic:

> Applications that don't work across a DirectAccess link are those which won't work over IPv6. The first one I came across was the Communicator IM client. I think VoIP apps that rely on the SIP protocol fall in to this category as well.

Are you using ForeFront UAG? My understanding was that the NAT64/DNS64 and Forefront UAG product complemented this so that you could access IPv4 only systems. In reviewing my email with Tom Shinder, over at the DA team, he mentions that an IPv6 only network can be used with only DA. However, IPv4 resources need the UAG to be reachable. This doesn't specifically contradict what you are saying, but I'd say it's doable.

> Also, internal applications that you access by IP address only will be a problem. This is because DirectAccess makes it routing decisions based on name resolution, not IP destination. Say your corporate network is using the 10.x.x.x IPv4 address space and a domain name of internal.mycorp.com.

DNS works by IP. How can you reach the DNS servers if what you are saying above is true?
Thanks! Jason

-----Original Message-----
From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, July 26, 2010 10:13 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

Smart cards are optional for DirectAccess, not required. What I was trying (poorly) to say was that Microsoft's internal implementation of DirectAccess is set up to require smart card authentication (e.g. MSFT employees must use smart cards). Our DirectAccess implementation currently does not require the users to have a smart card. Smart cards (we use .NET cards - Gemalto is the major vendor in the market) are a quite useful security tool, but they require a distribution/maintenance infrastructure that complicates their use.

Applications that don't work across a DirectAccess link are those which won't work over IPv6. The first one I came across was the Communicator IM client. I think VoIP apps that rely on the SIP protocol fall in to this category as well.

Also, internal applications that you access by IP address only will be a problem. This is because DirectAccess makes its routing decisions based on name resolution, not IP destination. Say your corporate network is using the 10.x.x.x IPv4 address space and a domain name of internal.mycorp.com. You can tell DirectAccess to send all traffic to *.internal.mycorp.com over the tunnel to your corporate network, but you can't tell it to route all traffic to any 10.x.x.x address across the tunnel. The only way around this is to force all communications across the tunnel (that is, disable split-tunneling). Unfortunately, this has performance implications, as it makes DirectAccess use a less-efficient protocol and increases the load on the DirectAccess servers, not to mention it sends all Internet-bound traffic from the client the long way through the corporate network and out the corporate Internet connection.

Hope that makes sense...
-Malcolm

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, July 23, 2010 17:43
To: NT System Admin Issues
Subject: Re: Anyone using Forefront UAG and Direct Access

O... Actual field experience! Did not know about the smart card requirement. That's good to know. What smart card technology are you using, if you can say? What kind of apps have you run into that don't play nice with it?
Kurt

On Fri, Jul
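An added example, not from any poster in this thread: a simplified model of the name-based decision Malcolm describes, showing why a destination given as an IP address never reaches the NRPT while a name under *.internal.mycorp.com is sent through the tunnel. The DNS server address, the exemption entry and its host name are assumptions, and the model goes slightly beyond the thread by including exemption rules and most-specific-match selection.

```javascript
// Simplified NRPT model. Only the domain internal.mycorp.com comes from the
// thread; every other value is constructed for illustration.
var NRPT_RULES = [
  // Suffix rule: names in the corporate namespace are resolved by the
  // internal DNS servers and reached through the intranet tunnel.
  { match: ".internal.mycorp.com", dnsServers: ["2001:db8:da::53"] },
  // Exemption rule (assumed host name): no DNS server listed, so this name
  // is resolved with the DNS servers of whatever network the client is on.
  { match: "nls.internal.mycorp.com", dnsServers: [] }
];

// An IPv4 dotted quad or anything containing ":" is treated as an address.
// The destination is expected to be a bare host, without a port.
function isIpLiteral(dest) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(dest) || dest.indexOf(":") !== -1;
}

// Lower-case the name and drop a trailing root dot.
function normalizeName(name) {
  var n = name.toLowerCase();
  return n.charAt(n.length - 1) === "." ? n.slice(0, -1) : n;
}

// A rule starting with "." is a suffix rule; anything else is an exact FQDN.
function ruleMatches(rule, name) {
  var m = rule.match.toLowerCase();
  if (m.charAt(0) !== ".") return name === m;
  return name.length > m.length && name.slice(name.length - m.length) === m;
}

// Pick the most specific matching rule: exact FQDN first, then longest suffix.
function findRule(name, rules) {
  var best = null;
  for (var i = 0; i < rules.length; i++) {
    var r = rules[i];
    if (!ruleMatches(r, name)) continue;
    if (best === null) { best = r; continue; }
    var exact = r.match.charAt(0) !== ".";
    var bestExact = best.match.charAt(0) !== ".";
    if ((exact && !bestExact) ||
        (exact === bestExact && r.match.length > best.match.length)) {
      best = r;
    }
  }
  return best;
}

// Decide where traffic for a destination goes under split tunneling.
function routeDecision(destination, rules) {
  rules = rules || NRPT_RULES;
  if (isIpLiteral(destination)) {
    // Nothing to resolve, so the table is never consulted.
    return { path: "direct", reason: "ip-literal", dnsServers: [] };
  }
  var rule = findRule(normalizeName(destination), rules);
  if (rule === null) {
    return { path: "direct", reason: "no-rule", dnsServers: [] };
  }
  if (rule.dnsServers.length === 0) {
    return { path: "direct", reason: "exempt", dnsServers: [] };
  }
  return { path: "tunnel", reason: "nrpt-rule", dnsServers: rule.dnsServers };
}

// Audit helper: list the configured application targets that would not be
// sent through the intranet tunnel (for example, servers entered by IP).
function targetsOutsideTunnel(targets, rules) {
  return targets.filter(function (t) {
    return routeDecision(t, rules).path !== "tunnel";
  });
}
```

Running targetsOutsideTunnel over an inventory of application server settings before a rollout flags the entries that need a DNS name instead of an address.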
RE: Anyone using Forefront UAG and Direct Access
Smart cards are optional for DirectAccess, not required. What I was trying (poorly) to say was that Microsoft's internal implementation of DirectAccess is set up to require smart card authentication (e.g. MSFT employees must use smart cards). Our DirectAccess implementation currently does not require the users to have a smart card. Smart cards (we use .NET cards - Gemalto is the major vendor in the market) are a quite useful security tool, but they require a distribution/maintenance infrastructure that complicates their use. Applications that don't work across a DirectAccess link are those which won't work over IPv6. The first one I came across was the Communicator IM client. I think VoIP apps that rely on the SIP protocol fall in to this category as well. Also, internal applications that you access by IP address only will be a problem. This is because DirectAccess makes it routing decisions based on name resolution, not IP destination. Say your corporate network is using the 10.x.x.x IPv4 address space and a domain name of internal.mycorp.com. You can tell DirectAccess to send all traffic to *.internal.mycorp.com over the tunnel to your corporate network, but you can't tell it to route all traffic to any 10.x.x.x address across the tunnel. The only way around this is to force all communications across the tunnel (that is, disable split-tunneling). Unfortunately, this has performance implications, as it makes DirectAccess use a less-efficient protocol and increases the load on the DirectAccess servers, not to mention it sends all Internet-bound traffic from the client the long way through the corporate network and out the corporate Internet connection. Hope that makes sense... -Malcolm -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Friday, July 23, 2010 17:43 To: NT System Admin Issues Subject: Re: Anyone using Forefront UAG and Direct Access O... Actual field experience! Did not know about the smart card requirement. That's good to know. 
What smart card technology are you using, if you can say? What kind of apps have you run into that don't play nice with it? Kurt On Fri, Jul 23, 2010 at 13:29, Malcolm Reitz malcolm.re...@live.com wrote: I won’t say DirectAccess is just another VPN, because it isn’t, but it is a VPN technology with pretty robust security. It isn’t an easy setup, as it requires working with IPv6 and certificates, however, once it is running, it is really slick in operation. Just connecting your laptop to the Internet and being instantly able to map corporate file shares and open intranet web apps or RDP sessions is great. Downsides to it are that not everything works with it, as not everything plays nice with IPv6, and the hardware requirements are more significant than for a traditional IPsec VPN. It also only works with Windows 7 clients. Microsoft has enhanced security on their DirectAccess implementation by requiring their people to use smart cards for DirectAccess authentication. We may do that as well. I can say that everyone using my DirectAccess POC setup is liking it so far. Because of its “always on” nature, I think it will be a great boon to our management of remote computers (they will always be connected for patching, AV updates, inventory, etc.). -Malcolm From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] Sent: Friday, July 23, 2010 14:51 To: NT System Admin Issues Subject: Anyone using Forefront UAG and Direct Access Thoughts? Is it a big security hole? Luke L. Brumbaugh Network Engineer Butler Animal Health Supply Ph:(614) 659-1736
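A simplified model of the name-based decision Malcolm describes above, as an added example that is not part of the original thread and is not Microsoft's implementation. The rule table, the DNS server address, the inventory and all function names are constructed for illustration; it shows how to audit an application list for endpoints that a split-tunnel client will not send to the corporate network.

```javascript
// Added example: simplified model of a split-tunnel client choosing a path by
// DNS name. Single-label names and suffix search lists are not modelled.

// Constructed policy table: one suffix rule using the thread's example
// namespace. The DNS server is a placeholder from the 2001:db8::/32
// documentation range.
const NRPT_RULES = [
  { suffix: ".internal.mycorp.com", dnsServer: "2001:db8::53" },
];

const IPV4_LITERAL = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Return the longest suffix rule that matches a DNS name, or null.
function matchRule(name, rules) {
  const fqdn = name.toLowerCase().replace(/\.$/, "");
  let best = null;
  for (const rule of rules) {
    const suffix = rule.suffix.toLowerCase();
    if (fqdn.endsWith(suffix) &&
        (best === null || suffix.length > best.suffix.length)) {
      best = rule;
    }
  }
  return best;
}

// Decide how the client treats one destination, exactly as the application
// was configured to reach it (name or address).
function classify(target, rules = NRPT_RULES) {
  if (IPV4_LITERAL.test(target)) {
    // No name is resolved, so the name-based policy is never consulted.
    return { target, path: "not-tunneled", reason: "IPv4 literal, no name lookup" };
  }
  const rule = matchRule(target, rules);
  if (rule) {
    return { target, path: "tunnel", reason: "matches " + rule.suffix };
  }
  return { target, path: "not-tunneled", reason: "no suffix rule matches" };
}

// Audit an inventory: which intranet endpoints will fail for a remote client?
function findBrokenOverDirectAccess(inventory, rules = NRPT_RULES) {
  return inventory
    .filter((app) => app.intranet)
    .map((app) => ({ app: app.name, ...classify(app.endpoint, rules) }))
    .filter((result) => result.path !== "tunnel");
}

// Constructed inventory for illustration.
const SAMPLE_INVENTORY = [
  { name: "file shares", endpoint: "files.internal.mycorp.com", intranet: true },
  { name: "legacy ERP",  endpoint: "10.20.30.40",               intranet: true },
  { name: "HR portal",   endpoint: "hr.corp.mycorp.net",        intranet: true },
  { name: "public site", endpoint: "www.example.com",           intranet: false },
];

console.log(findBrokenOverDirectAccess(SAMPLE_INVENTORY));
```

Endpoints reported here need either a DNS name inside a tunneled namespace or an additional suffix rule before remote users can reach them.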
RE: Anyone using Forefront UAG and Direct Access
I won't say DirectAccess is just another VPN, because it isn't, but it is a VPN technology with pretty robust security. It isn't an easy setup, as it requires working with IPv6 and certificates, however, once it is running, it is really slick in operation. Just connecting your laptop to the Internet and being instantly able to map corporate file shares and open intranet web apps or RDP sessions is great. Downsides to it are that not everything works with it, as not everything plays nice with IPv6, and the hardware requirements are more significant than for a traditional IPsec VPN. It also only works with Windows 7 clients. Microsoft has enhanced security on their DirectAccess implementation by requiring their people to use smart cards for DirectAccess authentication. We may do that as well. I can say that everyone using my DirectAccess POC setup is liking it so far. Because of its "always on" nature, I think it will be a great boon to our management of remote computers (they will always be connected for patching, AV updates, inventory, etc.). -Malcolm From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] Sent: Friday, July 23, 2010 14:51 To: NT System Admin Issues Subject: Anyone using Forefront UAG and Direct Access Thoughts? Is it a big security hole? Luke L. Brumbaugh Network Engineer Butler Animal Health Supply Ph:(614) 659-1736
RE: Internet Proxy - Group Policy Question
How do you have the proxy defined? What browser are you using? There are ways to configure the proxy setting so the same setting will work on or off your network. -Malcolm From: Gavin Wilby [mailto:gavin.wi...@gmail.com] Sent: Monday, July 12, 2010 07:38 To: NT System Admin Issues Subject: Re: Internet Proxy - Group Policy Question No one else uses the proxy outside of the office, as he is the only one with a domain connected laptop. All other users are static. Gavin. On Mon, Jul 12, 2010 at 1:21 PM, Maglinger, Paul pmaglin...@scvl.com wrote: And other users are able to connect just fine when they are out of the office? Is he running the local firewall on his system and possibly blocked your proxy? From: Gavin Wilby [mailto:gavin.wi...@gmail.com] Sent: Monday, July 12, 2010 7:16 AM To: NT System Admin Issues Subject: Re: Internet Proxy - Group Policy Question Hi Paul, At the moment it's one user yes, the problem occurs when he leaves the Company LAN, so he then loses his Internet regardless of the network he uses. On Mon, Jul 12, 2010 at 12:57 PM, Maglinger, Paul pmaglin...@scvl.com wrote: So this is just the one user and is it anywhere he uses it where he's not in your building, or is it a problem just where he is staying? From: Gavin Wilby [mailto:gavin.wi...@gmail.com] Sent: Monday, July 12, 2010 6:08 AM To: NT System Admin Issues Subject: Internet Proxy - Group Policy Question Good Afternoon all, I have a quick question regarding Internet proxies. I have a site that has a GPO that forces all users to run through the Message Labs proxy server. The policy forces it so it cannot be turned off, and there are one or two exceptions in that policy. Now this is all well and good right up until the point that one of the users (a director) takes his laptop out of the building, and then disappears abroad with it without telling us. The internet then stops working for him, as I'm guessing that it's trying to use a proxy server that it can neither find, nor authenticate to.
Due to the policy being forced he, as an end user, can't turn it off, and we have resorted to manually changing the registry to get it working again. The GPO mentioned above is of course a USER based policy, so I can't omit his laptop from it, and although I could omit HIM from it, I don't really want to, as it means he has free rein on every PC he logs into. No doubt I'm missing something blindingly obvious here, but what's going to be the best solution? -- Gavin Wilby, Twitter: http://twitter.com/gavin_wilby GSXR Blog: http://www.stoof.co.uk
RE: Internet Proxy - Group Policy Question
That's what I was getting at. Very easy to publish wpad.dat or proxy.pac via DHCP option 252 to all clients. Make sure you point to the wpad.dat/proxy.pac by FQDN, not IP, so the proxy is gracefully ignored when the PC is off the corporate network. -Malcolm -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Monday, July 12, 2010 09:27 To: NT System Admin Issues Subject: Re: Internet Proxy - Group Policy Question IMHO, this is not the most effective way of going about it. I would instead force IE (and, if you can, any other browsers) to automatically detect proxy settings, then set up http://wpad.example.com/wpad.dat, then configure wpad.dat with the settings you want. That way, if the above URL isn't available - because they're outside your perimeter, for example - then the browser is free to go direct, and not use the proxy. Kurt On Mon, Jul 12, 2010 at 04:08, Gavin Wilby gavin.wi...@gmail.com wrote: Good Afternoon all, I have a quick question regarding Internet proxies. I have a site that has a GPO that forces all users to run through the Message Labs proxy server. The policy forces it so it cannot be turned off, and there are one or two exceptions in that policy. Now this is all well and good right up until the point that one of the users (a director) takes his laptop out of the building, and then disappears abroad with it without telling us. The internet then stops working for him, as I'm guessing that it's trying to use a proxy server that it can neither find, nor authenticate to. Due to the policy being forced he, as an end user, can't turn it off, and we have resorted to manually changing the registry to get it working again. The GPO mentioned above is of course a USER based policy, so I can't omit his laptop from it, and although I could omit HIM from it, I don't really want to, as it means he has free rein on every PC he logs into. No doubt I'm missing something blindingly obvious here, but what's going to be the best solution?
-- Gavin Wilby, Twitter: http://twitter.com/gavin_wilby
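The wpad.dat approach suggested in this thread, as an added example that is not part of the original posts. It assumes the proxy and wpad names resolve only in internal DNS; `proxy.example.com:8080`, the bypass suffix and the helper stand-ins in the second half are hypothetical, and `wpad.example.com` is the name used in the thread.

```javascript
// Added example: a wpad.dat / proxy.pac body, followed by Node stand-ins for
// the browser-supplied PAC helpers so the logic can be checked offline.

// ---- Body of wpad.dat (old JScript-compatible syntax, as IE requires) ----
var PROXY_HOST = "proxy.example.com";       // hypothetical placeholder
var PROXY = "PROXY " + PROXY_HOST + ":8080";
var BYPASS_SUFFIXES = [".example.com"];     // intranet names are fetched directly

function FindProxyForURL(url, host) {
  var i;
  host = host.toLowerCase();
  // Single-label and intranet names never go through the filtering proxy.
  if (isPlainHostName(host)) { return "DIRECT"; }
  for (i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (dnsDomainIs(host, BYPASS_SUFFIXES[i])) { return "DIRECT"; }
  }
  // A cached copy of this file may still be in use off the LAN. If the
  // proxy's name no longer resolves, do not hand the browser a dead proxy.
  if (!isResolvable(PROXY_HOST)) { return "DIRECT"; }
  // On the LAN there is no DIRECT fallback, so a proxy outage fails closed.
  return PROXY;
}

// ---- Stand-ins for the PAC helpers (testing only, not part of wpad.dat) ----
var INTERNAL_ONLY_NAMES = { "wpad.example.com": true, "proxy.example.com": true };
var onCorpLan = true;

function setOnCorpLan(value) { onCorpLan = value; }

function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function isResolvable(host) {
  // Internal-only names resolve on the LAN; other names resolve anywhere.
  return INTERNAL_ONLY_NAMES[host] === true ? onCorpLan : true;
}

// Model of a browser set to auto-detect: if wpad.dat cannot be located by
// name, there is no script to run and the browser connects directly.
function browserDecision(url, host) {
  if (!isResolvable("wpad.example.com")) { return "DIRECT"; }
  return FindProxyForURL(url, host);
}
```

Only the first section belongs in the published file. Off the LAN the laptop browses unfiltered, which is the trade-off this design accepts.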
RE: Management of laptops
McAfee has a product called Site Advisor. It has an optional web filtering plugin that lets you set a PC-based filter policy for web browsing. The filtering is pretty effective (the policy lives on the PC and it does URL categorization lookups to a McAfee server over the Internet). It works as a browser helper object on IE or as a plug-in on Firefox, so a determined user could get around it. -Malcolm From: Tom Miller [mailto:tmil...@hnncsb.org] Sent: Friday, July 09, 2010 15:00 To: NT System Admin Issues Subject: Management of laptops Folks, Any suggestions on products to manage laptops? We have a number of nomadic users who use their issued laptops with aircards. Sometimes they have a wired or wireless connection, but not at any of my locations (these staff work off-site). Staff don't have much access, they are all users. I am looking for a product whereby I can enforce similar content filtering/web surfing filtering as my corporate firewalls. I assume I'd need some sort of client for the laptops that would occasionally check in to a central system for updates. We are a Fortinet shop, and I'm looking at the Forticlient, but am looking at alternatives. We have an issue with viruses on these machines (usually blocked, but I get the notices), and that's usually from staff going to web sites that would be blocked at the corporate level. Suggestions appreciated. Tom
RE: ISA 2006 with GFI WebMonitor 2009
I haven't used GFI, but have used a similar product. Do you have the proper ISA rules in place to allow GFI to communicate with its administrative console and its category download server? -Malcolm From: Farhan Khan [mailto:xs2far...@gmail.com] Sent: Thursday, June 17, 2010 05:42 To: NT System Admin Issues Subject: ISA 2006 with GFI WebMonitor 2009 Hi, I have GFI WebMonitor installed on my ISA Std 2006. After just setting up GFI, it stopped categorizing sites. Like when I blocked news and sports, it didn't block any of the sites, and on the report it said that cnn.com and other news sites are uncategorised. GFI updated itself only once when I installed it last week and it's not updating again. Regards Farhan
RE: Virtualisation structural question
I would prefer to run the host as VM host only. I would also create 3 VMs - DC, file, Exchange. I don't like to mix file services in to a domain controller as it creates security administration issues. -Malcolm From: Oliver Marshall [mailto:oliver.marsh...@g2support.com] Sent: Monday, June 14, 2010 06:15 To: NT System Admin Issues Subject: Virtualisation structural question Hi chaps. Can I kick some thoughts around here and look for some comments? We have a few old servers that we need to upgrade to new versions. Basically we will be upgrading several Windows 2003 servers running file services, AD and Exchange 2003. We will be replacing these with 2008 64bit R2 servers running Exchange 2010. As running Exchange 2010 on a DC isn't recommended (though it appears that it isn't not-supported as such) we are looking at having two servers; one for AD and file roles and one for Exchange roles. Clearly this lends itself to virtualisation quite nicely with both 'servers' running on a parent host. The question is really this: Should the AD/File roles run in a VM or on the parent host itself, with Exchange being a child VM on the parent host?
So this;
Physical Host: VM-HOST1; Roles: Hyper-V Host; Domain: Workgroup
VM Name: AD-1; Role: DC/GC/FILE; Host: VM-HOST1; Domain: MYDOMAIN
VM Name: EX-1; Roles: Exchange 2010; Host: VM-HOST1; Domain: MYDOMAIN
Or this;
Physical Host: VM-HOST1; Roles: Hyper-V Host, DC/GC/FILE; Domain: MYDOMAIN
VM Name: EX-1; Roles: Exchange 2010; Host: VM-HOST1; Domain: MYDOMAIN
My feeling is that the former is neater, that is with both the AD server and the Exchange server being VMs on a parent host, than the latter. Any suggestions? How are you chaps structuring things? Olly
RE: Heres a weird one - customer wants to give domain admin rights to non domain admin group members.
Group Policy Preferences will let you just add members to the local Administrator group without disturbing the existing contents of that group. -Malcolm From: Graeme Carstairs [mailto:loonyto...@gmail.com] Sent: Thursday, June 10, 2010 11:14 To: NT System Admin Issues Subject: Re: Heres a weird one - customer wants to give domain admin rights to non domain admin group members. I have used restricted groups before and would not be keen to use them on servers. Further discussions with the client and he revealed it was a hypothetical from HR as to whether or not it could be done. Thanks for all the suggestions. Graeme On 10 June 2010 16:55, Alan Davies adav...@cls-services.com wrote: First - do not use Restricted Group on your servers without understanding it. You'll most likely strip out every service account in one quick step and break your entire business!! Second - yes, you can just create a domain group and have that added to local Administrators groups on every server via GPO (could be a script, could be Restricted Groups ... latter a better option, but see earlier warning!). However, if you're looking at a user and they're not a Domain Admin but you're worried they could possibly have admin on servers or on AD services, you're out of luck. There are a million sneaky ways they could have added themselves or a sneaky group to various ACLs on servers, in AD, in all sorts of devious places. If you're hugely concerned and they need to still have access for some time, create a new account with no privs and have them use that once you've disabled the other account. It's the only way. However .. if they know service account passwords, etc., then they can get access back that way too ... a From: Graeme Carstairs [mailto:loonyto...@gmail.com] Sent: 10 June 2010 14:57 To: NT System Admin Issues Subject: Re: Heres a weird one - customer wants to give domain admin rights to non domain admin group members. yeh that's what I thought.
I think they are wanting to make sure that if someone had the admin account they couldn't set themselves up with full domain admin rights, without having the account in the domain admin and local admin groups. It's a security check thing, I think they are preparing to remove someone or someone is leaving who had domain admin rights on a second admin account and want to be sure they haven't set anything else up. I'll check the GPOs Graeme On 10 June 2010 14:52, James Rankin kz2...@googlemail.com wrote: or do you mean have admin rights without belonging to the local administrators group? You could easily give them all permissions and user rights normally restricted to Administrators, but that would kind of defeat the entire object of having the administrators group in the first place. On 10 June 2010 14:47, Graeme Carstairs loonyto...@gmail.com wrote: I have been asked by a customer if on their 2003 AD domain it is possible for someone to have admin rights to the servers and not be a member of domain admins and local admin groups on member servers. Anyone know if it can be done? Graeme -- Good news everyone, you have just received an e-mail from me! -- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
RE: OTish: Wireless network configuration
Do you do anything to prevent random people outside your office from connecting to your guest wireless network? -Malcolm -Original Message- From: Joe Tinney [mailto:jtin...@lastar.com] Sent: Tuesday, June 08, 2010 21:21 To: NT System Admin Issues Subject: RE: OTish: Wireless network configuration While I'm not the one that configured them, our Cisco wireless access points are configured with two SSIDs: one on a VLAN that goes to our transparent proxy and without access to our other networks and the other on a VLAN that functions just like our client wired network segment. The first one is an open Guest network and the latter is WPA2 secured. I'm not sure what your network devices would enable you to do but this has been a rock solid configuration for us. -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Tuesday, June 08, 2010 7:29 PM To: NT System Admin Issues Subject: OTish: Wireless network configuration All, We've got a decent wireless network at $WORK, but I'm dissatisfied with it, because it lacks good guest access. We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently are in our HP 3400cl layer 3 switch on our production network. There's a single SSID across all of them, and I've got them all configured on a single VLAN. Works great, but as mentioned there is no guest access. I could just stick them all physically outside our firewall, and give the wireless users an IPSec VPN client, but I really would prefer not to do that. I've been doing some reading, but don't have a good handle on how to move to a configuration that would work well - without the VPN, that is. I'm casting about for ideas - anyone have a solution they like? Preferably without spending tons of money, of course. Kurt
RE: Windows SBS 2003 User right
The owner's account is an administrator on the SBS server, isn't it? That's the problem. http://support.microsoft.com/?kbid=907434 -Malcolm From: Cesare' A. Ramos [mailto:cra...@idfllc.com] Sent: Wednesday, June 09, 2010 10:59 To: NT System Admin Issues Subject: Windows SBS 2003 User right To all: Have a quick question for you all. We have a new client that is running Windows SBS 2003 with BES on the same server, not our choice and we will be changing this. In the interim though there is one user, the owner nonetheless, that the BlackBerry Administrator user keeps losing the 'Send As' and 'Read' rights thus the user then cannot reply to messages. We log in enable the rights, restart BB Router service and all begins to work. Within 30 minutes, the rights are lost again. We have edited templates and such for user and group rights but have not had success in keeping change static. Any thoughts. Sincerely, Cesare' A. Ramos
RE: Server Core
I've always struggled with the point of Core. Core sounds appealing, until you consider it doesn't save much patching and it requires a different support model. I had a long discussion with a senior MCS guy about whether Core was a fit for us and one of the things he said stuck with me, that many MCS consultants mostly saw Core as a Microsoft answer to single-purpose Linux boxes in the data center (for example, running DHCP or DNS). -Malcolm -Original Message- From: Free, Bob [mailto:r...@pge.com] Sent: Thursday, June 03, 2010 16:41 To: NT System Admin Issues Subject: RE: Server Core What is interesting is if you talk to the product group and PSS the adoption of Server Core, and RODC for that matter, is abysmal, particularly based on all the desire for the features from customers and the amount of dev that went into them. Less than 10% of expectations I was told. Those I have heard speak about it are pretty disappointed considering that 80% of the AD dev time in the 2K3 timeframe was devoted to Branch Office functionality - functionality that customers were screaming for -Original Message- From: Chris Blair [mailto:chris_bl...@identisys.com] Sent: Thursday, June 03, 2010 12:58 PM To: NT System Admin Issues Subject: RE: Server Core They sure push Server Core hard in the 70-640 test. -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, June 03, 2010 2:56 PM To: NT System Admin Issues Subject: Re: Server Core Interesting, and good to know. Still, the more they can support on core, the better, IMHO.
On Thu, Jun 3, 2010 at 12:48, Free, Bob r...@pge.com wrote: Remember the purpose of core was not to be an application platform but to “provide a minimal environment for running specific server roles that reduces the maintenance and management requirements and the attack surface for those server roles.” http://www.microsoft.com/windowsserver2008/en/us/r2-compare-core-installation.aspx Caveat to the snippet below- R2 now supports 11 roles rather than the original 9 and we also have .NET now but the underlying message is the same- From http://technet.microsoft.com/en-us/library/dd184076.aspx Consider again the nine server roles you can install on Server Core: AD DS, AD LDS, DNS, DHCP, File Services, Print Services, Streaming Media Services, Web Server (IIS), Hyper-V. This list of roles should immediately suggest some possible usage scenarios for Server Core within your organization. Here are some ways that you could use Server Core to make your network more secure, more reliable, easier to manage, and easier to maintain: Infrastructure servers. Domain controllers, DHCP servers, and DNS servers are the backbone of your network. Running these roles on Server Core can strengthen this backbone in every way. Branch office servers. Because Server Core installations are more secure and require fewer software updates than Full installations, they are ideal for use in remote locations, such as branch offices where you have few (or no) information technology (IT) staff and less physical security than at your head office location. For example, you might deploy a Server Core installation as a read-only domain controller with BitLocker for added security at a branch office. Server consolidation and testing. Because Hyper-V is a supported role on Server Core, you can use Server Core to consolidate multiple servers onto a single system while still keeping them isolated. This can help lower your TCO by reducing your hardware requirements and your power, cooling, and management costs.
Server Core running Hyper-V also provides a convenient environment for deployment testing. Extending hardware life. Because Server Core has lower disk and memory requirements than Full installations, you may be able to get more life out of old systems. For example, when you need to upgrade your e-mail or database servers, those boxes could be moved down the line to become network infrastructure servers running Server Core. Non-Usage Scenarios What shouldn't you use Server Core for? The main thing to understand is that Server Core is intended to run only the nine server roles listed previously. Nothing else. In other words, Server Core can't be used as a platform for running server applications such as Exchange Server, Microsoft SQL Server, or third-party server applications like SAP. You also can't use it for running Microsoft Office System applications or Microsoft Office SharePoint Server. And you can't (or at least shouldn't) use it to run custom applications you've developed in-house. In short, Server Core is not an application hosting platform. -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, June 03, 2010 11:31 AM To: NT System Admin Issues Subject: Re: Server Core Uh, So what needs a GUI on top? On Thu, Jun 3, 2010 at
RE: Server Core
I know you can run the SCCM 2007 SP2 client and the latest SEP client on Core. I would be a bit surprised if some of those other 3rd-party clients support Core, though. Additionally, I’d ask what you are trying to accomplish by running all your DCs on Core. I’m not sure the small reduction in attack surface or in patch requirements is worth the support issues and reduced functionality in many cases. -Malcolm From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Friday, June 04, 2010 07:34 To: NT System Admin Issues Subject: Re: Server Core I've been reading this thread pretty closely since we will be bringing up a 2008 test domain very shortly. My thoughts were to do Core for all the DCs. My concern now is all the client/Agent software that the current DCs require. For example: Adiscon client, Asset Insight client, Blue Coat proxy agent, Big brother agent, SCCM/SMS client, SAV/SEP Antivirus client, TSM client. Will any of these run on Core? Love to hear from someone who has gone through this. Thanks, Chris Bodnar, MCSE Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 From: David Lum david@nwea.org To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Date: 06/03/2010 02:19 PM Subject: Server Core Would I be correct in telling my fellow SE’s that Server Core typical uses are remote DC (along with RODC), hyper-V hosts and web servers? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: setting up 2008 server for remote office
Yes, no reason to create a new domain. I'd build the new server at the main office and join it to the domain. There should be no issue with then moving it to the new office and giving it a new IP address. -Malcolm From: Brian Desmond [mailto:br...@briandesmond.com] Sent: Wednesday, June 02, 2010 13:28 To: NT System Admin Issues Subject: RE: setting up 2008 server for remote office I'd definitely use the existing domain. Communication between subnets will happen by way of the router/firewall device handling the VPN tunnel. Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 From: Mei Ling Gallagher [mailto:meili...@newsys.com.au] Sent: Wednesday, June 02, 2010 1:23 PM To: NT System Admin Issues Subject: setting up 2008 server for remote office Hi all, My client is setting up their new remote office. The main office has a Windows 2003 DC with the subnet of 192.168.2.x. The remote office will be set up with a Windows 2008 R2 server and a subnet of 192.168.3.x. Some users in the remote office will need access to some data from the main office server. VPNs are used for the connectivity between these two sites. Would I be better to join the 2008 server to the current 2003 domain or set up a brand new domain with a trust relationship?? The physical 2008 server is currently in the main office. If I choose the first option, should I run it up as a member server before moving it to the remote office then join it to the 2003 domain?? Will this server be able to make contact with the 2003 server as they are on different subnets? Any help would be appreciated. Thanks in advance. Mei Ling
RE: Web based scanning tool
Sounds like maybe something from http://www.onguardonline.gov? I don't think the more technical sites http://csrc.nist.gov or http://www.us-cert.gov will have online tools like that. -Malcolm From: David McSpadden [mailto:dav...@imcu.com] Sent: Friday, May 28, 2010 07:35 To: NT System Admin Issues Subject: Web based scanning tool A long while ago there was a .gov site that had a web based scanner. It would scan your pc and then give you the recommended security settings to be compliant. It had an NT scanner, 2000 scanner, and an XP scanner. I can not for the life of me remember it right now. Nist.gov or frc.gov or something official sounding..
RE: What's your requirement to allow a user DA?
+1 on the separate accounts. We try to keep Domain Admins to as small a number as possible and we don't allow anyone to use their Domain Admin account to do regular work (such as email, web browsing, etc.). Keeping the number of DAs to a minimum also minimizes the number of people able to screw things up for everyone (not that any of us or our coworkers would do that) and the number of people who have full access to everyone's data, both on workstations and servers, including sensitive stuff that IT doesn't need to see.

-Malcolm

-Original Message-
From: Salvador Manzo [mailto:ma...@usc.edu] Sent: Thursday, May 27, 2010 14:02 To: NT System Admin Issues Subject: RE: What's your requirement to allow a user DA?

In addition, use Restricted Group GPOs as much as possible if distributed local administration of machines is required. Personally, I would go a step further and separate admin level accounts of any kind from the normal, day-to-day logins. So, for example, at a minimum

Joe Employee
Jemployee (normal login, same user rights as everyone else on the network)
Jemployee_admin (elevated account, either Domain Admin or what have you)

This will reduce your exposure when doing things daily, but does require that people not circumvent it in the name of ease of use (or, what I would call laziness.)

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com] Sent: Thursday, May 27, 2010 11:55 AM To: NT System Admin Issues Subject: Re: What's your requirement to allow a user DA?

My thoughts: No domain admins unless there is no other way to do what you need to. If they need to do AD administration, use LDAP OU ACLs aka delegation. They should only get permissions delegated to them if AD management is part of their duties.

On 5/27/2010 1:39 PM, David Lum wrote:

What are your guys' prerequisites on someone having a Domain Admin account - assume a medium or large company and 4-5+ Systems Engineers. Previously here they've just had every new SE hire be domain admin, I'm thinking it's time to change that practice but I'll need some ammo and a plan before I have any hope of changing this. My thinking is along the line of need to know what's going in this AD structure as well as being proficient in all things AD, etc. Thoughts comments? I'm thinking there should only be 2-3 DA accounts max per domain max.

-- Phil Brutsche p...@optimumdata.com
RE: Big Changes Ahead for IT - Anyone seen this?
Same here. Who calls IT “data processing” anymore? ;-)

-Malcolm

From: Free, Bob [mailto:r...@pge.com] Sent: Wednesday, May 26, 2010 13:25 To: NT System Admin Issues Subject: RE: Big Changes Ahead for IT - Anyone seen this?

+1 brings up very old memories :-]

From: Don Kuhlman [mailto:drkuhl...@yahoo.com] Sent: Wednesday, May 26, 2010 10:41 AM To: NT System Admin Issues Subject: Re: Big Changes Ahead for IT - Anyone seen this?

I like that one - I learned it the other way around :0

All          Application
People       Presentation
Seem         Session
To           Transport
Need         Network
Data         Data/LLC
Processing   Physical

Don K

_
From: greg.swe...@actsconsulting.net greg.swe...@actsconsulting.net To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Sent: Wed, May 26, 2010 12:25:09 PM Subject: RE: Big Changes Ahead for IT - Anyone seen this?

Please    Physical
Do        Data/LLC
Not       Network
Throw     Transport
Sausage   Session
Pizza     Presentation
Away      Application

You will never fail the basic again. Now what each does.. :)

From: David Lum [mailto:david@nwea.org] Sent: Wednesday, May 26, 2010 1:20 PM To: NT System Admin Issues Subject: RE: Big Changes Ahead for IT - Anyone seen this?

I would fail the OSI part (sure I could Google it just now) as it was back in the NetWare days that I learned about it in a class. Heard of it, does that count? 27-bit subnet? Not off the top of my head, I’d have to think “okay a .128 mask is 25 bits…”.

I can explain DNS and forwarding, MX records, Aliases, HOSTS file, DHCP incl. reservations, and give you “jack of all trades” firewall info, conceptualize memory protection rings, and go to town on registry, AD and GPO design as well as give examples of being able to handle a near vertical learning curve. Am I hired?

The way I view being an IT guy is day in and day out I’m not necessarily using $30/hr expertise, but there are spikes where I feel I surpass the “I’ve got certs but no real IT skills” Joe at figuring something out and at those times worth 2-3x my nominal salary so on balance it works out. That’s my story I’m stickin’ to it.

From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Wednesday, May 26, 2010 9:22 AM To: NT System Admin Issues Subject: RE: Big Changes Ahead for IT - Anyone seen this?

It’s kinda funny that you mention the OSI model, since there are any number of people here that will dismiss it as irrelevant (personally I think that it’s very relevant to know if you want to advance in an IT career)

Corporations, in an ever ending quest to cut costs (or at least, regulate costs) will not continue to pay ludicrous amounts of money for the dross that the IT industry produces. There are far too many people being paid inflated salaries in this industry, without being able to deliver tangible/measurable results. One only needs to look at project delivery in large corporations, and at the small end, the dedicated people who manage to do tasks in a manual manner (this list included has people who have the time to spend working out the best way to do some task for an individual user, yet they must get paid $30-60k, which no other industry would accept).

As the industry matures there simply will not be the opportunity for mediocrity to survive, just like every other mature industry. If you are merely average, you’ll earn an average salary, and you won’t be part of “IT” – or you might be part of an IT provider conglomerate. If you want to be a 6-7 figure earner, then you’ll need to provide ever increasing levels of business value, just like every other industry (with the possible exception of Sales, where a really good pitch can make up for lack of substance, but let’s not confuse sales and delivery :) )

Cheers Ken

From: Steven M. Caesare [mailto:scaes...@caesare.com] Sent: Wednesday, 26 May 2010 11:39 PM To: NT System Admin Issues Subject: RE: Big Changes Ahead for IT - Anyone seen this?

I’ve dismissed more network candidates than I can remember because they couldn’t calculate the number of hosts in a subnet. Or had even heard of an OSI model. Systems “Engineers” who are at a loss to even at a high level explain the ideas of process, threads, memory protection, etc… Windows Admins who are clueless about registry interaction, CMD line tools, authorization principles, environment variables, etc… Tis sad.

-sc

From: David Lum [mailto:david@nwea.org] Sent: Wednesday, May 26, 2010 11:07 AM To: NT System Admin Issues Subject: RE: Big Changes Ahead for IT - Anyone seen this?

Slide 10 actually nails what I see: “Technology and confidence in the workforce is broadening but losing its depth
RE: Deploying windows 7 - Anti Virus
Whitelisting via simple GPO without AppLocker is only of limited effectiveness, unfortunately. You can, for instance, get around it by starting a rogue app from the command prompt or by renaming it to match a whitelisted app. I definitely agree with the suggestion to turn off AutoPlay.

-Malcolm

From: helpdesk UK [mailto:uk.helpd...@gmail.com] Sent: Tuesday, May 25, 2010 09:45 To: NT System Admin Issues Subject: Re: Deploying windows 7 - Anti Virus

Thank you James for the reassurance. As for the GPO team I don't know why I did not bother asking the details

cheers Peter

On 25 May 2010 15:19, James Rankin kz2...@googlemail.com wrote:

Why would the GPO team be scratching their heads? If you know the applications in use, it is fairly easy to create an application whitelist. It's also very easy to update when something is missed - the full path to the executable that is blocked is written to the event log and can be updated fairly quickly. We have over 200 entries in our whitelist here already - and there's only me that manages the Group Policy Objects.

I've never tried running Windows Defender with SEP. The point I am driving at is that antivirus is a primarily reactive technology, so it won't protect you from unknown executables that users bring in on memory sticks. It also won't protect you from executables you don't want on your network but that aren't viruses (there are more of these than you'd think). Whitelisting is probably the only way to keep yourself from this problem, and disabling the AutoPlay function is vital to keep the Conficker and its ilk away. There are many other things you could do to implement whitelisting, but if it's a Windows domain then I've always found the GPO route to be the quickest and easiest to put in place.

On 25 May 2010 15:08, helpdesk UK uk.helpd...@gmail.com wrote:

Thank you for your input. For this network they have used various technologies as well but I did not cover all of them in here. Emails web are filtered centrally by the education grid network. WSUS is being used as well. The GPO team are already scratching their heads as the school has more than 140 apps. :( Unfortunately the school does not have lic for the enterprise product or they could use app locker.

How about Windows Defender which runs in the background will that interfere with the AV or will that get auto disable as soon as you install the SEP. I have never tried to deploy two AV solutions on the same desktop but did think it would not work.

cheers Peter

On 25 May 2010 11:18, James Rankin kz2...@googlemail.com wrote:

You would do well to implement an application whitelisting GPO and also use a GPO to disable AutoPlay. This should mitigate a lot of the threat from USB keys. GPOs can also be used to block out access to CD and tape drives, should they be present.

SEP is my least favourite AV product. I use Vipre and it is easier, lighter, and cheaper. SEP gave me a major headache with logoff delays and a very non-intuitive console. YMMV.

Rather than doubling up your AV you'd be better off with a defense-in-depth strategy. Multiple AV products tend to conflict with each other (and the MSRT really isn't an AV product anyway). We use an IronPort for email filtering, Vipre for AV, application whitelists to protect from unknown hostile code, mandatory profiles to limit user's ability to mess with their desktops, WebSense to protect from hacked websites, WSUS and AD for patch management, and GPOs to manage most of the user environment and filesystem. What gets past one layer, gets caught by another.

On 25 May 2010 11:09, helpdesk UK uk.helpd...@gmail.com wrote:

I have been tasked with deploying Windows 7 professional at a site. I am still trying to learn the new features available in Windows 7 so please bear with my ignorance. :( I am trying to formulate the list of applications which need to be part of the build when I reached the Anti virus section I decided to post here for everyone's input. The choice of AV is Symantec End Point Protection.

Query:

1. Has anyone had any known issues with this product ? i.e. ( using it / deployment problems )
2. Can I / Should I deploy any other product from Microsoft including this AV product. ( second line of defence )

For example: Malicious Software Removal Tool http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

If I install the MSRT does it actually scan periodically automatically or does it require a central configuration Console ? Or any other utilities which can help.

The reason I am being so paranoid about this as it is a school environment and kids have USB sticks brought from home which are generally infected. We cannot stop them either as they take course
RE: Domain membership change
There's not a specific event for Domain Admins group membership. You'll have to look for the 632 security event and filter on the description containing substring Domain Admins.

-Malcolm

From: David Lum [mailto:david@nwea.org] Sent: Monday, May 24, 2010 16:03 To: NT System Admin Issues Subject: Domain membership change

If I wanted to get notified anytime a user is added to say, Domain Admins, what's the best way to go about this? Is there an EventID I can look for?

David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Domain membership change
Good catch. Different event ID (4728); still have to parse the event parameters for the group name, though.

-Malcolm

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Monday, May 24, 2010 16:45 To: NT System Admin Issues Subject: RE: Domain membership change

Pre windows 2008. For windows 2008 and after, the event id changes. See http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632 And related entries.

Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com

From: Malcolm Reitz [mailto:malcolm.re...@live.com] Sent: Monday, May 24, 2010 5:38 PM To: NT System Admin Issues Subject: RE: Domain membership change

There's not a specific event for Domain Admins group membership. You'll have to look for the 632 security event and filter on the description containing substring Domain Admins.

-Malcolm

From: David Lum [mailto:david@nwea.org] Sent: Monday, May 24, 2010 16:03 To: NT System Admin Issues Subject: Domain membership change

If I wanted to get notified anytime a user is added to say, Domain Admins, what's the best way to go about this? Is there an EventID I can look for?

David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
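The filter discussed in this thread, as an added example that is not part of the original messages: a Python sketch that scans exported Security-log XML for events 632 and 4728 and matches the group name in the event parameters exactly, so a lookalike group name does not raise an alert the way a description substring match would. The sample events, account names, and the handling of unnamed legacy parameters are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 632 = pre-2008 event ID, 4728 = 2008 and later (both named in the thread).
MEMBER_ADDED_IDS = {632, 4728}
WATCHED_GROUPS = {"Domain Admins"}

# Constructed sample export (assumption: events wrapped in one root element).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4728</EventID>
  <TimeCreated SystemTime="2010-05-24T21:45:10Z"/></System>
 <EventData>
  <Data Name="MemberName">CN=Jemployee_admin,CN=Users,DC=example,DC=test</Data>
  <Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
  <Data Name="TargetUserName">Domain Admins</Data>
  <Data Name="SubjectUserName">helpdesk1</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4728</EventID>
  <TimeCreated SystemTime="2010-05-24T21:50:00Z"/></System>
 <EventData>
  <Data Name="MemberName">CN=auditor1,CN=Users,DC=example,DC=test</Data>
  <Data Name="TargetUserName">Domain Admins Audit Readers</Data>
  <Data Name="SubjectUserName">helpdesk1</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID>
  <TimeCreated SystemTime="2010-05-24T21:51:00Z"/></System>
 <EventData><Data Name="TargetUserName">Jemployee</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>632</EventID>
  <TimeCreated SystemTime="2010-05-24T22:03:41Z"/></System>
 <EventData>
  <Data>CN=Jemployee,CN=Users,DC=example,DC=test</Data>
  <Data>Domain Admins</Data>
  <Data>EXAMPLE</Data>
 </EventData>
</Event>
</Events>"""


def _fields(event):
    """Split an event's parameters into named and unnamed values."""
    named, unnamed = {}, []
    for data in event.iterfind("e:EventData/e:Data", NS):
        value = (data.text or "").strip()
        if data.get("Name"):
            named[data.get("Name")] = value
        else:
            unnamed.append(value)
    return named, unnamed


def find_group_additions(xml_text, groups=WATCHED_GROUPS):
    """Return one dict per member-added event that targets a watched group.

    Parse only exports you produced yourself; for untrusted XML use a
    hardened parser such as defusedxml instead of ElementTree.
    """
    wanted = {g.lower() for g in groups}
    hits = []
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        id_text = event.findtext("e:System/e:EventID", default="", namespaces=NS)
        id_text = id_text.strip()
        if not id_text.isdigit() or int(id_text) not in MEMBER_ADDED_IDS:
            continue
        named, unnamed = _fields(event)
        if named:
            # Named parameters: the group is in TargetUserName.
            group = named.get("TargetUserName", "")
            member = named.get("MemberName") or named.get("MemberSid")
            actor = named.get("SubjectUserName")
        else:
            # Assumption: legacy exports may carry unnamed parameters, so
            # accept the event if any single value equals a watched group.
            group = next((v for v in unnamed if v.lower() in wanted), "")
            member, actor = None, None
        if group.lower() not in wanted:
            continue  # exact match only; lookalike group names are ignored
        when = event.find("e:System/e:TimeCreated", NS)
        hits.append({
            "event_id": int(id_text),
            "group": group,
            "member": member,
            "actor": actor,
            "time": when.get("SystemTime") if when is not None else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_group_additions(SAMPLE_EVENTS):
        print(hit)
```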
RE: script SSID for wireless configs
Jenny, is that you?

-Malcolm

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Friday, May 21, 2010 17:14 To: NT System Admin Issues Subject: Re: script SSID for wireless configs

On Fri, May 21, 2010 at 15:08, Ben Scott mailvor...@gmail.com wrote:

On Fri, May 21, 2010 at 2:23 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:

And with that, let the soapboxing begin...

On that note: It is important to remember that wireless is inherently a broadcast medium. So everyone around you is always receiving *everything* you transmit. What matters is how you protect what you transmit. :)

It's like a bunch of people standing in a room together. If you say, Hey, Ben, your shoe is untied, most other people in the room aren't going to bend down to tie their shoes, too. But they'll still hear what you said to me. That is what things like hidden SSIDs and MAC address filtering do.

If you say, Hey, Ben, seven six two three nine four eight five one nine six, everyone again knows you said something to me, but they don't know *what* unless they know the code. That is encryption.

-- Ben

What about eight six seven five three zero nine? Hm? Is that encryption?
RE: enforcing preferred DC
Your Windows 2000 clients won't be able to read the WMI filters no matter what DC they authenticate to. The Vista clients should be fine regardless of which DC authenticates them - WMI filters are not a new Windows 2008 function. If the Vista clients aren't getting policies when they authenticate to Windows 2003 DCs, check replication.

-Malcolm

-Original Message-
From: Juned Shaikh [mailto:jsha...@gmail.com] Sent: Thursday, May 20, 2010 13:36 To: NT System Admin Issues Subject: enforcing preferred DC

Hello: We have recently upgraded Windows 2003 to Windows 2008 DCs and it seems that most workstations (mostly vista with few W2k) are inadvertently connecting to legacy Win2k3 DCs and it seems that some of the GPOs with WMI filters are not working. Where are the options in the GPO, where I can mention i.e. DC1, DC2, DC3 and DC4 only.

Thank you
RE: Scripting IP Changes on remote devices
There are places that prefer not to enable DHCP on server subnets for security reasons. Also, managing DHCP reservations will be a non-trivial operational workload in a dynamic data center.

-Malcolm

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Tuesday, May 18, 2010 11:52 To: NT System Admin Issues Subject: Re: Scripting IP Changes on remote devices

+1

If you are going to do the work of manually configuring specific IP addresses, why not do it in a way that is centrally manageable? Although you did say servers... I would still go with DHCP possible.

-- ME2

On Fri, May 14, 2010 at 3:13 PM, Jonathan Link jonathan.l...@gmail.com wrote:

Any reason to have static? Consider DHCP with reservations so this kind of transition could be managed centrally in the future? As long as you're rolling out the script you could have it switch from static to dynamic and be done. Of course all this is predicated on not having a major reason to be static.

On Friday, May 14, 2010, Brian Desmond br...@briandesmond.com wrote:

This is fairly easy to do with WMI. You just want to iterate through the IPEnabled adapters collection and there are methods to stamp WINS and DNS servers. I'd suggest inspecting the current settings and using that data to decide whether you stamp or not. WINS is a simple primary/secondary stamp, DNS is a collection you need to clear and populate.

Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Friday, May 14, 2010 2:43 PM To: NT System Admin Issues Subject: Scripting IP Changes on remote devices

Good Morning/Afternoon,

I'm looking for a little assistance with automating IP changes on several hundred servers. The vast majority will be Windows 2003 but there may be some Windows 2000 boxes mixed in there. I'm going to need to change the DNS and WINS IP addresses on our servers with static assignments. I'm thinking VB would be the best language to use, unfortunately I'm not real strong with VB so I was hoping someone might have some already written code I could manipulate (certainly not asking anyone to write anything for me!).

The main problem is that I can't rely on any continuity amongst the servers. Meaning, the interface names may not be the same (LAN Connection X), and some servers may have multiple NICs for which I only need to modify one. I was hoping it would be possible to query the current configuration of the NICs and identify ones with DNS IP 1 = X and then modify those to DNS IP 1 = Y. I'd like to do this for the primary and secondary DNS and WINs references.

Any pointers at all would be much appreciated.

- Sean
RE: Scripting IP Changes on remote devices
Other than a DoS from a rogue DHCP server, I'm not sure I see too many issues with DHCP either. That said, how often do you actually change IP addresses for a server?

-Malcolm

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Tuesday, May 18, 2010 13:35 To: NT System Admin Issues Subject: Re: Scripting IP Changes on remote devices

So I've heard and have worked in similar environments, but, I have never heard a convincing argument for it as a security concern. It can be quite easy in a properly planned and operated environment. I honestly don't take any aspects of IT as trivial, and I think that anything that allows for centralized control to be paramount in IT operations.

As far as workload goes, I have found DHCP reservations to require less workload than independently configured hosts. Independently configured hosts are going to require more man-hours and leg work, or a good deal of scripting skill. Centralized control via DHCP is also going to be easier to hand-off to other administrators.

-- ME2

On Tue, May 18, 2010 at 10:54 AM, Malcolm Reitz malcolm.re...@live.com wrote:

There are places that prefer not to enable DHCP on server subnets for security reasons. Also, managing DHCP reservations will be a non-trivial operational workload in a dynamic data center.

-Malcolm

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Tuesday, May 18, 2010 11:52 To: NT System Admin Issues Subject: Re: Scripting IP Changes on remote devices

+1

If you are going to do the work of manually configuring specific IP addresses, why not do it in a way that is centrally manageable? Although you did say servers... I would still go with DHCP possible.

-- ME2

On Fri, May 14, 2010 at 3:13 PM, Jonathan Link jonathan.l...@gmail.com wrote:

Any reason to have static? Consider DHCP with reservations so this kind of transition could be managed centrally in the future? As long as you're rolling out the script you could have it switch from static to dynamic and be done. Of course all this is predicated on not having a major reason to be static.

On Friday, May 14, 2010, Brian Desmond br...@briandesmond.com wrote:

This is fairly easy to do with WMI. You just want to iterate through the IPEnabled adapters collection and there are methods to stamp WINS and DNS servers. I'd suggest inspecting the current settings and using that data to decide whether you stamp or not. WINS is a simple primary/secondary stamp, DNS is a collection you need to clear and populate.

Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Friday, May 14, 2010 2:43 PM To: NT System Admin Issues Subject: Scripting IP Changes on remote devices

Good Morning/Afternoon,

I'm looking for a little assistance with automating IP changes on several hundred servers. The vast majority will be Windows 2003 but there may be some Windows 2000 boxes mixed in there. I'm going to need to change the DNS and WINS IP addresses on our servers with static assignments. I'm thinking VB would be the best language to use, unfortunately I'm not real strong with VB so I was hoping someone might have some already written code I could manipulate (certainly not asking anyone to write anything for me!).

The main problem is that I can't rely on any continuity amongst the servers. Meaning, the interface names may not be the same (LAN Connection X), and some servers may have multiple NICs for which I only need to modify one. I was hoping it would be possible to query the current configuration of the NICs and identify ones with DNS IP 1 = X and then modify those to DNS IP 1 = Y. I'd like to do this for the primary and secondary DNS and WINs references.

Any pointers at all would be much appreciated.

- Sean
RE: Scripting IP Changes on remote devices
Centralized = good; I'm with you on that!

-Malcolm

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Tuesday, May 18, 2010 14:53 To: NT System Admin Issues Subject: Re: Scripting IP Changes on remote devices

Not often at all. There is definitely a case for either way - especially when you take into account the environment and staff into consideration. Certainly it may be the case that managing DHCP for servers might over-complicate your environment. But, I always lean toward centralized manageability.

-- ME2

On Tue, May 18, 2010 at 12:01 PM, Malcolm Reitz malcolm.re...@live.com wrote:

Other than a DoS from a rogue DHCP server, I'm not sure I see too many issues with DHCP either. That said, how often do you actually change IP addresses for a server?

-Malcolm

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Tuesday, May 18, 2010 13:35 To: NT System Admin Issues Subject: Re: Scripting IP Changes on remote devices

So I've heard and have worked in similar environments, but, I have never heard a convincing argument for it as a security concern. It can be quite easy in a properly planned and operated environment. I honestly don't take any aspects of IT as trivial, and I think that anything that allows for centralized control to be paramount in IT operations.

As far as workload goes, I have found DHCP reservations to require less workload than independently configured hosts. Independently configured hosts are going to require more man-hours and leg work, or a good deal of scripting skill. Centralized control via DHCP is also going to be easier to hand-off to other administrators.

-- ME2

On Tue, May 18, 2010 at 10:54 AM, Malcolm Reitz malcolm.re...@live.com wrote:

There are places that prefer not to enable DHCP on server subnets for security reasons. Also, managing DHCP reservations will be a non-trivial operational workload in a dynamic data center.

-Malcolm

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Tuesday, May 18, 2010 11:52 To: NT System Admin Issues Subject: Re: Scripting IP Changes on remote devices

+1

If you are going to do the work of manually configuring specific IP addresses, why not do it in a way that is centrally manageable? Although you did say servers... I would still go with DHCP possible.

-- ME2

On Fri, May 14, 2010 at 3:13 PM, Jonathan Link jonathan.l...@gmail.com wrote:

Any reason to have static? Consider DHCP with reservations so this kind of transition could be managed centrally in the future? As long as you're rolling out the script you could have it switch from static to dynamic and be done. Of course all this is predicated on not having a major reason to be static.

On Friday, May 14, 2010, Brian Desmond br...@briandesmond.com wrote:

This is fairly easy to do with WMI. You just want to iterate through the IPEnabled adapters collection and there are methods to stamp WINS and DNS servers. I'd suggest inspecting the current settings and using that data to decide whether you stamp or not. WINS is a simple primary/secondary stamp, DNS is a collection you need to clear and populate.

Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Friday, May 14, 2010 2:43 PM To: NT System Admin Issues Subject: Scripting IP Changes on remote devices

Good Morning/Afternoon,

I'm looking for a little assistance with automating IP changes on several hundred servers. The vast majority will be Windows 2003 but there may be some Windows 2000 boxes mixed in there. I'm going to need to change the DNS and WINS IP addresses on our servers with static assignments. I'm thinking VB would be the best language to use, unfortunately I'm not real strong with VB so I was hoping someone might have some already written code I could manipulate (certainly not asking anyone to write anything for me!).

The main problem is that I can't rely on any continuity amongst the servers. Meaning, the interface names may not be the same (LAN Connection X), and some servers may have multiple NICs for which I only need to modify one. I was hoping it would be possible to query the current configuration of the NICs and identify ones with DNS IP 1 = X and then modify those to DNS IP 1 = Y. I'd like to do this for the primary and secondary DNS and WINs references.

Any pointers at all would be much appreciated.

- Sean
RE: DPM, SCCM AND SCOM on same box???
That would be a much better idea. No way I'd want to put SCCM on any kind of shared server.

-Malcolm

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] Sent: Monday, May 17, 2010 11:09 To: NT System Admin Issues Subject: RE: DPM, SCCM AND SCOM on same box???

Why don't you put HyperV on it and break up the roles? I wouldn't mix all those three together.

Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

-Original Message-
From: Stephen Wimberly [mailto:swimbe...@gmail.com] Sent: Monday, May 17, 2010 10:13 AM To: NT System Admin Issues Subject: DPM, SCCM AND SCOM on same box???

I am pricing out a DPM box which we are likely to purchase.

Dell R510
16 GB RAM
2 146GB RAID1 for OS
12 2TB RAID5 for database storage pool

The question is: Would you put SCCM and SCOM on the same box??? SCCM and SCOM would use a remote SQL server rather than the same internal storage. We have fewer than 500 workstations, and DPM would not be used for workstation backup, only backing up data from 17 servers.

Design thoughts?
RE: Virtualizing applications
You wish :-) App-V is part of the MDOP (Microsoft Desktop Optimization Pack) client license. It isn't terribly expensive, but it isn't free. -Malcolm From: Tom Miller [mailto:tmil...@hnncsb.org] Sent: Wednesday, May 05, 2010 13:47 To: NT System Admin Issues Subject: RE: Virtualizing applications Regarding App-V, I have not used it yet, but I hear it's pretty nice. Anyone have idea how it's priced (free?) I wish I could go to Synergy. It was cut from the budget. Tom Webster carlwebs...@gmail.com 5/5/2010 2:42 PM And Citrix just updated their Streaming Profiler to version 6. While at the same time they are doing a road show with Microsoft telling people to use App-V with XA6 and XenDesktop and Microsoft is saying that you get better performance and better scalability with XenDesktop 4. http://community.citrix.com/display/ocb/2010/03/12/Go+ahead+use+App-V,+no+re ally,+please... Carl Webster Citrix Technology Professional http://dabcc.com/Webster From: Ken Cornetet [mailto:ken.corne...@kimball.com] Subject: RE: Virtualizing applications I doubt Microsoft is ceding virtualized desktops. They just added virtual desktop and a slew of new virtual app features in server 2008 R2. From: Webster [mailto:carlwebs...@gmail.com] Subject: RE: Virtualizing applications Just between me and you (and everyone else on this list) my Citrix contacts are telling me to concentrate on App-V (and hurry up and write some articles on it). Citrix is ceding streaming to App-V Microsoft is ceding virtualized desktops to XenDesktop Just what I have been told by several Citrites. Hope to learn more at the Citrix Synergy next week and from all the CTP meetings. I will fill you in on what is not NDA when I get back (just remind me). Carl Webster Citrix Technology Professional http://dabcc.com/Webster From: Tom Miller [mailto:tmil...@hnncsb.org] Subject: RE: Virtualizing applications Wow, so no more streaming profiler. I had issues with it off and on. App-v it is. 
Webster carlwebs...@gmail.com 5/5/2010 12:13 PM Yes that is what I am saying. Webster From: Tom Miller [mailto:tmil...@hnncsb.org] Subject: RE: Virtualizing applications Webster are you saying use App-V instead of Citrix streaming? I'll need to keep that in mind for XenDesktop when I roll that out. Webster carlwebs...@gmail.com 5/5/2010 10:44 AM Citrix now recommends using App-V with XenApp 6. I would recommend going in that direction. I will be as soon as I can find some lab time that is not spent writing articles. Several of the CTPs are also App-V MVPs. Carl Webster Citrix Technology Professional http://dabcc.com/Webster From: James Rankin [mailto:kz2...@googlemail.com] Subject: Virtualizing applications We are in the process of migrating our Citrix 4.5 x86 Windows 2003 R2 farm to a brand new, Windows 2008 R2 XenApp 6 x64 environment. All is going swimmingly well...until a couple of departments remind us that they have some old apps that are vitally important to them they'd like including in the new deployment. All this after they forgot to mention it in the initial systems analysis and only two days before go-live...the lack of communication is an issue I'm not looking for advice on. The issue I am concerned with is how to get these apps into the new environment. Naturally, they won't install on x64 servers or 2008. Because we're using XenApp 6 we can't join either MPS 4.5 or XenApp 5 servers to the farm, which would have been handy as we could have built an x86 server and published these apps on it. So I thought I'd fire up another server, install the Citrix Streaming Profiler and virtualize them as streamed applications to the new environment. No dice there either. The first of these problem apps uses a huge set of patches that have to be deployed through a vendor-specific patching tool, and this causes the profiler to crash. Same with the second app - it uses some strange installer procedures and the profiler fails when running it.
So I am kind of at a dead end. The only other thing I can think of is using App-V, but I'm worried that this will a) put me back a few days as I learn how to use it, and b) could possibly fail in the same way as the Citrix Profiler solution. There's also the problem of learning how to integrate XenApp 6 and App-V, which I am sure can be done but which I have no experience of. Either way, it seems a bit tricky. Does anyone else have any bright ideas that might help out? Could I use RDP connections to a virtual x86 server with these apps on and use Terminal Services to publish applications in the same way as Citrix does, without the hassle of the incompatible farms in Citrix? Or is there some better way of virtualizing application access, or indeed any other way I could achieve this in the small timeframe I have been left with? All ideas, hints, tips and suggestions are gratefully
RE: Symantec Acquires PGP
Don't know if it is better news or not, but Secure Computing was bought by McAfee, not Symantec. -Malcolm -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Friday, April 30, 2010 23:56 To: NT System Admin Issues Subject: Re: Symantec Acquires PGP On Thu, Apr 29, 2010 at 09:00, Jonathan Link jonathan.l...@gmail.com wrote: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci15 2,00.html?track=NL-102ad=763391asrc=EM_NLN_11453454uid=9835724 FRAK! I share that sentiment. They bought Secure Computing last year, which really bummed me out, because I love my Sidewinders. Kurt
RE: Webster is now employed
Excellent - congrats! Post a pic of you in your green beret :-) -Malcolm From: Webster [mailto:webs...@carlwebster.com] Sent: Tuesday, April 27, 2010 21:06 To: NT System Admin Issues Subject: Webster is now employed Webster is now employed by LPS Integration in Nashville, TN as Sr. Citrix Technical Architect. I start Friday May 7th. http://www.lpsintegration.com/ Carl Webster Citrix Technology Professional http://dabcc.com/Webster
RE: Web filtering solutions
The TMG URL filtering is pretty good, but I doubt it will be any less costly than SmartFilter. There are cloud-based filtering options these days; McAfee offers a SmartFilter cloud and AT&T has one too. -Malcolm -Original Message- From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] Sent: Wednesday, April 21, 2010 09:43 To: NT System Admin Issues Subject: Re: Web filtering solutions Microsoft Threat Management Gateway is the new name for ISA... could look at that. James Rankin kz2...@googlemail.com 4/21/2010 9:19 AM We are looking to cut costs at the minute and the issue of our web filtering solution has come up. Currently we use WebSense Enterprise in a mixed Citrix / Xen / VMWare View environment which makes the WebSense implementation a little challenging at the best of times. We're not bothered about whether it is a hardware or software solution, but ease of setup is probably a primary factor in our needs. Does anyone have any particular recommendations, or know of any solutions that we should avoid like the plague? All of our users are on Windows of one sort or another, and we'd probably like something that had half-decent reporting - but as I said, the ease of setup is most likely the biggest factor in our equation. TIA for any suggestions, JRR -- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
RE: Group membership updates
This complaint would probably elicit a "that's the way it is - deal with it" response from me; a workaround such as KLIST may help (are you sure the user really has a Kerberos logon and ticket to the relevant CIFS service?), but it complicates the scenario significantly and your users are just as likely to complain that they have to go through the workaround steps, too. -Malcolm From: James Rankin [mailto:kz2...@googlemail.com] Sent: Tuesday, April 20, 2010 08:47 To: NT System Admin Issues Subject: Re: Group membership updates We tend to deploy applications to users via group membership. The shortcuts to applications are held in a single shared desktop folder, with NTFS permissions on each shortcut linking to the application group. It is quick and dirty and saves writing new entries to the relevant GPOs every time you want to push out a new app. However, some of our more PITA users are complaining that they have to log off and back on when a new app is deployed, so we were trying to give them a way to update their group memberships dynamically by running some sort of shortcut on their desktop. I considered klist, but does that not just purge the Kerberos token and you have to reacquire a new one at login time? I've never used it before - that was just what I read in a couple of forums. Cheers, On 20 April 2010 16:40, Free, Bob r...@pge.com wrote: Is the issue around Kerberos tickets? Is it that YOU want to update Their memberships or you want Them to be able to do it to themselves? You could have them purge their tickets with klist if they are somewhat savvy. From: James Rankin [mailto:kz2...@googlemail.com] Sent: Tuesday, April 20, 2010 3:40 AM To: NT System Admin Issues Subject: Group membership updates I know that there's probably no way of doing this, but I thought I'd ask...is there any way of updating a logged-on user's AD group memberships without them logging out of the system?
Everything I've read suggests that there is no way to update an access token except by logging in again, so short of launching an application with a RunAs command, I think I may be pretty much snookered. I live in hope though. TIA, JRR -- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
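The gap this thread is about, between the groups in the logon token and the groups the directory holds for the user right now, can be measured from the user's own session. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes a domain account on a domain-joined machine that can reach a domain controller.

```powershell
# Added example (not from the thread): list domain groups that Active Directory
# reports for the logged-on user but that are absent from the current logon
# token, and the reverse. Function names are hypothetical.

function Resolve-SidName {
    param([string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # unresolvable SID: report it as-is
    }
}

function Get-TokenGroupDrift {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $identity.User.AccountDomainSid) {
        throw 'The current logon is not a domain account.'
    }
    $domainSid = $identity.User.AccountDomainSid.Value

    # Group SIDs carried in the token that was built when this session logged on.
    # Only SIDs issued by the user's own domain are compared, which leaves out
    # well-known, BUILTIN and local-machine groups.
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value } |
        Where-Object { $_ -like "$domainSid-*" })

    # tokenGroups is a constructed attribute: the domain controller expands
    # nested security-group membership at the moment the attribute is read.
    $path = "LDAP://<SID=$($identity.User.Value)>"
    $user = New-Object System.DirectoryServices.DirectoryEntry($path)
    $user.psbase.RefreshCache([string[]]@('tokenGroups'))
    $directorySids = @($user.psbase.Properties['tokenGroups'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    } | Where-Object { $_ -like "$domainSid-*" })

    foreach ($sid in $directorySids) {
        if ($tokenSids -notcontains $sid) {
            New-Object PSObject -Property @{
                Group = Resolve-SidName $sid
                Sid   = $sid
                State = 'In directory, not in logon token'
            }
        }
    }
    foreach ($sid in $tokenSids) {
        if ($directorySids -notcontains $sid) {
            New-Object PSObject -Property @{
                Group = Resolve-SidName $sid
                Sid   = $sid
                State = 'In logon token, not in directory'
            }
        }
    }
}

Get-TokenGroupDrift | Format-Table -AutoSize
```

An empty result means the token and the directory agree for the user's own domain.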
RE: modifying subnet assignment by script
In VBScript, the _ character is a special character denoting a line continuation. It is used as the last character on a line. Rewrite the lines to look like this and give it a try.

    Set objSiteSettings = GetObject("LDAP://cn=" & _
        strSubnetName & _
        ",cn=subnets,cn=sites," & _
        objRootDSE.Get("ConfigurationNamingContext"))

-Malcolm From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Thursday, April 15, 2010 14:07 To: NT System Admin Issues Subject: modifying subnet assignment by script I got this from the AD Cookbook and it's giving me an error. Can someone test this and let me know if it works for them in a test environment? The site and subnet must exist for this to work. I'm getting the following error: (5, 49) Microsoft VBScript compilation error: Invalid character Which corresponds to the _ in front of _strSubnetName. I've tried it without the _ and get a null error.

    '*Begin Script***
    strNewSiteName = "TESTSite1" ' e.g. Raleigh
    strSubnetName = "10.170.2.0/24" ' e.g. 192.168.1.0/24
    Set objRootDSE = GetObject("LDAP://RootDSE")
    Set objSiteSettings = GetObject("LDAP://cn=" & _strSubnetName & _
        ",cn=subnets,cn=sites," & _
        objRootDSE.Get("ConfigurationNamingContext"))
    objSiteSettings.Put "siteObject", _
        "cn=" & strNewSiteName & ",cn=sites," & _
        objRootDSE.Get("ConfigurationNamingContext")
    objSiteSettings.SetInfo
    WScript.Echo("Site Membership updated successfully!")
    '*End Script***

Not sure what the issue is here. Thanks, Chris Bodnar, MCSE Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003
RE: Add SNMP community remotely?
Pretty simple to set the SNMP registry keys with a group policy... Community strings go here: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities SNMP management servers go here: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers -Malcolm -Original Message- From: Michael Leone [mailto:oozerd...@gmail.com] Sent: Friday, April 16, 2010 08:17 To: NT System Admin Issues Subject: Re: Add SNMP community remotely? On Fri, Apr 16, 2010 at 9:08 AM, James Rankin kz2...@googlemail.com wrote: This might help, from a quick Google search. I think the idea of using a .reg file to import the community strings jogs my memory, so if SNMP is already installed it may be one less step for you http://www.pcreview.co.uk/forums/thread-1602002.php I'd never heard of sysocmgr; thanks for that! Yes, all the machines already have SNMP installed, and all have at least the PUBLIC community defined as READ ONLY. So I'd be interested in just adding my own community. That's a great help, thanks!
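The two registry locations named in this thread, read and written from PowerShell, with an audit pass that flags the kind of default community the thread mentions. This is an added example, not part of the original thread; the function names, the sample community name and manager addresses, and the rights-value table (4 = READ ONLY, 8 = READ WRITE) are supplied here and are not stated in the thread.

```powershell
# Added example (not from the thread): audit and set the SNMP service values
# under the two registry keys named above. Run elevated on a host with the
# SNMP service installed. Function names and sample values are hypothetical.
$SnmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Each ValidCommunities value is named after the community; its REG_DWORD data
# is the access right.
$SnmpRights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

function Get-SnmpManagers {
    $key = Get-Item -Path "$SnmpParams\PermittedManagers" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } }
}

function Get-SnmpCommunityAudit {
    $key = Get-Item -Path "$SnmpParams\ValidCommunities" -ErrorAction Stop
    $managers = @(Get-SnmpManagers)
    foreach ($name in $key.GetValueNames()) {
        $rights = [int]$key.GetValue($name)
        $notes = @()
        if (@('public', 'private') -contains $name) { $notes += 'well-known default name' }
        if ($rights -ge 8) { $notes += 'write access granted' }
        if ($managers.Count -eq 0) { $notes += 'no PermittedManagers entries: any host accepted' }
        New-Object PSObject -Property @{
            Community = $name
            Rights    = $SnmpRights[$rights]
            Managers  = $managers -join ', '
            Notes     = $notes -join '; '
        }
    }
}

function Add-SnmpReadOnlyCommunity {
    param(
        [Parameter(Mandatory = $true)][string]$Community,
        [Parameter(Mandatory = $true)][string[]]$Managers
    )
    $valid = "$SnmpParams\ValidCommunities"
    $permitted = "$SnmpParams\PermittedManagers"
    foreach ($path in $valid, $permitted) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }

    # 4 = READ ONLY
    New-ItemProperty -Path $valid -Name $Community -Value 4 -PropertyType DWord -Force | Out-Null

    # PermittedManagers holds REG_SZ values named 1, 2, 3, ...
    # Append after the highest existing index instead of overwriting entries.
    $key = Get-Item -Path $permitted
    $existing = @(Get-SnmpManagers)
    $indexes = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { [int]$_ })
    $next = 1
    if ($indexes.Count -gt 0) {
        $next = [int]($indexes | Measure-Object -Maximum).Maximum + 1
    }
    foreach ($manager in $Managers) {
        if ($existing -contains $manager) { continue }
        New-ItemProperty -Path $permitted -Name "$next" -Value $manager -PropertyType String | Out-Null
        $next++
    }
}

# Constructed sample values: a community name and two management stations.
Add-SnmpReadOnlyCommunity -Community 'ExampleMonitorRO' -Managers '192.0.2.10', '192.0.2.11'
Get-SnmpCommunityAudit | Format-Table -AutoSize
```

The same value names and data are what a Group Policy registry item for these keys would carry.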
RE: please don't change your password!
Passwords of sufficient complexity mitigate the threat of brute-force attacks without having to be changed. And, if you know a user's password this month, you are probably 95% of the way to knowing his password next month (change a digit at the end, pick the next kid's name, etc.). -Malcolm From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, April 16, 2010 07:52 To: NT System Admin Issues Subject: RE: please don't change your password! There's a flaw in the logic. The Globe article states: . . . [U]sers are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you've switched to a new one, Herley wrote. That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door. This fails to consider the situation where a user's password is compromised and the bad guy accesses the user's information on an ongoing basis. For instance, monitoring a folder that contains files with information about patent filings to see when new files show up, or logging into OWA to keep an eye on e-mail messages. The unauthorized access will end once the password is changed (assuming a variety of other factors, such as the bad guy not getting the new password, etc.), and thus requiring regular password changes can be of value. Similarly, regular password changes can mitigate the risk from brute-force attacks. If a password has to be changed every 60 days, for instance, the bad guy will only have 60 days to try to determine the user's password. This is generally considered to be better than the bad guy having an infinite amount of time to try to determine it. 
John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us From: Brian Clark [mailto:brianclark2...@googlemail.com] Sent: Thursday, April 15, 2010 4:38 PM To: NT System Admin Issues Subject: please don't change your password! After a long week doing a SBS migration I didn't know how to take this article and needed to share it!! http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1 Brian NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure.
RE: please don't change your password!
+1 For the past few years, every time we've had a server compromised, it has been because something was overlooked or done incorrectly by one of our own people, such as not changing default administrator passwords, assigning improper permissions to key folders or leaving vulnerable ports open. -Malcolm From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Friday, April 16, 2010 09:14 To: NT System Admin Issues Subject: Re: please don't change your password! This fails to consider the situation where a user's password is compromised and the bad guy accesses the user's information on an ongoing basis. For instance, monitoring a folder that contains files with information about patent filings to see when new files show up, or logging into OWA to keep an eye on e-mail messages. The unauthorized access will end once the password is changed (assuming a variety of other factors, such as the bad guy not getting the new password, etc.), and thus requiring regular password changes can be of value. We live in a world where scripted attacks dominate, and where targeted attacks are against highly privileged assets. Add to that, most scripted attacks are aimed at an application or OS or protocol vulnerability, with the primary intent of sending spam or rooting the machine in some way. Thus, the changing of passwords does little to mitigate any of the aforementioned. Even a targeted attack is likely to take steps to elevate privileges and creating a new account for the purpose of removing reliance on the compromised account. Similarly, regular password changes can mitigate the risk from brute-force attacks. If a password has to be changed every 60 days, for instance, the bad guy will only have 60 days to try to determine the user's password. This is generally considered to be better than the bad guy having an infinite amount of time to try to determine it. In most cases, it doesn't take weeks to brute force an account. Mostly hours, and occasionally days. 
(Doesn't everyone have a quad-core system or set of systems?) But that's not really the point. Most breaches today aren't accomplished via brute force of the password. There are hundreds of other approaches to get into systems remote that require far less time and effort, and all lead to elevated rights. -ASB: http://XeeSM.com/AndrewBaker On Fri, Apr 16, 2010 at 8:51 AM, John Hornbuckle john.hornbuc...@taylor.k12.fl.us wrote: There's a flaw in the logic. The Globe article states: . . . [U]sers are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you've switched to a new one, Herley wrote. That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door. This fails to consider the situation where a user's password is compromised and the bad guy accesses the user's information on an ongoing basis. For instance, monitoring a folder that contains files with information about patent filings to see when new files show up, or logging into OWA to keep an eye on e-mail messages. The unauthorized access will end once the password is changed (assuming a variety of other factors, such as the bad guy not getting the new password, etc.), and thus requiring regular password changes can be of value. Similarly, regular password changes can mitigate the risk from brute-force attacks. If a password has to be changed every 60 days, for instance, the bad guy will only have 60 days to try to determine the user's password. This is generally considered to be better than the bad guy having an infinite amount of time to try to determine it. 
John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us From: Brian Clark [mailto:brianclark2...@googlemail.com] Sent: Thursday, April 15, 2010 4:38 PM To: NT System Admin Issues Subject: please don't change your password! After a long week doing a SBS migration I didn't know how to take this article and needed to share it!! http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1 Brian
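Both password threads above touch on forced rotation producing a new password that is a small edit of the old one. A change-time check for that pattern, as an added example that is not part of the original threads; the function names, the distance threshold of 3, and the sample passwords are constructed here.

```powershell
# Added example (not from the threads): at password-change time, when the old
# and new values are both in hand, flag a new password that is only a small
# edit of the old one. Names, threshold and samples are hypothetical.

function Get-EditDistance {
    # Levenshtein distance, case-sensitive, two-row dynamic programming.
    param([string]$A, [string]$B)
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = 1
            if ($A[$i - 1] -ceq $B[$j - 1]) { $cost = 0 }
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$B.Length]
}

function Get-PasswordStem {
    # Lower-case, then drop a trailing run of digits and punctuation, so that
    # "Tigger7" and "tigger08!" reduce to the same stem.
    param([string]$Password)
    $Password.ToLowerInvariant() -replace '[\d\W_]+$', ''
}

function Test-PredictableChange {
    param([string]$Old, [string]$New, [int]$MinDistance = 3)
    $distance = Get-EditDistance $Old $New
    $oldStem = Get-PasswordStem $Old
    $newStem = Get-PasswordStem $New
    # An empty stem (all digits or symbols) is left to the distance test.
    $sameStem = ($oldStem.Length -gt 0) -and ($oldStem -ceq $newStem)
    New-Object PSObject -Property @{
        Change   = "$Old -> $New"
        Distance = $distance
        SameStem = $sameStem
        Reject   = ($sameStem -or ($distance -lt $MinDistance))
    }
}

# Constructed sample pairs. The third pair swaps one name and year for another:
# neither test catches it, which is the limit of a purely textual check.
$samples = @(
    @('Tigger7', 'Tigger8'),
    @('Summer2010!', 'summer2011!'),
    @('Jacob#1998', 'Emily#2001'),
    @('plum-Ladder-42', 'quartz Harbor 9')
)
foreach ($pair in $samples) {
    Test-PredictableChange -Old $pair[0] -New $pair[1]
}
```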
RE: What are my options, Windows Server 2008 or Windows Server 2008 R2 or...
Exchange 2010 requires DCs to be at least Server 2003 SP2 along with domain and forest functional levels of at least Windows Server 2003, so Server 2008 DCs are not required. You could proceed with your Exchange upgrades and leave the DCs alone until you can get updated hardware to replace them. Putting Exchange and a DC on a Hyper-V virtual host is also a valid idea, given sufficient hardware to handle the workload. -Malcolm From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Tuesday, March 23, 2010 09:39 To: NT System Admin Issues Subject: Re: What are my options, Windows Server 2008 or Windows Server 2008 R2 or... I didn't see anyone else mention this, but my understanding is the 2008r2 *requires* x64 architecture, so if you only have 32 bit systems in your environment, Windows 2008 would be your choice, *not* 2008r2 ! On Fri, Mar 19, 2010 at 4:44 PM, Reimer, Mark mark.rei...@prairie.edu wrote: Here's my upcoming problem. We currently have a Windows 2003 domain. All servers, including DC's are Windows 2003 standard. We will be replacing our Exchange server this summer, jumping from Exchange 2003 to Exchange 2010. I'm planning on installing Windows 2008 R2 on it. My current DC's are 32 bit, and almost 5 years old, and don't have 64 bit architecture. So . Should I upgrade my DC's to Windows 2008 32 bit? Should I try to get upgraded hardware, and install Windows 2008 R2? Should I not worry about it, put in the new Exchange server on my Windows 2003 domain, and upgrade the DC's later? I'm planning on using the standard version (vs. enterprise or datacenter), unless I can get some beefy server, then I'll virtualize one DC and some other physical servers on it. I'm NOT going to put both DC's virtualized on one physical box. My googling on this hasn't turned up any useful information. Maybe it's Friday afternoon. Thanks for any advice. 
Mark Reimer, A+, MCSA Windows Servers Networking Prairie Bible Institute Box 4000 Three Hills, AB T0M-2N0 Canada Tel: 403-443-5511, Ext. 3476 Fax: 403-443-5540 Email: mark.rei...@prairie.edu www.prairie.edu http://www.prairie.edu/
RE: Deploy xpmode updates av and such
We're gonna try like heck not to use it. Don't want to have to support 2 OSes on a single PC for the reasons you've mentioned and more. -Malcolm -Original Message- From: jgarciaitl...@gmail.com [mailto:jgarciaitl...@gmail.com] Sent: Friday, March 19, 2010 19:44 To: NT System Admin Issues Subject: Deploy xpmode updates av and such Any ideas of deploying for xpmode in windows 7? Sent via BlackBerry from T-Mobile