RE: Active Directory and Group Policy inheritance

[Brian Desmond]

Just make sure you don't write an inefficient filter that takes forever to 
process...

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, July 26, 2012 10:50 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Group Policy inheritance

I would use WMI filtering.

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Thursday, July 26, 2012 11:36 AM
To: NT System Admin Issues
Subject: Active Directory and Group Policy inheritance

Greetings.

Is it possible to block a single group policy from being inheritance, or is my 
only choice to block all inheritance at the OU level? I want one policy blocked 
(A software installation policy, so I don't think I can override it somehow) in 
a Sub-OU, but I want everything else through.

Thanks.


--Matt Ross
Ephrata School District

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Active Directory and Group Policy inheritance

[Christopher Bodnar]

Inheritance is an attribute of the OU, not of the GPO itself. what you 
need to do its to filter by WMI or security. One of those or a combination 
of both should give you what you are looking for.



Christopher Bodnar 
Enterprise Achitect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:   "Matthew W. Ross" 
To: "NT System Admin Issues" 
Date:   07/26/2012 11:36 AM
Subject:Active Directory and Group Policy inheritance



Greetings.

Is it possible to block a single group policy from being inheritance, or 
is my only choice to block all inheritance at the OU level? I want one 
policy blocked (A software installation policy, so I don't think I can 
override it somehow) in a Sub-OU, but I want everything else through.

Thanks.


--Matt Ross
Ephrata School District

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory and Group Policy inheritance

[Michael B. Smith]

I would use WMI filtering.

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Thursday, July 26, 2012 11:36 AM
To: NT System Admin Issues
Subject: Active Directory and Group Policy inheritance

Greetings.

Is it possible to block a single group policy from being inheritance, or is my 
only choice to block all inheritance at the OU level? I want one policy blocked 
(A software installation policy, so I don't think I can override it somehow) in 
a Sub-OU, but I want everything else through.

Thanks.


--Matt Ross
Ephrata School District

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Active Directory and Group Policy inheritance

[Jimmy Tran]

I don't think you can block itbut you can maybe modify the security
filtering so it only applies to the users you want it to?

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Thursday, July 26, 2012 8:36 AM
To: NT System Admin Issues
Subject: Active Directory and Group Policy inheritance

Greetings.

Is it possible to block a single group policy from being inheritance, or
is my only choice to block all inheritance at the OU level? I want one
policy blocked (A software installation policy, so I don't think I can
override it somehow) in a Sub-OU, but I want everything else through.

Thanks.


--Matt Ross
Ephrata School District

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Active Directory Appliance?

[Christopher Bodnar]

I don't think anything like that exists. Even with an appliance like 
storage server, it was still a windows box and you needed to manage it 
like one (patching, agents, domain membership, etc...). So even if 
something like this did exist , I"m not sure how much it would reduce your 
management overhead of the device.

I agree with some of the other comments. if  you have a small 
virtualization environment at one of these locations, it would be your 
easiest solution. You could pre-configure a some Hyper-V servers at  your 
corporate location and then ship them out to the remote offices. Then you 
could just spin up VM's remotely. 

YMMV




Christopher Bodnar 
Enterprise Achitect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:   Jonathan 
To: "NT System Admin Issues" 
Date:   06-13-12 04:29 PM
Subject:Active Directory Appliance?



My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP 
hardware appliances, but I don't see anything for Active Directory 
2003/2008. I'm only interested in this for remote offices, not for my 
core. The idea would be to eliminate buying a server, maintaining that 
server, the OS, etc, for our remote offices.
Does such exist, and if so, does the collective brain trust have any 
experience with them?
TIA,
Jonathan
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Daniel Chenault]

Meh.. standard engineering mantra. Those three always come into play eventually.


From: Steven M. Caesare [scaes...@caesare.com]
Sent: Wednesday, June 13, 2012 6:42 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?

I didn’t see him demanding any of those.

-sc

On Jun 13, 2012 5:38 PM, "Daniel Chenault" 
mailto:dchena...@lgnetworksinc.com>> wrote:
Cheap/easy/fast

Pick two

Daniel Chenault
dchena...@lgnetworksinc.com<mailto:dchena...@lgnetworksinc.com>
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com<mailto:ncm...@gmail.com>]
Sent: Wednesday, June 13, 2012 4:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?


Not interested in anything home-brewed.
On Jun 13, 2012 4:41 PM, "Daniel Chenault" 
mailto:dchena...@lgnetworksinc.com>> wrote:
Used P4 with 2G RAM, 500M hard drive: ~100
Your favorite flavor of Linux distro: free
DNS and DHCP: free with OS

Image it, lock it down tight and let ‘er rip.

Daniel Chenault
dchena...@lgnetworksinc.com<mailto:dchena...@lgnetworksinc.com>
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com<mailto:ncm...@gmail.com>]
Sent: Wednesday, June 13, 2012 3:20 PM
To: NT System Admin Issues
Subject: Active Directory Appliance?


My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP 
hardware appliances, but I don't see anything for Active Directory 2003/2008. 
I'm only interested in this for remote offices, not for my core. The idea would 
be to eliminate buying a server, maintaining that server, the OS, etc, for our 
remote offices.

Does such exist, and if so, does the collective brain trust have any experience 
with them?

TIA,

Jonathan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Daniel Chenault]

I understand that and it's your ballpark so you move the infield fence where 
ever you like. :)

It is a good workable solution though; rock-solid and once setup and locked 
down is practically hands-free.

Those of you who have known me a long time: did you ever think you'd see me 
touting Linux? :)


From: Jonathan [ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 4:45 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?


Ha! True. This is why I did not place constraints on any of those 3 factors 
with the exception stating that I did not want something home brewed. I figured 
that would have implied that I didn't care about trying to  do something on the 
cheap.

On Jun 13, 2012 5:38 PM, "Daniel Chenault" 
mailto:dchena...@lgnetworksinc.com>> wrote:
Cheap/easy/fast

Pick two

Daniel Chenault
dchena...@lgnetworksinc.com<mailto:dchena...@lgnetworksinc.com>
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com<mailto:ncm...@gmail.com>]
Sent: Wednesday, June 13, 2012 4:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?


Not interested in anything home-brewed.
On Jun 13, 2012 4:41 PM, "Daniel Chenault" 
mailto:dchena...@lgnetworksinc.com>> wrote:
Used P4 with 2G RAM, 500M hard drive: ~100
Your favorite flavor of Linux distro: free
DNS and DHCP: free with OS

Image it, lock it down tight and let ‘er rip.

Daniel Chenault
dchena...@lgnetworksinc.com<mailto:dchena...@lgnetworksinc.com>
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com<mailto:ncm...@gmail.com>]
Sent: Wednesday, June 13, 2012 3:20 PM
To: NT System Admin Issues
Subject: Active Directory Appliance?


My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP 
hardware appliances, but I don't see anything for Active Directory 2003/2008. 
I'm only interested in this for remote offices, not for my core. The idea would 
be to eliminate buying a server, maintaining that server, the OS, etc, for our 
remote offices.

Does such exist, and if so, does the collective brain trust have any experience 
with them?

TIA,

Jonathan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Steven M. Caesare]

I didn't see him demanding any of those.

 

-sc

 

On Jun 13, 2012 5:38 PM, "Daniel Chenault" 
wrote:

Cheap/easy/fast

 

Pick two

 

Daniel Chenault

dchena...@lgnetworksinc.com

 

 

From: Jonathan [mailto:ncm...@gmail.com] 
Sent: Wednesday, June 13, 2012 4:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?

 

Not interested in anything home-brewed.

On Jun 13, 2012 4:41 PM, "Daniel Chenault" 
wrote:

Used P4 with 2G RAM, 500M hard drive: ~100

Your favorite flavor of Linux distro: free

DNS and DHCP: free with OS

 

Image it, lock it down tight and let 'er rip. 

 

Daniel Chenault

dchena...@lgnetworksinc.com



 

From: Jonathan [mailto:ncm...@gmail.com] 
Sent: Wednesday, June 13, 2012 3:20 PM
To: NT System Admin Issues
Subject: Active Directory Appliance?

 

My Google-fu seems to be failing me. I know that infoblox has DNS and
DHCP hardware appliances, but I don't see anything for Active Directory
2003/2008. I'm only interested in this for remote offices, not for my
core. The idea would be to eliminate buying a server, maintaining that
server, the OS, etc, for our remote offices.

Does such exist, and if so, does the collective brain trust have any
experience with them?

TIA,

Jonathan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Jonathan]

Nope, hardly that many users. We're talking less than 100 users for most of
our remote sites.

Deploying RWDCs to each site is a practice here that long pre-dates me, and
even our department (for a number of years, each site was fairly
autonomous, with no formal internal infrastructure team). Changing over to
RODCs is something worth considering, though, along with 2008R2 Core. I may
bring it up at the next staff meeting.

Thanks,

Jonathan
On Jun 13, 2012 5:59 PM, "Free, Bob"  wrote:

>  Not knowing your specific requirements, especially WRT to user
> population, for file/print, at first blush I’d think cached credentials
> with more of a focus on resilient connectivity would be the best solution.
> 
>
> ** **
>
> I’m a firm believer that RWDCs only go in DataCenters with the attendant
> physical security. If you deploy to the branch, that is the realm of the
> RODC but it carries its own inherent complexities.
>
> ** **
>
> Maybe your idea of a remote office is many hundreds or thousands of users
> and I’m all wet. 
>
> ** **
>
> *From:* Jonathan [mailto:ncm...@gmail.com]
> *Sent:* Wednesday, June 13, 2012 2:01 PM
> *To:* NT System Admin Issues
> *Subject:* [dkim-failure] RE: Active Directory Appliance?
>
> ** **
>
> Authentication survivability at the remote site for access to local
> resources (primarily file and print).
>
> On Jun 13, 2012 4:52 PM, "Free, Bob"  wrote:
>
> I have never come across such a beast.
>
>  
>
> Question in my mind would be more like “why are you deploying DCs
> remotely” 
>
>  
>
>  
>
> *From:* Jonathan [mailto:ncm...@gmail.com]
> *Sent:* Wednesday, June 13, 2012 1:20 PM
> *To:* NT System Admin Issues
> *Subject:* [dkim-failure] Active Directory Appliance?
>
>  
>
> My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP
> hardware appliances, but I don't see anything for Active Directory
> 2003/2008. I'm only interested in this for remote offices, not for my core.
> The idea would be to eliminate buying a server, maintaining that server,
> the OS, etc, for our remote offices.
>
> Does such exist, and if so, does the collective brain trust have any
> experience with them?
>
> TIA,
>
> Jonathan
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Active Directory Appliance?

[Michael B. Smith]

SAMBA 4 can do this on Linux/NetBSD. Dunno how you are with UNIX-variants.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 5:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?


Authentication survivability at the remote site for access to local resources 
(primarily file and print).
On Jun 13, 2012 4:52 PM, "Free, Bob" mailto:r...@pge.com>> wrote:
I have never come across such a beast.

Question in my mind would be more like "why are you deploying DCs remotely"


From: Jonathan [mailto:ncm...@gmail.com<mailto:ncm...@gmail.com>]
Sent: Wednesday, June 13, 2012 1:20 PM
To: NT System Admin Issues
Subject: [dkim-failure] Active Directory Appliance?


My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP 
hardware appliances, but I don't see anything for Active Directory 2003/2008. 
I'm only interested in this for remote offices, not for my core. The idea would 
be to eliminate buying a server, maintaining that server, the OS, etc, for our 
remote offices.

Does such exist, and if so, does the collective brain trust have any experience 
with them?

TIA,

Jonathan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Active Directory Appliance?

[Jonathan]

Ha! True. This is why I did not place constraints on any of those 3 factors
with the exception stating that I did not want something home brewed. I
figured that would have implied that I didn't care about trying to  do
something on the cheap.
On Jun 13, 2012 5:38 PM, "Daniel Chenault" 
wrote:

>  Cheap/easy/fast
>
> ** **
>
> Pick two
>
> ** **
>
> Daniel Chenault
>
> dchena...@lgnetworksinc.com
>
> [image: Description: Description: cid:image001.jpg@01CCF24C.F9B05160]
>
> ** **
>
> *From:* Jonathan [mailto:ncm...@gmail.com]
> *Sent:* Wednesday, June 13, 2012 4:01 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Active Directory Appliance?
>
> ** **
>
> Not interested in anything home-brewed.
>
> On Jun 13, 2012 4:41 PM, "Daniel Chenault" 
> wrote:
>
> Used P4 with 2G RAM, 500M hard drive: ~100
>
> Your favorite flavor of Linux distro: free
>
> DNS and DHCP: free with OS
>
>  
>
> Image it, lock it down tight and let ‘er rip. 
>
>  
>
> Daniel Chenault
>
> dchena...@lgnetworksinc.com
>
> [image: Description: Description: cid:image001.jpg@01CCF24C.F9B05160]
>
>  
>
> *From:* Jonathan [mailto:ncm...@gmail.com]
> *Sent:* Wednesday, June 13, 2012 3:20 PM
> *To:* NT System Admin Issues
> *Subject:* Active Directory Appliance?
>
>  
>
> My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP
> hardware appliances, but I don't see anything for Active Directory
> 2003/2008. I'm only interested in this for remote offices, not for my core.
> The idea would be to eliminate buying a server, maintaining that server,
> the OS, etc, for our remote offices.
>
> Does such exist, and if so, does the collective brain trust have any
> experience with them?
>
> TIA,
>
> Jonathan
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Daniel Chenault]

Cheap/easy/fast

Pick two

Daniel Chenault
dchena...@lgnetworksinc.com
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 4:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?


Not interested in anything home-brewed.
On Jun 13, 2012 4:41 PM, "Daniel Chenault" 
mailto:dchena...@lgnetworksinc.com>> wrote:
Used P4 with 2G RAM, 500M hard drive: ~100
Your favorite flavor of Linux distro: free
DNS and DHCP: free with OS

Image it, lock it down tight and let 'er rip.

Daniel Chenault
dchena...@lgnetworksinc.com<mailto:dchena...@lgnetworksinc.com>
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com<mailto:ncm...@gmail.com>]
Sent: Wednesday, June 13, 2012 3:20 PM
To: NT System Admin Issues
Subject: Active Directory Appliance?


My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP 
hardware appliances, but I don't see anything for Active Directory 2003/2008. 
I'm only interested in this for remote offices, not for my core. The idea would 
be to eliminate buying a server, maintaining that server, the OS, etc, for our 
remote offices.

Does such exist, and if so, does the collective brain trust have any experience 
with them?

TIA,

Jonathan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Damien Solodow]

Your best bet then is to use a Server Core install of either 2008 or 2008 R2. 
It's supported, requires minimal patching/management and is ideally suited to 
remote management.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 5:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?


Not interested in anything home-brewed.
On Jun 13, 2012 4:41 PM, "Daniel Chenault" 
mailto:dchena...@lgnetworksinc.com>> wrote:
Used P4 with 2G RAM, 500M hard drive: ~100
Your favorite flavor of Linux distro: free
DNS and DHCP: free with OS

Image it, lock it down tight and let 'er rip.

Daniel Chenault
dchena...@lgnetworksinc.com<mailto:dchena...@lgnetworksinc.com>
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com<mailto:ncm...@gmail.com>]
Sent: Wednesday, June 13, 2012 3:20 PM
To: NT System Admin Issues
Subject: Active Directory Appliance?


My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP 
hardware appliances, but I don't see anything for Active Directory 2003/2008. 
I'm only interested in this for remote offices, not for my core. The idea would 
be to eliminate buying a server, maintaining that server, the OS, etc, for our 
remote offices.

Does such exist, and if so, does the collective brain trust have any experience 
with them?

TIA,

Jonathan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Jonathan]

Not interested in anything home-brewed.
On Jun 13, 2012 4:41 PM, "Daniel Chenault" 
wrote:

>  Used P4 with 2G RAM, 500M hard drive: ~100
>
> Your favorite flavor of Linux distro: free
>
> DNS and DHCP: free with OS
>
> ** **
>
> Image it, lock it down tight and let ‘er rip. 
>
> ** **
>
> Daniel Chenault
>
> dchena...@lgnetworksinc.com
>
> [image: Description: Description: cid:image001.jpg@01CCF24C.F9B05160]
>
> ** **
>
> *From:* Jonathan [mailto:ncm...@gmail.com]
> *Sent:* Wednesday, June 13, 2012 3:20 PM
> *To:* NT System Admin Issues
> *Subject:* Active Directory Appliance?
>
> ** **
>
> My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP
> hardware appliances, but I don't see anything for Active Directory
> 2003/2008. I'm only interested in this for remote offices, not for my core.
> The idea would be to eliminate buying a server, maintaining that server,
> the OS, etc, for our remote offices.
>
> Does such exist, and if so, does the collective brain trust have any
> experience with them?
>
> TIA,
>
> Jonathan
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: Active Directory Appliance?

[Jonathan]

Authentication survivability at the remote site for access to local
resources (primarily file and print).
On Jun 13, 2012 4:52 PM, "Free, Bob"  wrote:

>  I have never come across such a beast.
>
> ** **
>
> Question in my mind would be more like “why are you deploying DCs
> remotely” 
>
> ** **
>
> ** **
>
> *From:* Jonathan [mailto:ncm...@gmail.com]
> *Sent:* Wednesday, June 13, 2012 1:20 PM
> *To:* NT System Admin Issues
> *Subject:* [dkim-failure] Active Directory Appliance?
>
> ** **
>
> My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP
> hardware appliances, but I don't see anything for Active Directory
> 2003/2008. I'm only interested in this for remote offices, not for my core.
> The idea would be to eliminate buying a server, maintaining that server,
> the OS, etc, for our remote offices.
>
> Does such exist, and if so, does the collective brain trust have any
> experience with them?
>
> TIA,
>
> Jonathan
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Active Directory Appliance?

[Daniel Chenault]

Used P4 with 2G RAM, 500M hard drive: ~100
Your favorite flavor of Linux distro: free
DNS and DHCP: free with OS

Image it, lock it down tight and let 'er rip.

Daniel Chenault
dchena...@lgnetworksinc.com
[Description: Description: cid:image001.jpg@01CCF24C.F9B05160]

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 3:20 PM
To: NT System Admin Issues
Subject: Active Directory Appliance?


My Google-fu seems to be failing me. I know that infoblox has DNS and DHCP 
hardware appliances, but I don't see anything for Active Directory 2003/2008. 
I'm only interested in this for remote offices, not for my core. The idea would 
be to eliminate buying a server, maintaining that server, the OS, etc, for our 
remote offices.

Does such exist, and if so, does the collective brain trust have any experience 
with them?

TIA,

Jonathan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

Re: Active Directory Management

[helpdesk UK]

Thank you everyone who have responded and also taken the time to read this
post.

After looking at some products including the ones suggested above..

AD Manger Plus etc...


the customer has decided to go for
http://powergui.org/jiveHome/themes/powergui/sbin/releasenotes/PowerGUI_2.0_ReleaseNotes.htm


cheers

Rob



2010/1/26 Christopher Bodnar 

>  I’ve used NetIQ DRA at a few different places and like it for user
> provisioning.
>
>
>
> http://www.netiq.com/products/dra/default.asp
>
>
>
>
>
> YMMV
>
>
>
>
>
> Chris Bodnar, MCSE
> Sr. Systems Engineer
> Infrastructure Service Delivery
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: christopher_bod...@glic.com
> Phone: 610-807-6459
> Fax: 610-807-6003
>   --
>
> *From:* uk.helpd...@gmail.com [mailto:uk.helpd...@gmail.com]
> *Sent:* Tuesday, January 26, 2010 11:50 AM
>
> *To:* NT System Admin Issues
> *Subject:* Active Directory Management
>
>
>
> Hello Everyone,
>
>
>
> One of our customers was looking for buying a product which helps them with
> AD User Management for Windows 2008.
>
>
>
> They have been using scripts and batch files all over the place for Win2k3
> but now moving to Win 2008 and want to invest in a tool which will save
> time:
>
>
>
> This is a education environment...
>
>
>
> 1. User creation
>
> 2. Modification
>
> 3. Home Drive shares
>
> 4. etc...
>
>
>
> I am sure some of you here have either seen others use it or using it
> yourself.
>
>
>
> I will sincerely appreciate any help & your views.
>
>
>
> Thank you in advance for all your help
>
>
>
> cheers
>
>
>
> Rob
>
>
>
>
>
>
>
>
>
>  --
>
> * This message, and any attachments to it, may contain information that is
> privileged, confidential, and exempt from disclosure under applicable law.
> If the reader of this message is not the intended recipient, you are
> notified that any use, dissemination, distribution, copying, or
> communication of this message is strictly prohibited. If you have received
> this message in error, please notify the sender immediately by return e-mail
> and delete the message and any attachments. Thank you. *
>



-- 
Chris

MCP

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory Management

[Christopher Bodnar]

I've used NetIQ DRA at a few different places and like it for user
provisioning. 

 

http://www.netiq.com/products/dra/default.asp

 

 

YMMV

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

  _  

From: uk.helpd...@gmail.com [mailto:uk.helpd...@gmail.com] 
Sent: Tuesday, January 26, 2010 11:50 AM
To: NT System Admin Issues
Subject: Active Directory Management

 

Hello Everyone,

 

One of our customers was looking for buying a product which helps them
with AD User Management for Windows 2008.

 

They have been using scripts and batch files all over the place for Win2k3
but now moving to Win 2008 and want to invest in a tool which will save
time:

 

This is a education environment...

 

1. User creation

2. Modification

3. Home Drive shares

4. etc...

 

I am sure some of you here have either seen others use it or using it
yourself.

 

I will sincerely appreciate any help & your views.

 

Thank you in advance for all your help

 

cheers

 

Rob


 

 



-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory Management

[James Rankin]

DameWare or Hyena spring to mind for general tasks

2010/1/26 helpdesk UK 

> Hello Everyone,
>
> One of our customers was looking for buying a product which helps them with
> AD User Management for Windows 2008.
>
> They have been using scripts and batch files all over the place for Win2k3
> but now moving to Win 2008 and want to invest in a tool which will save
> time:
>
> This is a education environment...
>
> 1. User creation
> 2. Modification
> 3. Home Drive shares
> 4. etc...
>
> I am sure some of you here have either seen others use it or using it
> yourself.
>
> I will sincerely appreciate any help & your views.
>
> Thank you in advance for all your help
>
> cheers
>
> Rob
>
>
>
>
>
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory message on "home" PC

[RichardMcClary]

Well, it probably does not apply here...

1. (Trivial?)  Office 2003 (not 2007) used here

2. There is only once PC, and the printer is connected directly to the PC 
(most likely via USB)

3. The original poster to that forum said there were no issues when 
printing from the "main PC".  My coworker cannot get Office to print to 
the "main PC".

Should she try considering it to be a "network printer" and take that 
route?  Possibly deleting the printer and re-boot, hoping that 
Plug-and-Pray will fix things?

Thanks again.  At least that link hints that it is probably an MS system 
screwiness rather than a "loss of ownership" (crack/hack) issue (so we 
hope!).
--
richard

Stephan Barr  wrote on 12/08/2009 08:09:32 
AM:

> Check this...
> http://www.chicagotech.net/netforums/viewtopic.php?p=3875#3875

> On Tue, Dec 8, 2009 at 7:12 AM,  wrote:
> 
> Greetings! 
> 
> A coworker just approached me with a paper on which she'd written a 
> screen message... 
> 
> She has some flavor of Vista Home (Premium?) and (she hopes!) is the
> sole user.  There are no other PCs in her condo. 
> 
> "Recently", she has experienced a pretty disturbing problem.  She 
> can go to the Control Panel for "printers" and print a test page on 
> her printer with no issues. 
> 
> On the other hand, when she tries to print to Word (Office 2003), 
> she gets this: 
> 
> "The Active Directory Domain Services is currently unavailable" 
>  (and, she cannot print). 
> 
> She is disturbed that she cannot print.  I am concerned that Active 
> Directory Domain Services on a machine which not only should not be 
> on any network (other than Comcast cable IP service) and, being a 
> "home" version, should not even be able to belong to an AD domain. 
> 
> Any ideas?  Thanks!
> -- 
> Richard D. McClary 
> Systems Administrator, Information Technology Group 
>   
> ASPCA® 
> 1717 S. Philo Rd, Ste 36 
> Urbana, IL  61802 
>   
> richardmccl...@aspca.org 
>   
> P: 217-337-9761 
> C: 217-417-1182 
> F: 217-337-9761 
> www.aspca.org 
> 
>  
> 
> The information contained in this e-mail, and any attachments 
> hereto, is from The American Society for the Prevention of Cruelty to 
Animals®
> (ASPCA®) and is intended only for use by the addressee(s) named 
> herein and may contain legally privileged and/or confidential 
> information. If you are not the intended recipient of this e-mail, 
> you are hereby notified that any dissemination, distribution, 
> copying or use of the contents of this e-mail, and any attachments 
> hereto, is strictly prohibited. If you have received this e-mail in 
> error, please immediately notify me by reply email and permanently 
> delete the original and any copy of this e-mail and any printout 
thereof. 
>   
>  
>  
> 
> 
> 
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory message on "home" PC

[Stephan Barr]

Check this...
http://www.chicagotech.net/netforums/viewtopic.php?p=3875#3875

On Tue, Dec 8, 2009 at 7:12 AM,  wrote:

>
> Greetings!
>
> A coworker just approached me with a paper on which she'd written a screen
> message...
>
> She has some flavor of Vista Home (Premium?) and (she hopes!) is the sole
> user.  There are no other PCs in her condo.
>
> "Recently", she has experienced a pretty disturbing problem.  She can go to
> the Control Panel for "printers" and print a test page on her printer with
> no issues.
>
> On the other hand, when she tries to print to Word (Office 2003), she gets
> this:
>
> "The Active Directory Domain Services is currently unavailable"  (and, she
> cannot print).
>
> She is disturbed that she cannot print.  I am concerned that Active
> Directory Domain Services on a machine which not only should not be on any
> network (other than Comcast cable IP service) and, being a "home" version,
> should not even be able to belong to an AD domain.
>
> Any ideas?  Thanks!
> --
> Richard D. McClary
> Systems Administrator, Information Technology Group
>
> *ASPCA®*
> 1717 S. Philo Rd, Ste 36
> Urbana, IL  61802
>
> richardmccl...@aspca.org
>
> P: 217-337-9761
> C: 217-417-1182
> F: 217-337-9761
> *www.aspca.org* 
>
>
>
>
> The information contained in this e-mail, and any attachments hereto, is
> from The American Society for the Prevention of Cruelty to Animals® (ASPCA
> ®) and is intended only for use by the addressee(s) named herein and may
> contain legally privileged and/or confidential information. If you are not
> the intended recipient of this e-mail, you are hereby notified that any
> dissemination, distribution, copying or use of the contents of this e-mail,
> and any attachments hereto, is strictly prohibited. If you have received
> this e-mail in error, please immediately notify me by reply email and
> permanently delete the original and any copy of this e-mail and any printout
> thereof.
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory design in the win2008 R2 world

[Pauls Hotmail]

Thanks to all who replied, - seems like my instincts are still fairly well
on the money... one thing that would really seal the deal for me would be
something documented, ideally by Microsoft, that simply puts these points
into a straightforward recommendation of best practice, ideally with some
numbers to back it up... - you know the sort of thing that I can take into
the next planning meeting to argue my case against the other guys who are
pushing for more domains... I'm searching TechNet, MSDN and other such
knowledge repositories, and I've yet to find the exact article or doc that
would fit the bill.

 

For instance, I've seen mention of 100,000 objects as being a trigger for
considering additional domains, in other places I've seen 120,000 objects
stated. I'm also looking for something that gives an indication of DIT size
requirements for a given number of objects (e.g. does each user object
equate to an average size, like 2.5K per user or some such). - There used to
be an AD sizing tool available - and I've got an old copy here - but it
hasn't been updated for years, it appears to no longer be
available/supported direct from MS, and it won't run on Windows 7... Other
things like what actual amount of bandwidth is considered as "low" for
inter-site replication? - one article I saw suggested 28K!!! - I can't
believe anyone would seriously implement links that slow these days, so I
guess that must have been quite an old doc...

 

Anything with some numbers in it to back up the assertions that it seems we
broadly agree on would be an absolute boon!! - anyone know where/if this
doc/article lives?...

 

TIA

 

Paul G.

 

 

From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: 10 November 2009 17:22
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

Not much has although you should aim for a single domain forest. I think I
had some slides on that

 

Thanks,

Brian Desmond

br...@briandesmond.com

 

c - 312.731.3132

 

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com] 
Sent: Tuesday, November 10, 2009 11:13 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

Thanks Brian, definitely some food for thought there... I wonder if there's
an article somewhere that illuminates the rationale for selecting between
the various choices, - and indeed whether this has changed at all in light
of the W2008 landscape? - strikes me that not much seems to have changed
with regard to namespace planning since the original AD releases

 

Paul G.

 

 

From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: 10 November 2009 16:45
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

See the deck I sent earlier.

 

Doesn't really matter although I usually side with something registered. You
can either do a subdomain off the company's domain, use something like
company.net (I'm a fan of this one), or company.com or whatever. 

 

Thanks,

Brian Desmond

br...@briandesmond.com

 

c - 312.731.3132

 

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com] 
Sent: Tuesday, November 10, 2009 9:38 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

An additional query if I may... - What about DNS Namespace choice these
days? - I've always had a personal preference to keep internal AD & public
facing names unique & separate, i.e. NOT using the company's registered
internet domain name as the AD forest name. Obviously this has implications
for DNS configuration, but I've always felt it generally a "good thing" to
maintain isolation between the public & private sides. - Any need to publish
internal resource names outside of the corporate LAN can be achieved simply
enough with products & technologies designed expressly for that purpose...

 

Anyone have any reason to violently disagree with this approach? - care to
comment?

 

TIA

 

Paul G.

 

From: David Lum [mailto:david@nwea.org] 
Sent: 10 November 2009 14:19
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

+1 Domains are an administration boundary, not a traffic boundary. You will
have DC's and GC's all over the place but not different domains, and as you
said, since 2008 allows different password policies you don't even need
different domains for that.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

Agreed. 1 domain.

 

Additional complication requires justification. Ask them to quantify the
additional traffic load for the expected domain topology a

RE: Active Directory design in the win2008 R2 world

[Tim Vander Kooi]

Just be very sure that whatever you use internal is not something that someone 
else could register externally. That throws all kinds of wrenches in Exchange 
and OCS configurations.
Regards,
Tim

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 9:38 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

An additional query if I may... - What about DNS Namespace choice these days? - 
I've always had a personal preference to keep internal AD & public facing names 
unique & separate, i.e. NOT using the company's registered internet domain name 
as the AD forest name. Obviously this has implications for DNS configuration, 
but I've always felt it generally a "good thing" to maintain isolation between 
the public & private sides. - Any need to publish internal resource names 
outside of the corporate LAN can be achieved simply enough with products & 
technologies designed expressly for that purpose...

Anyone have any reason to violently disagree with this approach? - care to 
comment?

TIA

Paul G.

From: David Lum [mailto:david@nwea.org]
Sent: 10 November 2009 14:19
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

+1 Domains are an administration boundary, not a traffic boundary. You will 
have DC's and GC's all over the place but not different domains, and as you 
said, since 2008 allows different password policies you don't even need 
different domains for that.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

Agreed... 1 domain.

Additional complication requires justification. Ask them to quantify the 
additional traffic load for the expected domain topology and provide traffic 
statistics demonstrating that a single domain environment would be problematic.

-sc

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

What's the collective wisdom these days regarding the justification of 
deploying multiple domains as a means of limiting replication traffic? I have 
an instance here where every part of me wants to suggest a single forest/domain 
as the optimum solution, but a couple of other admins are pushing for multiple 
domains purely with the justification of controlling AD object replication. The 
AD will be a completely new implementation based on Win 2008 R2, there are 
about 8 countries in scope, but all have extremely good/fast MPLS WAN links 
between them. There are currently only about 1200 users in total, and Exchange 
2010 will be going in as well.

 I'm proposing a single domain, with multiple AD sites, as there's no other 
good reason for over-complicating the design with additional domains, i.e. none 
of the traditional justifications for adding additional domains apply in this 
case.. Plus I believe at least some of the traditional justifications no longer 
apply in W2008 anyway do they? - things like needing domains for the purpose of 
applying differing password policies for example, now that we have the new 
granular password policy ...

Can anyone point me in the direction of some best practice design guidelines 
that would cast some light on these questions? - it's been a few years since I 
was last "properly" involved in AD design, so I'm conscious that things have 
moved on in the AD world, and I probably need to take up-to-date information 
into consideration..

Many thanks.

Paul Gordon

















~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory design in the win2008 R2 world

[Brian Desmond]

Not much has although you should aim for a single domain forest. I think I had 
some slides on that

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 11:13 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

Thanks Brian, definitely some food for thought there... I wonder if there's an 
article somewhere that illuminates the rationale for selecting between the 
various choices, - and indeed whether this has changed at all in light of the 
W2008 landscape? - strikes me that not much seems to have changed with regard 
to namespace planning since the original AD releases

Paul G.


From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: 10 November 2009 16:45
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

See the deck I sent earlier.

Doesn't really matter although I usually side with something registered. You 
can either do a subdomain off the company's domain, use something like 
company.net (I'm a fan of this one), or company.com or whatever.

Thanks,
Brian Desmond
br...@briandesmond.com<mailto:br...@briandesmond.com>

c - 312.731.3132

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 9:38 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

An additional query if I may... - What about DNS Namespace choice these days? - 
I've always had a personal preference to keep internal AD & public facing names 
unique & separate, i.e. NOT using the company's registered internet domain name 
as the AD forest name. Obviously this has implications for DNS configuration, 
but I've always felt it generally a "good thing" to maintain isolation between 
the public & private sides. - Any need to publish internal resource names 
outside of the corporate LAN can be achieved simply enough with products & 
technologies designed expressly for that purpose...

Anyone have any reason to violently disagree with this approach? - care to 
comment?

TIA

Paul G.

From: David Lum [mailto:david@nwea.org]
Sent: 10 November 2009 14:19
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

+1 Domains are an administration boundary, not a traffic boundary. You will 
have DC's and GC's all over the place but not different domains, and as you 
said, since 2008 allows different password policies you don't even need 
different domains for that.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

Agreed... 1 domain.

Additional complication requires justification. Ask them to quantify the 
additional traffic load for the expected domain topology and provide traffic 
statistics demonstrating that a single domain environment would be problematic.

-sc

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

What's the collective wisdom these days regarding the justification of 
deploying multiple domains as a means of limiting replication traffic? I have 
an instance here where every part of me wants to suggest a single forest/domain 
as the optimum solution, but a couple of other admins are pushing for multiple 
domains purely with the justification of controlling AD object replication. The 
AD will be a completely new implementation based on Win 2008 R2, there are 
about 8 countries in scope, but all have extremely good/fast MPLS WAN links 
between them. There are currently only about 1200 users in total, and Exchange 
2010 will be going in as well.

 I'm proposing a single domain, with multiple AD sites, as there's no other 
good reason for over-complicating the design with additional domains, i.e. none 
of the traditional justifications for adding additional domains apply in this 
case.. Plus I believe at least some of the traditional justifications no longer 
apply in W2008 anyway do they? - things like needing domains for the purpose of 
applying differing password policies for example, now that we have the new 
granular password policy ...

Can anyone point me in the direction of some best practice design guidelines 
that would cast some light on these questions? - it's been a few years since I 
was last "properly" involved in AD design, so I'm conscious that things have 
moved on in the AD world, and I probably need to take up-to-date information 
into consideration..

Many thanks.

Paul Gordon

























~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory design in the win2008 R2 world

[Pauls Hotmail]

Thanks Brian, definitely some food for thought there... I wonder if there's
an article somewhere that illuminates the rationale for selecting between
the various choices, - and indeed whether this has changed at all in light
of the W2008 landscape? - strikes me that not much seems to have changed
with regard to namespace planning since the original AD releases

 

Paul G.

 

 

From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: 10 November 2009 16:45
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

See the deck I sent earlier.

 

Doesn't really matter although I usually side with something registered. You
can either do a subdomain off the company's domain, use something like
company.net (I'm a fan of this one), or company.com or whatever. 

 

Thanks,

Brian Desmond

br...@briandesmond.com

 

c - 312.731.3132

 

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com] 
Sent: Tuesday, November 10, 2009 9:38 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

An additional query if I may... - What about DNS Namespace choice these
days? - I've always had a personal preference to keep internal AD & public
facing names unique & separate, i.e. NOT using the company's registered
internet domain name as the AD forest name. Obviously this has implications
for DNS configuration, but I've always felt it generally a "good thing" to
maintain isolation between the public & private sides. - Any need to publish
internal resource names outside of the corporate LAN can be achieved simply
enough with products & technologies designed expressly for that purpose...

 

Anyone have any reason to violently disagree with this approach? - care to
comment?

 

TIA

 

Paul G.

 

From: David Lum [mailto:david@nwea.org] 
Sent: 10 November 2009 14:19
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

+1 Domains are an administration boundary, not a traffic boundary. You will
have DC's and GC's all over the place but not different domains, and as you
said, since 2008 allows different password policies you don't even need
different domains for that.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

Agreed. 1 domain.

 

Additional complication requires justification. Ask them to quantify the
additional traffic load for the expected domain topology and provide traffic
statistics demonstrating that a single domain environment would be
problematic.

 

-sc 

 

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com] 
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

 

What's the collective wisdom these days regarding the justification of
deploying multiple domains as a means of limiting replication traffic? I
have an instance here where every part of me wants to suggest a single
forest/domain as the optimum solution, but a couple of other admins are
pushing for multiple domains purely with the justification of controlling AD
object replication. The AD will be a completely new implementation based on
Win 2008 R2, there are about 8 countries in scope, but all have extremely
good/fast MPLS WAN links between them. There are currently only about 1200
users in total, and Exchange 2010 will be going in as well.

 

 I'm proposing a single domain, with multiple AD sites, as there's no other
good reason for over-complicating the design with additional domains, i.e.
none of the traditional justifications for adding additional domains apply
in this case.. Plus I believe at least some of the traditional
justifications no longer apply in W2008 anyway do they? - things like
needing domains for the purpose of applying differing password policies for
example, now that we have the new granular password policy ...

 

Can anyone point me in the direction of some best practice design guidelines
that would cast some light on these questions? - it's been a few years since
I was last "properly" involved in AD design, so I'm conscious that things
have moved on in the AD world, and I probably need to take up-to-date
information into consideration..

 

Many thanks.

 

Paul Gordon

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory design in the win2008 R2 world

[Brian Desmond]

See the deck I sent earlier.

Doesn't really matter although I usually side with something registered. You 
can either do a subdomain off the company's domain, use something like 
company.net (I'm a fan of this one), or company.com or whatever.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 9:38 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

An additional query if I may... - What about DNS Namespace choice these days? - 
I've always had a personal preference to keep internal AD & public facing names 
unique & separate, i.e. NOT using the company's registered internet domain name 
as the AD forest name. Obviously this has implications for DNS configuration, 
but I've always felt it generally a "good thing" to maintain isolation between 
the public & private sides. - Any need to publish internal resource names 
outside of the corporate LAN can be achieved simply enough with products & 
technologies designed expressly for that purpose...

Anyone have any reason to violently disagree with this approach? - care to 
comment?

TIA

Paul G.

From: David Lum [mailto:david@nwea.org]
Sent: 10 November 2009 14:19
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

+1 Domains are an administration boundary, not a traffic boundary. You will 
have DC's and GC's all over the place but not different domains, and as you 
said, since 2008 allows different password policies you don't even need 
different domains for that.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

Agreed... 1 domain.

Additional complication requires justification. Ask them to quantify the 
additional traffic load for the expected domain topology and provide traffic 
statistics demonstrating that a single domain environment would be problematic.

-sc

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

What's the collective wisdom these days regarding the justification of 
deploying multiple domains as a means of limiting replication traffic? I have 
an instance here where every part of me wants to suggest a single forest/domain 
as the optimum solution, but a couple of other admins are pushing for multiple 
domains purely with the justification of controlling AD object replication. The 
AD will be a completely new implementation based on Win 2008 R2, there are 
about 8 countries in scope, but all have extremely good/fast MPLS WAN links 
between them. There are currently only about 1200 users in total, and Exchange 
2010 will be going in as well.

 I'm proposing a single domain, with multiple AD sites, as there's no other 
good reason for over-complicating the design with additional domains, i.e. none 
of the traditional justifications for adding additional domains apply in this 
case.. Plus I believe at least some of the traditional justifications no longer 
apply in W2008 anyway do they? - things like needing domains for the purpose of 
applying differing password policies for example, now that we have the new 
granular password policy ...

Can anyone point me in the direction of some best practice design guidelines 
that would cast some light on these questions? - it's been a few years since I 
was last "properly" involved in AD design, so I'm conscious that things have 
moved on in the AD world, and I probably need to take up-to-date information 
into consideration..

Many thanks.

Paul Gordon

















~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory design in the win2008 R2 world

[Brian Desmond]

They are definitely a traffic boundary if you want them to be. This requires a 
lot more planning for it to actually be the case though.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, November 10, 2009 8:19 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

+1 Domains are an administration boundary, not a traffic boundary. You will 
have DC's and GC's all over the place but not different domains, and as you 
said, since 2008 allows different password policies you don't even need 
different domains for that.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

Agreed... 1 domain.

Additional complication requires justification. Ask them to quantify the 
additional traffic load for the expected domain topology and provide traffic 
statistics demonstrating that a single domain environment would be problematic.

-sc

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

What's the collective wisdom these days regarding the justification of 
deploying multiple domains as a means of limiting replication traffic? I have 
an instance here where every part of me wants to suggest a single forest/domain 
as the optimum solution, but a couple of other admins are pushing for multiple 
domains purely with the justification of controlling AD object replication. The 
AD will be a completely new implementation based on Win 2008 R2, there are 
about 8 countries in scope, but all have extremely good/fast MPLS WAN links 
between them. There are currently only about 1200 users in total, and Exchange 
2010 will be going in as well.

 I'm proposing a single domain, with multiple AD sites, as there's no other 
good reason for over-complicating the design with additional domains, i.e. none 
of the traditional justifications for adding additional domains apply in this 
case.. Plus I believe at least some of the traditional justifications no longer 
apply in W2008 anyway do they? - things like needing domains for the purpose of 
applying differing password policies for example, now that we have the new 
granular password policy ...

Can anyone point me in the direction of some best practice design guidelines 
that would cast some light on these questions? - it's been a few years since I 
was last "properly" involved in AD design, so I'm conscious that things have 
moved on in the AD world, and I probably need to take up-to-date information 
into consideration..

Many thanks.

Paul Gordon













~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory design in the win2008 R2 world

[Brian Desmond]

Think 120,000 users and really slow links before you need to even think about 
segregating replication.

Here is a deck on this topic I delivered a few weeks ago -  
http://cid-789d5ea8239c9672.skydrive.live.com/self.aspx/[ADUG]%20Slides%20and%20Stuff/Active%20Directory%20Design%20Workshop%20-%20Update.pptx.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 5:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

What's the collective wisdom these days regarding the justification of 
deploying multiple domains as a means of limiting replication traffic? I have 
an instance here where every part of me wants to suggest a single forest/domain 
as the optimum solution, but a couple of other admins are pushing for multiple 
domains purely with the justification of controlling AD object replication. The 
AD will be a completely new implementation based on Win 2008 R2, there are 
about 8 countries in scope, but all have extremely good/fast MPLS WAN links 
between them. There are currently only about 1200 users in total, and Exchange 
2010 will be going in as well.

 I'm proposing a single domain, with multiple AD sites, as there's no other 
good reason for over-complicating the design with additional domains, i.e. none 
of the traditional justifications for adding additional domains apply in this 
case.. Plus I believe at least some of the traditional justifications no longer 
apply in W2008 anyway do they? - things like needing domains for the purpose of 
applying differing password policies for example, now that we have the new 
granular password policy ...

Can anyone point me in the direction of some best practice design guidelines 
that would cast some light on these questions? - it's been a few years since I 
was last "properly" involved in AD design, so I'm conscious that things have 
moved on in the AD world, and I probably need to take up-to-date information 
into consideration..

Many thanks.

Paul Gordon





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory design in the win2008 R2 world

[Ben Scott]

On Tue, Nov 10, 2009 at 10:37 AM, Pauls Hotmail  wrote:
> What about DNS Namespace choice these days?

  This is something of a religious issue for some people.  :)

> I’ve always had a personal preference to keep internal AD & public
> facing names unique & separate ...

  As do all right-thinking sysadmins.  ;-)

  I favor using a registered domain name, so there is no possibility
of ever having a name collision, even in the event of a
merger/acquisition, or changes in the public DNS topology, or new
stuff that claims your unregistered domain name.  (Some
implementations of zeroconf want to use ".local".)

  I do accept a subdomain of the "regular" domain, e.g.,
"corp.example.com" or "inside.example.com" or "ad.example.com" or
what-have-you.

  The alternative is a "split DNS", where you have multiple disjoint
namespaces which the same name.  I regard that as an ugly kludge.

  My commentary on this, from way back:

  My objection to split DNS is simple: It is one more thing to go
wrong. If I can eliminate a place for something to go wrong, I will.
And when you are claiming authority for a DNS zone you are not
authoritative for (which is what split DNS is all about), there is the
potential for things to get out of sync. Sure, if you do it right,
nothing will, but *WHY* even open up the possibility, if it does not
get you *any* advantage?

  At the same time, I think using a separate DNS domain name has
several advantages:

* It keeps DNS names globally unique.

* It clearly identifies internal vs external resources in their name.

* You don't have to worry about keeping two different DNS zones in sync.

* Should you decide you want to expose your private DNS to the public
for any reason, you can still do so.

* Roaming systems which are sometimes outside the private network will
never get confused over which DNS zone is currently visible.

In short, it keeps separate things separate.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory design in the win2008 R2 world

[Pauls Hotmail]

An additional query if I may... - What about DNS Namespace choice these
days? - I've always had a personal preference to keep internal AD & public
facing names unique & separate, i.e. NOT using the company's registered
internet domain name as the AD forest name. Obviously this has implications
for DNS configuration, but I've always felt it generally a "good thing" to
maintain isolation between the public & private sides. - Any need to publish
internal resource names outside of the corporate LAN can be achieved simply
enough with products & technologies designed expressly for that purpose...

 

Anyone have any reason to violently disagree with this approach? - care to
comment?

 

TIA

 

Paul G.

 

From: David Lum [mailto:david@nwea.org] 
Sent: 10 November 2009 14:19
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

+1 Domains are an administration boundary, not a traffic boundary. You will
have DC's and GC's all over the place but not different domains, and as you
said, since 2008 allows different password policies you don't even need
different domains for that.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

 

Agreed. 1 domain.

 

Additional complication requires justification. Ask them to quantify the
additional traffic load for the expected domain topology and provide traffic
statistics demonstrating that a single domain environment would be
problematic.

 

-sc 

 

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com] 
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

 

What's the collective wisdom these days regarding the justification of
deploying multiple domains as a means of limiting replication traffic? I
have an instance here where every part of me wants to suggest a single
forest/domain as the optimum solution, but a couple of other admins are
pushing for multiple domains purely with the justification of controlling AD
object replication. The AD will be a completely new implementation based on
Win 2008 R2, there are about 8 countries in scope, but all have extremely
good/fast MPLS WAN links between them. There are currently only about 1200
users in total, and Exchange 2010 will be going in as well.

 

 I'm proposing a single domain, with multiple AD sites, as there's no other
good reason for over-complicating the design with additional domains, i.e.
none of the traditional justifications for adding additional domains apply
in this case.. Plus I believe at least some of the traditional
justifications no longer apply in W2008 anyway do they? - things like
needing domains for the purpose of applying differing password policies for
example, now that we have the new granular password policy ...

 

Can anyone point me in the direction of some best practice design guidelines
that would cast some light on these questions? - it's been a few years since
I was last "properly" involved in AD design, so I'm conscious that things
have moved on in the AD world, and I probably need to take up-to-date
information into consideration..

 

Many thanks.

 

Paul Gordon

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory design in the win2008 R2 world

[David Lum]

+1 Domains are an administration boundary, not a traffic boundary. You will 
have DC's and GC's all over the place but not different domains, and as you 
said, since 2008 allows different password policies you don't even need 
different domains for that.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

Agreed... 1 domain.

Additional complication requires justification. Ask them to quantify the 
additional traffic load for the expected domain topology and provide traffic 
statistics demonstrating that a single domain environment would be problematic.

-sc

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com]
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

What's the collective wisdom these days regarding the justification of 
deploying multiple domains as a means of limiting replication traffic? I have 
an instance here where every part of me wants to suggest a single forest/domain 
as the optimum solution, but a couple of other admins are pushing for multiple 
domains purely with the justification of controlling AD object replication. The 
AD will be a completely new implementation based on Win 2008 R2, there are 
about 8 countries in scope, but all have extremely good/fast MPLS WAN links 
between them. There are currently only about 1200 users in total, and Exchange 
2010 will be going in as well.

 I'm proposing a single domain, with multiple AD sites, as there's no other 
good reason for over-complicating the design with additional domains, i.e. none 
of the traditional justifications for adding additional domains apply in this 
case.. Plus I believe at least some of the traditional justifications no longer 
apply in W2008 anyway do they? - things like needing domains for the purpose of 
applying differing password policies for example, now that we have the new 
granular password policy ...

Can anyone point me in the direction of some best practice design guidelines 
that would cast some light on these questions? - it's been a few years since I 
was last "properly" involved in AD design, so I'm conscious that things have 
moved on in the AD world, and I probably need to take up-to-date information 
into consideration..

Many thanks.

Paul Gordon









~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory design in the win2008 R2 world

[Steven M. Caesare]

Agreed... 1 domain.

 

Additional complication requires justification. Ask them to quantify the
additional traffic load for the expected domain topology and provide
traffic statistics demonstrating that a single domain environment would
be problematic.

 

-sc 

 

From: Pauls Hotmail [mailto:paul_gor...@hotmail.com] 
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

 

What's the collective wisdom these days regarding the justification of
deploying multiple domains as a means of limiting replication traffic? I
have an instance here where every part of me wants to suggest a single
forest/domain as the optimum solution, but a couple of other admins are
pushing for multiple domains purely with the justification of
controlling AD object replication. The AD will be a completely new
implementation based on Win 2008 R2, there are about 8 countries in
scope, but all have extremely good/fast MPLS WAN links between them.
There are currently only about 1200 users in total, and Exchange 2010
will be going in as well.

 

 I'm proposing a single domain, with multiple AD sites, as there's no
other good reason for over-complicating the design with additional
domains, i.e. none of the traditional justifications for adding
additional domains apply in this case.. Plus I believe at least some of
the traditional justifications no longer apply in W2008 anyway do they?
- things like needing domains for the purpose of applying differing
password policies for example, now that we have the new granular
password policy ...

 

Can anyone point me in the direction of some best practice design
guidelines that would cast some light on these questions? - it's been a
few years since I was last "properly" involved in AD design, so I'm
conscious that things have moved on in the AD world, and I probably need
to take up-to-date information into consideration..

 

Many thanks.

 

Paul Gordon

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory U & C on Win 7

[Steven M. Caesare]

I'll try next time I get the chance. I'm just double-clicking from a
mapped drive at the moment.

 

-sc

 

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] 
Sent: Monday, November 09, 2009 8:51 AM
To: NT System Admin Issues
Subject: RE: Active Directory U & C on Win 7

 

Sounds a lot like when WS03 "blocks" programs run from the network.
What happens if you use the DNS name to connect to the UNC (or to map
the drive), and also add that DNS name into your trusted sites zone?

 

-Bonnie

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Sunday, November 08, 2009 5:50 AM
To: NT System Admin Issues
Subject: RE: Active Directory U & C on Win 7

 

Interestingly, when I save the .MSU file to a network share, and try to
execute form there, it barfs on me.

 

-sc

 

From: Ricardo Becerra [mailto:r...@mail.ucf.edu] 
Sent: Sunday, November 08, 2009 8:40 AM
To: NT System Admin Issues
Subject: Re: Active Directory U & C on Win 7

 

install RSAT tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4
313-A005-4E344E43997D&displaylang=en

>>> "Jim Dandy"  11/5/2009 6:45 PM >>>

Is there a way of running Active Directory Users and Computers on
Windows 7?  Thanks for your help.

 

Curt Finley

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory U & C on Win 7

[David Lum]

Copy it to your local machine, right click and make sure "unblock" isn't an 
option
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu]
Sent: Monday, November 09, 2009 5:51 AM
To: NT System Admin Issues
Subject: RE: Active Directory U & C on Win 7

Sounds a lot like when WS03 "blocks" programs run from the network.  What 
happens if you use the DNS name to connect to the UNC (or to map the drive), 
and also add that DNS name into your trusted sites zone?

-Bonnie

From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Sunday, November 08, 2009 5:50 AM
To: NT System Admin Issues
Subject: RE: Active Directory U & C on Win 7

Interestingly, when I save the .MSU file to a network share, and try to execute 
form there, it barfs on me.

-sc

From: Ricardo Becerra [mailto:r...@mail.ucf.edu]
Sent: Sunday, November 08, 2009 8:40 AM
To: NT System Admin Issues
Subject: Re: Active Directory U & C on Win 7

install RSAT tools 
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

>>> "Jim Dandy"  11/5/2009 6:45 PM >>>
Is there a way of running Active Directory Users and Computers on Windows 7?  
Thanks for your help.

Curt Finley

















~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory U & C on Win 7

[Miller Bonnie L .]

Sounds a lot like when WS03 "blocks" programs run from the network.  What 
happens if you use the DNS name to connect to the UNC (or to map the drive), 
and also add that DNS name into your trusted sites zone?

-Bonnie

From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Sunday, November 08, 2009 5:50 AM
To: NT System Admin Issues
Subject: RE: Active Directory U & C on Win 7

Interestingly, when I save the .MSU file to a network share, and try to execute 
form there, it barfs on me.

-sc

From: Ricardo Becerra [mailto:r...@mail.ucf.edu]
Sent: Sunday, November 08, 2009 8:40 AM
To: NT System Admin Issues
Subject: Re: Active Directory U & C on Win 7

install RSAT tools 
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

>>> "Jim Dandy"  11/5/2009 6:45 PM >>>
Is there a way of running Active Directory Users and Computers on Windows 7?  
Thanks for your help.

Curt Finley













~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory U & C on Win 7

[Ricardo Becerra]

I'm old school.. I usually copy stuff like this locally to my c drive, then log 
in locally as administrator to run the installer.

>>> "Steven M. Caesare"  11/8/2009 8:49 AM >>>

Interestingly, when I save the .MSU file to a network share, and try to execute 
form there, it barfs on me.
 
-sc
 

From:Ricardo Becerra [mailto:r...@mail.ucf.edu] 
Sent: Sunday, November 08, 2009 8:40 AM
To: NT System Admin Issues
Subject: Re: Active Directory U & C on Win 7

 
install RSAT tools 
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
 

>>> "Jim Dandy"  11/5/2009 6:45 PM >>>
Is there a way of running Active Directory Users and Computers on Windows 7?  
Thanks for your help.
 
Curt Finley
  
  

 
 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory U & C on Win 7

[Steven M. Caesare]

Interestingly, when I save the .MSU file to a network share, and try to
execute form there, it barfs on me.

 

-sc

 

From: Ricardo Becerra [mailto:r...@mail.ucf.edu] 
Sent: Sunday, November 08, 2009 8:40 AM
To: NT System Admin Issues
Subject: Re: Active Directory U & C on Win 7

 

install RSAT tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4
313-A005-4E344E43997D&displaylang=en

>>> "Jim Dandy"  11/5/2009 6:45 PM >>>

Is there a way of running Active Directory Users and Computers on
Windows 7?  Thanks for your help.

 

Curt Finley

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: Active Directory U & C on Win 7

[Ricardo Becerra]

install RSAT tools 
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
 

>>> "Jim Dandy"  11/5/2009 6:45 PM >>>

Is there a way of running Active Directory Users and Computers on Windows 7?  
Thanks for your help.
 
Curt Finley

 
 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory U & C on Win 7

[Joseph Heaton]

The RSAT tools?

>>> "Jim Dandy"  11/5/2009 3:45 PM >>>
Is there a way of running Active Directory Users and Computers on
Windows 7?  Thanks for your help.

 

Curt Finley


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory U & C on Win 7

[Terry Dickson]

Yes I have the Installer my assistant downloaded at Work and you can totally do 
ADUC from a Win7 Box.

From: Jim Dandy [jda...@asmail.ucdavis.edu]
Sent: Thursday, November 05, 2009 5:45 PM
To: NT System Admin Issues
Subject: Active Directory U & C on Win 7

Is there a way of running Active Directory Users and Computers on Windows 7?  
Thanks for your help.

Curt Finley





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory and Windows 7

[Steven M. Caesare]

If you download CSMenu you can get close.

-sc

> -Original Message-
> From: Peter van Houten [mailto:peter...@gmail.com]
> Sent: Wednesday, July 01, 2009 10:00 AM
> To: NT System Admin Issues
> Subject: Re: Active Directory and Windows 7
> 
> Yes, it does a faux classic look but one is unable to change the start
> menu to the old style [or at least I have not found a way...]
> 
> --
> Peter van Houten
> 
> On the 01/07/2009 15:47, Christopher Bodnar wrote the following:
> > Is that an option in Windows 7?
> >
> > Chris Bodnar, MCSE
> > Sr. Systems Engineer
> > Distributed Systems Service Delivery - Intel Services
> > Guardian Life Insurance Company of America
> > Email: christopher_bod...@glic.com
> <mailto:christopher_bod...@glic.com>
> > Phone: 610-807-6459
> > Fax: 610-807-6003
> >
> > -
> ---
> >
> > *From:* Jay Dale [mailto:jd...@xpresstel.com]
> > *Sent:* Wednesday, July 01, 2009 9:31 AM
> > *To:* NT System Admin Issues
> > *Subject:* RE: Active Directory and Windows 7
> >
> > In Vista, right click the Desktop, Choose Personalize, choose Themes,
> > then Windows Classic���J
> >
> > Thas what I do for users that have Vista.
> >
> > Jay
> >
> > *From:* John Aldrich [mailto:jaldr...@blueridgecarpet.com]
> > *Sent:* Wednesday, July 01, 2009 7:53 AM
> > *To:* NT System Admin Issues
> > *Subject:* RE: Active Directory and Windows 7
> >
> > YeaI figured that out. I **really** dislike the new look of Vista
> and
> > Windows 7. L I wish there were a way to go back to th�classic��� menu
> > style and control panel. L If there is an **easy** way to do it, I
> > havet found it. For example, thers no ���classi view option in
> > Control panel like there is in XP. **sigh** I guess the song says it
> > best: ��The times, they are a chang���� Doe�t mean I have to 
> > like
> it
> > though. J
> >
> > John-AldrichTile-Tools
> >
> > *From:* Mike Gill [mailto:lis...@canbyfoursquare.com]
> > *Sent:* Tuesday, June 30, 2009 9:03 PM
> > *To:* NT System Admin Issues
> > *Subject:* RE: Active Directory and Windows 7
> >
> > You can right-click Computer in the start menu. Is the same effect
> as
> > if the icon was on the desktop or in an Explorer window.
> >
> > --
> > Mike Gill
> >
> > *From:* John Aldrich [mailto:jaldr...@blueridgecarpet.com]
> > *Sent:* Tuesday, June 30, 2009 8:47 AM
> > *To:* NT System Admin Issues
> > *Subject:* Active Directory and Windows 7
> >
> > Disregard, please���. I figured it out. You connect to the A/D the same
> > way, is just that you have a harder time getting t�My Compute�
> L
> >
> > John-AldrichTile-Tools
> >
> >
> >
> >
> >
> > Checked by AVG - www.avg.com
> > Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date:
> > 06/30/09 11:37:00
> >
> >
> >
> >
> >
> >
> >
> > -
> ---
> >
> > * This message, and any attachments to it, may contain information
> that
> > is privileged, confidential, and exempt from disclosure under
> applicable
> > law. If the reader of this message is not the intended recipient, you
> > are notified that any use, dissemination, distribution, copying, or
> > communication of this message is strictly prohibited. If you have
> > received this message in error, please notify the sender immediately
> by
> > return e-mail and delete the message and any attachments. Thank you.
> *
> >
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: Active Directory and Windows 7

[Peter van Houten]

Yes, it does a faux classic look but one is unable to change the start
menu to the old style [or at least I have not found a way...]

--
Peter van Houten

On the 01/07/2009 15:47, Christopher Bodnar wrote the following:

Is that an option in Windows 7?

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com <mailto:christopher_bod...@glic.com>
Phone: 610-807-6459
Fax: 610-807-6003



*From:* Jay Dale [mailto:jd...@xpresstel.com]
*Sent:* Wednesday, July 01, 2009 9:31 AM
*To:* NT System Admin Issues
*Subject:* RE: Active Directory and Windows 7

In Vista, right click the Desktop, Choose Personalize, choose Themes,
then Windows Classic…J

That’s what I do for users that have Vista.

Jay

*From:* John Aldrich [mailto:jaldr...@blueridgecarpet.com]
*Sent:* Wednesday, July 01, 2009 7:53 AM
*To:* NT System Admin Issues
*Subject:* RE: Active Directory and Windows 7

Yeah…I figured that out. I **really** dislike the new look of Vista and
Windows 7. L I wish there were a way to go back to the “classic” menu
style and control panel. L If there is an **easy** way to do it, I
haven’t found it. For example, there’s no “classic” view option in
Control panel like there is in XP. **sigh** I guess the song says it
best: “…The times, they are a changin’” Doesn’t mean I have to like it
though. J

John-AldrichTile-Tools

*From:* Mike Gill [mailto:lis...@canbyfoursquare.com]
*Sent:* Tuesday, June 30, 2009 9:03 PM
*To:* NT System Admin Issues
*Subject:* RE: Active Directory and Windows 7

You can right-click Computer in the start menu. It’s the same effect as
if the icon was on the desktop or in an Explorer window.

--
Mike Gill

*From:* John Aldrich [mailto:jaldr...@blueridgecarpet.com]
*Sent:* Tuesday, June 30, 2009 8:47 AM
*To:* NT System Admin Issues
*Subject:* Active Directory and Windows 7

Disregard, please…. I figured it out. You connect to the A/D the same
way, it’s just that you have a harder time getting to “My Computer.” L

John-AldrichTile-Tools





Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date:
06/30/09 11:37:00









* This message, and any attachments to it, may contain information that
is privileged, confidential, and exempt from disclosure under applicable
law. If the reader of this message is not the intended recipient, you
are notified that any use, dissemination, distribution, copying, or
communication of this message is strictly prohibited. If you have
received this message in error, please notify the sender immediately by
return e-mail and delete the message and any attachments. Thank you. *



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory and Windows 7

[Steven M. Caesare]

Ayup.

 

-sc

 

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Wednesday, July 01, 2009 9:47 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

Is that an option in Windows 7? 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: Jay Dale [mailto:jd...@xpresstel.com] 
Sent: Wednesday, July 01, 2009 9:31 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

In Vista, right click the Desktop, Choose Personalize, choose Themes,
then Windows Classic...J

 

That's what I do for users that have Vista.

 

Jay

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Wednesday, July 01, 2009 7:53 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

Yeah...I figured that out. I *really* dislike the new look of Vista and
Windows 7. L I wish there were a way to go back to the "classic" menu
style and control panel. L If there is an *easy* way to do it, I haven't
found it. For example, there's no "classic" view option in Control panel
like there is in XP. *sigh* I guess the song says it best: "...The
times, they are a changin'" Doesn't mean I have to like it though. J

 

  

 

From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Tuesday, June 30, 2009 9:03 PM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

You can right-click Computer in the start menu. It's the same effect as
if the icon was on the desktop or in an Explorer window.

 

-- 
Mike Gill

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Tuesday, June 30, 2009 8:47 AM
To: NT System Admin Issues
Subject: Active Directory and Windows 7

 

Disregard, please I figured it out. You connect to the A/D the same
way, it's just that you have a harder time getting to "My Computer." L

 



 

 

 

 

 

Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date:
06/30/09 11:37:00

 

 

 

 

 

 



This message, and any attachments to it, may contain information that is
privileged, confidential, and exempt from disclosure under applicable
law. If the reader of this message is not the intended recipient, you
are notified that any use, dissemination, distribution, copying, or
communication of this message is strictly prohibited. If you have
received this message in error, please notify the sender immediately by
return e-mail and delete the message and any attachments. Thank you. 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~<><>

RE: Active Directory and Windows 7

[Christopher Bodnar]

Is that an option in Windows 7? 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

  _  

From: Jay Dale [mailto:jd...@xpresstel.com] 
Sent: Wednesday, July 01, 2009 9:31 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

In Vista, right click the Desktop, Choose Personalize, choose Themes, then
Windows Classic.:-)

 

That's what I do for users that have Vista.

 

Jay

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Wednesday, July 01, 2009 7:53 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

Yeah.I figured that out. I *really* dislike the new look of Vista and
Windows 7. :-( I wish there were a way to go back to the "classic" menu
style and control panel. :-( If there is an *easy* way to do it, I haven't
found it. For example, there's no "classic" view option in Control panel
like there is in XP. *sigh* I guess the song says it best: ".The times,
they are a changin'" Doesn't mean I have to like it though. :-)

 

John-AldrichTile-Tools

 

From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Tuesday, June 30, 2009 9:03 PM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

You can right-click Computer in the start menu. It's the same effect as if
the icon was on the desktop or in an Explorer window.

 

-- 
Mike Gill

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Tuesday, June 30, 2009 8:47 AM
To: NT System Admin Issues
Subject: Active Directory and Windows 7

 

Disregard, please.. I figured it out. You connect to the A/D the same way,
it's just that you have a harder time getting to "My Computer." :-(

 

John-AldrichTile-Tools

 

 

 

 

 

Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date: 06/30/09
11:37:00

 

 

 

 



-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~<><>

RE: Active Directory and Windows 7

[John Aldrich]

Yeah. I don't really like having stuff hidden, though. that bugs the crap
out of me. J Oh, well. to each their own.

 

John-AldrichTile-Tools

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Wednesday, July 01, 2009 9:03 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

The task bar behavioral changes alone are enuff to have made the Win7 the
main OS on a couple of machines for me.

 

-sc

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Wednesday, July 01, 2009 8:53 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

Yeah.I figured that out. I *really* dislike the new look of Vista and
Windows 7. L I wish there were a way to go back to the "classic" menu style
and control panel. L If there is an *easy* way to do it, I haven't found it.
For example, there's no "classic" view option in Control panel like there is
in XP. *sigh* I guess the song says it best: ".The times, they are a
changin'" Doesn't mean I have to like it though. J

 

John-AldrichTile-Tools

 

From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Tuesday, June 30, 2009 9:03 PM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

You can right-click Computer in the start menu. It's the same effect as if
the icon was on the desktop or in an Explorer window.

 

-- 
Mike Gill

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Tuesday, June 30, 2009 8:47 AM
To: NT System Admin Issues
Subject: Active Directory and Windows 7

 

Disregard, please.. I figured it out. You connect to the A/D the same way,
it's just that you have a harder time getting to "My Computer." L

 

John-AldrichTile-Tools

 

 

 

 

 

Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date: 06/30/09
11:37:00

 

 

 

 

Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date: 07/01/09
05:53:00


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~<><><>

RE: Active Directory and Windows 7

[Jay Dale]

In Vista, right click the Desktop, Choose Personalize, choose Themes,
then Windows Classic...J

 

That's what I do for users that have Vista.

 

Jay

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Wednesday, July 01, 2009 7:53 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

Yeah...I figured that out. I *really* dislike the new look of Vista and
Windows 7. L I wish there were a way to go back to the "classic" menu
style and control panel. L If there is an *easy* way to do it, I haven't
found it. For example, there's no "classic" view option in Control panel
like there is in XP. *sigh* I guess the song says it best: "...The
times, they are a changin'" Doesn't mean I have to like it though. J

 

  

 

From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Tuesday, June 30, 2009 9:03 PM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

You can right-click Computer in the start menu. It's the same effect as
if the icon was on the desktop or in an Explorer window.

 

-- 
Mike Gill

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Tuesday, June 30, 2009 8:47 AM
To: NT System Admin Issues
Subject: Active Directory and Windows 7

 

Disregard, please I figured it out. You connect to the A/D the same
way, it's just that you have a harder time getting to "My Computer." L

 



 

 

 

 

 

Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date:
06/30/09 11:37:00

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~<><>

RE: Active Directory and Windows 7

[Steven M. Caesare]

The task bar behavioral changes alone are enuff to have made the Win7
the main OS on a couple of machines for me.

 

-sc

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Wednesday, July 01, 2009 8:53 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

Yeah...I figured that out. I *really* dislike the new look of Vista and
Windows 7. L I wish there were a way to go back to the "classic" menu
style and control panel. L If there is an *easy* way to do it, I haven't
found it. For example, there's no "classic" view option in Control panel
like there is in XP. *sigh* I guess the song says it best: "...The
times, they are a changin'" Doesn't mean I have to like it though. J

 

  

 

From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Tuesday, June 30, 2009 9:03 PM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

You can right-click Computer in the start menu. It's the same effect as
if the icon was on the desktop or in an Explorer window.

 

-- 
Mike Gill

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Tuesday, June 30, 2009 8:47 AM
To: NT System Admin Issues
Subject: Active Directory and Windows 7

 

Disregard, please I figured it out. You connect to the A/D the same
way, it's just that you have a harder time getting to "My Computer." L

 



 

 

 

 

 

Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date:
06/30/09 11:37:00

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~<><>

RE: Active Directory and Windows 7

[John Aldrich]

Yeah.I figured that out. I *really* dislike the new look of Vista and
Windows 7. L I wish there were a way to go back to the "classic" menu style
and control panel. L If there is an *easy* way to do it, I haven't found it.
For example, there's no "classic" view option in Control panel like there is
in XP. *sigh* I guess the song says it best: ".The times, they are a
changin'" Doesn't mean I have to like it though. J

 

John-AldrichTile-Tools

 

From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Tuesday, June 30, 2009 9:03 PM
To: NT System Admin Issues
Subject: RE: Active Directory and Windows 7

 

You can right-click Computer in the start menu. It's the same effect as if
the icon was on the desktop or in an Explorer window.

 

-- 
Mike Gill

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Tuesday, June 30, 2009 8:47 AM
To: NT System Admin Issues
Subject: Active Directory and Windows 7

 

Disregard, please.. I figured it out. You connect to the A/D the same way,
it's just that you have a harder time getting to "My Computer." L

 

John-AldrichTile-Tools

 

 

 

 

 

Checked by AVG - www.avg.com
Version: 8.5.375 / Virus Database: 270.13.0/2210 - Release Date: 06/30/09
11:37:00


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~<><>

RE: Active Directory and Windows 7

[Mike Gill]

You can right-click Computer in the start menu. It's the same effect as if
the icon was on the desktop or in an Explorer window.

 

-- 
Mike Gill

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Tuesday, June 30, 2009 8:47 AM
To: NT System Admin Issues
Subject: Active Directory and Windows 7

 

Disregard, please.. I figured it out. You connect to the A/D the same way,
it's just that you have a harder time getting to "My Computer." L

 

John-AldrichTile-Tools

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>

RE: Active Directory Responsibility question

[Barsodi.John]

Thanks for the feedback everyone.

I meant more than a few hundred users.  I know there are posters here, yourself 
included, that work in larger organizations.  I wanted that feedback.

Thanks!

- John Barsodi
From: Free, Bob [mailto:r...@pge.com]
Sent: Friday, April 17, 2009 5:57 PM
To: NT System Admin Issues
Subject: RE: Active Directory Responsibility question

Don't know what you mean by bit larger, we have a little over 20K regular 
users, only a SMB to some. I am one of 2.5 FTE's dedicated for AD support, we 
are in what is now called Windows Server Services under Computing Services 
which is under Infrastructure Services. Sr. Director has all IT Infrastructure, 
under her is  our Director who has all Computing from the mainframes down to 
the handhelds.. My manager is responsible for all elements of  ~1800 Wintel 
servers, my team lead has us AD folks, Exchange, BES, VMWARE, UNITY, the 
various product managers, a couple of system solution design types (we can't 
call them engineers anymore) and a couple of specialized services such as the 
Call and Billing Center  services. Then there are other separate teams for 
responsible for deployment, field operations and data center ops under Windows. 
There are similar manager level teams for mainframe, *nix, Web-cross platform 
and storage.

>From what I have seen it varies according to the organization, I know of one 
>large (~30 in the Fortune 500) financial Co in the US that has the Security 
>department govern everything related to AD as they are extremely 
>risk-avoidance driven and their IT process maturity is very high. They have 
>their processes so developed they run their high level AD groups empty.

There was a good discussion of this very subject on activedir in 2007 with some 
people responsible for large orgs weighing in. You can find in the 
www.activedir.org archives under "Active Directory Team Placement in an 
Organization"

http://www.activedir.org/ListArchives/tabid/55/forumid/1/tpage/1/view/topic/postid/23697/Default.aspx#23697

Brian D supports some very big environments, maybe he will weigh in

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Friday, April 17, 2009 4:32 PM
To: NT System Admin Issues
Subject: Active Directory Responsibility question

Question for you guysand this is geared to the people who work in a bit 
larger IT/IS Organizations.
What team within your IT/IS org has responsibility of your active directory 
environment?

I think it's typically in the System Administration realm, but if it's in 
another group/team i.e. Security - why?

Thanks.

- John Barsodi









~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory Responsibility question

[Webb, Brian (Corp)]

Bottom part of the Fortune 500 here:
 
We have a Windows Server Admin group that is responsible for the server
hardware, OS, deployment, and AD.  We have a separate security group
that sets policy and audits to ensure compliance with separate groups
for application software.  A weird fact - our AD forest is actually
controlled by a subsidiary so we can only manage AD at the Domain level.
 
Interestingly, we are getting VMWare in our group - I guess it roughly
corresponds to "hardware".
 
-Brian

 



From: Barsodi.John [mailto:john.bars...@igt.com] 
Sent: Friday, April 17, 2009 6:32 PM
To: NT System Admin Issues
Subject: Active Directory Responsibility question



Question for you guysand this is geared to the people who work in a
bit larger IT/IS Organizations.  
What team within your IT/IS org has responsibility of your active
directory environment?

 

I think it's typically in the System Administration realm, but if it's
in another group/team i.e. Security - why?

 

Thanks.

 

- John Barsodi

 

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory Responsibility question

[Don Kuhlman]

Yes - Wintel owns our AD architecture and server design/implementation while 
Security owns the audting, account creation, who gets what rights, and actions 
taken on violations from monitored events.  Kind of a partnership thing, but 
when people can't login  support goes straight to Intel.





From: Brian Desmond 
To: NT System Admin Issues 
Sent: Saturday, April 18, 2009 9:32:38 AM
Subject: RE: Active Directory Responsibility question


Many large orgs I have worked with have AD living in/under security. One of the 
large outsourcers has it arranged this way as well in fact.
 
I have also seen it inside of Wintel and Messaging teams.
 
Very large orgs typically can warranty a dedicated AD team so it’s just a 
matter of the management chain that it lives under. 
 
Thanks,
Brian Desmond
br...@briandesmond.com
 
c - 312.731.3132
 
From:Barsodi.John [mailto:john.bars...@igt.com] 
Sent: Friday, April 17, 2009 6:32 PM
To: NT System Admin Issues
Subject: Active Directory Responsibility question
 
Question for you guys….and this is geared to the people who work in a bit 
larger IT/IS Organizations.  
What team within your IT/IS org has responsibility of your active directory 
environment?
 
I think it’s typically in the System Administration realm, but if it’s in 
another group/team i.e. Security – why?
 
Thanks.
 
- John Barsodi


  
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory Responsibility question

[Brian Desmond]

Yep you are describing a typical large org that's been built on mergers and 
acquisitions. Some are further along at integration, others haven't started. 
Usually when CIOs are looking for a good "save money" project this rolls 
straight to the top as long as whoever is doing the accounting is using a 
special calculator that makes centralization projects look cheap and successful.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Saturday, April 18, 2009 6:40 PM
To: NT System Admin Issues
Subject: Re: Active Directory Responsibility question

On Sat, Apr 18, 2009 at 10:34 AM, Brian Desmond  wrote:
> I've seen quite a few customers where AD ops falls under the security
> umbrella. This is really a management chain discussion in the end.

  Not really AD specific, but: In some of the large aerospace
companies I've dealt with as customers of %DAYJOB%, their management
structure seems to be very distributed.  I suspect this stems from
their history of merges on top of mergers.  So they'll have local IT
and security departments with a fair degree of autonomy, and then
corporate supervision.  Different office locations will have different
"standards".  Makes for interesting an interesting time when you try
and integrate systems.  It appears some offices look to a corporate AD
department, while some have the local guys running their own show.

  And then there's outsourced services, where we can't talk to the
people doing the work, but the people we can talk to don't know
anything.  There's one particular SharePoint "extranet" site we're
supposed to be using.  They've been trying for over a year to get it
to work and they still can't.  But I digress.  :)

  At %DAYJOB%, we only have 120 people, and the IT department is me
and another guy.  If it uses 1s and 0s, it's our responsibility.  (If
it uses electricity and it's greasy or wet, it's maintenance,
otherwise, IT.)  That includes Active Directory.  Also servers,
desktops, networks,  applications, phones, IT security, Internet,
BlackBerry, electronic door locks, printers/scanners/fax... :)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: Active Directory Responsibility question

[Ben Scott]

On Sat, Apr 18, 2009 at 10:34 AM, Brian Desmond  wrote:
> I’ve seen quite a few customers where AD ops falls under the security
> umbrella. This is really a management chain discussion in the end.

  Not really AD specific, but: In some of the large aerospace
companies I've dealt with as customers of %DAYJOB%, their management
structure seems to be very distributed.  I suspect this stems from
their history of merges on top of mergers.  So they'll have local IT
and security departments with a fair degree of autonomy, and then
corporate supervision.  Different office locations will have different
"standards".  Makes for interesting an interesting time when you try
and integrate systems.  It appears some offices look to a corporate AD
department, while some have the local guys running their own show.

  And then there's outsourced services, where we can't talk to the
people doing the work, but the people we can talk to don't know
anything.  There's one particular SharePoint "extranet" site we're
supposed to be using.  They've been trying for over a year to get it
to work and they still can't.  But I digress.  :)

  At %DAYJOB%, we only have 120 people, and the IT department is me
and another guy.  If it uses 1s and 0s, it's our responsibility.  (If
it uses electricity and it's greasy or wet, it's maintenance,
otherwise, IT.)  That includes Active Directory.  Also servers,
desktops, networks,  applications, phones, IT security, Internet,
BlackBerry, electronic door locks, printers/scanners/fax... :)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory Responsibility question

[Brian Desmond]

I've seen quite a few customers where AD ops falls under the security umbrella. 
This is really a management chain discussion in the end.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, April 18, 2009 8:44 AM
To: NT System Admin Issues
Subject: RE: Active Directory Responsibility question

Generally there is a dedicated AD team for escalated issues (problems/issues) 
and monitoring (monitoring replication etc)

Common low-level tasks (like resetting passwords, account creation etc) would 
be handled by various other service desk type teams (usually using some kind of 
front end tool) - these may not be devoted to Wintel platforms, but might also 
handle passwords/access/user provisioning to multiple platforms (Mainframe, 
midrange, Wintel etc)

For project work (implementing new features - SSO, self-service PW reset etc), 
other teams might be involved.

Security is generally a platform agnostic unit IME, and doesn't manage AD 
specifically. It might set general standards and look at some risk issues, but 
isn't involved in the day-to-day operations of AD.

Cheers
Ken


From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Saturday, 18 April 2009 9:32 AM
To: NT System Admin Issues
Subject: Active Directory Responsibility question

Question for you guysand this is geared to the people who work in a bit 
larger IT/IS Organizations.
What team within your IT/IS org has responsibility of your active directory 
environment?

I think it's typically in the System Administration realm, but if it's in 
another group/team i.e. Security - why?

Thanks.

- John Barsodi









~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Active Directory Responsibility question

[Brian Desmond]

Many large orgs I have worked with have AD living in/under security. One of the 
large outsourcers has it arranged this way as well in fact.

I have also seen it inside of Wintel and Messaging teams.

Very large orgs typically can warranty a dedicated AD team so it's just a 
matter of the management chain that it lives under.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Friday, April 17, 2009 6:32 PM
To: NT System Admin Issues
Subject: Active Directory Responsibility question

Question for you guysand this is geared to the people who work in a bit 
larger IT/IS Organizations.
What team within your IT/IS org has responsibility of your active directory 
environment?

I think it's typically in the System Administration realm, but if it's in 
another group/team i.e. Security - why?

Thanks.

- John Barsodi





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory Responsibility question

[Ken Schaefer]

Generally there is a dedicated AD team for escalated issues (problems/issues) 
and monitoring (monitoring replication etc)

Common low-level tasks (like resetting passwords, account creation etc) would 
be handled by various other service desk type teams (usually using some kind of 
front end tool) - these may not be devoted to Wintel platforms, but might also 
handle passwords/access/user provisioning to multiple platforms (Mainframe, 
midrange, Wintel etc)

For project work (implementing new features - SSO, self-service PW reset etc), 
other teams might be involved.

Security is generally a platform agnostic unit IME, and doesn't manage AD 
specifically. It might set general standards and look at some risk issues, but 
isn't involved in the day-to-day operations of AD.

Cheers
Ken


From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Saturday, 18 April 2009 9:32 AM
To: NT System Admin Issues
Subject: Active Directory Responsibility question

Question for you guysand this is geared to the people who work in a bit 
larger IT/IS Organizations.
What team within your IT/IS org has responsibility of your active directory 
environment?

I think it's typically in the System Administration realm, but if it's in 
another group/team i.e. Security - why?

Thanks.

- John Barsodi





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory Responsibility question

[Free, Bob]

Don't know what you mean by bit larger, we have a little over 20K
regular users, only a SMB to some. I am one of 2.5 FTE's dedicated for
AD support, we are in what is now called Windows Server Services under
Computing Services which is under Infrastructure Services. Sr. Director
has all IT Infrastructure, under her is  our Director who has all
Computing from the mainframes down to the handhelds.. My manager is
responsible for all elements of  ~1800 Wintel servers, my team lead has
us AD folks, Exchange, BES, VMWARE, UNITY, the various product managers,
a couple of system solution design types (we can't call them engineers
anymore) and a couple of specialized services such as the Call and
Billing Center  services. Then there are other separate teams for
responsible for deployment, field operations and data center ops under
Windows. There are similar manager level teams for mainframe, *nix,
Web-cross platform and storage.

 

>From what I have seen it varies according to the organization, I know of
one large (~30 in the Fortune 500) financial Co in the US that has the
Security department govern everything related to AD as they are
extremely risk-avoidance driven and their IT process maturity is very
high. They have their processes so developed they run their high level
AD groups empty.

 

There was a good discussion of this very subject on activedir in 2007
with some people responsible for large orgs weighing in. You can find in
the www.activedir.org archives under "Active Directory Team Placement in
an Organization" 

 

http://www.activedir.org/ListArchives/tabid/55/forumid/1/tpage/1/view/to
pic/postid/23697/Default.aspx#23697  

 

Brian D supports some very big environments, maybe he will weigh in

 

From: Barsodi.John [mailto:john.bars...@igt.com] 
Sent: Friday, April 17, 2009 4:32 PM
To: NT System Admin Issues
Subject: Active Directory Responsibility question

 

Question for you guysand this is geared to the people who work in a
bit larger IT/IS Organizations.  
What team within your IT/IS org has responsibility of your active
directory environment?

 

I think it's typically in the System Administration realm, but if it's
in another group/team i.e. Security - why?

 

Thanks.

 

- John Barsodi

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory Responsibility question

[Jeremy Phillips]

In my experiences it varies by the organization. I've only once seen a security 
team involved in directory administration and I didn't ever ask them why. In 
very large organizations there is usually a dedicated directory services team 
for whatever that is worth.

Thanks,

Jeremy Phillips
Managing Consultant | Cohesive Logic  LLC | M: 540-322-7980 | BB PIN: 318A6889

From: Barsodi.John [john.bars...@igt.com]
Sent: Friday, April 17, 2009 4:31 PM
To: NT System Admin Issues
Subject: Active Directory Responsibility question

Question for you guys….and this is geared to the people who work in a bit 
larger IT/IS Organizations.
What team within your IT/IS org has responsibility of your active directory 
environment?

I think it’s typically in the System Administration realm, but if it’s in 
another group/team i.e. Security – why?

Thanks.

- John Barsodi





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory attribute query

[James Rankin]

Hmmm, yeah, I could probably dust off my old batch skills and come up with
something along those lines.

I will have a look-see

Cheers,

2009/1/7 Michael B. Smith 

>  Dsquery/dsmod; perhaps in an HTA wrapper – or a CMD/BAT wrapper would be
> easier.
>
>
>
> Similar idea for adfind/admod.
>
>
>
> Regards,
>
>
>
> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>
> My blog: http://TheEssentialExchange.com/blogs/michael
>
> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Wednesday, January 07, 2009 6:42 AM
> *To:* NT System Admin Issues
> *Subject:* Active Directory attribute query
>
>
>
> Hi all, Happy New Year, etc.
>
> For some reason the default printer for our users is set via an Active
> Directory attribute (don't ask why, before my time). I was wondering if
> there is any easy way to be able to change this, preferably through ADUC? At
> the minute I can only do it via Adsiedit.msc, which is not really what I
> want to be teaching my two newly-supplied first-line minions to utilise, as
> I can envisage one of them changing the wrong attribute and making an arse
> out of it.
>
> All suggestions welcome, Windows 2003 native AD.
>
> TIA,
>
>
>
>
> JRR
>
>
>
>
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory attribute query

[Michael B. Smith]

Dsquery/dsmod; perhaps in an HTA wrapper - or a CMD/BAT wrapper would be
easier.

 

Similar idea for adfind/admod.

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Wednesday, January 07, 2009 6:42 AM
To: NT System Admin Issues
Subject: Active Directory attribute query

 

Hi all, Happy New Year, etc.

For some reason the default printer for our users is set via an Active
Directory attribute (don't ask why, before my time). I was wondering if
there is any easy way to be able to change this, preferably through ADUC? At
the minute I can only do it via Adsiedit.msc, which is not really what I
want to be teaching my two newly-supplied first-line minions to utilise, as
I can envisage one of them changing the wrong attribute and making an arse
out of it.

All suggestions welcome, Windows 2003 native AD.

TIA,




JRR

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory group memberships

[James Rankin]

I have two main Citrix groups that deploy the application to the end-user
via thin client. I want to make it impossible for a user to be a member of
both of these groups, as my first-line colleagues are not very good at
listening to what I say.

2008/8/21 Russ Jackson <[EMAIL PROTECTED]>

> Not that I'm aware of -- can you give an example of what you would be
> trying to do with this?
>
>
> On Wed, Aug 20, 2008 at 12:35 AM, James Rankin <[EMAIL PROTECTED]>wrote:
>
>> Can't seem to find the right words for this query in Google - is there any
>> way in Active Directory to set two security groups so that a user can only
>> ever be a member of one of them?
>>
>> TIA,
>>
>>
>> JRR
>>
>>
>>
>>
>>
>>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Active Directory group memberships

[Russ Jackson]

Not that I'm aware of -- can you give an example of what you would be trying
to do with this?

On Wed, Aug 20, 2008 at 12:35 AM, James Rankin <[EMAIL PROTECTED]>wrote:

> Can't seem to find the right words for this query in Google - is there any
> way in Active Directory to set two security groups so that a user can only
> ever be a member of one of them?
>
> TIA,
>
>
> JRR
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Active Directory Rules

[Brian Caisse]

If you look at this registry setting: 

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

 

The keys and their value ranges are listed in the following table.

 

Automatic Updates Configuration Registry Keys

 Entry Name Value Range and Meanings Data Type 

AUOptions

 Range = 2|3|4|5

 

2 = Notify before download.

3 = Automatically download and notify of installation. 

4 = Automatic download and scheduled installation. (Only valid if values
exist for ScheduledInstallDay and ScheduledInstallTime.)

5 = Automatic Updates is required, but end users can configure it.

 

After you can change the setting and if the setting gets changed back to
auto install the GPO's are setting the value and you need to find the
"Configure Automatic Updates" setting and change it.

 

If you run the "Group Policy Results" against the server in question,
you can find Winning GPO that is making the change.

 

Ie

 

MyDomain\MyAdmin on MyDomain\MyDC

Data collected on: 3/4/2007 6:22:19 AM

show all

Windows Components/Windows Updatehide  

Policy

Setting

Winning GPO

Allow Automatic Updates immediate installation  

Enabled

WSUS for Servers

Automatic Updates detection frequency  

Enabled

WSUS for Servers

Check for updates at the following

interval (hours): 

1

Policy

Setting

Winning GPO

Configure Automatic Updates  

Enabled

WSUS for Servers

Configure automatic updating:

3 - Auto download and notify for install

The following settings are only required

and applicable if 4 is selected.

Scheduled install day: 

0 - Every day

Scheduled install time:

03:00

 

Hope this helps.

 

 

Brian Caisse, Network Administrator

Solid Waste Authority of PBC
  
7501 N Jog Road
West Palm Beach, FL 33412
http://www.swa.org   

 

 

 

From: Jim Majorowicz [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 6:49 PM
To: NT System Admin Issues
Subject: Active Directory Rules

 

I have a customer with two servers.  We had to remove WSUS from the
network because who ever set it up before borked the whole mess to the
point that:

 

1)  They were fired, and

2)  The customer doesn't want WSUS.

 

Now somewhere along the way of either the setup or the removal, the
servers got his with a Group Policy that forces them to *RUN* the
updates at 3 AM just like the default PC rules.  Obviously this is bad.
I ran the computers through Group Policy Results, and checked the GP
they have in common.  I did not that the Update Services Polices are in
fact gone, but I'm thinking they're somehow still being enforced.

 

How do I go about telling these servers to stop?  I tried restarting one
of them, but that didn't help.  Am I missing something in the registry
maybe?

 

Regards,

Jim Majorowicz, MCP

Sr. Network Engineer

 

Whitsell Computer Services

(503) 297-8440x12

www.whitsell.com

We can support you no matter where you are.  Ask me for details.

 

 

 

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~<><><>

RE: Active Directory Rules

[Martin Blackstone]

Run ClientDiag to see what the current settings are.

http://absoblogginlutely.net/mtblogarchive/005304.php

 

Then:

Start, run,

reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

 

Then run clientdiag to see if its still there.

 

 

From: Jim Majorowicz [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 3:49 PM
To: NT System Admin Issues
Subject: Active Directory Rules

 

I have a customer with two servers.  We had to remove WSUS from the network
because who ever set it up before borked the whole mess to the point that:

 

1)  They were fired, and

2)  The customer doesn't want WSUS.

 

Now somewhere along the way of either the setup or the removal, the servers
got his with a Group Policy that forces them to *RUN* the updates at 3 AM
just like the default PC rules.  Obviously this is bad.  I ran the computers
through Group Policy Results, and checked the GP they have in common.  I did
not that the Update Services Polices are in fact gone, but I'm thinking
they're somehow still being enforced.

 

How do I go about telling these servers to stop?  I tried restarting one of
them, but that didn't help.  Am I missing something in the registry maybe?

 

Regards,

Jim Majorowicz, MCP

Sr. Network Engineer

SBPI_US_rgb

Whitsell Computer Services

(503) 297-8440x12

www.whitsell.com

We can support you no matter where you are.  Ask me for details.

 

 

 

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~<>

RE: Active Directory Rules

[Barsodi.John]

While I don't know if the WSUS settings fail under this, I do know that
some GPO settings aren't removed if the computer fails out of the GPO
scope or the GPO is deleted.

 

http://www.gpoguy.com/FAQs/tattoo.htm

 

- John Barsodi

From: Jim Majorowicz [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 3:49 PM
To: NT System Admin Issues
Subject: Active Directory Rules

 

I have a customer with two servers.  We had to remove WSUS from the
network because who ever set it up before borked the whole mess to the
point that:

 

1)  They were fired, and

2)  The customer doesn't want WSUS.

 

Now somewhere along the way of either the setup or the removal, the
servers got his with a Group Policy that forces them to *RUN* the
updates at 3 AM just like the default PC rules.  Obviously this is bad.
I ran the computers through Group Policy Results, and checked the GP
they have in common.  I did not that the Update Services Polices are in
fact gone, but I'm thinking they're somehow still being enforced.

 

How do I go about telling these servers to stop?  I tried restarting one
of them, but that didn't help.  Am I missing something in the registry
maybe?

 

Regards,

Jim Majorowicz, MCP

Sr. Network Engineer

 

Whitsell Computer Services

(503) 297-8440x12

www.whitsell.com

We can support you no matter where you are.  Ask me for details.

 

 

 

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~<>

Re: Active Directory Mapper

[Joe Fox]

DUH - Nevermind.

Found a thread that I missed on the 6th.  I'm still playing catch-up on the
list.

Thanks.

Joe

On Thu, May 8, 2008 at 8:51 AM, Joe Fox <[EMAIL PROTECTED]> wrote:

> Good Morning.
>
> As I start a new job I'm finding that I need to map out and consolidate a
> few AD Domains.
>
> 1.  Does the AD Domain mapper work with Visio 2007?
> 2. What is the name of the bugger?  I can't seem to remember.
>
> Thanks.
>
> --
> Joe Fox
> Systems/Network Administrator
>
> Mobile# (716) 846-9308
> http://www.linkedin.com/in/josephfoxjr
>
> The information contained in this e-mail message, including any attached
> files, is intended only for the personal and confidential use of the
> recipient(s) named above. If you are not the intended recipient be advised
> that any unauthorized use, disclosure, copying, distribution or the taking
> of any action in reliance on the contents of this information is strictly
> prohibited. If you have received this email in error, please immediately
> notify the sender via telephone at 716-846-9308 or by return e-mail.
>
>


-- 
Joe Fox
Systems/Network Administrator

Mobile# (716) 846-9308
http://www.linkedin.com/in/josephfoxjr

The information contained in this e-mail message, including any attached
files, is intended only for the personal and confidential use of the
recipient(s) named above. If you are not the intended recipient be advised
that any unauthorized use, disclosure, copying, distribution or the taking
of any action in reliance on the contents of this information is strictly
prohibited. If you have received this email in error, please immediately
notify the sender via telephone at 716-846-9308 or by return e-mail.

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~

RE: Active Directory tests

[Ken Schaefer]

Do you want to start with Windows 2003? Or Windows 2008?

I found that the MS Press core exam kit for 2003 (that covered exams 290, 291, 
293 and 294) had pretty good content, and the CD that came with it had 
questions that were much tougher than the actual exams. If you can get 70% on 
the practise questions on that CD, you'll pass the actual exam without any 
issues.

That said, there are only really two exams that cover AD per se. 70-294 is the 
Active Directory operations/management exam, and 70-297 is the AD design exam 
(which is the horrible case study format). You'd only need to do 70-297 if you 
want to do your MCSE. All the other exams cover other stuff.

70-290 is pretty simple if you know all the features of Windows Server 2003 
(from shares to printers to clustering to setup etc - not in any depth, but 
just know your options).

70-291 and 70-293 cover mostly the same things - TCP/IP + subnetting, DHCP, 
DNS, WINS and similar technologies.

70-294 covers AD operations

Cheers
Ken

> -Original Message-
> From: David Lum [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 29 April 2008 8:01 AM
> To: NT System Admin Issues
> Subject: Active Directory tests
>
> Soafter "fighting" going after an MS cert for many years I've come
> to the conclusion it will help enhance my career (having no certs AND
> no
> college degree). I don't think I'm ready for a real test yet, but are
> there practice tests that are free? I'd like to pass the tests by just
> studying on my own, but I have no clue what the questions would look
> like...
>
> The last cert I had was a CNA for Novell back in 1995 (NetWare 4.x)
>
> Dave Lum  - Systems Engineer
> [EMAIL PROTECTED] - (971)-222-1025
> "When you step on the brakes your life is in your foot's hands"


~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~

Re: Active Directory User and Home Folder creation problems. FIXED.

[Eric E Eskam]

"Matthew W. Ross" <[EMAIL PROTECTED]> wrote on 01/25/2008 02:45:21 
PM:

> Reason I ask it because Full Control includes the power to 
> change permissions if the NTFS permissions allow it, correct? I
> want to avoid users from granting permissions of their own 
> folders to other users.

1st premise - the easier a configuration, the more likely you are to have 
it secured.

So what's easier? Having your NTFS permissions be correct, or trying to 
compensate for bad NTFS permissions by setting another layer of security?

What's easier to audit?

What's easier to decipher to figure out what the true effective 
permissions are?

I submit it's far easier (and more secure) to simply fix your NTFS 
permissions so they are correct, rather then trying to maintain multiple 
layers of permissions in a vain attempt to compensate for poor NTFS 
permissions.

Eric Eskam
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The contents of this message are mine personally and do not reflect any 
position of the U.S. Government
"The human mind treats a new idea the same way the body treats a strange 
protein; it rejects it."
-  P. B. Medawar

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~

Re: Active Directory User and Home Folder creation problems. FIXED.

[Eric E Eskam]

"Micheal Espinola Jr" <[EMAIL PROTECTED]> wrote on 01/25/2008 
03:25:09 PM:

> Share Permissions are a throw-back to pre-NTFS days.  It is best to
> avoid them completely.

Sigh - I have this argument continually.  No matter how many "I told you 
so" incidents where share permissions screwed something up in a 
non-obvious way can I convince some people to just leave them alone.  Unix 
and Netware work just fine with no share permissions (or shares for that 
matter, but that's another thread) - and most of the admins I work with 
are old Novel admins...  I just don't get it

Eric Eskam
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The contents of this message are mine personally and do not reflect any 
position of the U.S. Government
"The human mind treats a new idea the same way the body treats a strange 
protein; it rejects it."
-  P. B. Medawar
~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~

RE: Active Directory User and Home Folder creation problems. FIXED.

[Fogarty, Richard R Mr CTR USA USASOC]

Personally, and because of the problem you just ran into, I think you'll
find most people set the share to everyone full control, then lock it down
with NTFS permissions.  Just my $0.02

 

From: Matthew W. Ross [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 2:45 PM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems. FIXED.

 


Full Control, or just Write?

Reason I ask it because Full Control includes the power to change
permissions if the NTFS permissions allow it, correct? I want to avoid users
from granting permissions of their own folders to other users.

Otherwise, yes. that would be simple.

--Matt Ross

  _  

From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 11:39:43 -0800
Subject: Re: Active Directory User and Home Folder creation problems. FIXED.

Moving forward, I would recommend that you keep your share permissions
open to everyone full control, and apply your ACLs to NTFS.


On Jan 25, 2008 1:53 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
>
> Thanks for the link to the KB. Most useful stuff.
>
> Student Admins was/is a security group.
>
> Whatever the problem, It's fixed now. I explicitly gave the user
permissions
> to the Share and Folder. That seemed to have fixed the problem.
>
> Thanks for all your help.
>
> --Matt Ross
> 
> From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 10:24:56 -0800
> Subject: RE: Active Directory User and Home Folder creation problems.
>
>
>
>
> Have you seen this?
>
> http://support.microsoft.com/kb/555046/en-us
>
>
>
> Also, make sure your "student admins" group is a security group and not a
> distribution group.
>
>
>
> -Bonnie
>
>
>
>
> From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 9:52 AM
> To: NT System Admin Issues
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
>
>
> Okay, something just came up as a question...
>
> As the user who I want to have control, I am trying to manually set the
> permissions... and the "add" button is greyed out. Somehow this user
doesn't
> have permissions.
>
> But I don't see how she doesn't: She's a member of the Student Admins
group,
> which has Full Control of the Share and the root of the share's folder...
>
> I'm going to try to set her manually as full access. Why wouldn't the
Group
> propigate her permissions correctly? Arg!
>
> --Matt Ross
> 
>
>
> From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 09:38:40 -0800
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
> Just checked that...
>
> Everyone had "Change", while Administrators had "Full Control". I just
added
> the Student Admins to the list, and gave that group "Full Control" as
well.
>
> So, I'm testing this with her account... I logged off, logged back in as
> her, tried to create an account again... Same thing: Can create the
accout.
> Try to set the profile and home path and it complains it can't create the
> home folder (although it does) and does not set permissions correctly on
the
> folder.
>
> *stumped*
>
> --Matt Ross
> 
>
>
> From: Jon Harris [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 09:15:39 -0800
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
>
> Have you checked the Share rights?
>
>
>
>
>
> Jon
>
>
> On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]>
wrote:
>
>
>
> Greetings, List.
>
> I have delegated control of a part of Active Directory to a user in my
> School District. She is trying to create students as they come in.
>
> When she creates the student, she enters user's name, username and
password
> and finishes making the account. Account creates successfully. Then she
> edits the user to set the Profile and Home Folder path. After editing the
> path, she hits "OK" and the following error appears:
>
> The \\Servername\Share\username home folder was not created because you do
> not have create access on the server. The user account has been updated
with
> the new home folder value but you must create the directory manually after
> obtaining the required access rights.
>
> What's i

Re: Active Directory User and Home Folder creation problems. FIXED.

[Micheal Espinola Jr]

Full Control.  This will allow you to fully control any and all users
to the precise rights that you want to - all in NTFS.

Share Permissions are a throw-back to pre-NTFS days.  It is best to
avoid them completely.


On Jan 25, 2008 2:45 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
>
> Full Control, or just Write?
>
> Reason I ask it because Full Control includes the power to change
> permissions if the NTFS permissions allow it, correct? I want to avoid users
> from granting permissions of their own folders to other users.
>
> Otherwise, yes. that would be simple.
>
> --Matt Ross
> 
> From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
>
> To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 11:39:43 -0800
> Subject: Re: Active Directory User and Home Folder creation problems. FIXED.
>
>
>
> Moving forward, I would recommend that you keep your share permissions
> open to everyone full control, and apply your ACLs to NTFS.
>
>
> On Jan 25, 2008 1:53 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
> >
> > Thanks for the link to the KB. Most useful stuff.
> >
> > Student Admins was/is a security group.
> >
> > Whatever the problem, It's fixed now. I explicitly gave the user
> permissions
> > to the Share and Folder. That seemed to have fixed the problem.
> >
> > Thanks for all your help.
> >
> > --Matt Ross
> > 
> > From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
> > To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> > Sent: Fri, 25 Jan 2008 10:24:56 -0800
> > Subject: RE: Active Directory User and Home Folder creation problems.
> >
> >
> >
> >
> > Have you seen this?
> >
> > http://support.microsoft.com/kb/555046/en-us
> >
> >
> >
> > Also, make sure your "student admins" group is a security group and not a
> > distribution group.
> >
> >
> >
> > -Bonnie
> >
> >
> >
> >
> > From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 25, 2008 9:52 AM
> > To: NT System Admin Issues
> > Subject: Re: Active Directory User and Home Folder creation problems.
> >
> >
> >
> >
> > Okay, something just came up as a question...
> >
> > As the user who I want to have control, I am trying to manually set the
> > permissions... and the "add" button is greyed out. Somehow this user
> doesn't
> > have permissions.
> >
> > But I don't see how she doesn't: She's a member of the Student Admins
> group,
> > which has Full Control of the Share and the root of the share's folder...
> >
> > I'm going to try to set her manually as full access. Why wouldn't the
> Group
> > propigate her permissions correctly? Arg!
> >
> > --Matt Ross
> > 
> >
> >
> > From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> > To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> > Sent: Fri, 25 Jan 2008 09:38:40 -0800
> > Subject: Re: Active Directory User and Home Folder creation problems.
> >
> >
> > Just checked that...
> >
> > Everyone had "Change", while Administrators had "Full Control". I just
> added
> > the Student Admins to the list, and gave that group "Full Control" as
> well.
> >
> > So, I'm testing this with her account... I logged off, logged back in as
> > her, tried to create an account again... Same thing: Can create the
> accout.
> > Try to set the profile and home path and it complains it can't create the
> > home folder (although it does) and does not set permissions correctly on
> the
> > folder.
> >
> > *stumped*
> >
> > --Matt Ross
> > 
> >
> >
> > From: Jon Harris [mailto:[EMAIL PROTECTED]
> > To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> > Sent: Fri, 25 Jan 2008 09:15:39 -0800
> > Subject: Re: Active Directory User and Home Folder creation problems.
> >
> >
> >
> > Have you checked the Share rights?
> >
> >
> >
> >
> >
> > Jon
> >
> >
> > On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]>
> wrote:
> >
> >
> >
> > Greetings, List.
> >
> > I have delegated control of a part of Active Directory to a user in my
> > School District. She is trying to create students as they come in.
> >
> &g

RE: Active Directory User and Home Folder creation problems. FIXE D.

[Louis, Joe]

Agreed.  

-Original Message-
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 2:40 PM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems. FIXED.

Moving forward, I would recommend that you keep your share permissions open
to everyone full control, and apply your ACLs to NTFS.


On Jan 25, 2008 1:53 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
>
> Thanks for the link to the KB. Most useful stuff.
>
> Student Admins was/is a security group.
>
> Whatever the problem, It's fixed now. I explicitly gave the user 
> permissions to the Share and Folder. That seemed to have fixed the
problem.
>
> Thanks for all your help.
>
> --Matt Ross
> 
> From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues 
> [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 10:24:56 -0800
> Subject: RE: Active Directory User and Home Folder creation problems.
>
>
>
>
> Have you seen this?
>
> http://support.microsoft.com/kb/555046/en-us
>
>
>
> Also, make sure your "student admins" group is a security group and 
> not a distribution group.
>
>
>
> -Bonnie
>
>
>
>
> From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 9:52 AM
> To: NT System Admin Issues
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
>
>
> Okay, something just came up as a question...
>
> As the user who I want to have control, I am trying to manually set 
> the permissions... and the "add" button is greyed out. Somehow this 
> user doesn't have permissions.
>
> But I don't see how she doesn't: She's a member of the Student Admins 
> group, which has Full Control of the Share and the root of the share's
folder...
>
> I'm going to try to set her manually as full access. Why wouldn't the 
> Group propigate her permissions correctly? Arg!
>
> --Matt Ross
> 
>
>
> From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues 
> [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 09:38:40 -0800
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
> Just checked that...
>
> Everyone had "Change", while Administrators had "Full Control". I just 
> added the Student Admins to the list, and gave that group "Full Control"
as well.
>
> So, I'm testing this with her account... I logged off, logged back in 
> as her, tried to create an account again... Same thing: Can create the
accout.
> Try to set the profile and home path and it complains it can't create 
> the home folder (although it does) and does not set permissions 
> correctly on the folder.
>
> *stumped*
>
> --Matt Ross
> 
>
>
> From: Jon Harris [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues 
> [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 09:15:39 -0800
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
>
> Have you checked the Share rights?
>
>
>
>
>
> Jon
>
>
> On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]>
wrote:
>
>
>
> Greetings, List.
>
> I have delegated control of a part of Active Directory to a user in my 
> School District. She is trying to create students as they come in.
>
> When she creates the student, she enters user's name, username and 
> password and finishes making the account. Account creates 
> successfully.  Then she edits the user to set the Profile and Home 
> Folder path. After editing the path, she hits "OK" and the following error
appears:
>
> The \\Servername\Share\username home folder was not created because 
> you do not have create access on the server. The user account has been 
> updated with the new home folder value but you must create the 
> directory manually after obtaining the required access rights.
>
> What's interesting is that she _does_ have create access on the 
> server. She is part of a StudentAdmins group, which has full control 
> of the root of the share. Also, The user's folder was created by the 
> Active Directory Users and Computers plugin, but the permissions are not
set correctly.
>
> Any idea on why this doesn't just work as expected?
>
> --Matt Ross
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>



--
ME2

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

Re: Active Directory User and Home Folder creation problems. FIXED.

[Matthew W. Ross]

Full Control, or just Write?

Reason I ask it because Full Control includes the power to change permissions 
if the NTFS permissions allow it, correct? I want to avoid users from granting 
permissions of their own folders to other users.

Otherwise, yes. that would be simple.

--Matt Ross
  _  

From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 11:39:43 -0800
Subject: Re: Active Directory User and Home Folder creation problems. FIXED.

Moving forward, I would recommend that you keep your share permissions
  open to everyone full control, and apply your ACLs to NTFS.
  
  
  On Jan 25, 2008 1:53 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
  >
  > Thanks for the link to the KB. Most useful stuff.
  >
  > Student Admins was/is a security group.
  >
  > Whatever the problem, It's fixed now. I explicitly gave the user permissions
  > to the Share and Folder. That seemed to have fixed the problem.
  >
  > Thanks for all your help.
  >
  > --Matt Ross
  > 
  > From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
  > To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
  > Sent: Fri, 25 Jan 2008 10:24:56 -0800
  > Subject: RE: Active Directory User and Home Folder creation problems.
  >
  >
  >
  >
  > Have you seen this?
  >
  > http://support.microsoft.com/kb/555046/en-us
  >
  >
  >
  > Also, make sure your "student admins" group is a security group and not a
  > distribution group.
  >
  >
  >
  > -Bonnie
  >
  >
  >
  >
  > From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
  > Sent: Friday, January 25, 2008 9:52 AM
  > To: NT System Admin Issues
  > Subject: Re: Active Directory User and Home Folder creation problems.
  >
  >
  >
  >
  > Okay, something just came up as a question...
  >
  > As the user who I want to have control, I am trying to manually set the
  > permissions... and the "add" button is greyed out. Somehow this user doesn't
  > have permissions.
  >
  > But I don't see how she doesn't: She's a member of the Student Admins group,
  > which has Full Control of the Share and the root of the share's folder...
  >
  > I'm going to try to set her manually as full access. Why wouldn't the Group
  > propigate her permissions correctly? Arg!
  >
  > --Matt Ross
  > 
  >
  >
  > From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
  > To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
  > Sent: Fri, 25 Jan 2008 09:38:40 -0800
  > Subject: Re: Active Directory User and Home Folder creation problems.
  >
  >
  > Just checked that...
  >
  > Everyone had "Change", while Administrators had "Full Control". I just added
  > the Student Admins to the list, and gave that group "Full Control" as well.
  >
  > So, I'm testing this with her account... I logged off, logged back in as
  > her, tried to create an account again... Same thing: Can create the accout.
  > Try to set the profile and home path and it complains it can't create the
  > home folder (although it does) and does not set permissions correctly on the
  > folder.
  >
  > *stumped*
  >
  > --Matt Ross
  > 
  >
  >
  > From: Jon Harris [mailto:[EMAIL PROTECTED]
  > To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
  > Sent: Fri, 25 Jan 2008 09:15:39 -0800
  > Subject: Re: Active Directory User and Home Folder creation problems.
  >
  >
  >
  > Have you checked the Share rights?
  >
  >
  >
  >
  >
  > Jon
  >
  >
  > On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
  >
  >
  >
  > Greetings, List.
  >
  > I have delegated control of a part of Active Directory to a user in my
  > School District. She is trying to create students as they come in.
  >
  > When she creates the student, she enters user's name, username and password
  > and finishes making the account. Account creates successfully.  Then she
  > edits the user to set the Profile and Home Folder path. After editing the
  > path, she hits "OK" and the following error appears:
  >
  > The \\Servername\Share\username home folder was not created because you do
  > not have create access on the server. The user account has been updated with
  > the new home folder value but y

Re: Active Directory User and Home Folder creation problems. FIXED.

[Micheal Espinola Jr]

Moving forward, I would recommend that you keep your share permissions
open to everyone full control, and apply your ACLs to NTFS.


On Jan 25, 2008 1:53 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
>
> Thanks for the link to the KB. Most useful stuff.
>
> Student Admins was/is a security group.
>
> Whatever the problem, It's fixed now. I explicitly gave the user permissions
> to the Share and Folder. That seemed to have fixed the problem.
>
> Thanks for all your help.
>
> --Matt Ross
> 
> From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 10:24:56 -0800
> Subject: RE: Active Directory User and Home Folder creation problems.
>
>
>
>
> Have you seen this?
>
> http://support.microsoft.com/kb/555046/en-us
>
>
>
> Also, make sure your "student admins" group is a security group and not a
> distribution group.
>
>
>
> -Bonnie
>
>
>
>
> From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 9:52 AM
> To: NT System Admin Issues
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
>
>
> Okay, something just came up as a question...
>
> As the user who I want to have control, I am trying to manually set the
> permissions... and the "add" button is greyed out. Somehow this user doesn't
> have permissions.
>
> But I don't see how she doesn't: She's a member of the Student Admins group,
> which has Full Control of the Share and the root of the share's folder...
>
> I'm going to try to set her manually as full access. Why wouldn't the Group
> propigate her permissions correctly? Arg!
>
> --Matt Ross
> 
>
>
> From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 09:38:40 -0800
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
> Just checked that...
>
> Everyone had "Change", while Administrators had "Full Control". I just added
> the Student Admins to the list, and gave that group "Full Control" as well.
>
> So, I'm testing this with her account... I logged off, logged back in as
> her, tried to create an account again... Same thing: Can create the accout.
> Try to set the profile and home path and it complains it can't create the
> home folder (although it does) and does not set permissions correctly on the
> folder.
>
> *stumped*
>
> --Matt Ross
> 
>
>
> From: Jon Harris [mailto:[EMAIL PROTECTED]
> To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
> Sent: Fri, 25 Jan 2008 09:15:39 -0800
> Subject: Re: Active Directory User and Home Folder creation problems.
>
>
>
> Have you checked the Share rights?
>
>
>
>
>
> Jon
>
>
> On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:
>
>
>
> Greetings, List.
>
> I have delegated control of a part of Active Directory to a user in my
> School District. She is trying to create students as they come in.
>
> When she creates the student, she enters user's name, username and password
> and finishes making the account. Account creates successfully.  Then she
> edits the user to set the Profile and Home Folder path. After editing the
> path, she hits "OK" and the following error appears:
>
> The \\Servername\Share\username home folder was not created because you do
> not have create access on the server. The user account has been updated with
> the new home folder value but you must create the directory manually after
> obtaining the required access rights.
>
> What's interesting is that she _does_ have create access on the server. She
> is part of a StudentAdmins group, which has full control of the root of the
> share. Also, The user's folder was created by the Active Directory Users and
> Computers plugin, but the permissions are not set correctly.
>
> Any idea on why this doesn't just work as expected?
>
> --Matt Ross
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>



-- 
ME2

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Active Directory User and Home Folder creation problems.

[Joe Heaton]

You can go down that road, but as Tom and I said, the user account, the
one that the home folder is named after, has to have rights to the
directory structure.  The admin account is not creating the home
directory, the user account is...

 

Joe Heaton



From: Matthew W. Ross [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 9:52 AM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems.

 


Okay, something just came up as a question...

As the user who I want to have control, I am trying to manually set the
permissions... and the "add" button is greyed out. Somehow this user
doesn't have permissions.

But I don't see how she doesn't: She's a member of the Student Admins
group, which has Full Control of the Share and the root of the share's
folder...

I'm going to try to set her manually as full access. Why wouldn't the
Group propigate her permissions correctly? Arg!

--Matt Ross



From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues
[mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:38:40 -0800
Subject: Re: Active Directory User and Home Folder creation problems.


Just checked that...

Everyone had "Change", while Administrators had "Full Control". I just
added the Student Admins to the list, and gave that group "Full Control"
as well.

So, I'm testing this with her account... I logged off, logged back in as
her, tried to create an account again... Same thing: Can create the
accout. Try to set the profile and home path and it complains it can't
create the home folder (although it does) and does not set permissions
correctly on the folder.

*stumped*

--Matt Ross



From: Jon Harris [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues
[mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:15:39 -0800
Subject: Re: Active Directory User and Home Folder creation problems.



Have you checked the Share rights?

 

Jon

On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]>
wrote:


Greetings, List.

I have delegated control of a part of Active Directory to a user in my
School District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username and
password and finishes making the account. Account creates successfully.
Then she edits the user to set the Profile and Home Folder path. After
editing the path, she hits "OK" and the following error appears:

The \\Servername\Share\username home folder was not created because you
do not have create access on the server. The user account has been
updated with the new home folder value but you must create the directory
manually after obtaining the required access rights.

What's interesting is that she _does_ have create access on the server.
She is part of a StudentAdmins group, which has full control of the root
of the share. Also, The user's folder was created by the Active
Directory Users and Computers plugin, but the permissions are not set
correctly.

Any idea on why this doesn't just work as expected?

--Matt Ross






 


 






 


 






 


 

 





 


~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Active Directory User and Home Folder creation problems. FIXED.

[Matthew W. Ross]

Thanks for the link to the KB. Most useful stuff.

Student Admins was/is a security group.

Whatever the problem, It's fixed now. I explicitly gave the user permissions to 
the Share and Folder. That seemed to have fixed the problem.

Thanks for all your help.

--Matt Ross
  _  

From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 10:24:56 -0800
Subject: RE: Active Directory User and Home Folder creation problems.

  
  


Have you seen this?

http://support.microsoft.com/kb/555046/en-us

 

Also, make sure your “student admins” group is a  security group and not a 
distribution group.

 

-Bonnie

 



From: Matthew W. Ross  [mailto:[EMAIL PROTECTED] 
  Sent: Friday, January 25, 2008 9:52 AM
  To: NT System Admin Issues
  Subject: Re: Active Directory User and Home Folder creation problems. 
   

 


  Okay, something just came up as a question...
  
  As the user who I want to have control, I am trying to manually set the  
permissions... and the "add" button is greyed out. Somehow this user  doesn't 
have permissions.
  
  But I don't see how she doesn't: She's a member of the Student Admins group,  
which has Full Control of the Share and the root of the share's folder...
  
  I'm going to try to set her manually as full access. Why wouldn't the Group  
propigate her permissions correctly? Arg!
  
  --Matt Ross
  _  



From: Matthew W. Ross  [mailto:[EMAIL PROTECTED]
  To: NT System Admin Issues  [mailto:[EMAIL PROTECTED]
  Sent: Fri, 25 Jan 2008 09:38:40 -0800
  Subject: Re: Active Directory User and Home Folder creation problems.
  
  
  Just checked that...
  
  Everyone had "Change", while Administrators had "Full Control".  I just added 
the Student Admins to the list, and gave that group "Full  Control" as well.
  
  So, I'm testing this with her account... I logged off, logged back in as her, 
 tried to create an account again... Same thing: Can create the accout. Try to 
set  the profile and home path and it complains it can't create the home folder 
 (although it does) and does not set permissions correctly on the folder.
  
  *stumped*
  
  --Matt Ross
  _  



From: Jon Harris [mailto:[EMAIL PROTECTED]
  To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
  Sent: Fri, 25 Jan 2008 09:15:39 -0800
  Subject: Re: Active Directory User and Home Folder creation problems.
  
  


Have  you checked the Share rights?


 


Jon


On  Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:



  Greetings, List.
  
  I have delegated control of a part of Active Directory to a user in my School 
 District. She is trying to create students as they come in.
  
  When she creates the student, she enters user's name, username and password 
and  finishes making the account. Account creates successfully.  Then she edits 
 the user to set the Profile and Home Folder path. After editing the path, she  
hits "OK" and the following error appears:
  
  The \\Servername\Share\username home folder was not created because you do 
not  have create access on the server. The user account has been updated with 
the  new home folder value but you must create the directory manually after  
obtaining the required access rights.
  
  What's interesting is that she _does_ have create access on the server. She 
is  part of a StudentAdmins group, which has full control of the root of the 
share.  Also, The user's folder was created by the Active Directory Users and 
Computers  plugin, but the permissions are not set correctly.
  
  Any idea on why this doesn't just work as expected?
  
  --Matt Ross


  
  

 



 


  
  

 



 


  
  

 



 

 


  
  

 


  






  
~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Active Directory User and Home Folder creation problems.

[Louis, Joe]

This may help too
http://technet2.microsoft.com/windowsserver/en/library/75d63fcc-de6f-4fb9-80
36-2cfafb6c05971033.mspx?mfr=true
<http://technet2.microsoft.com/windowsserver/en/library/75d63fcc-de6f-4fb9-8
036-2cfafb6c05971033.mspx?mfr=true> 
 
 

  _  

From: Miller Bonnie L. [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 1:25 PM
To: NT System Admin Issues
Subject: RE: Active Directory User and Home Folder creation problems.




Have you seen this?

http://support.microsoft.com/kb/555046/en-us
<http://support.microsoft.com/kb/555046/en-us> 

 

Also, make sure your "student admins" group is a security group and not a
distribution group.

 

-Bonnie

 

From: Matthew W. Ross [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 9:52 AM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems.

 


Okay, something just came up as a question...

As the user who I want to have control, I am trying to manually set the
permissions... and the "add" button is greyed out. Somehow this user doesn't
have permissions.

But I don't see how she doesn't: She's a member of the Student Admins group,
which has Full Control of the Share and the root of the share's folder...

I'm going to try to set her manually as full access. Why wouldn't the Group
propigate her permissions correctly? Arg!

--Matt Ross

  _  

From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:38:40 -0800
Subject: Re: Active Directory User and Home Folder creation problems.


Just checked that...

Everyone had "Change", while Administrators had "Full Control". I just added
the Student Admins to the list, and gave that group "Full Control" as well.

So, I'm testing this with her account... I logged off, logged back in as
her, tried to create an account again... Same thing: Can create the accout.
Try to set the profile and home path and it complains it can't create the
home folder (although it does) and does not set permissions correctly on the
folder.

*stumped*

--Matt Ross

  _  

From: Jon Harris [mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com
<mailto:ntsysadmin@lyris.sunbelt-software.com> ]
Sent: Fri, 25 Jan 2008 09:15:39 -0800
Subject: Re: Active Directory User and Home Folder creation problems.



Have you checked the Share rights?

 

Jon

On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> > wrote:


Greetings, List.

I have delegated control of a part of Active Directory to a user in my
School District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username and password
and finishes making the account. Account creates successfully.  Then she
edits the user to set the Profile and Home Folder path. After editing the
path, she hits "OK" and the following error appears:

The \\Servername\Share\username home folder was not created because you do
not have create access on the server. The user account has been updated with
the new home folder value but you must create the directory manually after
obtaining the required access rights.

What's interesting is that she _does_ have create access on the server. She
is part of a StudentAdmins group, which has full control of the root of the
share. Also, The user's folder was created by the Active Directory Users and
Computers plugin, but the permissions are not set correctly.

Any idea on why this doesn't just work as expected?

--Matt Ross








 


 








 


 








 


 

 







 


















~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Active Directory User and Home Folder creation problems.

[Miller Bonnie L .]

Have you seen this?
http://support.microsoft.com/kb/555046/en-us

Also, make sure your "student admins" group is a security group and not a 
distribution group.

-Bonnie

From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 9:52 AM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems.


Okay, something just came up as a question...

As the user who I want to have control, I am trying to manually set the 
permissions... and the "add" button is greyed out. Somehow this user doesn't 
have permissions.

But I don't see how she doesn't: She's a member of the Student Admins group, 
which has Full Control of the Share and the root of the share's folder...

I'm going to try to set her manually as full access. Why wouldn't the Group 
propigate her permissions correctly? Arg!

--Matt Ross

From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:38:40 -0800
Subject: Re: Active Directory User and Home Folder creation problems.


Just checked that...

Everyone had "Change", while Administrators had "Full Control". I just added 
the Student Admins to the list, and gave that group "Full Control" as well.

So, I'm testing this with her account... I logged off, logged back in as her, 
tried to create an account again... Same thing: Can create the accout. Try to 
set the profile and home path and it complains it can't create the home folder 
(although it does) and does not set permissions correctly on the folder.

*stumped*

--Matt Ross

From: Jon Harris [mailto:[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>]
To: NT System Admin Issues 
[mailto:ntsysadmin@lyris.sunbelt-software.com<mailto:ntsysadmin@lyris.sunbelt-software.com>]
Sent: Fri, 25 Jan 2008 09:15:39 -0800
Subject: Re: Active Directory User and Home Folder creation problems.

Have you checked the Share rights?

Jon
On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]<mailto:[EMAIL 
PROTECTED]>> wrote:

Greetings, List.

I have delegated control of a part of Active Directory to a user in my School 
District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username and password and 
finishes making the account. Account creates successfully.  Then she edits the 
user to set the Profile and Home Folder path. After editing the path, she hits 
"OK" and the following error appears:

The \\Servername\Share\username home folder was not created because you do not 
have create access on the server. The user account has been updated with the 
new home folder value but you must create the directory manually after 
obtaining the required access rights.

What's interesting is that she _does_ have create access on the server. She is 
part of a StudentAdmins group, which has full control of the root of the share. 
Also, The user's folder was created by the Active Directory Users and Computers 
plugin, but the permissions are not set correctly.

Any idea on why this doesn't just work as expected?

--Matt Ross










































~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

Re: Active Directory User and Home Folder creation problems.

[Matthew W. Ross]

Okay, something just came up as a question...

As the user who I want to have control, I am trying to manually set the 
permissions... and the "add" button is greyed out. Somehow this user doesn't 
have permissions.

But I don't see how she doesn't: She's a member of the Student Admins group, 
which has Full Control of the Share and the root of the share's folder...

I'm going to try to set her manually as full access. Why wouldn't the Group 
propigate her permissions correctly? Arg!

--Matt Ross
  _  

From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:38:40 -0800
Subject: Re: Active Directory User and Home Folder creation problems.


Just checked that...

Everyone had "Change", while Administrators had "Full Control". I just added 
the Student Admins to the list, and gave that group "Full Control" as well.

So, I'm testing this with her account... I logged off, logged back in as her, 
tried to create an account again... Same thing: Can create the accout. Try to 
set the profile and home path and it complains it can't create the home folder 
(although it does) and does not set permissions correctly on the folder.

*stumped*

--Matt Ross
  _  

From: Jon Harris [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:15:39 -0800
Subject: Re: Active Directory User and Home Folder creation problems.

  

Have you checked the Share rights?  
   
Jon

  
On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:


Greetings, List.

I have delegated control of a part of Active Directory to a user in my School 
District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username and password and 
finishes making the account. Account creates successfully.  Then she edits the 
user to set the Profile and Home Folder path. After editing the path, she hits 
"OK" and the following error appears:
  
The \\Servername\Share\username home folder was not created because you do not 
have create access on the server. The user account has been updated with the 
new home folder value but you must create the directory manually after 
obtaining the required access rights.
  
What's interesting is that she _does_ have create access on the server. She is 
part of a StudentAdmins group, which has full control of the root of the share. 
Also, The user's folder was created by the Active Directory Users and Computers 
plugin, but the permissions are not set correctly.
  
Any idea on why this doesn't just work as expected?

--Matt Ross

  

  






  














  







~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Active Directory User and Home Folder creation problems.

[Christopher Boggs]

So, you've checked NTFS and Share permissions...  You said she has full
control at the root of the share, have you checked down at the folder
level that the home directory is being created at?  Could be a
propagation issue.. do you have any security auditing setup on the
server that the directories are being created on?  If so, I would check
the Security log

 

To troubleshoot, you could try giving her account permissions
specifically on the share and file system, see if that works?

 

 



From: Matthew W. Ross [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 11:39 AM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems.

 


Just checked that...

Everyone had "Change", while Administrators had "Full Control". I just
added the Student Admins to the list, and gave that group "Full Control"
as well.

So, I'm testing this with her account... I logged off, logged back in as
her, tried to create an account again... Same thing: Can create the
accout. Try to set the profile and home path and it complains it can't
create the home folder (although it does) and does not set permissions
correctly on the folder.

*stumped*

--Matt Ross



From: Jon Harris [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues
[mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:15:39 -0800
Subject: Re: Active Directory User and Home Folder creation problems.



Have you checked the Share rights?

 

Jon

On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]>
wrote:


Greetings, List.

I have delegated control of a part of Active Directory to a user in my
School District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username and
password and finishes making the account. Account creates successfully.
Then she edits the user to set the Profile and Home Folder path. After
editing the path, she hits "OK" and the following error appears:

The \\Servername\Share\username home folder was not created because you
do not have create access on the server. The user account has been
updated with the new home folder value but you must create the directory
manually after obtaining the required access rights.

What's interesting is that she _does_ have create access on the server.
She is part of a StudentAdmins group, which has full control of the root
of the share. Also, The user's folder was created by the Active
Directory Users and Computers plugin, but the permissions are not set
correctly.

Any idea on why this doesn't just work as expected?

--Matt Ross






 


 






 


 

 





 


~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Active Directory User and Home Folder creation problems.

[Joe Heaton]

It's not the admin account that has to have the rights.  It's the user
account.  I hate share permissions...

 

Joe Heaton



From: Matthew W. Ross [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 9:39 AM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems.

 


Just checked that...

Everyone had "Change", while Administrators had "Full Control". I just
added the Student Admins to the list, and gave that group "Full Control"
as well.

So, I'm testing this with her account... I logged off, logged back in as
her, tried to create an account again... Same thing: Can create the
accout. Try to set the profile and home path and it complains it can't
create the home folder (although it does) and does not set permissions
correctly on the folder.

*stumped*

--Matt Ross



From: Jon Harris [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues
[mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:15:39 -0800
Subject: Re: Active Directory User and Home Folder creation problems.



Have you checked the Share rights?

 

Jon

On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]>
wrote:


Greetings, List.

I have delegated control of a part of Active Directory to a user in my
School District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username and
password and finishes making the account. Account creates successfully.
Then she edits the user to set the Profile and Home Folder path. After
editing the path, she hits "OK" and the following error appears:

The \\Servername\Share\username home folder was not created because you
do not have create access on the server. The user account has been
updated with the new home folder value but you must create the directory
manually after obtaining the required access rights.

What's interesting is that she _does_ have create access on the server.
She is part of a StudentAdmins group, which has full control of the root
of the share. Also, The user's folder was created by the Active
Directory Users and Computers plugin, but the permissions are not set
correctly.

Any idea on why this doesn't just work as expected?

--Matt Ross






 


 






 


 

 





 


~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Active Directory User and Home Folder creation problems.

[Tom Strader]

User must have write access to the directory.



From: Jon Harris [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 12:16 PM
To: NT System Admin Issues
Subject: Re: Active Directory User and Home Folder creation problems.



Have you checked the Share rights?
 
Jon


On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]>
wrote:



Greetings, List.

I have delegated control of a part of Active Directory to a user
in my School District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username
and password and finishes making the account. Account creates
successfully.  Then she edits the user to set the Profile and Home
Folder path. After editing the path, she hits "OK" and the following
error appears:

The \\Servername\Share\username home folder was not created
because you do not have create access on the server. The user account
has been updated with the new home folder value but you must create the
directory manually after obtaining the required access rights.

What's interesting is that she _does_ have create access on the
server. She is part of a StudentAdmins group, which has full control of
the root of the share. Also, The user's folder was created by the Active
Directory Users and Computers plugin, but the permissions are not set
correctly.

Any idea on why this doesn't just work as expected?

--Matt Ross























~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

Re: Active Directory User and Home Folder creation problems.

[Matthew W. Ross]

Just checked that...

Everyone had "Change", while Administrators had "Full Control". I just added 
the Student Admins to the list, and gave that group "Full Control" as well.

So, I'm testing this with her account... I logged off, logged back in as her, 
tried to create an account again... Same thing: Can create the accout. Try to 
set the profile and home path and it complains it can't create the home folder 
(although it does) and does not set permissions correctly on the folder.

*stumped*

--Matt Ross
  _  

From: Jon Harris [mailto:[EMAIL PROTECTED]
To: NT System Admin Issues [mailto:[EMAIL PROTECTED]
Sent: Fri, 25 Jan 2008 09:15:39 -0800
Subject: Re: Active Directory User and Home Folder creation problems.

  

Have you checked the Share rights?  
   
Jon

  
On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:


Greetings, List.

I have delegated control of a part of Active Directory to a user in my School 
District. She is trying to create students as they come in.

When she creates the student, she enters user's name, username and password and 
finishes making the account. Account creates successfully.  Then she edits the 
user to set the Profile and Home Folder path. After editing the path, she hits 
"OK" and the following error appears:
  
The \\Servername\Share\username home folder was not created because you do not 
have create access on the server. The user account has been updated with the 
new home folder value but you must create the directory manually after 
obtaining the required access rights.
  
What's interesting is that she _does_ have create access on the server. She is 
part of a StudentAdmins group, which has full control of the root of the share. 
Also, The user's folder was created by the Active Directory Users and Computers 
plugin, but the permissions are not set correctly.
  
Any idea on why this doesn't just work as expected?

--Matt Ross

  

  






  














~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

Re: Active Directory User and Home Folder creation problems.

[Jon Harris]

Have you checked the Share rights?

Jon

On Jan 25, 2008 12:07 PM, Matthew W. Ross <[EMAIL PROTECTED]> wrote:

>
> Greetings, List.
>
> I have delegated control of a part of Active Directory to a user in my
> School District. She is trying to create students as they come in.
>
> When she creates the student, she enters user's name, username and
> password and finishes making the account. Account creates successfully.
> Then she edits the user to set the Profile and Home Folder path. After
> editing the path, she hits "OK" and the following error appears:
>
> The \\Servername\Share\username home folder was not created because you do
> not have create access on the server. The user account has been updated with
> the new home folder value but you must create the directory manually after
> obtaining the required access rights.
>
> What's interesting is that she _does_ have create access on the server.
> She is part of a StudentAdmins group, which has full control of the root of
> the share. Also, The user's folder was created by the Active Directory Users
> and Computers plugin, but the permissions are not set correctly.
>
> Any idea on why this doesn't just work as expected?
>
> --Matt Ross
>
>
>
>
>

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~

RE: Active Directory Installation and Removal

[Mier, Juan]

Title: Message



Just 
like the error message says, DNS is always the first thing to look at with AD 
problems.  Is it configured correctly?

  -Original Message-From: A. G. Choudhry 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, August 29, 2001 6:30 
  AMTo: NT System Admin IssuesSubject: Active Directory 
  Installation and Removal
  
   
  Hi,
  I have a very basic problem.  It may be very simple But I am missing some thing. When I want to add second 
  controller in  
  a domain I get the error message that “Assess denied You have no 
  permission to change account of the “compuername$”. 
  A dialog box of new user name and password is opened. I tried all possible 
  accounts but without success. I am tha local and 
  domain administrator of these machines and 
domain.
  Just for test purpose I tried to add the same server 
  as sub/child domain, and it was successful.
  But when I tried to remove that sub domain I get reply ”Active Directory Installation failed The 
  operation failed to replicate off the changes made locally. The DSA operation 
  is unable to proceed because DNS lookup failure”
  Any Help
  Bilal
   http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
  DO NOT read, copy or disseminate this communication 
  unless you are the intended addressee. This e-mail communication contains 
  confidential and/or privileged information intended only for the addressee. If 
  you have received this communication in error, please call us immediately at 
  (907) 561-1250 and ask to speak to the sender of the communication. Also, 
  please e-mail the sender and notify the sender immediately that you have 
  received the communication in error.
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Andrew J. Lund]

Joe is correct.  listen to Joe.

Ibby, i just realized that i didn't tell you what machine to make those
changes on.  The property pages i mentioned below are on the Win 98
machines.  but you probably figured that out... just want to make sure
you don't go looking for those on your DC.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Joe Casale [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 9:04 AM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


By default in a domain, the pdc should win the election. Unfortunately,
Windoze98 thinks it's the man, and in my experience wins the election
more often then not(I hate win9x). Check you event logs on the dc, see
if it was forced into an election, and lost.
jlc

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, August 21, 2001 10:02 AM
To: NT System Admin Issues
Subject: RE: Active Directory Problem

i haven't had a win 98 in my possession in so long so i'm just going to
guess where i think it might be...
Go to the property pages of TCP/IP on your LAN settings and there should
be a page where there is a pull down menu that shows browse functions.
"Act as master browser", or some related syntax, is chosen by default on
the machines i was working with.  choose "Never" for browsing functions.
that way the Win 98 machines will never win the browse election process.
reboot those machines that were changed.

sorry for the vagueness.  it's been a while.  contact me directly if you
need further help.  the actual screens escape me.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 8:34 AM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


Can you elaborate how to do this please.

Thanks
Ibby

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 5:11 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


since you have Win 98 machines floating around, i would check to make
sure they are not acting as master browsers when the server is rebooted
or down.
i'm telling you this from the exact same experience i had.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 11:00 AM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Bunting, Jeff]

It is in the Properties of File & Print sharing which is under Network,
listed along with the protocols and adapters.

Jeff

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 12:02 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


i haven't had a win 98 in my possession in so long so i'm just going to
guess where i think it might be...
Go to the property pages of TCP/IP on your LAN settings and there should
be a page where there is a pull down menu that shows browse functions.
"Act as master browser", or some related syntax, is chosen by default on
the machines i was working with.  choose "Never" for browsing functions.
that way the Win 98 machines will never win the browse election process.
reboot those machines that were changed.

sorry for the vagueness.  it's been a while.  contact me directly if you
need further help.  the actual screens escape me.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 8:34 AM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


Can you elaborate how to do this please.

Thanks
Ibby

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 5:11 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


since you have Win 98 machines floating around, i would check to make
sure they are not acting as master browsers when the server is rebooted
or down.
i'm telling you this from the exact same experience i had.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 11:00 AM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Joe Casale]

By default in a domain, the pdc should win the election. Unfortunately,
Windoze98 thinks it's the man, and in my experience wins the election
more often then not(I hate win9x). Check you event logs on the dc, see
if it was forced into an election, and lost.
jlc

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, August 21, 2001 10:02 AM
To: NT System Admin Issues
Subject: RE: Active Directory Problem

i haven't had a win 98 in my possession in so long so i'm just going to
guess where i think it might be...
Go to the property pages of TCP/IP on your LAN settings and there should
be a page where there is a pull down menu that shows browse functions.
"Act as master browser", or some related syntax, is chosen by default on
the machines i was working with.  choose "Never" for browsing functions.
that way the Win 98 machines will never win the browse election process.
reboot those machines that were changed.

sorry for the vagueness.  it's been a while.  contact me directly if you
need further help.  the actual screens escape me.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 8:34 AM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


Can you elaborate how to do this please.

Thanks
Ibby

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 5:11 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


since you have Win 98 machines floating around, i would check to make
sure they are not acting as master browsers when the server is rebooted
or down.
i'm telling you this from the exact same experience i had.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 11:00 AM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Andrew J. Lund]

i haven't had a win 98 in my possession in so long so i'm just going to
guess where i think it might be...
Go to the property pages of TCP/IP on your LAN settings and there should
be a page where there is a pull down menu that shows browse functions.
"Act as master browser", or some related syntax, is chosen by default on
the machines i was working with.  choose "Never" for browsing functions.
that way the Win 98 machines will never win the browse election process.
reboot those machines that were changed.

sorry for the vagueness.  it's been a while.  contact me directly if you
need further help.  the actual screens escape me.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 8:34 AM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


Can you elaborate how to do this please.

Thanks
Ibby

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 5:11 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


since you have Win 98 machines floating around, i would check to make
sure they are not acting as master browsers when the server is rebooted
or down.
i'm telling you this from the exact same experience i had.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 11:00 AM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Ibby El-Raheb]

Can you elaborate how to do this please.

Thanks
Ibby

-Original Message-
From: Andrew J. Lund [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 5:11 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


since you have Win 98 machines floating around, i would check to make
sure they are not acting as master browsers when the server is rebooted
or down.
i'm telling you this from the exact same experience i had.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 11:00 AM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Ibby El-Raheb]

I am able to restart the server and logon as "administrator", every time I
try do something that needs to address the Domain I get errors. I only have
the one server. So it appears that the server does know that it is hosting
the domain. Please forgive my simplistic interpretation of what is
happening.

Ibby

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:54 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


Before that I would check to see if your Account is Locked OUT.  I have
seen this error when mine gets locked out.

Jeremiah

-Original Message-
From: Howard.Steinberg [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:37 PM
To: ntsysadmin
Subject: RE: Active Directory Problem


I would start by checking your DNS server.

¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸

Howard Steinberg, MCSE
LAN Administrator
Zepf Inc., Clearwater, FL
[EMAIL PROTECTED]

Click here for the Top TEN reasons you should have quick-change
container
handling parts for all your packaging machines!
http://www.zepf.com/zepf/chngprts.htm



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:00 PM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Ibby El-Raheb]

I do have DNS problem. Here is what the system log says:

"The DNS proxy agent was unable to bind to the IP address 192.168.0.1.
This error may indicate a problem with TCP/IP networking. The data is
the error code."

The Data (Bytes) is 1d 27 00 00 (word) 271d

Any ideas?

Thanks


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:37 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem


I would start by checking your DNS server.

¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸

Howard Steinberg, MCSE
LAN Administrator
Zepf Inc., Clearwater, FL
[EMAIL PROTECTED]

Click here for the Top TEN reasons you should have quick-change container
handling parts for all your packaging machines!
http://www.zepf.com/zepf/chngprts.htm



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:00 PM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and one
for cable modem that is shared. A bunch of WIN98 clients. Things have been
running smooth for a while and all of a sudden none of the clients can be
authenticated through the server. When I try to go into manage user accounts
I get the following message: "Naming information cannot be located because:
The specified domain either does not exist or cannot be contacted. Contact
your system administrator to verify that your domain is properly configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory

[Spencer Kent]

.. I agree. Look closely at this white paper. Kent

http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dns04_integ_adnspace_with_nameoverlap.asp

--- Benjamin Winzenz <[EMAIL PROTECTED]>
wrote:
> You know, you REALLY should use AD DDNS.  Your
> active directory will be much
> happier.  If you can't, I would start looking at
> DNS, as that is bound to be
> where your problems are.  I wonder if the correct
> entries ever made it into
> DNS for the first DC?  I don't have the article
> handy, but here are a LOT of
> entries required and if they aren't there, you ain't
> doing JACK.  And
> SERIOUSLY consider using DDNS with W2K.
>  
> Ben Winzenz, MCSE
> Network/Systems Administrator
> Peregrine Systems, Inc.
>  
> -Original Message-
> From: Martijn Eindhoven
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 21, 2001 3:35 AM
> To: NT System Admin Issues
> Subject: Active Directory
>  
> Hey guys,
> 
> following question we're using an active directory
> single controller. Now I
> want to add a second domain and here comes the
> trouble.
> I didnt install the first one but still. Where using
> linux dns server. So i
> cant do shit in dns from the first computer. When
> i'm working with the
> second it cannot find the first domain controller.
> Any advice appreciated.
> Some documentation about active directory and
> deployment would be nice to. 
> 
> 
> 
> Met vriendelijke groet,
> 
> 
> M. Eindhoven
> NT System Administrator
> Bevelander Internet Services B.V. 
> Folkstoneweg 10 
> 1118 LM SCHIPHOL Zuidoost 
> Tel : 020 40 53 900 
> Fax : 020 40 53 910 
> http://www.bevelander.nl 
> 
> = 
> This communication contains information which is
> confidential and 
> may also be privileged. It is for the exclusive use
> of the 
> intended recipient(s). If you are not the intended
> recipient(s), 
> please note that any distribution, copying or use of
> this 
> communication or the information in it is strictly
> prohibited. 
> If you have received this communication in error,
> please notify 
> the sender immediately and then destroy any copies
> of it. 
> =
>
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> 
>
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> 


__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

Re: Active Directory

[Spencer Kent]

http://www.microsoft.com/windows2000/technologies/directory/AD/default.asp

.. Why can't you do anything with the first DC? Is
   Linux not running a compatible DNS/BIND version?
Kent
 
--- Martijn Eindhoven <[EMAIL PROTECTED]>
wrote:
> Hey guys,
> 
> following question we're using an active directory
> single controller. Now I 
> want to add a second domain and here comes the
> trouble.
> I didnt install the first one but still. Where using
> linux dns server. So i 
> cant do shit in dns from the first computer. When
> i'm working with the 
> second it cannot find the first domain controller.
> Any advice appreciated. 
> Some documentation about active directory and
> deployment would be nice to.
> 
> 
> Met vriendelijke groet,
> 
> 
> M. Eindhoven
> NT System Administrator
> Bevelander Internet Services B.V.
> Folkstoneweg 10
> 1118 LM SCHIPHOL Zuidoost
> Tel : 020 40 53 900
> Fax : 020 40 53 910
> http://www.bevelander.nl
> =
> This communication contains information which is
> confidential and
> may also be privileged. It is for the exclusive use
> of the
> intended recipient(s). If you are not the intended
> recipient(s),
> please note that any distribution, copying or use of
> this
> communication or the information in it is strictly
> prohibited.
> If you have received this communication in error,
> please notify
> the sender immediately and then destroy any copies
> of it.
> =
> 
> 
>
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> 


__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory

[Benjamin Winzenz]

You know,
you REALLY should use AD DDNS.  Your
active directory will be much happier. 
If you can’t, I would start looking at DNS, as that is bound to be where
your problems are.  I wonder if the
correct entries ever made it into DNS for the first DC?  I don’t have the article handy, but here
are a LOT of entries required and if they aren’t there, you ain’t doing
JACK.  And SERIOUSLY consider using
DDNS with W2K.

 

Ben
Winzenz, MCSE

Network/Systems
Administrator

Peregrine
Systems, Inc.

 

-Original
Message-
From: Martijn Eindhoven
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001
3:35 AM
To: NT System Admin Issues
Subject: Active Directory

 

Hey guys,

following question we're using an active directory single controller. Now I
want to add a second domain and here comes the trouble.
I didnt install the first one but still. Where using linux dns server. So i
cant do shit in dns from the first computer. When i'm working with the second
it cannot find the first domain controller. Any advice appreciated. Some
documentation about active directory and deployment would be nice to. 






Met
vriendelijke groet,


M. Eindhoven
NT System Administrator
Bevelander Internet Services B.V. 
Folkstoneweg 10 
1118 LM SCHIPHOL Zuidoost 
Tel : 020 40 53 900 
Fax : 020 40 53 910 
http://www.bevelander.nl
=

This communication contains information which is confidential and 
may also be privileged. It is for the exclusive use of the 
intended recipient(s). If you are not the intended recipient(s), 
please note that any distribution, copying or use of this 
communication or the information in it is strictly prohibited. 
If you have received this communication in error, please notify 
the sender immediately and then destroy any copies of it. 
=
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm




http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Andrew J. Lund]

since you have Win 98 machines floating around, i would check to make
sure they are not acting as master browsers when the server is rebooted
or down.
i'm telling you this from the exact same experience i had.
good luck.
andy


Andrew J. Lund, MCSE
Systems Manager
IEA - San Francisco



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 11:00 AM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Joe Casale]

No doubt, more then one nic on diff subnets w/ ics or blocked ports get
tricky on a dc. You probably did that all on one machine because of
budget constraints, but that is not an "ideal" setup so to speak. I am
betting its DNS issues as well!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, August 20, 2001 12:37 PM
To: NT System Admin Issues
Subject: RE: Active Directory Problem

I would start by checking your DNS server.

¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸

Howard Steinberg, MCSE
LAN Administrator
Zepf Inc., Clearwater, FL
[EMAIL PROTECTED]

Click here for the Top TEN reasons you should have quick-change
container
handling parts for all your packaging machines!
http://www.zepf.com/zepf/chngprts.htm



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:00 PM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and
one
for cable modem that is shared. A bunch of WIN98 clients. Things have
been
running smooth for a while and all of a sudden none of the clients can
be
authenticated through the server. When I try to go into manage user
accounts
I get the following message: "Naming information cannot be located
because:
The specified domain either does not exist or cannot be contacted.
Contact
your system administrator to verify that your domain is properly
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[jwatson]

Before that I would check to see if your Account is Locked OUT.  I have 
seen this error when mine gets locked out.

Jeremiah

-Original Message-
From: Howard.Steinberg [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:37 PM
To: ntsysadmin
Subject: RE: Active Directory Problem


I would start by checking your DNS server.

¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸

Howard Steinberg, MCSE
LAN Administrator
Zepf Inc., Clearwater, FL
[EMAIL PROTECTED]

Click here for the Top TEN reasons you should have quick-change 
container
handling parts for all your packaging machines!
http://www.zepf.com/zepf/chngprts.htm



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:00 PM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and 
one
for cable modem that is shared. A bunch of WIN98 clients. Things have 
been
running smooth for a while and all of a sudden none of the clients can 
be
authenticated through the server. When I try to go into manage user 
accounts
I get the following message: "Naming information cannot be located 
because:
The specified domain either does not exist or cannot be contacted. 
Contact
your system administrator to verify that your domain is properly 
configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell 
whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Active Directory Problem

[Howard . Steinberg]

I would start by checking your DNS server.

¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸

Howard Steinberg, MCSE
LAN Administrator
Zepf Inc., Clearwater, FL
[EMAIL PROTECTED]

Click here for the Top TEN reasons you should have quick-change container
handling parts for all your packaging machines!
http://www.zepf.com/zepf/chngprts.htm



-Original Message-
From: Ibby El-Raheb [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:00 PM
To: NT System Admin Issues
Subject: Active Directory Problem


I have a small network: W2K Server SP2 with 2 NICs one for internal and one
for cable modem that is shared. A bunch of WIN98 clients. Things have been
running smooth for a while and all of a sudden none of the clients can be
authenticated through the server. When I try to go into manage user accounts
I get the following message: "Naming information cannot be located because:
The specified domain either does not exist or cannot be contacted. Contact
your system administrator to verify that your domain is properly configured
and is currently online." Well ladies and gentlemen I am the so called
system administrator and I have no clue what to do. Please help me.

Thanks
Ibby
wannabe sys admin.

You can tell whether a man is clever by his answers. You can tell whether a
man is wise by his questions.   Naguib Mahfouz



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm