RE: [ActiveDir] User rights on Domain computers and security issues

2003-03-07 Thread Andries Thijssen
Users must be able to install whatever nefarious software they want, but you still want a secure network? I think those goals are mutually exclusive, especially if you factor in a reasonable amount of social engineering. For software installations requiring admin access, you could try to

[ActiveDir] Domain Names and Netbios

2003-03-07 Thread Alex Kulev
Hello, I've got a question on domain naming. 1. Can domains of one forest have equal display name (Netbios)? Example: we have forest: fst.local We also have two subdomains: child.fst.local and child.child.fst.local In that case two different domains have identical display names - child. This

RE: [ActiveDir] Windows 2000 schema extension

2003-03-07 Thread Roger Seielstad
There's no harm in doing forestprep and indicating that you'll join the existing Exchange org, then not going any further. There's no reason that the ADC has to be run - I've run this forest for over a year without the ADC ever being run. In fact, from what I've seen, the ADC should be used for

RE: [ActiveDir] User rights on Domain computers and security issues

2003-03-07 Thread Greg Felzer
We have to balance the needs of our users and the need to provide a secure network. The major applications (300+) we package and distribute on an as-needed basis to our users. The problem is the applications that 10 users want to install. We do not want to deploy very minor software

RE: [ActiveDir] OT: LDAP or DNS Service for Sun Servers

2003-03-07 Thread Roger Seielstad
Set it to use DNS. You can use LDAP for authentication, but it won't really help with general name resolution in a Windows environment. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -Original Message-

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Scoles, Damian
Casey, Have you had a chance to look into this? If so, any results yet? Thanks. Damian Scoles Senior Technical Analyst MCSE+I, CCNP -Original Message- From: Friese, Casey [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 04, 2003 12:38 PM To: [EMAIL

RE: [ActiveDir] Domain Names and Netbios

2003-03-07 Thread Rick Kingslan
Is this hypothetical, or are you saying that this is in place and operating, though problematic? The reason I ask, is because this won't (shouldn't!) work. Firstly, let me say that you're talking about two different naming schemes - the DNS name or FQDN and the NetBIOS name. A domain or machine

[ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Perhaps someone here might know: Is there any machine attribute or registry value that can be queried to differentiate workstations and laptops on a domain? We have a circumstance that requires laptops to be addressed differently from workstations,

RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread PERRIN Martial (EURIWARE)
You can do this with segmentation on a DHCP network. Martial -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Date: Friday, 7 March 2003 16:04 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Identifying laptops on domain Perhaps someone here might know:

RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread AEdwards
I don't know how they do it, but look into ScriptLogic (www.scriptlogic.com) - it has passed our trials with flying colors, and we are about to purchase it. It will differentiate between things in multiple ways. (It is not too expensive either)

RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Existing IP scheme is static, and that's not viable to change at this time. -Original Message- From: PERRIN Martial (EURIWARE) [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 8:16 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Identifying laptops on domain You can do

RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Brown, Bill [contractor]
We employ a standardized machine naming convention whereby a laptop is given the name User-LT and this makes it a very simple process to break them out. R/Bill -Original Message- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 10:32 AM To:

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Friese, Casey
Damian, I'm contacting HP today with regards to our switches because I'm finding tons of CRC errors on them and my Networking team isn't sure why. I will update everyone with the results. Thanks, Casey -Original Message- From: Scoles, Damian [mailto:[EMAIL

RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Bill, we are moving to that already, and if I can figure out how to differentiate the chassis type I can write scripts to automate the process instead of relying on attrition or a massive helpdesk effort to rename every pc and laptop. Catch-22. -Original Message- From: Brown,

RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Bjelke John A Contr AFRL/VSIO
Folks, I just found this: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_cpm_btnz.asp (watch the word wrap)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis

RE: [ActiveDir] OT: Identifying laptops on domain

2003-03-07 Thread Weston Rogers
We use machine naming conventions to distinguish laptops [airport code of city][branch location id][computer role,Workstation,laptop..etc][date built] Also we've got a database with every piece of hardware so we know.. Wes -Original Message- From: Bjelke John A Contr AFRL/VSIO

Réf. : RE: [ActiveDir] Domain Names and Netbios

2003-03-07 Thread Frederic_Agnes
Hello, When you execute DCPromo to create the domain, the FSMO Domain Naming Master will check that DNS Name AND NetBIOS name are unique. If the NetBIOS name is already registered, it will ask you for a different name. So you can create the first child domain with the name Child, but for the second

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Hutchins, Mike
fabulous networking team... -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 10:15 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] AD Design Guidance That's a port speed and/or duplex mismatch. Set both the

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Friese, Casey
Exactly Mike. It's a joy inheriting a mess. -Original Message- From: Hutchins, Mike [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 12:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Design Guidance fabulous networking team...

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Roger Seielstad
Trust me. Shutting up an adversarial network team is even more fun. They'll start to listen to you once they see you're not half baked. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc.

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Friese, Casey
Roger, The problem is appearing with the fiber modules in the switch and it's not just CRC errors. I apologize for misinforming everyone. The majority of the errors are excessive late collision errors Late collisions (collisions detected after transmitting ~64 bytes) were

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Roger Seielstad
You must not have worked with a network team who thinks their stuff never breaks. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. -Original Message- From: Scoles, Damian

[ActiveDir] Remove a Local Security Template

2003-03-07 Thread Shawn.Hayes
Does anyone know of a way to remove a Local Security Template and return the box to Gold? (W2K server) Shawn Hayes, MCSE Network Engineer Compass Technology Management Sound Business Sense for IT www.compass.net 757.226.3328

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Thommes, Michael M.
Based on the recent discussions about networking problems, I would like to reiterate a posting I made a few days ago: All: You might be interested in a network performance tester that one of our staff members put together. It has come in handy plenty of times when trying to

RE: [ActiveDir] Remove a Local Security Template

2003-03-07 Thread Rick Kingslan
Shawn, It depends. What it depends on is what has changed and HOW was it changed. Typically, one can re-apply the Setup Security template. But, this won't work completely if changes have been made that this template cannot affect (e.g. Registry settings or permissions, NTFS

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Michael O'Toole
A certain un-named company's (don't want their lawyers on my doorstep) teamed NIC's have a problem in that they show one setting in the GUI applet and the registry is what the NIC driver uses. You can set 100/Full in the GUI and it will be HALF on the wire. Worth looking into

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Rick Kingslan
They'll start to listen to you once they see you're not half baked Not if they are the arrogant pricks I work with ;-) No way to shut them up. They have upper management absolutely snowed. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate

Re: [ActiveDir] Remove a Local Security Template

2003-03-07 Thread John Hicks/MIS/HQ/KEMET/US
You can delete the security.sdb file out of \\Winnt\security\database directory. You then run secedit /refreshpolicy {policy type}. We had good luck using this on Win2000 workstations to flush a local policy that had been created on them. [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED]

RE: [ActiveDir] AD Design Guidance

2003-03-07 Thread Scoles, Damian
Michael, We have similar issues with some of our servers and Windows 2000 that do the exact same thing. I know which manufacturer you're referring to. Damian Scoles Senior Technical Analyst MCSE+I, CCNP -Original Message- From: Michael O'Toole [mailto:[EMAIL

RE: [ActiveDir] Remove a Local Security Template

2003-03-07 Thread Thommes, Michael M.
Just finishing up on a similar problem with Microsoft, I found that it is critical to also remove/rename any ".log" files in \\winnt\security\logs\ . Mike Thommes Argonne National Laboratory -Original Message- From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED] Sent:

RE: [ActiveDir] Remove a Local Security Template

2003-03-07 Thread Shawn.Hayes
What about the registry changes the original template applied? I don't think this would get it Thanks though -Original Message- From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 3:26 PM To: [EMAIL PROTECTED] Subject:

RE: [ActiveDir] Remove a Local Security Template

2003-03-07 Thread John Hicks/MIS/HQ/KEMET/US
This will flush out the policy completely, to the best of my knowledge. For the most part all the GPO settings are nothing more than registry changes to begin with, so clearing them out should return the machine to the state it was in before the policy was applied. This was my experience with

[ActiveDir] Flexible permissions to modify user objects?

2003-03-07 Thread Brian Jarrett
First a little background... I work at a school district and am building web pages to browse AD and add/modify information for user objects. I want this so the Payroll and HR people can add new employees to the Employees OU, staff at each school can add students to the appropriate school OU,

RE: [ActiveDir] Flexible permissions to modify user objects?

2003-03-07 Thread Gil Kirkpatrick
This is all doable through the AD access control mechanisms and security policies. The AD Delegation of Control Wizard is included with the W2K distribution and can help with some of this. You might also look at third party delegation products such as Quest ActiveRoles or FAZAM from FullArmor.

RE: [ActiveDir] Remove a Local Security Template

2003-03-07 Thread Rick Kingslan
Folks, Don't forget - security templates make more than just changes to registry. You can affect group memberships via the restricted groups, permission on services, permissions on registry, added registry entries, permissions on NTFS, blah, blah, blah. Oh, and if you

[ActiveDir] AD DMZ's

2003-03-07 Thread Ninet Segar
In supporting an extranet/intranet/internet application are there any technotes or whitepapers on firewalls and AD? I have scoured the MS site, I have read the Internet Data Center Reference Design, but my ideas are a bit more complex. We have a firewall design that includes 4 segments and may