The only hole is that it still affords them rights to make screw ups to
the actual .dit file...
-m
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Moran
Sent: Friday, July 18, 2003 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation
dsacls /? will give you a ton of useful switches. Play with each (and a combination)
of the switches, and you get to your desired result.
If you need help after that, someone here will be able to help you.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now
Does anyone out there know if there is a way to set the ACEs on a group object
so that people can add but not delete members?
Regards,
Eric Gandy
BHBSS Network Services Team
Office 281.209.7513
That's a silly requirement that makes no sense from a security standpoint. If
the server team has the ability to install services and updates on a DC, they
have (or can easily get) privileges to do anything in the domain, and more or
less anything in the forest. See the MSFT A
Cathy,
Thank you for these very useful insights. I think we're
going to have to wing it ourselves.
-Original Message-
From: Cathy Hooper
[mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 11:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Quest Software's ActiveR
Any chance of you sharing the skeleton of
the script?
-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
I solved t
A quick down and dirty way to solve it would be to create an
admin account for each person like ADMIN_username, then put
them in a group, put the group in domain admins, and then
place an explicit deny all at the root of the domain for the
new group and let it trickle down through inheritance. Wat
Not an expert but I think there is a sol’n to this…
- If you are running W2K3 Server there is a new feature called the “Authorization Manager”
- If you are running IIS 6.0 you can program rules/scopes etc using the AuthZ Manager
- This would a
I solved this problem the easy way by writing a perl program to read user
information (phone number, address, etc) out of our master HR database and
compare it to what's in AD. If it's different, AD gets updated. This runs every
few hours.
Users can change their AD info all
Yea...they exist..but for the 50
thousand dollar pricetag on them (for even our small environment)...we couldn't
justify the cost.
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Act
OK, I'm willing to give that a try, and just to be clear: he did that on the
client computers (obviously), and that shouldn't have any system side
effects, correct?
On Friday, July 18, 2003, at 01:01 AM, McCann Danny wrote:
Richard
One of our guys was working on a similar problem, in that, Group
Pol
We have been actively using it to grant permissions for a
few months now. It's a very handy tool and generally works quite
well if you know GPOs and ACLs very well. However, the same is true using
native tools. I've learned A LOT over the past year or two. So
much more to learn, though.
Ah ok, thanks for the clarification.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Hazelman, Doug
Sent: Friday, July 18, 2003 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields
Lock things down and only allow updates through interfaces
with business rules.
-doug
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 7:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
True to your overall stat
True to your overall statement, if you lock things down and only allow updates
through interfaces with business rules you can completely control what goes out
there.
I am curious about your initial statement, are you saying you have something
that injects into the AD intern
There's a product called RealLastLogon that you could eval http://www.advtoolware.com/t4e/rll/reallastlogon.htm.
I hear 2003 DCs will query all DCs to give that information
accurately.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of
Return Receipt
Your [ActiveDir] Service pack 4 and DCs
document
:
Yes - the best way is to programmatically collect the name of all of the DCs,
and then loop through them, collecting the specific information for the
users. Then, parse back through the user information to find the REALLY
last logged on time.
Hope this helps
Rick Kingslan MCSE, MCSA, MCT
Mic
Basically my boss wants to give the server team the ability to
install updates and patches, etc on domain controllers but not give them domain
admins permissions. Is this possible? My gut feeling is no.
-Original Message-
From: Marcus Oh [mailto:[EMAIL PROTECTED]
point taken on the clean reboot - biggest issue has been the failure of user
profile migration
MS have owned up on a workstation retaining some sort of lock on the user
profile despite being logged out - err 7334 is generated
on a more general note do people share my view that the level of
docume
Joe,
There are third party tools that do allow you
to define "rules" for property validation that are enforced on the server side
and not the client side so that they can't be bypassed. You can
define that the phone number must be in the format (xxx) xxx- and it will
n
Richard
One of our guys was working on a similar problem, in that, Group Policy was
being received inconsistently. I asked this morning and this is the solution
he told me he came up with:
"...the problem seemed to be solved for most by deleting the
%systemroot%\system32\grouppolicy folder on the
Rick
Do you know of any resolution to the problem of obtaining the
User.LastLogoff date/time in Windows 2000/2003? It only works for NT4
domains.
Cheers
Danny
<<
Tim,
In Windows 2000, that's a bit of a toughie - as the information is not
stored in a replicated attribute. What this means (you
Is there such a thing as forcing group policies to hit a specific
computer on the network? For some reason not all computers on the
network receive the group policy I created and it's a pretty small
network of only about 30 users all running Windows 2000 and 2 Windows
2000 Server machines. Has
Trust me, I'm taking that approach wisely already :-)
On Wednesday, July 16, 2003, at 12:56 AM, <[EMAIL PROTECTED]> wrote:
I like http://www.microsoft.com/technet/scriptcenter/default.asp
especially.
I highly recommend that you learn all this on a SEPARATE,
non-production environment until yo
email me offline. I have one that loops thru all the DCs and compare.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: [EMAIL PROTECTED] o