Just to clarify a bit, there is a race condition when the DC boots where netlogon starts before some other services, e.g. the KDC, are available. Netlogon thinks the DC no longer hosts those services and deregisters the corresponding SRV records. If the deregistration fails for some reason,
Is there a script or documentation available for modifying Active
Directory schema for support for OS X disk quotas?
I have Mac users authenticating to AD but their home directories are
stored on a Mac Server. Home directories mount fine via SMB but I am
unable to set disk quotas for
Hello all,
Anybody working on 2000 server-based networks would care to share
experiences post 04-011 patch installation?
As of now the installation at other customer's sites showed no issues.
However I should be about to deploy it at a quite critical site.
- Has anybody experienced the issues
It will put it back if you give it a chance if you're referring to
something I've seen.
I had 3 servers on 3 different sites; each had a share called cdimages
which were supposed to be manually synched but, of course, they never
were.
I made this into a dfs share and, as you say, dfs appeared
Title: OT: Research Question
Hey, you said it, not us!
As I slink back into VS2003...
--
Roger D. Seielstad -
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent:
Our remote users have always been domain members - it's part
of our security policy.
You're correct that an incorrect IPSec policy could cause
issues, but the parts I left off were what I thought were obvious - only block
what you know you can block, and include exclusion rules for things
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.
Um - no. The gethostbyname calls request the network stack
process a name resolution request.
--
Roger D. Seielstad -
MTS MCSE MS-MVP Sr.
Title: OT: Research Question
Pay is important, obviously, but I'm now more interested in the overall strength
of the company I work for, and a good stream of challenging projects to work
on. I don't know what the median age is of the folks on this list, but I
suspect it's probably at least a
Hi Wook,
Thanks for the additional details! I've been
chasing my tail on this issue for about a week now. Is it too simplistic
to think these problems could be avoided if service dependencies were
used?
Mike Thommes
-Original Message-
From: Lee, Wook
[mailto:[EMAIL
I'm constantly having users ask me to do some ad-hoc query on AD, and send them the
output. Seems like it would be pretty cool to create an Excel add-in that would
allow someone to import AD data directly into Excel. I've seen a few add-ins
that query a SQL database like that, but has anyone
Title: OT: Research Question
Now I guess I should have written
programmers and other IT pros.
Sorry.
Mitch Lawrence
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Posted At: Friday, May 14, 2004 7:09 AM
Posted To: ~AD
Title: OT: Research Question
Depends. I've seen many IT pros that couldn't
program. I've seen many programmers that could do the IT pro job.
Typically something gives when you do programming and infrastructure work.
Very different mindsets. I usually just hope when I meet someone who
claims
Let me look it up, It will just take me some time to put it all
together. Just to get my bearings on the subject, let me ask some
questions:
1. What is the Specific OS version on your client mac machines?
2. What is the Specific OS version on your server mac machines?
3. What is the exact
Title: OT: Research Question
Thank you all for your responses. I got
more than enough to make this an excellent look into what drives the
individuals in this industry. It isn't complete, but it is a great look.
Thank you again.
Thank you,
Mitchell D. Lawrence
The favorite thing about my job is answering questions for Students and Interns
It gives me the warm fuzzies
On May 13, 2004, at 12:05 PM, DL.ActiveDirectory wrote:
Hello,
I am doing research for a college project, and I would appreciate any
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.
I think the original request was that it be vbscript or
vb.net. I suppose you could wrap the call, but I'm not sure it meets what
he's looking for.
Additionally, I think we overcomplicated the request.
How are you monitoring your DC's? You can look for failure events
preventing GP from being applied. Once you find one of those, you could dig
deeper based on the information found.
How's the PSS method coming along?
-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
On *that* dc? Which dc do you have errors on?
:)
Seriously, do you have any errors going on?
Replication, role, etc?
From: Salandra, Justin A.
[mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords
I have no errors on
We wrote a basic one that allows users
to dump DL memberships to a spreadsheet w some of the attributes.
Basically it was for the clerical folks that create phone lists for depts. and
floors. I don't know if we can share. Also It's hard coded to
our domains and OUs
Diane
From: [EMAIL
You will need to create an IPSEC policy and apply this via
GPOs.
Denny
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, May 13, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] TCP Port Blocking
Sorry for
the newbie sounding question.
I have two DCs and neither have any errors
in any log.
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords
On *that* dc? Which
dc do you
Great article that simplifies the creation of IPsec policies ...seeing that
the GUI is nefarious...
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
At 10:36 AM 5/14/2004, Depp, Dennis M. wrote:
What happens if they ignore the password reset
notification?
Al
From: Salandra, Justin A.
[mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords
I have two DCs and
neither have any errors in any log.
-Original
Here is the specific attribute you are looking to import, although
there is an entire apple-user class that you would probably want to
import in order to support all of the apple controls. I have attached
a copy of the latest version of the Apple Openldap Schema that is used
for open
Hi Folks,
I apologize for the question since I think it has been battered around in one form
or another but I can't seem to find the answer. The question: a related
company root admin wants to see a password expiration length time on a W2K
domain. He is worried that everyone's password
Depends on which part of the process you're concerned
about. Will the passwords expire at the same time? Not
necessarily. They'll all expire at the interval of password expiration
based on pwdLastSet. To play that out, if user 1 last set her pwd
yesterday, she has until pwd expiration
Thanks, Al!
-Original Message-
From: Mulnick, Al
[mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length
Depends on which part of the process you're concerned
about.
It really depends on what type of group
policy you se.
On an interesting note - -I just attended
the Microsoft Security Strategies Road Show this week and the topic of
passwords vs. passphrases was
brought up.
If you are willing to implement the policy
- - if you force your users to
Now if you want to set a policy for say 91 days but
everyone's password is over say 150 days, you can either get to 91 days by
starting with a high policy age and slowly decrease it or you can manually
expire people so they have to change and then once they all get changed, set
your policy.
It is a good idea. I use pass phrases... however trying
using TS Manager to grab one a session when you have a long password like that,
comes back and tells you bad password even though you can log into a "fresh" TS
session just fine.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL
On a Windows XP Machine, I have a GPO that is allowing Offline files,
and everything seemed okay when I was logged in as administrator,
however when I tried to make something available offline the option on
the context menu was grayed out. How do I change this through the GPO?
I don't see the
The few thoughts I had
1. Are they maybe using local accounts?
2. Did anyone check the attributes on the user objects in
the domain, are they changed?
3. Have they logged off and logged on since changing the
password or do they just lock and unlock the desktops?
From: [EMAIL PROTECTED]
Let me modify my question, I noticed that with the MY Documents folder,
I am unable to specify whether to make it available offline or not.
Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
I thought we were discussing end user
policies though not TS Admins
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
consequences of setting password expiration length
It is
NO
Attributes appear normal
They receive this when logging
on not unlocking the workstation.
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Mine never got copied back from the preexisting folder. Took me a while
of wondering why replication hadn't started to go look at the source,
and lo and behold the ntfrs_preexisting was empty.
--Brian
-Original Message-
From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14,
Correct.
--Brian
-Original Message-
From: Thommes, Michael M.
[mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 10:04 AM
To: Active Directory Mailing List
(E-mail)
Subject: [ActiveDir] consequences
of setting password expiration length
Hi Folks,
I apologize
Thanks Brian I hadn't seen that one. I'll take a look
mc
-Original Message-
From: Brian Desmond
[mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Ad
hoc queries from within Excel
Check out Richard Mueller's
But would you want a password policy weaker on your admins
than on your users?
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration
2. Are they updated with the new value from when they
changed?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 14, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords
NO
Attributes appear
normal
They
I read somewhere that the computer policy refresh does not periodically apply unless
there has been a change to the policy. Is that true?
We have a group that is proposing ACL'ing system files on servers in the computer
policy. Is this a good idea or bad idea? Our belief is that it's
2a. And is that updated value showing on both dc's
correctly?
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords
2. Are they updated with the new value from when they
changed?
From: [EMAIL PROTECTED]
Are you on W2k or W3K AD?
Lynden
From: Salandra, Justin
A. [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW:
Passwords
NO
Attributes
appear normal
They
receive this when logging on not
Hello:
I need some advice about file service, directory management, and user
authentication in a mixed Windows/Mac environment.
I have a magazine client with approximately 70 users: half Macs, half
Windows. As you might expect, the Macs are the art department and editorial;
the PCs are
And would you want something that never changes? On
the one hand it reduces your help-desk-password-reset-side-business
impact. On the other hand, it is much more likely to be shared or
otherwise circulated by silly users. Oh sure, "our policy prevents that"
you say. But think about it. Is
Mike-
It is true, but you can override that behavior through Admin. Template
policy on a per-policy area basis to force GPO to process during every
foreground and background refresh regardless of whether the GPO has
changed. The exception to this is that security policy (including file
security)
Crap, I didn't even catch the part about never changing the
password, that is asinine. Any admin who set a policy like that needs to be
washing dishes for a living.
On the password reset help desk business, get a self-help
reset web site... Queue Idan from M-Tec.
joe
From: [EMAIL
Queue Idan? Where's this at?
URL?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length
Crap, I didn't even catch the part about never changing
Identifying the issues is easy. Getting others to
understand and work to resolve the issue is what separates the dish washers from
the IT professionals and developers ;-)
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
I'm currently involved in migrating a network from Netware to AD/OS X
Server. The problem with running Windows servers in a Mac environment
is that Microsoft has no plans to support the latest AFP version, which
kinda sucks for various reasons. (auto reconnect, etc)
Best way I can come up
http://www.psynch.com/
Idan works for M-Tec, IIRC
From: Rimmerman, Russ
[mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 12:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] consequences of setting password expiration length
Queue Idan? Where's this at?
URL?
From: [EMAIL
Have any problem to
view the Dial-In Property Sheet with Windows XP SP1?
Thks.
LEGAL NOTICE: This information is private and confidential and is addressed solely to its recipient. If you are not the original recipient of this message and by this means were able to access said information by
Install the Windows 2000 Adminpak.msi (ignore any warnings)
and then install the 2003 Adminpak.msi over top of it, and you'll have the
dial-in tab back.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:38 PM
To: [EMAIL
This is one of my pet peeves for the ADUC in XP.
See http://support.microsoft.com/?id=304718 and
then search for "dial-in".
Quote:
The Dial-in tab that configures Routing and Remote Access
dial-in or VPN access and callback settings is removed
when the Administration Tools package is
We have password
protected screensavers enabled in our default domain policy, and then at a lower
OU level, I have a GPO linked that is set to Screen Savers "Not
configured". Basically, we want all users to have password protected
screensavers except a select few
machines.
So, I created a
Russ, I
believe what you need to do is set up an OU and put those machines in it. Then
set the group policy Computer Configuration setting User Group Policy Loopback processing
mode. Set the Screen Saver policy accordingly in the User Configuration
section.
Then users
who log in to
Is it absolutely necessary to create a whole separate
GPO for these computers? Seems like it will create an administrative
nightmare. Can't you just deny access to the default domain GPO and it
won't apply the screen saver settings?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
I don't
think so - screen savers are configured on the user, and you want to
limit by the machine. That's why the Loopback policy, and the reason for
segregating the machines in a separate OU. Others please chime in if I'm
wrong though
mc
-Original Message-
From: Rimmerman,
Well, we seem to be ok now. The repadmin /showmeta deal was one of the early things
we tried in hopes of narrowing it down, but the values of three of those attributes
kept incrementing and the Org DSA would be different virtually every time, so it was
hard to chase back. Operations started
I just thought you could avoid creating an OU mess by using
the security permissions (apply gpo, deny gpo) on each GPO
properties.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Russ-
Not Configured essentially means 'do nothing', so to undo
an enabled setting, you have to set the downstream GPO to Disabled. In your
case, I'm assuming you're controlling the screensaver through User
Configuration|Admin Templates. If that's the case, then your deny ACEs need to
be on
Yep, that
would work if the *users* were in
the OU, but your goal is to isolate the machines from the policy regardless of
who the user is. We do this for our Win2K based video-conferencing systems. The
execs kept getting annoyed when the monitor went into locked screensaver right
in the
My $0.02
In the existing situation, with 70 machines at one site, half macs and half PCs. The choice is actually a dead giveaway... Xserve's all the way. OS X server with OpenDirectory and Samba 3 can handle the authentication needs of the whole shop. You don't need Active Directory at all.
My DNS guy would like to be able to archive the DNS debugging logs (eg,
c:\winnt\system32\dns.log) . Currently, you can indicate what size you like the log
to be, and when it gets to that size, it just writes over itself. Has anyone found a
way to automatically cut a new a log file? TIA!
If you truly want to control a user policy based on the
computer, then loopback is the right choice. You don't have to create a separate
OU to do that. It makes it more obvious when you have machines controlled by
loopback in a separate OU, but you can use security permissions to control it,
Mark is absolutely correct, the screensaver setting is a user policy. In order to fix this correctly and still use the default domain policy to set the screensaver you have to use loopback processing. One great thing about active directory is that it is designed to be extensible. Creating
Actually, now that I look at this, you may need to set the
Screensaver policy in your loopback GPO to Disabled, if this GPO gets
processed after the default domain GPO that sets this to enabled. Not sure now
that I think about it, since loopback replace mode should do just that, but it's
So if we have password protected screensavers enabled, and
I want to allow a specific PC to be configured to whatever the currently logged
in user wants for a screensaver, do I set it back to "Not configured"? Or
do I have to disable it, wait for it to apply, and then set it back to Not
I'm trying to authorize a dhcp server in a child domain as an enterprise admin and i
get access denied.
we are running win2k forest in mixed mode.
any suggestions?
thanks
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
Add the user ID you are running as to the DHCP Admins group on the DHCP
server
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 14, 2004 4:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] authorize dhcp
I'm trying to
is that always the standard procedure?
-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] authorize dhcp
Add the user ID you are running as to the DHCP Admins group on the DHCP
server
The only problems I have noticed with MS04-011 is the older versions of
shutdown.exe and printmig.exe didn't work. Printmig.exe actually ate up
a nice chunk of memory in the process of hanging but 3.0= works fine
We patched over 800 servers with only one case of performance issues
related to an
Good question. This stuff gets ugly quick. Just a quick
test shows that if I either enable or disable that policy, then it's grayed out
for the user, preventing them from changing it in either direction. The problem
is that the first GPO to set this owns it, until another one comes along with
Does anyone know how to do a search and destroy of an email message
across mail stores?
Thanks,
S
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Use Exmerge. I believe it is in the Exchange support tools for 2000 and
2003.
Denny
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Friday, May 14, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange 2003 Question
what is the purpose of the exchange settings folder(which is empty) under the
pdc/rid/infra master dc in ad sites and services?
and how does exchange or ad pick which server to place it under?
finally, if i'm decommissioning that server, how do i move this folder or will it move
automagically?
You will also have to give yourself (or some account) access to all the mailboxes to
use Exmerge.
http://support.microsoft.com/default.aspx?scid=kb;en-us;821897
Clyde Burns
-Original Message-
From: [EMAIL PROTECTED] on behalf of Depp, Dennis M.
Sent: Fri
I have a Proliant 3000 (Win2k SP4, Exch2000) with ten spindles in it, three arrays
hooked up to an SA3200 card. Three of the spindles are configured as spares in the
three arrays. To me, when I set this up, it translated to if an active spindle fails,
a spare will hop in and the mirror/strip