RE: [ActiveDir] adding a group to the RDP permissions

2004-05-28 Thread Creamer, Mark
Thanks joe (theoretically) ;-) -Original Message- From: joe [mailto:listmail@joeware.net] Sent: Thursday, May 27, 2004 6:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] adding a group to the RDP permissions Hmmm theoretically, the permissions ar

RE: [ActiveDir] OT: Exchange 2003 SP1

2004-05-28 Thread Michael Wassell
Oddly enough I was JUST looking at that last night before signing off for the evening :-) But yes, it does look like a very handy tool. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, May 27, 2004 7:47 PM To: [EMAIL PROTECTED] Subject

[ActiveDir] MACS

2004-05-28 Thread Rutherford, Robert
Anyone know where MS are with MACS now?

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
Permissions get changed all the time. Monitoring the DC's for group membership changes has been helpful here. You'd be surprised what people think is a good idea ;) As for permissions, putting that account in domain admins is likely the wrong thing to do. If you look in the security logs, you'l

RE: [ActiveDir] Discontinue Mail Membership

2004-05-28 Thread Mulnick, Al
I'm just hoping he doesn't delete me... That sounds like it would leave a mark. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, May 27, 2004 7:10 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Discontinue Mail Membership I love how Tony can kill a thre

RE: [ActiveDir] strange error on logon

2004-05-28 Thread Mulnick, Al
Picasso, would it just be me, or does anyone else think that making KB searching an art vs. a science  is wrong?  I mean, as long as it's public vs. say, utopia, wouldn't it make sense to make it so the intended audience could use it?  Like Joe said, buy google already. That's what gets used

RE: [ActiveDir] strange error on logon

2004-05-28 Thread Eric Fleischman
We keep tweaking it to make it better. As you’ve probably read, this is a major work item for us. We’re working on it.     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, May 28, 2004 8:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [Activ

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
here's the deal- i've had this same thing happen to a child domain. the domain admins had full exchange admin rights on their admin group. however, when you open up exchange system manager, you couldn't see anything. In adsiedit, if you looked in the exchange services container in the configurat

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
What's the error messages when the service tries to start? What's in the security and application and system logs? What groups is the bb service a member of completely? Which one is delegated exchange rights and how does that compare with the service account? I think that's a good place to star

RE: [ActiveDir] strange error on logon

2004-05-28 Thread Thommes, Michael M.
Hi Eric, Improvements in this area would be great!  I'd like to suggest that MS thinks about moving KB articles from the Premier site to the Public site a little faster also.  Keeping known problems from the public is not a good policy.  (Yes, there are at least two KB databases!)   Mi

[ActiveDir] 1000 user limit

2004-05-28 Thread Douglas M. Long
I need to increase the search limit on 2003 so that when I do an ldap search I can retrieve everything. Everywhere I look it just tells me to use ntdsutil and change the maxpagesize (I believe that was it), but doesn't give any specific permissions on how to do it. Do you guys have a link on the det

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
There would be an event logged on the Exchange server if your membership were incorrect. Depending on version, this would be different. Have you checked with the root folks to see if they've done anything lately? How's replication working? Interested to hear what RIM comes back with as well. Al

RE: [ActiveDir] Probable GPO issue

2004-05-28 Thread Rutherford, Robert
Seems like it could be down to an MS patch as the new machines are patched to the 'nth' degree while the old ones typically only had critical patches. I investigate further. -Original Message- From: Rutherford, Robert Sent: 28 May 2004 15:43 To: '[EMAIL PROTECTED]' Subject: Probable G

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
According to RIM, it's a permissions error (duh). they suggested upgrading the mapi32.dll and cdo.dll to the same version as the exchange server. while the blackberry service is now starting, i still can't see anything in exchange system manager or adsiedit logged in as the blackberry account. the

[ActiveDir] GPO Question

2004-05-28 Thread Christine Easton
Running Windows 2k AD with sp3 Hi, I'm trying to create a GPO for my users that will place a shortcut to their departmental folder that is on a NTFS network share to their desktop. Has anyone done this before? I'm not sure what GPO I should be using or what procedure I should follow. Any help

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
They could have added an Exchange 2k3 server for starters :) Nothing is logged on the Exchange server or the DC/GC when you try to access that information? Is audit logging turned on? Did they upgrade the root domain as well? Those permissions are set on the configuration container and you shoul

RE: [ActiveDir] GPO Question

2004-05-28 Thread Passo, Larry
Use the GPO to run a logon script that creates the shortcut http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsconcreatingshortcut.asp -Original Message- From: Christine Easton [mailto:[EMAIL PROTECTED] Sent: Friday, May 28, 2004 11:09 AM To: '[EMAIL PROTEC

RE: [ActiveDir] MACS

2004-05-28 Thread Free, Bob
>Anyone know where MS are with MACS now? MACS is now called The Microsoft Windows Audit Collection Services (ACS) Release Candidate 1 became available to beta testers at the end of April. ACS Release Candidate changes include: 1) Simplified and updated database schema 2) Updated communications pr

RE: [ActiveDir] GPO Question

2004-05-28 Thread Creamer, Mark
How are the users organized? Is there some attribute populated already in your AD that can properly match the user to the directory shortcut they should receive? I think I'd use a login script for this... -Original Message- From: Christine Easton [mailto:[EMAIL PROTECTED] Sent: Friday,

[ActiveDir] LDAP Query Response Time

2004-05-28 Thread Marcus.Oh
Anyone found a clever way to monitor and alert on this stuff? :) Counters maybe?

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
they added an exchange2k3 server and a win2k3 dc. how would that change things? in my child domain, i'm a full exchange admin and can see everything. in another domain, the exchange full admins can't see anything. and of course the view only blackberry service account can't see anything in my dom

RE: [ActiveDir] MACS

2004-05-28 Thread Gil Kirkpatrick
And, as I understand it, it is not going to be a free download or Resource Kit component any more. MSFT is going to charge for it. -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Friday, May 28, 2004 11:19 AM To: [EMAIL PROTECTED] Su

RE: [ActiveDir] MACS

2004-05-28 Thread Free, Bob
Where did you hear that? Last I heard in the beta group it was to be included in the next 2K/2003 SP's but I am not as well connected as you are :-] Maybe ~eric can answer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Friday,

[ActiveDir] wierd request

2004-05-28 Thread Kern, Tom
my manager just came to me and asked if there is a way to prevent a user from doing anything but email on the network or from a specific pc? we use exchange2k with win2k ad. is there a way to do this via a local gpo or put them into an ou and apply a gpo that way? very strange thanks

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
Checking this document, can you verify what permissions are associated with the BB account? http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Friday, May 28, 2004 2:25 PM To: [E

RE: [ActiveDir] wierd request

2004-05-28 Thread Creamer, Mark
You could probably set the machine up like a kiosk with lots of GPO lockdown policies - personally I'd get one of those rdp thin clients and have it connect to a terminal server - setting the session to run the application (eg Outlook) only, rather than showing the desktop -Original Messag

RE: [ActiveDir] wierd request

2004-05-28 Thread Darren Mar-Elia
You can definitely do this with GPO. You could even try to change the shell from Explorer to Outlook, which would prevent any access to the Explorer. I haven't tried this with Outlook but have done it successfully with IE for web kiosks. You might want to check out the GPO scenarios that MS provid

RE: [ActiveDir] wierd request

2004-05-28 Thread Chuck Oppermann
<< my manager just came to me and asked if there is a way to prevent a user from doing anything but email on the network or from a specific pc? we use exchange2k with win2k ad. is ther a way to do this via a local gpo or put them into an ou and apply a gpo that way? >> In situations similar, I'v

RE: [ActiveDir] LDAP Query Response Time

2004-05-28 Thread Chuck Oppermann
This article summarizes some techniques. Look towards the middle and end of the article. If you have control over a particular LDAP client application, consider building a debug

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread joe
Everything I read in this chain is definitely saying permission issues. Note that the main permissions for Exchange are in the config container. Anyone from any domain that has permissions to that container can be dangerous. Including domain admins of children domain. The fact that you can't eve

RE: [ActiveDir] MS Exchange Tools on Domain Controller

2004-05-28 Thread joe
Heck even when installing patches I would recommend avoiding desktop logon. My usual process would be to wrap the qfe in a batch file that would fire it and then rcmd into the server to do the launch. Yes, you are running a console from the server but I found it is less likely to have accide

RE: [ActiveDir] 1000 user limit

2004-05-28 Thread Chuck Oppermann
Agreed. People should remember that it's not a "search limit"; it's the maximum number of results in a single page of results returned. Without limits like this, it would be trivial to write a Denial of Service program that queries (objectClass=*) repetitively forcing the server to keep returnin

RE: [ActiveDir] LDAP Query Response Time

2004-05-28 Thread joe
One way to do this is set up "stations" that on some frequency will send ldap queries to your DCs. You will then simply record the time it took to process the query. Obviously do something that is consistent (rootdse or specific attribs from the default context

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
i checked the perms thru adsiedit- blackberry account (ex view only admin according to ESM)- has all the appropriate rights except no entry at the ORG container and at the Administrative groups container. Domain admins in child domain with similar issues (ex full admin according to ESM)- same th

RE: [ActiveDir] 1000 user limit

2004-05-28 Thread joe
Youch, I am with ~Eric and Al on this one. Scary day. :oP Do NOT increase the maxpagesize on the DCs. You have to ask yourself, maybe 2000 is ok for now but maybe next year I will need 3000 or 4000. Obviously there has to be a more flexible and standard method... And there is! It is to use paging.

RE: [ActiveDir] [OT] Discontinue Mail Membership

2004-05-28 Thread joe
He wouldn't do that. Tony is a great big teddy bear with outstanding wine selection skills. :o) joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, May 28, 2004 9:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Discontinue Mail Members

RE: [ActiveDir] strange error on logon

2004-05-28 Thread joe
I think the KBs are the same, just different permissions required to see different things. You have public content, partner level content, and internal content and actually that may be accessed through a different engine I think, not positive, I don't seem to have access. :o)   Honestly thou

RE: [ActiveDir] LDAP Query Response Time

2004-05-28 Thread Eric Fleischman
So a few ideas have been floated out on this thread. I can float a few myself if you can answer a question first: what is your goal? Common goals I’ve heard of: I want to understand all queries my DCs are seeing I want to identify queries bo

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread joe
1. It can't just change. Someone has to initiate something. I would expect you would need at least read (view) access through the chain down to your specific DB you want to manage. Anything not in that chain you probably don't need access to. Specifically it sounds like you need read down to your a

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
i checked the perms thru adsiedit- blackberry account (ex view only admin according to ESM)- has all the appropriate rights except no entry at the ORG container and at the Administrative groups container. Domain admins in child domain with similar issues (ex full admin according to ESM)- same th

RE: [ActiveDir] 1000 user limit

2004-05-28 Thread Eric Fleischman
Well, I'd disagree with you slightly Chuck. You could, in theory, still DoS a DC even with paged searches. For example, submit many very expensive searches at once. That said, this is a general DC perf concern. Even those with good intentions could cause a DC perf issue with adequately large page

[ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

2004-05-28 Thread Jeff Salisbury
We have our logon scripts in GPOs tied to AD Sites in our Win2K domain, with each site having its own GPO that calls a script tailored to the locally available file shares. This has worked exceedingly well, until... Based on some great input from another list reader we started testing a feature

RE: [ActiveDir] Users and Computers

2004-05-28 Thread Noah Eiger
Or you can download from here:   http://www.microsoft.com/downloads/results.aspx?productID=&freetext=adminpak.msi&DisplayLang=en   I believe you need the 2003 tools to admin a 2000 server from XP.   nme   From: Brent Westmoreland [mailto:[EMAIL PROTECTED] Sent: Thursday, M

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
i checked the perms thru adsiedit- blackberry account (ex view only admin according to ESM)- has all the appropriate rights except no entry at the ORG container and at the Administrative groups container. Domain admins in child domain with similar issues (ex full admin according to ESM)- same th

RE: [ActiveDir] MACS

2004-05-28 Thread Gil Kirkpatrick
It was announced at TechEd (although its second-hand information from one of our PMs; I wasn't at that session.) -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Friday, May 28, 2004 11:44 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveD

RE: [ActiveDir] LDAP Query Response Time

2004-05-28 Thread Gil Kirkpatrick
DirectoryAnalyzer from NetPro does this -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, May 28, 2004 11:23 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] LDAP Query Response Time Any

RE: [ActiveDir] DC not replicating out

2004-05-28 Thread Guy Teverovsky
The error was Access Denied... My colleague has found a workaround for the replication issue by adding the accounts of the DCs that were trying to pull to Builtin\Administrators group. After that the replication started to flow. More investigation showed that the DC was rejecting any connection of

RE: [ActiveDir] Anonymous bind

2004-05-28 Thread Guy Teverovsky
I have gone over the Vintela white paper you posted a link to some time ago. Looks very promising. But give the Open Source folks some time... go figure, maybe they will come up with something even better :oP Guy On Fri, 2004-05-28 at 01:28, joe wrote: > Nothing free. :oP > > However Vintela and

RE: [ActiveDir] GPO Question

2004-05-28 Thread Brian Desmond
You'll need a logon script to do this. There's a CreateShortcut method in Wscript.Shell which you can use. If you need a code sample, let me know & I'll look up the syntax. --Brian -Original Message- From: Christine Easton [mailto:[EMAIL PROTECTED] Sent: Fri 5