RE: [ActiveDir] Off-topic sorta

2004-10-07 Thread Peter Johnson
Just a quick question and a comment if I may. First off this is a great list to be on even if I don't contribute a lot, simply due to what I've learned. In South Africa we have a lot of issues with bandwidth, or rather lack thereof and high cost, and I was wondering which would be less

RE: [ActiveDir] Off-topic sorta

2004-10-07 Thread James Allen [MSBU]
I'm not an expert on this, but I don't see the need for a server on the DMZ or an ISA server. We have put our Exchange server behind the DMZ and opened up SSL connections to that server only. You can still use OWA and you don't need an extra VPN or ISA. I guess that I'm assuming you have a

RE: [ActiveDir]DHCP Client service failing

2004-10-07 Thread Robert Rutherford
Can you manually start the service as an admin? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: 06 October 2004 23:29 To: [EMAIL PROTECTED] Subject: RE:

RE: [ActiveDir]DHCP Client service failing

2004-10-07 Thread Robert Rutherford
Oh yeah, sure I'll change my standard to match whatever standard bank likes!!! Are others getting this with each post? It's beginning to get annoying. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 07 October 2004 12:33 To: Robert Rutherford Subject: RE:

RE: [ActiveDir] Off-topic sorta

2004-10-07 Thread Craig Cerino
I may be a little late but may I ask why you are putting an Exchange server out in your DMZ? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, October 06, 2004 4:51 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Off-topic sorta

RE: [ActiveDir]DHCP Client service failing

2004-10-07 Thread Tony Murray
Ok, I'm looking into it... Tony -- Original Message -- From: Robert Rutherford [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 7 Oct 2004 12:38:10 +0100 Oh yeah, sure I'll change my standard to match whatever standard bank likes!!! Are

FW: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Hunter, Laura E.
Someday I'll learn to hit Reply-to-All when I do this. :-) -Original Message- From: Hunter, Laura E. Sent: Thursday, October 07, 2004 8:54 AM To: 'Mulnick, Al' Subject: RE: [ActiveDir] Windows Server 2003 Security Weirdness but what's this? Why is the primary DNS server saying it

OT: RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Mulnick, Al
Tell me about it G From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza Sent: Wednesday, October 06, 2004 9:57 PM To: [EMAIL PROTECTED]; Hunter, Laura E. ; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Mulnick, Al
Laura, the 2003 server and the 2000 server both use the same primary DNS server. That's a suspect thing since the 2000 server is unable to get a response according to netdiag. Can you give a little more information about what you're seeing? I saw this part: The brute-forcing is taking place

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Hunter, Laura E.
Can you give a little more information about what you're seeing? I saw this part: The brute-forcing is taking place solely on the remaining 2000 DCs but I'm interested in why you say it's a DoS attack. What other information led to the conclusion? What's happening on the 2000 servers

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Marcus.Oh
Regarding the anonymous enumerations (RestrictAnonymous settings), I think securityfocus did an article on it outlining other calls that this setting does not block which allows the enumeration of accounts. Just FYI... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

[ActiveDir] Disable AD requests?

2004-10-07 Thread Harding, Devon
I have a laptop which is part of an AD domain. This domain name, which is private to us, is public on the Internet. When I create a dialup connection to the Internet, I get a logon box, prompting me to logon to the domain. I only want to access my domain when I connect via

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Mulnick, Al
Is it possible that the accounts are being denied when they shouldn't be? Is it possible this is a symptom of your problem, meaning that if your 2000 machine cannot get a response from DNS (at least in time), it may be denying somebody legitimate access to something they should have access to.

Re: [ActiveDir] Disable AD requests?

2004-10-07 Thread Tomasz Onyszko
On Thu, 7 Oct 2004 09:55:00 -0400, Harding, Devon wrote How can this be fixed? Disable Client for microsoft networks on this connection -- Tomasz Onyszko - [EMAIL PROTECTED] http://www.w2k.pl List info : http://www.activedir.org/mail_list.htm List FAQ:

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Hunter, Laura E.
Is it possible that the accounts are being denied when they shouldn't be? Is it possible this is a symptom of your problem, meaning that if your 2000 machine cannot get a response from DNS (at least in time), it may be denying somebody legitimate access to something they should have access

RE: [ActiveDir] Off-topic sorta

2004-10-07 Thread Jonathan Jesse
We have setup an Exchange Front end mail server in off of the optional port of our firewall, along with some other monitoring/logging devices for internet access. Any of these devices do not have an external IP address. Any mail that comes into our domain goes through the front end mail

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Mulnick, Al
Fair enough. g I still think fixing the DNS issue is worth your time. I mean, while you go out to disable those machines access to the network that is. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Thursday, October 07, 2004

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Mulnick, Al
Sorry, hit send too fast. Is it possible that those machines are hosting apps/ shared files and are asking for Kerb tickets? Just curious. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Thursday, October 07, 2004 10:09 AM

RE: [ActiveDir] Disable AD requests?

2004-10-07 Thread Harding, Devon
This has already been done. It still pops up with a logon. If I can somehow tell my system to only use a specific DNS server to resolve my private domain name, I think it might work then. Is there any way to do this? -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

[ActiveDir] USMT

2004-10-07 Thread Seitz, Peter
Looking at USMT and its limitations such as clients must be 98 or NT 4.0, almost all of our clients are running W2K and XP. What about migrating their mapped drives, network printer configurations, profiles and folder options? Has anyone worked around this issue? Peter Seitz Systems

RE: [ActiveDir] USMT

2004-10-07 Thread Mulnick, Al
Have you looked at ADMT? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seitz, Peter Sent: Thursday, October 07, 2004 10:25 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] USMT Looking at USMT and its limitations such as clients must be 98 or NT 4.0,

RE: [ActiveDir] USMT

2004-10-07 Thread Seitz, Peter
Yes I have. I'm more concerned about maintaining user resources such as printers, fileshares, roaming profiles and such. I don't know how granular ADMT is. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, October 07, 2004 7:38 AM To: '[EMAIL PROTECTED]'

[ActiveDir] Question from a new GPO User

2004-10-07 Thread Christopher R. DePaola, CHMM
Hello to all I have what I think is going to be a very basic question but I am rather new. I am the administrator of a win XP pro system and would like to utilize some of the features located in Group Policy for my Users Group without having those policies implemented on my Admin Account.

[ActiveDir] Question from a new GPO User

2004-10-07 Thread Justin_Leney
Return Receipt Your [ActiveDir] Question from a new GPO User document :

RE: [ActiveDir] Disable AD requests?

2004-10-07 Thread Harding, Devon
Can someone tell me what's happening, in terms of Active Directory, when my XP machine connects to the Internet? Does it still try to connect to my AD domain? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, October 07, 2004

[ActiveDir] Question from a new GPO User

2004-10-07 Thread Lucia Washaya
Return Receipt Your [ActiveDir] Question from a new GPO User document :

Re: [ActiveDir] USMT

2004-10-07 Thread Jordan Arendt
Have you looked at (under XP) Start - All Programs - Accessories - System Tools - Files and Settings Transfer Wizard ? Jordan On Thu, 7 Oct 2004 07:51:06 -0700, Seitz, Peter [EMAIL PROTECTED] wrote: Yes I have. I'm more concerned about maintaining user resources such as printers, fileshares,

RE: [ActiveDir] USMT

2004-10-07 Thread Mulnick, Al
Check again. Last I checked, that information is stored in their profile on the local machine. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seitz, Peter Sent: Thursday, October 07, 2004 10:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir]

[ActiveDir] Trust Computer for delegation

2004-10-07 Thread AD
Ladies and Gentlemen, Can someone tell me what exactly happens or what the ramifications are when you enable "Trust Computer for delegation"? I wrote an ASP.NET app that uses current credentials to authenticate. I know that the web app works when this "Feature" is on, and I know that it doesn't

RE: [ActiveDir] Off-topic sorta

2004-10-07 Thread Rimmerman, Russ
Not a whole exchange server, just a front-end server. This is in order to support OWA for external users. This front-end back-end is supposed to be "more secure" according to Microsoft. Yet there's a whole list of ports (including 135!) we must open inbound from our DMZ! -Original

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Hunter, Laura E.
Well, I'm chalking this one up to not my DNS, since the issue seems to have gone away on its own overnight last night. Maybe there were some SRV records that didn't get created right away when I registered the 2003 DC or something, and replication was badly affected as a result. Either way, it's

[ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread joe
In case you haven't noticed, Windows NT Mag got renamed yet again. Now it is the Windows IT Pro mag and is on newsstands now. Robbie has a good article in there about AD command line tools. :o) Also FYI, completely redesigned my website. Any update requests for admod/adfind/oldcmp and any of

RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread Creamer, Mark
Joe, cool new site design! Would this be creative enough? How 'bout an Excel add-in that would allow someone to query AD from within the Excel interface and return the results to the spreadsheet? mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Mulnick, Al
Network trace to find the culprit. Sounds like a scheduled task, doesn't it? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Thursday, October 07, 2004 3:38 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows Server 2003

RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread joe
Heck, I can NOT get rid of that. I would hate myself. :o) But good point. Let me know how you guys like the tool pages now, hopefully all the info for a tool will be available on the one page now. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread joe
Hmmm so you are asking for CSV output from ADFIND... That has been asked for before. I have that on the list. Maybe it is time. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Thursday, October 07, 2004 3:35 PM To: [EMAIL PROTECTED]

RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread Michael B. Smith
I put in a vote for that, too. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 07, 2004 3:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications Hmmm so you are asking

RE: [ActiveDir] Off-topic sorta

2004-10-07 Thread Brian Desmond
I understood that the original question was to publish OWA from the DMZ. That said a fraction of users need all the services a VPN provides. With the new HTTP RPC in Exchange 2003 users can even use the full Outlook client remotely. The cost of educating thousands if not tens or

RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread Tony Murray
Yeah, but you don't need Joe to do that, you can do it anyway with Excel VBA and ADO (which supports SQL style queries to AD). Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Donnerstag, 7. Oktober 2004 22:04 To: [EMAIL

RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread Creamer, Mark
I know - so far I haven't been too successful. If Joe thinks it's a worthwhile spinoff of adfind's many capabilities, I sure won't complain :-) mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Thursday, October 07, 2004 4:33 PM To:

Re: [ActiveDir] Question from a new GPO User

2004-10-07 Thread support
Chris, You control it via the security on the Policy. If you open the properties for the Policy then look at security, you will see that Authenticated Users have the APPLY attribute. You can either remove it from Authenticated Users and add the Groups that you want to receive the policy,

[ActiveDir] GPO applying.

2004-10-07 Thread Cothern Jeff D. Team EITC
A server we were working on was inadvertently moved into an OU that had a policy applied to it. That GPO had some settings that we are not sure which that broke some functionality of the server we are still in the process of developing fully. The Server was moved out of that ou back

RE: [ActiveDir]DHCP Client service failing

2004-10-07 Thread Cothern Jeff D. Team EITC
Ok I found the fix. Was a couple of things. First the network service didn't have full permissions to run the service under the GPO. Also the Network service didn't have full permissions to the DHCP registry key. Once I fixed that the service started just fine. Ref

[ActiveDir]RSoP logging

2004-10-07 Thread Cothern Jeff D. Team EITC
Is there a way to get this to work on windows 2000 servers or is it only for 2003. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir]DHCP Client service failing

2004-10-07 Thread james . blair
Jeff, My guess would be that the DHCP client service permissions have been changed. What I would do is from the particular server run RSoP.msc and check the resultant set of policy on Computer Configuration/Windows

RE: [ActiveDir] GPO applying.

2004-10-07 Thread Darren Mar-Elia
What kind of policy was it Jeff? Admin Templates? Other? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, October 07, 2004 2:33 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO applying. A server we were working on was

RE: [ActiveDir]RSoP logging

2004-10-07 Thread Darren Mar-Elia
RSoP logging is only supported against XP and 2003 boxes. This is a hard-coded thing because MS added a WMI provider and supporting infrastructure into these newer platforms to support that. RSoP modeling, of course, can support what-if scenarios against any 2000 client platform, since it only

RE: [ActiveDir] [OT] Windows IT Pro Magazine and requests for modifications

2004-10-07 Thread Grillenmeier, Guido
;-)) I could think about a few other things the query would return for Joe ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Thursday, October 07, 2004 10:04 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [OT] Windows IT Pro

RE: [ActiveDir] Trust Computer for delegation

2004-10-07 Thread Grillenmeier, Guido
If you have Win2000, you'll be opening security holes, since basically any service could leverage tokens from other users connecting to it to do whatever it likes as the user. That's why in 2003, constrained delegation was added, so you can configure it for just a specific service... /Guido

RE: [ActiveDir] Windows Server 2003 Security Weirdness

2004-10-07 Thread Bernard, Aric
Laura, I would suggest you look at the following security policy options to determine if they are being applied to your infrastructure. A couple of notes about this statement These settings are typically are not likely being configured via GPO, so you will have to look at the local

[ActiveDir] Users and Computers error

2004-10-07 Thread Caple, Andrew
We have 4 people working on the Support Centre and the error below came up on only one of the computers. All users have the same permissions and they have been using the same computer for the past 5 months without any problems. Apparently the user was able to get in at one

RE: [ActiveDir] GPO applying.

2004-10-07 Thread Bernard, Aric
You can try refreshing its policy configuration using gpupdate or secedit (dependent on OS). If you receive no joy from that, you can try hacking the registry clean starting with the default location that many (not all) GPO settings are stored on the client (HKLM\Software\Policies).

RE: [ActiveDir] GPO applying.

2004-10-07 Thread Tyson Leslie
Have you tried re-applying the default security template? (using Secedit, or the Security Config Analysis MMC snapin...) What functionality appears to be broken? (Most policy settings are not permanent...) Tyson. From: Cothern Jeff D. Team EITC [mailto:[EMAIL PROTECTED] Sent:

RE: [ActiveDir] GPO applying.

2004-10-07 Thread Darren Mar-Elia
Actually security is one of those areas that stays around even after the policy is removed. There are obvious advantages to that, and of course some disadvantages. But you're right, the best approach if you want to remove a previous security policy is to apply a sec. template that undoes

RE: [ActiveDir]OT: Terminal Service and 2003

2004-10-07 Thread Brian Desmond
You can set an idle timeout on the TS session. If your clients are all 2k/xp, you could write a logoff script which did the TS logoff forcibly with the shutdown utility or some other means (perhaps the utility you mention). I'd imagine that

RE: [ActiveDir]OT: Terminal Service and 2003

2004-10-07 Thread Robinson, Chuck
It comes with Windows Server 2003 and XP. Chuck From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC Sent: Thu 10/7/2004 9:47 PM To: [EMAIL PROTECTED] Subject: [ActiveDir]OT: Terminal Service and 2003 I am trying to find a way to ensure that a user