Without the pipe to dsget it does not choke.
At 19:05 12/10/2004, you wrote:
One thing that bothers me is that DSQUERY should have brought back all the
entries and you should have been able to use it as expected. I'm trying to
figure out why DSQUERY chokes on the amount.
Can you verify that it's
there is always something new to learn ;-) Thanks
Eric, I wasn't aware of that one (but I can confirm that I've never noticed any
difference in performance myself).
Can you elaborate a little as to why a double ACL check is
required?
/Guido
You can use Restricted Groups in a Policy to do this.
Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --
-Original Message-
Hi Guys,
By default the Domain Admin is an administrator on every client system
in the domain. Suppose I want to extend this functionality, i.e. having
a particular user who is not a domain administrator but has
administrator rights on every client machine in the domain.
How can I achieve this?
I confirm it
Ghost DOESN'T image pagefile.sys and other temporary
If you want you can delete/extract/view/copy files from the image (.gho)
file (only delete if NTFS; also add in the Windows 9x case) with a Symantec utility
(Ghost Explorer).
From: Cothern Jeff D. Team EITC [EMAIL PROTECTED]
I'd suggest using Restricted Groups through group policy. If you go on
the MS site you will get a ton of explanations and examples.
BR
Rob
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: 13 December 2004 10:19
I find the following approach works for me:
1. Keep a master copy of all ADM files on a server which is backed up regularly.
2. When an ADM is to be altered, alter the master copy and then copy it to a folder on a DC (ideally the same DC each time for consistency - let's say
Many thanks for the information and pointers. Having read them, can someone then tell me if I have got this correct.
If I copy the latest ADM files to one of my DCs (in my case my local site DC, which has no FSMO roles) and then create a new GPO and assign it to an OU,
See inline comments.
Note: This is a huge subject and I would suggest further reading as follows:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url="">
(the URL may wrap)
neil
-Original Message-
If your users have local admin rights on their machine, be very
careful with restricted groups. Use a logon script instead.
Dennis
On Mon, 13 Dec 2004 11:26:50 +0100, Jimmy [EMAIL PROTECTED] wrote:
You can use Restricted Groups in a Policy to do this.
Regards,
/Jimmy
The following fragment in the machine startup script adds 3 domain
groups to the local admins group; we then just add users to the domain
groups and they will then be local admins as needed.
It's a bit kludged - it ought to check for membership first rather than
just try and add...
Steve
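Steve's script itself is not in the digest. As an added example (not Steve's code, and not posted on the list), here is a machine startup script in PowerShell that does the membership check he says his version lacks: it reads the local Administrators group through the WinNT ADSI provider, adds each domain group only if it is absent, and reports a failure instead of aborting the rest. The domain name CORP and the three group names are placeholders.

```powershell
# Added example (not Steve's script): idempotent startup script that makes a set
# of domain groups members of the local Administrators group.
# Placeholders: the domain NetBIOS name and the group names.
$DomainNetBIOS = 'CORP'
$GroupsToAdd   = @('Workstation Admins', 'Helpdesk Tier2', 'Desktop Engineering')

function Get-LocalAdminMemberPaths {
    # ADsPath of each current member, e.g. WinNT://CORP/Workstation Admins
    # or WinNT://PC01/Administrator for the built-in account
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
}

function Add-DomainGroupToLocalAdmins {
    param([string]$Domain, [string]$GroupName)
    $wanted = "WinNT://$Domain/$GroupName"
    # -contains compares strings case-insensitively, which matches how WinNT paths behave
    if ((Get-LocalAdminMemberPaths) -contains $wanted) { return $false }
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.Add("$wanted,group")   # IADsGroup::Add; throws if the domain or group cannot be resolved
    return $true
}

foreach ($g in $GroupsToAdd) {
    try {
        if (Add-DomainGroupToLocalAdmins -Domain $DomainNetBIOS -GroupName $g) {
            Write-Output "Added $DomainNetBIOS\$g to local Administrators"
        } else {
            Write-Output "$DomainNetBIOS\$g already present, nothing to do"
        }
    } catch {
        # Typical at boot: no domain connectivity yet, or the group does not exist.
        # Keep going so one bad entry does not block the others.
        Write-Warning "Could not add $DomainNetBIOS\$g : $($_.Exception.Message)"
    }
}
```

Run it as a computer startup script; it executes as SYSTEM, which is allowed to edit local groups. The check matters because a blind add of a group that is already a member fails (the net command reports error 1378), and in a batch file that stops at the first error the remaining groups never get added.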
Mark-
You've gotten some good advice but I wanted to add one
clarification. When you edit a new GPO, the ADM files that reside in the
%windir%\inf folder on the machine where you are editing the GPO are
automatically copied to the SYSVOL policies folder for that GPO on the DC
Is there some way with adfind to find the
most frequently logged on user to a client machine? What I am trying to do is
map machine names to their owner. The only way I would know how to do this is
to find the user that most frequently logs on to each machine. Just knowing the
last user to
Just wanted to say thanks for all the help. I have now successfully configured GP to control the new XP SP2 roll-out. Hopefully the Boss will be pleased.
Cheers again for the pointers and comments.
Mark
-Original Message-
From: Darren Mar-Elia
It depends.
We had a long conversation on the use of restricted groups and the changes
made in various SPs previously on this list. To summarize that conversation,
with proper use of "This group is a member of" you will avoid the replacing
of the contents. But you need to make sure you scope the
Maybe use tee, if dsget is killing the whole command line, it may give you
the exact object at the end of the file ... finding tee.exe, exercise for
the reader.
It could be that dsquery doesn't handle paged searches, and you don't have
more than 500 users, but you do have more than 500 contacts
If you have the hardware and/or funds then a great solution would consist of an iPAQ with a GPS card and Mini-Stumbler (from the folks who make Netstumbler).
I have an iPAQ with MiniStumbler and it picks up things nicely around the office (they
It depends on how your network is built. If you have
a fully switched network, you can look for ports with multiple MAC
addresses. You can also look for MAC addresses that may belong to AP
vendors or wireless nics, but that's a tad cumbersome, and quite
You can set this up via group policy, but beware - unlike most GPO settings,
setting the admin group membership is a permanent change, and will overwrite
whatever the existing group membership is.
TL
-Original Message-
I posted earlier (last week) but didn't resolve my issue.
I'm running a Win2k terminal server in app mode and I have users connecting
remotely over a VPN (PPTP via RRAS). They can connect to the server fine but
client-side printer redirection does not work. The clients are all Windows XP
SP1.
the
You'd need to write something custom to actually output a text file or
something like that. Here's my cheap but effective way though:
Give the user Outlook 2003
Have them compose a new message
In the To box, put the DL in, and hit the little plus button to expand it
Print the unsent message,
here's my "I'm not a programmer but I
play one on TV" approach... Dumps to an excel spreadsheet. Easily
modifiable to even the programming challenged like me...
Diane
---
On Error Resume Next
CRLF=CHR(13)+CHR(10)
strADName =
Hey Michael I am sensing royalties.
:o)
LOL J/K.
Ok a couple of items, get ready to edit. ;o)
1. Change your objectclass=group to objectcategory=group in those queries...
2. This filter has an issue - "objectclass=group,mail=*"
3. Adfind defaults to subtree so you don't have to
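An added example, not Michael's blog script and not anything posted in the thread, that applies joe's three points in PowerShell to the DL-printing question above: the filter is written as `(&(objectCategory=group)(mail=*))` rather than the comma form, the scope is explicitly subtree, and paged results are requested. Membership is expanded recursively so nested DLs are included, then written to a CSV that a user can print. The search base `DC=corp,DC=example` and the output path are assumptions.

```powershell
# Added example: list mail-enabled groups and expand their membership to CSV.
# Placeholders: the search base and the output file.
$SearchBase = 'LDAP://DC=corp,DC=example'
$OutFile    = "$env:TEMP\dl-membership.csv"

function Find-MailEnabledGroups {
    param([string]$Base)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Base)
    # objectCategory is single-valued and indexed; objectClass is multi-valued and
    # not indexed, so objectCategory=group is the cheaper test. AND terms go inside
    # (&( )( )); "objectclass=group,mail=*" is not a valid LDAP filter.
    $searcher.Filter      = '(&(objectCategory=group)(mail=*))'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000   # ask for paged results; 0 means the server's MaxPageSize cap applies
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'mail', 'cn'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name = [string]$r.Properties['cn'][0]
            Mail = [string]$r.Properties['mail'][0]
            DN   = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Expand-GroupMembers {
    param([string]$GroupDN, [hashtable]$Seen = @{})
    # Nested groups can form loops (A contains B contains A); remember what we visited
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true
    $group = [ADSI]"LDAP://$GroupDN"
    foreach ($memberDN in @($group.member)) {
        $m = [ADSI]"LDAP://$memberDN"
        if ([string]$m.objectCategory -like 'CN=Group,*') {
            Expand-GroupMembers -GroupDN $memberDN -Seen $Seen
        } else {
            [pscustomobject]@{
                SamAccountName = [string]$m.sAMAccountName
                DisplayName    = [string]$m.displayName
                Mail           = [string]$m.mail
            }
        }
    }
}

$rows = foreach ($dl in Find-MailEnabledGroups -Base $SearchBase) {
    foreach ($m in Expand-GroupMembers -GroupDN $dl.DN) {
        [pscustomobject]@{
            List   = $dl.Mail
            Member = $m.SamAccountName
            Name   = $m.DisplayName
            Mail   = $m.Mail
        }
    }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Output "Wrote $($rows.Count) rows to $OutFile"
```

The `Seen` table is what stops the expansion from looping on circular nesting. One caveat the code does not handle: for very large groups AD hands back `member` in ranges of 1500 values, so a plain DirectoryEntry read of `member` can be incomplete; those need a ranged retrieval (`member;range=0-1499`, then the next range) instead.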
Well, here's a way:
http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx
From: [EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 13, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing Distribution Lists
You'd need to
I KNEW you'd have something to say. :-)
I hesitated to post...thanks for the feedback. I'll update
later tonite.
M
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 13, 2004 3:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing
Never hesitate. Best way to learn is to hang your knowledge out there and see who salutes. :o)
I am sure there aren't less than 10 people who are happy you posted that response on this list and who knows how many from the blog entry.
joe
As I mentioned earlier, it depends on how you do things.
See
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076
Also from the list archives look for the thread
[ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
From March. I think
It's going through a VPN. The ports are open for VPN. I assume all activity is in
the VPN tunnel so I don't need to open any more ports except for PPTP access.
Also, under configure port, it's a TS port.
Finally, the client printer never shows up in the printer folder.
The client can connect to the TS
In 2000 the print driver must be native to 2000. No guarantees printing
via Terminal Services. The real solution is Citrix. I've been playing with printer
redirection in 2000 Terminal Services for months. Microsoft never intended to
rectify the problem. If the local printer is native, then there's a 95% chance you can
print. Hehe
I set
My company is looking at getting Cisco Security Agent for intrusion prevention.
Personally, at $60,000, I think it's a bit much.
Does anyone have any cheap intrusion prevention software they use out there? Or
can you lock down your desktops enough via GPOs and good AV?
We get a lot of bots lately
There is an alternative that we are looking into called Lightspeed -
www.lightspeedsystems.com. Their Total Traffic Control appliance comes
complete with a CSA-like agent. We are about to start testing it so I can't
really tell you how it works but it is a lot cheaper.
Brian
"...you should not need to copy any ADMs to
your
DC unless you are actually editing the new GPO from the console (or via TS) of
the DC and the ADMs that reside in the %windir%\inf folder on that DC are not
the ones you want to use."
I
should have pointed out that this
Hello Everyone. I have an ongoing problem and would like to get some assistance please.
The domain that I am currently responsible for is the first domain that I have ever configured. As a result there was a lot of trial and error and most things were resolved but there remains this one
Why don't you just duplicate the records in the public DNS zone to the private zone. That is what I do since both my internal and external namespaces are the same.
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, December 14,
Intrusion detection and prevention are two different things in my
experience. IDS is used to detect the intrusion. Prevention is a process
lifecycle all its own.
If you have the opportunity to have something that does both with a single
code-base that would be a good thing IMHO. AV is
Hi,
I've a little question: is it possible to make another
domain forest root? I mean: domain X is now forest root domain, and I want to
make domain Y forest root domain. If it is possible, how do I do this?
(Actually, I want to shut down domain X, but I can't since it is forest
root
Also see:
MS-KBQ224196_Restricting Active
Directory Replication Traffic to a Specific Port
MS-KBQ319553_How to Restrict FRS
Replication Traffic to a Specific Static Port
Regards,
Jorge
From: [EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Thursday, December
You can use the Restricted Groups settings in Group Policy to make particular
users a member of the local administrators group without giving them any extra
rights on the domain.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279301
-Original Message-
From: [EMAIL PROTECTED]
If you would like to make a user ADMIN of all workstations you could do one of
the following:
* Make that user a Domain Admin - very easy to achieve but I would NOT
RECOMMEND this for security's sake (too much for what that user really needs)
* I prefer the following:
* Create a GLOBAL GROUP in
On Mon, 13 Dec 2004 11:38:35 +0100, Abbiss, Mark wrote
Am I misunderstanding the basic idea ? If I update one DC with the
new ADM files (i.e. replace the existing files in the INF directory)
and then create on this DC the GPO I need, will the necessary ADM
updates be replicated around the
I have a domain with over 1000 computers and can't possibly go round the
machines doing this.
Do you have a sample script that can achieve this?
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, December 13, 2004 11:10 AM
Add the user to the local administrator group on each machine in the
domain. This can be done via script for example. Does anyone know if
this can be done by GPO?
Regards
Peter Johnson
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
I have been searching around for a clear and definitive explanation of how to replicate updated ADM files around my Windows 2003 domain.
I am currently trying to update my ADM files to the latest version so that I can support a roll-out of Windows XP SP2. However, I cannot
On Mon, 13 Dec 2004 12:42:11 +0100, Abbiss, Mark wrote
Many thanks for the information and pointers. Having read them, can someone
then tell me if I have got this correct.
(...)
Therefore, I do not need to ensure that identical versions of the
ADM files exist on all DC's in the domain ?
Create a startup group. Place the following command in the startup script:
net localgroup Administrators DOMAIN\GlobalGroupToAdd /add
This should work, but please test it first.
Dennis
On Mon, 13 Dec 2004 11:18:52 +0100, Oluwaseyi Owoeye
[EMAIL PROTECTED] wrote:
I have a domain with over 1000
1. Use restricted groups.
2. Use startup scripts. Simply add some other group from the domain to the
local administrators group of the machines.
3. Use a script or batch file that goes through all machines and adds the
user.
One thousand machines isn't many, but it is well beyond the number that
This is a guess but...
You have two rights/permissions associated with listing an object.
1. ADS_RIGHT_ACTRL_DS_LIST - list child (aka list contents). This is a permission that would be set on an OU to say that a secprin had the ability to list subobjects of the OU.
2.
Is anyone else having an issue with Mac machines accessing hidden shares on a DC? Other than not hiding the shares, is there a work around?
Thank you,
-Z.V.
There is no mapping in AD for the users to the machines they use unless you specify restricted logons to specific machines and that is a manual process.
The query below will tell you the computer name of all machines running Service Pack 1. It could be W2K machines, XP machines, K3 with
Beta
There is a danger to using restricted groups. It will replace the contents
of the group with whatever you specify in the GPO. The only exception is
the default local admin account. If you have a lot of users in the local
admin, they will be removed when this gets applied. If you add a user to
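The replacement behaviour warned about in this thread (and Darren's point that the "This group is a member of" form avoids it) is visible in the GPO's GptTmpl.inf, in the [Group Membership] section: a `<group>__Members` line enforces the exact member list of that group, so `*S-1-5-32-544__Members` rewrites local Administrators, while a `<group>__Memberof` line that points at `*S-1-5-32-544` is the additive form. As an added example, not from the thread, the following PowerShell audits such a file before the GPO is linked. The INF text is constructed for the example.

```powershell
# Added example: audit the Restricted Groups section of a GptTmpl.inf and flag
# entries that would replace the local Administrators membership.
# The INF text below is constructed for this example, not taken from a real GPO.
$LocalAdminsSid = 'S-1-5-32-544'

$SampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,CORP\Workstation Admins
CORP\Helpdesk Tier2__Memberof = *S-1-5-32-544
CORP\Helpdesk Tier2__Members =
'@ -split "`r?`n"

function Get-RestrictedGroupRisk {
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or -not $line) { continue }

        $key, $value = $line -split '=', 2
        # Keys look like "<group>__Members" or "<group>__Memberof"; a leading * marks a SID
        if ($key.Trim() -notmatch '^(?<group>.+?)__(?<kind>Members|Memberof)$') { continue }
        $group   = $Matches['group'].Trim()
        $kind    = $Matches['kind']
        $targets = @([string]$value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $isLocalAdmins = ($group -eq "*$LocalAdminsSid" -or $group -eq 'Administrators')

        if ($kind -eq 'Members' -and $isLocalAdmins) {
            # Even an empty list here is enforced: everyone not listed is removed
            [pscustomobject]@{
                Group   = $group
                Effect  = 'REPLACE'
                Detail  = 'Exact membership of local Administrators is enforced; unlisted members are removed'
                Targets = if ($targets) { $targets -join '; ' } else { '(empty list)' }
            }
        } elseif ($kind -eq 'Memberof' -and $targets -contains "*$LocalAdminsSid") {
            [pscustomobject]@{
                Group   = $group
                Effect  = 'ADDITIVE'
                Detail  = 'Added to local Administrators; existing members are left alone'
                Targets = "*$LocalAdminsSid"
            }
        }
    }
}

Get-RestrictedGroupRisk -InfLines $SampleInf | Format-Table -AutoSize
```

For a real GPO, feed it `Get-Content` of `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`. Any REPLACE row on S-1-5-32-544 is the case the thread warns about; only rows that come back ADDITIVE leave existing local admins in place.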
Joe is pretty much there.
So list object mode really just makes a second chance check. So if you don't have list children on the parent, we then also check if you have list_object on each child object and return them if you do. So instead of making one check (for list children on the
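As an added example, not from Eric's or joe's posts, the following PowerShell sets up exactly the case Eric describes so the second-chance check can be observed: the principal gets no List Contents (ADS_RIGHT_ACTRL_DS_LIST) on the parent OU but does get List Object on one child, and List Object mode is switched on through the third character of dSHeuristics. The OU names, the group CORP\Helpdesk and the forest name are placeholders; dSHeuristics is forest-wide, so treat that function as something for a lab forest.

```powershell
# Added example: configure "no List Contents on the parent, List Object on a
# child" and toggle List Object mode. All names below are placeholders.
$ParentOU  = 'OU=Departments,DC=corp,DC=example'
$ChildOU   = 'OU=HR,OU=Departments,DC=corp,DC=example'
$Principal = 'CORP\Helpdesk'

function Get-DirectoryServiceEntry {
    # CN=Directory Service under the configuration NC holds the forest-wide dSHeuristics
    $rootDse = [ADSI]'LDAP://RootDSE'
    [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
}

function Test-ListObjectMode {
    $h = [string](Get-DirectoryServiceEntry).dSHeuristics
    # Third character is fDoListObject: '1' = List Object mode on, anything else = off
    return ($h.Length -ge 3 -and $h[2] -eq '1')
}

function Enable-ListObjectMode {
    # Forest-wide change: every DC starts doing the per-child second check
    $ds = Get-DirectoryServiceEntry
    $h  = [string]$ds.dSHeuristics
    if ($h.Length -lt 3) { $h = $h.PadRight(3, '0') }
    $h = $h.Substring(0, 2) + '1' + $h.Substring(3)
    $ds.Put('dSHeuristics', $h)
    $ds.SetInfo()
}

function Set-ListRights {
    param([string]$ParentDN, [string]$ChildDN, [string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $type   = [System.Security.AccessControl.AccessControlType]
    $inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

    # Parent: explicit, non-inherited Deny of List Contents (ADS_RIGHT_ACTRL_DS_LIST).
    # With this in place the normal single check fails for every child of the OU.
    $parent = [ADSI]"LDAP://$ParentDN"
    $deny   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                  $sid, $rights::ListChildren, $type::Deny, $inh::None)
    $parent.psbase.ObjectSecurity.AddAccessRule($deny)
    $parent.psbase.CommitChanges()

    # Child: Allow List Object (ADS_RIGHT_DS_LIST_OBJECT). Only with List Object mode on
    # does the DS fall back to this per-object check and return the child.
    $child = [ADSI]"LDAP://$ChildDN"
    $allow = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                 $sid, $rights::ListObject, $type::Allow, $inh::None)
    $child.psbase.ObjectSecurity.AddAccessRule($allow)
    $child.psbase.CommitChanges()
}

if (-not (Test-ListObjectMode)) { Enable-ListObjectMode }
Set-ListRights -ParentDN $ParentOU -ChildDN $ChildOU -Account $Principal
```

With this in place, a member of CORP\Helpdesk browsing OU=Departments sees OU=HR and nothing else, and the server has done one access check per child of that OU rather than one on the OU itself; that per-child work is the cost Eric's explanation describes. The explicit Deny is only there to make the demonstration deterministic; in production the principal usually simply lacks an Allow on the parent, and an inherited Deny would also hide the child's own children.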
Is it possible then that you have missing data for some of the users? Can
you run dsquery and check the results?
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
Sent: Monday, December 13, 2004 3:34 AM
To: [EMAIL PROTECTED]
Subject: RE:
Everyone,
If I had an external hard drive that connected to the server via a USB
port, would the ASR Backup be able to identify it when you are going
through the ASR Restore?
Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
Running Exchange 2003 and AD 2000 (not on the same box).
Is there a way to allow a user to print out DL membership? Thanks.
-Christine
Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407
You may need to open the correct ports on your firewall for the printer to
work.
Go to Printer properties-Ports-Configure port and see what port the
printer uses, then open that port in the firewall for the clients.
AM
-Original Message-
From: Kern, Tom
So I have a domain called domain.com.
All computers log on to domain.com but the DNS suffix on all systems points to
corp.domain.com.
In DNS there is a zone for domain.com that was obviously set up when the domain
was initially set up.
There is also a zone called corp.domain.com, most all resources