There are quite a few tools that will do
this. Take a look at NetIQ SAS, Security Manager for example. Quest also have
some tools. So will MOM I believe.
Regards
Peter Johnson
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: 19 May 2005
Hi,
Using ADSI I have a web page that allows staff to add
students to an Active Directory group called DeniedNetAccess.
Members of this group as the name implies are of course denied access to the
web. How can I prevent staff from adding other members of staff to this group?
Is this
One final thing-
Because that key is set in the machine's registry for loopback to take effect,
the machine has to have read and apply gpo for the gpo with the loopback
settings.
If it doesn't have rights to the loopback gpo, loopback will NOT occur and the
user portion of the gpo will NOT get
You are correct there are free tools to do a restore of objects. There is
one problem though with deleting and reanimating objects. When an object is
deleted almost all info is stripped from it besides some important
attributes (SID, GUID, etc) If you reanimate the object you'll get a
stripped
if the DCs also have DNS
and/or WINS services don't forget to adjust your DHCP scopes and possibly DHCP
relay agents
The only thing that changes in
DNS are the A records. Make sure these are updated. This also applies for WINS
if you use it.
There could be other IP address
dependencies that
I followed the Microsoft whitepaper with the typos corrected.
Mark
-Original Message-
From: Jorge de Almeida Pinto [EMAIL PROTECTED]
Date: Fri, 20 May 2005 14:42:39
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unable to log you on because if an account restriction
Do you
All,
We had a situation yesterday where random A records would disappear
from DNS. All of these records were static so should not be affected by
scavenging. I do not know why records would disappear other than the
restoration of an old backup that did not contain those records. This is a
Title: Access denied connecting to remote Event Logs
I have 2 DCs in a [test] domain - one w2k sp3, the other w2k3 sp0. The domain is w2k native.
I am logged on to both DCs using an account which is a member of domain admins.
If I connect to the event viewer on the w2k DC from the w2k3
Steven-
I can't help with your question, but would
love to hear more about your web page that allows staff to add students to and
Active Directory group to deny web access.
Thanks,
Brenda
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven
Wood
Sent: Friday, May 20,
Currently, we use MOM to capture auditing
and account management events from our DCs and then set alerts in MOM based on
the actions and users/groups we want to be notified on. Depending on the
size of your environment, you may have to customize the way MOM stores these
events in SQL.
Title: Access denied connecting to remote Event Logs
This is a new feature of Windows Server
2003. MS was smart enough to prevent regular users to view the Application and
System log. With Windows 2000, authenticated users can read the Application
log and System log on a domain controller.
Title: Access denied connecting to remote Event Logs
One other thing you may want to look at
is whether the account you are using has Manage auditing and security log (SeSecurityPrivilege)
on the Default DC Policy.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Title: Access denied connecting to remote Event Logs
Could anyone tell me how to remove a Domain Controller that does
not exit anymore from AD? I had three controllers and one had a catastrophic
hardware failure. So now I need to remove a nonexistent DC from the AD.
Antonio
Here you go...
http://support.microsoft.com/default.aspx?scid=kb;en-us;230306
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/012793ee-5e8c-4a5c-9f66-4a486a7114fd.mspx
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Hi Antonio,
In theory you should just be able to go into sites and services and delete the
server object.
You will also have to delete the existing KCC connections to each DC that still
has a connection to the deleted server and you will have to go into DNS and
delete the SERVER SRV records
We discovered today that our custom delegwiz.inf (the input file for the
delegation GUI) was replaced during the upgrade from w2k3/sp0 to
w2k3/sp1. 8-( Luckily, we do have backups. 8-) Anybody ever caught
up in this issue? Files likely to be customized by MS customers should
be handled with
I should comment that I did find our modified delegwiz.inf in the
uninstall directory (%systemroot%\$NtServicePackUninstall$). So my last
email really should have been more along the lines of be careful if you
choose not to let the system save your old stuff during an upgrade, and
that's probably
Sorry this is short, I'm about to
leave work and go on holiday for a week. This is a bit of asp code that adds
the user to the group DeniedNetAccess. There is another page that removes them
and one that lists all members of the group. Use Windows Authentication in IIS to
restrict access to
I think not...
What I would do:
* Rename the default DELEGWIZ.INF to DELEGWIZ-SPx.ORG (where x is the
service pack number)
* Create my own DELEGWIZ.INF (or customize the default) and create a copy
called DELEGWIZ.INF.CUSTOM
Implement the custom DELEGWIZ.INF on all DCs that are used to configure
Would anyone like to recommend a software solution for
backing up Active Directory in case of a server failure and also to restore
individual accounts if necessary?
Thanks.
Any additional info in the event logs?
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, May 20, 2005 15:07
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Unable to log you on because if an account
restriction
Also, unless you have a hankering for FRS headaches, you should make
sure that the FRS objects in AD are deleted as well. The safest way is
to use the methods built in (ntdsutil as per the articles mentioned).
Good Luck!
Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response
Any software that can back up the Active Directory System State will
allow you to back up and restore your Active Directory database. The
simplest of these is the Backup utility that is included natively with
Windows 2000/3, as well as any number of third-party vendors.
See this link for a
I am attempting to add a Terminal 2000 license
server (also acts as the terminal server) to a 2003 domain. Once the server is
added to the domain it fails to recognize itself as a licensing server and no
longer allows remote access.
How does one go about adding a license server to a
Hi Robert,
Thank you for pointing that out. I hope that the MOC courseware was also
changed to reflect Microsoft's support recommendations on this subject.
Thanks again,
Jose Medeiros
www.ntea.net
www.sfntug.org
www.tvnug.org
-Original Message-
From: [EMAIL PROTECTED]
Hi Dan,
Can I ask you why you don't just install the Terminal Services licensing
service on a 2003 server and just add the 2000 TSCALS for your existing 2000
Terminal servers?
Jose
-Original Message-
From: [EMAIL PROTECTED]
You can not add the license server to the domain after the
fact, the system must be a member of the domain when you install the licensing
service so it can write its objects to AD for the discovery mechanism.
Additionally, I am fairly sure you can not run a 2000 licensing service in a
2003
Disagree Rick,
MS changed the verbiage in the Q article to say they would support it. I
think it was when Stewart and I got into it a little here that caused them
to rethink the Q article... but I don't want to take the credit.
Todd
From: Rick Kingslan [mailto:[EMAIL
I disagree that Lag sites are popular, maybe with you and at AD conferences
as a session. I tend to avoid those sessions.
To all those considering this as a viable solution, why not run it by MSC or
PSS and see what they say. We get something called a supportability review
before we
Hello everybody
:-)
I've read that for debugging
purposes it's possible to run an app with the local system
account.
So I opened a shell and entered this command
with ldp.exe app.
ldp.exe at /interactive
Ldp is launched successfully. I opened
taskmanager, and see that ldp process is running
Title: "Access denied" connecting to remote Event Logs
You don't mention if you can view the logs on the 2003 box
from its own console but absent that info, I'll take a stab at it
anyway
Check that the account isn't a member of Guests,
there is an explicit deny in 2003 for Guests. At the
I've done a lot of Delegwiz.inf customization and to my experience do
not believe there's a way to avoid what you experienced. The only
workaround is a cheesy one. I have a workflow for post-SP repairs --
a share where I keep anything that needs to be 'replaced' after an SP.
BTW, I assume
TMK there's no way to prevent a
particular account from being added to the group in this scenario. The
permission you're leveraging is obviously Allow:WriteProperty:Member on
the group object. Once you have that permission, you can add any member.
What you'll want to do, therefore,
is have
I have a client who wants to run terminal services in app mode over the internet.
Is this a bad idea?
thanks
I am
at the latter stages of a script to pump out delegation from a
business administrative model description. I've had great luck
automating DSACLS to drive delegation. Now I've hit a wall though and maybe
someone can help.
DSACLS
won't let you remove a
single permission. It will let you
Greetings Roger,
Aelita has some great tools for doing a Active Directory backup and recovery (
System State Restores are not granular ), however I have never used the AD
tools but have used their ERD tool for NT 4 at Mirapoint and was quite happy
with the product. Aelita was acquired Quest
Hi Dan,
Thanks for the pointer! I downloaded that MS document a long time
ago and I think I was so overwhelmed by the content, I didn't even see
the modified delegwiz.inf that was presented in Appendix O . Thanks
again for the pointer; it's going to be a big help in developing future
Try:
at 10:29:00 /interactive ldp.exe
not sure on how to get around the time?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, May 20, 2005 10:06
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] The at
/interacive command
Kern, Tom wrote:
I have a client who wants to run terminal services in app mode over the internet.
Is this a bad idea?
Not the best .. remember that when You will allow connection from the
Internet to Your Terminal Server You are allowing anybody on the
Internet to try guess the password in this
YEESSS ! that's it !!! :-))) Thank U very much for the tip !!!
Have a nice day ! 8-)
Regards,
Yann
De: [EMAIL PROTECTED] de la part de Alex Fontana
Date: ven. 20/05/2005 19:32
À: ActiveDir@mail.activedir.org
Objet : RE: [ActiveDir] The at /interacive
My 2 cents... Implementation of lag sites is a solution that was
recommended to us by our MS Advisory Support Engineer. From what we
have been told, MS is writing a whitepaper on implementing lag sites.
Not sure when that would be officially released.
Arden
On 5/20/05, Myrick, Todd
VPN is probably the best bet. Citrix has some good solutions around
Secure TS sessions over the internet.
Phil
On 5/20/05, Tomasz Onyszko [EMAIL PROTECTED] wrote:
Kern, Tom wrote:
I have a client who wants to run terminal services in app mode over the
internet.
Is this a bad idea?
Not
It looks like you have more than one DNS servers. It looks like you are
having serial number versioning issues with the zone. It looks like you are
making changes on serverA and serverB has a higher serial number for the zone
than what's on ServerA. It then looks like when the zone converges, the
Can you set up the FTP server that comes with IIS to use MS SQL or mysql or
access to verify usernames and passwords or are your only choices AD or
anonymous?
I have a client that wants to auth users to an IIS FTP site but doesn't want to
give them an AD account.
is this possible or should I
Is there a way to export all the user info (mainly the contact info) into a
csv. In case the ADC replicates old user info from our exchange 55.
Thank you
jb
--
Jason Benway
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208
No can do.
Peter
I'm setting up my first GPO. Can you tell me how to go about doing this?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 20, 2005 2:45 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT FTP
Can you set up the FTP server that
I'm sorry, but what does this have to do with ftp?
You should start a new thread/post to get a response...
thanks
dallen wrote:
I'm setting up my first GPO. Can you tell me how to go about doing
this?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Sorry.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 20, 2005 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT FTP
I'm sorry, but what does this have to do with ftp?
You should start a new thread/post
The account does not have to be a domain account. Unless the client is
running IIS on the DCs, you can always create a local account on the IIS
server and use that for the FTP. No tangling with AD.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
A script doing ldap query for objectclass='contact' and writing that into a
database or to a file (using FSO) would be an option - for me.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize
The tool ldifde would be an obvious option and wouldn't require scripting.
For users you would want to use (objectcategory=person)(objectclass=user),
for contacts you would use (objectcategory=person)(objectclass=contact),
for both, objectcategory=person would be sufficient.
-Original
Or CSVDE that would put it into a CSV file. :)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Export user info
The tool ldifde would be an obvious option
Well - then I guess that I don't have a problem with Recovery Manager
anymore then. :o)
(Cost, however might be an issue... Don't know - never priced it because of
concern stated Now mitigated)
But, I'm not likely to retire my Lag Site, nonetheless! Don't want to fix
what's not
Mark,
Please post the link to the white paper, if you would. I'm sure that you
can imagine that there are more than a few white papers that we all know
about
Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows
Absolutely, two things that make me tend to avoid csvde though
1. Can't be used to update entries, only create new.
2. csvde outputs some fun output when attribute value ranging kicks in. Not
that that should be an issue with users and contacts but it is something to
keep in mind overall.
Todd,
With all due respect, I think there are more people doing this than you
think. You aren't using a Lag Site, so it's 'whacky'. Your opinion, so
you're entitled to it.
PSS blessed our implementation, BTW. If you'd like, I'll be happy to
provide you with contacts for the ROSS tech (out of
Arden,
Validation - I'm not the only one that MS is telling that 'whacky' things are a
good thing.
-rtk
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of A P
Sent: Friday, May 20, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD
Adfind and CSVDE comes to mind.
-rtk
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Friday, May 20, 2005 2:00 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Export user info
Is there a way to export all the user
Hey...just FYI...a bunch of posts came through a couple of days ago
about KDC event 11, which reminded me that I've got some myself. I've
been using Dean's nifty little script here to identify the objects with
duplicate serviceprincipalname attrs. Working great.
Thanks Dean!
-DaveC
Reuters IST
I guess it's just a normal response anymore
Adfind will do that
=)
-rtk
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Export user info
The tool
Hi Rick,
I think he means Best Practices: Active Directory Forest Recovery
(http://www.microsoft.com/downloads/details.aspx?displaylang=enFamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE)
I have used this white paper as basics to create a DR recovery plan for a
customer of mine and it works like
Using my non-scientific personal observations, of the last 50 or so
customers I've been to I believe only 3 had lag sites. Of those 3, none had
done what I'd call a good job of setting it up (they had basically just
created a separate site with a longer replication interval). Of the other
~47,
The latter is a device that doesn't have a built-in license... IOW- A
downlevel OS or client such as a 9x box that has to have a license
issued.
Existing Windows 2000 license which says built-in is a 2000 machine
that has the builtin license by nature of the OS, a license is tracked
but not
I installed real licenses from MS on this server.
Where would they be.
All my clients are using the built in ones and some are way past the grace
period(90 days? 120 days?) and still working.
All my clients are win2k and xp...
Thanks
--
Sent from my BlackBerry Wireless
If it is a 2000 TS, the XP and 2000 have a builtin license, there is
no grace period really once they contact the license server and it
confirms them. The temporary license is only granted initially. The only
time the builtin license will expire is if the client can't contact a
license server.
So if I have win2k/xp clients, I don't need to buy a license!??
I'm confused.
I thought there was a temp license that was given to these clients and would
expire after a time period whereupon I would have to buy real licenses...
Thanks
--
Sent from my BlackBerry Wireless
What specific MOC Course (s) are you referring to?
Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Check out the script at http://users.skynet.be/alain.lissoir/conferences/WMIManageSD.zip I
wrote for my books.
This script is fully documented in my WMI books at http://www.lissware.net (Vol
2).
It supports the management of security descriptors for files, folders,
file shares, registry, WMI
Guys,
This is the document in question, sorry for non specifics before but the web
was not to hand (I used my blackberry)
I thought today, I would start again: so I took a clean backup and restored my
forest root.
After restoration I rebooted and could logon with no issue as a user. I then
Ummm ... U .
Not sure what I'm allowed to say. Ok, I just had a long conversation with
Stuart ... it'll take me awhile to write up something a little more
accurate than the below. More to come ...
Cheers,
-BrettSh [msft]
On Fri, 20 May 2005, Rick Kingslan wrote:
Well - then I
That's crazy enough to work :)
-Original Message-
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Friday, May 20, 2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2000 terminal services again
I am addressing the technicalities of how the licensing service
Hi Robert,
I received most of my training on 2000 server, Active Directory, Clustering
2000 , Exchange 2000 and SQL 2000 from Quickstart Technologies in san
Francisco.
All in all I have just about 600 hours of MOC training from Quickstart on 2000
server technologies ( Cathy Moya with
any additional info in the event logs of the DC and the client?
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org; 'Rick Kingslan ';
'[EMAIL PROTECTED] '
Sent: 5/21/2005 1:10 AM
Subject: Re: [ActiveDir] Unable to log you on because if an account
restriction
I'd say this is a discussion much better taken up in the MCT newsgroups.
I'd love to see Paul Adare's reaction to this
My only comment - When I taught Windows 2000 AD, and now teaching Windows
Server 2003 - every one of my students was taught to remove a failed DC
using NTDSUTIL. I created
Greetings Rick,
Point well taken. It's like I always say, a class is only as good as the
instructor teaching it. I would be honored to be one of your students.
Have a great weekend!
Peace!
Jose Medeiros :-)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf
I would have to agree with Rick here, I am positive everything needed to be
an effective Admin isn't taught. In fact I would bet 95% of the admin stuff
I have done over the years isn't taught in any class, even if you took
hundreds of hours of classes. Heck you could probably spend thousands of
That sounds kind of messy Brian, I especially don't like the delete all
existing subnets and recreate them all. Do you mean you delete *ALL* the
subnets or just the subnets for that one site? If all of them it isn't a
good thing, you are really working your DCs as they have to refigure
everything.
There is a resource kit called soon that will do it for
you. You just say
soon 60 /interactive command
You need the 60 because you have to tell it to push out to
the next minute. The AT service used to have a time resolution of like a
second so if you scheduled something for 1 second in
I can't think of a way to handle that with a restricted group other than
specifying the different names that the account could be named. Otherwise you
would want to say use a startup script that determines the local
administrator account and adds it to Power Users that way, obviously
administrator
I am confused, the config is the only partition not
replicating? If the DC is not replicating due to being too far out because of TLS
issues then it shouldn't be replicating anything.
Anytime you get into a position like that, I agree with
Rick, mow the DC down and start over.
joe
From:
Microsoft doesn't support this
and this is why no tool doing this exists.
I am
confused, what specifically isn't supported?
Deleting a single ACE is obviously supported, the
reason DSACLS doesn't do it I would bet is programmer laziness versus anything
being unsupported. You would have
If there's anything more important than my ego around, I want it caught and
shot now.
:o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, May 20, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Export
As I checked the driver information both
have the "list in directory" checked.
The odd part is when I do try to add them
manually, AD always tells me to
use the printer folder, of which I can not
find - anywhere.
Where is this at?
What interface?
From: [EMAIL PROTECTED]
Hey Deji, the company we used to do work for together actually does set
seaprate passwords for every workstation, that is some 200,000 workstations;
it is done through a special service designed to do so on a regular basis.
Basically the local admin password is only used if it requires a physical
Hey ~Eric.
Yes, we know, and we're working on such things. We're also working
on how to better manage such passwords going forward.
Excellent, great news.
Joe, no such forest mayhem exists.
And
But they don't really count
My first thought from the first sentence was, How do you know
This is pretty easily overcome. You simply modify the schema and tell it not
to scrub all of the entries. This doesn't work for everything but can
definitely get you close. Coupled with an AD/AM to maintain last known
states and you can easily and freely recover your data.
joe
-Original
I would tend to agree with what David is saying from what I have seen of lag
sites as well.
Not many people, relatively, doing it, those that are are likely to be doing
it in a rough shod way.
I am not a huge fan of lag sites. I think they are ok, but for instance
didn't think they deserved 3
Yep, Dean lovingly calls this AD feature Global Group Crashing. He wasn't
thrilled with the feature back when it was still in beta last I spoke to him
about it.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, May 15,
I ***absolutely*** do not recommend
setting legacyExchangeDN this way.
It is absolutely critical that the LEDN be unique in the
ORG and there is no attempt to verify that uniqueness. Best to just let the
RUS set it as you don't need to. If you absolutely want to do it, I would
recommend