Re: [ActiveDir] Doubletake(OT)

2005-07-08 Thread Jack Eales
Tom, we're using it here across our WAN links to replicate approx 400Gb of Tiff files (for our workflow / imaging system) between 4 servers. It works very well for our requirements, although we did have some fun and games getting it all setup - we use it in a slightly different way to the

[ActiveDir] Permissions Problem

2005-07-08 Thread Dan DeStefano
I am trying to set permissions to a folder and all subfolders/files that allow a group to read/execute and write but not delete. I have assigned the permissions appropriately for the group (read/execute, list folder contents, read, write) to the parent folder and reset all

[ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Antonio Aranda
I have a 2000 domain with a mix of 2000 and 2003 member machines. There is an offsite where all the member machines are 2003. And I wanted to setup an alternative Domain controller at this site with what is already there. I am in the process of planning and testing the upgrade to a 2003

Re: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread chris . ryan
I believe you would still have to prep the forest and the domain in order to even promote a 2003 DC in a 2000 domain. Antonio Aranda [EMAIL

RE: [ActiveDir] Permissions Problem

2005-07-08 Thread Antonio Aranda
There is an alternative group you could add, CREATOR OWNER, and set it to have change or modify access. This would mean that whoever creates it or owns it will have modify access to the object but no one else. Everyone else will be restricted by the other security groups. Antonio

Re: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread James_Day
Hi Antonio You will need to do a forest prep and a domain prep first to extend the schema to allow for a 2003 domain controller. Once the schema updates are done the forest can support 2K and 2K3 (until you change the functional mode) The schema update instructions are here.

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Almeida Pinto, Jorge de
It depends what you mean with temporary... To introduce w2k3 DCs in a w2k AD forest you need at least to prepare the forest and the domain that will host a new w2k3 dc. As you may know schema updates cannot be undone, but you can introduce a w2k3 dc and later on remove it as needed. For

RE: [ActiveDir] GPO priority?

2005-07-08 Thread Antonio Aranda
Maybe creating a couple of sub-OU's with different GP's in your primary OU would be a better solution for your problem. At least that is the way I handle it. Antonio -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Thursday, July 07,

[ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread TIROA YANN
Hello all :) I recovered deleted users from deletion successfully by either the following method http://support.microsoft.com/kb/840001/en-us or the excellent adrestore tool from sysinternals. But when I restore deleted users, all their existing attributes (such as telephone, fax displayname,

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Francis Ouellet
Jorge points to some very interesting KBs. Can I suggest that you could do the domainprep and the forestprep from a Windows Server 2003 SP1 Server? When running adprep.exe from a SP1 machine it will detect the presence of the schema conflict and will not perform the change until it has been solved

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Rick Kingslan
Antonio, At the time that you decide to introduce Windows Server 2003 DCs into an existing Windows 2000 domain /forest, there is the initial requirement to upgrade the schema. You must run adprep /forestprep and domainprep to be able to support the inclusion of a 2003 DC. However, running

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread Dean Wells
To do that, you need to modify the schema. The schema modification must be in place before the deletion occurs, are you prepared to modify the schema for such a rare occurrence (at least I hope this is rare)? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Antonio Aranda
Thanks James and Chris Essentially does this mean that I would have upgraded the domain to a 2003 configuration? Antonio

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread brent.westmoreland
Out of curiosity Dean, what schema mod is this? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, July 08, 2005 11:20 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored. To do that,

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread TIROA YANN
Yes yes yes yes :) Regards, Yann TIROA Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Charlie Kaiser
If you don't want to deal with the 2k - 2k3 upgrade bit, you might consider running a VM on one of the 2k3 servers with 2k as the guest OS. Make that into a DC and you have a local 2K dc. I wouldn't run it long term necessarily, but it might buy you time until you're ready to upgrade.

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread TIROA YANN
Yes Dean, I have to recover users rarely, but when it arrives time, as like this morning where some users have been deleted, it may be easy for me to restore with all their attributes rather than setting again all their attributes with ADUC or any scripts ;( I have a test AD environment, so

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Medeiros, Jose
Not exactly.. You could still run in 2000 native or Mixed mode until you completed upgrading the remaining 2000 Domain controllers to 2003. Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Antonio Aranda Sent: Friday, July 08, 2005 7:54 AM To:

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Medeiros, Jose
FYI.. http://support.microsoft.com/default.aspx?scid=kb;en-us;325379 Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Antonio Aranda Sent: Friday, July 08, 2005 7:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Can a 2003 server be a

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread Dean Wells
The searchFlags property of the attributeSchema class that represents the attribute you'd like preserved during logical deletion. 1. Run ADSIEDIT.MSC (Support Tools) (Requires Schema Admins) 2. Expand the Schema NC (Naming Context) 3. Locate cn=attribute 4. Right click it and select Properties 5.

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Almeida Pinto, Jorge de
I don't understand this one. To me he wants to introduce a temporary w2k3 DC for testing purposes. I agree that if you want to test things you need a test environment and not your production environment to test this Cheers, #JORGE# From: [EMAIL PROTECTED]

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread Dean Wells
Resent for clarity, odd formatting in previous post ... at least on my end ... modify the searchFlags property of the attributeSchema class that represents the attribute you'd like preserved during logical deletion. 1. Run ADSIEDIT.MSC (Support Tools) (Requires Schema Admins) 2. Expand the

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread Almeida Pinto, Jorge de
What we are trying to understand is why you need to restore objects that frequently. At least in my opinion you should not try to solve the problem by also undelete additional attributes, but you should look at how your delegation is configured. Are the correct people deleting the objects? Should

[ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-08 Thread Chuck Chopp
I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable

Re: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Za Vue
This is how I did mine. 1) AD Forest prep 2) Domain Prep 3) AD domain prep /GPO 4) Make sure all DC replicated successfully! ( I waited a day) 5) Depromo DC-1 then upgraded it to W2K3 (This of course also removed the W2K AD tools *not compatible w/W3K*) 6) Dcpromo DC-1 again. Now I have W2K

RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Charlie Kaiser
It sounded to me like he needed a W2K DC for a while at a remote site with no W2K boxes and was concerned about the impact a W2K3 DC would have on the current W2K AD environment. A VM would allow the W2K DC without requiring the W2K3 AD schema updates... ** Charlie Kaiser

Re: [ActiveDir] Can't get rid of old DC in Sites and Services

2005-07-08 Thread Mark Orlando
Good analogy Mark. I didn't know that they would still be hangin' around. On 7/5/05 2:19 PM, Mark Parris [EMAIL PROTECTED] wrote: That's a a bit like using invisible paint, you can't see it but it's still there. -Original Message- From: Za Vue [EMAIL PROTECTED] Date: Tue, 5

Re: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Za Vue
Don't forget to upgrade the schema. Za Vue wrote: This is how I did mine. 1) AD Forest prep 2) Domain Prep 3) AD domain prep /GPO 4) Make sure all DC replicated successfully! ( I waited a day) 5) Depromo DC-1 then upgraded it to W2K3 (This of course also removed the W2K AD tools *not

RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-08 Thread Darren Mar-Elia
Chuck- Have you seen this article? http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/change_notifications_in_active_directory.asp Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53

Re: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-08 Thread Chuck Chopp
Darren Mar-Elia wrote: Chuck- Have you seen this article? http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/change_notifications_in_active_directory.asp Yes, I have. Been there, done that, bought the postcard T-shirt... and, sadly, it falls far far short of both what

Re: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-08 Thread James_Day
Hi Darren The Quest tool uses LSAS insertion. The explanation given to a lowly network admin that can almost spell C++ is they stick a piece of code into LSAS that intercepts every write to the AD database and reports it. Short of hacking the secure communications on all your DCs I am not sure

[ActiveDir] joining to a domain

2005-07-08 Thread Kern, Tom
i have a couple of questions about the attribute ms-DS-MachineAccountQuota that allows auth users to join 10 workstations to a domain 1. Do these computer accounts have to already be precreated in AD or can any user do a create/join? 2. I assume the user still has to be a local admin to change

RE: [ActiveDir] joining to a domain

2005-07-08 Thread Free, Bob
1-No, up to their quota they can add 2-Yes 3- You can allow the user right add workstations to the domain but it would be much preferred to delegate more discretely. You can get discrete you can get with delegwiz [1] but I don't remember the details because we've been doing it with ActiveRoles

RE: [ActiveDir] joining to a domain

2005-07-08 Thread Almeida Pinto, Jorge de
(1) each authenticated user may add/join 10 workstations to the domain and the objects are owned by the administrators (2) yes (3) no! it is better to set the quota to zero or remove the authenticated users from that user right or do both. The best way is to delegate the right to create

[ActiveDir] List problems [list owner]

2005-07-08 Thread Tony Murray
Hi all It seems there have been a few problems over the past 12 hours or so. I'm looking into this and will post an update when everything has been resolved. Tony

Re: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-08 Thread Chuck Chopp
[EMAIL PROTECTED] wrote: Hi Darren The Quest tool uses LSAS insertion. The explanation given to a lowly network admin that can almost spell C++ is they stick a piece of code into LSAS that intercepts every write to the AD database and reports it. Short of hacking the secure communications on

RE : [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread TIROA YANN
hi Jorge ;) Yes you're right in the fact that we must design our AD delegation as well, and this what we did, with admin people that i trust. But deletion is a reality, and fortunately that not happens frequently, so i do

RE : [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread TIROA YANN
Thanks Dean, I will test it. Cheers, Yann From: [EMAIL PROTECTED] on behalf of Dean Wells Date: Fri. 08/07/2005 18:29 To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored. Resent for clarity, odd formatting in

RE: [ActiveDir] Attribute on AD users called employeeID

2005-07-08 Thread Sakari Kouti
Hi Johnny, In addition to what Tony listed, you can add to the context menu (i.e., mouse right click) of a user object a feature to modify employeeID. Instructions and the VBScript required are on the bottom of the page http://www.kouti.com/scripts.htm Yours, Sakari -Original

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-08 Thread Almeida Pinto, Jorge de
Hi, You could also do it another way... If for some reason the user account is not needed anymore don't delete right away but make it inactive (disable it) and move it to a de-provisioning OU. Let it stay over there for, let's say 60 days (or 90 or whatever you think is enough) and delete

[ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

2005-07-08 Thread Alex Fontana
I know imaging and ghosting has been talked about before, especially in regards to backing up DCs and the conclusion is don't. I totally understand this and agree, but what about a base image of a win2k3 server, non-domain member, that has had sysprep run for all servers, including maybe a

RE: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

2005-07-08 Thread Brian Desmond
You can sysprep base images for servers and machines all day long. I deploy hundreds of servers (inc DCs), believe me, I don't use the CD in every one of them. :) Thanks, Brian Desmond [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex