This may be a rotten answer
or a perfect answer. Check out TWEAKUI for Windows XP. Its
ACCESS CONTROL section gives you UI ability to change very
specific activities permissions, e.g. creating a share, etc. You might
try it (in a lab, first of course) as far as how it works on 2003 for the
I didn't see any responses to this
don't know if I missed an answer but you should be able to ACL the
Write permission to the userPassword property to any account you want
and you're right to do it to a limited account, although I'd
be concerned about ANY code that could be accessed and
In fact the root cause of this issue is/was objects with a NULL security
descriptor.
The newly built DCs would not replicate in these objects and so replication
stalled, AD was not available, ADI zones were not available etc etc.
We executed sdprop on all DCs in the domain and 'fixed' the
Hi all,
Having read a few recent mails regarding server imaging, it's interesting to hear how 'easy' it has been for those who have responded. I have been having difficulties trying to create an image, I will explain further...
I have 10xHP Proliant 380's G4, to save time I thought I would
Just pull one of the drives out, put it in your other
server and let the RAID 1 rebuild.
Jeremy Waldrop
Systems Engineer
4Front Systems, Inc.
860 Aviation Parkway
Morrisville NC 27560
Main Line: (919)653-4400
Support Line: (919) 653-
Web: http://www.4frontsystems.com
email:[EMAIL
Tony,
Thanks for the response. All
subnets are configured correctly in Active Directory and all workstations are
correctly identifying what site they are supposed to be in. DNS settings are
also correct. In sniffing the traffic I forgot to mention that even though the
machine knows what
Aric,
Thank you for the response.
Yes all 9 sites are configured correctly with the correct subnets in Active
Directory. This network topology has not changed in years and these are
physically separate sites. The clients in question definitely are in the
correct subnet associated with
Sakari,
I am not sure what
non-DC-related reasons we could necessarily have. We have 9 sites across the
continental US with some having slow links (fractional T-1s). We put in site configuration
because we wanted to make sure clients used the local DCs for directory
services unless those
Ok, Thanks Sakari and Dan for your answers :)
I
will test TWEAKUI for Windows XP.
But in fact, my need is rather giving a user server op, or equivalent
privilege, for only *one DC* and not the whole DCs of my
Domain.
Last question: Where are all the privileges defined for
built-in
How can I run a batch file logon script to map a drive and install an
application on a user's PC as an Administrator? I don't want to expose
the password using 'run as'
Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469
-
Search microsoft.com for secdefs.doc
The document is
Default access control settings in Windows Server 2003
Mark
-Original Message-
From: TIROA YANN [EMAIL PROTECTED]
Date: Tue, 19 Jul 2005 15:03:40
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege
Hi Mark,
You might want to have a look at the Active Directory Delegation Best Practices
document available from MS @
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
Might not answer your question directly but it's an awesome primer
Yes that's a good document, one of Sanjay's best pieces of work.
The best bit for me was the custom delegwiz.inf in appendices, which I have
managed to extend now to include create mailbox, delete mailbox etc etc..
Mark
-Original Message-
From: Francis Ouellet [EMAIL PROTECTED]
Date:
Software installation from GPO works like a charm.
Z.V.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon script with Admin rights
How can I
Unfortunately, this software is not a .msi format. Can this still be
installed via GPO?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, July 19, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script
Make an .MSI out of it. There is a free tool (LE WinInstaller) that is on
the OS CD.
-Z.V
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon
ScriptLogic lets you run login scripts as an administrator
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights
Try adding the controller's dos aspi driver to the
root directory of the ghost boot floppy then add a line to the config.sys
"device=mydriver.sys" without quotes of course. That is a little weird though.
If the scsi controller is properly grabbing int13 then it's strange that
ghost isn't
Hi,
So u may generate a .msi with SWIADMLE.MSI free soft that is provided with
windows 2000 CD. In \VALUEADD\3RDPARTY\MGMT\WINSTLE .
It does a snapshot before and after, and will create a .msi, so u can
distribute it with GPOs.
Cheers,
Yann
-Original Message-
From: [EMAIL PROTECTED]
If that doesnt work. Check these links.
For explanation mapping drive scripts:
http://www.wown.com/articles_tutorials/Logon-Scripts-Pure-Mixed-Active-Directory-Environments.html
For VBS installation scripts on clients
http://www.microsoft.com/technet/scriptcenter/scripts/apps/user/default.mspx
Use the ZAP format.
See KB 231747 below
http://support.microsoft.com/default.aspx?scid=kb;en-us;231747
-Original Message-
From: Harding, Devon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with
Al,
One of the problems with the .ZAP format - it only executes the underlying
program for install - but cannot be executed with elevated privileges as it
is run under the user's context.
.MSI is much better, but is not easy to create them correctly and
effectively without some experience and
There is simple way of doing this that works if
a) the .exe has a quiet option (-q for example) with no gui output
b) it is not necessary to install the program from a logon script
Simply install the program from another machine using psexec.exe
i.e
logon remote machine with sufficient
I don't know what your budget might be, but a couple of my clients use
TQCRunAs by Quimeras (www.quimeras.com) for this kind of thing... this
tool lets you encapsulate a secondary logon, the credentials for that
logon, and a command in an encrypted .exe, which you could then use in a
logon script.
I don't understand your comment about converting universal
groups to local groups. Can you explain what you mean here?
Your suggestion about moving the root DCs to a separate
site would work, but it would require me to set up a dedicated IP subnet at the
two different locations where the
Worked perfectly, thanks.
Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004
Since
the complete list of members within any Universal Group is known only to a GC
and because Universal Groups can be converted to Domain Local groups, it is
necessary to ensure that the conversion does not inadvertently remove members
that exist in a domain other than that of the group
This installation also needs to be run from mapped drive. I would
really like to run this in GPO via VB Script. If anyone knows the best
way to do this, lemme know.
-Devon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, July
If you use a startup script, it will run as local system and be able to
fully install. If, however, it NEEDS to be run as a user, this won't
work.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 8:10 AM
To:
I am connecting to an Active Directory Server, using a Meta Directory
server. But while performing a base level it fails with error
Schema search for 'attributeTypes' ERROR='Resource temporarily unavailable'
Any clues as to how can I debug this problem?
Thanks,
Mayuresh.
Also when I perform various operations to AD using tools like ldp, or a perl
script, they are performed successfully.
- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 19, 2005 11:15 PM
Subject: Resource unavailable
Phillip, doesn't the below imply that you're ghosting a DC?
Phillip, isn't that strictly verboten?
Frank, yes, it's strictly forbidden to ghost a DC.
Cheers,
-B
On Tue, 19 Jul 2005, Phillip Partipilo wrote:
Try adding the controller's dos aspi driver to the root directory of
the ghost
One caveat to this - if you are going to be accessing a network resource,
the default behavior is NOT to wait for the network stack to be initialized
before completing computer startup. The obvious problem of not being able
to AuthN the user or the computer against AD is handled via cached
joe wrote:
Ah I ran into your posts in the newsgroups. I responded some there.
To further some of the info given previously, it is possible that some sort
of LSASS injection is being used in one or more products, however, that
doesn't mean this is a supported mechanism. Doing so *could* put
WMI actually has an asynchronous call that you can use to monitor specific
objects. It will notify you when the object changes and what the
original and new values are. Adam Lissoir wrote some scripts that
demonstrate this. I think these links still work:
http://www.LissWare.Net
See Sample
Oops. I meant Alain Lissoir. Sorry Alain.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to
I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing
Small correction - Alain, not Adam. Unless, however, there is another WMI
Guru out there with the surname Lissoir that I'm not aware of. Anything is
possible, I suspect.
;o)
Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent:
I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications. It's good to know that that is not the case. Thanks
Alain.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Has anyone tried this? I got it off of another list I am a part of.
The default domain name is stored in the DefaultDomainName registry
value, but there is no built-in Group Policy setting to control its value. You
can easily create a custom .adm file that will let you configure the
default domain for
not tried it myself, but it should work as I know Quest DMW does this (setting
a different default domain) when migrating computers
Cheers,
#JORGE#
From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Tue 7/19/2005 10:03 PM
To:
should work just like setting any other registry key on the client.
The question is, if you really need it/want it. Most computer migration
tools can set that value during the migration of the PC from source to
target. But you might very well not want to change this value at the
time of the
I am actually thinking of using it since I have 7 domains in one forest,
if someone from a different domain uses someone's computer, on reboot the
domain that is selected in the drop down list is the proper domain for
that computer. Similar to when my helpdesk people login to the local
machine,
got ya - makes sense in this case.
however, you could also educate users to logon via UPN thus not
requiring the selection of a domain at all, regardless of the
domain-affiliation of the PC used during logon...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Oh yeah. my brain is elsewhere. Doh!
Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107
- Original Message -
From: Brett Shirley [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 19, 2005 1:54 PM
Subject: Re: [ActiveDir] OT: Ghost Imaging
well, I could think of many more drawbacks using this option...
don't get me wrong - psexec is cool. But I don't really see it as an
option to deploy software to many clients of which usually a certain
percentage is remotely connected or offline. So you'd have to build
your own little framework
http://www.acronis.com/enterprise/products/snapdeploy/
Might be an option
Grtz J
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, July 20, 2005 0:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
We are using a startup script that has two reg add commands
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f
You have multiple problems here:
The SmartArray card has no RAID config. The default varies though my
experience is it RAID5s the first four drives and shuts down the remaining two
in a DL380G4.
Ghost likely does not have a driver enabling it to see the scsi disk. You
will need to
Am I missing something here?
Ghost and RAID
Ghost is not compatible with computers that use RAID. That
is, Symantec Ghost 8.x and earlier, and Norton Ghost 2003 and earlier, do not
support RAID controllers on computers that are being imaged. In addition:
in addition: Ghost 9.0 supports only raid 0 (stripe) and
raid 5 (stripe sets with parity)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Wednesday, July 20, 2005 2:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant
I too have seen this and can reproduce it over and over. After we migrate a PC
from our NT4 domains to AD, Quest DMW sets the default domain to our AD domain.
However if the user hits ctrl-alt-del to logon and then ESC and then
CTRL-ALT-DEL again, the default domain is set
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005
---
Attention: Non-Delivery Report
---
This report is generated by the email server at:
ivytech.edu
The message with subject:
RE: [ActiveDir] Programmatic auditing of
---
Attention: Non-Delivery Report
---
This report is generated by the email server at:
ivytech.edu
The message with subject:
[ActiveDir] Message Not Delivered
and