Sorry I should have been more specific. The "group policy refresh interval for computers" setting in the Computer Configuration/Administrative Templates/System/Group Policy if configured at LSDOU levels for a computer or user, how is it used? Is the refresh value configured on each policy
Title: Rights needed for joining devices under reduced permission sets
Dear list,
For the past couple of weeks, a few staff
members were receiving emails with the 'Subject', 'From', and 'To' fields being
blank. It was not taken too seriously until I received such an email. In the
advent
I just checked it, at 8:38 AM and at 8:35 AM, Central time.
Rich
Oh and it was blank.
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551
Hmmm SDO eh? Going further OT... I don't suppose you (or anyone else)
has figured out how to check the PPTP box on XP (the box under Virtual
Private Network on the Incoming Connections properties dialog)?
I've figured out how to script netsh to configure RRAS almost
completely, but I would
Ditto for me… My title doesn’t start with
a C _ _ so I’m afraid to even ask for a paid trip to Vegas J
---
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Excellent! Thanks for all of the responses. Not sure how I missed all of
that in my search...
Erik
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, January 09, 2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
On 1/10/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:
If you know the admin password of all new computers, you can use netdom.exe
to join machine
remotely, and at the same time put it in exact ou where you want to put it.
NETDOM JOIN comp1 /DOMAIN:WINDOM /UO:LocalAdmin /PO:LocalAdminPassword
I was wondering if anyone else has lost control of the auto-updating feature
of windows xp? When I go into the control panel of almost all of my window
xp pro computer the auto-update settings are grayed out and unable to change
them. Did this feature come down in a windows update or is it some
On-site support visit. I count 12 Applebee’s
locations in the greater Vegas area. Surely there’s a piece of AD broken in one
of them J
Me? We’ve got pants and shirts scattered
all over Vegas hotels and casinos and I still can’t go L
mc
From:
[EMAIL PROTECTED]
Through GPO, is there a way to enforce Windows Classic View in the
Folder View (WinXP SP2) - without losing the Quick Launch bar on the
Windows 2000 computers.
Thanks,
...D
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
List info :
I have this weird issue-
A user object is missing from my win2k native mode domain.
I know because this user has complained that he can't log in and i can't find the object anywhere in AD.
I've checked the deleted objects container in AD with ldp and he is not in there as well.
He's not in the
Here is the solution that I found that works for me now. Thanks for all of
your help.
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject(ADODB.Connection)
Set objCommand = CreateObject(ADODB.Command)
objConnection.Provider = ADsDSOObject
objConnection.Open
No, this is not normal. Sounds like you have group policy settings in
place coming from a server?
Automatic Updates options are greyed out?:
http://windowsxp.mvps.org/aupolicy.htm
BTW two patches today.
Chris Neves [c] wrote:
I was wondering if anyone else has lost control of the
Sounds like a GPO lock down, permissions, or corrupted .CPL.
-Z.V.
Chris Neves [c] wrote:
I was wondering if anyone else has lost control of the auto-updating feature
of windows xp? When I go into the control panel of almost all of my window
xp pro computer the auto-update settings are
That is usually a result of GPO being set to restrict (or direct) use of
Auto Update.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Neves [c]
Sent: Tuesday, January 10, 2006 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows
It is most likely being controlled via Group Policy. Otherwise make sure
you are logged on as an Administrator.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Neves [c]
Sent: Tuesday, January 10, 2006 9:59 AM
To: ActiveDir@mail.activedir.org
how do you know he's missing exactly? I mean, are you sure the account wasn't changed for example? Maybe renamed somehow?
When you search, how are you searching exactly?
On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote:
I have this weird issue-
A user object is missing from my win2k native mode
Um, is there any Group Policy in effect on your domain?
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On 1/10/06, Chris Neves [c] [EMAIL PROTECTED] wrote:
I was wondering if anyone else has lost control of the auto-updating feature
of windows xp? When I go into
If the auto-update settings are grayed out, there might be a GP in
place.
Local admin account should not be affected by the Group Policy so you
can perform updates via that route...assuming that you have the local
admin password.
-Nav
-Original Message-
From: [EMAIL PROTECTED]
Ha you’re funny Mark J I might try that but it
won’t fly, I don’t do that kind of support J
---
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's
Try adfind with the -showdel flag
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
KernSent: Tuesday, January 10, 2006 8:11 AMTo:
activedirectorySubject: [ActiveDir] Strange deleted object
issue
I have this weird issue-
A user object is missing from my win2k native
Does anyone here happen to know where the setting is to turn
off new users on a computer getting the Getting Started popup on
windows 2000?
Scott Klassen
Title: Changing network password for remote user
Hi all
I have a problem that I cant seem to figure out.
We have a remote user who is using a laptop w/ Windows XP SP2. The laptop is set to log into the domain. I've changed his network password. How can I get his computer to see that I've
Thanks.
That worked.
Now my question is, why didn't LDP show that?
is it because i'm running the win2k3 verison against a win2k forest?
what am i doing wrong with ldp?
Thanks again
On 1/10/06, Coleman, Hunter [EMAIL PROTECTED] wrote:
Try adfind with the -showdel flag
From: [EMAIL PROTECTED]
It can also come from your local GP settings, as well as domain. Set
the settings there and you can't control them from control panel.
Rich
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field
Oh yeah, can you reanimate an object from Deleted Objects in win2k or is that only a win2k3 DFL feature?
What are my options for restoring the account?
Just backup and repopulate group membership/acl's?
Thanks again
On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote:
Thanks.
That worked.
Now my
Theres a widely publicized reg
entry but I have had no success in making it work. I havent found a
corresponding GPO entry.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Tour]
RunCount=dword:
Computer Settings\Administrative Templates\System\Logon
A good resource here is the Policy Settings.xls spreadsheet
downloadable from
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14displaylang=en
(watch wrapping on that URL). Gives you a list of all
You need to set the LDAP control flags in LDP to view deleted objects.
(It's what the -showdel switch is doing for you in adfind.) It's
under Options somewhere, look for it and you'll see it.
- Laura
On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote:
Thanks.
That worked.
Now my question is,
Still looks blank using IE7
Cheers
On 1/10/06, Rich Milburn [EMAIL PROTECTED] wrote:
I just checked it, at 8:38 AM and at 8:35 AM, Central time.RichOh and it was blank.
---Rich MilburnMCSE, Microsoft MVP - Directory ServicesSr
What we do is find out what the user has set the pw to on the laptop,
then set the pw on the domain to match (checking user must change pw at
next login), force replication on the DCs, and have the user log into
the laptop and VPN with the now-matched credentials. We then educate the
user that the
Right, so that policy is
processed by the computer, and thus is subject to LSDOU. It does not effect the
actual GPO where its set.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
WeerasingheSent: Tuesday, January 10, 2006 2:53 AMTo:
Once this user has VPNed in have him lock the laptop and then open it back up
using the new passy. Sometimes this works...
From: [EMAIL PROTECTED] on behalf of Etts, Russell
Sent: Tue 1/10/2006 18:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]
In LDP you have to set the Return
Deleted Objects predefined control (OID 1.2.840.113556.1.4.417) on the
query.
Wook
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, January 10, 2006
8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re:
You could get a spam filter that does something as simple as reverse dns
checks...
It's spam - welcome to email.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED] on behalf of Navroz Shariff
Sent: Tue 1/10/2006 7:54 AM
To:
Its not Vegas the Green Valley Resort is in Henderson,
NV. :)
Nope, nothing to see here. No gambling, no shows, no fast
women. Just boring technical sessions. Move along.
-gil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich
MilburnSent: Tuesday,
I did.
No go.
I selected the load predefined and return deleted objects.
I also used the OID for the ldap control manually.
Both didn't work.
Load Predefined just gives me linkTrackOMTEntry objects.
Manually putting in that control gives me-
**Searching...ldap_search_ext_s(ld,
I did a pretty involved investigation of
it last summer: If all you are looking to do is sign on to the operating system
(logon in Unix), then you can set up a PAM module to do that. Its
not too hard, but you do need Kerberos installed on the *nix side, which isnt
always the case by
I'm running IE7 from Vista build 5270 and activedir.org
looks fine.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
SteveSent: Tuesday, January 10, 2006 8:53 AMTo:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] [List Owner] IE7
and ActiveDir
Still looks blank using
Don't know the size of your environment, but in mine we have 60+ machines join
daily. I tell the admins which OU to join them to, and then sweep up behind
them in the Computers container with a script like Alain's with dsquery and
dsmove: we query for operating system then place accordingly.
Title: Changing network password for remote user
Or will Ctrl-Alt-Del work to change the
password?
Steven Comeau
Manager, Corporate IT Systems
Main Tape
1 Capital Drive, Suite 101
Cranbury, NJ 08512
800-718-8273 x332
From: Juvonen, Maarit
[mailto:[EMAIL PROTECTED] On
You know... it just might be group policy? :-) ya think?
Navroz Shariff wrote:
If the auto-update settings are grayed out, there might be a GP in
place.
Local admin account should not be affected by the Group Policy so you
can perform updates via that route...assuming that you have the
If you can setup your firewall to do
reverse IP most if not all of this would go away. For example on Cisco
your firewall should be configured as:
ip verify reverse-path interface outside
Where 'outside' is whatever you refer
to the outside facing interface. It could called anything
I tried that but he gets an error saying that his computer cannot find
the domain. He can connect to all of his shared drives, however. I
checked his LMHOST file and everything seems to be correct.
Uugghh
Thanks
Russ
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
I'm just using ADUC and searching by sAMAccountName.
With LDP, i'm looking in Deleted Objects container but this company never deletes users accounts, just disables them indefinetly so all i see in that container are linkTrackOMTEntry objects.
How can i see if the user was renamed?
I got a call
I meant DEFINITELY there is a GP :-) (lol)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 10, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Windows update
Title: OT: WSUS
Is there a way to push out patches immediately in WSUS? I have this
installed on a Windows2003 server in a non-active directory environment.
Thanks for any help!!
Chris Pohlschneider
Network Administrator
Cenveo-Sidney
937-497-2136
[EMAIL PROTECTED]
Cenveo is your visual
Title: OT: WSUS
Yes, simply set a deadline when you approve the
patch.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pohlschneider,
ChrisSent: Tuesday, January 10, 2006 1:54 PMTo:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: WSUS
Is there a way to push out
I've deleted the rest of the thread already, but did you not already say you found him in the deleted items using ADFIND -showdel?
Or did I misread that and you're still looking for him?
On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote:
I'm just using ADUC and searching by sAMAccountName.
With
Blank from (IE7 + 1 hotfix) on (XP +
SP2 + 487 hotfixes)
But then again, I seem to be having other
web issues today. Connect.microsoft.com had the same issue earlier.
Rich
---
Rich Milburn
MCSE, Microsoft MVP -
Hunting arount a bit with RegMon, I was
also able to find [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\tips]
Show=dword: and [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\tips]
Show=dword:0001. The
HKCU is the one which is
Thanks Darren. Are you running any IE7 hotfixes?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, 11 January 2006 6:22 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] IE7 and ActiveDir
I'm
running
Title: OT: WSUS
I
approved the patch in the updates section and set a deadline for 1-10-06 at 3PM
EST and I have not seen anything happen yet on the test computer. Any idea why
this is not pushing out? It looked like that the server deadline settings would
override the client setting.
Yes.
Thanks.
I just have 2 issues.
1. I don't understand why i get that error in ldp when i enter the oid control for deleted objects
2. Most importantly, i had audit account management enabled for sucess and failure on my domain controllers ou and auditing enabled for everyone for everything on
Because you knew full well that if you'd scheduled the conference on
the strip, you would've had 500 geeks walk into the casino that stood
between them and the conference rooms...and maybe 3 of us would've
come out the other side. :-)
- L
On 1/10/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote:
Create a user account, then delete it. Note which DC you're
connected to for the delete, then check the security log on that DC. Look at all
of the events around the time you deleted the account so that you'll know what
is actually getting logged.
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Thanks Laura. I actually had looked in the spreadsheet, but must have
missed it. Just tried it and works great.
Scott Klassen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Tuesday, January 10, 2006 10:36 AM
To:
I think you are going to find the same at Green Valley -
http://www.greenvalleyranchresort.com/gaming/index.html
Leave your car and house titles at home!
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Tuesday,
What would cause a site link connection from two sites not
to automatically create? If I manually create the connection, the KCC
updates with the correct info about other sites, but for some reason its
not automatically creating the connection. What ports are required for
It logged the creation/deletion.
My question is- i've always had this policy set and yet an account got deleted last nite and i can't find any record of it.
the security logs have not been cleared and are set to stay for 7 days.
still i know a user account ended up in the deleted objects
Nope. The About dialog shows the version as
7.0.5270.9
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony
MurraySent: Tuesday, January 10, 2006 12:03 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] [List Owner] IE7
and ActiveDir
Thanks Darren.
Are you
Are site connection links not manual as you map these to your desired
configuration?
The replication is then automatic between servers.
-Original Message-
From: Harding, Devon [EMAIL PROTECTED]
Date: Tue, 10 Jan 2006 15:50:10
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site
My experience is just the opposite. I attended DECUS (The other DEC, Digital
Equipment Computer Users Society Symposia) a few times back in the 90's and
the casinos complained that the attendees were not losing enough money.
This was attributed to 1) most of the attendees knew the odds were
Devon,
Trying to understand what you are saying... Not succeeding though...
If you created a CO manually the KCC will never touch that CO. Is that what you
want to know?
Jorge
From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Tue 2006-01-10 21:50
Sounds like the tree fell in the forest and nobody heard it :)
Actually, now that you know the event id, you need to ensure that all DC's are logging it correctly and that the logs didn't wrap and overwrite that entry. Usually, that's the case, but you'll want to check.
Al
On 1/10/06, Tom Kern
As a dedicated beer scout I have investigated the best plan of action and
return of investment and I have decided to stay on the strip for five nights
(monte carlo), which is the same price as two in the jolly green valley. Which
means more beer vouchers even with the expence of cab fare.
Use repadmin to check the objects metadata, can usually find the DC where the
deletion occured and also who did it.
The Active Directory forestry book by john craddock is an excellent resource
for this type of AD audit.
-Original Message-
From: Tom Kern [EMAIL PROTECTED]
Date: Tue, 10
logs are set to overwrite after 7 days.
There are tons of security events going back days and many on the day in question.
Just no event id 630.
I ran eventcombMT on every DC and i rdp'ed to every dc just to make sure.
no dice.
Also, i followed Hunter's advice and created and deleted an account
Tony I have 905915 Dec IE7 update loaded.
---
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS
I thought to do that you first have to reanimate the object from the Deleted Objects container before you can search on the GUID.
The deletion occured in a Win2k forest. I think what you are talking about you can only do in a WIn2k3 DFL forest.
Besides, that will only tell me the DC and time the
I can confirm this behavior.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From: [EMAIL
You are welcome, Erik :)
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From: [EMAIL
LOL!
From what I can determine the problem only occurs with IE7 browsers
running on XP. IE7 on Vista seems to be ok.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, 11 January 2006 11:03 a.m.
To: ActiveDir.org
Subject: Re:
I am sure he showed me in a seminar how to do this and it was pre w2k.
-Original Message-
From: Tom Kern [EMAIL PROTECTED]
Date: Tue, 10 Jan 2006 17:03:11
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue
I thought to do that you first have to
If I recall, he reset the permissions on the ou/container which holds the
deleted objects then you could query it with out reanimating anything.
-Original Message-
From: Tom Kern [EMAIL PROTECTED]
Date: Tue, 10 Jan 2006 17:03:11
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Well I can verify that IE7 for XP IE7 on Vista. Not only are the
product versions different, but also the functionality is different.
Like RSS feeds, etc.
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network
Also in InstallShield 10.5 and 11.0 IDE, the property tables are blank.
IS says this is due to IE7. So if you figure out what the issue is,
then it's for more than just ActiveDir.org :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent:
Thanks Rich. Yeah, I'm pretty sure it's a IE7 bug, rather than
anything on ActiveDir. I'd just be interested to find out what it is
about the pages on ActiveDir that cause this behaviour. Other sites
don't appear to be affected in the same way.
Perhaps someone on the IE team has something
All sites are bridged by default
The Bridge all site links box is checked by default on the IP Inter-site transport object, so those site are getting replication transitively.
Is that your concern?
On 1/10/06, Harding, Devon [EMAIL PROTECTED] wrote:
Yes, I know that. What I'm saying, is that if
Have you seen this already? It's a nice explanation of the process.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx#EEAA
On 1/10/06, Harding, Devon [EMAIL PROTECTED] wrote:
Yes, I know that. What I'm saying, is that
Stopped logging the events? How so? You mention that each DC has a log of similar events going back daysand that it handles the events now when you test it. How did it selectively not log one account being deleted?
Is it possible it was done prior to the dates you're looking at? Is it possible
I'm saying all dc's are logging security events for days but none have a log of object deletion or creation. EVER, except-
just a few hrs ago when i created/deleted a test user was the first time i saw such a log(eventid 630).
before that time, there were only logon security events even though
that wont work.
You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID. otherwise it won't work.
i could be wrong..
Besides this won't help me figure out who deleted it or why the audit wasn't logged.
p.s.- i have the
This
was posted in the AD newsgroup earlier today.
The
Directory Services team is glad to announce the release of Service Pack
1
(SP1) for Active Directory Application Mode (ADAM) for the English
language,
to Microsoft Download Center. The download section of ADAM
Technology
I'm not sure about W2K, but in 2003 I look at
the metadata of objects in the deleted objects container all the time to see
which DC performed the last write. If you could get that info,
wouldn'tit help you to focus on one DC?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Tom-
Account Management auditing is on or off. What are yout talking about that it's
on for Everyone.
You know it would help if you woked on the simple things like capitalization,
spelling, and sentence structure. I find I have to read your messages two or
three times and really while I
We are in the process of Re-IPing our whole network and we
are facing the following issue. When we re-ip a server, the clients have
problems connecting to the server unless we do an IPCONFIG /FLUSHDNS on the
client. The question is:
Is there a way to create a script or something to put
Is there a reason why you cant just
put an ipconfig/flushdns into the login script? :)
You can also disable the DNS cache
altogether by stopping the DNS CLIENT service. Be aware that doing so also
causes your clients to generate more DNS resolver traffic. Stopping and
restarting the
How to implement system policies for Windows XP-based, Windows
2000-based, and Windows Server 2003-based client computers in non-Active
Directory environments:
http://support.microsoft.com/?kbid=910203
List info : http://www.activedir.org/List.aspx
List FAQ:
Still not clear...
Explain what you mean with is that if I manually create a CO from Site A to
Site B, the KCC then knows about Site C, Site D Site E
Explain what you mean with even though there is a physical connection (FR),
and all ports are open from Site A Site B, the CO doesn't get
90 matches
Mail list logo