If you still want to set it via GPO...
set allow logon locally to Administrators, domain\domain users
This will ensure that local accounts don't get the right to log on unless they are members of the Administrators group
--
Kamlesh~Be the change you want to see in the
Hello,
I used CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf to
create those OUs, users, in my AD test.
I managed by making the necessary schema extension in my ad lab test.
But when I use ldifde to create those new objects in AD, I have those errors.
Add error on line 1:
Is it possible to give a normal domain account rights to view an ADI DNS zone in the console?
I tried to give a normal account READ rights through the ACL on the zone, but it didn't help.
The only other way I know is to create a secondary for that zone on that user's machine, but that's overkill :)
--
Now Brian play nice!
Russ you will want to have a look at our KB about DHCP on a DC ---
http://support.microsoft.com/?kbid=255134
Carlos Magalhaes
Brian Desmond wrote:
Why do you have a weekly reboot task? This isn't NT4 anymore...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
We deploy Microsoft patches to all servers without a reboot, so we just
schedule servers to reboot every weekend so the patches finish up the installs.
It's easier to just have them reboot every week than to try and determine
programmatically if they need a reboot after a patch or not.
Hello,
I found it ! It was the objectGUID that I imported from the AD prod that caused
this error. I deleted this entry in my ldif file and it worked fine.
Thanks,
Yann
From: [EMAIL PROTECTED] on behalf of TIROA YANN
Date: Wed 24/05/2006 10:35
To:
Interesting ... how many DCs do you have?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, May 24, 2006 7:01 AM
To:
Hey all,
I am looking for a good reference for
Event IDs for the event logs listed above. I seem to be able to
find quite a number for Security Logs these days and some bits and pieces here
and there about the FRS and NTDS. I am familiar with EventID.net and
other sites for
You'll need a description of the rights needed to open the tool in this case, as everyone has read access by default. IIRC, the Windows 2000 DNS white paper describes how to delegate rights etc. using tools such as ADSIEDIT or DSACLS.
Curious though: why bother? Read access to a DNS zone? Has
Never seen such a thing. www.eventid.net
is where I go. You could run the tool from the MOM2000 SDK/ResKit to extra
event ids from the event dll for an app. Could go through the MOM 2005 MPs and
see what they collect too.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
Anyone know how often machine passwords are renew/reset in the domain?
-Z.V.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Hello,
What is the best practice for applying policy in AD? Currently we create a GPO for every separate
policy we want to apply (WSUS, DNS search order, LCS and so on)
and we place all these policies in a created OU called GPOs
and link that to different OUs as needed. My question is
We had that same stupid request too, all because people don't
understand delegation. And yes, showed them all the pages like dnsstuff
and nslookup, you might as well be talking to the wall. Long and
short is create a security group and add that group on the zone in
question on the security tab,
30 Days
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, May 24, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Psswd Age
I was able to get a nice list of sources
from EventcombMT. So that will get me started, but if anyone has a good source
with event IDs that would be cool.
Todd
From: Al Mulnick
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 24, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Dan-
The decision to separate out policy settings into different
GPOs should be made based on who will be managing those GPOs. If you have
separate teams or people that need to manage WSUS settings but not LCS settings,
then it will be easier to delegate access to those settings if they are
The Microsoft link at the bottom of an event
log entry has gotten much better.
Mike Thommes
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Wednesday, May 24, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE:
So if I wanted to write a utility to seek out stale computer objects in
the domain that were never properly unjoined, could I simply look at
each computer's pwdLastSet attribute? And mayhaps use a value more than
30 days (as we have a few traveling laptops), perhaps 90 or 180?
--
Brian Cline
You could... It won't be 100% accurate though because there is no
requirement for machines to change their password. It is voluntary on their
part and machines that usually come in over VPN don't usually touch their
password for instance, nor any machine that has been configured to not
change its
Or you could just use OLDCMP. (www.joeware.net) Why roll your own
when joe's already done the work? :-)
On 5/24/06, Brian Cline [EMAIL PROTECTED] wrote:
So if I wanted to write a utility to seek out stale computer objects in
the domain that were never properly unjoined, could I simply look
for many thousands of other businesses around the world. And if it
isn't enough, I would email the dev who wrote it, he seems to be
fairly
responsive to requests for changes. :)
Yeah I hear buying the company thong goes a long ways with the dev team.
I guess they're thinking maybe they'll get
Net Time is using the gag Browser Service to
determine the timesource in the scenarios you outline so all the foibles of the
Browser mechanisms come into play.
You would be much better served to use w32tm to
troubleshoot time issues in an AD environment.
IIRC, what you are
Actually looking at my message in hindsight I think the
/Domain arg is returning the PDC flag..am I talking to myself again ?
:-]
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 10:17 AM
To:
Title: Naming conventions (quasi-OT)
I'm curious to see how some of you (especially at the larger corporations) name your domain-joined computers. At my company we've got about 110 computers in roughly , and for the longest time they've been named after the logon name of the user who
Thanks for the link- will definitely have a look.
Brian
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday 24 May 2006 12:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age
You could... It won't be 100%
{I,A}Unit#{W, L, M}#
I/A is specific to us, it differentiates subnet and function
Unit # is the location (four digit number)
W = Workstation
L = Laptop
M = Macintosh
# = 9 digit asset tag
If I need to figure out a users
We name them by area, i.e. accounting, then a dash, and then a number 2 or 4, 2 =
Win 2000, 4 = XP, then a number starting at 001. When we move a computer to a
new area, we do this a lot, we just rename the area part of the name. So if we
have an
All workstations are named according to building, room, and staff's
initials.
Chemistry Building Room 5 and user John Doe- CB-005JD
-Z.V.
Brian Desmond wrote:
{I,A}Unit#{W, L, M}#
I/A is specific to us, it differentiates
AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), but
the computer accounts starts to request renewal after 50% of the time is
over. After 30 days it'll change it if being logged onto the domain for sure
(unless otherwise configured or connected).
Gruesse - Sincerely,
Ulf
The KB I found this morning to answer this said 30 for NT-2k3.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, May 24, 2006 2:52 PM
To:
If you have all OS and English selected in your WSUS settings, don't
approve that SQL 2005 sp1 patch that may be offered up to you on your
WSUS servers otherwise you'll end up with a 6 gig download.
http://www.sbslinks.com/wsus1.htm
--
Letting your vendors set your risk analysis these days?
We do like so; a user in finance in Denver named Jason Smith would be
DENFINJSMI
3 char location
3 char department
first initial and first 3 of last name
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Wednesday, May 24,
If you don't have the resources or time to change a
computer name every time it changes departments, you could go with something
static like a serial number or service tag number. It may not help you
physically locate the PC, but you would be able to track
The default was 7 days for NT, increased to 30 in W2K and above. See
http://support.microsoft.com/kb/154501/ or q175468 or any of the old
domain sizing docs.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, May 24,
I agree with Bob. Seven days pre-W2K, 30 days for W2K and better.
I have never seen a machine change its password at the 50% age and I have
looked at this quite a bit for various[1] reasons.
joe
[1] OldCmp being one of them...
--
O'Reilly Active Directory Third Edition -
Hi Freddy,
(From my DNS Admin)
When any client (or server) machine wants to locate an SRV record, it
asks the BIND slave servers, as the Windows 2003 DNS Server is not in
any TCP/IP configuration as a DNS server to be queried.
In fact, we recently moved the DNS Service from one DC to
I tend to recommend to keep the letters to as few as
possible, especially in global orgs. The reasons being
1. To make support easier, it is easier to hear someone
saying numbers over a staticky phone line at 3AM than letters. Also spelling
conventions.
Yeah, thankfully I don't have to guess nearly as much anymore. I got fed up
about two years ago and wrote three things: a small background agent program
that got pushed out via GPO to all our PCs, a service that ran on one of our
servers, and a program for the admins to find PCs. The agent
Following this thread, I want to comment
that we name workstations with their local serial numbers. In addition,
we have a process to look through the local security log to see who is the most
common user of the workstation and put their name in the
In this domain, in the default domain
policy the Max Password Age is set to 90, however when I look for when
the password will change using the below sample script
I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire."
The rest of
What do you get if just before this:
If intMaxPwdAge = 0 Then WScript.Echo "The Maximum Password Age is set to 0 in the " & _
    "domain. Therefore, the password does not expire."
you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly either
Why configure the BIND servers as secondary to the zones delegated to
the Windows DNS servers? Why not just let the Windows DNS servers
handle those queries? By doing so you would remove the issue
surrounding the zone serial numbers while also provide redundancy for
Windows based zones and the
So I am trying to get some information from a gigantic list of machines.
Problem is that if the machine isn't up, the script retains the previous
values. Example
server1+Microsoft(R) Windows(R) Server 2003, Enterprise Edition+5.2.3790
server2+Microsoft(R) Windows(R) Server 2003, Enterprise
'=
For Each strComputer In serverList
    Set colSettings =
    ' Quotes and concatenation restored; the WMI path was stripped of them in the archive
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery _
        ("Select * from
Dan, I agree with Darren's comments but will add that as a general rule
it's better to include all settings in one GPO and unlock settings for
individual requirements with single GPOs, rather than the other way
around as it seems you are doing it.
Rgds,
Tim
snip
Here's what I use; you can replace the commas with + if you like, but
the quotes make Excel ignore the comma in the os caption.
On Error Resume Next
' Quotes restored; the archive stripped them from the string literals
DomainString = InputBox("Enter the domain name", "Check Active Computers", "YOUR DOMAIN HERE")
oFileName = "CompOSList.csv"
If DomainString = "" Then
Hi Mike,
Thanks but personally I don't see why it's not delegated to all DNS DCs, kind
of limits off the load spreading and redundancy for the name resolution
portion. Unless you are only running one dns on the dc, in which again same
as above.
I'm guessing if your dc is down (the one running the
Mike,
Just read it properly now, the bind dns are secondary dns of your
_msdcs.domain.com? That's interesting..
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
-Original
I'm assuming with this every person has their own
workstation? Or how would it be named for shared
workstation..
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
Of course labs and servers are different.
-Z.V.
Freddy HARTONO wrote:
I'm assuming with this every person has their own workstation? Or how would it be named for shared
workstation..
Thank you and have a splendid day!
Kind Regards,
Yeah doublecheck the value you are getting back from
MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly
your policy isn't being applied properly.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
Todd are you looking for a comprehensive list of all events
and eventids or the meanings of the events?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent:
You always want to reboot systems/servers after the install of a patch
and not leave the patch bits on the box if the patch requires a reboot.
1. You may not be fully patched if you don't reboot
2. Weird issues may occur with event logs, DNS and other issues when
DCs or any machine is not
Dear all,
I have parent root server, in which exchange server 2003 installed and I have other child domain in same forest.
Can anyone tell me how I can send and receive mails between the parent and child domain.
Thanks and Regards,
Ajay