Many thanks for the link mate.
M@
On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:
there is at least some documentation on this found at
http://davenport.sourceforge.net/ntlm.html
I'm not sure if it will meet your needs or not. I think there are some others around as well.
From:
Check out Ryan's take on it...
-- http://dunnry.com/blog/msDsUserAccountControlComputedNotSoSpiffy.aspx
--Paul
- Original Message -
From: David Aragon [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 01, 2006 11:49 PM
Subject: [ActiveDir] Different (open)LDAP
Title: Automating GC promotion during dcpromo
According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'.
However, another technet article implies that this is only relevant if the DC is being built using a backup and not over
[EMAIL PROTECTED] wrote:
According to an article I read recently, a DC may be set as a GC
automatically using the answer file entry 'ConfirmGC=Yes'.
However, another technet article implies that this is only relevant if
the DC is being built using a backup and not over the wire.
Anyone have
Thank you Tony and Paul. This is why I think so many people are on this
list. The information provided is good, useful, and to the point.
David Aragon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, August 01, 2006
That's only partially true, you're correct in that the option is made
available in the UI during an IFM promotion if the backup used was from a GC
... but a GC can also be born directly out of a non-forest-creating DCpromo
by modifying the %windir%\system32\schema.ini file.
Assuming you're
I fully concur with the three environment
approach. I typically run Production, Replica (aka Testing) and Sandpit (aka
Development). One of the key tenets of my test environment is that when a
change is tested, its associated back out plan is also tested and I do
not sign off on any
Dean Wells wrote:
That's only partially true, you're correct in that the option is made
available in the UI during an IFM promotion if the backup used was from a GC
... but a GC can also be born directly out of a non-forest-creating DCpromo
by modifying the %windir%\system32\schema.ini file.
Thanks Dean, altho I was looking for a way to automate the 'promotion'
to GC for *every* DC, not just the first (which is a GC by default, as
you point out.)
I have a script which can achieve the above but was hoping it could be
achieved via the answer file.
I just hope this is finally exposed
My inbox continues to be bombarded with messages from your group. Not sure how
I got included on this list, but what can I do to get off it???! Would be
nice to get my inbox back...
joe [EMAIL PROTECTED] wrote:
Interesting thoughts there...
My only tongue in cheek response right
I'm not following, if you're creating an answer file to feed DCpromo when
building new DCs ... why can you not also supply a modified schema.ini that
contains the changes per my earlier post?
--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original
Yeah, I'm in the same boat now. Got a requirement for fully autonomous DC
deployment with a largish DIT. Single domain forest so everything is GC. I
was frustrated to find out that one of the scripting guys told me that that
option didn't work. I plan on working round this by promoting the
Sorry, Dean. Word wrap foiled me and I didn't read your response
correctly :(
This is a great find and tip which would have saved me loads of time in
previous roles :)
Nice one!
neil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 02
At the bottom of every single message sent to this list, you'll see the
following link:
List FAQ: http://www.activedir.org/List.aspx
...which brings you to this:
The list provides a discussion forum for those wishing to discuss aspects of
Microsoft's Active Directory. It is intended for
Brad brings up some of the more important change control concepts.
Remember that a dev environment *is* production for a developer. It should be controlled to some degree.
I've often advocated many more test environments. Everything from sandbox (try whatever you want, but no control) to
[EMAIL PROTECTED] wrote:
Thanks Dean, altho I was looking for a way to automate the 'promotion'
to GC for *every* DC, not just the first (which is a GC by default, as
you point out.)
If I understand Dean's tip correctly (Dean correct me if I'm wrong) he
suggests to take some entries from
http://support.microsoft.com/kb/305144/ discusses the various property flags
for the UserAccountControl (UAC). I have tried to set different flags using
LDP, ADSIEdit, and vbScript. One flag in particular is giving me a lot of
grief, LOCKOUT. I can clear the bit, but can not set it. This is
David Aragon wrote:
http://support.microsoft.com/kb/305144/ discusses the various property flags
for the UserAccountControl (UAC). I have tried to set different flags using
LDP, ADSIEdit, and vbScript. One flag in particular is giving me a lot of
grief, LOCKOUT. I can clear the bit, but can
I threw this together for ya to help out:
:-)
strUser = "groupname"
strComputer = "domain"
strPath = "WinNT://" & strComputer & "/" & strUser & ",group"
wscript.echo "Path: " & strPath
wscript.echo
Set objUser = GetObject(strPath)
Set objClass = GetObject(objUser.Schema)
'on error resume
Ok, thanks for getting back to us RM.
So my guestimate with 100k users was just slightly off ;-) But now I
wonder what in the world you store in your AD to have the DIT grown to
650MB with your user and computer population.
Is this 2000 or 2003? Have you disabled Distributed Link Tracking?
Hi guys,
I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.
Anybody who has done the
No, I think the bigger problem with having lots of
over-privileged admins is the same problem we have with organizations that make
all of their users admins on their local machines--that of over-privileged
users being targets for malware that take advantage of their privileges to do
nasty
RedEarth Software policypatrol.com
Wizard and GUI
The SBS way
There are instructions at www.smallbizserver.net (I think they are still
in the free docs) ...but I'm blonde and GUI and policy patrol works.
If you are cheap GFI's mail scanner ...install the trial version and
when it expires
Alex-
I think you've proved my point by saying, "having
local admin rights is definitely a bad thing as far as security is concerned".
:-). But of course you are pointing out the underlying dilemma that
administrators have faced while trying to create a least-privileged user
environment.
That's a browser function not something in AD. There's probably
still computers joined to those domains (even though they don't exist) or
computers in workgroups with the same names
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From:
[EMAIL PROTECTED]
If you use WINS check for them in there
and delete if required.
Cheers,
Rob
Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
That would depend upon whether or not the domains are appearing because of metadata,
or whether they're appearing because of "bad" browsing information. Do the
domains appear anywhere besides Network Neighborhood? Is WINS in use? If so, are
there entries in WINS representing the domains?
Loads of tools as Susan says, but just to note the GFI one no longer
works - one of my engineers tried it a couple of months ago.
Rob
Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456
Thank you Tomasz for the clarification on UAC. If I understand you, then if
the lockoutTime were set to some non-0 value (a time say in the next year?
or last year?) this would trigger the lockout bit to be set. The
presumption being that the lockoutTime can be set.
David Aragon
In an effort to cut down on service account abuse,
I've been removing and reducing privileges left and right. I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003.
Sometimes, the
Ah right, I read the initial question
wrong and thought you were trying to rid yourself of an old domain that no
longer exists. It certainly sounds more like a browsing issue.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Saturday,
dusting off old NT 4.0
sectors
Check your WINS database if you are
using WINS. Part of the browsing data comes from WINS and the database
will tell you where those records are coming from. You can address
it via the hosts if it's coming from there or clean up your WINS
db.
Diane
From:
The perm you're looking for is Receive
As on the Mailbox store. The problem is that delegating Exchange Full
Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that
gets replicated all the
Information about lingering objects in a Windows 2000-based forest or in
a Windows Server 2003-based forest:
http://support.microsoft.com/?kbid=910205
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS
hey guys -
Yes, i'm using wins.
Yes, they are appearing outside of network neighborhood.
what exactly would i examine (node type) that would help me pinpoint where these are appearing ? and how to get rid of it ?
definitely appears to be a browsing issue ?
how can i force who is the master
We actually use a script at work after having tried a few products and
having terrible performance problems. If you are interested, I'll ping one
of the exchange guys and see if he can provide a little direction.
Once you actually get it working from a plumbing standpoint, the script
itself
This is an SBS box. we may have performance problems.. but it's
certainly not caused by a SMTP sink event on that Exchange server ;-)
Remember at the most we're only hosting 75 users/devices on that server
with a max of 75 gigs (remember no snickering from the Enterprise folks)
of Store.
Susan, how on earth could _you_ get a lingering object? Seems impossible
with only one DC, oh wait did you just forget to delete it?
From The Love,
-B
On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
Information about lingering objects in a Windows 2000-based forest
You know us blondes
With barely a twig, let alone a tree in our forest...and I'll have you
know this twig is clean installed 2k3 domain (I strongly believe in no
inplace even in our twig domains down here).
(and for the record for everyone's trivia tonight while I choose to
have a
Sure, I saw the message and remembered that we were still using a disclaimer
script for this, so I thought I'd offer some help, but a word of caution
about the fact that the script can get tricky.
With only that many users, many of those problems might never show up. We
have a few more users