RE: [ActiveDir] Can the Gods return to our domain? an ex-DC naming question

2006-08-21 Thread Steven Johnston
Firstly I would like to say thanks for all the help. I probably wasn't as clear in my original description about a few things as I could have been so I will go over the assumptions some of you made that were incorrect. Ok so from my notes.. -- Existing Environment The existing

Re: [ActiveDir] UAC Question

2006-08-21 Thread Al Mulnick
This part troubles me: (for example it will prevent a user from logging into a system, but not prevent them from getting their voicemail). Can you expand on that? To my thinking, if the account is locked out, then the user should not be able to use it. Period. End of story. No exceptions.

Re: RE : Re: RE : RE: [ActiveDir] backup and restore AD.

2006-08-21 Thread Al Mulnick
I don't know what Brett would do (is that a bracelet idea?) but personally if given the opportunity, I would have chosen to a) figure out why the failure of one disk in a RAID 5 set didn't allow for continuous operation b) fix that issue so that it never happens again (suspect disk cache, raid

[ActiveDir] Viewing GPO processing

2006-08-21 Thread Ernesto Nieto
Is there any way to see when a GPO is being applied? Is there a log somewhere that shows what was applied and what wasn't? Like the log that's created when one logs into w2k in safe mode. In that log, you can see what drivers are loaded. I need to see what policy is causing an error when users

Re: [ActiveDir] Can the Gods return to our domain? an ex-DC naming question

2006-08-21 Thread Albert Duro
If I were you, rather than put Exchange on a DC, I would put the second DC on an older but still robust workstation (and beefed up to boot). A long way from Best Practices, but still preferable to the Taboo Mix. - Original Message - From: Steven Johnston [EMAIL PROTECTED] To:

RE: [ActiveDir] UAC Question

2006-08-21 Thread David Aragon
Al, Thank you for your response, I will try to elaborate, but first, let me start by saying that I was not invited to participate in this application's selection, testing, or acceptance. One day it just showed up. That said ... The software we use for VOIP uses its own db for storing

RE: [ActiveDir] Viewing GPO processing

2006-08-21 Thread Darren Mar-Elia
Assuming it's XP, then you can use GPMC to get a GP Results report that tells you what GPOs and what settings were applied to a given user or computer. However, I think what you're asking is, is there any log that tells you when a particular operation gets blocked by a particular GPO setting, and

RE: [ActiveDir] Viewing GPO processing

2006-08-21 Thread Ernesto Nieto
Darren, Thanks yes, that's what I want to find out. I did read something in previous emails about using network trace on the group policy, but I have no clue on how to do that. Would enabling verbose userenv logging help, you think? -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] Viewing GPO processing

2006-08-21 Thread Darren Mar-Elia
No, verbose userenv logging simply tells you what is happening during each step of GP processing. It doesn't log what is happening as the user is executing commands that may run into policy. We actually had a conversation with the GP team at MS about this particular issue because it is very

Re: [ActiveDir] UAC Question

2006-08-21 Thread Al Mulnick
Why are the last two groups treated differently than the others? You may want to consider a different approach, such as changing to the workstations that they can logon to or expiring the account. On 8/21/06, David Aragon [EMAIL PROTECTED] wrote: Al, Thank you for your response, I will try

RE: [ActiveDir] UAC Question

2006-08-21 Thread Grillenmeier, Guido
Adding a dummy workstation will hinder the user to logon interactively – this could be all you want to achieve. But it won’t hinder network logons – this may be undesired. Another thought – if the users aren’t really using their AD account, couldn’t you just change the

RE: [ActiveDir] UAC Question

2006-08-21 Thread David Aragon
I think I need to expand the picture here to provide more clarity. At the top of our tree we have openLDAP which we refer to as the Enterprise and which is the authoritative source for all credentials. That feeds several sub-systems, including Active Directory, email, SMB, etc. We have

Re: [ActiveDir] UAC Question

2006-08-21 Thread Joe Kaplan
That's a good explanation. I don't see how you can lock them out programmatically though. The mechanism just isn't designed to do that. You'd have to force bad auth attempts on them constantly. If you can't disable the AD account, what if you expired it? That would prevent login too,

RE: [ActiveDir] UAC Question

2006-08-21 Thread joe
Yeah I was thinking about forcing pwdLastSet to 0 or forcing an account expiration (versus password expiration) with the accountExpires attribute. The former can be bypassed if someone knows the password, they can change the old password and be up and running. The other would require an admin

RE: [ActiveDir] [OT] Process for requesting, authorizing and creating shares?

2006-08-21 Thread joe
I think it can vary wildly. Best case would be some sort of workflow with the business rules and automated notification for approval by stakeholders. This is normally something that would have to be tied to some sort of funding as well, especially for something as crazy as a 500GB request. When

RE: [ActiveDir] UAC Question

2006-08-21 Thread David Aragon
Thank you all. I will give a serious look at account expiration, that might work also. Again, I was originally looking at account lockout because the tools and permissions already exist to unlock an account by certain help desk members and I wouldn't have to provide additional tools and