Title: Message
You can set the policy permissions to allow the local administrator account to read
but not apply the policy. Or, you can do what we do and create a special
local account for policy administration and set that special account to read and
not apply the policy.
Ken Adams
There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by
Small Wonders Software.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01
The recovery console already has the special drivers for the raid array
while booting from the CD to do a repair does not (in those cases where
the raid controller drivers are not part of the default Windows 2000
distribution CD). To add the raid controller drivers while booting from
the CD, you h
ult Domain Controllers. Only 3 people are domain
admins in the domain and I’m the only one at work.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Extremely Weir
Have you checked for a higher level GPO that may have these settings configured the
way they are changing back to? My only other thought would be another
person with permission to change the policy is changing it
back.
Ken Adams
-Original Message-
From: [EMAIL PROTE
Have you looked on the Microsoft web for this type of project plan? I
think they have some of these already, but I've not looked for any
(don't need them at this time).
Ken Adams
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: We
rvice Accounts
Thanks Ken. We've done that with some of the accounts, but (for example) one of these
accounts is for our own software distribution agent that runs on almost all our
clients.
rb
"Adams, Kenneth W (Ken)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PR
If you're talking about a script that runs on the client machines, then
just use the 'net time' command in a logon script.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, April 05, 2005 2:20 PM
To: ActiveDir@mail.activ
What about setting the properties of these accounts to allow logon to only the
machines you specify? There is a way in the properties of each account to
specify the machines the accounts can logon to. The number of machine
names you can specify is limited, so you will need t
My understanding of sites is that each site must have at least one DC. If my
understanding is correct, your planned action to decomm the Site B DC would lead
to the removal of Site B and its incorporation into Site A. As long as the
computers in Site B have the proper DNS se
IIRC, IF the folders have been replicated to another Exchange 5.5 server, you can
specify the home server on that other server. I had that happen to me
years ago, so I'm not positive about the procedure.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED] [mailto:[E
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Wednesday, February 16, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange Issue
Check your policy to determine if these settings are in the Computer or
User portion of the GPO. If
Check your policy to determine if these settings are in the Computer or
User portion of the GPO. If they are set in the Computer portion, then
the computer in the child domain won't get the policy settings from the
parent domain. You would need to set the same policy items in the child
domain's G
When you add a computer to an AD domain, the default location for the
computer's account is the 'Computer' OU (unless the computer is a domain
controller). If you have OUs for computers to organize them (i.e.,
production workstations, office workstations), you need to add the
computer accounts to
I would suggest creating a local security policy template with the settings you
want, then use a batch file in each machine's user's logon script to apply the
policy.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent
The method you propose is actually the method I've heard Microsoft folks
suggest. Be sure you update the schema before you promote the first
W2K3 server to be a DC. I presume you intended to do that, but did not
mention it.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[
With AD and Windows 2000, Windows XP, Windows 2003 Server machines, you
can:
control client PC settings via Group Policy Objects (GPOs)
control server settings via GPOs
distribute software via GPOs (see a pattern here with the use
of GPOs?)
have over 1 million obj
Does the information the application wants to access have to reside on a DC?
If not, move the information to another server and make the service account a
member of the server's Administrators group. If you are stuck with the
information on the DC, you either need to use a different applicatio
To stop this error message, you will need to turn off the Computer Browser
service. The error message is actually an informational message telling
you about the browser status of computer CCDC01.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PRO
Be sure the machine is running XP Professional with SP2. If it is running XP
Home with SP2, it can't join a domain.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Monday, November 08, 2004 1:28 PM
To: [EMAIL
Installing or not installing Windows XP Service Pack 2 is a matter of
personal choice at this time. Set up a test machine that you don't care
about formatting if needed, install Windows XP with SP2, and test your
applications, including wireless connectivity.
You need to ma
Yes, you can set permissions on individual accounts to permit only adding computers
to the domain. The way I've done it is to set the permissions on the OU
that will contain the computers. Open that OU's properties, go to the
Security tab, add the user's ID, then set the per
You are correct in point 1, but I would use the server's own IP address
instead of 127.0.0.1 in point 2.
When a client PC makes a DNS request, it sends that request to its
primary DNS server. If the primary DNS server is not available, the PC
will send the request to its secondary DNS server. Th
Your DC doesn't have its default gateway pointing to your router, but
your PC does? If you point your DC's default gateway to the router, it
should be able to forward DNS resolution requests to one of the up-level
DNS servers.
I'm presuming that your DC is also your DNS server. If my presumption
anything that needed to work with the extended schema could – is
that correct? Or am I reading
between the lines?
R/Bill
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Tuesday, August 10, 2004 8:52 AM
To: [EMAIL
If you read the upgrade documentation for W2K3, you will find that you have to extend
the forest schema before you install the first W2K3 DC. Extend the schema
on the empty root domain with the forestprep option, then allow sufficient time
for the schema extension to replicat
Personally, I'd go with your alternate option of performing a wipe and
load. That ensures you don't have any inefficiencies carried over from the
previous OS.
If you copy the OS and HP Support Pack software onto a networked share, you should be
able to perform the installat
I'll answer the second question first: When assigning NTFS permissions
to resources, I select the local Administrators group and the local
System account with Full Control. I then select the appropriate control
group or groups, or individual accounts (domain accounts) and set them
with the approp
The standard best practice IS to rename the Administrator account, no matter what
level it is (i.e., local Administrator, Domain Administrator). Yes, there
are some programs that refer to the account name. Those are mostly hacker
programs from what I've learned. You DON'T w
It sounds like you need to change the policy to send unencrypted passwords to
down-level / SMB devices.
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Thursday, July 08, 20
I recommend running dcpromo, then uninstall DNS. I also recommend checking
with the hardware manufacturer first to determine if any updated hardware
drivers are available for the system. Most BSODs are caused by bad
hardware drivers, then by bad hardware.
Kenneth W. (Ken)
So, if I have this right, I'm going to put the SAP
domain in as a child domain of the existing users domain and not a new domain
tree?
Therefore, the domain SAP NetBIOS name will be SAP and the
accounts will be that of SAP\user or a UPN of the forest like [EMAIL PROTECTED]
?
Thanks
Not knowing all of the details to your current situation, those you provided lead me
to recommend having one forest, but 2 domains. You can upgrade your user
domain and have that as your forest root, then upgrade the SAP domain as a new
domain in the forest. With that arrang
I've seen some neat things being done with one or a very few machines using
Microsoft's Virtual PC or VMWare to simulate many machines. You could take
a few, well configured PCs to emulate your domain while keeping those PCs on an
isolated network.
Check out Microsoft's Vi
Funny you should ask about this at a time when I just encountered it. The issue
is with the security built into Outlook XP. There is a program that is
trying to send e-mail messages using your Outlook client. If you want this
to happen, you allow it on an individual basis,
I subscribe to 2 Exchange newsgroups. Both have good people participating in
them and cover any flavor of Exchange.
Try:
I read a newsgroup message from the NT group sponsored by Sunbelt. The
sender stated file corruption in database files that Microsoft has a fix
for but told the sender that it will only release it to Great Plains
users.
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: [EMAIL
Don't you have a desktop PC that you could temporarily use? If not, you
might want to consider moving your internal DC into the DMZ long enough
to move the FSMO instead of the other way around.
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: Frank Buechler [mailto:[EMAIL PR
Before doing anything that drastic, check the event logs on both
servers. With the server inside the DMZ being behind closed ports, its
hidden account password may be out of sync with the DC inside the
network. MS has a Knowledge Base article about how to change the hidden
machine account passwor
nge 2000 to Exchange
2003 on the new server.. Maybe IPSec is the solution..
-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master
The actual moving the Schem
ng that machine inside, how long would it take to move
the Schema Master role to the second server? Are there any gotchas
involved in doing that, then simply placing the machine back in the DMZ?
-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February
Either take the current Schema Master out of the DMZ or (shudder) open
the appropriate ports through the interior firewall and point them
explicitly to the server you want to become the Schema Master.
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: Frank Buechler [mailto:[EM
Have you tried performing an authoritative restore of DOM_B using a backup from
T3? That should restore all objects to the domain and still keep the GCs
in sync.
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PRO
User GPOs are applied AFTER machine GPOs IIRC. If the user GPOs set the proxy or home
page settings differently than the machine GPO, the user GPO settings will be the
effective settings.
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: Bruce Clingaman [mailto:[EMAIL PROTE
to upgrade forest domain (ABC.COM) to windows
2003. I would like to keep Windows 2000 as my forest domain.
Is that going to be an issue?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, October 30, 2003 1:00 PM
T
EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 2:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2003 domain in Windows 2000
How do you upgrade the schema without upgrading the OS?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenn
nment, then approval, then deployment to production.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Friday, September 19, 2003 11:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now
Not if your SUS server is
approval in the change management process should be before the update is
even deployed -- after testing against applications, services,
infrastructure, rollback, etc.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Friday
I'll be setting up SUS SP updates to servers, only I set my servers to download and
notify, not to automatically install and boot. I keep control that way.
Ken A., MCSA, MCSE
-Original Message-
From: Henderson Richard [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 7:13 AM
IIRC, password changes are part of the normal AD replication. That replication can
take a few minutes unless forced. During the logon process, the logically closest DC
will attempt to validate the logon. If the client is a down-level client (i.e.,
Win9X, NT 4.0), the logon process goes to the
IIRC, the local policy runs no matter what as it is the first policy to be run. If
you want to override local policies, you need to set the policies in either the
domain, site, or OU. Note that domain based security policies, such as password
aging, cannot be overridden by site or OU policies.
Your configuration for Exchange should work very well for your DCs. We have
something similar for our DCs (we don't use a separate logical disk for our
log files and database, but we should have IMHO).
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: Hughes. Daryn (IT Soluti
52 matches