You would not get a permissions problem from that admin. templates policy.
They just don't work that way. So my guess is it's something else. What
happens, as administrator, when you run "appwiz.cpl" from a command prompt?
Darren
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
t driver and installing this new
>>>
>>>
>> driver from HP.
>>
>>
>>> Updating the driver and choosing the new driver explicitly doesn't
>>> work and running HP's update package for the driver obviously fails
>&
this driver version is the root cause of the issue
>> but I do need the drivers updated to have a place to start from.
>>
>> Susan, is there a known issue with Broadcom's that could possibly
>> affect the problem I'm having? Thanks for the assistance!
>>
Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)
Sorry, just catching up here. In terms of updating the driver, if it's a MS
provided driver, I think it would say
e!
>
> Donavon
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, January 15, 2007 1:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] 1054
as the network admin account through remote
desktops (the account I made the registry edit for
GroupPolicyMinTransferRate under).
Donavon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:52 P
Is this the only system that is having this problem? Are you doing anything
on your network to limit ICMP packet size?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 9:39 AM
To: ActiveDir@mail.activedir.org
S
ilto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 January 2007 15:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply
Dave-
Does that same proxy policy work for any other users correctly?
Darren
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Dave-
Does that same proxy policy work for any other users correctly?
Darren
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policy Failing to apply
Folks,
I have a
I like these guys: http://www.miceandmen.com/
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments
Well there hasn't been some sort of ruling on whethe
Ernesto-
Profiles are notorious for not completely unloading at logoff (i.e. resource
handles "leak" and remain open). As a result, the profile is unable to copy
up to the central server and therefore the server version doesn't get
updated. If that is the problem here, then you can get a hold of th
ECTED] On Behalf Of Darren Mar-Elia
-> Sent: January 5, 2007 6:05 PM
-> To: ActiveDir@mail.activedir.org
-> Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...
->
-> Alternatively, if you have the IE 6, XP,SP2 version of inetres.adm or
the
-> IE7 ADMs, you can use
Explorer\Internet Control Panel\Security Page\Site to Zone assignment list
Darren
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
www.sdmsoftware.com
Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at
http://www.sdmsoftware.com/products.php
-Original Message-
I don't think the decision has been made yet. I could be wrong but I think
the first iteration of the "Advanced Group Policy Management" only includes
the GP change control product, and not the PolicyMaker extensions. I'm not
sure yet if it's been announced or even decided what the ship vehicle is f
realistically, the "ideal" is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.
Sincerely,
_
(, / | /) /) /)
/---| (/_ __ ___// _ // _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP
ly from the DCs, best practices be damned.
Sincerely,
_
(, / | /) /) /)
/---| (/_ __ ___// _ // _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.com - we
know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
_
From: Darren Mar-Elia
Sent: Fri 12/15/200
--
"I love the smell of red herrings in the morning" - anonymous
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveD
are a superset
of the latest and greatest ADMs (i.e. they include 2003, XP and Vista
settings) so you can happily manage Vista and non-Vista targeted GP settings
from a Vista machine.
Darren
Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
[EMAIL PROTECTED]
-Original Message-
Fro
Vista ADMX format, is it a better implementation to have central
ADMX storage on the DCs?
===
Weiming Lu
Emory College Computing Support
(404)727-7917
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thu
The converter (ADMX Migrator) is only meant to convert ADMs into ADMXs-- not
the other way around unfortunately.
Darren
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
To: "ActiveDir.org"
Sent: 12/14/2006 2:20 PM
Subject: Re: [ActiveDir] Vista GPO
www.microsoft.com/downloads
Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
>
> What do you mean Za? I'm not familiar with
What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
unless you mean the LDIF files that are in sources\adprep on the Vista CD?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, December 14, 2006 9:57 AM
To: ActiveDir
Theoretically you could do that, but besides the obvious security downside,
the registry tweaks really only disable the driver startup, so you would
still have to reboot for that to take effect. All in all, the ADM approach
talked about in that article is pretty weak and only good for completely
di
Ben-
You might want to consider one of the 3rd party solutions for this. There
are several on the market that both use and don't use Group Policy to
implement lockdown. Check out Securewave and DesktopStandard, among others.
If you don't have a budget, then there is a policy hack you can use to ju
If you have GPMC installed, then the GP tab is removed from ADU&C and you'll
need to manage GP from the GPMC.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John
Sent: Tuesday, December 12, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] group policy object
the same dance every year.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 06, 2006 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [A
Crazy Eddy's TV ads in New York.
Of course it's free like a puppy... :)
-gil
________
From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager
"The Que
I know the SpecOps guys lurk on this forum so you should get a response, but
I would also suggest that they have a forum on their website for asking
questions and getting feedback from other users.
Darren
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent:
"The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)"
Ha! Show me a sales person f
Tim-
Sadly in our business I think you'd have a hard time finding something akin to a
decent, educated and un-biased review of this stuff. No Consumer Reports for
software. What I would always recommend is to gather your requirements clearly
and evaluate all players against those requirements an
Neil-
You can modify the defaultSecurityDescriptor attribute in the schema to
change which groups are automatically granted rights on a newly created GPO.
It's described here:
http://support.microsoft.com/kb/321476/en-us
Darren
Darren Mar-Elia
CTO & Founder
www.sdmsoftware
Check out delprof.exe. It's either in the reskit or part of support tools or
part of the OS, depending upon which version of the OS you have. You would
have to run it in a GPO-based computer startup script so that it runs when
no users are logged on.
Darren
From: [EMAIL PROTECTED]
[mail
On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 28, 2006 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exclude Vista from GPO
Ok. So, you could also use this:
Select * from Win32_OperatingSystem Where BuildNumber< 6000
Since Vista's build # is 6000, that
, I want the GPO to run on ALL machines EXCEPT Vista. I also want it
to be dynamic (I don't want to manually add computers to groups)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 28, 2006 12:24 PM
To: ActiveDir@mail.activedir.or
Nathan-
I can't speak specifically about what DesktopStandard's plans are but
frankly, when I asked MS about supporting existing 3rd party CSEs in Vista a
while ago, they said that there should not be any issues. Of course, it is
up to the vendor to test and support this, and since that vendor is n
Right, or security group filtering where you create a security group that
includes all your Vista machines and deny it Apply Group Policy rights on
that GPO. If you use a WMI Filter, then, assuming all the targets are XP,
you would do something like this:
Select * from Win32_OperatingSystem Whe
ver the
cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies
folder, it should have Change rights over that container.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
<http://www.gpoguy.com/> www.gpoguy.com-- the best sou
GP processing cycle failed, then as
soon as I detect that the DC is back online, I will trigger a background
policy refresh". So, it doesn't help with the foreground issues stated
above, but does significantly reduce the refresh time of up to 120 minutes.
Hope that helps.
Darren
Da
tinue to use the setting and ignore the change
from enabled to 'not defined'.
e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I
always believed clients would ignore any 'not defined' settings and thus
continue to use wallpaper A.
Am I wrong?
: +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail :
_
From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest
Well, it depends upon the purpo
Title: Locating empty GPOs in a domain / forest
Well, it depends upon the purpose of your quest, but you're
correct. For example, you may not want to delete a GPO that has no settings
(but does have versionNumber >0) because that may be a desirable state for
it. In other words, if a GPO had se
Title: Locating empty GPOs in a domain / forest
Another option is to perform an LDAP search on the
cn=policies, cn=system container for GPC objects, and on each GPC object, look
for a versionNumber attribute == 0. It's probably slightly faster than first
generating the HTML report and then pa
ed. I expect you will
see that when it is not updating, the client isn't even querying AD.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Mo
Which tool and what is the prompt? One thing I've done in the past, when
asked for 'y' or 'n', is simply do this:
echo y | Command
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 13, 2006 2:04 PM
To: ActiveDir@m
have a business justification for a web site, ask.
If you are in China or insert Country of your choice, that's a tougher
call but if he was I'd strongly recommend that he not ask about it on a
public listserve that could be easily found later.
Darren Mar-Elia wrote:
> Hmm. That'
vices
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail :
_
From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Mon 2006-11-13 18:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Timeout period on object
P processing to determine its location in AD. It's almost as if AD is caching
the previous location of the object to dampen excessive object moves. Sounds
weird but I'm wondering if anyone has an explanation to
this?
Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy In
Hmm. That's a dubious stretch. Does that mean all those folks in China that
find ways to bypass their government-controlled proxy are endangering us all
and should be stopped? There may be lots of legitimate reasons why someone
needs to do this. I don't think it should be assumed that suddenly we a
That indicates that something is preventing Admin. Template policy from running.
Posting the relevant parts of userenv.log would be helpful.
Darren
-Original Message-
From: "Paul G. DaSilva" <[EMAIL PROTECTED]>
Cc: ActiveDir@mail.activedir.org
Sent: 11/10/2006 10:43 AM
Subject: [ActiveDi
I didn't honestly see anything in the risk factors of the 10Q that any other
software business doesn't declare. I read it as basically saying that
Microsoft has competition from various sources that could threaten its
business model. That's pretty normal. I think it's fair to say, based on the
big d
Also. Check out Don's site at www.scriptinganswers.com. Lots of
good resources there. Since you're learning scripting anew, you might even want
to consider jumping right into PowerShell, which is MS' new scripting
environment. The TechNet scripting center cited below has links to PowerShell
Yes, if you deleted and recreated the GPO, it would have a
different GUID. So I'm guessing that one of those packageRegistration objects is
the package you've deployed and one is a package that has been removed. I can't
think of any reason why software deployment would just fail like that, ac
Dan-
The 2 packageRegistration objects represent two separate
packages. The MSI and MST are referenced within the msiFileList attribute on
each packageRegistration object. It's possible that one of those
packageRegistration objects is a "removed" package--removed packages don't
actually get d
Dan-
I would resolve the problem before upgrading.
It sounds like you have at least two things going on. First off, the sw.
deployment error sounds like something deeply wrong with AD. The software
installation data object referred to below is probably something called a
packageRegistration
Mark-
That sounds like your users are being created from some pre-created
template user? Normally, when FR occurs, it would not append the
administrator's account to those folders.
Darren
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sen
This article,
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/exten
ding_the_user_interface_for_directory_objects.asp, describes display
specifiers, which is what Guido is referring to here. It is possible to add,
for example, a context menu item to an object class in ADUC th
Minor nit below. Otherwise, spot on
observations.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD
Just to cover some thin
I've used/liked FolderSizes (www.foldersizes.com)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Comeau
Sent: Friday, October 06, 2006 8:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs
Is there a tool or utility out th
You mean Jet Blue doesn't have TV on their flights???
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: wikis
Except when 99% of the commo
're getting the Access
Denied.
Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs,
video training, tools and whitepapers. Also check out the Windows
Group Policy Guide, the definitive resource for Group P
least. :)
On 10/2/06, Darren
Mar-Elia <[EMAIL PROTECTED]>
wrote:
Haha.
This is the first time I've been on the receiving end Deji. You can't blame ME
for this one :). Just for the record, I'm not going to MS (
http://blogs.dirteam.com/blogs/gpoguy/archive/2006/10/02/D
akomolafe.com> - > we
> know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
> ________
>
> From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
> Sent: Mon 10/2/2006 9:47 AM
http://www.desktopstandard.com/PressReleases/02Oct2006.aspx
In case anyone is
interested...
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs,
video training, tools and whitepapers. Also check out the Windows
You actually shouldn't have to use Interop or
PInvoke like that to authenticate to AD using VB.Net. I do it all the time
in WinForms using the DirectoryEntry class, which allows you to pass creds
to your AD connection. You just need to front those creds with a simple form and
away you go. Ju
migrating a GPO from one forest or domain to another.
Problem is that I think it would be pretty invasive doing it this way
because essentially you need to backup your existing GPOs and then re-import
the changed ones over them.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy
Brian-
You might want to run TCPView on the DC (http://www.sysinternals.com/Utilities/TcpView.html).
It will tell you which process owns the communication on that port.
Darren
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 21, 2006 12:
I smell sulfur... ;-)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!
Yikes! Is it Halloween
yet?
Sincerely,
_
at DC OU
2) Create Password Policy at Domain level and enforce it.
This helped for keeping a consistent password policy across all OUs and Domain.
And also "saving" DCs from domain level general purpose GPOs.
Long term, soln is to rethink the OU structure.
Kamlesh
On 9/13/06, Darren
Mar-Eli
This helped for keeping a consistent password policy across all OUs and Domain.
And also "saving" DCs from domain level general purpose GPOs.
Long term, soln is to rethink the OU structure.
Kamlesh
On 9/13/06, Darren
Mar-Elia <[EMAIL PROTECTED]>
wrote:
Well, the
obvious
it.
This helped for keeping a consistent password policy across all OUs and
Domain.
And also "saving" DCs from domain level general purpose GPOs.
Long term, soln is to rethink the OU structure.
Kamlesh
On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
>
> Well, the obvi
in the case of
password policy. This can only be set at the top level of the domain.
Does this block actually prevent it being applied? I would guess that is
it does, but I wonder if any one has tested it or has any docs on what
actually happens.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PRO
Well, the obvious effect is that it prevents domain-linked
policies from being delivered correctly, including password policy. This is
probably not desirable. I can't think of a good scenario where this would be
useful.
Darren
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Matt-
I don't think these accounts have well-known SIDs, so I'm
not sure that's going to help. You can easily verify using psgetsid from
Sysinternals. I checked a couple accounts here (though they were domain
accounts) and they were not well-known SIDs.
Darren
Darr
Alan-
I ran one of these evaluations a while back for a 25,000
desktop environment. I would highly advise putting together a spreadsheet of
your *real* requirements prior to narrowing the vendor list. Don't let the
vendor tell you what you need or the choice will become obvious. Apart from tha
safe location == post-it note on the side of
CPU
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 07, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista
"Write down your username and password
of each
>> other--2003, SP1 is a superset of XP,SP2, XP is a superset of 2000,
>> etc. And it is definitely best to manage such a mixed environment
>> from the latest platform (e.g. XP). The key of course, is to pay
>> attention to the "Supported" tags in the
> etc. And it is definitely best to manage such a mixed environment from
> the latest platform (e.g. XP). The key of course, is to pay attention
> to the "Supported" tags in the newer ADMs.
>
> Darren
>
> Darren Mar-Elia
> For comprehensive Windows Group
"Supported" tags in the newer ADMs.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Gr
Graham-
The Inheritance and Delegation tabs (when you're sitting on a container
object like an OU in GPMC) provides the information indicated below. I guess
I'm wondering what you're missing from that? It's true that GPMC
backup/restore does not restore links, link order or Enforced flags, but
there
FI. We're also considering ScriptLogic, Quest, NetIQ and
NetPro.
Teo
On 8/23/06, Darren
Mar-Elia <[EMAIL PROTECTED]>
wrote:
James-
It's been a while, but since it was my job to know this stuff, I can give you some
general comments here. First off, it's important to know your
James-
It's been a while, but since it was my job to know this stuff, I can give you
some general comments here. First off, it's important to know your requirements
before asking the various vendors how they can help. What do you need to manage
AD here? One thing I can tell you about the Scriptlo
one
policy item at a time until you find the problematic one.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resou
operation
described below. However, outside of that it's trial and error to find why
the operation is getting stopped.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also
bit torrent? (just kidding)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, August 17, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Longhorn Beta
Outside of my MSDN account is there
a preferred way to obtain Longhorn Bet
We aren't using Windows Firewall, we're using the firewall that comes
> with our desktop antivirus solution. So I guess we're OK turning off
> NLA (via GPO)?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Ma
---
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Wednesday, August 09, 2006 5:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Computer bootup speeds
>
> Yes, good point Susan. NLA is used to let Windows know that a
Yes, good point Susan. NLA is used to let Windows know that a network
connection state has changed. So if you're using Windows Firewall and have
both domain and standard profiles, by disabling NLA, you prevent that state
change from notifying the firewall that it may need to switch from one
profile
That's a new one on me. It's kind of ironic because in
Vista, the NLA service replaces ICMP slow link detection for GP
processing...
Darren
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 2:14 PM
To: ActiveDir@mail.activedir.o
There's lots of reasons for slow boot up, as folks have
indicated. Enabling userenv logging and observing the time stamps will give you
a clue as to whether it's related to user profiles or group policy. Also, as per
the network issues, check out http://support.microsoft.com/default.aspx?scid=k
GPOs are not denied for some reason that you can control. If the component
status shows that GP Infrastructure processing Failed, then it's probably
something other than the obvious and we can go from there.
Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out
much difference there on a 4 - 6 disk set -the argument is
political to do with different standards for the management people. But
then, the SYSVOL volume is also a scratch area for administrators. The DIT
and OS volumes are very much off limits, and secured thus.
--Paul
- Original Mes
Yea, I'm not sure why one has to do with the other (GPO
delegation and security of the DIT). GPO delegation simply involves granting
permissions on individual GPC objects in AD and individual folders in the GPT
(SYSVOL). The only risk I can see is that it is marginally easier to
fill up a
Alex-
I think you've proved my point by saying, "having
local admin rights is definitely a bad thing as far as security is concerned".
:-). But of course you are pointing out the underlying dilemma that
administrators have faced while trying to create a least-privileged user
environment. Fra
This is silly. At least on XP, a normal, non-admin user cannot add AT jobs.
So, yes, this would work if the user is local admin., but big deal. At that
point, who cares? Is the point here that I can elevate from Administrator to
LocalSystem? I'm not really sure that's a revelation...
-Origi
Thanks Joe. Interestingly, I agree with what you're saying
here, but not for exactly the same reason. I happen to think that the
"badness" of having lots of over-privileged admins is not the accidental
stupidity (hmmm...is that an oxymoron?), although we know that happens. This
actually gets
Monday, July 31, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] schema extensions for Vista wireless networking GP support
I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.
On 7/28/06, Darren Mar-Elia < [EMAIL PROTEC
I
think we all know how bad it is to have hordes of DAs. We also know that it is
the reality in many large and small orgs. and we also know that it is sometimes
unavoidable for purely non-technical reasons. The bottom line is that many of
those DAs probably don't know how to undo something t
created. In order to change
this, you will need to modify this attribute in the schema (e.g. using ADSIEdit)
to remove that group from the SDDL list stored in that
attribute.
Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out www.gpoguy.com-- the best
In case anyone is
interested, here's a doc that describes the AD schema extensions that will be
required to support the new wireless networking Group Policy stuff in
Vista:
http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx
Darren
Darren Mar-Eli
Check out this article for restricting the range of dynamic
ports used by RPC/DCOM.
http://msdn.microsoft.com/library/default.asp?url=
Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs,
v
1 - 100 of 597 matches