't see any
relevant setting in it. Otherwise I would be blocking myself and that's just
the point I don't want...
Thanks,
Bart
On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
wrote:
What other things did you change in the same or other GPOs that apply to the
machine you're logging on as admin? If you've applied some lockdown GPOs for
file-system permissions, those will also apply for your admins
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Va
ADMT (even in V3) doesn't support this directly, however, you can still use it
to do the re-ACLing if you want, since you can feed it with a list of SID
mappings. You would still have to perform the bulk of the work yourself, which
would be to re-create matching groups in AD and to add the memb
So you might have had a bit too much of the Microsoft Cool-Aid :) Exchange
2007 may not have memory limits that you'd reach - but there are limits as to
what makes sense to use with E2k7 (32GB are being communicated by MSFT).
And of course there are limits as to how much memory a 64bit OS suppo
Happy New Year to you too :-)
Mexico hasn't joined in, which is why it's a bit of a hassle if you have
machines in Mexico as well: right now they use the same time zone as used in
the US [(GMT-08) Tijuana, Baja California]. But since they're not jumping on
the time zone change track, MSFT will in
I don't - I like leveraging the capabilities of AD and this is something where
it can perform quite well. That's not true for other things you can delegate,
such as creation of objects, where you might really want to add a business
logic. These actions are often combined these days with provisi
Not putting any users in the groups is basically the same effect as removing
them from an operational perspective. If you don't have a user in the group,
nobody has the rights to change things that only these groups have rights to.
That's probably what your mgmt wants to achieve. You'd then p
That's a legacy group from NT4 that you shouldn't leverage in an AD
environment. In fact, you should remove it from the default security descriptor
of your user and group objects to keep your AD clean from unused ACEs.
/Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PRO
Why would you want to modify the change password rights on your OUs? That
doesn't make sense to delegate: unlike password reset, it's the right that only
allows you to _change_ the password if you know the old one...
So this is typically what the rights the users would need to change the PW on
We have a tool that does this (although this is not its main feature), but it's
not free. It's actually a backup tool of all links in your AD forest (i.e. all
domains in the forest).
As we store all of these in an SQL DB, we can easily run reports on
group-nesting across the whole forest, incl
They're mixing up different statements and rephrase them to their advantage -
it is true that SBS doesn't support a second SBS DC in the same domain/forest
(as every SBS has to hold all FSMOs), but another non-SBS server can act as a
second DC in the SBS forest just fine.
/Guido
-Original
__
From: [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> [mailto: [EMAIL
PROTECTED]<mailto:[EMAIL PROTECTED]>] On Behalf Of Grillenmeier, Guido
Sent: 17 November 2006 11:33
To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
Subjec
This is a common procedure, but realize that it will still not completely
isolate replication - forced replication will still go through (i.e. in an out
of the 'schema mod' site). You may not do the forced replication yourself, but
if some other "friendly" administrator chooses to do so in order
Ah - now I see - that must be their back-door to access every system Windows is
running on ;-)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Lefkovics
Sent: Friday, November 10, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [Active
Nope, there weren't any updates on hypervisor during WinConnections - at least
none I heard of. So this info is actually quite useful. Did they actually demo
it at VMworld? Or just talk about it?
Thanks Mark for sharing.
/Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
I certainly support joe’s second solution: don’t
delegate this. As with some other suggestions described in the Delegation
Guide (which overall is very useful), you shouldn’t implement every role
just because you can.
Your AD infrastructure will not be in any danger if the Schema FSMO
Well, the tabs and even the user account creation dialog in AD can be extended,
it's just not an easy task to do for the normal administrator. Some dev-work
with c-programming would be involved. I'm not aware of mechanisms to extend the
UI or dialogs for local accounts.
/Guido
-Original Me
ver - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail:
From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 2006-10-19 19:25
To: ActiveDir@mail.activedir.org
Yes, not only for Win2k, but also for Win2k3 (won't change until you deploy
Longhorn and switch to LH DFL)
/Guido
---
sent wirelessly using iPAQ 6900
-Original Message-
From: "Graham Turner" <[EMAIL PROTECTED]>
To: "activedir@mail.activedir.org"
ABE won't necessarily reduce the number of groups you need to control access,
although it certainly controls the visibility for those that don't have any
rights to specific data in your shares.
Your approach is a very common approach and certainly nothing unusual. Not sure
how you get from 15 d
ssing I'm missing something in the
description of the problem else not asking the right question(s).
I'm curious if that's the case?
If so, is there more information to be aware of in this
scenario that can be shared?
On 10/10/06, Grillenmeier
So, where would the ant be 5 seconds after the box started to tumble, assuming
it walks at 1 inch per hour (really slow ant). I'd really like to know :-)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 11:41 PM
To: Acti
e target company.
On 10/10/06, Grillenmeier, Guido
<[EMAIL PROTECTED]
> wrote:
If I were the security officer
for Company B, I would have real issues with this plan.
Most companies with sufficient
understanding of AD Security would not want any of their DCs placed in any
locat
If I were the security officer for Company B, I would have real
issues with this plan.
Most companies with sufficient understanding of AD Security
would not want any of their DCs placed in any location where the other company’s
network is still active (i.e. DCs from company A and compa
I also don't have the details, but the changes are supposed to be "additive" -
I.e. There is no harm done when you implement the B2 schema in production (as
quite a few TAP customers have done), but you may need another schema-update for
the final version...
/Guido
P.S. I don't consider this O
It will, but it is a solvable problem. You'll also have some headaches for the
trust itself, but that's where the nifty Win2003 features such as Name Suffix
Routing and Top Level Name Restrictions come into play.
/Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTE
The DomainB that you want to split off still needs the root domain (DomainA) to
work.
So you can't just say screw DomainA and cut it off. You'll need at least 1 (2
for redundancy) DCs of DomainA to remain in the site you wish to split off. No
problems to get rid of DomainB in the site that keep
While this thread is OT, I'd actually consider your example to be right
on-topic ;-)
/Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, October 05, 2006 4:28 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] what is the meanin
Microsoft is working on an updated Forest Recovery guide for
Windows Server 2003, however, the basic procedures for full forest recovery are
still the same as you’d have to do for a Windows 2000 AD forest. And for
the latter a guide already exists:
http://www.microsoft.com/downloads/detail
Common question – it’s fairly difficult to extend
ADUC with a new tab that allows you to edit the attributes you want, but it’s
fairly easy to add a context menu (e.g. when right-clicking on a user account)
to start a script that would pop up a dialog box and allows to enter the
appropriate
Not commenting on the elevation of rights strategies - should be clear
by now that it is simple once you know what you're doing (and Google
will help you and your enemy)
But a quick comment on using domains as a replication boundary due to
the following statement: "Replication wise, the Global Cat
Well, it will basically sit in between everything - you boot into this
environment and then you're able to restore your OS or parts of it,
including AD. The whole backup mechanism has been rewritten in LH and
WinRe is the environment used for recovery. Unsure at this time, if
you'll actually be a
Title: Re: [ActiveDir] Any impacts to domain controller when changing its IP?
Yep, that was Win2k – once you’ve reached Win2k3 domain
functional level, you can start adding another name to your DC, make it
primary, reboot, ensure everything replicates well and registers in DNS, t
Are we actually talking blocking
GPO inheritance, or ACL inheritance?
If GPO I tend to agree with
Darren (as with anything on GPO :-)), as I don’t think
that any change in either the Default Domain or the Default Domain Controller policy
should be implemented without testing (so if blocki
Agree, isolating by site is often confused with requiring a
separate subnet and thus extra efforts on the networking infrastructure. That’s
actually not the case. You can create your AD site and just assign it a
32bit masked IP address as the subnet – if the other sites are properly
config
The AD schema analyzer is quite useful for comparing schemas to
find missing attributes and classes (and to export them to LDIF so as to allow
an import to the target schema). Note however, that it doesn’t find
differences at the level of properties you have set for your schema
:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Saturday, September 02, 2006 2:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
Eric,
can you already state publicly, what the chance of this feature
is to make it into Longhorn
hat DC handled your
password change, you would be subject to different rules. If that’s the
case, I can’t say I’m a big fan of illogical hacks to help out less-cluefull
admins.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, August 31,
For Win2000 AD that’s quite a common approach. Really depends on
how many domains you have and how you’ve placed your DCs of these domains.
/Guido
From: Rimmerman, Russ
[mailto:[EMAIL PROTECTED]
Sent: Thursday, August 31, 2006 1:45 AM
To: ActiveDir@mail.activedir.org
Subject:
Don’t think that auto disabling them when they don’t follow your
organizational rules is too harsh. They will be certain to follow the rule in
the future.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta,
Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31,
That would be the Audit Collector Services (ACS) - been in Beta forever
and due to internal struggles they couldn't release it for free. AFAIK,
ACS is still planned to be a part of MOM.
The Longhorn Eventsystem is a completely different story - can handle
many more events (incl. great filtering ca
Agree, a separate domain is certainly a very high price to pay –
it’ll cause ongoing headaches with very little benefit. Other
companies add requirements for smartcard logons for Admins or also solve it via
organizational rules as mentioned by ZV.
I’ve heard of plans to allow setting
sers,DC=X;
CN=Domain Admins,CN=Users,DC=rX
CN=Cert Publishers,CN=Users,DC=X
CN=Enterprise Admins,CN=Users,DC=X
CN=Schema Admins,CN=Users,DC=X
CN=krbtgt,CN=Users,DC=X
-Nathan Muggli
RODC Program Manager
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmei
> I forget if this is unique to SBS's AD setup or what. but any
> network attached printer will automatically get attached to each
> workstation that is set up with the /connectcomputer wizard
I'm pretty sure this is unique to SBS - at least I would hope - nothing
like adding thousands of pr
No, in case you screw up a GPO (vs. deleting it by accident) there's no
need to first delete and then restore the backed-up GPO. The values
won't be "merged" - the existing one will be completely overwritten.
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Nope – you’ll have to either create a second GPO without the
setting and apply appropriate filters to both so that only one GPO is applied
to your special set and the other GPO to all others.
Or you trim your existing GPO so that it is more generic (i.e. it
doesn’t contain the “unwanted
Yep - but I'd also run the GetReportsForAllGPOs.wsf script during your
backup job - these reports are very useful to discover what may have
changed in a GPO after the last backup...
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent
The GPMC scripts include the ListSOMPolicyTree.wsf script which at least
creates a useful text report of which GPOs are linked to which OUs (and
sites). Combine this script with the BackupAllGPOs.wsf and the
GetReportsForAllGPOs.wsf to be well prepared to restore GPOs (and then
link them back to w
Adding a dummy workstation will hinder the user to logon
interactively – this could be all you want to achieve. But it won’t hinder
network logons – this may be undesired.
Another thought – if the users aren’t really using their AD
account, couldn’t you just change the P
tive Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, July 20, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain
I think everyone
you
know what happens.
Thanks,
Mike
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Grillenmeier, Guido
Sent: Thursday, August 03, 2006 11:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems
Mike, can you be a little m
Nice one... :-)
BTW, I didn't know GOWAN was still around - used to make great music
when I still lived in Canada ;-)
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Friday, August 04, 2006 1:33 AM
To: ActiveDir@mail.activedi
Mike, can you be a little more specific about the steps that you
took to do your restore? This should work fine using the ntdsutil -> authoritative
restore -> restore object “Cn=test user, ou=it,dc=mycorp,dc=com”
command. Obviously provided you previously took a backup, rebooted to DSRM mod
?
/Guido
-Original Message-
From: RM [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 02, 2006 6:32 AM
To: Grillenmeier, Guido
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does
NTDS.DIT become?
On Tue, 1 Aug 2006 18:29:24 +0100, "Grillen
completely
different and there are a lot of different things that impact the DIT outside
of user count. Groups, GPOs, OUs, computer objects etc user count
might be a reasonable gauge, but I don't think that ~6k DIT per user object is
a reasonable assumption unless it's a newer env
be the one stop shop for info on
employees so everything goes into the GAL which means everything goes into AD.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Grillenm
Well, at least Darren posted another mail regarding “security
by obscurity” – which this is. It’s just like removing the
Domain Admins group from the local administrators group on member servers “to
secure the member server”…
Just because many of those domain admins don’t know why they
> We thought to upgrade the DC's first because it takes care of the
extension
> of the schema and all which has to be done prior to EXCH2K3 anyhow
The upgrade of the DCs does not take care of the schema extension –
you’ll have to prepare your schema as a separate step prior to being a
Not sure if it makes sense, but this could potentially be combined
with the confidential flag – RODCs wouldn’t cache any confidential attributes,
unless a “Confidential Data Caching Policy” would allow them to do so…
The confidential flag is already used by the Digital Identity
Manage
dge servers, which
from what I can gather are looking to suck bits of the AD into an ADAM for kind
of the same purpose as an ROGC would perform? I may be totally babbling now.
RE: [ActiveDir] Read-Only Domain Controller and Server
Core
From: "Grillenmeier, Guido" <[EMAIL PROTEC
for CHANGE. You
were in one group or the other and there was no other ACLing below that
first folder level. It is much easier to put back together and very
simple
to work out who has access to what.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
---
Only if your sister’s name is Cindy ;-)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Saturday, July 29, 2006 8:42 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server
ric
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core
Could be worth to note that an RODC can also be a DNS server for
the respective BO. As it is designed for one-way replication from a writeable
DC, it does not allow direct dynamic updates of DNS records that are requested
to be updated by clients that use the RODC as a DNS server (same is t
Sent: Thursday, July 27, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1
Guido, which changes do you want to see in dsacls in B3?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday,
Title: Exchange rollout - How much larger does NTDS.DIT become?
Assuming this is after defrag, 650MB without Exchange is quite a
large AD – guess you’d be close to 100k users in your forest, if
you’ve used the “standard” attributes of the objects in AD
(and haven’t added stuff like thumbnai
--
Kamlesh
~
"Never confuse movement with action."
~
On 7/27/06, Grillenmeier, Guido
<[EMAIL PROTECTED]>
wrote:
you can migrate most objects from the source even without admin
rights to them - th
you can migrate most objects from the source even without
admin rights to them - the default auth. user already has plenty of permissions
to read most attributes you would care to migrate.
You could still setup passwords migration without giving
them domain admin privs to your source domain
s in the docs and syntax help of command
line
> > tools. My sincere apologies for been anal.
> >
> > Is it too much to ask, to have at the very least a reliable command
> > line or GUI tool (ldp) to configure perms just the way I want and
> > need? Actually I don't care
heers
M@
P.S. thanks once again for reading, for escalating, for laughing, for
educating , the kind words, hugs
Control-H,Control-H,Control-H,Control-H,Control-H, etc...
On 7/25/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:
> I guess Matheesha's original question has been
changing the permissions to read only on the DFS roots is
no issue at all (doesn't matter what type of server the root is hosted on - DC
or member). I'd actually replace everyone with Auth. Users at the same
time.
as for Kevin's other comment on using Win2000 for DFS vs.
Win2003 or R2 - to
I guess Matheesha's original question has been answered as good as it
can for now with the information given. I just quickly want to comment
on the 3rd party tool aspect joe is mentioning below - naturally, before
spending considerable money on the tools, you'd need to test if they do
what you want
just to be clear:
step 3 (R2 adprep) is NOT needed at all if you build a new
forest - you're not doing an upgrade here.
Whenever you do an upgrade, you do NOT change the
TSL.
The documentation is wrong as the TSL is always the
hardcoded value of 60, if the value is "not set". If you've crea
hehe, yep I've seen that (the difference of the Schema.ini
files; i.e. missing entry for the tombstonelifetime property) but didn't think
too much of it because for now I've only had to handle upgrading from Win2000 or
2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to
nd click on the first
item...
On 7/23/06, Grillenmeier,
Guido <
[EMAIL PROTECTED]> wrote:
> because the objects that need to go in that domain really
do need to get out of our current user environment.
Matt,
this doesn't yet sound to me like administrat
's own ISA 2004 doesn't have a released 64 bit client
released for a 64 bit Windows and you have to set them up as securenat
clients. adoption by vendors has not occurred.
Grillenmeier, Guido wrote:
> /Renaming the thread due to change of focus topic/
>
> I've b
ted when I create the object, but what can I do with the
trust" any more :)
On 7/22/06, Grillenmeier,
Guido <[EMAIL PROTECTED]>
wrote:
you
might want to describe to us what your actual goal is for creating a non-fully
trusted domain in your AD forest. Maybe you can
Renaming the thread due to change of focus
topic
I've been doing quite a bit with my own 64bit notebook
(using WinXP x64) in the past few weeks and I do have to say that there are
plenty of little surprises. Many of which don't play a role for servers, which
are used with a much lesser rang
> I don't have a lot of experience yet with x64 DCs but my gut says that
> assuming you have enough RAM to cache the entire DIT and you aren't
> constantly rebooting the DC or doing things that force the cache to be
> trimmed, the disk subsystem is really only going to be important for
writes
> (wh
you might want to describe to us what your actual goal is
for creating a non-fully trusted domain in your AD forest. Maybe you can
reach a similar goal by using the fairly powerful capabilities in AD to delegate
administration of objects within a domain. You can also use these features to
hi
> Will the application run off of an ADAM
instance instead of a full blown forest?
That was going through my mind as well - why would the
vendor want to use a NOS AD for his application? Again, there must be some
reason for this.
joe makes great points rgd. the support issues of an
appl
I think everyone would be conceptually opposed - would be
good to hear the vendor's reasoning for this.
What does the app do?
What benefit do you have from running their app in a
separate (single domain) forest?
I can think of many downsides, but if the app is supposed
to protect really
recall. they had a
tendency to wreak havoc with integrated dns zones when a dc would come up and
create a new zone and then replicate that. There were several fixes
related though and that behavior might have changed several times.
On 7/14/06, Grillenmeier, Guido <[EMAIL PROTEC
just found the description of the error and the pre-SP1
hotfix to the duplicate DNS app-partitions issue:
http://support.microsoft.com/kb/836534/en-us
From: Grillenmeier, Guido
Sent: Friday, 14 July 2006 20:34
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Always p
plicate that. There were several fixes related though and that
behavior might have changed several times.
On 7/14/06, Grillenmeier,
Guido <[EMAIL PROTECTED]>
wrote:
I'd
have to do some more digging as to *why* the duplicate app-partitions were
created, but I've had to
"well-known"
GUIDs
for the DNS NCs?).
Although the behaviour you speak of is new to me, and another one of
those
slight, interesting changes, so thanks for that.
Can you elaborate on this new behaviour? What, exactly, happens and in
what
order?
--Paul
- Original Message -
From
yes Tony, this is standard behaviour - you'll only "see" domains that
are directly trusted. Trust type doesn't matter. Even though a forest
trust will be transitive to all child domains by default, you'll have to
use UPN to authenticate to a child domain. Which is another reason why
empty placehold
I'd have to check out myself if an OU move is possible to
audit with the built-in auditing events - I'm pretty sure though it is possible
with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's
Intrust for AD.
you may also want to disable drag & drop in your
forest
not a problem for AD or most apps that use it - potentially
an issue with scripts that use hardcoded names.
Clients will fail to find their DC that they've last used
and will need to do a generic DNS query prior to finding the renamed site
again. Usually no big deal.
If your DFS root
note that DNS startup behaviour changes with SP1, which is another
reason not to choose the DC itself as the preferred DNS server: with
SP1, AD will not allow the DNS service to read any records, until it has
successfully replicated with one of its replication partners. This is
to avoid false or
1.7GB for 250.000 users is pretty small already - I guess
you don't use Exchange for messaging or use extremely few attributes of your
objects in AD. With the steps outlined by Ulf you should get a fair idea
on how much whitespace you currently have, however, you shouldn't expect to have
mu
I wasn't aware that this was a change in SP1, but it sounds
as if StrictNameChecking is enabled on your server after you've added SP1
(http://support.microsoft.com/default.aspx?scid=kb;en-us;281308)
You can disable it in general by configuring the
DisableStrictNameChecking reg-key as the KB
... because there could be other explicit rights on the
objects further below in the tree that do allow to view all kind of objects and
properties. For example: Authenticated Users. Unless you've removed
these rights, it is likely that if you search for objects in you the OU (if it
has sub
yep, that's it - no need
to perform the auth restore of AD in your scenario
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Wednesday, 21 June 2006 17:56
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] Errors During Authoritative Restore
Than
Profiles and User rights unchecked
5. Migrate Servers using the Security Translation Wizard and then the
Computer Migration Wizard.
john
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, June 20, 2006 11:48 PM
To: Act
"Isn't this what you
want?"
yes and no - it really
depends on what you're trying to achieve. Josh was trying to do a complete
AD DR - not a recovery of a failed DC. For a failed DC you'd want it to
replicate the other changes after a successful (non-auth) restore.
But if you want to c
not until you send us your resume
;-)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: Wednesday, 21 June 2006 08:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to block particular Subjects
Hi all,
I just wanna to know that, Is that possible
same question here: there's nothing you can really do to
control the addition of specific SIDs to the security token of any account
during logon - the Authenticated Users SID is one of those (besides many other
well-known-security-principals controlled by the system).
but if you tell us wha
glad Brett picked up on
analysing the different errors you were getting - I've not seen these
before.
curious to hear what type
of issue you are testing to recover from? From what you write, I gather you are testing to
restore your production domain to another (hopefully physically separa
servers first? workstations first?
first what?
I assume you're talking about migrating your servers and workstations
from an NT4 domain to an AD domain - correct? If so, the order strongly
depends on various aspects, such as the status of your user and group
migration and how you handle permissio