A restricted group GPO will not remove the Local Admin Account from the
Local Admin Group. That is the only account that is not affected by the
GPO. It will stay in the Local Admin Group after the policy is applied.
//SIGNED//
David J. Perdue
When you apply GPOs to a container, make sure if it's a Computer
Configuration that computer objects are in the OU. Same thing with User
Configuration. User Objects have to be in the OU.
I think what you are doing is applying a GPO to your OU with User Config
settings, but your user accounts are
The courses of action that I would
recommend:
1. Escort him out and have all of the locks
changed.
2. Hand him a legal pad and a pen. Tell him
it's his new Tablet PC with Handwriting Recognition
Software.
Good luck, Dan.
Dave
//SIGNED//
You could encrypt the files/folders and add in the user
accounts of the folks who need access as well as one or two admins to help
maintain it. Depending on what your policy has setup for a recovery agent,
this would prevent individuals from accessing the files. They could still
From: David J Contr InDyne/Enterprise IT
Sent: Wednesday, April 20, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information
two. Deny should override the privileges they got from the
admin group.
Hope this helps.
Kat
From: Perdue David J Contr InDyne/Enterprise IT
Sent: Thu 21/04/2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information
Log into your local computer as the Local Administrator. Assuming the
remote workstation has a Local Admin account with the same name, it will
let you in as Manjeet described.
Dave
David J. Perdue
The potential problem with this is that when the user initially
authenticates to OWA, their logon/password is sent plain text as well.
I'm not sure why you wouldn't want to enable SSL for the entire session.
Dave
What's the STOP error? What file threw the error?
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
Aelita (now Quest) had an app that would give you what I
think you are looking for. Even send the reports via e-mail. I think
it's been repackaged as Quest Reporter. It uses a SQL database to
aggregate and report on all the data.
Dave
//SIGNED//
The only way you can be guaranteed to accomplish this is to
remove the Domain Admins at each location completely.
You would have to delegate the rights that they need/use
for a 90% solution. Whether you delegate all the rights to a single group,
or each logical collection of
Was that before or after they smacked your knuckles with a wooden ruler?
;)
If more places would teach coding like that, there'd be a lot more,
better code going around.
Dave
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
If you expire the account as opposed to disable it, they
shouldn't generate NDRs.
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
What happens if the user in domain 1 does a runas using an account with
the appropriate membership/rights from domain 2?
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
Did you check the permissions on the files that were
installed? Or there may be a file in the Windows or System32 directories
that they need permissions on?
Is anything logged that would give you an idea where it
hangs? What's Inuit have to say?
//SIGNED//
Personally, instead of blocking the default domain policy I
would create separate policy objects with the settings that I wanted
filtered/blocked. But your "set policies on each domain" leads me to
believe that there are multiple domains in the forest involved here?
Domains by their nature
Did the OU and the GPO have a chance to replicate?
The policy that you created, did you configure the computer or user
portion of the policy object?
Do you have a user account or a computer account in the OU?
What OS is the client computer? If it's Win2k or lower did you
configure a WinXP
I'd have to agree with you. An option was to reboot to DOS from Win95. For the
life of me, I can't remember what version it was at the command line though.
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN:
Sorry to not add anything of import to your thread, Jeff; but I'd love to be on
the list for the Capturing and Interpreting Network Traffic 101.
Dave
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN:
No. You can set the requirement to password lock the screensaver
separate from the chosen screensaver.
Although, I haven't seen what will happen if you force the screensaver
to lock, but don't have a screensaver chosen.
Dave
//SIGNED//
David J.
You could export everything into a PST file, then import it onto the new
PC.
Dave
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
attempting to log on
That is the way we did it before moving to AD. I was kind of hoping to
use the GPO functionality (it is there, after all). I guess a call to
PSS is in order as Google and Technet both turn up nothing.
Jordan
On Mon, 24 Jan 2005 13:20:03 -0800, Perdue David J Contr
InDyne
You can. You just have to deny them "list folder
contents", and they can not see what's in the folder, that coupled with a denied
read should take care of it.
Personally, I'd create new shares for Sales and Finance and
map those straight to M:. Then map your Management to M: for your
I was always under the impression that any
disclaimer/banner had to be:
-At the beginning of the e-mail
-Only used when necessary
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
Jordan,
Create your logon banner by modifying the appropriate registry keys and
send that out to your clients, instead of going through GP. Strangely
enough, by the reg key it will work.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
And
Is Service A set to automatically run or is manual? Are there services that
depend on Service A to run that are causing it to start during the backup?
All things being equal, it shouldn't just be restarting for shiggles.
Dave
//SIGNED//
Dan,
It sounds like mail is being delivered to an alternate
location, like a PST file. Below is the link to check for it in Outlook
2k3. It should be similar for Outlook 2k.
http://office.microsoft.com/en-us/assistance/HP010257441033.aspx
Dave
//SIGNED//
I don't know if this matters in your environment, but the other Account Options
are controlled by that permission as well.
Dave
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
Subject: RE: [ActiveDir] Software License Management
That went away with SMS 2.0. It ran on a FoxPro db... hahaha... :)
From: Perdue David J Contr InDyne/Enterprise IT
Sent: Monday, January 03, 2005 5:15 PM
To: 'ActiveDir
I need to do some real software metering. X
number of users using this piece of software at once on the
network.
SMS 2k3 doesn't provide this. Can anyone point me
to a system that does?
Thanks,
Dave
//SIGNED//
David J.
and you can get the plugin called
SAM (http://www.extendedtools.com/) for SMS 2K3.
Cheers:
Thomas
From: Perdue David J Contr InDyne/Enterprise IT
Sent: Monday, January 03, 2005 3:55 PM
To: 'ActiveDir@mail.activedir.org'
Subject
Aelita (now Quest) has an app (used to be Enterprise
Directory Manager) that will allow that level of granularity. It
utilizes a SQL database to store the additional information and acts as a go
between for the user and AD. It provides some really neat functionality
besides this feature.
There is a danger to using restricted groups. It will replace the contents
of the group with whatever you specify in the GPO. The only exception is
the default local admin account. If you have a lot of users in the local
admin, they will be removed when this gets applied. If you add a user to
Are there updated video drivers available for your system?
Dave
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
Have him try checking the Omit Duplicate Rows box on the General tab of
the Query Statement Properties. It's more than likely due to the same
computer meeting multiple requirements of his query.
Dave
David J. Perdue
Network Security Engineer,
If all you have to do is grab the data off of the box as
fast as possible, I would recommend doing a parallel install of XP, snagging the
data, then dumping the box or fighting through the problem.
//SIGNED//
David J.
Win2k DNS used a random port in addition to port 53 for DNS resolution. I
don't know if Win2k3 is the same. There is a registry hack that will force
it to a known port. If you sniff the traffic you should be able to see it.
David J. Perdue
Even with SYSKEY enabled on a NT DC the
sam can still be cracked with l0phtcrack or the other tools. Just make a
recovery disk with the /r (I believe) option would export a readable copy of
the sam. We would have to do it for our security folks to test password
strength every so often.
From: Perdue David J Contr InDyne/Enterprise IT
Sent: Wednesday, November 17, 2004 4:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD
The computer browser service is used to
populate things like Network Neighborhood and isn't related to any of the
FSMO roles or truly critical network use.
Unless it's causing problems for
your users, I wouldn't worry about it. If you do want to worry about it:
If you turn off the service to fix your problem you want to do it on the box
that has taken over the role as Master Browser, not on the DC.
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
Have you checked the NIC and switch port
that both are configured for the same duplex and port speed? Force them to
1000 Full if they are not. While you're looking at the switch see if
there are any other errors on the port. I had a backup server that even though
both it and the switch
If you go through and mod the registry key manually, it does impose a
character limit on you. Around 128 characters I think. But if you go
through and use group policy or import the registry key it doesn't.
Kinda quirky that.
dave
David J.
You can shutdown the Computer Browser Service
(CBS) on everything and it won't cause any issues with WINS or your DCs.
Where it will cause an issue is when you attempt to browse the network from say
Network Neighborhood.
The Computer Browser Service pretty much
bites. I've beaten my head
http://wm.quest.com/products/activerolesserver/
It used to be Enterprise Directory Manager. Nice stuff.
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
Tom,
I thought that Term Service in App mode required a license server. My
assumption was that the license server would track all of that.
Dave
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Title: OT: Disk Quota
Rick,
Disk Quota is based on
the user account that owns the files. Depending on the file structure and
how it is setup, the default owner on the files could be the
Administrator. This would skew her profile usage.
If I remember correctly, the other two reasons a user
With AD you can have scripts that run on Workstation
Startup, Workstation Shutdown, User Logon and User Logoff.
The user directory is created based off of the logged on
user name. This is stored in %username%.
I'm not a script master, but I wouldn't think it would be
harder than using a
I've used version 3 on WinNT before. It's
pretty slick. A bunch of options to make passwords super strong that we
didn't use. There wasn't any lag that we ever saw.
Dave
David J. Perdue
MCSE 2000, MCSE NT, MCSA,
The pop-up blocker in WinXP SP2 works like a champ for me.
It blocks the automated pop-ups, but will still open a new windows if I
click on a link.
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
I think this is the one you are talking about Brian. It's formerly Aelita,
but now is Quest.
http://wm.quest.com/products/domainmigrationwizard/
They've got a product that will demote a NT4 PDC/BDC. It's pretty
slick. And totally not supported by MS.
Dave
Best way would be to write your script that copies it down from a central
source and set it as a Start Up Script via GPO. It would get run every time
the client starts and run in the System Context, as opposed to a logon
script which runs in the user context.
Dave
I think there is a policy setting for roaming profiles that
will allow you to skip the Temp Internet Files folder.
Unless if you need the temp to follow them
around.
David J. Perdue
MCSE 2000, MCSE NT, MCSA,
copy
format.
From: Perdue David J Contr InDyne/Enterprise IT
Sent: Friday, October 08, 2004 11:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy to set limit or disk space used for Temporary Internet F
Title: root domain alias
Marcus,
I guess the questions are, do you use AD and does your AD
domain have the same domain name as your external web
server?
If not, you could probably get away with it. If so,
you'll probably have some problems.
Dave
To take that away in Win2k you have to remove their write ability to the
userAccountControl attribute. That is accessed via the Security Tab,
Advanced, Effective Permissions on an individual account.
However, I believe that will also remove their ability to change anything in
the Account
Title: RE: [ActiveDir] Active Directory Container (Folders)
Jeff,
There are a lot of reasons this could be the case.
Network Neighborhood is run off of the Computer Browser Service. Just as
you are seeing, their ability to be seen in NN is independent of them being able
to participate in
Russ,
You say you're switched and your bandwidth utilization is
pretty low, so it's probably not related directly to excessive broadcast
traffic. But that could explain the delay. One thing that I would
check is what "Node Type" your clients are in in regards to WINS name
resolution. That
If the kiosks are members of the AD domain, and the configuration in
question is applied to the computer portion of the group policy object, they
should be in effect no matter who is logged on.
But I think you are right, an NT4.0 user would not get the user portion of
the GPO on that workstation.
http://wm.quest.com/products/reporter/
I haven't had a chance to look at this product per se, but their other
products are pretty good.
Dave
From: Bruyere, Michel
Sent: Monday, September 20, 2004 9:03 AM
To:
The below link on JSI shows a way to pull it from the
DCs.
http://www.jsiinc.com/SUBQ/tip8400/rh8433.htm
Dave
From: Caple, Andrew
Sent: Tuesday, September 07, 2004 10:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
Have you considered just re-directing the My Documents folder to a network
share? You could filter the GPO based on user group membership. If you
wanted it going to different servers. The user would be able to access it
no matter what computer they logged into.
Dave
Title: Re: [ActiveDir] Set Preferred DC
Isn't that a setting that you can push via DHCP? I
want to say you can put a "tag" on your clients so that they can receive
different info via DHCP without having to be on a different
subnet.
For the life of me, I can't remember what MS calls the
From: Perdue David J Contr InDyne/Enterprise IT
Sent: Tuesday, September 07, 2004 4:12 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Desktop folder
I don't know if this would work, but...
Add the share on your data server to the website as a
virtual directory. Then, add your web server's computer account or the IIS
account with the access that the app needs to your data servers share. I'm
not sure which would be needed to work.
You
Check out Password Policy Enforcer. I think it has
the ability to create different policies based on group membership within the
same domain.
Dave
From: Ulf B. Simon-Weidner
Sent: Wednesday, September 01, 2004 11:21
Problems with systems showing up in NetNeighborhood is
related to the Computer Browser. This article will give you some info
regarding the Browser: http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/tcpip/part4/tcpappi.mspx
This article has some good info for
Title: New Windows Update
Microsoft has been making changes to the Windowsupdate
site. They're up to version 5 or something. It was breaking with the
XP SP2 Betas.
Dave
--
David J. Perdue
MCSE 2000, MCSE NT, MCSA,
John,
I can recommend Storage Central. It's been recently bought by Veritas.
http://www.veritas.com/Products/www?c=productrefId=48 It's got everything
that you're looking for below. The really nice part is that you can also
build reports based off of the policies. The reports can be
If your users are organized by OU, you can create different
GPOs for each OU and then use the Logon Script setting to give each one a
different batch file.
Dave
--
David J. Perdue
MCSE 2000, MCSE NT, MCSA,
Go back to your master, log on as an admin and start up each of the Office
apps. Then re-image and you'll be good to go.
For some reason, the first time the Office apps are run they still do a
little more installing.
Dave
--
David J.
Title: Customize Group Permissions
One thing to be really careful of though. It will
replace the contents of the local group. The only exception to this is the
default local Admin account in the local Administrators group. That
account will stay. If you are using software, like SMS, that
Clyde,
Check out www.bootdisk.com. Under the Network boot disks give Barts a shot.
It's pretty good and customizable.
Dave
--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805)
Title: [ActiveDir] Forest Wide DNS Zone
James,
That should help you out. It will include DNS
replication with your AD replication. The other thing that you want to
look at is if you have your sites and links configured in AD. That will
help AD better manage replication. If you have, you
Edwin,
You can use the Internet Explorer Admin Pack to create a custom install.
Then just choose the OE components. It will generate everything you need.
Then just assign the MSI.
Dave
--
David J. Perdue
MCSE 2000, MCSE NT, MCSA,