defect.
Any loss/damage incurred by using this material is not the sender's
responsibility. Liability will be limited to resupplying the material.
Technical Support
[EMAIL PROTECTED]
Sent
by: [EMAIL PROTECTED]
11/09/2006 04:47 PM
Please
respond
worried about Yesterday?
-anon
From: Technical
Support
Sent: Tue 11/7/2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
--NDR--
Please let me know how I can contact you
Deji
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
onto any computer system. No warranty is
made that this material is free from computer virus or any other defect.
Any loss/damage incurred by using this material is not the sender's
responsibility. Liability will be limited to resupplying the material.
Technical Support
[EMAIL
- Directory Services
www.akomolafe.com- we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
From: Technical
Support
Sent: Mon 11/6/2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange
--NDR--
Hi
Hi,
I am sending mail @XYZ.COM and here is the error I am
getting. When id to Email ID Verification and MX Record lookup it works fine
for xyz.com. Also I am not facing this problem with any other mail id. I am
able to send mails to other clients/vendors.
Here is the NDR I am
Hi,
We are planning to have only one domain for normal users and
users with mailbox. Currently we have two different forests.
My Exchange Forest is FE/BE structure.
Kindly suggest how I can achieve this in the best way.
Thanks and Regards
Ravi Dogra
I would suggest go for Exchange 2k3. I
really enjoy working with it
Makes life easy if you have remote/roaming
users. And rest all is explained by everyone out there.
Also question yourself Do I really
need Messaging Services? this should clear picture for you as you have
other
Hi All,
Kindly suggest, what i can do about my Exchange Log
files?
I have about 120 GB Log files for past 4 months. I
havea few doubts:-
Do i really need all those log files?
If yes, Then how is it possible to manage with this
as i have a very limited space left.
Can i delete these log files?
make that backup.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Thursday, October 26, 2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange Log files --Disk Full--
Hi All,
Kindly suggest, what i can do about my Exchange Log
Hi,
I am running Normal Backup. Using NTBackup
Utility. Backing up Information store.
From: [EMAIL PROTECTED] on
behalf of Missy KosloskySent: Thu 10/26/2006 12:49 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Exchange Log
files --Disk Full--
Are you running full (AKA
Hi,
I am trying to access one of my servers using
Remote Connection. I am using mstsc but its not connecting me to the server.
error "The remote computer has ended the
connection".However if i am using mstsc /v:IP
Address /console it lets me connect to it.
Problem is in this mode i can use
Yes it doesnt happened with
any other serves but i have rebooted it more than twice. but no gud
luck.
what do you guys suggest in this case? did
only rebooting second time resolved the issue for you?
It worked for me when i have disjoined from
my domain. but i am sure this has nothing
My understanding was that the Password Policies are
applied similarly to any other Group Policy. I do recall doing some testing some
time ago where by using various security filtering on Group PoliciesI was
able to set up two DC's with two different effective policies and so two
different
Hi Susan,
If you try using an ADM template to add the key you may have a problem since
it includes binary settings that can't be set via ADM Templates.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
Joni,
As you said, when the machine boots it gets the machine policy applied, and
you want to back it out when the User logs on, which is pretty much a tall
idea! I have never heard of such a function and to be honest would think it
to be impossible, unless of course the machine could predict
Hi Steve,
Just noted your comment on trying to interpret the Userenv Log. I always
found it very confusing so I wrote a utility that picks it apart. You can
download it from http://www.sysprosoft.com/policyreporter.shtml I just ran
it on your file and it shows quite clearly the process
Hi Sudhir,
Use of a mandatory profile should not matter. I
presume you have checked things like otherpolicies at a higher priority
and checked that loopback processing, Policy Overrides etcis not confusing
the issue. Also check the Event log to see if there are any errors processing
Hi Ryan,
The greying out of the settings is a "good thing".
Basically any well designed program that provides a user interface to a regitry
setting should grey out settings that are managed via the Policy key. This is
really saying "This setting is set via policy. Don't fiddle with it".
Jeff,
You could try looking at BrndLog.TXT under C:\Documents and
Settings\xx\Application Data\Microsoft\Internet Explorer (x is the
username)
It gives a detailed log of the IE processing and might give you a hint of
what is happening.
Alan Cuthbertson
Policy Management
Hi Charlie,
If it is a user registry setting (other than Binary) there should be no
problem with a custom ADM template.
Can you explain what registry key it is and exactly what is not working?
Alan Cuthbertson
- Original Message -
From: Charlie Kaiser [EMAIL PROTECTED]
To:
Johnny,
We do exactly what you suggest, change the password and set the user must
change password at next logon and they are able to change it, even within
the password cannot be changed period.
What do you mean by that would effectively lock out the OWA only users?
Alan Cuthbertson
Policy
Of SysPro Support
Sent: Friday, August 26, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change
Johnny,
We do exactly what you suggest, change the password and set the user must
change password at next logon and they are able to change it, even within
Hi Peter,
It could be NetBiosName that I am looking for. I tried it on my domain, but
it had no value. However that could be because my domain was not built pre
Windows 2000. I will try it on the offending domain and see what it returns.
Alan C
- Original Message -
From: Peter Jessop
Title: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
Hi Michael,
Thanks for the response, But it isn't quite what I
want. The code you give gives the NetBios name of the
logged on user. I am trying to find the NetBios name
for another domain.
I have tried enumerating all machines on the
Title: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
Hi,
I have a requirement to determine themachines
that are currently online for a particular domain. I use the Net View
command and give it a domain name such as:
Net View /Domain:DomName
SinceI know the Fully qualified Domain
name
Douglas,
The key is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
DisablePasswordChange =1.
Further Information is available from
http://support.microsoft.com/?id=154501
Alan Cuthbertson
- Original Message -
From: SysPro Support [EMAIL PROTECTED
Douglas,
There are some registry settings that turn of password changes on the
machine. This means that since the machine password is always the same you
can simply reinstate the image and it will still be part of the domain. Not
sure of the keys though, will check at work today.
When we first
Hi Jeff,
Can't think of anything immediately. When you say
" Its saying security filter" are you
getting that from the UserEnv log, orsomewhere
else?
I always find it useful to activate full logging
and then read the UserEnv.Log in %windir%\debug\usermode to find out what is happening
Tom,
This is not the way I thought it worked (but I may have misread what you are
saying or I may just be wrong!)
I thought that if Loop back processing was active on the machine as Replace,
when the user logged on, they received the policies as if they were members
of the Machine OU.
If Loop
rt and i'm sure joe or al or gil or any of the
other much much more knowledgable people will jump in and correct the hell out
of me.I am sure someone will set us right! Any comments
Darren?
i apologize if i've confused you
more.thanks-Original Message-From: SysPro Support
[mailto:[EMAIL
Joni,
I can't think what may be causing it, but I always find the UserEnv.Log is a
good place to start. If you activate Detailed logging, then logon to the
client terminal it provides detailed info in the file in
%windir%\debug\usermode\userenv.log.
Here is a reference to activating the logging:
Hi Michel,
I don't believe there is a loop back equivalent to do what you want.
I am not exactly sure what you mean by restrict installation process. If
you mean to install and deinstall software for a given user, you can do that
via the User part of the policy. If you mean Change some machine
Hi,
The easiest way to do it is to get a test machine and manually configure IE
the way you want (setting up zones etc). Then create a test policy, go to IE
maintenance and import your settings.
I have never tried exactly what you want to do, but it should work, although
you would want to test
Title: Message
Hi Neil,
I understand your concern that unexpectedly
updating the Production ADM files "sounds like a bad idea", but it really isn't
that dangerous. The ADMtemplate doesn't change the policy at all. It only
changes what you see in Active Directory Users Computers. So even if
Title: Updating ADM files - best practices
Neil,
Not sure if it is best practice, but what I do
is:-
1. Leave on the Auto upgrade of ADM files. We
assume that Microsoft always adds to ADM files, never changes existing
keys.
2. Always use a different ADM file for your
modifications. Never
Sandra,
The best way to check this out is to activate detailed logging by setting
the following registry key on the client:-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserEnvDebugLevel = 65538 (Dword)
After loginng on again, check out the log in
Its done on the client :-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserEnvDebugLevel = 65538 (Dword)
or the tool I mentioned will set it for you.
Alan Cuthbertson
- Original Message -
From: Umer Y. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Hi,
The best way to check this out is to activate detailed logging, reboot
logon and look at the log in:-
%windir%\Debug\UserMode\userenv.log.
We have written a free utility that will allow you to activate detailed
logging and will display the log in a meaningful way.
Justin,
What we do is modify the my Computer name when we build the machine. I am
not exactly sure of the details, but will get them for you on Monday.
Alan C
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
Hi Bart,
As far as I know, GPO processing will not replace the image. GPO processing
simply sets a registry key which points to the file.
In your case, something else must be replacing the file, perhaps Sysvol
replication. Can you tell me the location of the file?
Alan Cuthbertson
Policy
Hi Chrisitine,
Your problem is not that you are not allowed to set
it to \\server\share\%username%\MyDocumentsbut
that you can't change it from \\server\share\%username%\to \\server\share\%username%\MyDocumentsThe
reason is that when the destination changes, it tries to move all existing
Jordan,
We do exactly what you have done and had no
problems. Is it possible that you have another policy that only applies to XP
machines thatalso has the value set?
Alan
CuthbertsonPolicy Management Software:-http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtmlADM
I know of a very good product
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free)
Jeff,
Entries placed in the Registry via policies under
Software\Policies and Software\Microsoft\windows\CurrentVersion\Policies should
be removed when the policy is disabled.
When you say "But when I disable the Policy setting it doesnt set it back" do you
mean that the Registry key
An alternative approach may be to launch a program on the laptop which:-
1. Waits for the VPN to be established
2. Checks for the age of the password via AD
3. Prompts the user to change password if appropriate
4. Shuts down
A bit messy, but fairly simple.
Alan Cuthbertson
Policy Management
I haven't really tried this, but my understanding is that the file
C:\WINDOWS\system32 GroupPolicy\Machine\Registry.pol contains all of the
registry settings set via GPEDIT for the admin templates. You should be able
to back that up and copy it to another machine. You do need to be careful
though
2004 8:17
PMTo:
[EMAIL PROTECTED]Subject: RE: [gptalk] RE: [ActiveDir]
Configure "Check for newer versions of stored pag es"
Justin-
Its
possible that if a newer version of inetcorp.adm comes out that does not
support these same settings, then the setting you ha
PROTECTED] On Behalf Of Darren Mar-EliaSent: Tuesday, November 23, 2004 8:17
PMTo:
[EMAIL PROTECTED]Subject: RE: [gptalk] RE: [ActiveDir]
Configure "Check for newer versions of stored pag es"
Justin-
Its
possible that if a newer version of inetcorp.adm comes out that does not
Joe,
When we did it, the machines seemed stable It was just that one DC had one
set of values and the other had another set of values. Depending which DC
authenticated your password changes etc, you got a different set of rules
enforced.
Admittedly we didn't do an exhaustive test over an
Doh!
You should have stuck to your guns James!
My only defence is that I had never actually used User components in site
policies before. I have now and agree that the User does receive the User
based settings that exist in the policies connected to the site.
Alan C
- Original Message
Rick,
That's correct. In fact we once tried having two policies at the domain
level with different values for the password length. We then changed
filtering so that one Domain controller got one policy and an other Domain
controller got a different policy.
We then tested how each behaved when
Hi Mario,
Maybe this is why you thought it was so hard! There is a policy under
Machine/ADM Templates/System/Group Policy called Use Group Policy
LoopBack Mode. It all works easy then!
Have a look at the Explanation provided for the policy .
Alan Cuthbertson
Policy Management Software:-
Mario,
I think you have got it now...
The OU that the USER belongs to should contain the policies you normally
want
The OU the Citrix server belongs to should contain the Loopback option
enabled. It should also contain the User polices that you want the user to
get when they log on to Citrix
Hi,
One way of doing it (which is a little dodgey) is to create your own ADM
file which does the registry hack for you. You still can't type in the
crlf but you can create a default entry with the required crlf in
place (see beleow). Seems to work OK. You can still edit the text in the
field, you
Hi All,
Since moving to XP I get really peeved that whenever I edit a Policy that
has non Policy settings in the Administrative Template area I must go to
View/Filtering' and unclick Only show policy settings that can be fully
managed
I found a Policy under System/Group Policy to Enforce show
Title: Schema recovery
Hi,
We have (finally) decided that we need to control
all Interent Explorer settings on workstations but have run into the following
issues. I would appreciate other peoples comments on them:-
1. We are selecting the Microsoft defaults as a
starting point. Can anyone
Chris,
You control it via the security on the
Policy.
If you open the properties for the Policy then look
at security, you will see that Authenticated Users have the APPLY
attribute.
You can either remove it from Authenticated Users
and add the Groups that you want to receive the policy,
Mike,
At risk of being accused of pushing our software, we do sell a product
called PolMan which will allow you to view Policies on Multiple Domains
(assuming you are trusted on both) and compare gpo(s) .
Feel free to download it and make use of our 30 day trial.
Alan Cuthbertson
Policy
Jeff,
I think what you want is Loop Back processing, although it is not done
through groups.
You put the user in an OU called MyUsers and the Kiosk is in an OU called
MyKiosks and you enable LoopBack processing for the MyKiosks OU with Merge
option.
When they logon normally they get all of the
: RE: [ActiveDir]GROUP
Policy
For more information,
see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.new
here so I am sorry if this question has been asked many times
before.
My network:
Three Windows 2000 servers and 200 W2k/XP
workstations
I work in the desktop area and we see some peculiar things around DNS name
resolution. When I ask our server guys, I get some answers that don't seem
to make sense.
We are running Windows 2003 servers with Wins and my problems are:-
1. Duplicate IP entries in DNS. I have a program that gets a
Hi Mark
I believe the Last Login Date does not propagate
between DC's. If you check out the Last login Date on all DC's you will get the
correct answer.
Alternatively, assuming you expire passwords on all
accounts, you can check the age of passwords to get an approximate
value.
Alan
Hi,
We have a network of some 8,000 workstations running Windows 2000.
Approximately 5 are still reporting an old Group Policy Object being applied
for the user component of Internet Explorer.
When I check the UserEnv.log they all have these entries
USERENV(a8.3a4) 15:35:17:534 ProcessGPOs:
Hi,
I presume you actually want to know that it is still operational, rather
than whether it still exists as a task.
The standard way I do this is to put a heartbeat in the program to write
status info to the registry every (say) minute including the current time.
You then monitor the registry
I don't think there is one. The power Configuration settings are not set up
in a very friendly way. All of the settings for each Power Scheme is held in
a Binary registry entry under the key
HKEY_CURRENT_USER\Control Panel\PowerCfg\PowerPolicies\0 (a different entry
for each Scheme)
using a Value
I used a great little program called Hacker.EXE
(excuse the name) that was great for modifying the Gina to change any of the
messages, imagesetc, but can't seem to find a site for it now. Maybe
someone else has experience.
In the end, we didn't use it 'cos management was a
little nervous,
issues with doing it?
Microsoft Support comment:-
Regardless, the basic answer is that under
normal circumstances, the clientmachine is responsible for resetting its own
password, and the interval atwhich the machine changes its password is
configurable through the clientregistry, and can
Justin,
I would agree... it should all work. One way of debugging this is to look at
the article here. http://www.jsiinc.com/SUBH/tip3700/rh3799.htm
It explains how to enable logging and creates a log that shows everything
that is happening as the policies are applied in the machine. It's a bit
Does anyone know of some software that formats
UserEnv.Log into an intelligent format?
Alternatively, does anyone know of documentation on
how it is formatted, so I can write my ownprogram? (I would even post it
back here for general use!)
I have spent a lot of time crawling through this
Hi Steve,
What sort of Registry keys do you mean? When
you say "under local Policy, a mess of registry settings are listed" do you mean
"Under the registry key \Machine\Software\Policy" or are you somehow looking at
the registry keys that are being applied via Local Policy. If the latter,
I am interested in the comment that OU's are a better way to manage Policies
than using group based filtering. Is this for performance reasons,
management reasons or safety reasons?
I could see a very small improvement in performance, using OU's is a little
easier to see what is going on and it
These things are notoriously tricky, cos there are so many things to go
wrong.
have you check in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group
Policy\History to check that the policy is actually being applied?
Alan Cuthbertson
Policy Management Software:-
Title: Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest
Hi Stephen,
LoopBack processing should do the trick. Basically
it says "Apply the policies using the user's Group membership as if he was a
member of the OU that the Citrix server belongs to". You can
David,
From your description I can't see any problem, but these things are often
more complex than you think. Maybe another policy is inadvertently setting
it. I have just started marketing a program for interrogating Policy
configurations and it should tell you exactly what is going on.
Feel
, one for each policy applying IE settings. This shows the policies
and the order they apply which may give you a hint.
Also, you can get into a mess if you apply policies both via the IE
extension and via the ADM extension
Alan C
- Original Message -
From: SysPro Support [EMAIL
Anders,
We market a product call PolMan that will produce a
report of all settings that are enabled within your AD Policy. It provides a
list of all entries with columns for the Policy name, the extension type, key
name etc.
We also market a nice little ADM Template editor.
Feel free to
is supposed to support this
automatically, you might want to check the following policy on your XP
machine that you're using to edit those GPOs:
User Configuration|Administrative Templates|System|Group Policy|Turn off
Automatic Update of ADM files to make sure this isn't enabled.
Darren
77 matches
Mail list logo