RE: [ActiveDir] Logon scripts
Elevated privileges relates to access to the registry but does not translate to access to the file system. As such, if a user has 'User' security access to a machine they will not be able to install software to it. To be able to do this you need a DMS solution that can manage installations to the box (and keep control of it during installation).

Your best bet at no cost is either to assign/publish through Active Directory or, within the login script, run the installation in an alternate account's context (using a VBS, JScript or CMD wrapper hidden from the user).

Get them to spend money on a Desktop Management Solution so that you get sufficient reporting and delivery management; hard to have a reliable lockdown environment without one. Only introduces more headaches than it is worth!

Cheers
David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Hope-Lang
Sent: 18 July 2002 09:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logon scripts

Morning all,

Does the logon script run with the user rights of the user logging on? I.e. can we install an MSI from the logon script without running the installer with elevated privileges if the user has user rights to the local machine?

Cheers
Charlie

-- http://www.channel5.co.uk/ --

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

---
Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 10/07/2002
---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 10/07/2002
RE: [ActiveDir] GPO's in W2K AD setup with XP clients
Sounds right to me!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: 18 July 2002 12:39
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO's in W2K AD setup with XP clients

Mark

You must have either Administrator or Backup Operator permissions on the computer to perform a restore. I could be wrong, but I believe the GPO setting makes the restore option available, but it does not confer the necessary rights.

Tony

---------- Original Message ----------
From: Abbiss, Mark [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 18 Jul 2002 13:08:39 +0200

Dear All,

I am planning to use GPO's to control a number of XP clients in a W2K AD setup. Currently we have no GPO's, other than the default domain policy. I have imported the .ADM files from XP into a W2K DC and want to use the Computer Configuration\Administrative Templates\System Restore options to control who can and cannot restore their system.

The default behaviour is to allow everyone the ability to use system restore but when attempting it on a workstation, I am confronted with the message that tells me I do not have sufficient security privileges. If the default behaviour is set to allow restore throughout the domain, where does this security issue come from?

I thought perhaps it might be the Computer Configuration local security settings, so to test I added the group Everyone to all of the various local security settings. When I tried again to restore the system I got a new message saying that system restore is not able to protect the computer and to restart the system and try restore again!!

How can I use GPO's and System Restore in my environment !?!?!

Many thanks,
Mark
RE: [ActiveDir] Sites and Services
Done it on every deployment with no issues!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Morgan, Joshua
Sent: 18 July 2002 13:42
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Sites and Services

Are there any issues with renaming the Default-First-Site-Name? Also can I set up a site and not have a DC in it?

Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info

The greatest glory is not in never failing, but in rising up every time we fall. -- Confucius
Re: [ActiveDir] IIS Question
Hi,

So as long as the printer is installed and shared on a Win2k Server with IIS running you should be able to manage it with http://servername/printers

ERIC

----- Original Message -----
From: Salandra, Justin A. [EMAIL PROTECTED]
Date: Thursday, July 18, 2002 2:58 am
Subject: [ActiveDir] IIS Question

How do you turn on printer management through IIS? I know there is a way to enable management of printers through the web, but I forgot how to enable this, any help would be appreciated.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
[ActiveDir] PasswordAge of Computers and Servers
All,

Does anyone know where I can find the password age of a computer or server and, if possible, where I can change this setting? I believe it's standard 30 days. How can I force a computer to change its password? Are there any scripts for this?

Marc De Schepper

This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the addressees. Any use of the information contained herein (including but not limited to total or partial reproduction or distribution in any form) by other persons than the addressees is prohibited. If you have received this e-mail in error, please notify the sender and delete its contents.
[ActiveDir] Active Directory Folder and XP
Hi, Where can I find the Active directory folder (like in Windows 2000) to search users, Printers... in Windows XP. I didn't find it under My network Places.
RE: [ActiveDir] Active Directory Folder and XP
Hi Barneaud

I had the same question this week. This is Tony's answer:

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] browse AD with XP client

Here's an answer to this question posted by a Microsoft employee in the Microsoft AD newsgroup yesterday. It includes an (unsupported) method to get the functionality into XP.

*

This has been discussed at length in this forum already. It was removed from the Windows XP client. Without wishing to open up the whole discussion again - you can read it for yourself. There are lots of good reasons for not allowing users to randomly browse around the network and in particular the directory. I suggest you read the rest of the discussions yourself - it gets a little bit heated at times.

But since you asked :-

The following process is TOTALLY UNSUPPORTED and provided AS IS with no warranties, and confers no rights.

To re-enable the Directory folder on a Windows XP Professional client PC in a Domain Environment

1. Copy the dsfolder.dll from a Windows 2000 (SP2 or later) machine to the Windows XP machines (it is in the SYSTEM32 folder under the WINNT folder on Windows 2000 (by default) and needs to go into the SYSTEM32 folder, usually under WINDOWS on Windows XP (by default))
2. Close all instances of Windows Explorer
3. Run "regsvr32 dsfolder.dll" on the XP machines.
4. Done

The above process is TOTALLY UNSUPPORTED and provided AS IS with no warranties, and confers no rights.

**

Tony
www.activedir.org

---------- Original Message ----------
From: "SEYBOLDT,VOLKER (HP-Germany,ex1)" [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 16 Jul 2002 13:04:14 +0200

Hi there,

I've a question regarding browsing the Active Directory with clients. On a W2K client there's a folder in "My Network Places" where I can browse through the AD structure in order to find objects in AD. I did not find this option on an XP client.

Can someone tell me where this browsing feature is located in Windows XP or what has to be configured so that it is available? At the moment no policies are configured in the AD.

thanks for your help
Volker

-----Original Message-----
From: Barneaud, Christophe [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 19, 2002 12:26 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Active Directory Folder and XP

Hi,

Where can I find the Active directory folder (like in Windows 2000) to search users, Printers... in Windows XP. I didn't find it under My network Places.
Re: [ActiveDir] AD and NDS
What DS level are you at on NDS? I did what you are doing and had problems with certain E-directory levels.

----- Original Message -----
From: John Hicks/MIS/HQ/KEMET/US
To: [EMAIL PROTECTED]
Sent: Thursday, July 18, 2002 1:25 PM
Subject: [ActiveDir] AD and NDS

We are in the process of migrating our NT 4 domain to AD. We currently use NDS as our primary directory service. We are using Account Manager to migrate our users and computer accounts into the AD domain from the NT 4 domain. We experienced problems getting IDs created in Novell Console 1 and MMC console to populate the changes in the other directory.

Has anyone gone through this process yet? If so, do you have any tips or resources for info on the subject? Both Novell and Microsoft have docs, but they both just bash the other's product. Any help would be greatly appreciated.

Thanks,
Jonathan Hicks
Network Engineer
KEMET Electronics Corp
864-228-4473
[EMAIL PROTECTED]
Re: [ActiveDir] LDAP failover/load balancing
Is there no way that the application servers can make use of the information published in DNS via SRV resource records? Clients can find an LDAP server by querying DNS for a record in the format:

_ldap._tcp.DnsDomainName

Tony

---------- Original Message ----------
From: Fugleberg, David A [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 18 Jul 2002 12:02:13 -0500

We have some J2EE application servers which we have configured to authenticate via LDAP against our Active Directory. The configuration of the app server allows only one LDAP server to be specified. If that one DC were to fail, the app servers would be unable to find the directory even though we have many other DCs in the domain. I desperately want to put some failover solution in place before that happens.

Are any of you facing similar situations? What products or techniques are you using to get around the issue? I'm thinking either some kind of hardware load balancer (like cisco's product) or some kind of an LDAP proxy on another box. Although I've seen it work in the lab, I don't wish to upgrade the DCs to W2K-AS just to get NLB for this.

Any suggestions?

Dave
Re: [ActiveDir] LDAP failover/load balancing
Could you not use some sort of round robin setup?

Rene

----- Original Message -----
From: Tony Murray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 19, 2002 7:50 AM
Subject: Re: [ActiveDir] LDAP failover/load balancing

Is there no way that the application servers can make use of the information published in DNS via SRV resource records? Clients can find an LDAP server by querying DNS for a record in the format:

_ldap._tcp.DnsDomainName

Tony

---------- Original Message ----------
From: Fugleberg, David A [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 18 Jul 2002 12:02:13 -0500

We have some J2EE application servers which we have configured to authenticate via LDAP against our Active Directory. The configuration of the app server allows only one LDAP server to be specified. If that one DC were to fail, the app servers would be unable to find the directory even though we have many other DCs in the domain. I desperately want to put some failover solution in place before that happens.

Are any of you facing similar situations? What products or techniques are you using to get around the issue? I'm thinking either some kind of hardware load balancer (like cisco's product) or some kind of an LDAP proxy on another box. Although I've seen it work in the lab, I don't wish to upgrade the DCs to W2K-AS just to get NLB for this.

Any suggestions?

Dave
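
The SRV lookup and the round-robin idea raised in this thread can be combined on the client side. The sketch below is an added example, not code from any poster: it orders SRV answers for _ldap._tcp.DnsDomainName the way RFC 2782 describes (lowest priority first, weighted random among equals) and returns the first server that accepts a connection. The record list, the example.com hostnames and the function names are constructed for illustration; a real client would obtain the records from its DNS resolver.

```python
import random
import socket

# Constructed sample: SRV answers for _ldap._tcp.example.com as
# (priority, weight, port, target). All hostnames are hypothetical.
SAMPLE_SRV = [
    (0, 100, 389, "dc1.example.com"),
    (0, 100, 389, "dc2.example.com"),
    (10, 100, 389, "dc3.example.com"),   # backup: only used if priority 0 is down
]


def order_srv(records, rng=random):
    """Return records in RFC 2782 try-order: ascending priority, and a
    weighted random order among records that share a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = sorted((r for r in records if r[0] == prio),
                       key=lambda r: r[1] != 0)      # weight-0 entries first
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_server(records, probe=tcp_probe):
    """Return (host, port) of the first reachable server, or None."""
    for _prio, _weight, port, target in order_srv(records):
        host = target.rstrip(".")
        if probe(host, port):
            return host, port
    return None


if __name__ == "__main__":
    # Offline demonstration: pretend dc1 is down instead of touching the network.
    down = {"dc1.example.com"}
    print(pick_server(SAMPLE_SRV, probe=lambda h, p: h not in down))
```

A successful TCP probe only shows that the port is open; because the server list comes from DNS, the LDAP client should still authenticate the server it lands on (for example by validating its TLS certificate) before sending credentials.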
Re: [ActiveDir] AD and NDS
We are running NDS 8. We did a reinstall of Edir and that fixed several of the problems we were having. I am going to continue testing today. What type of problems did you have?

Thanks
Jon

Rene Chakraborty [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/18/2002 01:52 PM
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc: (bcc: John Hicks/MIS/HQ/KEMET/US)
Subject: Re: [ActiveDir] AD and NDS

What DS level are you at on NDS? I did what you are doing and had problems with certain E-directory levels.

----- Original Message -----
From: John Hicks/MIS/HQ/KEMET/US
To: [EMAIL PROTECTED]
Sent: Thursday, July 18, 2002 1:25 PM
Subject: [ActiveDir] AD and NDS

We are in the process of migrating our NT 4 domain to AD. We currently use NDS as our primary directory service. We are using Account Manager to migrate our users and computer accounts into the AD domain from the NT 4 domain. We experienced problems getting IDs created in Novell Console 1 and MMC console to populate the changes in the other directory.

Has anyone gone through this process yet? If so, do you have any tips or resources for info on the subject? Both Novell and Microsoft have docs, but they both just bash the other's product. Any help would be greatly appreciated.

Thanks,
Jonathan Hicks
Network Engineer
KEMET Electronics Corp
864-228-4473
[EMAIL PROTECTED]
RE: [ActiveDir] IIS Question
I try and I cannot reach the page. Is there a setting in IIS that I need to grant permissions to?

-----Original Message-----
From: Eric Yeoh [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 19, 2002 3:19 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] IIS Question

Hi,

So as long as the printer is installed and shared on a Win2k Server with IIS running you should be able to manage it with http://servername/printers

ERIC

----- Original Message -----
From: Salandra, Justin A. [EMAIL PROTECTED]
Date: Thursday, July 18, 2002 2:58 am
Subject: [ActiveDir] IIS Question

How do you turn on printer management through IIS? I know there is a way to enable management of printers through the web, but I forgot how to enable this, any help would be appreciated.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Sort of OT: other Protocols
Isolated environment meaning no contact with a DNS server? Most people are trying to get away from NetBEUI these days. Could you set up DNS on the W2K server? It is pretty low overhead.

Robbie Allen
Cisco Systems Enterprise Management
Coauthor of Managing Enterprise Active Directory Services

-----Original Message-----
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 10:45 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Sort of OT: other Protocols

I have an isolated environment that runs SQL 2000 and Windows 2000 Servers. This environment experienced problems the other day because of a lack of name resolution between the servers. I was asked by management to look at NetBEUI as a backup in case standard TCP/IP name resolution failed...

Here is what I have set up... On each machine I have 2 NICs: 1 NIC on each machine is dedicated to IP and 1 NIC is dedicated to NetBEUI.

Does anyone see any issues with this?

Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info

The greatest glory is not in never failing, but in rising up every time we fall. -- Confucius