RE: [ActiveDir] OT: Scripting questions
Very cool, though on my box .tif is associated with MSPaper.Document, which is about as helpful as a chocolate teapot really. Nice command to flex those IT Monkey muscles with.

Olly
ADSSupport.net
http://www.adssupport.net
Dedicated free Active Directory Services(tm) support
email: [EMAIL PROTECTED]

-Original Message-
From: Jones, Rick J. (Desktop Engineering) [mailto:[EMAIL PROTECTED]]
Sent: 26 September 2002 23:05
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting questions

OH now that's too cool!

Rick J. Jones

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Scripting questions

Bring up a command prompt and type assoc /?.

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 12:58 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Scripting questions

I need to script (vbs, kix, or batch file) changing the file association of .tif and .tiff files on Windows XP machines. I found in the registry where the extensions are, but it isn't clear which value I need to change and how I tell it what program to use. Anyone willing to help?

Thanks,
jb

--
Jason Benway
[EMAIL PROTECTED]
1250 S. Beechtree
Grand Haven, MI 49417

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
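`assoc` maps an extension to a file type and `ftype` maps that file type to a program; both simply edit values under HKEY_CLASSES_ROOT, which is where Jason's registry search was heading. The PowerShell below is an added example, not code from the thread: it reads and sets those same values for .tif and .tiff and also surfaces Explorer's per-user "Open With" override, which shadows the machine-wide setting for that user and is worth reading back whenever you audit what actually opens a file type. The ProgID TIFImage.Document and the viewer path are placeholders.

```powershell
# Added example, not from the thread. Reads and sets the registry values that
# ASSOC (HKCR\<ext>) and FTYPE (HKCR\<ProgID>\shell\open\command) operate on.
# The ProgID and viewer path used at the bottom are placeholders (assumptions).

function Get-FileAssociation {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.tif'
    # HKCR\<ext> default value holds the ProgID (this is what ASSOC prints)
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    # HKCR\<ProgID>\shell\open\command default value holds the command (what FTYPE prints)
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    # Explorer's per-user "Open With" choice is stored separately and wins for that user
    $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension"
    $userApp = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).Application
    [pscustomobject]@{
        Extension = $Extension; ProgId = $progId; Command = $command; UserOverride = $userApp
    }
}

function Set-FileAssociation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Extension,    # one or more, e.g. '.tif','.tiff'
        [Parameter(Mandatory)][string]$ProgId,
        [Parameter(Mandatory)][string]$ViewerPath      # full path to the viewer executable
    )
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if ($PSCmdlet.ShouldProcess($cmdKey, 'set open command')) {
        # Refuse to point the association at a program that is not actually there
        if (-not (Test-Path -LiteralPath $ViewerPath -PathType Leaf)) {
            throw "Viewer not found: $ViewerPath"
        }
        if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
        # Quoted path plus "%1" (the clicked file), the same syntax FTYPE expects
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$ViewerPath`" `"%1`""
    }
    foreach ($ext in $Extension) {
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if ($PSCmdlet.ShouldProcess($extKey, "point at $ProgId")) {
            if (-not (Test-Path $extKey)) { New-Item -Path $extKey -Force | Out-Null }
            Set-ItemProperty -Path $extKey -Name '(default)' -Value $ProgId
        }
    }
}

# Audit first, then change both extensions in one step (writing HKCR needs admin rights).
# Drop -WhatIf to apply; the ProgID and path are placeholders.
Get-FileAssociation -Extension '.tif'
Set-FileAssociation -Extension '.tif', '.tiff' -ProgId 'TIFImage.Document' `
    -ViewerPath 'C:\Program Files\Example Viewer\viewer.exe' -WhatIf
```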
[ActiveDir] Can't remove a DC
Dear All,

I am trying to demote a DC using dcpromo and the operation keeps failing. I am being asked for an account with Enterprise Admin privileges in the forest, which the account I am using has. But I keep receiving the following error message:

The attempt to configure the machine account machinename on server servername failed. Access is Denied

But the account is an Enterprise Admin.

Thanks,
Mark

-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED]]
Sent: Friday, 27 September 2002 10:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Scripting questions

Very cool, though on my box .tif is associated with MSPaper.Document, which is about as helpful as a chocolate teapot really. Nice command to flex those IT Monkey muscles with.

Olly
ADSSupport.net
http://www.adssupport.net
Dedicated free Active Directory Services(tm) support
email: [EMAIL PROTECTED]
RE: [ActiveDir] Restricting the ability to create Universal Groups
I can think of ways to run cleanup scripts on a schedule to do this. The Universal Group is designated via a specific bit value or some other designation. The script could look for that designation, look at the creator/owner of the object and check against an authorized list. If the creator/owner is not in the list, the object is deleted. This doesn't keep them from creating the group; it just may help you get a handle on the situation.

The way Aelita (the company that pays my bills <G>) handles this situation is with the 'rules and roles' engine of Enterprise Directory Manager. The way the product works is that on creates or modifies of an object, any policy objects (Aelita policy objects) that are hung on the specific container will execute. We have a script that runs prior to the commitment to the directory that checks if the user is creating a universal group and then checks their permissions. If the user is denied creating the UG via the script and permissions (access templates), our EDM engine will not write to AD. This is how we handle it; I am sure that our competitors have similar features. Please contact me offline if you need some further explanation of our product.

Kevin

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 10:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restricting the ability to create Universal Groups

Devan,

Once you are in a Native mode domain and you have granted someone the ability to CREATE groups - I have no information that tells me that you can limit the TYPES of groups that one can create. This, currently, might be a situation where you have to put a policy - with a penalty - in place to control the creation of Universal groups without change control or justification.

Maybe someone else will have more light to shed on this.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Thursday, September 26, 2002 9:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restricting the ability to create Universal Groups

Hi all,

My question centers upon restricting OU Admins' ability to create Universal Groups but allowing them to create Global Groups and, of course, Domain Local Groups. The design involves OUs based on geographical locations, and we would like local administration to be able to create almost all objects except for things that are central in nature. My greatest concern is that if they start populating UGs with domain user accounts and other non-recommended practices, then we'll have replication chaos throughout the forest and eventually an administration nightmare. I haven't really hit the test lab with the above scenario, but from memory the advanced ACL permissions focus upon group objects in general. Does anyone know whether this can be achieved?

Thanks,
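Kevin's scheduled cleanup script, written out as an added example (not from the thread and not Aelita's product). Universal groups are the ones with bit 0x8 set in groupType, and the creator of an object is recorded as its owner in the security descriptor; one caveat is that objects created by members of Domain Admins get that group, not the individual, recorded as owner, so the approved list (placeholder names below) should include it. The script only reports by default and deletes nothing unless -Remove is given.

```powershell
# Added example, not from the thread or from any vendor product. Enumerates every
# Universal group in the current domain and reports those whose owner is not on an
# approved list; removal is opt-in and honours -WhatIf. Approved names are placeholders.

function Get-UnapprovedUniversalGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ApprovedOwner = @('CONTOSO\Domain Admins', 'CONTOSO\Group Provisioning'),
        [switch]$Remove
    )
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    # groupType is a bit field; 0x8 marks a Universal group. The OID in the filter is the
    # LDAP bitwise-AND matching rule, so this catches security and distribution universals.
    $searcher.Filter   = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'whenCreated'))

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # The creator is recorded as owner, except that members of Domain Admins
        # get the group recorded as owner instead of their own account.
        $sd = $entry.psbase.ObjectSecurity
        try   { $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
        catch { $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }
        if ($ApprovedOwner -contains $owner) { continue }

        $dn = $result.Properties['distinguishedname'][0]
        [pscustomobject]@{
            Group       = $dn
            Owner       = $owner
            WhenCreated = $result.Properties['whencreated'][0]
        }
        if ($Remove -and $PSCmdlet.ShouldProcess($dn, "delete Universal group owned by $owner")) {
            $entry.psbase.DeleteTree()
        }
    }
}

# Report only; add -Remove -WhatIf to see what a cleanup run would delete
Get-UnapprovedUniversalGroup | Format-Table -AutoSize
```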
RE: [ActiveDir] XP GPOs vs Win2k GPOs
Here is MS's solution; they are not sure why this is happening, but at least the solution works:

If you are missing the GPO extensions under User Configuration/Windows Settings, you need to register the following DLLs for each extension that is missing. Open a command prompt and type the following:

cd %systemroot%\system32
regsvr32 "name of dll" (without the ""s)

The DLLs for each extension are listed below:

Scripts (Logon/Logoff) --- %SystemRoot%\System32\gptext.dll
Security Settings --- C:\WINDOWS\System32\wsecedit.dll
Internet Explorer Maintenance --- %SystemRoot%\System32\ieaksie.dll
Remote Installation Services --- %SystemRoot%\System32\RIGPSNAP.dll
Folder Redirection Editor --- C:\WINDOWS\system32\fde.dll

Greg Felzer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leney, Justin
Sent: Wednesday, September 25, 2002 4:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

No doubt, RSoP is a nice tool. More in depth than doing a Security Config/Analysis. I am actually having a similar issue as you: sometimes you can see the entire GPO (with the extended XP-only policies) and sometimes not. Strange. When MS helps you, can you post it up here?

Jbl

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

Yes, they work. We are in the middle of developing our revised XP GPOs. The problem we have run into is that most of our XP Pro SP1 machines will not show all of the available GPO settings under User Config/Windows Settings. On all but one XP machine the only thing listed is RIS and Scripts. On the XP machine that works correctly we have all of the settings (i.e. RIS, Scripts, Security Settings, Folder Redirection and IE Maintenance). I have an incident open with MS which has been booted up to development.

FWIW, the .NET admin pak has some really cool features. The RSoP MMC, which provides a graphical display of what GPO settings have been applied to a user/computer and what GPO they came from, really helps when you are troubleshooting.

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leney, Justin
Sent: Wednesday, September 25, 2002 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

First thing to download is the .NET beta adminpak.msi:
http://www.microsoft.com/downloads/release.asp?ReleaseID=34032area=searchordinal=1

Then you can look at the new group policies and explanations that will only affect XP. In fact, each GP will have a statement "At least Windows 2000" or "At least XP Pro", etc.

Also, does anyone know if the new policies actually 'work' yet, or do we have to wait until we have a .NET server running on our domain?

-Original Message-
From: Taylor, Eric [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] XP GPOs vs Win2k GPOs

I am trying to find some information on the differences in GPOs for Windows 2000 and XP. Any links or whitepapers to reference would be great.

Thanks,
Eric
RE: [ActiveDir] Help.....
The 'most important issue' will surely depend on the company for which the AD is being designed. For example, the ability to set different password policies may be of paramount importance for some companies, and the replication traffic generated may not be an issue in a relatively static environment.

Another couple of things that I think should be considered:

1) Server consolidation. In most cases, fewer domains will require less hardware (because of the IM/GC incompatibility etc etc).
2) Some applications work better in a single domain environment, such as Exchange 2000. From experience, Microsoft usually recommend one domain, unless you can explicitly think of reasons that would prevent that design.
3) Non-technical issues; company politics may dictate that multiple domains exist, regardless of technical suitability.
4) The reliance on certain server roles in each domain. For example, in a large single domain environment, there will be a greater reliance on the PDC emulator for legacy applications that use APIs to use the 'PDC'.

I'm sure there are loads more, which others will soon point out!

Darren.

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: 27 September 2002 16:31
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Help.

I think Rick has hit the main points. From my POV, the most important issue is being able to constrain replication if you use multiple domains. If you have a smallish environment and replication traffic is not going to be an issue, stick with a single domain, or at most an empty root with a single subdomain.

-gil

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 8:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help.

Rich,

Loaded question. I've got a few minutes before heading off to bed to do some reading, but I think you'll get more than enough response to get a full view. A few benefits (I suggest someone fill in some of the drawbacks, too):

1. Separation of Schema and Enterprise administrator from the rest of the domain structure, providing some degree of protection for key and sensitive entities from the 'work' domains.
2. Use of a root domain provides for easy expansion and acquisition by adding a domain below the root.
3. Provides a replication boundary for domain-related data, thereby reducing unnecessary traffic, because domains do not replicate to each other.
4. Creates a separation of function or security based on password and account lockout properties.

(Do not in any way confuse a domain in Windows 2000 with a domain in Windows NT 4.0. Transitive trusts are automatically created between domains in a forest. A forest is more synonymous with a Windows NT 4.0 domain when viewed from an autonomous security context.)

Hope this helps - and gets the discussion going.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnson, Richard (NY Int)
Sent: Thursday, September 26, 2002 10:01 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Help.

Can someone outline the benefits of having a single forest with multiple domains as opposed to a single domain?

Thanks,
Rich
RE: [ActiveDir] XP GPOs vs Win2k GPOs
Greg, thanks for the help on that.

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 27, 2002 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

Here is MS's solution; they are not sure why this is happening, but at least the solution works:

If you are missing the GPO extensions under User Configuration/Windows Settings, you need to register the following DLLs for each extension that is missing. Open a command prompt and type the following:

cd %systemroot%\system32
regsvr32 "name of dll" (without the ""s)

The DLLs for each extension are listed below:

Scripts (Logon/Logoff) --- %SystemRoot%\System32\gptext.dll
Security Settings --- C:\WINDOWS\System32\wsecedit.dll
Internet Explorer Maintenance --- %SystemRoot%\System32\ieaksie.dll
Remote Installation Services --- %SystemRoot%\System32\RIGPSNAP.dll
Folder Redirection Editor --- C:\WINDOWS\system32\fde.dll

Greg Felzer
RE: [ActiveDir] KCC Error
Noah,

Pardon my confusion. I'm trying to get my mind around the problem that you're experiencing, but something didn't quite make sense. If there is one server per site, were there two servers in a site, and that is what prompted the move? Also, DNS - is there DNS on each server? Is there an A record for the server with the other missing records?

Now, on to some things that might assist in finding the problem:

I suspect that there is no site link defined for the site in which the DC that you moved is now located. If there is no site link object, then the Inter-Site Topology Generator will not have sufficient information with which to replicate with the DC in the 'foreign' site. The site that the server WAS in DID have a link, and the local replication (intra-site) worked fine between the two servers. Moving it to another site with no site link object created a situation where the KCC cannot complete the spanning tree.

Solving this:

Basically, what they are talking about in option A is to open up AD Sites and Services and create the proper site links from source to destination. By default, there is a DEFAULTSITELINK object (yeah, great name) in the IP container under Inter-Site Transports. And in this would be the Default-First-Site-Name (again, great name). If you confirm that you have complete coverage of the link topology (enough for the KCC to create the entire spanning tree), the errors will resolve and the replication topology will be restored.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Friday, September 27, 2002 4:33 PM
To: Active Directory List
Subject: [ActiveDir] KCC Error

Hello:

I have three sites that are (supposed to be) in a hub and spoke configuration. Each site has only one server, which is both a DC and GC. Yesterday, I saw that one of the servers was in the wrong site and moved it. Since then, I have been receiving constant errors such as the one below. I noticed that when I check the SRV records (as per Tim Hines' t-shooting tips) at the hub, I see that the problem site is not listed as a DNS server. I added that within DNS Forward Lookups, did the net stop/start of netlogon and dns, but still nothing.

Any ideas or tips on how I can ask this question so it makes sense ;-)

Here is the eventlog message:

EVENT #: 22692
EVENTLOG : Directory Service
EVENT TYPE : ERROR (1)
SOURCE : NTDS KCC
CATEGORY : Knowledge Consistency Checker
EVENT ID : 1311
TIME : 9/27/2002 2:23:12 PM
MESSAGE: The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition DC=prbo,DC=org, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).
For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition DC=prbo,DC=org in this site from a Domain Controller that contains the same Partition in another site.
For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.

Noah M. Eiger
Manager of Information Technology
PRBO Conservation Science
[EMAIL PROTECTED]
415-269-1832 (cellular)
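Rick's suggested check, that the site links cover every site well enough for the KCC to build a spanning tree, as an added example that is not from the thread. It reads the site and siteLink objects from the Configuration partition and reports, per site, how many links name it and which connected group of sites it falls into; a site named by no link, or more than one group, is condition (a) of event 1311. It assumes the default "bridge all site links" setting, under which links are transitive, and does not look at condition (b), unreachable servers.

```powershell
# Added example, not from the thread. Reads every site and siteLink from the
# Configuration partition and reports sites that no link names, plus how many
# connected groups of sites the links form. Assumes the default of bridging all
# site links, i.e. links are transitive within a transport.

function Get-SiteLinkCoverage {
    $configDn = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $sitesDn  = "CN=Sites,$configDn"

    $siteSearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$sitesDn")
    $siteSearcher.Filter      = '(objectClass=site)'
    $siteSearcher.SearchScope = 'OneLevel'
    $sites = @($siteSearcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })

    # siteLink objects live under CN=Inter-Site Transports, one container per transport (IP, SMTP)
    $linkSearcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Inter-Site Transports,$sitesDn")
    $linkSearcher.Filter = '(objectClass=siteLink)'
    [void]$linkSearcher.PropertiesToLoad.AddRange([string[]]@('cn', 'siteList'))

    # Adjacency: every pair of sites named in the same siteLink is directly connected
    $neighbors = @{}; $linkCount = @{}
    foreach ($s in $sites) { $neighbors[$s] = @(); $linkCount[$s] = 0 }
    foreach ($link in $linkSearcher.FindAll()) {
        $members = @($link.Properties['sitelist'])
        foreach ($a in $members) {
            if (-not $neighbors.ContainsKey($a)) { continue }   # link names a site that no longer exists
            $linkCount[$a]++
            $neighbors[$a] += @($members | Where-Object { $_ -ne $a })
        }
    }

    # Breadth-first walk to number the connected groups of sites
    $component = @{}; $groupId = 0
    foreach ($start in $sites) {
        if ($component.ContainsKey($start)) { continue }
        $groupId++
        $queue = New-Object System.Collections.Generic.Queue[string]
        $queue.Enqueue($start); $component[$start] = $groupId
        while ($queue.Count -gt 0) {
            foreach ($n in $neighbors[$queue.Dequeue()]) {
                if (-not $component.ContainsKey($n)) { $component[$n] = $groupId; $queue.Enqueue($n) }
            }
        }
    }

    foreach ($s in $sites) {
        [pscustomobject]@{
            Site      = ($s -split ',')[0] -replace '^CN='
            SiteLinks = $linkCount[$s]          # 0 means no link gives the KCC a route to this site
            Group     = $component[$s]          # every site must share one group number
        }
    }
}

$coverage = Get-SiteLinkCoverage
$coverage | Format-Table -AutoSize
$groups = @($coverage | Select-Object -ExpandProperty Group | Sort-Object -Unique)
if ($groups.Count -gt 1) {
    Write-Warning 'Sites fall into more than one group: add or extend a site link to join them.'
}
```

Run it on any DC or a member with access to the Configuration partition; the moved server's site should show SiteLinks of 0 if Rick's diagnosis is right.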