RE: [ActiveDir] Updating an Office XP Admin Installation

2003-07-25 Thread Steve Rochford
The only problem I've found with this (which may not be a problem for
you!) is that if you don't immediately update all the clients which were
installed from this share then the next time someone needs to do an
install on demand or a repair it will fail - the software will tell them
that it can't find the installation source.

What I'd like is for the installer to realise that it's looking at a
patched version and offer to install that patched version.

Steve

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: 23 July 2003 16:20
To: ActiveDir (E-mail)
Cc: Harabagiu, Alexandru
Subject: [ActiveDir] Updating an Office XP Admin Installation


I want to update the administrative installation on a network share so
that I can redeploy through my GPO the Office XP package with the
updated files.

I followed Microsoft's recommendation on how to update an admin share.

Msiexec /p [path\name of update MSP file] /a [path\name of MSI File]
SHORTFILENAMES=TRUE

What I was typing was the following

Msiexec /p c:\install\oxpsp2a\mainspff.msp /a
\\servername\officexp\proplus.msi
\\servername\officexp\proplus.msi
SHORTFILENAMES=TRUE

I get an error right away saying that there are incorrect parameters.
Does anyone have any ideas, has anyone actually done this?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Space on computer

2003-07-25 Thread Rick Kingslan
> when they want a file restored, we cannot even write to the folder

But, the Backup Operator can ;-)


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Friday, July 25, 2003 1:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Space on computer

we don't give the users full control, that way they cannot keep us out,
when they want a file restored, we cannot even write to the folder.

  - Original Message -
  From: Rick Kingslan
  To: [EMAIL PROTECTED]
  Sent: Thursday, July 24, 2003 10:28 PM
  Subject: RE: [ActiveDir] Space on computer
  
  Just being the Administrator or some authority on the server can't prevent the users from removing you from access to their private folders (or any other folders or files where they have the ability to modify permission). In many companies it is a common practice to allow users Full Control of their files and directories, or this might be granted by the Creator Owner special principal.

  Regardless of how it's granted, if the administrator permissions are removed, you have no rights to them - unless, of course, you take ownership.
  
  
  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juan Ibarra
  Sent: Thursday, July 24, 2003 6:17 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Space on computer
  
  
  If you have administrator rights shouldn't that give you access to all files?

  Page file is set to 384MB. I have deleted internet files and cookies as well.

  Thanks
  Juan
  
  
  

-Original Message-
From: Crenshaw, Jason [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 3:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Space on computer

The properties only calculate what you have rights to access. No access... no file size counted against properties. You need to find a utility that uses the backup operator bit, something like TreesizePro or another space-calculating tool.

Jason

-Original Message-
From: Juan Ibarra [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Space on computer

Hello, to all, sorry for the off topic question but this I can't find an answer to.
I have a windows 2000 professional machine with a 12G HD with two partitions.
C:\ is 9G
D:\ is 3G
C:\ says that it has 2G left of free space. If I unhide all hidden and system files and right click on them and go to properties, it tells me it is using 5Gs.
My question here is: Where are the other 2Gs? I have done defrag on the disk and I don't seem to recover the missing space. Any comments would be appreciated.
Thanks, Juan


[ActiveDir] Last updated/added property?

2003-07-25 Thread Costanzo, Ray
Hi group,

Does the AD keep track of when an object (a user, specifically) was last
updated or when one was created, and if so, can I get to that in a
script?  I have a script that runs every night that pulls out name,
phone, etc. information for every user in our AD and then drops a table
in a SQL Server database and recreates the table with the AD info.  It
seems a bit silly to do this, since most days there are probably only
zero to five changes in user information in our AD.

Thanks,

Ray at work


**
The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above.  Distribution, publication, or retransmission of this message is strictly prohibited.  This message may be a bank to client communication and as such is privileged and confidential.  If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited.  If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.

The sender of this e-mail specifically opts-out of the Electronic Signatures and Global and National Commerce Act (E-Sign) and any and all similar state and federal acts.  Accordingly, but without limitation, any and all documents, contracts, and agreements must contain a handwritten signature of the sender to be legal, valid, and enforceable.
**



RE: [ActiveDir] Last updated/added property?

2003-07-25 Thread Hutchins, Mike
whenChanged
whenCreated

are the LDAP attributes.


-Original Message-
From: Costanzo, Ray [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2003 7:46 AM
To: [EMAIL PROTECTED]

Hi group,

Does the AD keep track of when an object (a user, specifically) was last
updated or when one was created, and if so, can I get to that in a
script?  I have a script that runs every night that pulls out name,
phone, etc. information for every user in our AD and then drops a table
in a SQL Server database and recreates the table with the AD info.  It
seems a bit silly to do this, since most days there are probably only
zero to five changes in user information in our AD.

Thanks,

Ray at work





RE: [ActiveDir] Last updated/added property?

2003-07-25 Thread Costanzo, Ray
Thanks a lot Joe.

Ray at work


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 
 
 Yes, this info is maintained in two ways.
 
 1. In the whenChanged/whenCreated attributes - ex.
 (whenCreated=2003072500.0Z)
 
 2. In the USN attributes uSNChanged/uSNCreated. ex. 
 (uSNCreated=648965) trim


  Hi group,
 
  Does the AD keep track of when an object (a user, specifically) was 
  last updated or when one was created, trim




RE: [ActiveDir] Migration : NT to Win 2k3 Active Directory

2003-07-25 Thread Sharma, Shshank
> Sharma, if you are doing an upgrade in-place, you would have to do nothing to the clients or member servers. You would only have to upgrade the DCs.

That can be useful.
But, is that the case _only_ when I leave the domain name intact?
In case of an in-place upgrade, can I change the domain name, and still not have to touch the clients/member servers?
As I remember, each client/member-server is explicitly made to join the NT domain, to start with.
So, won't I need to do the same again, using the new domain name?
Any caveats?



  
  
  Thx,

  Joe

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharma, Shshank
  Sent: Thursday, July 24, 2003 5:34 PM
  To: '[EMAIL PROTECTED]'
  
  
  I am wondering if individual client machines need to be explicitly made to join the new AD domain while migrating from NT domains to Win2k3 AD domains, or is it just the PDC and the BDCs that get upgraded and the client machines stay (potentially) untouched?

  Just trying to get a feel of the manpower required to do this all over the organization.
  
  
  
  
  





From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 11:40 AM
To: '[EMAIL PROTECTED]'

Thanks all, for all the information.

I'll mull over it, and be back with more questions, soon.



  
  
  
  
  
  From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 24, 2003 7:52 AM
  To: [EMAIL PROTECTED]

  > 4) Mixed mode vs 2003 Interim Mode : we have placed the upgraded domains into 2000 Mixed Mode. If someone can tell me the advantages of 2003 Interim Mode, please. We spoke to Microsoft about their reasons, and they didn't really have anything compelling.
  
  
  
  When switching only the domain mode to 2003 interim, your benefit is minimal: some improvement on replication (mainly different compression algorithm), but you also keep any other admins from adding Win2000 DCs to your domain (which just add an obstacle to make the switch later on).
  
  
  
  When also switching the forest mode to 2003 interim, your main benefit is Linked Value Replication (LVR) which doesn't only improve speed of replication of your group memberships (incl. ensuring no overwrites by multiple admins and allowing very large groups > 5000 members), but if you're in a single domain, it also is very beneficial for Disaster Recovery scenarios. With LVR, authoritative restores of deleted/tombstoned objects will also revive the group-memberships (links) - which is not the case for the Windows 2000 style replication (i.e. the mode used prior to switching to Interim or 2003 forest functional level).
  
  
  
  /Guido
  
  
  
  
  From: Richard Boswell [mailto:[EMAIL PROTECTED]
  Sent: Thursday, 24 July 2003 15:51
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Migration : NT to Win 2k3 Active Directory

  I am just now finishing a NT/Novell 4.11/E5.5 to W2K3 AD/E2K3 migration and it was very similar to a W2K migration. I used the docs in the previous posts, but we found some interesting new caveats.
  
  
  
  1) Site links : for many environments, the site link costs would stay the same (the default 100), either due to the WAN configuration (such as a central access point with sites radiating from it) or due to ignorance. We have found that the default setting in W2K3 doesn't always replicate properly, therefore if you discover any replication issues that you can't explain, split up the site costs based off of WAN load or server capacity.
  
  
  
  2) NT BDCs : there is a registry entry that we have found that should be added on the PDC and any other NT-based DCs that you plan to upgrade to W2K3. Once the upgrade/migration has occurred, all of the W2K Pro and later clients will ONLY log in on the newly upgraded PDC emulator. The reg entry will take care of this. It is located at HKEY_Local_Machine\System\CurrentControlSet\Services\Netlogon\Parameters, add a new value called NT4Emulator, make it a REG_DWORD, and set its value to 1.
  
  
  
  3) WINS and LMHOSTS : yeah, this is a "duh" one but one that a lot of people don't think about. Make sure that you know what static WINS entries there are and that the LMHOSTS or HOSTS file point to the CORRECT entries. (I would recommend staying as far away from both of these as you can, but there are obvious situations in which one would be required).

RE: [ActiveDir] Last updated/added property?

2003-07-25 Thread Robbie Allen
FWIW, there are a couple other methods for tracking change in AD, but the
uSNChanged method Joe described is probably your best bet.

Here is more info:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/overview_of_change_tracking_techniques.asp


Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Costanzo, Ray [mailto:[EMAIL PROTECTED] 
 Sent: Friday, July 25, 2003 10:30 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Last updated/added property?
 
 
 Thanks a lot Joe.
 
 Ray at work
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  
  
  Yes, this info is maintained in two ways.
  
  1. In the whenChanged/whenCreated attributes - ex.
  (whenCreated=2003072500.0Z)
  
  2. In the USN attributes uSNChanged/uSNCreated. ex. 
  (uSNCreated=648965) trim
 
 
   Hi group,
  
   Does the AD keep track of when an object (a user, 
 specifically) was 
   last updated or when one was created, trim
 
 
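The uSNChanged approach Joe and Robbie recommend, worked through as an added example (not code from the thread): a delta pass that replaces the nightly drop-and-recreate with "only what changed since the last run", plus the LDAP filter a real query would use. The user entries and the DC name are constructed sample data; uSNChanged is a per-DC counter that is not replicated, so the high-water mark is stored per DC.

```python
"""Incremental change tracking for a nightly AD user export, keyed on uSNChanged.

Added example, not code from the list thread. The LDAP results below are
constructed dicts standing in for entries a real query would return; the
attribute names (uSNChanged, uSNCreated, whenChanged, whenCreated) are the
real AD attributes the thread names. uSNChanged is a per-domain-controller
counter, so the high-water mark must be stored together with the DC it came
from and every delta query must be sent to that same DC.
"""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20030725000000.0Z' into a UTC datetime."""
    main, _, fraction = value.partition(".")
    if not fraction.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled: %r" % value)
    return datetime.strptime(main, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def delta_filter(last_usn):
    """LDAP filter selecting user objects changed since the stored mark.

    AD filters support >= but not >, hence last_usn + 1. Deleted users are
    not matched by this filter; seeing them needs the show-deleted control
    and (isDeleted=TRUE), which is outside this example.
    """
    return "(&(objectCategory=person)(objectClass=user)(uSNChanged>=%d))" % (last_usn + 1)


def changed_since(entries, last_usn):
    """Return (changed entries ordered by uSNChanged, new high-water mark)."""
    changed = [e for e in entries if int(e["uSNChanged"]) > last_usn]
    changed.sort(key=lambda e: int(e["uSNChanged"]))
    high = max([last_usn] + [int(e["uSNChanged"]) for e in entries])
    return changed, high


def classify(entry, last_usn):
    """'created' if the object itself is newer than the mark, else 'modified'."""
    return "created" if int(entry["uSNCreated"]) > last_usn else "modified"


def run_sync(state, dc, entries):
    """One nightly run against DC `dc`: return the action list and updated state.

    `state` maps DC name -> last uSNChanged seen on that DC (constructed here;
    a real job would persist it, e.g. next to the SQL table it maintains).
    """
    last_usn = state.get(dc, 0)
    changed, high = changed_since(entries, last_usn)
    actions = [(classify(e, last_usn), e["sAMAccountName"],
                parse_generalized_time(e["whenChanged"])) for e in changed]
    new_state = dict(state)
    new_state[dc] = high
    return actions, new_state


# Constructed sample data: what a delta query might return the morning after.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uSNCreated": 648965, "uSNChanged": 648965,
     "whenCreated": "20030725000000.0Z", "whenChanged": "20030725000000.0Z"},
    {"sAMAccountName": "bob", "uSNCreated": 120001, "uSNChanged": 651200,
     "whenCreated": "20020101120000.0Z", "whenChanged": "20030725141500.0Z"},
    {"sAMAccountName": "carol", "uSNCreated": 100010, "uSNChanged": 100010,
     "whenCreated": "20011115083000.0Z", "whenChanged": "20011115083000.0Z"},
]

if __name__ == "__main__":
    actions, state = run_sync({"dc1": 640000}, "dc1", SAMPLE_USERS)
    for action, name, when in actions:
        print("%-8s %-8s %s" % (action, name, when.isoformat()))
    print("next run on dc1 should use filter %s" % delta_filter(state["dc1"]))
```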


Re: [ActiveDir] Computer Management Snap in?

2003-07-25 Thread Richard Sumilang
Fuller,

You are right on the dot :-)

I turned on dynamic registration on the DNS server by going to DNS Snap-in - Forward Lookup Zones - MyServerName - MyDomainName, right clicked MyDomainName and clicked on properties and selected Yes from the allow dynamic updates drop down menu. I believe most or everyone's network cards here have checked Register this connection's address in DNS under their Advanced TCP/IP Settings, if that's what you are talking about with the dynamic registration.

I added a computer to the DNS manually, ex: Right clicked domain in DNS Snap-in and clicked add host... Added computer2 (which in turn equals computer2.mydomain.com) with IP of 192.168.0.16. I can now ping it from the command prompt and open it in the computer management snap-in BUT I have DHCP running on my network so the IP could probably be different tomorrow? Also, shouldn't there be an automated way of the DNS keeping track of all the computers joining the network so I don't have to manually input each of them?

- Richard S.

On Tuesday, July 22, 2003, at 10:06 PM, Fuller, Stuart wrote:

A... I think I may get it... ;)

So what you are doing is loading up the MMC, choosing Computer management, and then choosing connect to a computer.  And you fail when you use the FQDN for the computer in the connect box??  And you work when you put in the IP address or just the NetBIOS name??

Remembering your other posts about DNS, this is probably a DNS issue. FQDNs (e.g. my.pretty.good.network.com) are resolved by DNS.  NetBIOS names (e.g. my) are resolved by the WINS server or by local network segment broadcast.  If your DNS servers don't allow dynamic registration then your workstations will not be in the DNS and therefore not pingable/reachable by FQDN.

Can you ping the workstation from the MMC computer by FQDN? If not, then DNS registration is the issue.  You have to have a record in the DNS for the workstation for FQDN name resolution to work.  Otherwise you need to fall back to the other (e.g. WINS or network segment broadcast) forms of name resolution to reach the computer.  I believe the dynamic DNS issue was the gist of Jonathan Carr's message.  Are you running W2K DNS for your AD and your client workstations??  If so, check the allow dynamic registration and your W2K and XP workstations will automagically register and you can use the FQDN instead of the NetBIOS name.  Although I am usually much too lazy to type in the FQDN... :p

-Stuart Fuller
State of Montana

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 6:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Computer Management Snap in?

This is DHCP, Windows 2000, and I used (my) and not the FQN. The FQN is what doesn't seem to work :-\

Any suggestions?



On Tuesday, July 22, 2003, at 10:06  AM, Carr, Jonathan (OFT) wrote:

How can this be..  In # 2 you say you can map a drive using UNC (\\workstation\admin$) but you have a name resolution issue.   Don't make sense???
Is this DHCP

Is it windows 2000 or above

Try using just the name (my) and not the FQN (my.network.com)





-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Computer Management Snap in?


On Tuesday, July 22, 2003, at 08:29  AM, Fuller, Stuart wrote:

Other things to try:

1. Admin rights to workstation??
My account is a duplicate of the Administrator account but I can't
seem to access it but the administrator account can?

2. Is \\workstation\Admin$ share on workstation reachable?? - this is
a quick check to see if file sharing, name resolution, and security
is working.
Yes


3. Is my.network.net the actual machine name??
I have my domain pointed to my network and my is an actual computer
name (of course the above was just an example).

When I have seen this error it has usually been one of the following:
1. Machine off.  :P
It's on


2. File & Print sharing not turned up or corrupted.
File and print sharing is on but I don't think it's sharing anything


3. No admin rights or not enough rights to remotely connect/read
workstation.
Refer to number 1 on first set of questions


4. Name resolution failing (workstation not in DNS/WINS).
I don't see the workstation in the DNS and don't know where to check
the WINS. There is a DNS server running that points my domain to my
network but it's on my web server. I don't have to add each
workstation to that DNS do I?

5. Remote registry service turned off.
Don't know?


-Stuart

-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 5:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Management Snap in?
dumb question but can you ping it by name ??   If not, does it resolve to the correct IP ??

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: 

RE: [ActiveDir] Computer Management Snap in?

2003-07-25 Thread Carmila Fresco
Richard,

Have DHCP do your DNS registrations.  You might also want to set
scavenging on your DNS server to the same length of time as your DHCP
lease.


-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2003 3:31 PM
To: [EMAIL PROTECTED]


[ActiveDir] Do you allow users to add computers to AD themselves?

2003-07-25 Thread David Adner
We're having some internal debates at work and I'm curious how other people 
do it and their reasons.  I know authenticated users can add up to 10 
computers to AD, but do you leave it at that or restrict it to some type of 
admin group?



RE: [ActiveDir] Do you allow users to add computers to AD themselves?

2003-07-25 Thread Free, Bob
Restricted to various admin groups, permissions are delegated to OU/container for 
specific groups  

-Original Message-
From: David Adner [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 4:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do you allow users to add computers to AD
themselves?


We're having some internal debates at work and I'm curious how other people 
do it and their reasons.  I know authenticated users can add up to 10 
computers to AD, but do you leave it at that or restrict it to some type of 
admin group?



RE: [ActiveDir] Do you allow users to add computers to AD themselves?

2003-07-25 Thread Carmila Fresco
David,

For us, only IT staff is allowed to join computers to the domain and
also only company owned computers are allowed to join our domain. 


-Original Message-
From: David Adner [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2003 4:04 PM
To: [EMAIL PROTECTED]

We're having some internal debates at work and I'm curious how other
people do it and their reasons.  I know authenticated users can add up
to 10 computers to AD, but do you leave it at that or restrict it to
some type of admin group?







This email message may contain information that is confidential and proprietary to Babcock & Brown or a third party.  If you are not the intended recipient, please contact the sender and destroy the original and any copies of the original message.  Babcock & Brown takes measures to protect the content of its communications.  However, Babcock & Brown cannot guarantee that email messages will not be intercepted by third parties or that email messages will be free of errors or viruses.



[ActiveDir] Why not allow users to add computers to AD?

2003-07-25 Thread David Adner
Like I thought, most people seem to not allow normal users to add computers to 
AD.  I'm curious why.  For any specific concerns or just general precaution 
in wanting a more controlled Directory?



RE: [ActiveDir] Why not allow users to add computers to AD?

2003-07-25 Thread Rick Kingslan
It all relates to two very specific reasons in our company - secure control
of company assets (the network and AD) and liability.  We provide
specifically built computers to perform functions for our workers and we
also have a staff of people who are paid to maintain them.

I don't want anyone bringing just anything in and plugging just any computer
in (this also prevents, to a great degree, the rogue servers) without our
knowledge.  Also, the security of our environment I take very seriously -
and I can't control what's on the network and in AD if I let just anyone
with a logon add computers to it.  Finally, I can't, nor does the company
want to, be responsible for our workers' personal systems.   They can use
them at home - I don't want the liability of them at work.  Period.

That's the long and short of it.  :-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 25, 2003 7:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Why not allow users to add computers to AD?

Like I thought, most people seem to not allow normal users to add computers to
AD.  I'm curious why.  For any specific concerns or just general precaution
in wanting a more controlled Directory?



RE: [ActiveDir] Applying Group Policies

2003-07-25 Thread Darren Mar-Elia
Richard-
From the client computer, you can manually force a background refresh of policy using 
secedit.exe on Win2K (e.g. secedit /refreshpolicy machine_policy). However, if there 
are problems with the workstation processing policy, this won't really help much--you 
need to get to the root cause. There are a few things you can check on the problem 
computer. I've put together a little GPO troubleshooting FAQ that I posted on Mark 
Minasi's forum a while back, and I'm re-posting here. It's not a complete list, but it 
covers the most obvious stuff. Hope it helps. When it's a client-based problem like 
yours, #s 4, 5 & 6 below are the most likely routes. Also, if it's XP, and you find 
that certain policy is processed, but others, like Folder Redirection, are not, then 
you may have Fast Logon Optimization enabled. You can control this behavior, and 
turn it off, using the following Admin. Template policy:
Computer Configuration\Administrative Templates\System\Logon\ Always wait for the 
network at computer startup and logon=Enabled
 
Good Luck,
 
Darren
 
GPO Troubleshooting FAQ
 
1. Your AD domain controllers are not correctly registered in DNS. While it may not 
seem like there is any relationship between GPO and DNS, there is. In fact, your users may 
be able to authenticate to the domain just fine without DNS being healthy but GPOs 
will not process. GPO processing requires that the various SRV records related to LDAP 
be located in order to successfully complete. If you have determined that GPOs simply 
aren't being processed, check DNS first. Restart the Netlogon service on your DCs to 
refresh SRV registration.

2. You have No Override or Block Inheritance Set on a GPO or Container. Sometimes, we 
can cause our own problems. You can set a GPO as No Override, which means any 
downstream GPOs are simply not processed. Or, you can set an OU with Block 
Inheritance, which prevents upstream GPOs from being processed. Note that No Override 
overrides Block Inheritance in cases where both are in place. 

3. GPO synchronization is whacked. A GPO is composed of two pieces--the GPC that 
resides in AD under System\Policies and the GPT that resides in SYSVOL\Policies. These 
two pieces replicate by default from the PDC emulator DC to all other DCs in a domain. 
Each piece has a version number associated with it. If these version numbers are not 
in sync (i.e. the GPC doesn't get replicated at the same time as the GPT or 
vice-versa), then the GPO will not be processed. You can use tools like GPOTool, 
Replmon or the new GPMC to view out-of-sync GPOs. If you find them, check the event 
logs on the affected DCs for NTFRS or AD replication problems. If everything seems ok, 
you can always resort to manually copying files between SYSVOL folders, but it's not 
the best approach. Try changing something on the GPO again, which can trigger a change 
event.

4. GPOs don't get processed unless they change. This one trips up a lot of people. By 
default, GPOs are processed at machine startup and user logon. They are also processed 
in the background every 90 min. (with a randomizer) on member servers and workstations 
and every 5 min. on DCs. However, in all cases, a GPO is not processed unless 
something on it has changed. The client machine will keep a history of GPO versions in 
the registry and will compare them to existing GPOs during each processing cycle. If 
nothing changes on the GPO, it will not be processed each time unless you force it to 
via Administrative Template policy. The problem arises when people make changes to 
workstation or server configs and expect them to get cleaned up automatically via 
policy. It won't happen until the AD-based GPO changes unless you force it. 

5. Slow link detection prevents certain Policy from Processing
By default, if a client processing policy from a DC detects a slow link (500Kb/s) to 
that DC, then certain policy is not processed. This includes Software Installation and 
Folder Redirection policy. Therefore, if for some reason the client detects a slow 
link, these policies won't get processed. This can be confusing, since part of the 
policy is being processed. You can change the default slow link threshold via Admin. 
Template policy (Computer Configuration|Admin. Templates|System|Group Policy) if you 
find this happening. You can also verify if a slow link is being detected by enabling 
verbose userenv.log logging (see #6 below).

6. I can't figure out what's happening during GPO processing. There are a number of 
ways to log the GPO processing operation. First off, the RSoP Logging (aka GPO 
Results) tools in XP, Server 2003 and GPMC use WMI to report what policy settings 
were applied to a given workstation or user. This gives you the effective policy, 
assuming everything worked well. If there are problems with GPO processing, they are 
generally logged to the Application event log on the client or in a log file called 
%systemroot%\debug\usermode\userenv.log. You can 
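
One way to check FAQ item 3 (GPC versus GPT version numbers) per DC from PowerShell, as an added example that is not part of Darren's post or his FAQ. It assumes the ActiveDirectory module (RSAT) is installed and the account can read the GPO container in AD and the GPT.INI file in SYSVOL; the GPO display name and DC host name are parameters you supply.

```powershell
# Added example (not from the FAQ above). A GPO's versionNumber in AD (the GPC)
# and the Version= line in SYSVOL\...\GPT.INI (the GPT) pack two 16-bit
# counters into one 32-bit value: low word = Computer settings, high word =
# User settings. The GPO stalls on any DC where the two copies disagree.
Import-Module ActiveDirectory

function Split-GpoVersion {
    param([Parameter(Mandatory)][uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Test-GpoVersionSync {
    param(
        [Parameter(Mandatory)][string]$DisplayName,   # e.g. 'Default Domain Policy'
        [Parameter(Mandatory)][string]$Server         # DC to inspect; run once per DC
    )
    $domain = Get-ADDomain -Server $Server
    # GPC: the groupPolicyContainer object under CN=Policies,CN=System
    $gpc = Get-ADObject -Server $Server `
        -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
        -LDAPFilter "(&(objectClass=groupPolicyContainer)(displayName=$DisplayName))" `
        -Properties versionNumber, gPCFileSysPath
    if (-not $gpc) { throw "No GPO named '$DisplayName' found on $Server" }
    $gpcVersion = [uint32](([int64]$gpc.versionNumber) -band 0xFFFFFFFF)

    # GPT: read GPT.INI from this DC's own SYSVOL share rather than the domain
    # DFS root, so replication lag on this particular DC becomes visible.
    $gptPath = $gpc.gPCFileSysPath -replace '^\\\\[^\\]+', "\\$Server"
    $ini = Get-Content -Path (Join-Path $gptPath 'GPT.INI') -Raw
    if ($ini -notmatch '(?m)^Version=(\d+)') { throw "No Version= line in $gptPath\GPT.INI" }
    $gptVersion = [uint32]$Matches[1]

    $gpcSplit = Split-GpoVersion $gpcVersion
    $gptSplit = Split-GpoVersion $gptVersion
    [pscustomobject]@{
        GPO         = $DisplayName
        Server      = $Server
        GpcComputer = $gpcSplit.Computer
        GptComputer = $gptSplit.Computer
        GpcUser     = $gpcSplit.User
        GptUser     = $gptSplit.User
        InSync      = ($gpcVersion -eq $gptVersion)
    }
}

# Compare every DC's view of one GPO; a DC reporting InSync = $false is the
# one whose NTFRS / AD replication event logs to check next.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-GpoVersionSync -DisplayName 'Default Domain Policy' -Server $_.HostName } |
    Format-Table -AutoSize
```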

RE: [ActiveDir] Failed SP4 install on a DC

2003-07-25 Thread Jb Leney
Excellent, thanks Robbie. I'll use a new hostname. 

Thanks for the KB articles too. 

-Jbl



-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2003 4:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Failed SP4 install on a DC

It is safe, but before you re-promote it, you'll need to remove the objects
in AD that are associated with the previous build.  Unfortunately you can't
simply reuse the DC-related objects in AD after rebuilding.  The safest
option is to use a different host name for the new build to ensure nothing
gets confused.  

Here are the relevant MS KB articles:

MS KB 216498 (HOW TO: Remove Data in Active Directory After an Unsuccessful
Domain Controller Demotion)

MS KB 332199 (Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion
of Active Directory Domain Controllers)

Regards,
Robbie Allen
http://www.rallenhome.com/


-Original Message-
From: Jb Leney [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2003 3:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Failed SP4 install on a DC


Hi All. Recently installed SP4 on a DC. Unfortunately the system won't boot
now. Performed some troubleshooting, but as there were other issues with the
system, I would just like to reinstall the OS and start from scratch. 
Is it safe enough to 1) Reinstall the OS 2) Perform Windows Updates, etc 3)
Give system old name and IP 4) Run DCPROMO. 
Luckily this box held no operations master roles. 
Any advice would be greatly appreciated. 
Thanks! 


[ActiveDir] Windows 2000 VPN

2003-07-25 Thread Richard Sumilang
Ok here's the deal. I set up Microsoft's VPN Service with the wizard 
provided when going to the Routing and Remote Access program. I thought 
just following that and testing that the client connects fine is all I 
needed to do. I set the router to forward all data coming from port 
1723 to the server also. I just got home, start up my personal computer 
running Windows 2000 and create a VPN connection to the office and it 
connected and authenticated my user information fine.

Now here's the problem, I thought when I VPN into a network it is like 
actually physically being there with your computer so thus I should be 
able to ping and connect to shared files on the network but I can't? I 
don't see anything?!?!?!?! All I get is this little monitor connection 
sitting in my system tray saying that I am connected. I also thought it 
would be interesting to check the IP I am when I go to the internet and 
it gave the office's IP http://www.whatismyip.com/ and my internet IP 
when I disconnect so thus I know something is working.

Can anyone help me with this problem? I want to be able to see all the 
computers on the network, ping them, and access shares.

Thanks
- Richard S.


RE: [ActiveDir] Do you allow users to add computers to AD themselves?

2003-07-25 Thread Joe
We allow local site admins to create and join workstations. We require
them to submit tickets to the domain admins to create server objects. We
have a script that scans the domains and if we find server objects in
workstation OUs (i.e. not created by the domain admins) we put them in
jail - i.e. an OU only enterprise admins have access to and wipe the ACL
on the server object and disable it. It prevents them from using it and
reusing the name. Also if we find workstations not following the
standards we jail them as well. 


  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 25, 2003 7:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do you allow users to add computers to AD
themselves?


We're having some internal debates at work and I'm curious how other
people 
do it and their reasons.  I know authenticated users can add up to 10 
computers to AD, but do you leave it at that or restrict it to some type
of 
admin group?

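The scan-and-jail routine Joe describes, written out as an added PowerShell example (this is not Joe's script). It assumes the ActiveDirectory module, an OU named Workstations where site admins may join machines, a Jail OU that only Enterprise Admins have rights on, a hypothetical workstation naming standard, and that a server is recognised by its operatingSystem attribute; all four are assumptions, not anything the post states.

```powershell
# Added example, not Joe's script. Finds server objects that were created in
# a workstation OU (i.e. not by the domain admins) plus workstations that
# break the naming standard, then jails them: move to a locked-down OU,
# strip the explicit ACL so only the Jail OU's inherited rights apply, and
# disable the account so the machine can neither use nor re-use the name.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName
$WorkstationOU = "OU=Workstations,$domainDN"   # assumed: where site admins may join machines
$JailOU        = "OU=Jail,$domainDN"           # assumed: only Enterprise Admins have rights here
$NamePattern   = '^WS-[A-Z]{3}-\d{4}$'          # assumed (hypothetical) workstation naming standard

function Find-NonCompliantComputers {
    param([string]$SearchBase = $WorkstationOU, [switch]$IncludeNamingViolations)
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties operatingSystem
    foreach ($c in $computers) {
        $reasons = @()
        if ($c.operatingSystem -like '*Server*') { $reasons += 'server OS in workstation OU' }
        if ($IncludeNamingViolations -and $c.Name -notmatch $NamePattern) { $reasons += 'name violates standard' }
        if ($reasons) { [pscustomobject]@{ Computer = $c; Reasons = ($reasons -join '; ') } }
    }
}

function Invoke-ComputerJail {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)
    process {
        $c = $Finding.Computer
        if (-not $PSCmdlet.ShouldProcess($c.DistinguishedName, "jail ($($Finding.Reasons))")) { return }
        Disable-ADAccount -Identity $c
        $moved = Move-ADObject -Identity $c.DistinguishedName -TargetPath $JailOU -PassThru
        # Wipe the ACL: drop every explicit ACE on the object but keep inheritance,
        # so the Jail OU's (Enterprise Admins only) permissions are all that remain.
        $path = "AD:\$($moved.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        Set-Acl -Path $path -AclObject $acl
        Write-Verbose "Jailed $($c.Name): $($Finding.Reasons)"
    }
}

# Dry run first (-WhatIf lists what would be jailed), then run it for real.
Find-NonCompliantComputers -IncludeNamingViolations | Invoke-ComputerJail -WhatIf
```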


RE: [ActiveDir] Windows 2000 VPN

2003-07-25 Thread Rick Kingslan
Richard,

Need to know a bit more about how the VPN is connected, routing, size of the
network, switched, routed, etc.  Just having a VPN server on the network MAY
NOT give you access to everything there - unless the routing and ACLs on the
routers/switches are configured to allow such.

However, I am glad to hear that the VPN is working and that the PPTP config
helped.  I hope that I was of some assistance on getting that done, and hope
I can continue to be of assistance on this.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Friday, July 25, 2003 9:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 VPN

Ok here's the deal. I set up Microsoft's VPN Service with the wizard provided
when going to the Routing and Remote Access program. I thought just
following that and testing that the client connects fine is all I needed to
do. I set the router to forward all data coming from port
1723 to the server also. I just got home, start up my personal computer
running Windows 2000 and create a VPN connection to the office and it
connected and authenticated my user information fine.

Now here's the problem, I thought when I VPN into a network it is like
actually physically being there with your computer so thus I should be able
to ping and connect to shared files on the network but I can't? I don't see
anything?!?!?!?! All I get is this little monitor connection sitting in my
system tray saying that I am connected. I also thought it would be
interesting to check the IP I am when I go to the internet and it gave the
office's IP http://www.whatismyip.com/ and my internet IP when I disconnect
so thus I know something is working.

Can anyone help me with this problem? I want to be able to see all the
computers on the network, ping them, and access shares.

Thanks
- Richard S.



RE: [ActiveDir] Do you allow users to add computers to AD themselves?

2003-07-25 Thread Rick Kingslan
Too cool.  I like this A LOT!

And, *I'd* get fired in a heartbeat for doing it! :-D

But, I still LIKE IT!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, July 25, 2003 10:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do you allow users to add computers to AD
themselves?

We allow local site admins to create and join workstations. We require them
to submit tickets to the domain admins to create server objects. We have a
script that scans the domains and if we find server objects in workstation
OUs (i.e. not created by the domain admins) we put them in jail - i.e. an
OU only enterprise admins have access to and wipe the ACL on the server
object and disable it. It prevents them from using it and reusing the name.
Also if we find workstations not following the standards we jail them as
well. 


  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 25, 2003 7:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do you allow users to add computers to AD themselves?


We're having some internal debates at work and I'm curious how other people
do it and their reasons.  I know authenticated users can add up to 10
computers to AD, but do you leave it at that or restrict it to some type of
admin group?
