[ActiveDir] GPO Issue...
All,

AD GPO issues. Have the dreaded Event ID 1030/1058 issues. DCs are Windows 2003 and clients XP SP1. The DCs had the issue but I was able to resolve it using dfsutil /PurgeMupCache; they have been clean for a week now... The XP SP1 clients however still have the error messages, and I have done the following on the server side:

* Made sure the DFS Service is running.
* Made sure the TCP/IP NetBIOS Service is running.

On clients:

* Made sure the TCP/IP NetBIOS Service is running.
* Made sure the WMI Performance Adapter Service is running.

In addition to the above I ran NETDIAG and tested replication on the DCs (no errors). I ran GPRESULT from the XP SP1 workstation, which implied that the policies were applied; however, if I run GPUPDATE /FORCE from the same workstation the 1030 and 1058 errors return... It always seems to be on the one policy, which is my Global User Settings one. I deleted the old policy and re-created a new one and get the same error on what is in essence the same policy but with a different GUID. I also ran Group Policy Results from the GPMC, which insinuated that the network location cannot be reached. I also tried the patch in Q329170 and as a last resort even installed XP SP2 on one of the workstations.

One thing I have not done is change the settings below in our DC GPO all to Disabled:

* Network Client: Digitally Sign Client Communications Always - Disabled
* Network Client: Digitally Sign Client Communications (If Server Agrees) - Enabled
* Network Server: Digitally Sign Client Communications Always - Disabled
* Network Server: Digitally Sign Client Communications (If Server Agrees) - Enabled

Not sure if it is a DNS/DFS issue: if I run \\FQDN\Sysvol from the XP SP1 workstation I get a "network location cannot be reached" error; however, if I do this from the DNS server, which is a DC, I get a return... I can ping the FQDN and NetBIOS names to the right IP on the XP SP1 workstations... Any help would be appreciated...
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 18/08/2004
Time: 3:52:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BRIL-DEV-3
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 18/08/2004
Time: 3:52:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BRIL-DEV-3
Description: Windows cannot access the file gpt.ini for GPO cn={6A9D1B3F-6298-46CA-B2E4-2F2DC898BF66},cn=policies,cn=system,DC=test,DC=com. The file must be present at the location \\upstream.originenergy.com.au\SysVol\upstream.originenergy.com.au\Policies\{6A9D1B3F-6298-46CA-B2E4-2F2DC898BF66}\gpt.ini. (The network location cannot be reached. For information about network troubleshooting, see Windows Help.). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

James Blair
RE: [ActiveDir] kdc event 7
All events were logged on a single server (which, as I think might be relevant, is the PDCE?). There were entries for all the DCs in the domain, and I suppose all these must be related to the NT4 trust, as wouldn't they have a secure channel to a DC belonging to the domain with which trust was lost?? Thanks for your help.

GT

----- Original Message -----
From: joe
Date: Tue, 17 Aug 2004 11:05:09 -0400
To:
Subject: RE: [ActiveDir] kdc event 7

Is the host machine listed in the error in any way related to the NT4 trust? Are you seeing this with multiple machines or are they all for the same machine?

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] kdc event 7

Whole load of identical events as below:

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was HOST/serverfqdn and lookup type 0x48.

Have read somewhere in my trawling around of this regarding issues of I should definitely have included in my original post that the timing of these events is approx. 26 hours after we initiated forestprep (ex2k3) - took the view that unless we have issues of latency of replication (26 hours would be this for me, and we did verify replication of the schema partition) that this was in fact unrelated??

GT

----- Original Message -----
From: Tony Murray
Date: Mon, 16 Aug 2004 08:49:51 -0400
To:
Subject: Re: [ActiveDir] kdc event 7

Can you send a copy of the whole event? I guess you've read the following KB article already?

http://support.microsoft.com/default.aspx?scid=kb;[LN];812499

Tony

----- Original Message -----
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 16 Aug 2004 11:49:16 +

Was wondering if the list had any documentation of the event ID 7 that is logged by the KDC - to say the least, information on this is sparse for what looks to be a relatively serious error, as it certainly had the effect of bringing down trusts with downlevel NT4 domains.

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] w2k authoritative restore
Guido, I appreciate this is going into what seem to be the murky depths of AD, but would you be able to expand on this concept of version number? It must relate somehow to replication, which I thought to be based on USNs?

GT

----- Original Message -----
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Tue, 17 Aug 2004 17:35:37 +0200
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] w2k authoritative restore

> small correction: it's not the USNs that are increased = it's the version number
>
> and as far as I understand it, an object won't inherit an attribute until it's used the first time - so only attributes which are populated for an object will have a version number in the first place.
>
> maybe Brett can confirm this.
>
> As such, a previously unused attribute can't be auth. restored (unless you eliminate all occurrences in the domain/forest - which is equal to a domain/forest recovery)
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, August 17, 2004 12:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] w2k authoritative restore
>
> Guido, thanks for post reply
>
> full recovery of the domain is what I have fallen back to -
>
> was looking for a sanity check on this issue of authoritative (or not so, as it seems) restore
>
> is it a fair qu to ask though how the directory service resolves this issue of replication of attribute data that is blank (but which should have a higher USN by virtue of the authoritative restore) and that which has been populated but has a lower USN
>
> does it somehow use a system of a null USN for an attribute that has no data and which can be overwritten ??
>
> GT
>
> ----- Original Message -----
> From: Grillenmeier, Guido
> Date: Tue, 17 Aug 2004 11:57:32 +0200
> To:
> Subject: RE: [ActiveDir] w2k authoritative restore
>
> sounds like you need a forest (or full domain) recovery if you screw up with the ADC... - how many DCs per domain do you have?
>
> btw - the logic of merging data gets a new touch when you auth. restore groups in Win2003: once you're at 2003 forest-functional-level (LVR enabled) and you wish to restore a group authoritatively, you'll also find members that were added to the group after the backup will re-populate into the auth-restored group, since with LVR the members are replicated separately as well... In this case, I usually prefer this merge feature, as this will guarantee you to get the group back to a most up to date state (unless a specific script, virus, stupid admin or whatever process accidentally populated all your groups with garbage data...)
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, August 16, 2004 8:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] w2k authoritative restore
>
> Auth restore will auth restore attributes that _exist_ in the backup as they were at the time of backup, but not auth restore attributes that didn't exist. Ergo it kind of works as a merge of old attributes that were set and new attributes that were set post backup.
>
> ... So is the CA data perhaps in attributes that are not set on the backup objects?
>
> Further, like we merge the attributes that are auth restored over any existing ones, we also merge in objects as well. So a new object post backup will not get auth restored (i.e. the closest thing would be to delete the new object)
>
> Just grasping at straws, don't know much specifics about CA or ADC.
>
> Cheers,
> Brett Shirley (msft)
> AD Developer
>
> On Mon, 16 Aug 2004 [EMAIL PROTECTED] wrote:
>
> dear all, sorry to bomb the list with queries, but was hoping to get a heads up on this issue of authoritative restore subsequent to a directory modification using ADC
>
> we are testing the procedure of rollback of a domain that has been modified using an ADC connection agreement
>
> I have a backup set taken prior to the processing of the ADC CA and can confirm the successful restore of a DC to the prior state. (no email address in the user objects, no CA objects etc)
>
> despite the fact that this data is restored authoritatively, as soon as the restored DC is attached to the network with its DS started, the data prior to the CA processing is overwritten with the data from another server
>
> have followed what seems to be a simple process of auth restore;
>
> 1. boot into DS restore
> 2. restore system state and c: using the
RE: [ActiveDir] GPO Issue...
All,

Further development: it is not a DNS/DFS issue. It seems as though some attribute in my XP Workstation Baseline GPO is causing this issue; other workstations in the domain can access \\FQDN\Sysvol. Will try and nut it out further...

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 August 2004 5:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO Issue...
RE: [ActiveDir] w2k authoritative restore
Well, first GT, below I think you're thinking of version numbers, not USNs, like Guido said. Both are used in replication, but for different purposes. USNs are strictly used for determining _what to replicate_, never _what wins in a replication conflict_. Replication conflicts are decided by version numbers + other junk if version numbers are equal. With version numbers (which is what gets bumped when you auth restore, not USNs*), an unset attribute has none, and as such loses to any other change with a set version number.

* USNs may change, but they're not bumped up by a large amount; they're just incremented from the last max USN (simplification).

The meta-data attribute for an AD object (you can see it through repadmin /showobjmeta (or in older repadmin use just /showmeta)) is a sparse format, meaning we only set meta-data rows** for attributes set on the object.

** They're not really DB rows, but in repadmin they come out as rows in a table.

When we auth restore we only bump versions on attributes represented in the meta-data; this is why you get the merge behavior: if an attribute was never set before backup, then having no version will lose to even a version 1 attribute set post backup. If we set meta-data elements for all attributes, for unset attributes just to get a delete of the attribute to win (remember there are 100s of unset attributes), you could experience like 5k+ bloat per object. Administrators would be very unhappy about that.

Well, that scratches the surface enough, I hope? I think this is probably all documented in the Win2k Distributed Systems Guide, if you've the patience to read a 1600 page volume like that.

Cheers,
Brett Shirley (msft)
(I guess today) the auth restore dev

On Wed, 18 Aug 2004 [EMAIL PROTECTED] wrote:

> Guido, I appreciate this is going into what seem to be the murky depths of AD but would you be able to expand on this concept of version number - it must relate somehow to replication which I thought to be based on USNs?
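Brett's point about sparse meta-data and version-number conflict resolution, as an added toy model (not code from the thread or from Microsoft): two DCs, one object, post-backup writes on the second DC, then an authoritative and a non-authoritative restore of the first. Values are constructed; the bump constant, the tie-break and the USN handling after a restore are labelled simplifications.

```python
# Toy model of AD replication conflict resolution around an authoritative restore.
# Constructed example, not real AD code. Simplifications: the version bump is a
# constant (the real one scales with days since backup), the tie-break uses the
# originating DC name (real AD uses timestamp, then invocation ID), and a restore
# does not roll back the local USN counter.
import copy
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AUTH_RESTORE_BUMP = 100_000


@dataclass
class Meta:
    value: Optional[str]   # None would model a removal; a removal still has a row
    version: int           # decides conflicts
    usn: int               # local write sequence: decides only what gets shipped
    originating_dc: str


def wins(incoming: Meta, local: Meta) -> bool:
    """Higher version wins; equal versions fall to a tie-break. USNs are never consulted."""
    if incoming.version != local.version:
        return incoming.version > local.version
    return incoming.originating_dc > local.originating_dc


class DC:
    def __init__(self, name: str) -> None:
        self.name = name
        self.usn = 0
        self.obj: Dict[str, Meta] = {}   # sparse: only attributes ever written have a row

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def write(self, attr: str, value: Optional[str]) -> None:
        """Originating write: version is the local row's plus one, or 1 for a new row."""
        old = self.obj.get(attr)
        self.obj[attr] = Meta(value, old.version + 1 if old else 1, self._next_usn(), self.name)

    def restore_backup(self, backup: Dict[str, Meta], authoritative: bool) -> None:
        """Put the object back as it was in the backup.
        Authoritative: bump the version of every row present in the backup's meta-data.
        An attribute with no row gets no version, so it cannot beat even a version-1
        write made after the backup; that is the merge behaviour Brett describes.
        """
        self.obj = copy.deepcopy(backup)
        if authoritative:
            for meta in self.obj.values():
                meta.version += AUTH_RESTORE_BUMP
                meta.usn = self._next_usn()
                meta.originating_dc = self.name

    def changes_since(self, usn: int) -> Dict[str, Meta]:
        return {a: m for a, m in self.obj.items() if m.usn > usn}

    def apply_inbound(self, attr: str, incoming: Meta) -> bool:
        """Inbound replication of one attribute; returns True if the local row changed."""
        local = self.obj.get(attr)
        if local is None or wins(incoming, local):
            self.obj[attr] = Meta(incoming.value, incoming.version, self._next_usn(),
                                  incoming.originating_dc)
            return True
        return False


def replicate(src: DC, dst: DC, watermark: int) -> int:
    """Ship src's rows with USN above dst's watermark for src; return the new watermark."""
    for attr, meta in src.changes_since(watermark).items():
        dst.apply_inbound(attr, meta)
    return src.usn


def run_scenario(authoritative: bool) -> Dict[str, Dict[str, Tuple[Optional[str], int]]]:
    """The thread's ADC case: backup, post-backup writes on another DC, restore, reattach."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.write("cn", "jdoe")
    dc1.write("displayName", "John Doe")
    wm_1to2 = replicate(dc1, dc2, 0)
    backup = copy.deepcopy(dc1.obj)           # system state backup taken at this point
    # After the backup, a connection agreement populates mail and edits displayName on DC2.
    dc2.write("displayName", "John Doe (Sales)")
    dc2.write("mail", "jdoe@example.test")
    replicate(dc2, dc1, 0)
    # DC1 is restored from the backup and reattached to the network.
    dc1.restore_backup(backup, authoritative)
    replicate(dc1, dc2, wm_1to2)
    # DC1's knowledge of DC2 rolled back with the backup, so DC2 re-sends everything.
    replicate(dc2, dc1, 0)
    return {dc.name: {a: (m.value, m.version) for a, m in dc.obj.items()} for dc in (dc1, dc2)}


if __name__ == "__main__":
    for auth in (True, False):
        print("authoritative" if auth else "non-authoritative", run_scenario(auth)["DC2"])
```

The authoritative run ends with the restored displayName on both DCs but the post-backup mail attribute still present (the merge GT observed); the non-authoritative run is overwritten entirely by DC2's newer versions.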
RE: [ActiveDir] GPO to copy a file to all machines
I am using this to distribute a screensaver also (machine startup VBS script). I am having a problem however. I think I know what it is, but I am not sure how to fix it. I have the screensaver sitting in the NETLOGON folder of my DC, and I am trying to copy from that location to the users' %systemroot%\System32\, but it doesn't copy the file. If I run the script manually (note, I am a member of the Domain Admin group) the file copies over, but it doesn't copy during startup. Does the SYSTEM user have read rights to the NETLOGON folder? If not, and I place the file in the policy's folder along with the .vbs (which is already there I should note), is there an environment variable that refers to this location or an easy way to specify this location for the file copy? For instance, if I do not specify a location, does the script first check the directory it is located in?

Here is the subroutine in my vbs:

    '=============================
    ' CheckScrSaver
    '=============================
    Public Sub CheckScrSaver()
        ' On Error Resume Next
        Dim strFile, strSrc, strDst
        ' fso (a Scripting.FileSystemObject), strDC and strSysRoot are set earlier in the script
        strFile = "NBHSecuritySCR.scr"
        strSrc = strDC & "\NETLOGON\" & strFile
        strDst = strSysRoot & "\System32\"
        If fso.FileExists(strDst & strFile) Then
            ' Proceed: the screensaver is already in place
        Else
            fso.CopyFile strSrc, strDst, True
        End If
    End Sub

Thank you,

Mitchell D. Lawrence
Director, Network Administrator
ITS Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)
** Good | Cheap | Fast (Pick Two) **

-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, August 17, 2004 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO to copy a file to all machines

MSI has the advantage of a) not running on every boot b) fixing anything that gets deleted, corrupted, etc. I'd spend the extra 5 minutes and make the MSI, personally.

--Brian

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tue 8/17/2004 10:15 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] GPO to copy a file to all machines

I don't have an example but I would recommend doing this in the computer startup scripts. Just have the script pull the file from wherever. At this point you are running as localsystem of the machine, so you will have the perms to put it anywhere on the box you like, and it will be done before the user logs on.

Computer Configuration | Windows Settings | Scripts (Startup/Shutdown)

Copy the files to the GPO's startup folder (click on Show Files on the interface to open an explorer window to the location) and specify the script/batch file you want to run. You could add the screen saver file to that folder as well.

I guess you could do an install package as well but that might be overkill.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Tuesday, August 17, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO to copy a file to all machines

Does anyone have an example of using a GPO to copy a file to all machines? I have a screen saver I am supposed to distribute across the organization and really don't want to do it manually.

Thanks.
[ActiveDir] Access Denied causing replication errors
I am new to this mailing list and I am definitely a novice in comparison, so forgive my ignorance. I am receiving tons of 13508, 13562, and 3034 event log errors on one of my domain controllers. I found that I was receiving access denied errors when trying to replicate by using dcdiag or one of those many admin tools. I think it might have something to do with the fact that we renamed the administrator account to "Rick James" out of fear that one of the students obtained the domain admin credentials. I tried to use the netdom utility to reset the computer account password on the PDC emulator as stated in the Active Directory Operations guide, only to get errors, i.e.

    netdom resetpwd /server:<PDC emulator name> /userid:domain\administrator /password:*

I am unable to put Rick James where administrator is because, to me, it doesn't seem to know how to treat the space between Rick and James. I am starting to wonder if I am on the right track at all and am also scared of renaming the domain admin account ever again. Any help would be greatly appreciated.

Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools
[ActiveDir] OT: Terminal Services Local Printer issues
Hi All,

Sorry, I know this is off topic and I'm in a hurry to get a resolution to an issue that is driving me mad. I have little experience with TS so stick with me :O)

A user logs on to Terminal Server 2003 and her local printer on her own desktop is not reflected in the Terminal Server session. It worked until this morning. I can't see anything strange in any logs.

Any ideas?

BR
Rob
RE: [ActiveDir] OT: Terminal Services Local Printer issues
Do you have "Connect Client Printers at logon" checked in the "Environment" tab in ADUC?

Paul Cotter
Microsoft MVP - MIIS 2003
~nodisc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, August 18, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Terminal Services Local Printer issues
RE: [ActiveDir] GPO to copy a file to all machines
When I tested this a while back, the scripts extension will impersonate the machine account to get access to network resources--so the machine account (or Authenticated Users will work) will need at least read access to the Netlogon share (which they should have, btw). Can you verify that the script is even running during startup? You might want to put some logging into that script at specific stages just to see where it's failing and what the message might be. Also, you've got "On error, resume next" at the beginning but you don't trap for any errors that may be occurring. Putting this statement in the beginning without trapping for anything has the effect of having the script ignore any errors that might otherwise pop up, so I'd either remove that statement or add some error handling.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Wednesday, August 18, 2004 7:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO to copy a file to all machines
[ActiveDir] Domain and Forest Functional Levels
Using VBScript, I would like to pull the domain and forest functional levels in a mixed 2000 and 2003 forest. What attributes am I looking for?

Thanks

Mark Hocraffer
Rockwell Collins
RE: [ActiveDir] GPO to copy a file to all machines
The script is running, as I have it also distributing a GPC.DAT file from a virus server (I am changing parent servers on Symantec). The files in that subroutine distribute ok. I am at a loss as to why it is not distributing the .scr. I have the error submerge commented out. I will throw in some echos for feedback into the script and see if I can locate the problem. Any other ideas or specific scripting I can use to trap errors?

Thank you,
Mitchell D. Lawrence
Director, Network Administrator
ITS Department, North Bay Hospital
1711 W. Wheeler Ave, Aransas Pass, TX 78336
ph: (361) 758-0580 fx: (361) 758-0581 pg: (361) 270-0421
** Good | Cheap | Fast (Pick Two) **

-----Original Message-----
From: Darren Mar-Elia
Posted At: Wednesday, August 18, 2004 9:50 AM
Subject: RE: [ActiveDir] GPO to copy a file to all machines

When I tested this a while back, the scripts extension will impersonate the machine account to get access to network resources, so the machine account (or Authenticated Users will work) will need at least read access to the Netlogon share (which they should have, btw). Can you verify that the script is even running during startup? You might want to put some logging into that script at specific stages just to see where it's failing and what the message might be. Also, you've got "On Error Resume Next" at the beginning but you don't trap for any errors that may be occurring. Putting this statement in the beginning without trapping for anything has the effect of having the script ignore any errors that might otherwise pop up, so I'd either remove that statement or add some error handling.

-----Original Message-----
From: DL.ActiveDirectory
Sent: Wednesday, August 18, 2004 7:08 AM
Subject: RE: [ActiveDir] GPO to copy a file to all machines

I am using this to distribute a screensaver also (machine startup .vbs script). I am having a problem however. I think I know what it is, but I am not sure how to fix it. I have the screensaver sitting in the NETLOGON folder of my DC, and I am trying to copy from that location to the user's %systemroot%\System32\, but it doesn't copy the file. If I run the script manually (note, I am a member of the Domain Admins group) the file copies over, but it doesn't copy during startup. Does the SYSTEM user have read rights to the NETLOGON folder? If not, and I place the file in the policy's folder along with the .vbs (which is already there I should note), is there an environment variable that refers to this location or an easy way to specify this location for the file copy? For instance, if I do not specify a location, does the script first check the directory it is located in? Here is the subroutine in my vbs:

    '=
    ' CheckScrSaver
    '=
    ' strDC, strSysRoot and fso are set elsewhere in the script
    Public Sub CheckScrSaver()
        ' On Error Resume Next
        Dim strFile, strSrc, strDst
        strFile = "NBHSecuritySCR.scr"
        strSrc = strDC & "\NETLOGON\" & strFile
        strDst = strSysRoot & "\System32\"
        If fso.FileExists(strDst & strFile) Then
            ' Proceed
        Else
            fso.CopyFile strSrc, strDst, True
        End If
    End Sub

Thank you,
Mitchell D. Lawrence

-----Original Message-----
From: Brian Desmond
Sent: Tuesday, August 17, 2004 9:19 PM
Subject: RE: [ActiveDir] GPO to copy a file to all machines

MSI has the advantage of a) not running on every boot b) fixing anything that gets deleted, corrupted, etc. I'd spend the extra 5 minutes and make the MSI, personally.
--Brian

-----Original Message-----
From: joe
Sent: Tue 8/17/2004 10:15 AM
Subject: RE: [ActiveDir] GPO to copy a file to all machines

I don't have an example but I would recommend doing this in the computer startup scripts. Just have the script pull the file from wherever. At this point you are running as LocalSystem of the machine so you will have the perms to put it anywhere on the box you like and will be done before the user logs on. Computer Configuration | Windows Settings | Scripts (Startup/Shutdown). Copy the files to the GPO's startup folder (click on Show Files on the interface to open an explorer window to the location) and specify the script/batch file you want to run. You could add the screen saver file to that folder as well. I
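The error trapping Darren describes, as an added example that is not Mitchell's script or anything posted in this thread: a startup-script copy routine that logs each step and checks Err right after the copy instead of letting On Error Resume Next swallow the failure. The domain DFS path \\example.com, the log file location and the file name are assumptions.

```vbscript
' Added example (not the poster's script): a machine-startup copy routine
' with the per-step error check Darren recommends. Share, file and log
' paths are assumptions.
Option Explicit
On Error Resume Next

Dim fso, shell, strDC, strSysRoot, strLog
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
strSysRoot = shell.ExpandEnvironmentStrings("%SystemRoot%")
strLog = strSysRoot & "\Temp\startup-copy.log"          ' assumed log location

' %LOGONSERVER% is typically not set for a startup script running as
' LocalSystem, so fall back to the domain DFS root (assumed domain name),
' which any DC serves.
strDC = shell.ExpandEnvironmentStrings("%LOGONSERVER%")
If strDC = "%LOGONSERVER%" Or strDC = "" Then strDC = "\\example.com"

Sub WriteLog(msg)
    Dim f
    Set f = fso.OpenTextFile(strLog, 8, True)           ' 8 = ForAppending
    f.WriteLine Now & " " & msg
    f.Close
End Sub

' With On Error Resume Next in force, Err is the only signal a step failed;
' capture it immediately, then clear it so the next step starts clean.
Function Failed(stepName)
    Dim n, d
    n = Err.Number
    d = Err.Description
    Err.Clear
    Failed = (n <> 0)
    If Failed Then WriteLog stepName & " failed: 0x" & Hex(n) & " " & d
End Function

' Copy strFile from NETLOGON into strDstDir unless it is already there.
' Returns True on success or nothing-to-do, False on any failure.
Function CopyFromNetlogon(strFile, strDstDir)
    Dim strSrc
    CopyFromNetlogon = False
    strSrc = strDC & "\NETLOGON\" & strFile
    If fso.FileExists(strDstDir & strFile) Then
        WriteLog strFile & " already present in " & strDstDir
        CopyFromNetlogon = True
        Exit Function
    End If
    ' FileExists does not raise on an unreachable or unreadable share; it
    ' just returns False, so a missing source is reported here, not via Err.
    If Not fso.FileExists(strSrc) Then
        WriteLog "source not found or not readable: " & strSrc
        Exit Function
    End If
    fso.CopyFile strSrc, strDstDir, True
    If Failed("CopyFile " & strSrc) Then Exit Function
    WriteLog "copied " & strSrc & " to " & strDstDir
    CopyFromNetlogon = True
End Function

' Startup scripts run as LocalSystem (the computer account on the network),
' so the copy can write into System32; the NETLOGON share ACL is what decides
' who can put a file there in the first place.
WriteLog "startup script running as " & shell.ExpandEnvironmentStrings("%USERNAME%")
If Not CopyFromNetlogon("NBHSecuritySCR.scr", strSysRoot & "\System32\") Then
    WriteLog "screensaver copy did not complete; see errors above"
End If
```

Assign it as a computer startup script and read the log after a reboot: a share the computer account cannot read shows up as "source not found", a failed CopyFile shows up with its HRESULT, and a silent run with no log at all means the script never executed, which is Darren's first question.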
RE: [ActiveDir] OT: Terminal Services Local Printer issues
Hi Rob,

In order for the printer to be visible on the TS server for the client, you need to install the print driver on the TS server for that specific printer. On the TS server go to Start, Printers & Faxes, File, Server Properties, Drivers. Install the print driver for that specific printer. I know you mention that the printer was visible at one point. However, I have found that when I install the specific print driver, the printer always shows up in the user session.

Cheers,
George

-----Original Message-----
From: Robert Rutherford
Sent: Wednesday, August 18, 2004 16:21
Subject: [ActiveDir] OT: Terminal Services Local Printer issues

Hi All,
Sorry, I know this is off topic and I'm in a hurry to get a resolution to an issue that is driving me mad. I have little experience with TS so stick with me :O)
A user logs on to Terminal Server 2003 and her local printer on her own desktop is not reflected in the Terminal Server session. It worked until this morning. I can't see anything strange in any logs. Any ideas?
BR
Rob
RE: [ActiveDir] Domain and Forest Functional Levels
To determine the DFL, read two attributes of the domain object (blabla.com), DC=BLABLA,DC=COM: nTMixedDomain and msDS-Behavior-Version.

    If nTMixedDomain = 1 And msDS-Behavior-Version = 0 Then DFL = Windows 2000 Mixed (DEFAULT INSTALL VALUE)
    If nTMixedDomain = 0 And msDS-Behavior-Version = 0 Then DFL = Windows 2000 Native
    If nTMixedDomain = 0 And msDS-Behavior-Version = 1 Then DFL = Windows Server 2003 Interim
    If nTMixedDomain = 0 And msDS-Behavior-Version = 2 Then DFL = Windows Server 2003

To determine the FFL, read msDS-Behavior-Version of the Partitions object (root domain = blabla.com), CN=Partitions,CN=Configuration,DC=BLABLA,DC=COM:

    If msDS-Behavior-Version = 0 Then FFL = Windows 2000 (DEFAULT INSTALL VALUE)
    If msDS-Behavior-Version = 1 Then FFL = Windows Server 2003 Interim
    If msDS-Behavior-Version = 2 Then FFL = Windows Server 2003

Regards,
Jorge

-----Original Message-----
From: Mark Hocraffer
Sent: Wednesday, 18 August 2004 17:03
Subject: [ActiveDir] Domain and Forest Functional Levels

Using VBScript, I would like to pull the domain and forest functional levels in a mixed 2000 and 2003 forest. What attributes am I looking for?
Thanks
Mark Hocraffer
Rockwell Collins
RE: [ActiveDir] w2k authoritative restore
Thanks Brett for the confirmation and clarification.

> If we set meta-data elements for all attributes for unset attributes just to get a delete of the attribute to win (remember there are 100s of unset attributes) you could experience like 5k+ bloat per object. Administrators would be very unhappy about that.

Agreed, but administrators also don't like not being able to restore something to a known version.

I guess a viable solution could be to figure out the most critical of the 100s of unset attributes and pre-populate them with NULL or some other meaningless data at the time of creation of normal admin objects (i.e. users, groups, computers, contacts etc., but not config items like site-links etc.). These settings could be removed right afterwards, but the versioning of the attribute remains; this could allow you to get the best of both worlds.

A tedious job though...

/Guido

-----Original Message-----
From: Brett Shirley
Sent: Wednesday, August 18, 2004 3:29 PM
Subject: RE: [ActiveDir] w2k authoritative restore

Well, first GT, below I think you're thinking of version numbers, not USNs, like Guido said.

Both are used in replication, but for different purposes. USNs are strictly used for determining _what to replicate_, never _what wins in a replication conflict_. Replication conflicts are decided by version numbers + other junk if version numbers are equal.

With version numbers (which is what gets bumped when you auth restore, not USNs*), an unset attribute has none, and as such loses to any other change with a set version number.
* USNs may change, but they're not bumped up by a large amount; they're just incremented from the last max USN (simplification).

The meta-data attribute for an AD object (you can see it through repadmin /showobjmeta, or in older repadmin use just /showmeta) is a sparse format, meaning we only set meta-data rows** for attributes set on the object.
** They're not really DB rows, but in repadmin they come out as rows in a table.

When we auth restore we only bump versions on attributes represented in the meta-data; this is why you get the merge behavior: if an attribute was never set before backup then the "no version" will lose to even a version 1 attribute set post backup.

If we set meta-data elements for all attributes for unset attributes just to get a delete of the attribute to win (remember there are 100s of unset attributes) you could experience like 5k+ bloat per object. Administrators would be very unhappy about that.

Well, that scratches the surface enough, I hope? I think this is probably all documented in the Win2k Distributed Systems Guide, if you've the patience to read a 1600 page volume like that.

Cheers,
Brett Shirley
(msft) (I guess today) the auth restore dev

On Wed, 18 Aug 2004, GT wrote:

Guido, I appreciate this is going into what seem to be the murky depths of AD, but would you be able to expand on this concept of version number? It must relate somehow to replication, which I thought to be based on USNs?
GT

----- Original Message -----
From: Grillenmeier, Guido
Date: Tue, 17 Aug 2004 17:35:37 +0200
Subject: RE: [ActiveDir] w2k authoritative restore

Small correction: it's not the USNs that are increased, it's the version number.

And as far as I understand it, an object won't inherit an attribute until it's used the first time, so only attributes which are populated for an object will have a version number in the first place.

Maybe Brett can confirm this.

As such, a previously unused attribute can't be auth. restored (unless you eliminate all occurrences in the domain/forest, which is equal to a domain/forest recovery).

/Guido

-----Original Message-----
From: GT
Sent: Tuesday, August 17, 2004 12:32 PM
Subject: RE: [ActiveDir] w2k authoritative restore

Guido, thanks for the reply.

Full recovery of the domain is what I have fallen back to; I was looking for a sanity check on this issue of authoritative (or not so, as it seems) restore.

Is it a fair question to ask, though, how the directory service resolves this issue of replication of attribute data that is blank (but which should have a higher USN by virtue of the authoritative restore) and that which has been populated but has a lower USN? Does it somehow use a system of a null USN for an attribute that has no data and which can be overwritten??

GT

----- Original Message -----
From: Grillenmeier, Guido
Date: Tue, 17 Aug 2004 11:57:32 +0200
Subject: RE: [ActiveDir]
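The sparse metadata Brett describes can be inspected without repadmin. This is an added example, not code from anyone in the thread: it reads the constructed attribute msDS-ReplAttributeMetaData through ADSI, which returns the same per-attribute rows that repadmin /showobjmeta prints, and lists each attribute's version number next to its originating USN. The object DN is an assumption.

```vbscript
' Added example (not from the thread): dump the per-attribute replication
' metadata of one object through ADSI, the same data repadmin /showobjmeta
' prints, to see which attributes carry a version number at all. The DN is
' an assumption. Needs a Windows Server 2003 DC: the constructed attribute
' msDS-ReplAttributeMetaData does not exist on Windows 2000.
Option Explicit

Dim strDN, obj, arrMeta, xml, count
strDN = "LDAP://CN=Test User,OU=Staff,DC=example,DC=com"   ' assumed object

' Pull the text between two tags; "" if either tag is missing.
Function Between(s, startTag, endTag)
    Dim i, j
    Between = ""
    i = InStr(s, startTag)
    If i = 0 Then Exit Function
    i = i + Len(startTag)
    j = InStr(i, s, endTag)
    If j = 0 Then Exit Function
    Between = Mid(s, i, j - i)
End Function

Set obj = GetObject(strDN)
' Constructed attributes are never in the property cache unless requested.
obj.GetInfoEx Array("msDS-ReplAttributeMetaData"), 0
arrMeta = obj.Get("msDS-ReplAttributeMetaData")
If Not IsArray(arrMeta) Then arrMeta = Array(arrMeta)

' Each value is one <DS_REPL_ATTR_META_DATA> XML fragment holding, among
' others, pszAttributeName, dwVersion and usnOriginatingChange: the version
' decides conflicts, the USN only decides what gets replicated.
count = 0
WScript.Echo "attribute" & vbTab & "version" & vbTab & "originating USN"
For Each xml In arrMeta
    WScript.Echo Between(xml, "<pszAttributeName>", "</pszAttributeName>") & vbTab & _
                 Between(xml, "<dwVersion>", "</dwVersion>") & vbTab & _
                 Between(xml, "<usnOriginatingChange>", "</usnOriginatingChange>")
    count = count + 1
Next
WScript.Echo count & " attributes have metadata on this object. Any attribute " & _
             "not listed has no version, so after an authoritative restore it " & _
             "still loses to a value set on it after the backup."
```

Attributes that never had a value on the object simply do not appear in the output; those are the ones an authoritative restore cannot mark, which is the merge behaviour Brett and Guido describe. Running it before and after a test restore on a lab DC shows the version bump on exactly the listed attributes and nothing else.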
RE: [ActiveDir] Access Denied causing replication errors
Have you tried it with the sAMAccountName attribute (the pre-Windows 2000 name of the account, which won't have spaces) and received the same results? As for the reasons for the replication problems, what drove you to reset the computer account? Can you give us some background on the steps taken to date that led you there and include the errors received? I'm wondering about DCDIAG and NETDIAG outputs as well as what else has changed besides the account name. Even log details would be helpful as well.

Al

-----Original Message-----
From: Mark Orlando
Sent: Wednesday, August 18, 2004 10:12 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Access Denied causing replication errors

I am new to this mailing list and I am definitely a novice in comparison, so forgive my ignorance. I am receiving tons of 13508, 13562, and 3034 event log errors on one of my domain controllers. I found that I was receiving access denied errors when trying to replicate by using dcdiag or one of those many admin tools. I think it might have something to do with the fact that we renamed the administrator account to "Rick James" out of fear that one of the students obtained the domain admin credentials. I tried to use the netdom utility to reset the computer account password on the PDC emulator as stated in the Active Directory Operations guide, only to get errors, i.e.

    netdom resetpwd /server:<PDC emulator name> /userid:domain\administrator /password:*

I am unable to put Rick James where administrator is because, to me, it doesn't seem to know how to treat the space between Rick and James. I am starting to wonder if I am on the right track at all and am also scared of renaming the domain admin account ever again. Any help would be greatly appreciated.

Mark Orlando
Systems Administrator
I.T. Department, Linden Public Schools

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Domain and Forest Functional Levels
One minor recommendation: use the Partitions container's crossRef objects to determine the domain functional level, as it allows you (in a multi-domain forest) to retrieve everything from a single DC (no GC requirement or purpose here). For the most up-to-date domain functional level, use the PDC FSMO per domain, or the Schema FSMO for the forest. Further, you can determine a great deal using an unauthenticated connection against a 2003 DC's RootDSE; see the LDP sample output below:

    1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
    1> forestFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
    1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );

--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: Jorge de Almeida Pinto
Sent: Wednesday, August 18, 2004 11:31 AM
Subject: RE: [ActiveDir] Domain and Forest Functional Levels
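The two approaches in this thread, Jorge's nTMixedDomain and msDS-Behavior-Version lookups on the domain and Partitions objects and Dean's RootDSE and crossRef shortcuts, combined into one script that answers Mark's VBScript question. This is an added example, not code from either post; the server name and the choice to treat an unset attribute as the default install value are assumptions.

```vbscript
' Added example (not from the thread): read the domain and forest functional
' levels as Jorge and Dean describe, via RootDSE, the domain and Partitions
' objects, and the crossRef objects. strServer is an assumption; leave it
' empty to bind to whatever DC the locator returns.
Option Explicit

Dim strServer, strPrefix
strServer = ""                                  ' e.g. "dc01.example.com"
strPrefix = ""
If strServer <> "" Then strPrefix = strServer & "/"

' Translate the raw values into the names used in the thread.
Function DomainLevel(mixed, ver)
    Select Case ver
        Case 0
            If mixed = 1 Then
                DomainLevel = "Windows 2000 Mixed"
            Else
                DomainLevel = "Windows 2000 Native"
            End If
        Case 1: DomainLevel = "Windows Server 2003 Interim"
        Case 2: DomainLevel = "Windows Server 2003"
        Case Else: DomainLevel = "level " & ver & " (newer than Windows Server 2003)"
    End Select
End Function

Function ForestLevel(ver)
    Select Case ver
        Case 0: ForestLevel = "Windows 2000"
        Case 1: ForestLevel = "Windows Server 2003 Interim"
        Case 2: ForestLevel = "Windows Server 2003"
        Case Else: ForestLevel = "level " & ver & " (newer than Windows Server 2003)"
    End Select
End Function

' msDS-Behavior-Version is absent in a pure Windows 2000 forest, which means
' 0; an absent nTMixedDomain is treated as the default install value (1).
Function AttrOrDefault(obj, attrName, defaultValue)
    On Error Resume Next
    AttrOrDefault = obj.Get(attrName)
    If Err.Number <> 0 Then
        AttrOrDefault = defaultValue
        Err.Clear
    End If
End Function

Dim rootDSE, domainDN, configDN
Set rootDSE = GetObject("LDAP://" & strPrefix & "RootDSE")
domainDN = rootDSE.Get("defaultNamingContext")
configDN = rootDSE.Get("configurationNamingContext")

' 1. Dean's shortcut: a Windows Server 2003 DC publishes the levels in RootDSE
'    (readable without authentication; the attributes do not exist on 2000).
WScript.Echo "RootDSE domainFunctionality : " & AttrOrDefault(rootDSE, "domainFunctionality", "n/a")
WScript.Echo "RootDSE forestFunctionality : " & AttrOrDefault(rootDSE, "forestFunctionality", "n/a")

' 2. Jorge's attributes on the domain head and the Partitions container.
Dim domainObj, partitions, mixed, dfl, ffl
Set domainObj = GetObject("LDAP://" & strPrefix & domainDN)
mixed = AttrOrDefault(domainObj, "nTMixedDomain", 1)
dfl   = AttrOrDefault(domainObj, "msDS-Behavior-Version", 0)
WScript.Echo "Domain " & domainDN & " : " & DomainLevel(mixed, dfl)

Set partitions = GetObject("LDAP://" & strPrefix & "CN=Partitions," & configDN)
ffl = AttrOrDefault(partitions, "msDS-Behavior-Version", 0)
WScript.Echo "Forest : " & ForestLevel(ffl)

' 3. Dean's recommendation: the crossRef objects under CN=Partitions carry
'    each domain's level, so one DC answers for every domain in the forest.
'    systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks the domain crossRefs.
Dim crossRef
partitions.Filter = Array("crossRef")
For Each crossRef In partitions
    If (AttrOrDefault(crossRef, "systemFlags", 0) And 2) <> 0 Then
        WScript.Echo "crossRef " & crossRef.Get("nCName") & " : " & _
            DomainLevel(AttrOrDefault(crossRef, "nTMixedDomain", 1), _
                        AttrOrDefault(crossRef, "msDS-Behavior-Version", 0))
    End If
Next
```

Run it with cscript against the PDC emulator of each domain (or the schema master for the forest value) when the answer has to be current, as Dean notes; against any other DC the values are only as fresh as the last replication cycle.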
Re: [ActiveDir] GPO to copy a file to all machines
If you have a copy of Wise or some other MSI packager, you could just create a simple MSI package that writes the .scr file to %systemroot% and install it via machine GPO. Just something to consider.

-----Original Message-----
From: DL.ActiveDirectory
Date: Wed, 18 Aug 2004 10:24:42 -0500
Subject: RE: [ActiveDir] GPO to copy a file to all machines
RE: [ActiveDir] OT: Terminal Services Local Printer issues
It has been my experience that you do not need to install the printer drivers on the TS server with TS 2003. If you use the latest Remote Desktop client, the printers should be visible automatically. Download it here, install it on the client and try again:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a8255ffc-4b4a-40e7-a706-cde7e9b57e79&DisplayLang=en

Steve

--- George Arezina wrote:
RE: [ActiveDir] OT: Terminal Services Local Printer issues
Thanks All... It was working without the drivers. I did however load the drivers again and all is working now.
Group Hug x

-----Original Message-----
From: Steve Johnston
Sent: 18 August 2004 16:54
Subject: RE: [ActiveDir] OT: Terminal Services Local Printer issues
RE: [ActiveDir] w2k authoritative restore
Thanks 2 from me. I have to say I am indebted to this mail list for this level of documentation of this beast called Active Directory that we have come to love.
GT

----- Original Message -----
From: Grillenmeier, Guido
Date: Wed, 18 Aug 2004 17:32:58 +0200
Subject: RE: [ActiveDir] w2k authoritative restore
RE: [ActiveDir] GPO to copy a file to all machines
Ah stupid me. Found the simple file not found problem and fixed. Thanks all

Thank you,
Mitchell D. Lawrence
Director, Network Administrator
ITS Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)
** Good | Cheap | Fast (Pick Two)**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Posted At: Wednesday, August 18, 2004 11:01 AM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] GPO to copy a file to all machines
Subject: RE: [ActiveDir] GPO to copy a file to all machines

If you're using on error resume next, then I usually put something like the following if statement after every major step:

    if err.number <> 0 then
        Wscript.echo err.description
    end if

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Wednesday, August 18, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO to copy a file to all machines

The script is running, as I have it also distributing a GPC.DAT file from a virus server (I am changing parent servers on Symantec). The files in that subroutine distribute ok. I am at a loss as to why it is not distributing the scr. I have the error submerge commented out. I will throw in some echos for feedback into the script and see if I can locate the problem. Any other ideas or specific scripting I can use to trap errors?

Thank you,
Mitchell D. Lawrence

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Posted At: Wednesday, August 18, 2004 9:50 AM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] GPO to copy a file to all machines
Subject: RE: [ActiveDir] GPO to copy a file to all machines

When I tested this a while back, the scripts extension will impersonate the machine account to get access to network resources--so the machine account (or authenticated users will work) will need at least read access to the Netlogon share (which they should have, btw). Can you verify that the script is even running during startup? You might want to put some logging into that script at specific stages just to see where it's failing and what the message might be. Also, you've got On error, resume next at the beginning but you don't trap for any errors that may be occurring. Putting this statement in the beginning without trapping for anything has the effect of having the script ignore any errors that might otherwise pop up, so I'd either remove that statement or add some error handling.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Wednesday, August 18, 2004 7:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO to copy a file to all machines

I am using this to distribute a screensaver also (machine startup vbs script). I am having a problem however. I think I know what it is, but I am not sure how to fix it. I have the screensaver sitting in the NETLOGON folder of my DC, and I am trying to copy from that location to the user's %systemroot%\System32\, but it doesn't copy the file. If I run the script manually (note, I am member of Domain Admin group) the file copies over, but it doesn't copy during startup. Does the SYSTEM user have read rights to the NETLOGON folder? If not, and I place the file in the policy's folder along with the .vbs (which is already there I should note), is there an environment variable that refers to this location or an easy way to specify this location for the file copy? For instance, if I do not specify a location, does the script first check the directory it is located in? Here is the subroutine in my vbs:

    '=========================================
    ' CheckScrSaver
    '=========================================
    ' fso, strDC and strSysRoot are set elsewhere in the script (not shown here).
    Public Sub CheckScrSaver()
        ' On Error Resume Next
        Dim strFile, strSrc, strDst
        strFile = "NBHSecuritySCR.scr"
        strSrc = strDC & "\NETLOGON\" & strFile
        strDst = strSysRoot & "\System32\"
        If fso.FileExists(strDst & strFile) Then
            ' Proceed
        Else
            fso.CopyFile strSrc, strDst, True
        End If
    End Sub

Thank you,
Mitchell D. Lawrence

-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, August 17, 2004 9:19 PM
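As an added example (not the script posted in this thread), here is a machine-startup version of the same copy that checks Err.Number after every step, as suggested above, and records the outcome in a log file and the Application event log, since nothing WScript.Echo prints is visible from a startup script. It assumes the DC is located through RootDSE, that the script runs as SYSTEM from a GPO startup script, and the log file name is this example's own choice.

```vbscript
' Added example: copy NBHSecuritySCR.scr from NETLOGON into %SystemRoot%\System32
' with a check after every step. Not the script from the thread; the DC lookup via
' RootDSE and the log file location are assumptions made for this example.
Option Explicit

Const SCR_FILE = "NBHSecuritySCR.scr"
Const FOR_APPENDING = 8
Const EVT_ERROR = 1
Const EVT_INFO = 4

Dim fso, wsh, logFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set wsh = CreateObject("WScript.Shell")
' %SystemRoot%\Temp is writable by SYSTEM, so the log survives a failed copy.
Set logFile = fso.OpenTextFile(wsh.ExpandEnvironmentStrings("%SystemRoot%\Temp\CheckScrSaver.log"), FOR_APPENDING, True)

' Record a failed step in the log and the event log, then stop with exit code 1.
' Err.Number and Err.Description are passed in so they are not lost on the way.
Sub Fail(stepName, errNum, errDesc)
    Dim msg
    msg = Now & " " & stepName & " failed: error " & errNum & " (" & errDesc & ")"
    logFile.WriteLine msg
    wsh.LogEvent EVT_ERROR, "CheckScrSaver: " & msg
    logFile.Close
    WScript.Quit 1
End Sub

Sub CheckScrSaver()
    ' On Error Resume Next only covers the procedure it is placed in; an
    ' unhandled error in this Sub would otherwise unwind to the caller and skip
    ' the checks below, which is why it is enabled here and not just at the top.
    On Error Resume Next
    Dim rootDSE, strDC, strSysRoot, strSrc, strDst

    ' Ask the DC that answered the LDAP bind for its DNS name.
    Set rootDSE = GetObject("LDAP://RootDSE")
    If Err.Number <> 0 Then Fail "bind to RootDSE", Err.Number, Err.Description
    strDC = rootDSE.Get("dnsHostName")
    If Err.Number <> 0 Then Fail "read dnsHostName", Err.Number, Err.Description

    strSysRoot = wsh.ExpandEnvironmentStrings("%SystemRoot%")
    strSrc = "\\" & strDC & "\NETLOGON\" & SCR_FILE
    strDst = strSysRoot & "\System32\"

    If fso.FileExists(strDst & SCR_FILE) Then
        logFile.WriteLine Now & " " & SCR_FILE & " already present, nothing to do"
        Exit Sub
    End If

    ' The computer account (through Authenticated Users) needs read access on
    ' NETLOGON; a permission or name-resolution problem shows up here first.
    ' 53 is VBScript's own "File not found" runtime error number.
    If Not fso.FileExists(strSrc) Then
        Fail "locate " & strSrc, 53, "file not found (check NETLOGON read access for the computer account)"
    End If

    fso.CopyFile strSrc, strDst, True
    If Err.Number <> 0 Then Fail "copy " & strSrc & " to " & strDst, Err.Number, Err.Description

    logFile.WriteLine Now & " copied " & strSrc & " to " & strDst
    wsh.LogEvent EVT_INFO, "CheckScrSaver: copied " & SCR_FILE & " from " & strDC
End Sub

CheckScrSaver
logFile.Close
```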
[ActiveDir] OT: DNS error
I can't find anything about the cause of this on the net. I am getting Event ID 7050 in the DNS logs (2003 AD integrated). Error says "The DNS server recv() function failed. The event data contains the error." Nothing seems to be affected by it (at least not as far as I can tell), but you know how it is to have an event floating around out there that you have no clue what it is. Anyone have any ideas?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: IISadmpwd security vulnerability???
If you do find any vulnerability, don't forget to let everyone know.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, August 17, 2004 10:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: IISadmpwd security vulnerability???

Hi,

IIRC the ISAPI extension that was used to provide this functionality originally had various buffer overflow issues. I would check this out:

http://support.microsoft.com/?id=331834
Change password functionality replaced with Active Server Pages

Also this:

http://support.microsoft.com/?id=833734
FIX: You experience various problems when you use the Password Change pages in IIS 6.0

HTH

Cheers
Ken

Original Message:
From: Mulnick, Al [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: IISadmpwd security vulnerability???
Date: Tue, 17 Aug 2004 13:20:49 -0400

What vulnerabilities were they specifically worried about? There were many changes made in IIS6.0 that were meant to address security concerns but without knowing what they're concerned about specifically it can be tough to help out.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Tuesday, August 17, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: IISadmpwd security vulnerability???

I know this is off topic, but this does pertain to AD authentication. I know there were serious vulnerabilities in IIS4/5 for IISadmpwd, but was wondering if the same is true for IIS 6.0? There are some folks over here that are worried about doing anything with IIS.
[ActiveDir] hiding a field from global catalog
Hi all,

I need to hide a field from AD (Windows 2003/Exchange 2003) from displaying in the GAL from Exchange. Ideally, I could block all students from seeing one or two fields and allow all staff to view that field (company name or company number as an example). I tried to set permissions using ADSI Edit and that did not seem to work (deny students read) but that didn't seem to work.

TIA,

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
RE: [ActiveDir] hiding a field from global catalog
Rick,

Would this happen to be for compliance to FERPA?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Wednesday, August 18, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hiding a field from global catalog
RE: [ActiveDir] hiding a field from global catalog
That is part of it

Rick Gasper

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, August 18, 2004 2:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog
RE: [ActiveDir] hiding a field from global catalog
You can create separate Address Lists and set the permissions for these. I believe this is an approach used by some ISPs.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;319213#8

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Wednesday, August 18, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog
RE: [ActiveDir] hiding a field from global catalog
Well, the problem with only hiding the GAL is that the information still exists if anyone does an LDAP query. Since I don't have an answer to your question, I will just tell you what we are doing. If a student elects to exercise either FERPA or the Buckley amendment, their name is nowhere in Active Directory. We use a different field to uniquely identify them (such as a social security number---now we don't actually use the SSN, that is just an example; something that should only be known by them). Then we create a generic username for them, such as user1 (which is of course cross referenced with the unique identifier). We also hide the user totally from the GAL, not just specific fields. This makes them totally anonymous (the purpose of FERPA) unless someone has access to records containing the unique identifier, in which case, you have still upheld your commitment because you didn't give the person access to that information. Does this make sense?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Wednesday, August 18, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog
RE: [ActiveDir] hiding a field from global catalog
I am looking at this one.

Rick Gasper

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 18, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog
RE: [ActiveDir] hiding a field from global catalog
I understand where you are coming from, but that doesn't quite get what I need. If I can hide a couple of fields that are available from the global catalog and give permissions to the people who need to view them, it makes my life a whole lot easier. For example: we have a student ID number that is used for a lot of different things. If I populate AD with that number, and a student gets someone else's, it will cause all kinds of grief. But IF I could make that number available to select users, then we reduce a lot of help desk calls. ADEmail is a natural place for it. Another example: I put up a password reset page, I need something that will uniquely ID the students, I can query the field and verify the student is who they say they are. It is part of FERPA, but it is more a safeguard against ID theft.

Rick Gasper

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, August 18, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding a field from global catalog
[ActiveDir] DFS on Domain Controllers
Is it a bad idea to make DFS Root Targets on Domain Controllers?

If I browse to my AD 2003 domain \\example.com I see the two folders: Netlogon, Sysvol. But if I browse to \\example.com\DFS-Root I see my Links which point to shares on file servers:

\\example.com\DFS-Root\Acctg --> \\File-Server-1\Acctg
\\example.com\DFS-Root\Eng --> \\File-Server-2\Engineering

Thanks
[ActiveDir] GPO's, RIS and Software Deployment
Can anyone provide me with good documentation on RIS and software deployment through GPO? We currently use MS ADS and I don't like it and I believe it to be the cause of problems. Aside from that, I think that I can benefit more from RIS if my plan goes through well. I am not interested in using RipRep since it acts similar to MS ADS and documentation of the product is similar in its requirements to successfully use.

I have two Win2K3 Enterprise Domains, a Win2K3 Standard File server and Win2K Pro workstations. The main pieces of software that I would like to push out would be MSSQL 2000 (client tools only), MS Office 2000, Symantec AV Corporate Edition.

I have read some documentation on this but would like to know if any of you have other good known sources. My information comes from a book and the help files that are found within the DEPLOY.CAB file in the /support/tools/ folder of the Win2K3 CD.

Thank you all for your replies.

Edwin
RE: [ActiveDir] DFS on Domain Controllers
I wasn't going to have any real files on the DCs, just the DFS root and links that point to real shares on file servers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
Sent: Wednesday, August 18, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS on Domain Controllers

The sysvol shares are not handled by dfs. You can put dfs roots on DCs but as a matter of policy it's not a good idea to have any file shares other than sysvol on a DC. But for a small network and limited resources...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cary, Mark
Sent: Wednesday, August 18, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DFS on Domain Controllers
[ActiveDir] Specify Delimiter in output using DSQuery?
Got to love one day requirements and deadlines, need some help formatting an output file from DSQuery. I need to export all users in one OU (all objects are contacts) with their CN and mailNickName attributes ONLY. The export file doesn't appear to have a delimiter when using DSQuery; I'm needing to import this into SQL Server 2000. Any utilities that will allow me to export to a txt file with a delimiter on certain attributes from AD? HELP!

Steve Schofield
[EMAIL PROTECTED]
[ActiveDir] AD Restoring In Different Hardware.
Dear all,

I will really appreciate it if someone can share some information to enhance my knowledge about AD restoration on different hardware. The problem is I want to restore my AD to different hardware, but I am unable to do it. Is it possible to do so? Kindly show me the way out...

Thanking you all.

Ravi Dogra.
RE: [ActiveDir] Specify Delimiter in output using DSQuery?
Always provide your current syntax, it's immensely useful in assisting with outlining your problem. That said, post what you've got so far ... this sounds quite doable.

Deano
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Wednesday, August 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Specify Delimiter in output using DSQuery?
Re: [ActiveDir] Specify Delimiter in output using DSQuery?
    dsquery * "OU=My Email Contacts,OU=EmailOU,DC=Steve,DC=Schofield,DC=com" -limit 4 -attr mailNickName cn > c1.txt

Is the syntax I'm using, apologize for not posting at first. Hard to troubleshoot when not saying "here is the error or code".

Thanks
Steve

[EMAIL PROTECTED] 08/18/04 06:17PM
RE: [ActiveDir] Specify Delimiter in output using DSQuery?
I was able to take this output as a .csv file, then open it in Excel, and use the text-to-columns feature and fixed-width rather than delimited, and then save it. It produced a comma-delimited file that accurately separated the two fields. If you can't figure out a way to create the appropriate delimiter through DSQuery, this might help...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: Steve Schofield [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 18, 2004 3:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Specify Delimiter in output using DSQuery?
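As an added example (not code from the thread or from any of its posters), the same export done with an ADO/ADSI query instead of dsquery, writing the cn and mailNickname of every contact under Steve's OU as a tab-delimited file that SQL Server 2000 can load with BULK INSERT or DTS. A tab is used as the delimiter because CNs like "Smith, John" contain commas; the OU DN is the one from Steve's dsquery command, and the output file name is a choice made for this example.

```vbscript
' Added example: export cn and mailNickname of the contacts in an OU as a
' tab-delimited text file. The OU DN comes from the dsquery command in the
' thread; the output file name is this example's own choice.
Option Explicit

Const OU_DN    = "OU=My Email Contacts,OU=EmailOU,DC=Steve,DC=Schofield,DC=com"
Const OUT_FILE = "c1.txt"

' An attribute that is not set comes back as Null, and an embedded tab or line
' break would split a row, so both are neutralised before the value is written.
Function Clean(v)
    If IsNull(v) Then
        Clean = ""
    Else
        Clean = Replace(Replace(Replace(CStr(v), vbTab, " "), vbCr, " "), vbLf, " ")
    End If
End Function

' Runs the LDAP query under baseDN and returns the number of rows written.
Function ExportContacts(baseDN, outPath)
    Dim conn, cmd, rs, fso, out, rows

    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    ' <base>;filter;attributes;scope - only contacts, only the two attributes.
    cmd.CommandText = "<LDAP://" & baseDN & ">;(objectClass=contact);cn,mailNickname;subtree"
    ' Paged results, otherwise the DC stops at its default 1000-object limit.
    cmd.Properties("Page Size") = 1000
    Set rs = cmd.Execute

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set out = fso.CreateTextFile(outPath, True)
    out.WriteLine "cn" & vbTab & "mailNickname"   ' header row for the import

    rows = 0
    Do Until rs.EOF
        out.WriteLine Clean(rs.Fields("cn").Value) & vbTab & Clean(rs.Fields("mailNickname").Value)
        rows = rows + 1
        rs.MoveNext
    Loop

    out.Close
    rs.Close
    conn.Close
    ExportContacts = rows
End Function

WScript.Echo ExportContacts(OU_DN, OUT_FILE) & " contacts written to " & OUT_FILE
```

The built-in alternative is csvde, which already emits comma-separated output: csvde -f c1.csv -d "<OU DN>" -r "(objectClass=contact)" -l cn,mailNickname, with the same caveat that commas inside a CN need the quoting csvde applies.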