Re: [ActiveDir] Symantec Corporate edition 8.1 and active directory
SAVrequires Netbios for resolution, do these machines have netbios turned off or did resolution change when they were put into the domain? Steve - Original Message - From: David Lee To: [EMAIL PROTECTED] Sent: Monday, October 18, 2004 12:13 PM Subject: [ActiveDir] Symantec Corporate edition 8.1 and active directory I'm having an interesting problem with my Symantec Antivirus Server.As I roll computers in my domain, running Symantec Antivirus Client,over to Active Directory (No problems until rollover) I loose partialaccess to them through the Symantec System Center Consol. I can still access the client to read logs, delete quarantine items and such, but said computers are no longer "checking in" with the Symantec server. As a result I cannot get information such as virus definition date, last scan date etc. Then after a period of time with the computer not checking in with the server, the server drops them due to lack of activity.The symantec server is in our active directory OU (was the first machine I rolled over into Active directory with no ill effects),running on a W3k server, no firewall, 2 NICs, 1 public network, 1 private network.All of the workstations are W2K on the public network on 2 subnets.Machines on the private network are having no difficulty, checking in normally, but only through the private network. I have attempted uninstalling, then reinstalling the antivirus clients with no change.Any hints would be greatly appreciated. David D. LeeComputer Resource Specialist IIOffice of Undergraduate Admissions[EMAIL PROTECTED]2-6417
RE: [ActiveDir] Shadow Copy
Is there any formula for figuring out how much hard drive space you will need ? Also which is better, Raid 5 or mirror sets for Shadow Copy? Debbie Ellis Systems Administrator Viasat, Inc. 4356 Communications Drive Norcross, GA 30093 678-924-2591 -Original Message- From: Robert Mezzone [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 6:18 PM To: '[EMAIL PROTECTED]' Subject: Re: [ActiveDir] Shadow Copy There is an article in TechNet about formatting the drive with a certain cluster size, if you don't and you defrag the drive, all your snapshots are deleted during defrag. I've been using it for a year now wo any problems. I store all the snapshots on a dedicated set of mirrored drives. Between shadow copy and a long retention time for undelete, I have't restored anything from tape in a very long time. Robert -Original Message- From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: Mon Oct 18 15:41:39 2004 Subject: [ActiveDir] Shadow Copy My company is thinking of instituting Shadow Copy. Any advice would be appreciated. What are the approximate costs ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Shadow Copy
For those that aren't aware of it... http://www.microsoft.com/windowsserver2003/technologies/activedirectory/W2K3ActDirFastRec.mspx Using the new Microsoft Windows Server 2003 services of Volume Shadow Copy Service and Virtual Disk Service, it is now possible to recover failed Microsoft Active Directory servers in minutes rather than the hours that previous recovery methods required. This paper supplies a fast recovery demonstration designed to enable system administrators to implement fast recovery solutions in their own Active Directory environments. Included in this Document *Introduction *Fast Recovery Overview *Fast Recovery Demonstration *Steps to Enable Fast Recovery From: [EMAIL PROTECTED] on behalf of Ellis, Debbie Sent: Tue 10/19/2004 04:12 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Shadow Copy Is there any formula for figuring out how much hard drive space you will need ? Also which is better, Raid 5 or mirror sets for Shadow Copy? Debbie Ellis Systems Administrator Viasat, Inc. 4356 Communications Drive Norcross, GA 30093 678-924-2591 -Original Message- From: Robert Mezzone [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 6:18 PM To: '[EMAIL PROTECTED]' Subject: Re: [ActiveDir] Shadow Copy There is an article in TechNet about formatting the drive with a certain cluster size, if you don't and you defrag the drive, all your snapshots are deleted during defrag. I've been using it for a year now wo any problems. I store all the snapshots on a dedicated set of mirrored drives. Between shadow copy and a long retention time for undelete, I have't restored anything from tape in a very long time. Robert -Original Message- From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: Mon Oct 18 15:41:39 2004 Subject: [ActiveDir] Shadow Copy My company is thinking of instituting Shadow Copy. Any advice would be appreciated. What are the approximate costs ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ winmail.dat
[ActiveDir] groups vs attributes
Title: groups vs attributes As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently which is a better solutionto search AD for a group membership, or for the value of a given attribute, when validating a users access to a custom application? Our standard has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldnt we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership? Any notes from the field would be much appreciated! Mark Creamer Systems Engineer Cintas Corporation The Service Professionals
RE: [ActiveDir] groups vs attributes
Title: groups vs attributes Personally, I think they should have a look at why their queries take longer than they want. Likely they are checking the memberofattribute to find out what the group membership is, right? I think they could use an attribute, but I think that's not guaranteed to be faster either. I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?). That's the way I think though :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, MarkSent: Tuesday, October 19, 2004 9:21 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] groups vs attributes As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application? Our "standard" has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership? Any notes from the field would be much appreciated! Mark Creamer Systems Engineer Cintas Corporation The Service Professionals
Re: [ActiveDir] groups vs attributes
Title: Re: [ActiveDir] groups vs attributes >From a Dev standpoint using attributes and requiring schema extensions is undeniably sexier. And you would be extending the schema eventually possibly for every application that you deploy. There are only so many attributes to use for this sort of thing before you start wanting your own specific one. >From an administrative standpoint, Im with Al only Ill go a level further managing that would become a nightmare, and every application that gets rolled out would make things even more convoluted. There are lots of good reasons to populate attributes with different values, but circumventing AD security probably isnt one of them! (The term Recipe for Disaster comes to mind) On 10/19/04 9:36 AM, Mulnick, Al [EMAIL PROTECTED] wrote: Personally, I think they should have a look at why their queries take longer than they want. Likely they are checking the memberof attribute to find out what the group membership is, right? I think they could use an attribute, but I think that's not guaranteed to be faster either. I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?). That's the way I think though :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, October 19, 2004 9:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] groups vs attributes As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application? Our standard has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership? Any notes from the field would be much appreciated! Mark Creamer Systems Engineer Cintas Corporation The Service Professionals Sent using the Microsoft Entourage 2004 for Mac Test Drive.
[ActiveDir] Digital Sign Communications
Working with the GPMC from a Windows XP machine running SP2, when looking at the GPO's, how would you go about configuring Digital Sign Communications and where do you set the Required, Secure or Client settings for this? Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Information Bar in IE 6 after SP 2 Install
I have noticed a Information Bar in IE 6 that got installed when I put SP2 on my laptop. I find this bar to be very annoying and can't figure out how to stop it. Everytime I am downloading a file from one of our internal intranets I have this bar come up, I then have to click download file, which doesn't do anything and then I have to ask for the file again, and then answer if I want to open or save it. I want this off and was wondering if anyone has figured it out. I have already turned off the popup blocker after I configured the settings to not use the information bar, and this did not work. Thanks Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Shadow Copy
assuming you're talking about Shadow Copy Restore feature: - how many changes do your users make per day and how many versions of the documents do you want to keep? = this will determine the space you should calculate for each volume. Add 105 MB, which is what the feature requires for itself. - how much extra fault-tolerance do you need? you don't need to put the previous versions data on a particular safe disk = could also be RAID 0 or separte disks. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie Sent: Tuesday, October 19, 2004 1:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Shadow Copy Is there any formula for figuring out how much hard drive space you will need ? Also which is better, Raid 5 or mirror sets for Shadow Copy? Debbie Ellis Systems Administrator Viasat, Inc. 4356 Communications Drive Norcross, GA 30093 678-924-2591 -Original Message- From: Robert Mezzone [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 6:18 PM To: '[EMAIL PROTECTED]' Subject: Re: [ActiveDir] Shadow Copy There is an article in TechNet about formatting the drive with a certain cluster size, if you don't and you defrag the drive, all your snapshots are deleted during defrag. I've been using it for a year now wo any problems. I store all the snapshots on a dedicated set of mirrored drives. Between shadow copy and a long retention time for undelete, I have't restored anything from tape in a very long time. Robert -Original Message- From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: Mon Oct 18 15:41:39 2004 Subject: [ActiveDir] Shadow Copy My company is thinking of instituting Shadow Copy. Any advice would be appreciated. What are the approximate costs ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] groups vs attributes
Title: groups vs attributes I may be missing something in the reading, but why not just query AD based on the username and determine if that user object is a member of the group in question instead of returning a list of all users for a given group? Another possibility (one you may well have thought of already but didnt mention) is that you can filter your search [searcher.Filter = ((objectCategory=user)(sAMAccountName= Trim(userName) ))] r/ Lou
RE: [ActiveDir] groups vs attributes
Title: Re: [ActiveDir] groups vs attributes Im not following Rick and Al on the security factor. Why would using the attribute method be less secure, assuming we control who can populate the attribute, the same as we control who can add members to a group? Maybe Im missing the point thoughthanks for your thoughts guys mc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza Sent: Tuesday, October 19, 2004 10:05 AM To: ActiveDir List Subject: Re: [ActiveDir] groups vs attributes From a Dev standpoint using attributes and requiring schema extensions is undeniably sexier. And you would be extending the schema eventually possibly for every application that you deploy. There are only so many attributes to use for this sort of thing before you start wanting your own specific one. From an administrative standpoint, Im with Al only Ill go a level further managing that would become a nightmare, and every application that gets rolled out would make things even more convoluted. There are lots of good reasons to populate attributes with different values, but circumventing AD security probably isnt one of them! (The term Recipe for Disaster comes to mind) On 10/19/04 9:36 AM, Mulnick, Al [EMAIL PROTECTED] wrote: Personally, I think they should have a look at why their queries take longer than they want. Likely they are checking the memberof attribute to find out what the group membership is, right? I think they could use an attribute, but I think that's not guaranteed to be faster either. I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?). That's the way I think though :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, October 19, 2004 9:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] groups vs attributes As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application? Our standard has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership? Any notes from the field would be much appreciated! Mark Creamer Systems Engineer Cintas Corporation The Service Professionals Sent using the Microsoft Entourage 2004 for Mac Test Drive.
RE: [ActiveDir] groups vs attributes
Title: groups vs attributes Sorry, I didnt word that very well. Youre right, Lou, that is what they do. I guess their main point is that querying an attribute that we create for the purpose seems faster than when they check the group membership. I dont know how valid that is mc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega Sent: Tuesday, October 19, 2004 10:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] groups vs attributes I may be missing something in the reading, but why not just query AD based on the username and determine if that user object is a member of the group in question instead of returning a list of all users for a given group? Another possibility (one you may well have thought of already but didnt mention) is that you can filter your search [searcher.Filter = ((objectCategory=user)(sAMAccountName= Trim(userName) ))] r/ Lou
RE: [ActiveDir] groups vs attributes
Title: Re: [ActiveDir] groups vs attributes Two other questions on why it might be slower to enumerate the members of a universal group. Since UGs are kept by GCs, are your developers doing a query in a site with a GC? Are all of your DCs also GCs? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, October 19, 2004 7:35 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] groups vs attributes Im not following Rick and Al on the security factor. Why would using the attribute method be less secure, assuming we control who can populate the attribute, the same as we control who can add members to a group? Maybe Im missing the point thoughthanks for your thoughts guys mc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza Sent: Tuesday, October 19, 2004 10:05 AM To: ActiveDir List Subject: Re: [ActiveDir] groups vs attributes From a Dev standpoint using attributes and requiring schema extensions is undeniably sexier. And you would be extending the schema eventually possibly for every application that you deploy. There are only so many attributes to use for this sort of thing before you start wanting your own specific one. From an administrative standpoint, Im with Al only Ill go a level further managing that would become a nightmare, and every application that gets rolled out would make things even more convoluted. There are lots of good reasons to populate attributes with different values, but circumventing AD security probably isnt one of them! (The term Recipe for Disaster comes to mind) On 10/19/04 9:36 AM, Mulnick, Al [EMAIL PROTECTED] wrote: Personally, I think they should have a look at why their queries take longer than they want. Likely they are checking the memberof attribute to find out what the group membership is, right? I think they could use an attribute, but I think that's not guaranteed to be faster either. I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?). That's the way I think though :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, October 19, 2004 9:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] groups vs attributes As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application? Our standard has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership? Any notes from the field would be much appreciated! Mark Creamer Systems Engineer Cintas Corporation The Service Professionals Sent using the Microsoft Entourage 2004 for Mac Test Drive.
RE: [ActiveDir] groups vs attributes
I guess they've indexed their attribute? Either way, it shouldn't be any faster than querying group membership. The only danger I see with the custom attribute approach is that it could be the thin end of the wedge. The more applications that use this approach the more custom attributes you will have. You could end up with a messy schema. Unless of course you use a single attribute and make it multi-valued. But then you're still no different to using group membership. If the developers think the group membership lookup is slow they could include a cache mechanism in the application and set a cache refresh interval for the queries against AD. Tony -- Original Message -- From: Creamer, Mark [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 19 Oct 2004 10:44:36 -0400 Sorry, I didn't word that very well. You're right, Lou, that is what they do. I guess their main point is that querying an attribute that we create for the purpose seems faster than when they check the group membership. I don't know how valid that is... mc _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega Sent: Tuesday, October 19, 2004 10:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] groups vs attributes I may be missing something in the reading, but why not just query AD based on the username and determine if that user object is a member of the group in question instead of returning a list of all users for a given group? Another possibility (one you may well have thought of already but didn't mention) is that you can filter your search [searcher.Filter = ((objectCategory=user)(sAMAccountName= Trim(userName) ))] r/ Lou Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Setting Logon Hours
Is there a way to set logon hours in the user profiles using GPOs? If not how do I go about changing the bulk of my users in one go? Or am I going to be stuck going into each profile to make the changes? David D. Lee Computer Resource Specialist II Office of Undergraduate Admissions [EMAIL PROTECTED] 2-6417
RE: [ActiveDir] Digital Sign Communications
What is the difference between the IP Security Policies in Active Directory within the Computer Configuration of a GPO, under Windows Settings | Security Settings to the items listed under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options, specifically the Digitally encrypt the secure data channel and the Digitally Sign Communications Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, October 19, 2004 10:18 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Digital Sign Communications Working with the GPMC from a Windows XP machine running SP2, when looking at the GPO's, how would you go about configuring Digital Sign Communications and where do you set the Required, Secure or Client settings for this? Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] groups vs attributes
Title: Message Al - could you elaborate on the comment "why aren't they using Active Directory security again?" ? When I read Mark's question I assumed (maybe incorrectly) that these were apps on external systems that simply used AD as an LDAP server, and made access-control decisions based on group membership. We have several such apps here... Are you advocating another approach that's more in line with ACLs on AD objects ? Or something else ? Maybe I'm reading too much into the comment, but I'm very curious, since I've struggled with some of these issues in the past... Anyhow, Mark, for what its worth on the groups vs attributes thing, one reason to stick with groups is the reality that applications come and go. A few years from now when the shiny new app is retired, you can just delete the groups (or reuse them for the replacement app). If you create and populate a bunch of app-specific attributes, chances are good that they will never get cleaned up. Another reason is that granting access to resources via group membership is a well-understood concept, and you likely have defined processes and tools to do so. Managing custom attributes will involve some code, very likely buried in the admin interface of the associated application. The palatability of that probably depends a great deal on how you manage administration and audit of access tothese applications. Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Tuesday, October 19, 2004 8:37 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] groups vs attributes Personally, I think they should have a look at why their queries take longer than they want. Likely they are checking the memberofattribute to find out what the group membership is, right? I think they could use an attribute, but I think that's not guaranteed to be faster either. I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?). That's the way I think though :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, MarkSent: Tuesday, October 19, 2004 9:21 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] groups vs attributes As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application? Our "standard" has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership? Any notes from the field would be much appreciated! Mark Creamer Systems Engineer Cintas Corporation The Service Professionals
RE: [ActiveDir] groups vs attributes
A very clean way to manage access rights for apps is to create new extended access rights objects in the Extended-Rights container that represent the different categories of access to your app, then create an object that represents the application in the CN=Services container, and create object-ACEs in the SD for the application object for each security principal that is allowed to access the application. Its clean, flexible, extensible, provides any level of granularity you might want, and you can use the Windows access control APIs to determine access level. We've used this strategy in a couple of our applications and are very happy with it. That's what the extended rights objects are there for anyway :) -gil Gil Kirkpatrick CTO, NetPro Got DEC? From: [EMAIL PROTECTED] on behalf of Tony Murray Sent: Tue 10/19/2004 7:55 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] groups vs attributes I guess they've indexed their attribute? Either way, it shouldn't be any faster than querying group membership. The only danger I see with the custom attribute approach is that it could be the thin end of the wedge. The more applications that use this approach the more custom attributes you will have. You could end up with a messy schema. Unless of course you use a single attribute and make it multi-valued. But then you're still no different to using group membership. If the developers think the group membership lookup is slow they could include a cache mechanism in the application and set a cache refresh interval for the queries against AD. Tony -- Original Message -- From: Creamer, Mark [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 19 Oct 2004 10:44:36 -0400 Sorry, I didn't word that very well. You're right, Lou, that is what they do. I guess their main point is that querying an attribute that we create for the purpose seems faster than when they check the group membership. I don't know how valid that is... mc _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega Sent: Tuesday, October 19, 2004 10:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] groups vs attributes I may be missing something in the reading, but why not just query AD based on the username and determine if that user object is a member of the group in question instead of returning a list of all users for a given group? Another possibility (one you may well have thought of already but didn't mention) is that you can filter your search [searcher.Filter = ((objectCategory=user)(sAMAccountName= Trim(userName) ))] r/ Lou Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ winmail.dat
[ActiveDir] New tree in an existing forest Weirdness!
Please some one help ME LLL Today I tried to DCPROMO a New domain tree into an existing forest. It DCPROMOs alright, but I am having difficulty with DNS! at the dcpromo stage I asked it to install and configure DNS for the new domain tree and it said it did, but I cant find any of the folders like _msdcs, _sites, _tcp, _DomainDnsZones etc etc! - when the server came back up after the reboot, I made the new DNS zone to replicate to all DNS servers in the forest, but nothing happened and I cant to anything with the new tree now! e.g. cant DCPROMO another server (cos it fails with DNS lookup errors). I even tried to DCPROMO out the new domain to try again, but it fails with the same DNS lookup error! have I completely messed things up? Please please please someone out there say NO and let me have a workaround? Regards Anton Pararajasingam Sea Containers Information Services London. [EMAIL PROTECTED] *** The information contained in this email is confidential. It may also be protected by legal privilege. It is intended only for the stated addressee(s). If you are not an addressee you must not disclose, copy, circulate nor use the information contained in it. If you have received this email in error please inform the sender immediately and delete it and any copies from your system. ***
Re: [ActiveDir] Setting Logon Hours
some resources: HOW TO: Limit User Logon Time in a Domain in Windows 2000 http://support.microsoft.com/default.aspx?scid=kb;en-us;318714#10 How do I run commands on my domain controller for every user? (see section for: net user username /times) http://www.jsiinc.com/SUBJ/tip4600/rh4646.htm Copying Allowed Logon Hours from One Account to Another (no idea why i can't find this on the English/US site ...) http://www.microsoft.com/china/technet/community/scriptcenter/user/scrug89.mspx hth, john David Lee wrote: Is there a way to set logon hours in the user profiles using GPOs? If not how do I go about changing the bulk of my users in one go? Or am I going to be stuck going into each profile to make the changes? David D. Lee Computer Resource Specialist II Office of Undergraduate Admissions [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] groups vs attributes
Title: Message Some LDAP 'consumers' get around these problems by first searching the directory for the user to get their current full DN, and then doing a bind with that. Of course, that means that you need to search on something that you know to be globally unique, like samAccountName. Alternatively, you couldbind using the UPN. As someone else pointed out, this ought to be done over SSL if you're using simple binds. Good food for thought in Gil's post...I'll have to play with that. Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Tuesday, October 19, 2004 11:14 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] groups vs attributes Anytime you use LDAP binding you create two problems: 1) Active Directory was designed to let users be moved around when needed. It happens as a matter of course and will often break LDAP applications that rely on LDAP bind. When the RDN changes, so does the user name right? 2) You are downgrading the security, because you're often only checking for the existence of an value vs. a challenge/response and strong password etc. Applications that do this are often web or database based. For example, several "security" applications allow access based on what your DN value is (that's the identity portion of the transaction) and your group membership (that's the authorization portion of the transaction) but they often assume that you've authenticated. Typically, an authentication process includes identification, authentication, and authorization to resources. That's what AD provides for you and you are no longer using that with LDAP bind. Not that you couldn't, but it's often left out. Older version of Siteminder do it this way for example if you choose to use a different LDAP store. Mark, I certainly didn't mean to imply that attribute vs. group is any more or less secure. It's the same. The speed difference would be due to the way they write their code and because if you have a multi-valued attribute such as memberOf, you have to iterate through the array until you find your matched group or fail. Using a custom, indexed attribute could be faster (and is certainly sexier as Rick mentions) because you can have a single value in there. No iteration required. Personally, I've found that using arrays in memory for a user is still very fast. In fact, I wasn't able to discern a difference when using proper search filter criteria. It's a few lines of code to check and only a few ticks of the clock cycle extra along with a slightly more on the wire. Not a big enough deal to warrant the confusion and change in administrative practice it would inevitably produce, nor as Rick mentioned, the problems of accommodating applications that come and go on a different cycle than your AD infrastructure. If they want to post the filters, I think we could easily help them optimize if that's all that's needed. And don't get me wrong, I think you can see from all of this that it can be done either way that works for you. That's the flexibility and power of AD. The questions to answer are why? how long? and what do I really gain at what cost? I wouldn't let them unless they had a REALLY good reason.They are a consumer of the service, not the other way around :) Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, MarkSent: Tuesday, October 19, 2004 10:35 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] groups vs attributes I'm not following Rick and Al on the security factor. Why would using the attribute method be less secure, assuming we control who can populate the attribute, the same as we control who can add members to a group? Maybe I'm missing the point though...thanks for your thoughts guys mc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick BozaSent: Tuesday, October 19, 2004 10:05 AMTo: ActiveDir ListSubject: Re: [ActiveDir] groups vs attributes From a Dev standpoint using attributes and requiring schema extensions is undeniably sexier. And you would be extending the schema eventually - possibly for every application that you deploy. There are only so many attributes to use for this sort of thing before you start wanting your own specific one. From an administrative standpoint, I'm with Al - only I'll go a level further - managing that would become a nightmare, and every application that gets rolled out would make things even more convoluted. There are lots of good reasons to populate attributes with different values, but circumventing AD security probably isn't one of them! (The term 'Recipe for Disaster' comes to mind)On 10/19/04 9:36 AM, "Mulnick, Al" [EMAIL PROTECTED] wrote: Personally, I think
[ActiveDir] FW: KDC Errors--Help
Running Windows 2000 AD with SP 3. Since October 9th we have been getting event errors Source: KDC Event 11 There are multiple accounts with name MSSQLSvc/ourserver.ourdomain.org:1523 of type 10. This error has been happening on just one of our domain controllers. I installed setspn.exe on the problem server and it lists only one account. I also used LDP.exe which did displayed 0 results. I tried all the resolutions on 321044, but I got nada. Has anyone else had this issue? If anyone can explain why this would happen all of a sudden I would really appreciate it. Thanks! -ChristineChristine N. AllenCitrix/Windows 2000 EngineerBMC Healthnet PlanOne Design Center PlaceBoston, MA 02210Work: 617-748-6034Cell: 617-290-4407
RE: [ActiveDir] FW: KDC Errors--Help
Yep. Seen it. If you're not finding it with LDP, you may just have the search criteria wrong. When you search, it should be starting from the root of the domainshould have a filter of something like: (serviceprincipalname=MSSQLSvc/ourserver.ourdomain.org:1523) That should return all accounts that have this entered. Do you still get different results? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine AllenSent: Tuesday, October 19, 2004 1:47 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] FW: KDC Errors--Help Running Windows 2000 AD with SP 3. Since October 9th we have been getting event errors Source: KDC Event 11 There are multiple accounts with name MSSQLSvc/ourserver.ourdomain.org:1523 of type 10. This error has been happening on just one of our domain controllers. I installed setspn.exe on the problem server and it lists only one account. I also used LDP.exe which did displayed 0 results. I tried all the resolutions on 321044, but I got nada. Has anyone else had this issue? If anyone can explain why this would happen all of a sudden I would really appreciate it. Thanks! -ChristineChristine N. AllenCitrix/Windows 2000 EngineerBMC Healthnet PlanOne Design Center PlaceBoston, MA 02210Work: 617-748-6034Cell: 617-290-4407
[ActiveDir] AD through a firewall
Hello all, Environment - Mixed mode Windows 2000 and 2003 domain controllers. One empty root and 8 child domains. Most domains have 3-5 DCs for redundancy and DR. One domain has 25 DCs for their branch offices, but they are not behind any firewalls. Two of the domains are behind separate internal firewalls. We currently have the communication going through the firewall via IPSec, but one of the domains wants the traffic to be visible for auditing purposes. Questions - Regarding ports required for AD replication over a firewall (using the MS white paper as a reference), would limiting RPC to one port make ourselves susceptible to saturation? There is some client communication to worry about, from a few clusters. Is there a way to make this entry a range versus just one port? Would we have to make this registry modification on all DCs that are not behind a firewall or just the ones that we would like to limit? Scenario: Rootdc is on the Corporate side of the firewall with most of the DCs. ChildDC1 is also on the Corporate side of the firewall. ChildDC2 is behind a divisional firewall. We make the limited RPC registry entry on Rootdc and ChildDC2, but do we have to make it on ChildDC1 as well? Another q article, 154596, mentions RPC dynamic port allocation as well, but I noticed it was different registry key than the DC-DC communication. Would creating a range this way solve the one port listing from above? Thank you for your assistance, Charles -- The information in this e-mail and any attachments are for the sole use of the intended recipient and may contain privileged and confidential information. If you are not the intended recipient, any use, disclosure, copying or distribution of this message or attachment is strictly prohibited. If you believe that you have received this e-mail in error, please contact the sender immediately and delete the e-mail and all of its attachments. == List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] groups vs attributes
Title: Message Yes, a sticky issue indeed. Many of these 'solutions' are only workable if you have some processes and standards in place beforehand, and you're reasonably sure they are followed (i.e., they're automated). The 'service account' approach to allow the 'consumer' system to search for the full DN seems like the lesser of two evils, imho. Given that many of these apps don't run on Windows boxes, the LocalSystem approach isn't always feasible. Yes, the reason for all of this is usually because the vendor can't assume which flavor of directory the customer has, so they try to use fairly generic mechanisms rather than dive into full AD integration. Seems to me that if you use extended rights objects as Gil suggests, apps that run on non-Windows boxes would still need a 'service account' or some such in order to read and use them. Maybe I'm missing something here - I'm thinking primarily of stuff like web applications on Unix servers. Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Tuesday, October 19, 2004 12:48 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] groups vs attributes Right. Some do. But once they go that route, you almost have to question why they just didn't integrate with the Active Directory authentication mechanisms in the first place. I would guess it has more to do with trying to be interoperable with multiple directory stores, but that's just a guess. Commonsimple LDAP bind uses a DN such as cn=amulnick,cn=Admins,dc=domain,dc=com to 'uniquely' identify the user. That'san RDN in many environments though, so you have no guarantee that it's unique in the ecosystem of directories that you have. Instead, you have to rely on process and procedure being defined, followed and enforced. That can be a tall order in many environments. Sincethe bind operation must be the firstoperation request of the protocol, you wouldhave either have the RDNof the user + authentication mechanism (kerb or plain-text password) else allow anonymous binds so youcould find the user and return the return thecurrent DN. You *could*provide the application a user account to usefor authentication to allow the search, but that's going even further outof the way and acts like a service account which we try to get away from whenever possible.You could also allow it to run under a localsystem account and trust the workstation to allow for the search, but that doesn't allow you to go cross platformto other directory stores. Using SSL is fine, but you still would have to allow anonymous or come up with some way to allow the user to be uniquely identified such as allowing anonymous binds to AD. It's a sticky issue to be sure. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David ASent: Tuesday, October 19, 2004 1:30 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] groups vs attributes Some LDAP 'consumers' get around these problems by first searching the directory for the user to get their current full DN, and then doing a bind with that. Of course, that means that you need to search on something that you know to be globally unique, like samAccountName. Alternatively, you couldbind using the UPN. As someone else pointed out, this ought to be done over SSL if you're using simple binds. Good food for thought in Gil's post...I'll have to play with that. Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Tuesday, October 19, 2004 11:14 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] groups vs attributes Anytime you use LDAP binding you create two problems: 1) Active Directory was designed to let users be moved around when needed. It happens as a matter of course and will often break LDAP applications that rely on LDAP bind. When the RDN changes, so does the user name right? 2) You are downgrading the security, because you're often only checking for the existence of an value vs. a challenge/response and strong password etc. Applications that do this are often web or database based. For example, several "security" applications allow access based on what your DN value is (that's the identity portion of the transaction) and your group membership (that's the authorization portion of the transaction) but they often assume that you've authenticated. Typically, an authentication process includes identification, authentication, and authorization to resources. That's what AD provides for you and you are no longer using that with LDAP bind. Not that you couldn't, but it's often left out. Older version of Siteminder do it this way for example if you choose to
RE: [ActiveDir] groups vs attributes
Title: Message I don't think you're missing anything. I think you also have articulatedthe reason that third-party authentication systems exist. It's been easier to integrate a third party authentication system for web apps, than to work in the non-windows systems. That's changing, but it's taking time. Those same apps could have used Kerberos realms for the most part, but then there's the whole directory management nightmare, maintaining trusted realms, etc. Using a third-party authentication intermediary gives you many more options to work this out. As *nix apps get better integrated into Active Directory (think Vintella and others yet to be released), this issue starts to become more simplified. FWIW, the reverse is also true. If you try to put a Windows host into a non-Microsoft directory/authentication ecosystem, it's tough to get it integrated for the same reasons. In the coming months, as RedHat digests it's latest acquisition and as Novell digests it's acquisitions, we may see some interesting products crop up for the same reasons.One never knows though. My opinion anyway. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David ASent: Tuesday, October 19, 2004 2:07 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] groups vs attributes Yes, a sticky issue indeed. Many of these 'solutions' are only workable if you have some processes and standards in place beforehand, and you're reasonably sure they are followed (i.e., they're automated). The 'service account' approach to allow the 'consumer' system to search for the full DN seems like the lesser of two evils, imho. Given that many of these apps don't run on Windows boxes, the LocalSystem approach isn't always feasible. Yes, the reason for all of this is usually because the vendor can't assume which flavor of directory the customer has, so they try to use fairly generic mechanisms rather than dive into full AD integration. Seems to me that if you use extended rights objects as Gil suggests, apps that run on non-Windows boxes would still need a 'service account' or some such in order to read and use them. Maybe I'm missing something here - I'm thinking primarily of stuff like web applications on Unix servers. Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Tuesday, October 19, 2004 12:48 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] groups vs attributes Right. Some do. But once they go that route, you almost have to question why they just didn't integrate with the Active Directory authentication mechanisms in the first place. I would guess it has more to do with trying to be interoperable with multiple directory stores, but that's just a guess. Commonsimple LDAP bind uses a DN such as cn=amulnick,cn=Admins,dc=domain,dc=com to 'uniquely' identify the user. That'san RDN in many environments though, so you have no guarantee that it's unique in the ecosystem of directories that you have. Instead, you have to rely on process and procedure being defined, followed and enforced. That can be a tall order in many environments. Sincethe bind operation must be the firstoperation request of the protocol, you wouldhave either have the RDNof the user + authentication mechanism (kerb or plain-text password) else allow anonymous binds so youcould find the user and return the return thecurrent DN. You *could*provide the application a user account to usefor authentication to allow the search, but that's going even further outof the way and acts like a service account which we try to get away from whenever possible.You could also allow it to run under a localsystem account and trust the workstation to allow for the search, but that doesn't allow you to go cross platformto other directory stores. Using SSL is fine, but you still would have to allow anonymous or come up with some way to allow the user to be uniquely identified such as allowing anonymous binds to AD. It's a sticky issue to be sure. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David ASent: Tuesday, October 19, 2004 1:30 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] groups vs attributes Some LDAP 'consumers' get around these problems by first searching the directory for the user to get their current full DN, and then doing a bind with that. Of course, that means that you need to search on something that you know to be globally unique, like samAccountName. Alternatively, you couldbind using the UPN. As someone else pointed out, this ought to be done over SSL if you're using simple binds. Good food for thought in Gil's post...I'll have to play with that. Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
[ActiveDir] IIS 6.0 AGAIN...
Hi all. Has anyone seen the error below? I am running IIS 6.0 on a Windows 2003 server. Every time this error comes on my website asked for a username and password. I restart IIS services and things are fine afterward. Event Type: Error Event Source: W3SVC Event Category: None Event ID: 1007 Date: 10/19/2004 Time: 3:59:49 PM User: N/A Computer: WebServer Description: Cannot register the URL prefix 'http://*:80/' for site '1'. The necessary network binding may already be in use. The site has been deactivated. Help greatly appreciated. Thank you, Z. V. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] IIS 6.0 AGAIN...
Forgot to mention that I am running in IIS 5.0 Isolation Mode if that makes a different. Thank you, Z.V. -Original Message- From: Za Vue [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 4:30 PM To: '[EMAIL PROTECTED]' Subject: IIS 6.0 AGAIN... Hi all. Has anyone seen the error below? I am running IIS 6.0 on a Windows 2003 server. Every time this error comes on my website asked for a username and password. I restart IIS services and things are fine afterward. Event Type: Error Event Source: W3SVC Event Category: None Event ID: 1007 Date: 10/19/2004 Time: 3:59:49 PM User: N/A Computer: WebServer Description: Cannot register the URL prefix 'http://*:80/' for site '1'. The necessary network binding may already be in use. The site has been deactivated. Help greatly appreciated. Thank you, Z. V. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] MOM alerts
All, I know this is OT, but I am sure you guys will help me out. We are using MOM in our setup, everything is working fine except that we are getting one mom alert on daily basis for the same server for LOW DISK SPACE and its says Failed to create the object 'ExchKP.PubKeyPublisher'.. But if I check the free disk space on the server, all volumes are having more than 60 % free disk space available. I am getting the below alert. Severity: Error Status: New Source: Exchange MOM Name: Low free disk space. Description: NOTE: Be sure to check the events associated with this alert, in order to get the most recent measurement of the space left on this drive. The initial event reported: Failed to create the object 'ExchKP.PubKeyPublisher'. Domain: USITCB Agent: MSTAEO0H Time: 10/18/2004 00:34:00 Can someone give any idea why this alert is generating? Thanks for your responses. Regards Manjeet Do you Yahoo!?vote.yahoo.com - Register online to vote today!
[ActiveDir] Hyperlinks
Hey all, Where do you change the color of Hyperlinks? I have a user who has changed the color and I cannot find where he did it... Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Hyperlinks
Hi, In IE - Tools - Internet Options. At the bottom (left side) button COLORS Regards, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: dinsdag 19 oktober 2004 23:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] Hyperlinks Hey all, Where do you change the color of Hyperlinks? I have a user who has changed the color and I cannot find where he did it... Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Hyperlinks
Oeps, forgot to mention. GENERAL tab -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: dinsdag 19 oktober 2004 23:36 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Hyperlinks Hi, In IE - Tools - Internet Options. At the bottom (left side) button COLORS Regards, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: dinsdag 19 oktober 2004 23:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] Hyperlinks Hey all, Where do you change the color of Hyperlinks? I have a user who has changed the color and I cannot find where he did it... Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Hyperlinks
Man, Talk about being too close... I looked at that page so many times and it was right there. Feel free to flame, I accept the newbie point. Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. Alpha Video 7711 Computer Ave. Edina, MN. 55435 952-896-9898 Local 800-388-0008 Watts 952-896-9899 Fax 612-804-8769 Cell 952-841-3327 Direct [EMAIL PROTECTED] Be excellent to each other ---End of Line--- -Original Message- From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 4:39 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Hyperlinks Oeps, forgot to mention. GENERAL tab -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: dinsdag 19 oktober 2004 23:36 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Hyperlinks Hi, In IE - Tools - Internet Options. At the bottom (left side) button COLORS Regards, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: dinsdag 19 oktober 2004 23:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] Hyperlinks Hey all, Where do you change the color of Hyperlinks? I have a user who has changed the color and I cannot find where he did it... Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Useful Group Policy Tool:
Playing around on the web last night and found this thought some of you may be interested http://ntsecurity.nu/toolbox/gplist/ James Blair IT Support Admin Upstream IT Origin Energy CSG Limited (07) 3858-0628