[ActiveDir] IP setting Script
I need a script that I can run from a server to change the DNS settings on my workstations. I have been given a new subnet. My DNS servers will need to be changed.
Thank you,
Z.V.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] password policy in NT4 PDC
Hi,
Would like to know: in NT4.0 PDC, when we apply user policy for password change, does it get applied to service accounts also? If no, why? Can anyone throw some light on this?
Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
"You never win Silver, You lose Gold"
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
RE: [ActiveDir] IP setting Script
You can do this I'm sure... one of the script wizards will no doubt come back with a solution. I am just curious why you are using static IPs on your workstations? Is DHCP not a possibility?
BR
Rob
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: 26 October 2004 13:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] IP setting Script
I need a script that I can run from a server to change the DNS settings on my workstations. I have been given a new subnet. My DNS servers will need to be changed.
Thank you,
Z.V.
RE: [ActiveDir] password policy in NT4 PDC
A service account is just a standard account and the policy should also affect it. Are you having issues with it? Can you be more specific?
Rob
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sudhir Kaushal
Sent: 26 October 2004 13:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] password policy in NT4 PDC
Hi,
Would like to know: in NT4.0 PDC, when we apply user policy for password change, does it get applied to service accounts also? If no, why? Can anyone throw some light on this?
Regards,
Sudhir Kaushal
RE: [ActiveDir] IP setting Script
The university's main DNS servers are Linux. My Active Directory is running its own DNS servers on its own subnet, but the workstations are getting IPs from the university's DHCP servers.
Thanks,
Z.V
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: Tuesday, October 26, 2004 8:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IP setting Script
You can do this I'm sure... one of the script wizards will no doubt come back with a solution. I am just curious why you are using static IPs on your workstations? Is DHCP not a possibility?
BR
Rob
Re: [ActiveDir] IP setting Script
Yes, DHCP should be pretty easy.
~Athif
On Tue, 26 Oct 2004 13:19:23 +0100, Robert Rutherford [EMAIL PROTECTED] wrote:
You can do this I'm sure... one of the script wizards will no doubt come back with a solution. I am just curious why you are using static IPs on your workstations? Is DHCP not a possibility?
BR
Rob
--
Mohammed.Athif Khaleel
RE: [ActiveDir] Extranet's
Return Receipt
Your document: RE: [ActiveDir] Extranet's
was received by: Justin Leney/US/DCI
at: 10/26/2004 08:42:44 AM
Re: [ActiveDir] password policy in NT4 PDC
If you set the attribute PASSWORD NEVER EXPIRES on Service Account, then the policy will not apply to this account, else it applies to all.
HTH,
Athif
On Tue, 26 Oct 2004 17:43:07 +0530, Sudhir Kaushal [EMAIL PROTECTED] wrote:
Hi,
Would like to know: in NT4.0 PDC, when we apply user policy for password change, does it get applied to service accounts also? If no, why? Can anyone throw some light on this?
Regards,
Sudhir Kaushal
--
Mohammed.Athif Khaleel
RE: [ActiveDir] IP setting Script
Is this just a test AD domain? How many workstations are we talking about?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: 26 October 2004 13:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IP setting Script
The university's main DNS servers are Linux. My Active Directory is running its own DNS servers on its own subnet, but the workstations are getting IPs from the university's DHCP servers.
Thanks,
Z.V
RE: [ActiveDir] IP setting Script
IP address:
    netsh int ip set address name="Local Area Connection" source=static 1.2.3.4 255.255.255.0 1.2.3.1 1
DNS addresses:
    netsh int ip set dns name="Local Area Connection" source=static 1.2.3.2
    netsh int ip add dns name="Local Area Connection" 1.2.3.3
WINS address:
    netsh int ip set wins name="Local Area Connection" source=static 1.2.3.5
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Tuesday, October 26, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IP setting Script
The university's main DNS servers are Linux. My Active Directory is running its own DNS servers on its own subnet, but the workstations are getting IPs from the university's DHCP servers.
Thanks,
Z.V
Re: [ActiveDir] IP setting Script
You set machines to automatically obtain DNS settings from the DHCP server
MohammedAthif Khaleel [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/26/2004 12:40 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: [ActiveDir] IP setting Script
Yes, DHCP should be pretty easy.
~Athif
Re: [ActiveDir] IP setting Script
NetSH makes it easy...
http://www.ultratech-llc.com/KB/?File=NetShell.TXT
- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/
On Tue, 26 Oct 2004 08:13:10 -0400, Za Vue [EMAIL PROTECTED] wrote:
I need a script that I can run from a server to change the DNS settings on my workstations. I have been given a new subnet. My DNS servers will need to be changed.
Thank you,
Z.V.
Re: [ActiveDir] IP setting Script
Hi Mahammed
You could use the netsh command - either in a startup script or login script, or run it remotely using psexecute.
    netsh interface ip set dns "Local Area Connection" static 10.10.10.10
    netsh interface ip add dns "Local Area Connection" 10.10.10.11
We have used those commands in a startup script when we change DNS at locations where they only have static addressing and it has worked well. Normally we would have 10 lines in the script for local area connections 1 to 5 - just because a lot of the older machines have had multiple replacement NICs. I am sure there is a way to make it apply to all active connections but I have not spent any more time researching it.
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/netsh_int_ip.asp
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
MohammedAthif Khaleel [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/26/2004 03:40 PM ZE3
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] IP setting Script
Yes, DHCP should be pretty easy.
~Athif
RE: [ActiveDir] IP setting Script
I have about 200 computers and 6 servers. Our campus is not a centralized campus. Every department has its own IT support and we choose what we want to run and what is best for us. There are little AD forests all over campus.
(This is the mess I inherited not long ago): I am consolidating a Novell 5.2 (running both IPX and IP) and NT4.0 domain into a Windows 2000 Active Directory. Currently there is a mix of static and DHCP leases. We are always running into IP conflicts. Instead of using the same subnet, they gave me a new subnet and will be taking away the old subnet. Now I have to reconfigure my DNS servers and the rest of my workstations.
Thank you,
Z.V
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: Tuesday, October 26, 2004 8:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IP setting Script
Is this just a test AD domain? How many workstations are we talking about?
RE: [ActiveDir] IP setting Script
That's fine for a single PC, but how would you change a range of machines? How could you pull in from a list?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: 26 October 2004 13:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IP setting Script
IP address:
    netsh int ip set address name="Local Area Connection" source=static 1.2.3.4 255.255.255.0 1.2.3.1 1
DNS addresses:
    netsh int ip set dns name="Local Area Connection" source=static 1.2.3.2
    netsh int ip add dns name="Local Area Connection" 1.2.3.3
WINS address:
    netsh int ip set wins name="Local Area Connection" source=static 1.2.3.5
RE: [ActiveDir] IP setting Script
Using set replaces. Using add, well, adds.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Tuesday, October 26, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IP setting Script
Does using Netsh clear the current static DNS settings?
Thanks,
Z.V
RE: [ActiveDir] Backup Strategy
We are currently pursuing a company called AmeriVault to store our data in their eVault. They have a wonderful product that will enable 9 different organizations to operate in a centralized manner and enable us to develop the required specifications for HIPAA Compliance. Their product ends up costing less than an internal solution. Take a look at them.
Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Monday, October 25, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Backup Strategy
I am sorry if this is off-topic, but I greatly respect the opinions/suggestions that come from this list.
I am working on a backup strategy for my company. We have just over 300GB of data to back up. I have been asked to estimate storage capacity/cost required to keep data for 1 month and 3 months, so this means that we will need between 1 and 3 TB of storage. The current backups are stored on a SCSI array and the plan is to use USB drives for offsiting our data. This means that we will need 4-12 300GB USB drives to store our offsite data.
I personally do not like this solution and am in favor of a disk/tape solution; using a disk array for onsite backups and using tape for offsite backups. The company prefers disk-based backup because of its speed. However, I think that disks are less reliable than tape and that using USB drives is not an enterprise-class solution (I have also heard that those 300GB USB drives are not too reliable). Not to mention the fact that these drives are bulky and our server room is already pretty cramped.
Does anyone have any suggestions? Are my concerns valid? Is my suggestion of disk/tape the best solution?
Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television
The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
RE: [ActiveDir] IP setting Script
You wanna give us a complete problem description then? I can't help you renamed your connections. :-P
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Tuesday, October 26, 2004 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IP setting Script
Also the fact that NOT all LAN connections are named Local Area Connection
Thanks,
Z.V.
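The two open questions above (reading targets from a list, and connections that are not all named Local Area Connection) can both be handled through WMI's Win32_NetworkAdapterConfiguration class instead of netsh. The following is an added example, not code posted by anyone in the thread; the file names and the -Apply switch are assumptions, and the DNS addresses are the sample ones from the netsh lines earlier in the thread.

```powershell
# Added example, not from the thread. Run in Windows PowerShell with an account
# that has administrative rights and WMI (DCOM) access on each workstation.
param(
    [string]   $ComputerList = '.\workstations.txt',            # hypothetical file: one host name per line
    [string[]] $NewDns       = @('10.10.10.10', '10.10.10.11'), # sample addresses from the thread
    [string]   $ReportPath   = '.\dns-change-report.csv',       # hypothetical output path
    [switch]   $Apply                                            # without -Apply nothing is changed
)

$wanted = $NewDns -join ','

$report = foreach ($line in Get-Content -Path $ComputerList) {
    $computer = $line.Trim()
    if (-not $computer) { continue }

    $query = @{
        Class        = 'Win32_NetworkAdapterConfiguration'
        ComputerName = $computer
        ErrorAction  = 'Stop'
    }

    try {
        # IPEnabled = TRUE matches every adapter with TCP/IP bound, whatever the
        # connection was renamed to. It also matches VPN and virtual adapters,
        # so review the report before running with -Apply.
        $nics = @(Get-WmiObject @query -Filter 'IPEnabled = TRUE')
    } catch {
        [pscustomobject]@{
            Computer = $computer; Adapter = ''; Dhcp = ''; OldDns = ''; NowDns = ''
            Result   = "query failed: $($_.Exception.Message)"
        }
        continue
    }

    foreach ($nic in $nics) {
        $old    = @($nic.DNSServerSearchOrder) -join ','
        $now    = $old
        $result = 'report only'

        if ($Apply) {
            try {
                # Replaces the whole server list, like "netsh ... set dns" plus "add dns".
                $rc  = $nic.SetDNSServerSearchOrder($NewDns).ReturnValue
                # Read the setting back instead of trusting the return code alone.
                $chk = Get-WmiObject @query -Filter "Index = $($nic.Index)"
                $now = @($chk.DNSServerSearchOrder) -join ','
                if ((0, 1) -contains $rc -and $now -eq $wanted) {
                    $result = if ($rc -eq 1) { 'changed, reboot required' } else { 'changed' }
                } else {
                    $result = "FAILED (WMI return value $rc)"
                }
            } catch {
                $result = "FAILED: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Computer = $computer; Adapter = $nic.Description; Dhcp = $nic.DHCPEnabled
            OldDns   = $old; NowDns = $now; Result = $result
        }
    }
}

# The old values are the rollback data and the audit trail for the change.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once without -Apply to see which adapters would be touched and what they point at today, then again with -Apply; machines that were unreachable appear in the report with a "query failed" result and can be retried later.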
[ActiveDir] Password policy in NT 4.0 PDC
Hi,
Would like to know: in NT4.0 PDC, when we apply user policy for password change, does it get applied to service accounts also? If no, why? Can anyone throw some light on this?
Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
"You never win Silver, You lose Gold"
Re: [ActiveDir] IP setting Script
Are you prohibited from setting up your own DHCP server for your segment?
- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/
On Tue, 26 Oct 2004 09:08:09 -0400, Za Vue [EMAIL PROTECTED] wrote:
I have about 200 computers and 6 servers. Our campus is not a centralized campus. Every department has its own IT support and we choose what we want to run and what is best for us. There are little AD forests all over campus.
(This is the mess I inherited not long ago): I am consolidating a Novell 5.2 (running both IPX and IP) and NT4.0 domain into a Windows 2000 Active Directory. Currently there is a mix of static and DHCP leases. We are always running into IP conflicts. Instead of using the same subnet, they gave me a new subnet and will be taking away the old subnet. Now I have to reconfigure my DNS servers and the rest of my workstations.
Thank you,
Z.V
RE: [ActiveDir] IP setting Script
Not prohibited, just don't want an extra service to manage. Also there are always politics involved. I may just have to come in this weekend and touch all machines.
Thank you,
Z.V
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ASB
Sent: Tuesday, October 26, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] IP setting Script
Are you prohibited from setting up your own DHCP server for your segment?
- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/
RE: [ActiveDir] Password policy in NT 4.0 PDC
There is no difference between user accounts and service accounts. They are both accounts subject to the domain password policy. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal Sent: Tuesday, October 26, 2004 7:12 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Password policy in NT 4.0 PDC Hi, Would like to know that, in NT4.0 PDC when we apply user policy for password change, does it get apply on service accounts also ? If NO, why ? Can anyone throw some light on this. Regards, Sudhir Kaushal Systems Engineer (GIS) Computer Sciences Corporation. India - + 91 120 2582323 Ext. 2649 Denmark - + 45 70100024 Ext. 2649 You never win Silver, You lose Gold This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
RE: [ActiveDir] script logic question
That's going to be tough. That's not indexed nor in the GC by default which may make it a little tougher/slower. However, because you need to know that the users with that attribute equal to S are in fact properly in a particular group, I don't think you meet your criteria if you instead use the group as the authoritative source of information. You pretty much have to iterate each user and if they have that attribute set to S then check their group memberships and report if a member of the particular group. Otherwise, you could get a situation where a person should be a member of the group and somehow was missed. If the reverse is true, i.e. the user is a member and shouldn't be, you'd be looking at some other authoritative source for that information anyway. Because of that last bit, you could start with a list of those that are supposed to be in that group and then look each of them up to validate the attribute value and the group membership. Again, you run the risk of having the wrong people in the group though. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, October 26, 2004 1:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] script logic question I need to make sure all users where the value of attribute employeeType is S are members of a given group. Right now I only want to report on it, not actually change the group membership. Logically, what is the most efficient way to achieve this? 1. do I place the membership of the group into an array and then loop through all the users to see if they are in the array 2. do I loop through all the users and check each one's memberOf for the existence of the group? I think option 1 seems better than 2, but I'm willing to bet someone has a much better idea. Thanks! 
Mark List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] script logic question
I'll agree with Al that you want to make sure that your group membership cross checks. Regarding your point #1. If you have a large number of users involved, you will get better performance with a dictionary instead of an array. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 26, 2004 10:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] script logic question That's going to be tough. That's not indexed nor in the GC by default which may make it a little tougher/slower. However, because you need to know that the users with that attribute equal to S are in fact properly in a particular group, I don't think you meet your criteria if you instead use the group as the authoritative source of information. You pretty much have to iterate each user and if they have that attribute set to S then check their group memberships and report if a member of the particular group. Otherwise, you could get a situation where a person should be a member of the group and somehow was missed. If the reverse is true, i.e. the user is a member and shouldn't be, you'd be looking at some other authoritative source for that information anyway. Because of that last bit, you could start with a list of those that are supposed to be in that group and then look each of them up to validate the attribute value and the group membership. Again, you run the risk of having the wrong people in the group though. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, October 26, 2004 1:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] script logic question I need to make sure all users where the value of attribute employeeType is S are members of a given group. Right now I only want to report on it, not actually change the group membership. Logically, what is the most efficient way to achieve this? 1. 
do I place the membership of the group into an array and then loop through all the users to see if they are in the array 2. do I loop through all the users and check each one's memberOf for the existence of the group? I think option 1 seems better than 2, but I'm willing to bet someone has a much better idea. Thanks! Mark List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
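The cross-check discussed in this thread, as an added example that is not part of any poster's message: it loads the group's members into a set (the "dictionary instead of an array" point) and reports in both directions, so a missed user and an unexpected member both show up. The LDIF export, DNs and group name are constructed; `employeeType`, `member` and `objectClass` are the real attribute names, and only direct membership is checked.

```python
"""Report-only audit: employeeType=S users versus direct members of one group."""
import base64
import re

# Constructed sample export in LDIF form; every DN and name here is made up.
# "member;range=..." is the ranged form AD returns for large groups (list shortened).
SAMPLE_LDIF = """\
version: 1

dn: CN=Staff-S,OU=Groups,DC=example,DC=local
objectClass: group
member;range=0-1499: CN=Ann Lee,OU=Staff,DC=example,DC=local
member;range=0-1499: cn=bob ray, ou=staff, dc=example, dc=local
member;range=0-1499: CN=Dan Fox,OU=Staff,
 DC=example,DC=local
member;range=0-1499: CN=Old Acct,OU=Gone,DC=example,DC=local

dn: CN=Ann Lee,OU=Staff,DC=example,DC=local
objectClass: user
employeeType: S

dn: CN=Bob Ray,OU=Staff,DC=example,DC=local
objectClass: user
employeeType: s

dn: CN=Cy Poe,OU=Staff,DC=example,DC=local
objectClass: user
employeeType: S

dn: CN=Dan Fox,OU=Staff,DC=example,DC=local
objectClass: user
employeeType: F

dn: CN=Eve Ash,OU=Staff,DC=example,DC=local
objectClass: user
"""


def parse_ldif(text):
    """Return a list of records; each maps a lowercased attribute to its values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: continue the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.split(";")[0].strip().lower()   # drop options such as ;range=0-1499
        current.setdefault(name, []).append(value)
    return records


def norm_dn(dn):
    """Case-fold a DN and trim spaces around RDN separators so DNs compare equal."""
    parts = re.split(r"(?<!\\),", dn)          # do not split on escaped commas
    return ",".join(p.strip() for p in parts).casefold()


def audit(records, group_dn, wanted_type="S"):
    """Compare employeeType against direct group membership; changes nothing."""
    by_dn = {norm_dn(r["dn"][0]): r for r in records if "dn" in r}
    group = by_dn.get(norm_dn(group_dn))
    if group is None:
        raise ValueError("group not found in export: " + group_dn)
    members = {norm_dn(m) for m in group.get("member", [])}   # set: O(1) lookups

    missing, unexpected = [], []
    for key, rec in by_dn.items():
        if "user" not in [c.lower() for c in rec.get("objectclass", [])]:
            continue
        types = [v.casefold() for v in rec.get("employeetype", [])]
        has_type = wanted_type.casefold() in types
        if has_type and key not in members:
            missing.append(rec["dn"][0])       # should be in the group, is not
        elif not has_type and key in members:
            unexpected.append(rec["dn"][0])    # in the group, attribute disagrees
    return {
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
        # Members that are not in the export at all (deleted, other domain, nested group).
        "unresolved_members": sorted(m for m in members if m not in by_dn),
    }


if __name__ == "__main__":
    report = audit(parse_ldif(SAMPLE_LDIF), "CN=Staff-S,OU=Groups,DC=example,DC=local")
    for section, dns in report.items():
        print(section, dns)
```

Membership through nested groups or through a user's primary group does not appear in the group's `member` attribute, so those cases need a separate check.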
[ActiveDir] Revoked GPO Still Applying
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

One of my admins accidentally moved a critical workstation account into my "jail" OU, which completely locks down the account in question. Of course, to add more joy to the situation, he absolutely cannot figure out the local administrator account password. I re-enabled the account and moved it back to its original container, but still no joy - the machine still wants to process the "jail" GPO. Using ERD Commander (which gives full disk access), I moved/renamed the files in C:\Windows\Security\Templates\Policies and renamed SecEdit.sdb. All of the files in the "Policies" folder reflected the old GPO, and were successfully replaced with the correct GPO settings upon reboot, but still no joy. The old GPO still seems to be applied, so when I try to log in, I get the error (which I'm paraphrasing), "The domain XXX cannot be contacted." If I boot the machine with no network connection, it boots up very quickly, as though it ignores the cached GPO. However, if it is plugged in, it takes a good five minutes to boot up, and provides some interesting messages on the banner that I've never seen. Namely, it pauses on "MUP is initializing..." How can I force the machine to either process the new GPO or not process any GPO? Many thanks! -James R. Rogers

Thank You, James R. Rogers First National Bank of Three Rivers

The information transmitted is intended only for the person(s) or entity(ies) to which it is addressed and may contain confidential and/or privileged material. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy, disseminate, distribute, disclose, or deliver this message to anyone. If you have received this e-mail transmission in error, please reply to the sender so that arrangements can be made for proper delivery, after which, please delete the message. Thank You.
RE: [ActiveDir] Revoked GPO Still Applying
James-

Which GP settings are still being applied, or do you know? Can you run gpresult or rsop.msc on that box to determine this? I'm not sure what you mean by, All of the files in the "Policies" folder reflected the old GPO, and were successfully replaced with the correct GPO settings upon reboot. Are you saying that security policy appears correct now? It would be good to know the exact error, because a message indicating the domain can't be contacted sounds more like a name resolution error than a GP problem. Also, the reason the machine boots quickly when not on the network is because no GP processing is done in that scenario. GPOs aren't cached per-se. GP settings are processed and changes are made to the appropriate registry entries, local SAM, etc. So, there is nothing cached that is processed when a machine is not on the network.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, October 26, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Revoked GPO Still Applying

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

One of my admins accidentally moved a critical workstation account into my "jail" OU, which completely locks down the account in question. Of course, to add more joy to the situation, he absolutely cannot figure out the local administrator account password. I re-enabled the account and moved it back to its original container, but still no joy - the machine still wants to process the "jail" GPO. Using ERD Commander (which gives full disk access), I moved/renamed the files in C:\Windows\Security\Templates\Policies and renamed SecEdit.sdb. All of the files in the "Policies" folder reflected the old GPO, and were successfully replaced with the correct GPO settings upon reboot, but still no joy.
The old GPO still seems to be applied, so when I try to log in, I get the error (which I'm paraphrasing), "The domain XXX cannot be contacted." If I boot the machine with no network connection, it boots up very quickly, as though it ignores the cached GPO. However, if it is plugged in, it takes a good five minutes to boot up, and provides some interesting messages on the banner that I've never seen. Namely, it pauses on "MUP is initializing..." How can I force the machine to either process the new GPO or not process any GPO? Many thanks! -James R. Rogers

Thank You, James R. Rogers First National Bank of Three Rivers

The information transmitted is intended only for the person(s) or entity(ies) to which it is addressed and may contain confidential and/or privileged material. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy, disseminate, distribute, disclose, or deliver this message to anyone. If you have received this e-mail transmission in error, please reply to the sender so that arrangements can be made for proper delivery, after which, please delete the message. Thank You.
[ActiveDir] Changing domain case?
For some reason, someone in our org. upgraded an NT4 domain to a Windows 2000 child domain and used Capital Letters in the fully qualified domain name. All our other domain names are lower case. How can I change this domain to lower case to match the others? -Devon

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Revoked GPO Still Applying
The files in the "Policies" folder did have all the "jailed" GPO attributes listed, but when I removed them and rebooted, the files were replaced with the correct GPO settings. The security policy in these files appears to be correct now, but the old policy still appears to be the one that is actually applied. If it'd help, I can provide a dump from the old files that shows what was being applied. Unfortunately, I can't access the OS directly, so there is no way for me to run the GPResult or RSoP MMC's. For some reason, the system BSoD's when I try to boot into any variation of safemode, so no joy there, either. Thanks for your help, it's very much appreciated. -James R. Rogers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, October 26, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Revoked GPO Still Applying

James-

Which GP settings are still being applied, or do you know? Can you run gpresult or rsop.msc on that box to determine this? I'm not sure what you mean by, All of the files in the "Policies" folder reflected the old GPO, and were successfully replaced with the correct GPO settings upon reboot. Are you saying that security policy appears correct now? It would be good to know the exact error, because a message indicating the domain can't be contacted sounds more like a name resolution error than a GP problem. Also, the reason the machine boots quickly when not on the network is because no GP processing is done in that scenario. GPOs aren't cached per-se. GP settings are processed and changes are made to the appropriate registry entries, local SAM, etc. So, there is nothing cached that is processed when a machine is not on the network.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, October 26, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Revoked GPO Still Applying

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

One of my admins accidentally moved a critical workstation account into my "jail" OU, which completely locks down the account in question. Of course, to add more joy to the situation, he absolutely cannot figure out the local administrator account password. I re-enabled the account and moved it back to its original container, but still no joy - the machine still wants to process the "jail" GPO. Using ERD Commander (which gives full disk access), I moved/renamed the files in C:\Windows\Security\Templates\Policies and renamed SecEdit.sdb. All of the files in the "Policies" folder reflected the old GPO, and were successfully replaced with the correct GPO settings upon reboot, but still no joy. The old GPO still seems to be applied, so when I try to log in, I get the error (which I'm paraphrasing), "The domain XXX cannot be contacted." If I boot the machine with no network connection, it boots up very quickly, as though it ignores the cached GPO. However, if it is plugged in, it takes a good five minutes to boot up, and provides some interesting messages on the banner that I've never seen. Namely, it pauses on "MUP is initializing..." How can I force the machine to either process the new GPO or not process any GPO? Many thanks! -James R. Rogers

Thank You, James R. Rogers First National Bank of Three Rivers

The information transmitted is intended only for the person(s) or entity(ies) to which it is addressed and may contain confidential and/or privileged material. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy, disseminate, distribute, disclose, or deliver this message to anyone.
If you have received this e-mail transmission in error, please reply to the sender so that arrangements can be made for proper delivery, after which, please delete the message. Thank You.
RE: [ActiveDir] Revoked GPO Still Applying
Just for future reference, the files in that Policies folder don't need to be removed manually. Those are temporary files that the Security CSE creates when it downloads the GPO-based security policy. They will be updated automatically if security policy processing is occurring correctly. Keep in mind that security policy won't apply unless the GPO has changed. You can force it to apply using gpupdate /force or security policy will automatically re-apply itself every 16 hours by default.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, October 26, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Revoked GPO Still Applying

The files in the "Policies" folder did have all the "jailed" GPO attributes listed, but when I removed them and rebooted, the files were replaced with the correct GPO settings. The security policy in these files appears to be correct now, but the old policy still appears to be the one that is actually applied. If it'd help, I can provide a dump from the old files that shows what was being applied. Unfortunately, I can't access the OS directly, so there is no way for me to run the GPResult or RSoP MMC's. For some reason, the system BSoD's when I try to boot into any variation of safemode, so no joy there, either. Thanks for your help, it's very much appreciated. -James R. Rogers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, October 26, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Revoked GPO Still Applying

James-

Which GP settings are still being applied, or do you know? Can you run gpresult or rsop.msc on that box to determine this? I'm not sure what you mean by, All of the files in the "Policies" folder reflected the old GPO, and were successfully replaced with the correct GPO settings upon reboot. Are you saying that security policy appears correct now?
It would be good to know the exact error, because a message indicating the domain can't be contacted sounds more like a name resolution error than a GP problem. Also, the reason the machine boots quickly when not on the network is because no GP processing is done in that scenario. GPOs aren't cached per-se. GP settings are processed and changes are made to the appropriate registry entries, local SAM, etc. So, there is nothing cached that is processed when a machine is not on the network.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, October 26, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Revoked GPO Still Applying

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

One of my admins accidentally moved a critical workstation account into my "jail" OU, which completely locks down the account in question. Of course, to add more joy to the situation, he absolutely cannot figure out the local administrator account password. I re-enabled the account and moved it back to its original container, but still no joy - the machine still wants to process the "jail" GPO. Using ERD Commander (which gives full disk access), I moved/renamed the files in C:\Windows\Security\Templates\Policies and renamed SecEdit.sdb. All of the files in the "Policies" folder reflected the old GPO, and were successfully replaced with the correct GPO settings upon reboot, but still no joy. The old GPO still seems to be applied, so when I try to log in, I get the error (which I'm paraphrasing), "The domain XXX cannot be contacted." If I boot the machine with no network connection, it boots up very quickly, as though it ignores the cached GPO. However, if it is plugged in, it takes a good five minutes to boot up, and provides some interesting messages on the banner that I've never seen. Namely, it pauses on "MUP is initializing..." How can I force the machine to either process the new GPO or not process any GPO? Many thanks! -James R. Rogers

Thank You, James R.
Rogers First National Bank of Three Rivers The information transmitted is intended only for the person(s) or entity(ies) to which it is addressed and may contain confidential and/or privileged material. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy, disseminate, distribute, disclose, or deliver this message to anyone. If you have received this e-mail transmission in error, please reply to the sender so that arrangements can be made for proper delivery, after which, please delete the message. Thank You.
[ActiveDir] Problems Adding Computers to AD
We've delegated the permission to add computer accounts to our AD environment to some admins. They can go into ADUC and add the computer account without problem. However, when they go to the PC to change its domain membership, on some PC's they get an error about not enough storage space. But, some PC's work fine. We cannot determine why this is happening. Any ideas? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] OT: Windows XP automatic profile deletion suggestions
We have many labs that many students use and in this one particular lab we do not have any desktop controls (DeepFreeze, Fortress or even strict GPOs) set for a number of reasons. Most of the students do not have a home folder to redirect roaming profiles to and we would rather not set that up. We want to get away from having them log in using a generic user account. So I am looking for an easy way to automatically delete the user profile upon logout so the machine does not accumulate many profiles over time. I have done this using Terminal Services and Citrix. For those students that have home folders we are implementing roaming profiles to fix this but we really do not want to add the rest of these students into that category. My goal is to have them login with their unique userid and then once they logout the profile is deleted either with a script or some other unknown mechanism that escapes me right now. Any suggestions? Thanks -- Brian
[ActiveDir] Event ID:675
I have a W2K DC that is giving me an error in the Security Log every minute, this error is a failure Audit on the Domain Admin account, I have no idea where this is coming from! This is a domain controller is running all the service packs and patches, it also has Exchange server 5.5 with service pack 4. Our domain is composed of two DC's and has one child domain with one DC that we use for testing purposes. Any help will be appreciated. See error details:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 10/26/2004
Time: 3:47:56 PM
User: NT AUTHORITY\SYSTEM
Computer: machine-name
Description: Pre-authentication failed:
User Name: domain-admin
User ID: DOMAIN\domain-admin
Service Name: krbtgt/DOMAIN.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks, Art

-- FutureSoft, Inc. 12012 Wickchester Lane, Suite 600 Houston, TX 77079 If you no longer want to receive commercial e-mail correspondence from FutureSoft, you may remove your address from our records by visiting www.futuresoft.com/emailremoval.asp --
RE: [ActiveDir] DSACLS question
Hi Mike, Try the following:

DSACLS "<DN of OU>" /G "<NetBios DOMAIN name>\<samaccountname of security principal>:ca;Generate Resultant Set of Policy (Planning)"
e.g. DSACLS "OU=ORG,DC=INFRA,DC=LOCAL" /G "INFRA\GLOBALGROUP:ca;Generate Resultant Set of Policy (Planning)"

DSACLS "<DN of OU>" /G "<NetBios DOMAIN name>\<samaccountname of security principal>:ca;Generate Resultant Set of Policy (Logging)"
e.g. DSACLS "OU=ORG,DC=INFRA,DC=LOCAL" /G "INFRA\GLOBALGROUP:ca;Generate Resultant Set of Policy (Logging)"

Regards, Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 26-10-2004 21:40
Subject: [ActiveDir] DSACLS question

Is there any way to automate the delegation of Generate Resultant Set of Policy (Planning) and (Logging) to a global group via DSACLS? If not, is there another tool that can do it? I'm trying to develop a repeatable method to set up our RBAC delegation across all AD domains. I've been able to use DSACLS to delegate just about everything else, but this. Thanks, Mike

*** PLEASE NOTE *** This E-Mail/telefax message and any documents accompanying this transmission may contain privileged and/or confidential information and is intended solely for the addressee(s) named above. If you are not the intended addressee/recipient, you are hereby notified that any use of, disclosure, copying, distribution, or reliance on the contents of this E-Mail/telefax information is strictly prohibited and may result in legal action against you. Please reply to the sender advising of the error in transmission and immediately delete/destroy the message and any accompanying documents. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege.
It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Event ID:675
Hi, Try the following link for more info: http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

Regards, Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]'
Sent: 26-10-2004 23:35
Subject: [ActiveDir] Event ID:675

I have a W2K DC that is giving me an error in the Security Log every minute, this error is a failure Audit on the Domain Admin account, I have no idea where this is coming from! This is a domain controller is running all the service packs and patches, it also has Exchange server 5.5 with service pack 4. Our domain is composed of two DC's and has one child domain with one DC that we use for testing purposes. Any help will be appreciated. See error details:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 10/26/2004
Time: 3:47:56 PM
User: NT AUTHORITY\SYSTEM
Computer: machine-name
Description: Pre-authentication failed:
User Name: domain-admin
User ID: DOMAIN\domain-admin
Service Name: krbtgt/DOMAIN.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks, Art

-- FutureSoft, Inc. 12012 Wickchester Lane, Suite 600 Houston, TX 77079 If you no longer want to receive commercial e-mail correspondence from FutureSoft, you may remove your address from our records by visiting www.futuresoft.com/emailremoval.asp --

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
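A triage sketch for the Event 675 record in this thread, as an added example that is not part of either message: it parses the description fields (also when the labels have run together, as happens in pasted mail), names the Kerberos codes, and groups repeats by account and client address. The first sample is the description quoted in the post; the other samples, the threshold and the function names are assumptions. The code names come from RFC 4120: 0x18 is KDC_ERR_PREAUTH_FAILED (typically a wrong password) and pre-authentication type 0x2 is PA-ENC-TIMESTAMP.

```python
"""Parse and group Security-log Event 675 (Kerberos pre-authentication failed)."""
import ipaddress
import re
from collections import Counter

LABELS = ["User Name", "User ID", "Service Name",
          "Pre-Authentication Type", "Failure Code", "Client Address"]
_ALT = "|".join(re.escape(label) for label in LABELS)
# A value runs until the next known label, so missing spaces do not matter.
FIELD_RE = re.compile(r"(%s):\s*(.*?)\s*(?=(?:%s):|$)" % (_ALT, _ALT), re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

KDC_ERRORS = {                      # subset of RFC 4120 error codes
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}
PA_TYPES = {0x02: "PA-ENC-TIMESTAMP"}

# Description text as quoted in the post.
PAGE_EVENT = (r"Pre-authentication failed: User Name: domain-admin "
              r"User ID: DOMAIN\domain-admin Service Name: krbtgt/DOMAIN.COM "
              r"Pre-Authentication Type: 0x2 Failure Code: 0x18 "
              r"Client Address: 127.0.0.1 For more information, see Help and Support Center.")
# Constructed: the same record with the spaces lost, and one unrelated remote failure.
RUN_TOGETHER = (r"Pre-authentication failed:User Name:domain-adminUser ID:DOMAIN\domain-admin"
                r"Service Name:krbtgt/DOMAIN.COMPre-Authentication Type:0x2"
                r"Failure Code:0x18Client Address:127.0.0.1")
REMOTE_EVENT = (r"Pre-authentication failed: User Name: jdoe User ID: DOMAIN\jdoe "
                r"Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type: 0x2 "
                r"Failure Code: 0x18 Client Address: 10.0.0.5")
SAMPLE_EVENTS = [PAGE_EVENT, RUN_TOGETHER, PAGE_EVENT, REMOTE_EVENT]


def parse_675(description):
    """Return the fields of one Event 675 description as a dict."""
    fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(description)}
    absent = [label for label in LABELS if label not in fields]
    if absent:
        raise ValueError("not an Event 675 description, missing: %s" % absent)
    addr = IPV4_RE.match(fields["Client Address"])   # ignore trailing help text
    if addr is None:
        raise ValueError("no IPv4 client address: %r" % fields["Client Address"])
    return {
        "user": fields["User ID"],
        "service": fields["Service Name"],
        "pa_type": int(fields["Pre-Authentication Type"], 16),
        "code": int(fields["Failure Code"], 16),
        "client": ipaddress.ip_address(addr.group(0)),
    }


def triage(descriptions, threshold=3):
    """Report (account, client, code) groups seen at least `threshold` times."""
    counts = Counter()
    for text in descriptions:
        e = parse_675(text)
        counts[(e["user"], e["client"], e["code"])] += 1
    findings = []
    for (user, client, code), n in counts.items():
        if n < threshold:
            continue
        findings.append({
            "user": user,
            "client": str(client),
            "count": n,
            "error": KDC_ERRORS.get(code, "code 0x%x" % code),
            # Loopback means the request was made by something running on the DC
            # itself (a service, scheduled task or session using a stale password).
            "origin": "this DC (loopback)" if client.is_loopback else "remote host",
        })
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```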
RE: [ActiveDir] OT: Windows XP automatic profile deletion suggestions
Brian-

There is already a policy for this. Check out Computer Configuration|Administrative Templates|System|user Profiles|Delete cached copies of roaming profiles.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Tuesday, October 26, 2004 1:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Windows XP automatic profile deletion suggestions

We have many labs that many students use and in this one particular lab we do not have any desktop controls (DeepFreeze, Fortress or even strict GPOs) set for a number of reasons. Most of the students do not have a home folder to redirect roaming profiles to and we would rather not set that up. We want to get away from having them log in using a generic user account. So I am looking for an easy way to automatically delete the user profile upon logout so the machine does not accumulate many profiles over time. I have done this using Terminal Services and Citrix. For those students that have home folders we are implementing roaming profiles to fix this but we really do not want to add the rest of these students into that category. My goal is to have them login with their unique userid and then once they logout the profile is deleted either with a script or some other unknown mechanism that escapes me right now. Any suggestions? Thanks -- Brian
RE: [ActiveDir] OT: Windows XP automatic profile deletion suggestions
Darren, You can create a logoff/login script using delprof version 5.2 in the XP resource kit using the /Q switch, alternatively it could be a scheduled task at login/logoff James From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, 27 October 2004 9:40 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Windows XP automatic profile deletion suggestions Brian- There is already a policy for this. Check out Computer Configuration|Administrative Templates|System|user Profiles|Delete cached copies of roaming profiles. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L. Sent: Tuesday, October 26, 2004 1:44 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Windows XP automatic profile deletion suggestions We have many labs that many students use and in this one particular lab we do not have any desktop controls (DeepFreeze, Fortress or even strict GPOs) set for a number of reasons. Most of the students do not have a home folder to redirect roaming profiles to and we would rather not set that up. We want to get away from having them log in using a generic user account. So I am looking for an easy way to automatically delete the user profile upon logout so the machine does not accumulate many profiles over time. I have done this using Terminal Services and Citrix. For those students that have home folders we are implementing roaming profiles to fix this but we really do not want to add the rest of these students into that category. My goal is to have them login with their unique userid and then once they logout the profile is deleted either with a script or some other unknown mechanism that escapes me right now. Any suggestions? Thanks -- Brian