RE: [ActiveDir] AD Test Environment
If you do that method then the DC that you have in the test environment will have a different name to the ones in Production which may mean that when testing solutions (is that why you are doing this?) you will have a different names and stuff to worry about. We achieve what you are after here by performing a restore to identical hardware in an air gapped network. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony MurraySent: 16 January 2006 18:18To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD Test Environment Hi Frank There's a suggestion on how to do this here: http://www.activedir.org/article.aspx?aid=24#22 Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank AbagnaleSent: Tuesday, 17 January 2006 4:07 a.m.To: ActiveSubject: [ActiveDir] AD Test Environment Hi, Single W2k3 Forest/domain I am planning on building anexact like for like test environment. My initial thought is to add a DC to the domain and then pull this off, do a metadata cleanup in live to remove any traces of this DC. I would like some advice onwhat steps I will need to take in order to use this DC in theTest Environment. Would I need to do anything with the legacyDC's which are no longer available in AD,do I need to clean these up?I assume I will need to seize the FSMO's I use AD Integrated DNS so this is covered, WINS is not too much of a problem. I also need to think about Exchange SUS updates... Any experience of this would be great thanks Frank Yahoo! Photos Showcase holiday pictures in hardcoverPhoto Books. You design it and well bind it! This message has been scanned for viruses by MailControl This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
RE: [ActiveDir] ADUC updates - Was Expired Accounts
This may be more of an Exchange management add-in, but it sure would be nice to be able to go into Exchange Tasks from ADUC and do an export of a mailboxor is there some exmerge plug-in to do this
[ActiveDir] OT: Folder password protection
Management wants to have certain folders on the serverpassword protected. I have access limited to the folders already, but they want an extra level of comfort. Does anyone do this in their system already, and if so what are suggested solutions. Windows 2003 server SP2 in a Win2000 AD environment. Thanks Mike (Almost full time lurker) Michael P. Williams Information Technology Carlyle Van Lines (660) 747-8128 X 3816 [EMAIL PROTECTED] www.carlylevanlines.com
RE: [ActiveDir] OT: Folder password protection
Well one way to do it is set up secondary accounts, put them in a group, give that group (and that group only) access to the folders, and assign the secondary accounts to the people who need the access. OR Try to ascertain what the manager is trying to accomplish, and see if there is another way to set his/her mind at rest. Such as, auditing access on the folders, proving only the accounts specified cannot access the folders, etc. Personally Id try to avoid secondary accounts for that purpose, or 3rd party solutions, as they just add more complexity. But thats just my opinion. Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams Sent: Tuesday, January 17, 2006 9:21 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Folder password protection Management wants to have certain folders on the serverpassword protected. I have access limited to the folders already, but they want an extra level of comfort. Does anyone do this in their system already, and if so what are suggested solutions. Windows 2003 server SP2 in a Win2000 AD environment. Thanks Mike (Almost full time lurker) Michael P. Williams Information Technology Carlyle Van Lines (660) 747-8128 X 3816 [EMAIL PROTECTED] www.carlylevanlines.com ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
[ActiveDir] Manage Your Server - Removing from Default User
Does anyone know how to stop the Manage Your Server applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks! JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
RE: [ActiveDir] Manage Your Server - Removing from Default User
there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:43 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Manage Your Server - Removing from Default User Does anyone know how to stop the "Manage Your Server" applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks!JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
[ActiveDir] Unresolved SIDs in ACL
Title: Unresolved SIDs in ACL I have a script, which creates a pre-defined OU structure, creates groups and permissions the OUs with these groups. The script performs these steps in the order given. I have 2 test environments and have executed the script in each. In one environment (all w2k3 sp1 DCs, dfl and ffl=2), the script works fine and all OUs and ACEs/ACLs are correct. In the other environment (also w2k3 sp1 DCs and dfl/ffl=2) the script works fine but all new ACEs are shown as SIDs when viewed thru the ACL editor. Eventually, these unresolved SIDs are shown as 'account unknown'. I have used sidtoname (thanks joe!) and that shows that the SID cannot be resolved to a name (as expected, I guess). I'm sure someone must have seen this strange behaviour before and has some suggestions. I would suspect the latter environment to be at blame, but it was only built very recently and is still pristine. All suggestions very welcome. Thanks, neil ___ Neil Ruston Global Technology Infrastructure Nomura International plc PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Manage Your Server - Removing from Default User
Theres a GP for it Admin Templates/Windows Components somewhere probably. Check the GP master spreadsheet Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 10:43 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Manage Your Server - Removing from Default User Does anyone know how to stop the Manage Your Server applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks! JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
RE: [ActiveDir] Manage Your Server - Removing from Default User
Kelli, thanks for the feedback. Clicking the checkbox will only affect the currently logged in user. Basically, I am looking around for something system-wide, so that everyone who logs in does not recieve the Manage Your Server applet. Kelli Driesenga [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/17/2006 10:50 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Manage Your Server - Removing from Default User there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 10:43 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Manage Your Server - Removing from Default User Does anyone know how to stop the Manage Your Server applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks! JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
[ActiveDir] FYI: W2K3 SP1 VMWARE issue
Title: FYI: W2K3 SP1 VMWARE issue Hi Everyone, As you all may know a few months ago I posted two issues with Vmware and W2K3SP1 DCs. The issues described are: * Adding additional W2K3SP1 DCs to the forest * Creating trusts from a W2K3SP1 forest to another forest (does not matter which OS) Both the issues are described here: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx http://blogs.dirteam.com/blogs/jorge/archive/2005/12/18/297.aspx http://www.activedir.org/article.aspx?aid=75 This time a was setting up an environment with a w2k forest and a w2k3 sp1 forest. When setting up the trust I received the error we discussed a while ago (see articles above). A few days ago someone posted which component caused this issue. The component in error seems to be the Shared Folder component from Vmware (at least in Vmware Workstation). This time instead of changing the password of the administrator account, I deinstalled the Shared Folder component and rebooted the DC. After that I was able to create the trust without any problem. So, the Shared Folder component from Vmware does seem to be the root cause of this. Cheers, Jorge Met vriendelijke groet / Kind regards, Jorge de Almeida Pinto Infrastructure Consultant BLOG http://blogs.dirteam.com/blogs/jorge/default.aspx __ LogicaCMG Nederland B.V. (BU SD/AT) Division Industry, Distribution and Transport (IDT) Kennedyplein 248, 5611 ZT, Eindhoven . Postbus 7089 5605 JB Eindhoven ( Tel : +31-(0)40-29.57.777 2 Fax : +31-(0)40-29.57.709 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : [EMAIL PROTECTED] http://www.logicacmg.com/ - Solutions that matter - This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Manage Your Server - Removing from Default User
why are you having multiple people log into your server? We only allow Admin access and there are only two people with that kind of access. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 11:06 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Kelli, thanks for the feedback. Clicking the checkbox will only affect the currently logged in user. Basically, I am looking around for something system-wide, so that everyone who logs in does not recieve the "Manage Your Server" applet. "Kelli Driesenga" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/17/2006 10:50 AM Please respond toActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Manage Your Server - Removing from Default User there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:43 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Manage Your Server - Removing from Default UserDoes anyone know how to stop the "Manage Your Server" applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks!JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
RE: [ActiveDir] Manage Your Server - Removing from Default User
Interestingly, this particular option is not in Group Policy. However, a quick check with Regmon points out the registry value in question and so I whipped up a quick custom ADM that should handle this: CLASS USER CATEGORY "My Custom Settings" POLICY "Show Manage Your Server Screen"KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\srvWiz"VALUENAME ""VALUEON NUMERIC 1VALUEOFF NUMERIC 0END POLICYEND CATEGORY From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 8:06 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Kelli, thanks for the feedback. Clicking the checkbox will only affect the currently logged in user. Basically, I am looking around for something system-wide, so that everyone who logs in does not recieve the "Manage Your Server" applet. "Kelli Driesenga" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/17/2006 10:50 AM Please respond toActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Manage Your Server - Removing from Default User there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:43 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Manage Your Server - Removing from Default UserDoes anyone know how to stop the "Manage Your Server" applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks!JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).
SV: [ActiveDir] configure port exceptions in windows xp firewall via gpo
Ok, thanks i guess =) Is there another way of achieving this goal, without buying certain hardware or expensive licenses? Or is ipsec policies the best/only way to go? -Ursprungligt meddelande- Från: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] För Darren Mar-Elia Skickat: den 16 januari 2006 21:43 Till: ActiveDir@mail.activedir.org Ämne: RE: [ActiveDir] configure port exceptions in windows xp firewall via gpo Right, not only can you not specify port ranges as you have done, but you can not specify subnet ranges as you have done. You can specific an address, a subnet or * but not ranges of a subnet. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, January 16, 2006 10:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] configure port exceptions in windows xp firewall via gpo Looking at the docs, I would say that you can only specify a specific port as that field is defined as Port where Port is a decimal number. You could try putting in a * as a wildcard and see if that works. If not, you may consider using ipsec policies instead. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jakobsson Sent: Monday, January 16, 2006 10:48 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] configure port exceptions in windows xp firewall via gpo Hello, I am trying to configure the Windows firewall:define port exceptions policy on my clients (xpsp2). What I want is to block the communication from clients on all ports; and enable the servers (win2k3), printers and gateways to communicate with the clients (on all ports) I have been using strings looking like 1-65536:tcp:192.19.100.101-192.19.100.200/24:disable:disable client communication 1-65536:tcp:192.19.100.1-192.19.100.40/24:enable:enable server and printer communication 1-65536:tcp:192.19.100.250-192.19.100.254/24:enable:enable gateway communication (You could say that the disable client communication string works since the clients are inaccessible, however you cannot access them from the server either, so...) =) Perhaps you cannot specify multiple ports the way I did or is there something else wrong with my strings. Suggestions? Regards Peter List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Manage Your Server - Removing from Default User
Imagine an environment where servers are built on a daily basis - there is a need to stop the 'manage your server' page from appearing on all servers. It can be done as follows: Computer config / admin templates / system / "do not display manage your server at logon" neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelli DriesengaSent: 17 January 2006 16:19To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User why are you having multiple people log into your server? We only allow Admin access and there are only two people with that kind of access. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 11:06 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Kelli, thanks for the feedback. Clicking the checkbox will only affect the currently logged in user. Basically, I am looking around for something system-wide, so that everyone who logs in does not recieve the "Manage Your Server" applet. "Kelli Driesenga" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/17/2006 10:50 AM Please respond toActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Manage Your Server - Removing from Default User there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:43 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Manage Your Server - Removing from Default UserDoes anyone know how to stop the "Manage Your Server" applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks!JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Manage Your Server - Removing from Default User
Ha. Thanks Neil. And I wasted a perfectly good 5 minutes creating a custom ADM because I didn't bother to look under Computer Config From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 8:45 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Imagine an environment where servers are built on a daily basis - there is a need to stop the 'manage your server' page from appearing on all servers. It can be done as follows: Computer config / admin templates / system / "do not display manage your server at logon" neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelli DriesengaSent: 17 January 2006 16:19To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User why are you having multiple people log into your server? We only allow Admin access and there are only two people with that kind of access. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 11:06 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Kelli, thanks for the feedback. Clicking the checkbox will only affect the currently logged in user. Basically, I am looking around for something system-wide, so that everyone who logs in does not recieve the "Manage Your Server" applet. "Kelli Driesenga" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/17/2006 10:50 AM Please respond toActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Manage Your Server - Removing from Default User there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:43 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Manage Your Server - Removing from Default UserDoes anyone know how to stop the "Manage Your Server" applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks!JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT
RE: [ActiveDir] Manage Your Server - Removing from Default User
The padawan teaches the teacher :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: 17 January 2006 17:01To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Ha. Thanks Neil. And I wasted a perfectly good 5 minutes creating a custom ADM because I didn't bother to look under Computer Config From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 8:45 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Imagine an environment where servers are built on a daily basis - there is a need to stop the 'manage your server' page from appearing on all servers. It can be done as follows: Computer config / admin templates / system / "do not display manage your server at logon" neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelli DriesengaSent: 17 January 2006 16:19To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User why are you having multiple people log into your server? We only allow Admin access and there are only two people with that kind of access. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 11:06 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Manage Your Server - Removing from Default User Kelli, thanks for the feedback. Clicking the checkbox will only affect the currently logged in user. Basically, I am looking around for something system-wide, so that everyone who logs in does not recieve the "Manage Your Server" applet. "Kelli Driesenga" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/17/2006 10:50 AM Please respond toActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Manage Your Server - Removing from Default User there should be a checkbox in the lower left hand corner that will allow you to turn it off at startup From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:43 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Manage Your Server - Removing from Default UserDoes anyone know how to stop the "Manage Your Server" applet from popping up for new users who login to a Windows Server 2003 system? I am digging thru the registry and not having much luck identifying which key may control that setting. Thanks!JBL This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI). PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation,
RE: [ActiveDir] FYI: W2K3 SP1 VMWARE issue
Title: FYI: W2K3 SP1 & VMWARE issue scratches head That was unexpected. Good result though. Thanks for posting the info Jorge. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge deSent: Wednesday, 18 January 2006 5:16 a.m.To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] FYI: W2K3 SP1 VMWARE issue Hi Everyone, As you all may know a few months ago I posted two issues with Vmware and W2K3SP1 DCs. The issues described are: * Adding additional W2K3SP1 DCs to the forest * Creating trusts from a W2K3SP1 forest to another forest (does not matter which OS) Both the issues are described here: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx http://blogs.dirteam.com/blogs/jorge/archive/2005/12/18/297.aspx http://www.activedir.org/article.aspx?aid=75 This time a was setting up an environment with a w2k forest and a w2k3 sp1 forest. When setting up the trust I received the error we discussed a while ago (see articles above). A few days ago someone posted which component caused this issue. The component in error seems to be the "Shared Folder" component from Vmware (at least in Vmware Workstation). This time instead of changing the password of the administrator account, I deinstalled the "Shared Folder" component and rebooted the DC. After that I was able to create the trust without any problem. So, the "Shared Folder" component from Vmware does seem to be the root cause of this. Cheers, Jorge Met vriendelijke groet / Kind regards, Jorge de Almeida Pinto Infrastructure Consultant BLOG http://blogs.dirteam.com/blogs/jorge/default.aspx __ LogicaCMG Nederland B.V. (BU SD/AT) Division Industry, Distribution and Transport (IDT) Kennedyplein 248, 5611 ZT, Eindhoven . Postbus 7089 5605 JB Eindhoven ( Tel : +31-(0)40-29.57.777 2 Fax : +31-(0)40-29.57.709 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : [EMAIL PROTECTED] " http://www.logicacmg.com/ - Solutions that matter - This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
[ActiveDir] Migrate domain to separate forest
Hello, colleagues, One of our organizations is in their own domain, a child domain of our root. They want to be in their own forest. Are there tools to migrate them to their own separate forest, or will I need to build the forest first, presumably with 2 new DC's, and then make all their servers join the new forest? And, of course, they have about 140 users. Thanks, folks. -- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876 List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Folder password protection
This might be the problem that people can see a folder exists and don't understand that the permissions will stop "bad guys" getting into it. With 2003 you can set things so that if they don't have rights to read the folder then they don't see the folder - this list has discussed "access based enumeration" before and there's lots to be googled! Another way might be some obfuscation - if you don't use folders called things like "finance director - top secret" but just stuff like "folder 1", "folder 2" then it's less obvious what's going on. Normal users will see "folder 1" but if they try to look in then they won't find anything there (assuming permissions are correct!) The FD will look in "folder 1" and find "top secret" etc as a folder in there. Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich MilburnSent: 17 January 2006 15:40To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Folder password protection Well one way to do it is set up secondary accounts, put them in a group, give that group (and that group only) access to the folders, and assign the secondary accounts to the people who need the access. OR Try to ascertain what the manager is trying to accomplish, and see if there is another way to set his/her mind at rest. Such as, auditing access on the folders, proving only the accounts specified cannot access the folders, etc. Personally Id try to avoid secondary accounts for that purpose, or 3rd party solutions, as they just add more complexity. But thats just my opinion. Rich ---Rich MilburnMCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform DevelopmentApplebee's International, Inc.4551 W. 107th StOverland Park, KS 66207913-967-2819--I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike WilliamsSent: Tuesday, January 17, 2006 9:21 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Folder password protection Management wants to have certain folders on the serverpassword protected. I have access limited to the folders already, but they want an extra level of comfort. Does anyone do this in their system already, and if so what are suggested solutions. Windows 2003 server SP2 in a Win2000 AD environment. Thanks Mike (Almost full time lurker) Michael P. Williams Information Technology Carlyle Van Lines (660) 747-8128 X 3816 [EMAIL PROTECTED] www.carlylevanlines.com ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Migrate domain to separate forest
If they need their own forest you need to create it first. But even before you create it, design it. First setup what the requirement should be and then design it to meet the requirements. Migration high level steps are: * Make sure the AD has been configured (sites, subnets, replication, OUs, GPOs, delegations, DNS, WINS, DHCP, etc.) * Setup name resolution (WINS or DNS) between source and target domain/forest * Setup trusts (if an external trust is configured and sidhistory is used, disable sid filtering) * Install and configure migration tooling * Migrate groups, user accounts with passwords and group memberships (with sidhistory) * Migrate clients from the source domain to the target domain, translate security on the client, and translate profiles (at this moment users start logging on with their new AD account on the migrated clients that have been migrated previously to the w2k3 domain) * Migrate mailboxes if needed * Migrate servers to the new domain or migrate data to new servers * Translate security (Re-ACL) of the data from source security principals to target security principals (replace the security descriptors from the old domain with the security descriptors from the new domain ) * Cleanup temporary configurations * Cleanup sidhistory (recommended!). sIDHistory is used to access resources while those resources still have security descriptors from the old domain. As soon as all data (file, folders, mailboxes, etc.) have been re-ACL-ed sIDHistory can be cleaned. Sidhistory should only be used temporary for migration purposes! * Remove trusts * Decommission old domain(s) For more info on migrating to an AD domain also see: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx ADMTv3 has been out for a while, so be sure to use that version. (http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212displaylang=en) If you have exchange you need to setup the target Exchange organization and perform an inter-org migration Cheers, jorge From: [EMAIL PROTECTED] on behalf of Larry Wahlers Sent: Tue 2006-01-17 19:28 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Migrate domain to separate forest Hello, colleagues, One of our organizations is in their own domain, a child domain of our root. They want to be in their own forest. Are there tools to migrate them to their own separate forest, or will I need to build the forest first, presumably with 2 new DC's, and then make all their servers join the new forest? And, of course, they have about 140 users. Thanks, folks. -- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876 List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. winmail.dat
RE: [ActiveDir] Migrate domain to separate forest
Title: [ActiveDir] Migrate domain to separate forest Many thanks, Jorge. And I hear congratulations on your MVP status are in order. Congrats! --Larry WahlersConcordia TechnologiesThe Lutheran Church - Missouri Synodmailto:[EMAIL PROTECTED]direct office line: (314) 996-1876 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge deSent: Tuesday, January 17, 2006 1:27 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Migrate domain to separate forest If they need their own forest you need to create it first. But even before you create it, design it. First setup what the requirement should be and then design it to meet the requirements. Migration high level steps are:* Make sure the AD has been configured (sites, subnets, replication, OUs, GPOs, delegations, DNS, WINS, DHCP, etc.) * Setup name resolution (WINS or DNS) between source and target domain/forest * Setup trusts (if an external trust is configured and sidhistory is used, disable sid filtering) * Install and configure migration tooling* Migrate groups, user accounts with passwords and group memberships (with sidhistory)* Migrate clients from the source domain to the target domain, translate security on the client, and translate profiles (at this moment users start logging on with their new AD account on the migrated clients that have been migrated previously to the w2k3 domain)* Migrate mailboxes if needed* Migrate servers to the new domain or migrate data to new servers* Translate security (Re-ACL) of the data from source security principals to target security principals (replace the security descriptors from the old domain with the security descriptors from the new domain )* Cleanup temporary configurations* Cleanup sidhistory (recommended!). sIDHistory is used to access resources while those resources still have security descriptors from the old domain. As soon as all data (file, folders, mailboxes, etc.) have been re-ACL-ed sIDHistory can be cleaned. Sidhistory should only be used temporary for migration purposes!* Remove trusts* Decommission old domain(s) For more info on migrating to an AD domain also see: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx ADMTv3 has been out for a while, so be sure to use that version. (http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212displaylang=en) If you have exchange you need to setup the target Exchange organization and perform an inter-org migration Cheers, jorge From: [EMAIL PROTECTED] on behalf of Larry WahlersSent: Tue 2006-01-17 19:28To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Migrate domain to separate forest Hello, colleagues,One of our organizations is in their own domain, a child domain of ourroot. They want to be in their own forest. Are there tools to migratethem to their own separate forest, or will I need to build the forestfirst, presumably with 2 new DC's, and then make all their servers jointhe new forest? And, of course, they have about 140 users.Thanks, folks.--Larry WahlersConcordia TechnologiesThe Lutheran Church - Missouri Synodmailto:[EMAIL PROTECTED]direct office line: (314) 996-1876List info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Folder password protection
Ah every time that comes up I recall the bank I worked for a while back, and the new server they named CASHVAULT Nothing to see here people, move along, nothing to see here --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Tuesday, January 17, 2006 12:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Folder password protection This might be the problem that people can see a folder exists and don't understand that the permissions will stop bad guys getting into it. With 2003 you can set things so that if they don't have rights to read the folder then they don't see the folder - this list has discussed access based enumeration before and there's lots to be googled! Another way might be some obfuscation - if you don't use folders called things like finance director - top secret but just stuff like folder 1, folder 2 then it's less obvious what's going on. Normal users will see folder 1 but if they try to look in then they won't find anything there (assuming permissions are correct!) The FD will look in folder 1 and find top secret etc as a folder in there. Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: 17 January 2006 15:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Folder password protection Well one way to do it is set up secondary accounts, put them in a group, give that group (and that group only) access to the folders, and assign the secondary accounts to the people who need the access. OR Try to ascertain what the manager is trying to accomplish, and see if there is another way to set his/her mind at rest. Such as, auditing access on the folders, proving only the accounts specified cannot access the folders, etc. Personally Id try to avoid secondary accounts for that purpose, or 3rd party solutions, as they just add more complexity. But thats just my opinion. Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams Sent: Tuesday, January 17, 2006 9:21 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Folder password protection Management wants to have certain folders on the serverpassword protected. I have access limited to the folders already, but they want an extra level of comfort. Does anyone do this in their system already, and if so what are suggested solutions. Windows 2003 server SP2 in a Win2000 AD environment. Thanks Mike (Almost full time lurker) Michael P. Williams Information Technology Carlyle Van Lines (660) 747-8128 X 3816 [EMAIL PROTECTED] www.carlylevanlines.com ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have
RE: [ActiveDir] Outlook Exchange
Title: Outlook Exchange Just to add... You need to set the client Mail Account to DELIVER TO PST. TOOLS | EMAIL ACCOUNTS | View Existing Notice near the bottom of the window where it is titled: "Deliver new e-mail to the following location: You can create a PST here and then point the delivery to the PST. This is assuming you are using Outlook 2003. Nikki Peterson From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of patrickSent: Friday, January 13, 2006 10:33 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Outlook Exchange NOBODY??? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of patrickSent: Thursday, January 12, 2006 10:20 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Outlook Exchange Could someone please expand on how to setup a PST and how to get it to download to the pst so as not to stay on the email server? Thanks
[ActiveDir] ADPrep Version Questions
Hi- I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused: For ADPrep on the following - From Windows Server 2003 CD: 5.2.3790.0 July 22, 2004, 9:07:08 AM from WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830 November 07, 2005, 5:48:59 PM listed in MSKB / Hotfix 3243925.2.3790.196 July 23, 2004, 9:04 Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest? Thanks. -- nme -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006
RE: [ActiveDir] ADPrep Version Questions
Are you asking if 1830 196 ? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah EigerSent: Tuesday, January 17, 2006 6:44 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] ADPrep Version Questions Hi- I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused: For ADPrep on the following - From Windows Server 2003 CD: 5.2.3790.0 July 22, 2004, 9:07:08 AM from WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830 November 07, 2005, 5:48:59 PM listed in MSKB / Hotfix 324392 5.2.3790.196 July 23, 2004, 9:04 Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest? Thanks. -- nme --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006
RE: [ActiveDir] Unresolved SIDs in ACL
Title: Unresolved SIDs in ACL Do the SIDs at least have the Domain portion of the SID correct? How far off are they from the real SID of the groups? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, January 17, 2006 10:55 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Unresolved SIDs in ACL I have a script, which creates a pre-defined OU structure, creates groups and permissions the OUs with these groups. The script performs these steps in the order given. I have 2 test environments and have executed the script in each. In one environment (all w2k3 sp1 DCs, dfl and ffl=2), the script works fine and all OUs and ACEs/ACLs are correct. In the other environment (also w2k3 sp1 DCs and dfl/ffl=2) the script works fine but all new ACEs are shown as SIDs when viewed thru the ACL editor. Eventually, these unresolved SIDs are shown as 'account unknown'. I have used sidtoname (thanks joe!) and that shows that the SID cannot be resolved to a name (as expected, I guess). I'm sure someone must have seen this strange behaviour before and has some suggestions. I would suspect the latter environment to be at blame, but it was only built very recently and is still pristine. All suggestions very welcome. Thanks, neil ___Neil RustonGlobal Technology InfrastructureNomura International plc PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Migrate domain to separate forest
Just out of curiosity, why do they think they want their own forest? In any case, there's no way that I'm aware of to carve off a domain and make it a new forest root... I think you'll have to create the forest and migrate the users and resources. ADMT would seem to be a reasonable way to go. Or one of the commercial migration products. -g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Tuesday, January 17, 2006 11:28 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Migrate domain to separate forest Hello, colleagues, One of our organizations is in their own domain, a child domain of our root. They want to be in their own forest. Are there tools to migrate them to their own separate forest, or will I need to build the forest first, presumably with 2 new DC's, and then make all their servers join the new forest? And, of course, they have about 140 users. Thanks, folks. -- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876 List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAPS SRV Records?
On the DNS server option, a couple of interesting things when I relooked at the API (on a lunch break this time Deji ;oP ) It doesn't let you specify the server to make the change on, only the server to send the FAZ (Find Auth Zone) request. I would have to play with that to see how that might cause an issue. Also Microsoft did something they don't normally do and they changed the da** format of the parameter between 2K/K3/XP and Vista/Longhorn. So I would have to add additional code to determine OS version. RE: the forreal. Well yes, someone could delete all records, but not with a single command from DNSSRVRec without specifying each SRV record individually. You can't do a zone *.*. Again, it doesn't look anything up, it simply sends the command you send so if you want all _ldap._tcp.dc._msdcs.dom.com you can send that in a clear and bang they are gone, but you just asked for that to happen so I expect you would be disappointed if they didn't go away. Not sure why you would say /clear _ldap._tcp.dc._msdcs.dom.com unless that is what you intended. Am I missing something here? On the config file, that is exactly how nsupdate works now. It doesn't have the defaults that you mention in the 'also', but you can write to a file exactly what you want done for records and it does it. I am definitely working through my head possible variations that would be cool/fun to have for it though. I was pinged offline from a list member about the possibility of doing other types of records, not just SRV records. Can anyone see that being valuable to them and could you explain why? I am waiting for the response from that list member as well. The intent wasn't reallyto write a DNS management tool but I guess if nothing else is really fitting the bill, maybe its needed? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh ParmarSent: Monday, January 16, 2006 5:17 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] LDAPS SRV Records? joe,Thanks for the link.As you mentioned, adding DNS server option turned out to be quite trickier, why not one server at a time. I know it makes sense to add/delete same records on multiple servers, but who says they can't be serialized. After all, it is not that time critical operation.For CLEAR switch, I was trying to say that, someone can accidentally delete ALL the records related to domain or site and make clients who are primarily pointing at that DNS server suffer, for the time those records are re registered/replicated back again.For config file, my idea was that, if you provide a way to specify server and read SRV operations from a file. (something like ldifde.exe). I could create a config file in which I could list down all the operations/records I want to manage. of course, this can be scripted and given to DNSSrvRec as command line options, but putting all together in a file where each operation is separated on single line, would give nice readability. (something like LDF file)Also, like adfind.exe if we can define some defaults for port,weight and ttl etc. in config file which are used for same RUN of the command.Currently what I am doing is, preparing a excel sheet containing all the sites in my forest and manually defining the priority order in which clients in each site will get authenticated by DCs (like first same site DCs, then nearest site DCs, basically making sure clients never have to look for generic SRV records). Afterwards based on this sheet, I will prepare a list of SRV records to create/delete on each DNS server and push those SRV records to respective servers.--Kamlesh On 1/16/06, joe [EMAIL PROTECTED] wrote: Hi Kamlesh, you can get the initial version at http://www.joeware.net/win/free/tools/DNSSrvRec.htm.I posted it to the site last night and announced on my blog, there are over 50 downloadsalready which surprises me a bit. The initial version does not let you specify the DNS Server to make the change in. I had started to add it and backed out as I wanted to think over the whole SOA portion of it plus if I want to handle sending to multiple servers at the same time and how to handle the errors coming back. This is all I have for specifying specific servers at the moment, a commented out insertion to validate the command. // ValidOptions.push_back(L"dnssrv"); // Which DNS Server(s) Not sure what you are hoping for out of the clear option in terms of forreal. The tool doesn't look records up first and then clear then one by one. It simply sendsa singleclear command for the DNS Name, that is an option for one of the functions. Having a forreal option would only basically echo what you sent in via the parameters. I might consider having it try to pull the record first and then display what would get wiped out. But that brings up even more questions on the specifyingmultiple DNS servers thoughts. Like
RE: [ActiveDir] ADPrep Version Questions
yes From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 3:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions Are you asking if 1830 196 ? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, January 17, 2006 6:44 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADPrep Version Questions Hi- I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused: For ADPrep on the following - From Windows Server 2003 CD: 5.2.3790.0 July 22, 2004, 9:07:08 AM from WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830 November 07, 2005, 5:48:59 PM listed in MSKB / Hotfix 324392 5.2.3790.196 July 23, 2004, 9:04 Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest? Thanks. -- nme -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006
RE: [ActiveDir] ADPrep Version Questions
one thousand eight hundred and thirty is greater than one hundred ninety six. The SP1 version is the most recent and highest version of adprep. 0 1 2 3 4 5 6 ... 194 195 196 197 198 199 200 ... 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 ... joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah EigerSent: Tuesday, January 17, 2006 7:12 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version Questions yes From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 3:48 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] ADPrep Version Questions Are you asking if 1830 196 ? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah EigerSent: Tuesday, January 17, 2006 6:44 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] ADPrep Version Questions Hi- I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused: For ADPrep on the following - From Windows Server 2003 CD: 5.2.3790.0 July 22, 2004, 9:07:08 AM from WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830 November 07, 2005, 5:48:59 PM listed in MSKB / Hotfix 324392 5.2.3790.196 July 23, 2004, 9:04 Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest? Thanks. -- nme --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 --No virus found in this incoming message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006
RE: [ActiveDir] ADPrep Version Questions
Oh (blush) Dont mind me. Im just over here re-learning that whole tens, hundreds, thousands, etc thing. Ugh! (eyes roll skyward, head shakes) ;-) Sorry for the wasted bandwidth. From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 5:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions one thousand eight hundred and thirty is greater than one hundred ninety six. The SP1 version is the most recent and highest version of adprep. 0 1 2 3 4 5 6 ... 194 195 196 197 198 199 200 ... 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 ... joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, January 17, 2006 7:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions yes From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 3:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions Are you asking if 1830 196 ? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, January 17, 2006 6:44 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADPrep Version Questions Hi- I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused: For ADPrep on the following - From Windows Server 2003 CD: 5.2.3790.0 July 22, 2004, 9:07:08 AM from WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830 November 07, 2005, 5:48:59 PM listed in MSKB / Hotfix 324392 5.2.3790.196 July 23, 2004, 9:04 Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest? Thanks. -- nme -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006