RE: [ActiveDir] DC Lookup....

2006-03-09 Thread Smith, Brad
Thanks Darren, looking into it now. I have been off ill for a bit and apologize
for "posting and running" so to speak. I will post my resolution up as soon as
I have it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 06 March 2006 11:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Lookup

Brad-
Have you seen this article?

http://support.microsoft.com/kb/306602

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, March 06, 2006 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Lookup


My environment: W2K FL, Mix of W2K and W2K3 DC's, One Forest, One Domain, 60
DC's, all DC's bar one are relatively well connected (smallest link is
256k). One DC is poorly connected on a very highly utilised 1MB line :-(

Does anyone know if there is a way to specify which DC a site uses when the DC
assigned to that site is offline? To be specific, I want to manage a
situation where a site is assigned a DC (or a bunch of them) and then those DC's
fail. The clients then will look up alternate DC's, but I want different
subnets to look up different "secondary" DC's. So Site A has DCServerA,
Site B has DCServerB, Site C has DCServerC, Site D has DCServerD and
Site E has DCServerE. When DCServerA fails, I want those clients to
use DCServerE. When one of DCServerB, DCServerC or DCServerD fail, I want
them to use one of DCServerB, DCServerC or DCServerD.

Sort of confusing question to ask... anyone have any ideas? I know that DC DNS
records can be weighted, but that is across the board and would affect all
sites, right?



RE: [ActiveDir] DC Lookup....

2006-03-09 Thread neil.ruston
You might consider placing a second DC in the site with poor connectivity.

If all DCs are unavailable in a site, the clients will be redirected to one of
the DCs that have registered domain specific SRV records. By default, this
means any DC in the domain, in any site.

A common change made is to stop spoke site DCs from registering these records
and only allow the hub site DCs to do so. When all spoke site DCs fail (in one
site) clients are referred to a hub site DC and never to a spoke site DC.

The KB offers further info, but I thought the above "summary" was worthwhile :)

neil
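
The fallback described in the message above can be checked against an export of the DC locator SRV records. This is an added example, not part of the original thread: the domain `example.test`, the site names and the DC host names are constructed, and the model ignores SRV priority/weight and automatic site coverage. It flags spoke DCs that still register the domain-wide `_ldap._tcp.dc._msdcs.<domain>` record and lists which DCs a client would be offered when its own site's DCs are offline.

```python
from collections import defaultdict

def parse_srv(text):
    """Parse zone-file style lines: owner [ttl] [class] SRV prio weight port target."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";") or "SRV" not in parts:
            continue
        i = parts.index("SRV")
        if len(parts) < i + 5:          # need prio, weight, port, target after SRV
            continue
        owner = parts[0].rstrip(".").lower()
        prio, weight, port = (int(x) for x in parts[i + 1:i + 4])
        target = parts[i + 4].rstrip(".").lower()
        records.append((owner, prio, weight, port, target))
    return records

def split_registrations(records, domain):
    """Return (DCs in the domain-wide record, {site: DCs in that site's record})."""
    domain = domain.lower()
    generic_name = f"_ldap._tcp.dc._msdcs.{domain}"
    site_suffix = f"._sites.dc._msdcs.{domain}"
    generic, by_site = set(), defaultdict(set)
    for owner, _prio, _weight, _port, target in records:
        if owner == generic_name:
            generic.add(target)
        elif owner.startswith("_ldap._tcp.") and owner.endswith(site_suffix):
            site = owner[len("_ldap._tcp."):-len(site_suffix)]
            by_site[site].add(target)
    return generic, by_site

def spoke_dcs_in_generic(records, domain, hub_sites):
    """DCs that register the domain-wide record but belong to no hub site."""
    generic, by_site = split_registrations(records, domain)
    hub_dcs = set().union(*(by_site.get(s.lower(), set()) for s in hub_sites))
    return sorted(generic - hub_dcs)

def fallback_candidates(records, domain, site, offline):
    """DCs offered to a client in `site`: site-specific first, else domain-wide."""
    generic, by_site = split_registrations(records, domain)
    offline = {d.lower() for d in offline}
    local = by_site.get(site.lower(), set()) - offline
    return sorted(local) if local else sorted(generic - offline)

# Constructed sample data: one hub site with two DCs, two spoke sites with one DC each.
SITE_SRV = """
; constructed sample records
_ldap._tcp.hub._sites.dc._msdcs.example.test.     600 IN SRV 0 100 389 hubdc1.example.test.
_ldap._tcp.hub._sites.dc._msdcs.example.test.     600 IN SRV 0 100 389 hubdc2.example.test.
_ldap._tcp.spoke-a._sites.dc._msdcs.example.test. 600 IN SRV 0 100 389 spokea1.example.test.
_ldap._tcp.spoke-b._sites.dc._msdcs.example.test. 600 IN SRV 0 100 389 spokeb1.example.test.
"""

def generic_srv(hosts):
    """Build constructed domain-wide SRV lines for the given host names."""
    return "\n".join(
        f"_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 {h}.example.test."
        for h in hosts
    )

# Default behaviour: every DC registers the domain-wide record.
BEFORE = parse_srv(SITE_SRV + generic_srv(["hubdc1", "hubdc2", "spokea1", "spokeb1"]))
# After the change: spoke DCs no longer register the domain-wide record.
AFTER = parse_srv(SITE_SRV + generic_srv(["hubdc1", "hubdc2"]))

if __name__ == "__main__":
    down = ["spokea1.example.test"]
    for label, recs in (("before", BEFORE), ("after", AFTER)):
        print(label, "spoke DCs in domain-wide record:",
              spoke_dcs_in_generic(recs, "example.test", ["hub"]))
        print(label, "fallback for spoke-a:",
              fallback_candidates(recs, "example.test", "spoke-a", down))
```
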


RE: [ActiveDir] AD Lag Sites

2006-03-09 Thread Wyatt, David

Cheers Tomasz.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: 08 Mar 2006 21:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites


Wyatt, David wrote:
 What MS paper?
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

At the end of this document you will find information how to do this. As
Jorge pointed today on our chat on IM this document is not addressing
potential SYSVOL issue after such restore so BurFlags should come into
play: http://support.microsoft.com/kb/290762

-- 
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/





Re: [ActiveDir] Name Server records

2006-03-09 Thread matheesha weerasinghe
You will also get these records if you demote DCs and if the demotion
didn't do a good cleanup job after itself.

M@



On 08/03/06, Figueroa, Johnny [EMAIL PROTECTED] wrote:

 I have an AD 2003 domain and an AD integrated DNS zone. If I look at the
 properties of that DNS zone and go to the Name Servers tab, I see a
 few servers that are not our domain controllers/DNS servers. Those
 servers look like DNS servers in other domains that we have a trust
 with.

 I guess I am curious as to how these servers end up as NS records for
 that zone? The zone is AD integrated and is set to Dynamic updates,
 secure Only.

 I could and will delete those records but I am thinking those records
 will come back. The name servers in question do NOT show up with * on
 the IP address, which could be the result of a query.

 Ideas?

 Thanks

 Johnny Figueroa
 Enterprise Network Consultant/Integrator
 Network Services Banner Health Voice (602)
 495-4195 Fax (602) 495-4406



[ActiveDir] group policy creator owners

2006-03-09 Thread Graham Turner
Dear all, I am looking for some information with respect to Group policy object
delegation.

the requirement is to allow additional users to create new GPO's without 'Domain
Admins' membership.

Seems the way to go is to add the user accounts to the 'Group policy creator
owners' group.

this allows them to create GPO's and have the necessary permissions to edit (and
presumably delete) GPO's that they own by way of their creating them.

how can this be implemented to support a team environment whereby say USER2 in a
group would want to be able to edit a GPO created by USER1

can we add a group to the 'Group policy creator owners' group that allows the
members of that group to 'share' the permissions on GPO's that members of that
group create ?

if not it seems the only supported mechanism is for USER1 who creates the GPO to
assign permissions on the GPO that they create - hardly ideal ?

Thanks

GT



[ActiveDir] Free Second Shot at any Microsoft Exam

2006-03-09 Thread Teo De Las Heras
Microsoft's offer to re-take any of their exams for free is back:
http://www.microsoft.com/learning/mcp/offers/2ndchance/

Teo


RE: [ActiveDir] Bulk Import

2006-03-09 Thread Harding, Devon
Excel spreadsheet with First Name, Last Name & Division

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bulk Import

What is your input? Where are you getting the input from, and what format is
it in? Al mentioned some script laying around. I may have one stuck in one of
my couches here :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 3/8/2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bulk Import



I was going to use csvde, but read that it did not support password
creation.  Is this supported under ADMod?

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, March 08, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk Import

 

I suppose it really depends on your input data.  What have you got to work
with and what is the decision criteria for the OU differences? 

 

Creating the objects in a particular OU and mailbox enabling them would not
be terribly difficult depending on the information you have and want to put
in there. Jim's way would work, but I think I prefer to put them where they
belong at creation vs. later.  For that reason either one of Joe's tools
(admod for example) or script would be my preference.  Script would be mine
but that's just because I'm funny like that. Joe's tools are faster though
both at runtime and to get working if you don't have scripts laying around. 

 

Al

 

On 3/8/06, Kennedy, Jim [EMAIL PROTECTED] wrote: 

Ok, I skipped a step, sounds like you need these 200 to go to separate OU's.
Mass create them in one OU, mass right click them and create the mailbox then
mass send them an email. 

 

Then script the move if that is faster/easier than a manual drag and drop. So
your spreadsheet of users is:

 

firstname  lastname password  targetOU

 

convert that to comma text for your script and use the first three for the
creation and then the first two and last for the move. 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, March 08, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bulk Import

 

Delegate it to HR.

 

Short of that get HR or someone to give you a list of the names and script
it, provide a default password of their SS number perhaps...must be changed
on first log on. 

 

After they are created, in the same OU...mass select them in ADUC and right
click them and send them a test email to create the mailbox. 

 

 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 08, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk Import

 

What's the fast way for me to create 200 user accounts in specific
OU's and create Exchange mailboxes?

 

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits - BSG

954-602-2469

 





 



RE: [ActiveDir] group policy creator owners

2006-03-09 Thread neil.ruston
When created, a new GPO will *not* inherit rights from the parent (if we
examine SYSVOL perms, for example). 

You may assign user1 and user2 the rights to create GPOs in the domain
(using GPMC) but each user will need to grant other users the right to
edit 'their' GPO.

FWIW, I think this is a bad practice and a recipe for disaster. I only
ever allow DAs the rights to create and edit (and link) GPOs. How do you
stop user1 or 2 from creating a GPO, editing and linking it and thus
starting a DoS on all users due to a badly configured GPO? Do you
control where they can link GPOs? Why not have the DAs create and link,
and allow user 1 and 2 to edit (only) their GPOs? You appear to have
relinquished all control of your GPOs to non-admins :(

neil




[ActiveDir] Issue creating forest trusts

2006-03-09 Thread Bernier, Brandon (.)
Hello all,


I'm running into this issue where I want to create a forest trust on Windows 2003 with FFL2 level in both forests. When I enter the domain FQDN in the wizard, it tells me it cannot establish an RPC connect to server X. So I grabbed a network trace on both sides... It does a DNS lookup and finds a DC in the target forest, pings it and sends 1 microsoft-DS TCP packet. I can't see inside that one and I'm curious what it's doing, well whatever it does fails because it does the same DNS lookup again and tries to authenticate via NTLM as my ID in the other forest so of course it will get denied and stops. Any words of wisdom on what's going on? Thanks!

-Brandon





RE: [ActiveDir] group policy creator owners

2006-03-09 Thread Darren Mar-Elia
I agree with Neil here with just a few other suggestions. The ability to
create GPOs in and of itself is not as interesting as controlling who
can link the GPO to the various AD containers, as Neil indicates below.
So managing delegation of the gpLink and gpOptions attributes on site,
domain and OU containers is important. But if you really want to
delegate creation and editing of GPOs, you have to deal with the problem
outlined below, which is that the rights to create a GPO are different
and don't automatically flow into rights to edit a GPO for a different
user or group. One option here is to have a documented process where
your creators create the GPO and then use GPMC to delegate edit rights
to another user/group. Another option is to modify the
defaultSecurityDescriptor attribute on the groupPolicyContainer class
object to modify the default groups that can edit GPOs when they're
created. In that way you can have a group that can create GPOs and
another, perhaps overlapping larger group that can edit them. Problem
with making such a change is that all subsequent GPOs created in the
domain will have that new group ACE on them, which may or may not be
desirable.

Darren



Fw: [ActiveDir] Issue creating forest trusts

2006-03-09 Thread [EMAIL PROTECTED]
long shot but are there any isa or nokia/checkpoint units between the boxes, we had to get a patch on the nokia unit because our domain controllers wouldn't communicate correctly because of rpc failures after loading sp1 for windows 2003. There was a change in how the RPC communication works in sp1 and isa 2004 and checkpoint firewalls rpc filter need to be updated.

Original Message
From: [EMAIL PROTECTED]
Date: 09/03/2006 15:13
To: ActiveDir@mail.activedir.org
Subj: [ActiveDir] Issue creating forest trusts



 
Hello all,
I'm running into this issue where I want to create a forest trust on Windows 2003 with FFL2 level in both forests. When I enter the domain FQDN in the wizard, it tells me it cannot establish an RPC connect to server X. So I grabbed a network trace on both sides… It does a DNS lookup and finds a DC in the target forest, pings it and sends 1 microsoft-DS TCP packet. I can't see inside that one and I'm curious what it's doing, well whatever it does fails because it does the same DNS lookup again and tries to authenticate via NTLM as my ID in the other forest so of course it will get denied and stops. Any words of wisdom on what's going on? Thanks!
-Brandon

RE: [ActiveDir] group policy creator owners

2006-03-09 Thread Graham Turner
thanks both for views on this which make a whole load of sense

i think how i am to proceed is to leave the 'domain admins' with the task of GPO
creation and delegation to appropriate groups of people.

it would be my view that you should be able to trust the people to whom
authority for a GPO is delegated to manage the point at which it becomes
'active' by way of the linking to a particular OU, and as such delegate the
GpLINK.

quick question if i may though ...

the delegation of gplink is available from the 'delegate control wizards'
(Windows 2000 here sorry !)

i assume this is sufficient for the delegate to link a GPO to the OU - what
does the delegation of GPOPTIONS allow additionally ??

GT


RE: [ActiveDir] group policy creator owners

2006-03-09 Thread neil.ruston
That would allow the setting of 'block inheritance' and 'force
inheritance' and the like.

gpLink merely grants rights to link GPOs to the OU. 

I'm sure Darren will fill in the large blanks left by me, again :)


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: 09 March 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] group policy creator owners

thanks both for views on this which make a whole load of sense

i think how i am to proceed is to leave the 'domain admins' with the
task of GPO creation and delegation to appropriate groups of people.

it would be my view that you should be able to trust the people to whom
authority for a GPO is delegated to manage the point at which it becomes
'active' by way of the linking to a particular OU, and as such delegate
the GpLINK.

quick question if i may though ...

the delegation of gplink is available from the 'delegate control
wizards' (Windows 2000 here sorry !)

i assume this is sufficient for the delegate to link a GPO to the OU -
what does the delegation of GPOPTIONS allow additionally ??

GT

 I agree with Neil here with just a few other suggestions. The ability
 to create GPOs in and of itself is not as interesting as controlling
 who can link the GPO to the various AD containers, as Neil indicates
 below. So managing delegation of the gpLink and gpOptions attributes
 on site, domain and OU containers is important. But if you really want
 to delegate creation and editing of GPOs, you have to deal with the
 problem outlined below, which is that the rights to create a GPO are
 different and don't automatically flow into rights to edit a GPO for a
 different user or group. One option here is to have a documented
 process where your creators create the GPO and then use GPMC to
 delegate edit rights to another user/group. Another option is to
 modify the defaultSecurityDescriptor attribute on the
 groupPolicyContainer class object to modify the default groups that
 can edit GPOs when they're created. In that way you can have a group
 that can create GPOs and another, perhaps overlapping larger group
 that can edit them. Problem with making such a change is that all
 subsequent GPOs created in the domain will have that new group ACE on
 them, which may or may not be desirable.

 Darren


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Thursday, March 09, 2006 3:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] group policy creator owners

 When created, a new GPO will *not* inherit rights from the parent (if
 we examine SYSVOL perms, for example).

 You may assign user1 and user2 the rights to create GPOs in the domain
 (using GPMC) but each user will need to grant other users the right to
 edit 'their' GPO.

 FWIW, I think this is a bad practice and a recipe for disaster. I only
 ever allow DAs the rights to create and edit (and link) GPOs. How do
 you stop user1 or 2 from creating a GPO, editing and linking it and
 thus starting a DoS on all users due to a badly configured GPO? Do you
 control where they can link GPOs? Why not have the DAs create and
 link, and allow user 1 and 2 to edit (only) their GPOs? You appear
 to have relinquished all control of your GPOs to non-admins :(

 neil


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: 09 March 2006 13:46
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] group policy creator owners

 Dear all, I am looking to some information with respect to Group 
 policy object delegation.

 the requirement is to allow additional users to create new GPO's 
 without 'Domain Admins' membership.

 Seems the way to go is to add the user accounts to the 'Group policy 
 creator owners'
 group.

 this allows them to create GPO's and have the necessary permissions to
 edit (and presumably delete) GPO's that they own by way of their
 creating them.

 how can this be implemented to support a team environment whereby say
 USER2 in a group would want to be able to edit a GPO created by USER1

 can we add a group to the 'Group policy creator owners' group that 
 allows the members of that group to 'share' the permissions on GPO's 
 that members of that group create ?

 if not it seems the only supported mechanism is for USER1 who creates 
 the GPO to assign permissions on the GPO that they create  - hardly 
 ideal ?

 Thanks

 GT

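The two controls described in Darren's reply quoted in this post (the ACEs that the groupPolicyContainer defaultSecurityDescriptor stamps onto every new GPO, and write access to gpLink/gpOptions on a container) can both be reviewed from SDDL strings. The Python below is an added example, not code from any poster in this thread; the SDDL samples, the SIDs and the baseline trustee set are constructed assumptions.

```python
import re

# schemaIDGUIDs of the two container attributes discussed in the thread.
ATTR_GUIDS = {
    "f30e3bbe-9ff0-11d1-b603-0000f80367c1": "gpLink",
    "f30e3bbf-9ff0-11d1-b603-0000f80367c1": "gpOptions",
}
WRITE_CODES = {"WP", "GW", "GA"}  # write property, generic write, generic all
WRITE_BITS = 0x20 | 0x40000000 | 0x10000000  # the same rights as an access mask
BASELINE = {"DA", "EA", "CO", "SY"}  # assumption: trustees expected to edit all GPOs

# Constructed samples (hypothetical SIDs, not taken from any real domain).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DEFAULT_SD_SAMPLE = (
    "D:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)"
    "(A;CI;RPWPCCDCLCLORC;;;" + DOMAIN + "-1601)"  # extra "GPO editors" group
)
OU_SD_SAMPLE = (
    "O:DAG:DAD:AI"
    "(OA;;RPWP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;;" + DOMAIN + "-1602)"
    "(OA;CIIO;RPWP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;;" + DOMAIN + "-1603)"
    "(A;;RPLCLORC;;;AU)"
    "(A;CI;0xf01ff;;;DA)"
)


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts.

    Conditional ACEs (which contain nested parentheses) are not supported.
    """
    m = re.search(r"D:([A-Z_]*)((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        f = body.split(";")
        if len(f) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append({"type": f[0], "flags": set(re.findall("..", f[1])),
                     "rights": f[2], "object": f[3].lower(), "trustee": f[5]})
    return aces


def grants_write(rights):
    """True if a rights field (two-letter codes or a hex mask) allows writes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    return bool(WRITE_CODES & set(re.findall("..", rights)))


def new_gpo_editors(default_sd, baseline=BASELINE):
    """Trustees outside the baseline that would get write access to every
    GPO created after this defaultSecurityDescriptor is in place."""
    extra = set()
    for ace in parse_dacl(default_sd):
        if ace["type"] == "A" and not ace["object"] and grants_write(ace["rights"]):
            if ace["trustee"] not in baseline:
                extra.add(ace["trustee"])
    return sorted(extra)


def gplink_writers(container_sd):
    """Map trustee -> set of {gpLink, gpOptions} it may write on a container.

    Inherit-only ACEs are skipped because they do not apply to the container
    itself. Deny ACEs and property-set ACEs are not evaluated, so the result
    is an upper bound to review, not an effective-access calculation.
    """
    writers = {}
    for ace in parse_dacl(container_sd):
        if ace["type"] not in ("A", "OA") or "IO" in ace["flags"]:
            continue
        if not grants_write(ace["rights"]):
            continue
        if not ace["object"]:                 # no GUID: applies to all attributes
            attrs = set(ATTR_GUIDS.values())
        elif ace["object"] in ATTR_GUIDS:     # scoped to gpLink or gpOptions
            attrs = {ATTR_GUIDS[ace["object"]]}
        else:
            continue
        writers.setdefault(ace["trustee"], set()).update(attrs)
    return writers


if __name__ == "__main__":
    print("extra editors on new GPOs:", new_gpo_editors(DEFAULT_SD_SAMPLE))
    for trustee, attrs in sorted(gplink_writers(OU_SD_SAMPLE).items()):
        print(trustee, "can write", sorted(attrs))
```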

RE: [ActiveDir] Issue creating forest trusts

2006-03-09 Thread Bernier, Brandon (.)



no firewalls in the way (yet), both forests are at 
SP1.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: Fw: [ActiveDir] Issue creating forest trusts

long shot but are there any isa or nokia/checkpoint units between the
boxes, we had to get a patch on the nokia unit because our domain controllers
wouldn't communicate correctly because of rpc failures after loading sp1 for
windows 2003. There was a change in how the RPC communication works in sp1 and
isa 2004 and checkpoint firewalls rpc filter need to be updated.

Original Message
From: [EMAIL PROTECTED]
Date: 09/03/2006 15:13
To: ActiveDir@mail.activedir.org
Subj: [ActiveDir] Issue creating forest trusts



 
Hello all,
I'm running into this issue where I want to create a forest trust on Windows
2003 with FFL2 level in both forests. When I enter the domain FQDN in the
wizard, it tells me it cannot establish an RPC connect to server X. So I
grabbed a network trace on both sides. It does a DNS lookup and finds a DC in
the target forest, pings it and sends 1 microsoft-DS TCP packet. I can't see
inside that one and I'm curious what it's doing, well whatever it does fails
because it does the same DNS lookup again and tries to authenticate via NTLM
as my ID in the other forest so of course it will get denied and stops. Any
words of wisdom on what's going on? Thanks!
-Brandon


RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

2006-03-09 Thread Navroz Shariff



Nathan,

On behalf of everyone...I thank you for posting the image. I have a large
format printer so I will definitely print it poster size. It's a good thing
you scanned it at a high DPI setting.

-Nav


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Kline
Sent: Wednesday, March 08, 2006 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"

:) Due to the large amount of requests, I've uploaded this to web space. :)
This link should take you to the image.

http://home.wmis.net/~nkline/adjig.html

Nathan





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Kline
Sent: Wednesday, March 08, 2006 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"

I received the same foldout and have already made a scan into JPG format
of it. Contact me off list if you are interested.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Wednesday, March 08, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"

I am working on the Editors to post the graphic. At least you can access the
articles via the web.

Todd





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"

"Subscriptions are free" - to those in the U.S. only :(




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: 08 March 2006 16:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"

http://www.microsoft.com/technet/technetmag/

Someone in my office just gave me a copy of this free magazine, and it came
with the really neat insert called the Active Directory Component Jigsaw. It
is a wall hanging that outlines all the AD process graphically. I will try to
scan it and post it on my Blog, but I just wanted to make you all aware of it.
I plan to hang it on my cubicle wall on the outside that says What I do here
:)

Subscriptions are free.

Todd

This E-mail, including 
any attachments, may contain confidential information and is intended solely for 
use by the individual to whom it is addressed. If you received this E-mail 
in error, please notify the sender, do not disclose its contents to others, and 
delete it from your system. Any other use of this E-mail and/or 
attachments is prohibited. This message is not meant to constitute an 
electronic signature or intent to contract 
electronically.


RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

2006-03-09 Thread Blou Baker

Here is their Contact Us
page: http://www.microsoft.com/technet/technetmag/contact.aspx

Their email address is: [EMAIL PROTECTED]


BB








Hutchins, Mike [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/09/2006 11:26 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

Is there an easy way to contact
them? email/postal/etc?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick,
Todd (NIH/CC/DNA) [E]
Sent: Thursday, March 09, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component
Jigsaw

I got word back from the editors
that if you send them a request, they will send you a poster but they
don't have the image file. I didn't tell them about the file that
has been made available on the Internet.

Thanks,

Todd

(Disclaimer: I am sure that
you all in other countries will not have the ability to get free shipping
of the diagram but feel free to try)





From: Navroz Shariff [mailto:[EMAIL PROTECTED]

Sent: Thursday, March 09, 2006 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component
Jigsaw

Nathan,

On behalf of everyone...I thank you for posting the image.
I have a large format printer so I will definitely print it poster size.
It's a good thing you scanned it at a high DPI setting.

-Nav




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan
Kline
Sent: Wednesday, March 08, 2006 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component
Jigsaw
:) Due to the large amount
of requests, I've uploaded this to web space. :) This link
should take you to the image.

http://home.wmis.net/~nkline/adjig.html

Nathan





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan
Kline
Sent: Wednesday, March 08, 2006 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component
Jigsaw
I received the same foldout and
have already made a scan into JPG format of it. Contact me off list
if you are interested.




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick,
Todd (NIH/CC/DNA) [E]
Sent: Wednesday, March 08, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component
Jigsaw
I am working on the Editors
to post the graphic. At least you can access the articles via the
web.

Todd




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Sent: Wednesday, March 08, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Technet Magazine Active Directory Component
Jigsaw

Subscriptions are free
- to those in the U.S. only :(




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick,
Todd (NIH/CC/DNA) [E]
Sent: 08 March 2006 16:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Technet Magazine Active Directory Component
Jigsaw
http://www.microsoft.com/technet/technetmag/

Someone in my office just gave
me a copy of this free magazine, and it came with the really neat insert
called the Active Directory Component Jigsaw. It is a wall hanging
that outlines all the AD process graphically. I will try to scan
it and post it on my Blog, but I just wanted to make you all aware of it.
I plan to hang it on my cubicle wall on the outside that says What
I do here :)

Subscriptions are free.

Todd

[ActiveDir] Active Directory IRC discussion channels/servers?

2006-03-09 Thread Joe Lagreca
Could anyone recommend any good Active Directory IRC discussion
channels/servers?


[ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread deji
I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.
 
Local backup? I was meaning to do it tomorrow. Really ;)
 
Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.
 
So, am I really SOL?
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Hutchins, Mike
Ouch... 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my 
contacts (painfully built over several years) just took a road-trip to 
neverland on a one-way ticket.
 
Local backup? I was meaning to do it tomorrow. Really ;)
 
Server backup restore? Yeah. I have a greater chance of being the next King 
of insert-favorite-empire-here than getting my corporate server admin to help 
me here. Just won't happen.
 
So, am I really SOL?
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Michael B. Smith
Do you have Deleted Item Recovery turned on your message store?

KB 178630 and check it out.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, March 09, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Ouch... 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my 
contacts (painfully built over several years) just took a road-trip to 
neverland on a one-way ticket.
 
Local backup? I was meaning to do it tomorrow. Really ;)
 
Server backup restore? Yeah. I have a greater chance of being the next King 
of insert-favorite-empire-here than getting my corporate server admin to help 
me here. Just won't happen.
 
So, am I really SOL?
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon


Re: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Mike O'Toole


The 'Dumpster Always On' registry setting will enable the Recover Deleted Items
option in Outlook so that you may recover any items (not just mail) that were
deleted within the server's retention period. File allows setting reg key on
locked down desktops.

Found at http://campus.umr.edu/it/helpdesk/resources/reg_fixes/


Mike O'Toole


- Message from [EMAIL PROTECTED] -
   Date: Thu, 9 Mar 2006 12:45:48 -0800
   From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?
 To: ActiveDir@mail.activedir.org



I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon




- End message from [EMAIL PROTECTED] -





RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread deji
Wouldn't that be just wonderful? Only if the admin were human :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Joe Pochedley
The dumpster only works if the items were marked as deleted.  I'm not sure what 
those pocket PC's do when they sync their nothingness, but they definitely 
don't mark the items as deleted.

I've run into the same situation with users and PocketPC's and haven't found an 
acceptable solution...

Deji:  Do you by chance have an Outlook 2003 client somewhere, running cached 
mode, that you haven't synced back to the server yet?

Joe Pochedley
Software suppliers are trying to make their software packages more 
user-friendly... Their best approach, so far, has been to take all the
old brochures, and stamp the words, 'user-friendly' on the cover.   - Bill 
Gates.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Toole
Sent: Thursday, March 09, 2006 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?


The 'Dumpster Always On' registry setting will enable the Recover Deleted Items 
option in Outlook so that you may recover any items (not just mail) that were 
deleted within the server's retention period. File allows setting reg key on 
locked down desktops.

Found at http://campus.umr.edu/it/helpdesk/resources/reg_fixes/


Mike O'Toole


- Message from [EMAIL PROTECTED] -
Date: Thu, 9 Mar 2006 12:45:48 -0800
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?
  To: ActiveDir@mail.activedir.org


 I just f-fingered a synch between my PDA and Outlook. Short story, all 
 my contacts (painfully built over several years) just took a road-trip 
 to neverland on a one-way ticket.

 Local backup? I was meaning to do it tomorrow. Really ;)

 Server backup restore? Yeah. I have a greater chance of being the 
 next King of insert-favorite-empire-here than getting my corporate 
 server admin to help me here. Just won't happen.

 So, am I really SOL?

 Sincerely,

 Dèjì Akómöláfé, MCSE+M MCSA+M MCT
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon



- End message from [EMAIL PROTECTED] -





RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread deji
What's your favorite kingdom? I'll get myself a crown, then maybe (just
maybe) the chances of a restore happening will be greatly enhanced :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Thu 3/9/2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?



Exchange right?

2003?

Plead with your admin to restore your Outlook mailbox?
See if they are in Deleted items if VSS is enabled?

[EMAIL PROTECTED] wrote:

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com



Re: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

How good are you at forensic recovery of data on handheld devices?

http://www.paraben-forensics.com/handheld_forensics.html

[EMAIL PROTECTED] wrote:


Right. I was . errr meaning to do that :)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mike O'Toole
Sent: Thu 3/9/2006 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?




The 'Dumpster Always On' registry setting will enable the Recover Deleted Items
option in Outlook so that you may recover any items (not just mail) that were
deleted within the server's retention period. File allows setting reg key on
locked down desktops.

Found at http://campus.umr.edu/it/helpdesk/resources/reg_fixes/


Mike O'Toole


- Message from [EMAIL PROTECTED] -
   Date: Thu, 9 Mar 2006 12:45:48 -0800
   From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?
 To: ActiveDir@mail.activedir.org


 


I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

   




- End message from [EMAIL PROTECTED] -




 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Michael B. Smith
???

I'm running Windows Mobile 5. I deleted a contact from my handheld (an i-mate 
Jasjar) and synched it. The contact I deleted was in my deleted items folder, 
just as I expected.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, March 09, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

The dumpster only works if the items were marked as deleted.  I'm not sure what 
those pocket PC's do when they sync their nothingness, but they definitely 
don't mark the items as deleted.

I've run into the same situation with users and PocketPC's and haven't found an 
acceptable solution...

Deji:  Do you by chance have an Outlook 2003 client somewhere, running cached 
mode, that you haven't synced back to the server yet?

Joe Pochedley
Software suppliers are trying to make their software packages more 
user-friendly... Their best approach, so far, has been to take all the
old brochures, and stamp the words, 'user-friendly' on the cover.   - Bill 
Gates.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Toole
Sent: Thursday, March 09, 2006 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?


The 'Dumpster Always On' registry setting will enable the Recover Deleted Items 
option in Outlook so that you may recover any items (not just mail) that were 
deleted within the server's retention period. File allows setting reg key on 
locked down desktops.


Found at http://campus.umr.edu/it/helpdesk/resources/reg_fixes/


Mike O'Toole


- Message from [EMAIL PROTECTED] -
Date: Thu, 9 Mar 2006 12:45:48 -0800
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?
  To: ActiveDir@mail.activedir.org


 I just f-fingered a synch between my PDA and Outlook. Short story, all 
 my contacts (painfully built over several years) just took a road-trip 
 to neverland on a one-way ticket.

 Local backup? I was meaning to do it tomorrow. Really ;)

 Server backup restore? Yeah. I have a greater chance of being the 
 next King of insert-favorite-empire-here than getting my corporate 
 server admin to help me here. Just won't happen.

 So, am I really SOL?

 Sincerely,

 Dèjì Akómöláfé, MCSE+M MCSA+M MCT
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon



- End message from [EMAIL PROTECTED] -





RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Michael B. Smith
Really -- if DIR is turned on, you shouldn't have to do that. They should 
either be in your Deleted Items folder or in Deleted Item Recovery. I just 
tested and it worked for me.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

What's your favorite kingdom? I'll get myself a crown, then maybe (just
maybe) the chances of a restore happening will be greatly enhanced :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Thu 3/9/2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?



Exchange right?

2003?

Plead with your admin to restore your Outlook mailbox?
See if they are in Deleted items if VSS is enabled?

[EMAIL PROTECTED] wrote:

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread deji
Do you by chance have an Outlook 2003 client somewhere
 
How does one say NO in pig-Latin? Hmmm S-O-L :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Joe Pochedley
Sent: Thu 3/9/2006 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



The dumpster only works if the items were marked as deleted.  I'm not sure
what those pocket PC's do when they sync their nothingness, but they
definitely don't mark the items as deleted.

I've run into the same situation with users and PocketPC's and haven't found
an acceptable solution...

Deji:  Do you by chance have an Outlook 2003 client somewhere, running cached
mode, that you haven't synced back to the server yet?

Joe Pochedley
Software suppliers are trying to make their software packages more
user-friendly... Their best approach, so far, has been to take all the
old brochures, and stamp the words, 'user-friendly' on the cover.   - Bill
Gates.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Toole
Sent: Thursday, March 09, 2006 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?


The 'Dumpster Always On' registry setting will enable the Recover Deleted
Items option in Outlook so that you may recover any items (not just mail)
that were deleted within the server's retention period. File allows setting
reg key on locked down desktops.

Found at http://campus.umr.edu/it/helpdesk/resources/reg_fixes/


Mike O'Toole


- Message from [EMAIL PROTECTED] -
Date: Thu, 9 Mar 2006 12:45:48 -0800
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?
  To: ActiveDir@mail.activedir.org


 I just f-fingered a synch between my PDA and Outlook. Short story, all
 my contacts (painfully built over several years) just took a road-trip
 to neverland on a one-way ticket.

 Local backup? I was meaning to do it tomorrow. Really ;)

 Server backup restore? Yeah. I have a greater chance of being the
 next King of insert-favorite-empire-here than getting my corporate
 server admin to help me here. Just won't happen.

 So, am I really SOL?

 Sincerely,

 Dèjì Akómöláfé, MCSE+M MCSA+M MCT
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon



- End message from [EMAIL PROTECTED] -





RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread deji
On MY Exchange servers, yes.
 
On the CORPORATE Exchange servers? What was the question again?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Thu 3/9/2006 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Do you have Deleted Item Recovery turned on your message store?

KB 178630 and check it out.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, March 09, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Ouch...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


[ActiveDir] 1025/tcp open NFS-or-IIS

2006-03-09 Thread Ravi Dogra
Hi,

Just wanted to know what is this and how disabling or enabling it can
affect my DC?
--
Ravi Dogra


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread deji
You know what they say about you? Don't tell anyone, but they call you
wizard. I just followed your instructions, and before you could say
dumpster, the contacts are showing up in deleted items
 
You made my day :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Thu 3/9/2006 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



???

I'm running Windows Mobile 5. I deleted a contact from my handheld (an i-mate
Jasjar) and synched it. The contact I deleted was in my deleted items folder,
just as I expected.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, March 09, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

The dumpster only works if the items were marked as deleted.  I'm not sure
what those pocket PC's do when they sync their nothingness, but they
definitely don't mark the items as deleted.

I've run into the same situation with users and PocketPC's and haven't found
an acceptable solution...

Deji:  Do you by chance have an Outlook 2003 client somewhere, running cached
mode, that you haven't synced back to the server yet?

Joe Pochedley
Software suppliers are trying to make their software packages more
user-friendly... Their best approach, so far, has been to take all the
old brochures, and stamp the words, 'user-friendly' on the cover.   - Bill
Gates.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Toole
Sent: Thursday, March 09, 2006 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?


The 'Dumpster Always On' registry setting will enable the Recover Deleted
Items option in Outlook so that you may recover any items (not just mail)
that were deleted within the server's retention period. File allows setting
reg key on locked down desktops.


Found at http://campus.umr.edu/it/helpdesk/resources/reg_fixes/


Mike O'Toole


- Message from [EMAIL PROTECTED] -
Date: Thu, 9 Mar 2006 12:45:48 -0800
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?
  To: ActiveDir@mail.activedir.org


 I just f-fingered a synch between my PDA and Outlook. Short story, all
 my contacts (painfully built over several years) just took a road-trip
 to neverland on a one-way ticket.

 Local backup? I was meaning to do it tomorrow. Really ;)

 Server backup restore? Yeah. I have a greater chance of being the
 next King of insert-favorite-empire-here than getting my corporate
 server admin to help me here. Just won't happen.

 So, am I really SOL?

 Sincerely,

 Dèjì Akómöláfé, MCSE+M MCSA+M MCT
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon



- End message from [EMAIL PROTECTED] -





RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Grillenmeier, Guido
come on Deji - forget whoever you've had in your contact list until now and 
just get some new friends :-) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 9. März 2006 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Wouldn't that be just wonderful? Only if the admin were human :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Gil Kirkpatrick
Actually, I think all three of Deji's friends are on this list anyway... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Thursday, March 09, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

come on Deji - forget whoever you've had in your contact list until now and 
just get some new friends :-) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 9. März 2006 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Wouldn't that be just wonderful? Only if the admin were human :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread deji
Three? Don't tell me you are including yourself :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Actually, I think all three of Deji's friends are on this list anyway... :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, March 09, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

come on Deji - forget whoever you've had in your contact list until now and
just get some new friends :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 9. März 2006 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Wouldn't that be just wonderful? Only if the admin were human :)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Gil Kirkpatrick
Ok, so maybe it's only two... :) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Three? Don't tell me you are including yourself :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Actually, I think all three of Deji's friends are on this list anyway... :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, March 09, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

come on Deji - forget whoever you've had in your contact list until now and
just get some new friends :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 9. März 2006 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Wouldn't that be just wonderful? Only if the admin were human :)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


Re: [ActiveDir] ADMT v3 implementation questions

2006-03-09 Thread Joe Lagreca
My problems seemed to have been solved by simply logging in as the
Administrator from the source domain, on the target domain.  Then I
was able to access all shares in the source domain, as well as run the
ADMT agent with no problems.

I am trying to finish up my ADMT v3.0 migration document to help
others who are running into problems.  I will let you all know when it
is ready.

Thanks for the help.

Joe


On 3/8/06, Joe Lagreca [EMAIL PROTECTED] wrote:
 I got ADMT running in a test environment, but now have a few problems.

 Problem #1

 When I use the wizard to migrate a computer from the source domain to
 the target, I then have the same machine account in both domains.
 Making it impossible for the target domain to access the shares of the
 workstation in the source domain.  I have experienced this problem,
 and found it documented here:

 http://www.jsifaq.com/SUBJ/tip4600/rh4655.htm

  4655 » Logon Failure error when accessing a child domain controller from 
  the parent domain? 08-Jan-02
 
  When you attempt to access a child domain controller from the parent 
  domain, you receive:
 
   Logon Failure: The target account name is incorrect.
 
   This error will occur if a computer in the parent domain has the same 
  computer name as a computer in the child domain.
 
   To resolve the problem, rename one of the computers.
 
   NOTE: If the computer no longer exists, delete it's machine account.


 If I delete the newly migrated computer from the target domain, I
 can then access the shares on the workstation in the source domain.
 Anyone have an idea of how I can get around this limitation?  I don't
 think it is possible to remove the workstation from the source domain
 yet, as it hasn't had the agent dispatched to it to change its domain
 ownership.

 Problem #2

 Even though I have already added the opposite Domain Admins group to
 the local Administrator group of each machine, I don't appear to have
 admin rights across the trust between domains.

 One example is that the target domain cannot access the Admin$ share
 of the workstation in the source domain.

 If I go to the source domain workstation and add the administrator of
 the target domain to the local Administrator group of the workstation,
 I can then access the Admin$ share and dispatch the ADMT agent to the
 workstation.

 Since this is not practical in a widespread migration, I need to
 figure out how to get administrative privileges across the trust
 between domains.

 Thanks.

 Joe

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] [List Owner] Chatter

2006-03-09 Thread Tony Murray
Is it just my imagination or is the list getting chattier?

Don't make me bring out the List Nanny!

Oh, and please remember to use the OT: prefix for off topic posts.  This
allows people the option of setting up Inbox rules to filter them out.

Tony





RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread joe
A perfect example of the difference between big server world and SBS-land.
In big server world the tendency is to try and turn everything off that
doesn't absolutely have to be on where I think the tendency in SBS-land is
to have everything on, heck the DC is even running Exchange, it can't get
much worse than that...

Seriously though, most companies have found that many cool Microsoft
technologies rarely scale well to large environments. All of the little
broadcasts and such that are fine on a small network with 15 PCs are ok but
once you get into segments with hundreds of machines on networks with
hundreds of thousands of machines things can get ugly. 

The less you have turned on, the less you have to worry about breaking and
then trying to figure out how to fix. Big companies have enough other issues
to deal with like how to change the email addresses of some 10,000 users who
are now in a new division that needs a new name but is still in the main
email system, etc. 

In general new cool things are adopted much more slowly if ever in large
environments unless those things were initially scaled to enterprise sizes
in design and are intended to make the enterprise more liveable in a way
that the admins and management feel it needs to be more liveable.
Unfortunately, most of the MS stuff doesn't qualify, usually on the first
points.  

Active Directory things, now those are often cool and needed, but not say
link tracking which worked great in mom and pop areas but devastated some
large companies until they knew they could delete all of that useless crap.

Microsoft has always had and seems to still have serious issues in testing
several things

1. Scaled deployments
2. Reduced permission sets
3. Disjoint namespace or other unusual deployments that are not the result
of clicking ok all of the time
4. Generic group selection (for instance LCS requires Global Groups... What
century is this? Boneheads)
5. Multidomain forests
6. Multiforest deployments

Basically if you do not have an environment that you built with point and
click and hitting OK several times then you need to test test test before
you implement most MS anything. Even if you do, I still think you should
test test test before you implement anything. But since you are probably
small too and the idea of a test lab makes you laugh uncontrollably because
you could barely get production hardware, I understand.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, March 09, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What do you do when ooops won't work?

If this is a 2k3 environment and that admin doesn't have VSS agents on the
workstations so that you can restore your own deleted items...then shame on
that admin.

I have an entire drive snapping snapshots every hour on the hour (yes, every
hour on the hour) for data, and mailbox retention is 30 days.

[EMAIL PROTECTED] wrote:

Wouldn't that be just wonderful? Only if the admin were human :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore 
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all 
my contacts (painfully built over several years) just took a road-trip 
to neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the 
next King of insert-favorite-empire-here than getting my corporate 
server admin to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday?  -anon

RE: [ActiveDir] group policy creator owners

2006-03-09 Thread Darren Mar-Elia
Yep, Neil is spot on with that. gpOptions simply lets you set block
inheritance on the container object.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] group policy creator owners

That would allow the setting of 'block inheritance' and 'force
inheritance' and the like.

gpLink merely grants rights to link GPOs to the OU. 

I'm sure Darren will fill in the large blanks left by me, again :)


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: 09 March 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] group policy creator owners

thanks both for views on this which make a whole load of sense

i think how i am to proceed is to leave the 'domain admins' with the
task of GPO creation and delegation to appropriate groups of people.

it would be my view that you should be able to trust the people to whom
authority for a GPO is delegated to manage the point at which it becomes
'active' by way of the linking to a particular OU, and as such delegate
the GpLINK.

quick question if i may though ...

the delegation of gplink is available from the 'delegate control
wizards' (Windows 2000 here sorry !)

i assume this is sufficient for the delegate to link a GPO to the OU -
what does the delegation of GPOPTIONS allow additionally ??

GT

 I agree with Neil here with just a few other suggestions. The ability
 to create GPOs in and of itself is not as interesting as controlling
 who can link the GPO to the various AD containers, as Neil indicates
 below. So managing delegation of the gpLink and gpOptions attributes
 on site, domain and OU containers is important. But if you really
 want to delegate creation and editing of GPOs, you have to deal with
 the problem outlined below, which is that the rights to create a GPO
 are different and don't automatically flow into rights to edit a GPO
 for a different user or group. One option here is to have a documented
 process where your creators create the GPO and then use GPMC to
 delegate edit rights to another user/group. Another option is to
 modify the defaultSecurityDescriptor attribute on the
 groupPolicyContainer class object to modify the default groups that
 can edit GPOs when they're created. In that way you can have a group
 that can create GPOs and another, perhaps overlapping larger group
 that can edit them. Problem with making such a change is that all
 subsequent GPOs created in the domain will have that new group ACE on
 them, which may or may not be desirable.

 Darren


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Thursday, March 09, 2006 3:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] group policy creator owners

 When created, a new GPO will *not* inherit rights from the parent (if
 we examine SYSVOL perms, for example).

 You may assign user1 and user2 the rights to create GPOs in the domain
 (using GPMC) but each user will need to grant other users the right to
 edit 'their' GPO.

 FWIW, I think this is a bad practice and a recipe for disaster. I only
 ever allow DAs the rights to create and edit (and link) GPOs. How do
 you stop user1 or 2 from creating a GPO, editing and linking it and
 thus starting a DoS on all users due to a badly configured GPO? Do you
 control where they can link GPOs? Why not have the DAs create and
 link, and allow user 1 and 2 to edit (only) their GPOs? You appear
 to have relinquished all control of your GPOs to non-admins :(

 neil


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: 09 March 2006 13:46
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] group policy creator owners

 Dear all, I am looking for some information with respect to Group
 policy object delegation.

 the requirement is to allow additional users to create new GPO's
 without 'Domain Admins' membership.

 Seems the way to go is to add the user accounts to the 'Group policy
 creator owners' group.

 this allows them to create GPO's and have the necessary permissions to
 edit (and presumably delete) GPO's that they own by way of their
 creating them.

 how can this be implemented to support a team environment whereby say
 USER2 in a group would want to be able to edit a GPO created by USER1

 can we add a group to the 'Group policy creator owners' group that
 allows the members of that group to 'share' the permissions on GPO's
 that members of that group create ?

 if not it seems the only supported mechanism is for USER1 who creates
 the GPO to assign permissions on the GPO that they create  - hardly
 ideal ?

 Thanks

 GT
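
The thread above turns on who may write the gpLink and gpOptions attributes on a container. The following is an added example, not code from any poster in the thread: a PowerShell audit that lists every principal outside an expected set who holds that write access on an OU. It assumes the RSAT ActiveDirectory module and a domain-joined session; the function name `Get-GpoLinkDelegation` and the default `$Expected` list are hypothetical.

```powershell
# Added example, not code from the thread. Needs the RSAT ActiveDirectory module.
# Reports every Allow ACE that lets an unexpected principal write gpLink or
# gpOptions on an OU, i.e. link GPOs there or set Block Inheritance.
Import-Module ActiveDirectory

function Get-GpoLinkDelegation {
    [CmdletBinding()]
    param(
        # Principals you expect to hold these rights (assumed list; adjust).
        [string[]]$Expected = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')
    )

    # Resolve the two attribute GUIDs from the schema rather than hard-coding them.
    $attrByGuid = @{}
    Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter '(|(lDAPDisplayName=gPLink)(lDAPDisplayName=gPOptions))' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $attrByGuid[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    $write       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow')              { continue }
            if (-not $ace.ActiveDirectoryRights.HasFlag($write)) { continue }
            # Inherit-only ACEs apply to children, not to this OU itself.
            if ($ace.PropagationFlags.HasFlag($inheritOnly))     { continue }

            # An empty ObjectType means the write right covers every attribute.
            $attr = if ($attrByGuid.ContainsKey($ace.ObjectType)) { $attrByGuid[$ace.ObjectType] }
                    elseif ($ace.ObjectType -eq [guid]::Empty)    { 'all attributes' }
                    else { $null }
            if (-not $attr) { continue }

            # Compare on the account name without its domain or authority prefix.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($Expected -contains $name) { continue }

            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                CanWrite  = $attr
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-GpoLinkDelegation | Sort-Object OU, Principal | Format-Table -AutoSize
```

Site and domain objects carry the same two attributes, so the same ACE check can be pointed at them by changing the object query.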


[ActiveDir] Upgrade of a Windows 2000 Server Cluster

2006-03-09 Thread Medeiros, Jose

Greetings AD gurus,

Has anyone on the list attempted a rolling upgrade of a Windows 2000 Server Cluster running SQL 2000
to Windows 2003 server with SQL 2000 yet?

If so have you had any issues with the nodes coming back online? Any Gotchas I should know
about?

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/clustering/rllupnet.mspx

Sincerely,

Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell


Re: [ActiveDir] 1025/tcp open NFS-or-IIS

2006-03-09 Thread Al Mulnick
1025/tcp is in the range of ephemeral ports. If it were some versions of BSD, that would be 1025-4999 but for Windows is pretty much 1025-65535 (TCP in this case).

RPC endpoints are typically negotiated and pick from the ephemeral ports that Windows has available (above 1024 or implicitly 1025-65535 with some exceptions). 

If you disable that port on a standalone machine, especially a DC you can easily break its normal function or at least whatever is based on RPC connectivity. You *could* lock down the ports that the RPC endpoint mapper hands out however, which would allow you to use some other port and thereby disable that port if you really wanted to for some reason. The end result is that when asked, your server would always hand out the same port number to communicate vs. picking one at random.


Was there a particularly interesting reason you want to disable that access? From outside your network you certainly do, but any particular reason why you would on the machine? 
Al

On 3/9/06, Ravi Dogra [EMAIL PROTECTED] wrote:
Hi,
Just wanted to know what is this and how disabling or enabling it can affect my DC?
--
Ravi Dogra


RE: [ActiveDir] 1025/tcp open NFS-or-IIS

2006-03-09 Thread Marcus.Oh

Al, do you have success with that rpc port
limitation? With win2k, it did not work as advertised as I recall

:m:dsm:cci:mvp marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, March 09, 2006 9:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS

1025/tcp is in the range of ephemeral ports. If it were some versions
of BSD, that would be 1025-4999 but for Windows is pretty much 1025-65535 (TCP
in this case).

RPC endpoints are typically negotiated and pick from the ephemeral
ports that Windows has available (above 1024 or implicitly 1025-65535 with some
exceptions).

If you disable that port on a standalone machine, especially a DC you
can easily break its normal function or at least whatever is based on RPC
connectivity. You *could* lock down the ports that the RPC endpoint mapper
hands out however, which would allow you to use some other port and thereby
disable that port if you really wanted to for some reason. The end result is
that when asked, your server would always hand out the same port number to
communicate vs. picking one at random.

Was there a particularly interesting reason you want to disable that
access? From outside your network you certainly do, but any particular reason
why you would on the machine?

Al

On 3/9/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Hi,

Just wanted to know what is this and how disabling or enabling it can
affect my DC?
--
Ravi Dogra


[ActiveDir] OT: Netlogon Service

2006-03-09 Thread Aaron Visser
Well I know this is a little off topic but I cannot find any answers so I
have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today
I can no longer login to it via the Domain (it says that the NetLogon
Service is not started)  So I logged onto another computer and remotely
connected to the computer thru the Computer Management MMC Snap-In and
checked the Netlogon Service and sure enough it was disabled, so I set it to
Auto and then proceeded to start the Service. But it will not start because
it says that the RPC Locator Service (to the best of my recollection) needs
to be started, so I check that and sure enough it is disabled also.  So I
try to start that service but it gives me some error that I cannot recall at
this time.  Anyways trying to make this story short I am pretty sure that
the computer in question was targeted from within the LAN remotely.  So the
big question or questions are is it possible to attack a computer in this
manner?  If it is possible does anyone have any info on how to accomplish
this so that I can try and figure out how or what was used and maybe even
nail the person (student) who did this.

Thanks,

Aaron




RE: [ActiveDir] OT: Netlogon Service

2006-03-09 Thread Ken Schaefer
For all we know, someone
did exactly what you did (connect remotely using administrative credentials) and
disabled the services.

Do you have logon auditing enabled? If so,
have you checked to see who's logged onto the machine?

Cheers
Ken


From: [EMAIL PROTECTED] on behalf of Aaron Visser
Sent: Fri 3/10/2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Netlogon Service

Well I know this is a little off topic but I cannot find any answers so I
have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today
I can no longer login to it via the Domain (it says that the NetLogon
Service is not started)  So I logged onto another computer and remotely
connected to the computer thru the Computer Management MMC Snap-In and
checked the Netlogon Service and sure enough it was disabled, so I set it to
Auto and then proceeded to start the Service. But it will not start because
it says that the RPC Locator Service (to the best of my recollection) needs
to be started, so I check that and sure enough it is disabled also.  So I
try to start that service but it gives me some error that I cannot recall at
this time.  Anyways trying to make this story short I am pretty sure that
the computer in question was targeted from within the LAN remotely.  So the
big question or questions are is it possible to attack a computer in this
manner?  If it is possible does anyone have any info on how to accomplish
this so that I can try and figure out how or what was used and maybe even
nail the person (student) who did this.

Thanks,
Aaron
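
The check suggested in the reply above (who was logged on when the services were disabled) can be scripted. This is an added example, not code from anyone in the thread: it assumes a current Windows target, where a service start-type change is System event 7040 and a logon is Security event 4624, and that success auditing of logon events is enabled; the XP-era Security log uses different event IDs. The function name and parameter defaults are hypothetical.

```powershell
# Added example, not code from the thread. Run with rights to read the remote
# System and Security logs. Finds start-type changes for the named services and
# lists the remote logons recorded in the minutes before each change.
function Find-ServiceStartTypeChange {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$ServicePattern = @('*Netlogon*', '*Net Logon*', '*RPC*Locator*'),
        [int]$WindowMinutes = 15,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # Turn an event's <EventData> section into a name -> value hashtable.
    function ConvertTo-EventData($Record) {
        $h = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }

    $changes = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040; StartTime = $Since
    }

    foreach ($c in $changes) {
        $d   = ConvertTo-EventData $c
        $svc = $d['param1']                       # service display name
        if (-not ($ServicePattern | Where-Object { $svc -like $_ })) { continue }

        # Account stamped on the event: who asked the SCM to make the change.
        $who = if ($c.UserId) {
            try   { $c.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $c.UserId.Value }
        } else { 'unknown' }

        # Network (3) and remote-interactive (10) logons shortly before the change.
        $logons = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'; Id = 4624
            StartTime = $c.TimeCreated.AddMinutes(-$WindowMinutes); EndTime = $c.TimeCreated
        } | ForEach-Object { ConvertTo-EventData $_ } |
            Where-Object   { $_['LogonType'] -in '3', '10' } |
            ForEach-Object { '{0}\{1} from {2}' -f $_['TargetDomainName'], $_['TargetUserName'], $_['IpAddress'] } |
            Sort-Object -Unique

        [pscustomobject]@{
            Time               = $c.TimeCreated
            Service            = $svc
            From               = $d['param2']     # previous start type
            To                 = $d['param3']     # new start type
            ChangedBy          = $who
            RecentRemoteLogons = $logons -join '; '
        }
    }
}

Find-ServiceStartTypeChange | Format-List
```

An empty `RecentRemoteLogons` field next to a change made by SYSTEM points away from a remote administrator and toward something running locally on the machine.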




Re: [ActiveDir] OT: Netlogon Service

2006-03-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Malware?

Malware can hork up the tcp/ip stack really good.

Ken Schaefer wrote:
For all we know, someone did exactly what you did (connect remotely 
using administrative credentials) and disabled the services.
 
Do you have logon auditing enabled? If so, have you checked to see 
who's logged onto the machine?
 
Cheers

Ken


*From:* [EMAIL PROTECTED] on behalf of Aaron Visser
*Sent:* Fri 3/10/2006 4:47 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Netlogon Service

Well I know this is a little off topic but I cannot find any answers so I
have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today
I can no longer login to it via the Domain (it says that the NetLogon
Service is not started)  So I logged onto another computer and remotely
connected to the computer thru the Computer Management MMC Snap-In and
checked the Netlogon Service and sure enough it was disabled, so I set it to
Auto and then proceeded to start the Service. But it will not start because
it says that the RPC Locator Service (to the best of my recollection) needs
to be started, so I check that and sure enough it is disabled also.  So I
try to start that service but it gives me some error that I cannot recall at
this time.  Anyways trying to make this story short I am pretty sure that
the computer in question was targeted from within the LAN remotely.  So the
big question or questions are is it possible to attack a computer in this
manner?  If it is possible does anyone have any info on how to accomplish
this so that I can try and figure out how or what was used and maybe even
nail the person (student) who did this.

Thanks,
Aaron




Re: [ActiveDir] 1025/tcp open NFS-or-IIS

2006-03-09 Thread Umer Y
Marcus,

I have tested that with 2003 SP1 dc's. Works like a charm.

I used the following KB: http://support.microsoft.com/kb/154596/

Cheers.

On 3/10/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Al, do you have success with that rpc port limitation?  With win2k, it did
 not work as advertised as I recall…

 :m:dsm:cci:mvp marcusoh.blogspot.com

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al
 Mulnick
 Sent: Thursday, March 09, 2006 9:42 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS

 1025/tcp is in the range of ephemeral ports. If it were some versions of
 BSD, that would be 1025-4999 but for Windows is pretty much 1025-65535 (TCP
 in this case).

 RPC endpoints are typically negotiated and pick from the ephemeral ports
 that Windows has available (above 1024 or implicitly 1025-65535 with some
 exceptions).

 If you disable that port on a standalone machine, especially a DC you can
 easily break its normal function or at least whatever is based on RPC
 connectivity. You *could* lock down the ports that the RPC endpoint mapper
 hands out however, which would allow you to use some other port and thereby
 disable that port if you really wanted to for some reason. The end result is
 that when asked, your server would always hand out the same port number to
 communicate vs. picking one at random.

 Was there a particularly interesting reason you want to disable that access?
 From outside your network you certainly do, but any particular reason why
 you would on the machine?

 Al

 On 3/9/06, Ravi Dogra [EMAIL PROTECTED] wrote:

 Hi,

 Just wanted to know what is this and how disabling or enabling it can
 affect my DC?
 --
 Ravi Dogra

--
Ambition is a dream with a V8 engine. ~ Elvis Presley
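
The RPC port restriction discussed in this thread, and the KB 154596 procedure cited above, come down to three values under one registry key. This is an added example, not code from the thread or from the KB: it reads the current setting, flags the misconfigurations the KB warns about, and can write a new range. The value names are those documented in KB 154596; the function names and the `5000-5100` sample range are assumptions.

```powershell
# Added example, not code from the thread. Value names follow KB 154596;
# function names and the sample range are hypothetical.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function ConvertTo-PortList {
    # Expand entries such as '5000-5100' or '5984' into individual port numbers.
    param([string[]]$Ports)
    foreach ($entry in $Ports) {
        if ($entry -match '^\s*(\d+)\s*(?:-\s*(\d+))?\s*$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if ($lo -lt 1 -or $hi -gt 65535 -or $lo -gt $hi) { throw "Bad port range: '$entry'" }
            $lo..$hi
        } else { throw "Unparseable Ports entry: '$entry'" }
    }
}

function Get-RpcPortRestriction {
    $cfg = Get-ItemProperty -Path $RpcKey -ErrorAction SilentlyContinue
    if (-not $cfg -or -not $cfg.Ports) {
        return [pscustomobject]@{ Restricted = $false; Count = 0; Lowest = $null; Highest = $null
                                  Findings = @('No Ports value: RPC uses the default dynamic range') }
    }
    $ports    = @(ConvertTo-PortList $cfg.Ports | Sort-Object -Unique)
    $findings = @()
    if ($cfg.PortsInternetAvailable -ne 'Y') {
        $findings += 'PortsInternetAvailable is not Y: Ports lists the ports that are NOT Internet-available'
    }
    if ($cfg.UseInternetPorts -ne 'Y') {
        $findings += 'UseInternetPorts is not Y: default endpoints come from the intranet-only set'
    }
    # The KB advises a range above 5000 and at least 100 ports.
    if ($ports[0] -lt 5000)  { $findings += "Range starts at $($ports[0]), below 5000" }
    if ($ports.Count -lt 100) { $findings += "Only $($ports.Count) ports; fewer than 100 can starve RPC services" }

    [pscustomobject]@{
        Restricted = $true
        Count      = $ports.Count
        Lowest     = $ports[0]
        Highest    = $ports[-1]
        Findings   = $findings
    }
}

function Set-RpcPortRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Ports)
    $null = ConvertTo-PortList $Ports        # validate before touching the registry
    if ($PSCmdlet.ShouldProcess($RpcKey, "Restrict RPC dynamic ports to $($Ports -join ', ')")) {
        if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
        New-ItemProperty -Path $RpcKey -Name Ports -PropertyType MultiString -Value $Ports -Force | Out-Null
        New-ItemProperty -Path $RpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
        New-ItemProperty -Path $RpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
        Write-Warning 'Restart the computer for the RPC runtime to pick up the new range.'
    }
}

Get-RpcPortRestriction | Format-List
# Set-RpcPortRestriction -Ports '5000-5100' -WhatIf
```

Any firewall rule between clients and the DC has to allow the same range plus the endpoint mapper on 135/tcp, otherwise clients are handed a port they cannot reach.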