Re: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Matt . Duguid
It should be removed. We had the same situation on our site in the past
and used the same article. We did a search on the AD later and found the
odd piece of data hanging around in AD, which we tidied up.

Which domain controllers held which FSMO roles? Were any on the DC that you
have lost? Have you managed to transfer these to another DC?

Cheers,

Matt Duguid
Microsoft Systems Engineer
Information and Technology Group - Identity Services
The Department of Internal Affairs Te Tari Taiwhenua

Direct Dial: +64 4 4748028 x8028
Fax: +64 4 4748894
Mobile: +64 21 1713290
Address: Level 4, 47 Boulcott Street, Wellington, New Zealand
Internet: http://www.dia.govt.nz/



From: senthil Kumar [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 26/01/2007 12:14 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain


Hi,

We already had 3 DCs in our network. Suddenly one DC went down permanently.
It won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
   the administrator can perform the removal, but additional configuration
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
   specific server where the changes occur. If the currently logged on user
   does not have administrative permissions, different credentials can be
   supplied by specifying the credentials to use before making the
   connection. To do this, type set creds DomainName UserName Password, and
   then press ENTER. For a null password, type null for the password
   parameter.

5. Type connect to server servername, and then press ENTER. You should
   receive confirmation that the connection is successfully established. If
   an error occurs, verify that the domain controller being used in the
   connection is available and the credentials you supplied have
   administrative permissions on the server.

Note: If you try to connect to the same server that you want to delete,
when you try to delete the server that step 15 refers to, you may receive
the following error message:

Error 2094. The DSA Object cannot
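A post-cleanup check to go with the steps above, added here as an example; it is not from the thread or from the Microsoft article. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later; Resolve-DnsName needs Windows 8 / 2012 or later) and a hypothetical lost DC named DC03:

```powershell
# Added example (not from the thread or the KB article): after ntdsutil
# metadata cleanup, confirm no FSMO role still points at the lost DC and hunt
# for leftover objects that reference it. Assumes the ActiveDirectory module;
# $DeadDc is a hypothetical name.
param([string]$DeadDc = 'DC03')
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO role holders. A role still listed on the lost DC has to be seized
#    to a surviving DC (ntdsutil "roles" context) or the domain degrades
#    quietly: no new RIDs, no schema changes, password and lockout oddities.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $onDead = ($r.Value -split '\.')[0] -eq $DeadDc
    $flag   = if ($onDead) { '   <-- held by lost DC, seize it' } else { '' }
    '{0,-22} {1}{2}' -f $r.Key, $r.Value, $flag
}

# 2. Objects that metadata cleanup normally removes. Anything still here is
#    the "odd piece of data hanging around" and should be deleted by hand;
#    replication partners keep trying to talk to a DC that no longer exists.
$configNc = $forest.PartitionsContainer -replace '^CN=Partitions,', ''
$domainNc = $domain.DistinguishedName
$places = @(
    @{ Name = 'Server object (Sites)';       Base = "CN=Sites,$configNc";               Class = 'server' },
    @{ Name = 'NTDS Settings (nTDSDSA)';     Base = "CN=Sites,$configNc";               Class = 'nTDSDSA' },
    @{ Name = 'Domain Controllers computer'; Base = $domain.DomainControllersContainer; Class = 'computer' },
    @{ Name = 'FRS SYSVOL member';           Base = "CN=System,$domainNc";              Class = 'nTFRSMember' },
    @{ Name = 'DFSR SYSVOL member';          Base = "CN=System,$domainNc";              Class = 'msDFSR-Member' }
)
$leftovers = foreach ($p in $places) {
    try {
        Get-ADObject -SearchBase $p.Base -LDAPFilter "(objectClass=$($p.Class))" -ErrorAction Stop |
            Where-Object { $_.DistinguishedName -like "*CN=$DeadDc,*" } |
            ForEach-Object { [pscustomobject]@{ Where = $p.Name; DN = $_.DistinguishedName } }
    } catch { }   # container absent (e.g. SYSVOL not DFSR-replicated): nothing to find there
}

# 3. DNS: stale SRV records keep sending clients to the dead DC for LDAP/Kerberos.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -ErrorAction SilentlyContinue |
       Where-Object { $_.NameTarget -like "$DeadDc.*" }

if ($leftovers) { $leftovers | Format-Table -AutoSize } else { "No leftover directory objects reference $DeadDc" }
if ($srv)       { "Stale SRV records still point at $DeadDc; remove them in DNS." }
```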

RE: [ActiveDir] AD Schema - adding an attribute

2007-01-10 Thread Matt Brown
Hi,

Thanks for the replies.
 
 birthDate already exists - can you take advantage of it?
Where would I find this? If it already exists I think I'd be better off
using that one.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 09, 2007 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of
it?

Second you need to register a prefix and OID tree with Microsoft on
MSDN. This is how you will get a starting point for OIDs. You'll also
get a prefix so it would be ewu-birthMonth or something.

Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC - Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's an oidgen program somewhere (haven't found it
yet), but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] AD Schema - adding an attribute

2007-01-10 Thread Matt Brown
I can't seem to find the birthDate attribute in any of my classes.

Looking in MMC - Active Directory Schema.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 10, 2007 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

It's an attribute of the user class.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
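An added example of the attribute creation Brian describes, not code from the thread: the OID and the ewu- prefix are placeholders to be replaced with the arc and prefix registered with Microsoft, and it assumes the ActiveDirectory module and ldifde run on the schema master by a member of Schema Admins.

```powershell
# Added example (not from the thread): create a custom integer attribute with
# an LDIF file and ldifde, then add it to the user class. The "ewu-" prefix
# and the OID are placeholders; a real deployment uses the prefix and OID arc
# registered with Microsoft, as Brian says, not one generated by oidgen.
$schemaNc = (Get-ADRootDSE).schemaNamingContext   # e.g. CN=Schema,CN=Configuration,DC=ewu,DC=edu
$oid      = '1.3.6.1.4.1.PLACEHOLDER.1'           # placeholder: replace with your registered arc
$attrName = 'ewu-birthMonth'

# attributeSyntax 2.5.5.9 + oMSyntax 2 = Integer. rangeLower/rangeUpper make
# the DC reject anything outside 1-12. searchFlags 128 (fCONFIDENTIAL, Windows
# Server 2003 SP1 and later) hides the value from plain Authenticated Users:
# birth data is PII, so only principals granted the control-access right read it.
$ldif = @"
dn: CN=$attrName,$schemaNc
changetype: add
objectClass: attributeSchema
cn: $attrName
lDAPDisplayName: $attrName
adminDisplayName: $attrName
adminDescription: Month of birth, 1-12 (constructed example attribute)
attributeID: $oid
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
rangeLower: 1
rangeUpper: 12
searchFlags: 128

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,$schemaNc
changetype: modify
add: mayContain
mayContain: $attrName
-
"@

$file = Join-Path $env:TEMP "$attrName.ldf"
Set-Content -Path $file -Value $ldif -Encoding ASCII

# Schema additions are forest-wide and permanent (an attribute can be made
# defunct later but never deleted), so run this against a lab forest first.
# -i import, -k carry on past "already exists" errors, -j log directory.
ldifde -i -k -f $file -j $env:TEMP

# Verify what landed, including the confidentiality flag.
Get-ADObject -Identity "CN=$attrName,$schemaNc" -Properties attributeID, attributeSyntax, searchFlags, rangeLower, rangeUpper |
    Format-List Name, attributeID, attributeSyntax, searchFlags, rangeLower, rangeUpper
```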


[ActiveDir] AD Schema - adding an attribute

2007-01-09 Thread Matt Brown
How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC - Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's an oidgen program somewhere (haven't found it
yet), but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


Re: [ActiveDir] Built in Security groups

2007-01-01 Thread Matt Hargraves

From what you're saying here, it doesn't sound like you need to basically...

well... completely f*ck up your environment, you just need to remove the
nesting of the Administrators group from the other groups.

Auditors saying that you need to delete a built-in group really need to get
a clue, just to be honest. If you have to give it to them, then that
shouldn't be an issue. Don't view an auditor's request as a "You must do
this" statement, because it isn't. They are basing their recommendations
off an incomplete understanding of the Windows environment; fill in the missing
information and there is a really good chance that they'll go "Oh". It
really sounds like what you need is appropriate auditing to make sure that
you have your sensitive group memberships monitored for membership changes.



On 12/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



Nope, we haven't delegated the rights to anyone else. We are a single
forest farm that hasn't done a schema update with the current staff so I
doubt they even know what the groups are for. They saw that Administrator
was a member of those groups, didn't know what they were for, and said to
disable them. This is the problem with SOX and similar setups, the auditors
and people making decisions based on their findings are often not the people
best equipped to make the decisions from a technical standpoint. Regardless
I found the list of built in accounts and groups and a reference from an
outside authority (article in ITPro) stating that the built in groups can
not be deleted, so I think I have enough ammo to push back =)

Thanks,
Andrew Fidel


From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 12/23/2006 01:49 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built in Security groups






Yep the reference is Error Code 0x55B (1371) in winerror.h

ERROR_SPECIAL_ACCOUNT
# Cannot perform this operation on built-in accounts.


An alternate reference is

isCriticalSystemObject: TRUE


Send back up to the above that they should be setting overall generic
security policies and the technical people should be figuring out how to
interpret them. Telling you to delete certain groups is deeper into the
details than they likely should be based on this requirement.

Course my response probably would have been a chuckle or two and "Yeah,
I'll get right on that" ;o)

The basic concept is silly. Correct me if I am wrong but I am guessing you
have delegated the same rights to other groups so they feel that leaving the
original groups is a security issue? Obviously this is silly on the surface
and actually at any level. Any group that has the same rights represents the
same security risk. I wouldn't even bother taking the schema admins group
and delegated those rights to some other group I made, I don't see the point
and I could visualize tools that will actually break if you did that because
they may look at the token or directory to verify someone is a member of
that group directly to continue on.


joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm



--
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* [EMAIL PROTECTED]
*Sent:* Friday, December 22, 2006 11:14 AM
*To:* [EMAIL PROTECTED]
*Subject:* [ActiveDir] Built in Security groups


Does anyone have a reference (preferably from MS) showing that you should
not remove the Built in Security groups such as Schema Admins, Enterprise
Admins, etc. It has come down from above that we should be removing these
groups and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel



Re: [ActiveDir] Built in Security groups

2006-12-25 Thread Matt Hargraves

Technically, he could remove those group objects from having the ability to
manage whatever items.  Any user members of these groups could simply 'take
it back', but that requires a decent amount of knowledge.

My recommendation: Restrict those group memberships by GPO on the DC GPO.
This will end up with the user list being very small and the chance that
someone hacks both the group membership and goes to check and/or edit the
GPO in the time that it would take before the GPO refreshes on a DC (and
that change gets replicated out) to be relatively small. It's not
vanishingly small, but small enough to where it's a manageable risk, as
opposed to a non-manageable one.

The groups are there for very good reasons and some of the capabilities
can't be moved to another group without some serious work (if at all).
Basically, there has to be some form of 'emergency' fixing and lacking some
of these groups, you'd lose that capability, which might not seem important
until you need to have it, then you're in a world of hurt.



On 12/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:


 Not putting any users in the groups is basically the same effect as
removing them from an operational perspective.  If you don't have a user in
the group, nobody has the rights to change things that only these groups
have rights to.  That's probably what your mgmt wants to achieve.  You'd
then populate the groups on an as-needed basis to perform specific tasks.



The reason why you don't want to remove them (which you could technically)
is pretty easy: these groups are there for a purpose, i.e. they have been
granted specific rights in AD to perform special tasks. This includes schema
mgmt and administration of the config NC.  If you don't like the groups,
you'd have to ACL AD to allow another group to perform the tasks – doesn't
really make any sense ...



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of [EMAIL PROTECTED]
*Sent:* Friday, 22 December 2006 17:14
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Built in Security groups




Does anyone have a reference (preferably from MS) showing that you should
not remove the Built in Security groups such as Schema Admins, Enterprise
Admins, etc. It has come down from above that we should be removing these
groups and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel
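An added example, not from the thread, of the monitoring Matt and Guido point to instead of deleting the groups: a PowerShell membership snapshot and diff for the built-in privileged groups. It assumes the ActiveDirectory module and a hypothetical baseline file path, and complements rather than replaces a Restricted Groups GPO on the DCs.

```powershell
# Added example (not from the thread): instead of deleting the built-in groups,
# watch them. Snapshots the effective membership of the sensitive groups, flags
# adds/removals against the previous snapshot, and shows the protection bit
# joe mentions (isCriticalSystemObject). Assumes the ActiveDirectory module;
# the baseline path is a hypothetical location.
param([string]$BaselinePath = 'C:\AdAudit\privileged-groups.json')
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain;
# Get-ADGroup -Filter simply returns nothing for them elsewhere.
$watched = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators', 'Account Operators'

function Get-PrivilegedMembership {
    foreach ($name in $watched) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -Properties isCriticalSystemObject
        if (-not $grp) { continue }
        $direct = @(Get-ADGroupMember -Identity $grp)
        # -Recursive expands nested groups: this is the view an auditor sees
        # when "Administrators" appears to hold half the domain.
        $effective = @(Get-ADGroupMember -Identity $grp -Recursive |
                       Where-Object { $_.objectClass -ne 'group' } |
                       ForEach-Object { $_.SamAccountName } | Sort-Object -Unique)
        [pscustomobject]@{
            Group            = $grp.Name
            Protected        = [bool]$grp.isCriticalSystemObject   # TRUE: DC refuses deletion (ERROR_SPECIAL_ACCOUNT, 0x55B)
            NestedGroups     = @($direct | Where-Object { $_.objectClass -eq 'group' } | ForEach-Object { $_.Name })
            EffectiveMembers = $effective
        }
    }
}

function Compare-Membership {
    param($Baseline, $Current)
    foreach ($now in $Current) {
        $was = @($Baseline | Where-Object { $_.Group -eq $now.Group })
        $ref = if ($was) { @($was[0].EffectiveMembers) } else { @() }
        foreach ($m in $now.EffectiveMembers) { if ($m -notin $ref) { "$($now.Group): ADDED $m" } }
        foreach ($m in $ref) { if ($m -notin $now.EffectiveMembers) { "$($now.Group): REMOVED $m" } }
    }
}

$current = @(Get-PrivilegedMembership)
if (Test-Path $BaselinePath) {
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $changes  = @(Compare-Membership -Baseline $baseline -Current $current)
    if ($changes) { $changes | ForEach-Object { Write-Warning $_ } }
    else          { 'No privileged membership changes since last run.' }
} else {
    'First run: recording baseline.'
}

# Nested groups are the lever the thread's auditor tripped over: a group nested
# in Administrators makes every one of its members an effective admin.
$current |
    Select-Object Group, Protected,
        @{ n = 'Nested';    e = { $_.NestedGroups -join ', ' } },
        @{ n = 'Effective'; e = { $_.EffectiveMembers.Count } } |
    Format-Table -AutoSize
$current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
```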



Re: [ActiveDir] Strange Lock Out Issue

2006-12-18 Thread Matt . Duguid
Try this...

http://support.microsoft.com/kb/182918

Windows NT generates an account lockout event (Event ID: 539) on the
workstation where the failed logon attempts occurred if the audit policy on
that workstation enables auditing of failed logon/logoff events. However,
no event is logged at the domain controller. Administrators must search the
event logs of all client systems to locate the computer where the bad
password attempts originated.

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Salandra, Justin A. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 19/12/2006 08:34 a.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue


I have a user who is not logged in anywhere else and, while surfing the
web or accessing a program, is getting locked out of her account for no reason.
I have checked the logs on all three domain controllers and nothing is
showing a failed logon attempt or bad password. It doesn't even show when
the account got locked. Any ideas on how to rectify this?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]



Re: [ActiveDir] Bulk of client going to PDC

2006-12-03 Thread Matt Hargraves

I'm curious whether there is some consistency in the clients and whether
they're the latest version of the OS, what kind of DNS you have, WINS, etc

Also, you might want to look at your DHCP and see where the DNS server is
that the clients are bouncing against, but that doesn't seem to be the
issue, since it's not consistent (that's the thing that seems to be
strangest, that the issue seems to hop from site to site)

Probably the best place to start is to track back to when the issue started
and see if there were some changes that occurred around that time, whether it
be part of the physical network or something on the clients/servers


On 12/2/06, joe [EMAIL PROTECTED] wrote:


 I would recommend doing a trace of one of the problem clients logging on
and watch the whole referral process, etc. Actually I would probably just
turn on a sniffer and let it watch everything from one of those machines
from boot up for some time so you catch refreshes and everything else. At
least then you should be able to nail down whether the clients are being
referred to something incorrectly or they are off making their own incorrect
decisions.

 --
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Kamlesh Parmar
*Sent:* Saturday, December 02, 2006 1:55 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Bulk of client going to PDC

Yes checked the correct subnets are attached to correct sites.
All clients are connected via Ethernet 100/Full Duplex.

It's like a mass exodus of a swarm of computers going to the PDCe, and in turn
choking the WAN links.
It happens like once a day, and every day it would be a random site.

Have asked different site people to install netmon on some PCs and keep it
running..on Monday..hoping that one of those sites.. and in them.. one of
those PCs misbehaves.

Anything else, I should look at?

--
Kamlesh

On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote:

 Site definitions - are your site definitions up to date?

 How are your clients connected - Are they ethernet, 802.11x, tokenring,
 ??




 On 12/2/06, Kamlesh Parmar [EMAIL PROTECTED]  wrote:
 
  Am sorry, I didn't follow what you are asking.. could you be more
  specific.
 
  On 12/2/06, Al Mulnick [EMAIL PROTECTED]  wrote:
  
   How are your clients connected? Site definitions?
  
   On 12/1/06, Kamlesh Parmar [EMAIL PROTECTED]  wrote:
   
Appreciate the efforts taken.
   
AFAIK, this would be more of a DFS issue than authentication, as
clients are pulling policies and files from PDCe.
   
When I look into details of DFS link targets for sysvol or
netlogon, PDCe is listed as distance 9th in the list of servers which
clients should contact in case their primary link target failed.
   
And this happens so randomly, from clients that I am not able to
setup a network trace also.
   
   
--
Kamlesh
   
 On 12/1/06, Thomas Michael Heß [EMAIL PROTECTED]  wrote:

  Hi Kamlesh,



 first of all, I would enable the logging of the Netlogon Service.

 I've found an article in WindowsITPro:

 The Netlogon service is one of the key Local Security Authority (LSA)
 processes that run on every Windows domain controller. When you
 troubleshoot authentication problems, analyzing the Netlogon service log
 files can be useful. How do I turn Netlogon service logging on and off, and
 how do I analyze the content of the Netlogon log files?

 To turn on Netlogon service logging, type the following Nltest command at
 the command line:

 nltest /dbflag:2080

 Enabling Netlogon service logging requires that you restart the Netlogon
 service. To do so, use the Net Stop Netlogon and Net Start Netlogon
 commands. To disable Netlogon service logging, type:

 nltest /dbflag:0

 Then, restart the Netlogon service again. The Netlogon service stores log
 data in a special log file called netlogon.log, in the %Windir%\debug
 folder.

 Two utilities are useful in querying the Netlogon log files: Nlparse.exe
 and Findstr.exe. Nlparse.exe is a GUI tool that comes with Microsoft
 Account Lockout tools. You can download Account Lockout tools for free from
 the Microsoft Web site as part of the Account Lockout and Management Tools
 ALTools.exe file at
 http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en.
 Figure 1 (http://www.winnetmag.com/Files/42850/Figure_01.gif) shows the
 Nlparse GUI, which contains the most common Netlogon error codes and their
 meaning. Nlparse stores the output of its queries in two files in the
 %Windir%\debug folder: netlogon.log-out.scv and netlogon.log-summaryout.txt.
 . . .

 HtH

 Thomas
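An added example, not from either thread, that serves both the lockout question above (which workstation is sending the bad passwords, which the DC event log does not record) and the Netlogon logging advice here: a PowerShell parser for netlogon.log failure lines. The log lines in it are constructed samples, and the real-file path assumes the default %Windir%\debug location.

```powershell
# Added example (not from the thread): pull failed logons out of a DC's
# netlogon.log (produced with nltest /dbflag:2080) and group them by the
# workstation they came from, which is what KB 182918 says the DC event
# log will not tell you. The lines below are constructed samples in the
# netlogon.log layout, not real log data.
$sample = @'
12/18 08:31:02 [LOGON] [1840] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-17 (via DC01) Entered
12/18 08:31:02 [LOGON] [1840] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-17 (via DC01) Returns 0xC000006A
12/18 08:31:05 [LOGON] [1840] CORP: SamLogon: Network logon of CORP\jsmith from WKS-17 Returns 0xC000006A
12/18 08:31:09 [LOGON] [1840] CORP: SamLogon: Network logon of CORP\jsmith from WKS-17 Returns 0xC0000234
12/18 08:32:41 [LOGON] [1840] CORP: SamLogon: Network logon of CORP\abrown from WKS-04 Returns 0x0
'@ -split "`r?`n"

# NTSTATUS codes Netlogon reports; Nlparse shows the same table in its GUI.
$status = @{
    '0xC000006A' = 'wrong password'
    '0xC0000234' = 'account locked out'
    '0xC0000064' = 'no such user'
    '0xC0000072' = 'account disabled'
    '0xC000006F' = 'outside logon hours'
    '0xC0000071' = 'password expired'
}

function Get-NetlogonFailure {
    param([string[]]$Lines)
    # "Entered" lines are the request; only "Returns <code>" lines carry the verdict.
    $rx = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*logon of (?<user>\S+) from (?<src>\S+).*Returns (?<code>0x[0-9A-Fa-f]+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rx -and $Matches.code -ne '0x0') {
            [pscustomobject]@{
                Time   = $Matches.ts
                User   = $Matches.user
                Source = $Matches.src     # the workstation whose own Security log (event 539/529) to read next
                Code   = $Matches.code
                Reason = if ($status.ContainsKey($Matches.code)) { $status[$Matches.code] } else { 'see Nlparse table' }
            }
        }
    }
}

$failures = @(Get-NetlogonFailure -Lines $sample)
# Against a real DC: Get-NetlogonFailure -Lines (Get-Content "$env:WINDIR\debug\netlogon.log")

# Who is hammering whom: one source repeatedly failing for one account is the
# usual signature of a stale credential (mapped drive, scheduled task, cached
# web password) rather than a person typing.
$failures | Group-Object Source, User | Sort-Object Count -Descending |
    ForEach-Object { '{0,3} failures  {1}' -f $_.Count, $_.Name }
$failures | Format-Table Time, User, Source, Code, Reason -AutoSize
```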


  

Re: [ActiveDir] Script to delete unwanted profiles form desktop

2006-12-03 Thread Matt Hargraves

If you use roaming profiles it would be easier, as you can simply delete all
profiles on bootup/shutdown and it would still keep the 'owner' profile,
though if the computer is a laptop you wouldn't want that obviously



On 12/3/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:


 Check out delprof.exe. It's either in the reskit or part of support tools
or part of the OS, depending upon which version of the OS you have. You
would have to run it in a GPO-based computer startup script so that it runs
when no users are logged on.





Darren





*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Mohan Rajput
*Sent:* Sunday, December 03, 2006 4:30 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Script to delete unwanted profiles form desktop



Hi guys,



I need a Script, which deletes unwanted profiles from the desktops and I
need to run that script through Domain Policy for computers?

--
Thanks & Regards
Mohan Kumar
Mob:- (+91)981-195-7926
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Re: [ActiveDir] OT: Possessed PCs

2006-12-03 Thread Matt Hargraves

There are some wireless mice/keyboards that can potentially support hundreds
of non-interfering devices - if they want to have wireless, make them use
what has been 'approved' or nothing at all :)

On 12/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



Happens with my father and watches as well. The man cannot wear a watch
without it dying within weeks. But that's another story. If you can isolate
the symptoms to time of day or even the remote chance it's a bad ballast
(fluorescent lighting used to cause occasional problems with old CRTs), etc.
At least you can start to whittle things down a bit. But in this case it
sounds like RF overlap. Perhaps there is one mouse that is emitting too
strong a signal.

I was a bit thrown this morning though when I thought I read that this was
happening with corded devices as well.



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275






Re: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-03 Thread Matt Hargraves

You might want to set the account to have non-interactive rights, since I'm
assuming that it runs a service that actually handles all the changes - then
grant it membership within the Domain Admins group - that would fix the
issue once and for all, unless you've changed Domain Admins to not have the
ability to edit GPOs, though it's automatically granted every time a new GPO
is created, regardless of what permissions were before.



On 11/25/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:


 Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I
think the next step would be to check the perms on the various objects that
should get this right. Namely, the service account you're granting access to
should have the  Create GroupPolicyContainer right over the
cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies
folder, it should have Change rights over that container.



Darren





Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out
www.gpoguy.com -- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide
(http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155),
the definitive resource for Group Policy information.

Group Policy Management solutions at SDM Software (http://www.sdmsoftware.com/)







*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *
[EMAIL PROTECTED]
*Sent:* Friday, November 24, 2006 6:57 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Granting rights to 'Manage GPOs'



I am attempting to assign rights to a service account [sys-zzz], used by a
Group Policy Management tool (3rd party) so that the service account has the
necessary rights to 'manage' all GPOs in the domain.

Aside from app specific rights, I have assigned the following rights using
GPMC scripts [scripts shown below]:

1. Create/edit GPO links at the root of the domain and all child
containers
cscript %programfiles%\gpmc\scripts\SetSOMPermissions.wsf xxx.yyy xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain
cscript %programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf xxx\sys-zzz /Domain:xxx.yyy

3. Edit, delete and mod security rights to all existing GPOs in the domain
cscript %programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy



To cut a long story short, step 2 does not appear to grant the required
'create' right [GP mgmt tool complains of an access denied issue].
However, if I manually (using GPMC) add the service account to the list of
objects permitted to create GPOs in the domain [instead of using the script
in step 2], then the GP Management app functions fine.

Has anyone encountered similar issues? Are there newer versions of the
GPMC scripts? [I have GPMC with SP1]

Just to add to the strangeness of this issue, if I execute the same
scripts above but against a different domain (same service account) the 3rd
party app functions fine in that other domain :/

Any comments?

Thanks,
neil




[ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help..

- I can confirm we do not have an Enterprise Domain Controllers group in
any of the domains.

- I have found the following article
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf...
but this assumes we actually have the group "Enterprise Domain Controllers"
available. From further reading I see this group has a specific SID of
S-1-5-9, so I cannot simply create a new group.

- Does anyone have any idea how the group Enterprise Domain Controllers
can be recreated with the correct SID of S-1-5-9 so that we can run the
script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Hi there,

I read that in another article as well...

http://groups.google.co.nz/group/microsoft.public.windows.server.active_directory/browse_thread/thread/37eb3a91907d3f4e/4173fe072f7269b9?lnk=stq=The+Enterprise+Domain+Controllers+group+does+not+have+read+access+to+this+GPOrnum=2hl=en#4173fe072f7269b9

...but we have nothing under foreign security principals which matches the
SID we are after. Does anyone know how to create a group that uses a well
known SID or how this group is created initially so we can repeat the
process?

Thanks,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] ([EMAIL PROTECTED], sent by [EMAIL PROTECTED]) wrote on 22/11/2006 03:16 p.m. (To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Enterprise Domain Controllers group missing...):


View Advanced Features
Look in Foreign Security Principals, as I recall?

[EMAIL PROTECTED] wrote:
 - We recently upgraded the schema in one forest from Windows 2000 to
 Windows 2003.

 - We now receive the following error when trying to access group
policies,
 The Enterprise Domain Controllers group does not have read access to
this
 GPO. The Enterprise Domain Controllers group must have read access on all
 GPO's in the domain in order for Group Policy Modelling to function
 properly. To learn more about this issue and how you can correct it,
click
 Help..

 - I can confirm we do not have an Enterprise Domain Controllers group
in
 any of the domains.

 - I have found the following article 

http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true

  which shows how to fix the GPO issue using
 GrantPermissionOnAllGPOs.wsf...but this assumes we actually have the
 group  Enterprise Domain Controllers available. From further reading I
 see this group has a specific SID of S-1-5-9 so I can not simply create a
 new group.

 - Does anyone have any idea how the group Enterprise Domain Controllers
 can be recreated with the correct SID of S-1-5-9 so that we can run the
 script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

 Thanks in advance,

 Matt Duguid
 Systems Engineer for Identity Services
 Department of Internal Affairs

 Phone: +64 4 4748028 (wellington)
 Mobile: +64 21 1713290
 Fax: +64 4 4748894
 Address: Level 4, 47 Boulcott Street, Wellington CBD
 E-mail: [EMAIL PROTECTED]
 Web: http://www.dia.govt.nz/




--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
;-) Yip, sure did... sorry, I should have elaborated further.

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Akomolafe, Deji ([EMAIL PROTECTED], sent by [EMAIL PROTECTED]) wrote on 22/11/2006 03:26 p.m. (To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...):


 I can confirm we do not have an Enterprise Domain Controllers group in
 any of the domains.

Really? How did you confirm that? In ADUC (with Advanced Features enabled
in View) and doing a custom search for enterprise, simply looking in the
Foreign Security Principals containers?


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Awesome, thanks, will check it out... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Steve Linehan ([EMAIL PROTECTED], sent by [EMAIL PROTECTED]) wrote on 22/11/2006 03:17 p.m. (To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...):


You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or
added Windows Server 2003 box.  When a Windows Server 2003 box takes over
the PDC Emulator FSMO role it will create these new security principals.
This is documented under the section titled Windows Server 2003 Well Known
Security Principals in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Hi there,

I finally found out where this group was... it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Steve Linehan ([EMAIL PROTECTED], sent by [EMAIL PROTECTED]) wrote on 22/11/2006 03:33 p.m. (To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...):


Sorry, read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of the Windows
Authorization Access group after the PDC upgrade. You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


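The thread's conclusion is that Enterprise Domain Controllers is a well-known SID (S-1-5-9) rather than a group object you could recreate, and that the real fix is giving that SID Read on every GPO. The following PowerShell audit is an added example, not code from the thread and not Microsoft's GrantPermissionOnAllGPOs.wsf; it assumes a domain-joined Windows host, an account allowed to read (and, with the switch named -Fix here, write) GPO security descriptors, and only the System.DirectoryServices .NET classes, so no GPMC module is needed.

```powershell
<#
Added example (not from the thread): audit every GPO container in the domain
for an Allow/Read ACE granted to the well-known SID S-1-5-9 (Enterprise Domain
Controllers), which is the condition Group Policy Modelling complains about.
Assumptions: domain-joined host; caller can read (and with -Fix, write) GPO
security descriptors; -Fix is a switch name chosen for this example.
#>
param(
    [switch]$Fix   # default is report-only; -Fix adds the missing Read ACE
)

$edcSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-9'

# S-1-5-9 is defined by Windows itself, not stored as a group object in the
# domain partition, which is why it never shows up in ADUC or under
# ForeignSecurityPrincipals. Its name resolves locally, with no LDAP lookup.
$edcName = $edcSid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Auditing GPO read access for $edcName ($($edcSid.Value))"

$rootDse  = [adsi]'LDAP://RootDSE'
$policies = [adsi]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
$searcher.Filter   = '(objectClass=groupPolicyContainer)'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('displayName')

# "Read" on the GPO container is satisfied either by the generic right
# GenericRead or by the expanded set ReadProperty + ListChildren + ReadControl.
$R           = [System.DirectoryServices.ActiveDirectoryRights]
$genericRead = [int]$R::GenericRead
$readMask    = [int]($R::ReadProperty -bor $R::ListChildren -bor $R::ReadControl)

function Test-EdcReadAccess {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Ask for identities as raw SIDs so the check never depends on name translation.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($rule.IdentityReference.Value -ne $edcSid.Value) { continue }
        $rights = [int]$rule.ActiveDirectoryRights
        if ((($rights -band $genericRead) -ne 0) -or (($rights -band $readMask) -eq $readMask)) {
            return $true
        }
    }
    return $false
}

$missing = @()
foreach ($result in $searcher.FindAll()) {
    $gpo  = $result.GetDirectoryEntry()
    $name = $result.Properties['displayname'][0]
    if (Test-EdcReadAccess -Acl $gpo.ObjectSecurity) {
        Write-Host "OK       $name"
        continue
    }
    $missing += $name
    Write-Warning "MISSING  $name  ($($gpo.Properties['distinguishedName'].Value))"
    if ($Fix) {
        # Same effect on the AD side as GrantPermissionOnAllGPOs.wsf: add an
        # Allow/GenericRead ACE for S-1-5-9 on this GPO container.
        $allow = [System.Security.AccessControl.AccessControlType]::Allow
        $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $edcSid, $R::GenericRead, $allow
        $gpo.ObjectSecurity.AddAccessRule($rule)
        $gpo.CommitChanges()
        Write-Host "FIXED    $name"
    }
}
Write-Host "$($missing.Count) GPO(s) lacked Read access for $edcName."
```

This inspects only the directory half of each GPO; the GPO's SYSVOL folder carries its own ACL that the same SID must also be able to read, so run it in report-only mode first and compare with what GPMC reports.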

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Then correct it so people can learn rather than simply point out that it's
wrong, which really gets no one anywhere...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Akomolafe, Deji ([EMAIL PROTECTED], sent by [EMAIL PROTECTED]) wrote on 22/11/2006 07:12 p.m. (To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...):


 It's not viewable/searchable under ADUC even with advanced features turned on

That is an incorrect statement.

Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


[ActiveDir] Matt Duguid/DIA is out of the office.

2006-11-13 Thread Matt . Duguid

I will be out of the office starting 13/11/2006 and will not return until
17/11/2006.

Hi there,

I am away from the office this week on training and will be back on Monday
20/05/2006.

In my absence please contact either Sean White/Michael Chen or the Helpdesk
on x8081.

Thanks,
Matt D



Re: [ActiveDir] Security-enable all your distribution lists?

2006-11-07 Thread Matt Hargraves
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.
Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around, mail-enable a small portion of your security groups and have the users pick which ones while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good of care of them before). If you make sure that the DLs that stay DLs have something in the name that designate them as a DL, it will make it easier.
That being said, data on a share is no less sensitive than data in an e-mail. Companies lose secrets in e-mails, get sued because of what has been said in an e-mail. The fact that the majority of us sit here going NO!! NOT MY SECURITY GROUPS!!! DON'T LET THEM HAVE SECURITY GROUPS tells me that, regardless of the fact that 99% of all leaks occur through e-mail, we still don't 'get it' that e-mail is where most of this information sneaks between the cracks and it's not the 'grunts' that have the patent-holding information, it's the higher-up muckity mucks that are leaking data (SEC sensitive information most of the time).
But to summarize - I'd recommend that you don't change the role of your DLs, but change the role of your security groups to fulfill this new need. Then you're not granting access to data based upon pre-existing groups that don't have access to data, you're simply allowing groups that already have access to data to fulfill an additional task. Mail exclusive DLs serve a number of purposes, one of them being to keep the higher-up muckity mucks out of the data that there is a *very* good chance that they don't understand anyway, but still allow them to be 'in the loop' on information that they do understand (well, kinda anyway).
On 10/27/06, Al Mulnick [EMAIL PROTECTED] wrote:
Assume. Hmm.. That's been overdone so I'll pass this time :)
Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept.
That's me though. I'm not your user.
On 10/27/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only no, but hell no! to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled.


And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: Do I want everyone in this group to get this mail | have this access?

- Harvey
On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:
My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. 
Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases. 
I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. 
TokenBloat is not the only concern you have here, Harvey. 

On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.

We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to Sharepoint. 



Re: [ActiveDir] Security-enable all your distribution lists?

2006-11-07 Thread Matt Hargraves
I can understand your arguments, but the larger the organization, the more likelihood that the groups are controlled by users (in one way or another) anyway. When you've got 100k groups, you have someone listed as a group owner or someone authorized to approve new members of the group and the only people who even know what the group is for are either members of that group or in the direct management chain - definitely not the IT people who 'manage' the groups.
Even with smaller organizations, are the IT people the ones who should be saying who needs to have access to the CFOs information or should it be the CFO? Just to be honest, there are a lot of areas within a company that the IT people aren't qualified enough to even hazard a guess as to who should and shouldn't have access to.
I think that the biggest difference between security-enabling distribution lists and enabling mail on security lists is the way that users think of them. The same people are managing them and if they're going to screw up their security in a DL, they're probably going to screw it up by rubber-stamp approvals too. The Security groups that you enable mail on aren't going to be big mail usage lists and the distribution lists aren't going to be used 90% of the time for security. Personally, I'd rather keep mail/security hybrids to the RBS groups and avoid it for the ABS (access/task-based security) groups. If someone wants to enable his/her ABS group for mail though, I'm not one to say what they can/can't do with their group/data. This way, your RBS groups have a built-in e-mail group to communicate with, but the mail/security overlap isn't so extreme that your company's security is a nightmarish web of DL/security groups.
One important thing though, your privileged groups that grant special access to servers should always be managed by the IT persons, never let them turn into a mail-enabled security group.
On 11/7/06, Al Mulnick [EMAIL PROTECTED] wrote:
You do make a strong argument, but I'm not sold. The part I can't get past is that the users have the control over adding a sec-prin to be able to pull the data. Vs. pushing the protected data via email. The subtlety is important in my opinion. 
The only issue I have with the convenience of adding users to sec-enabled-dg's is the lack of controls to prevent the mis-use (either intentional or unintentional). Outside of that, I'm all for the concept. :)

Re: [ActiveDir] OT: Exchange Question

2006-11-07 Thread Matt Hargraves
Can't remember offhand if you can do this on a per-site basis or not, but you might be able to stick them in a site and have that site set to a max of 1MB e-mail, then the only way that they'll receive any e-mail is if they delete everything.
On 11/7/06, Navroz Shariff [EMAIL PROTECTED] wrote:

Apologies if this has already been answered; cleaning out my mailbox ;-)

Larry, you can use the ADUC and Exchange tools where you will find the 'Exchange General' tab. From there, you can fine tune the account for delivery restrictions.

-Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Wahlers
Sent: Wednesday, November 01, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Question

And, you can even turn the mailbox into a honeypot of sorts, by logging into it via Outlook and creating a rule that deletes all email sent to it!

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Comeau
Sent: Wednesday, November 01, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Question

You can also make their incoming email addresses something obnoxious.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daash, Amr
Sent: Wednesday, November 01, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Question

Well, there are a lot of things that could be done:

1- You can modify the user delivery restriction tab.

2- You can create a security group, add the user names to this group, then open the ESM, navigate to your default SMTP virtual server's Access tab, then authentication, and add the group you created.

The job now is done.

Amr EL Daash
System Administrator, ITS Egypt
KPMG Egypt, Hazem Hassan
Pyramid Heights Office Park
Km22 Cairo-Alex Desert Road, Giza
Egypt
Tel +20 (2)536 22 00 / 11
Fax +20 (2)536 23 01 / 05
Mobile +20 (10) 1925369
Email: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, November 01, 2006 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Question

I have a client who would like certain users to no longer receive e-mail, while still being able to access their mailboxes. Is there a way to do this other than exporting their mailbox to PST and mailbox-disabling the users?

Thank you in advance,
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

Re: [ActiveDir] problem in changing the default password setting

2006-11-07 Thread Matt Hargraves
Password policies only work from the domain level and are ignored at all other OU levels. If you want this to be in effect, add that setting into the domain-level GPO; if you don't want it set for everyone in the organization, accept that you're going to have to do it manually (or with a script) on the user objects within the appropriate OU.
On 11/6/06, Sri [EMAIL PROTECTED] wrote:
Hi List, I am using AD on Win2k3 server. I have a requirement to disable the option "User must change password at next login" while adding a user to AD from the AD Users & Computers console, and to enable the "password never expires" checkbox.
While adding a user to a container, "User must change password at next login" is checked by default. To disable this option, the command-line option -pwdneverexpires yes is working from the AD machine's cmd prompt.
To do the same from the AD U & C console, I created a group policy and set the max and min password ages in Account Settings -- password policies. But still the option "User must change password at next login" is checked, and "password never expires" is not checked.
Pls help me in this.
Thanks in Advance.
Sri



Re: [ActiveDir] list lastlogontime for every user script

2006-10-26 Thread Matt . Duguid
I have one that I have coded and I have sent it to your email address. You
can modify it easily to email you.

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Ramon Linan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 27/10/2006 09:59 a.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] list lastlogontime for every user script


Hi,

I am trying to do a script or something that will list lastlogontime for
all users so I can receive an email when someone has not used the account
for more than 30 days.

I have seen a couple of examples of half-built scripts that don't work; I
get lost when they start dealing with converting the number to a
date...

Does anyone have a script that will do something similar? Does joeware have something
similar?

Thanks

Ramon


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
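As an added example (not the script Matt sent, and not part of the original thread), here is the conversion step Ramon got stuck on: lastLogonTimestamp and pwdLastSet are Windows FILETIME values, a count of 100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning "never". The block runs over a constructed set of user records (hypothetical names and dates) and reports enabled accounts idle for more than 30 days; it also decodes the userAccountControl bits behind the "Account is disabled" and "Password never expires" checkboxes and the pwdLastSet = 0 meaning of "User must change password at next logon" asked about in the password-policy thread above.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp / pwdLastSet as a Windows FILETIME: the number
# of 100-nanosecond ticks since 1601-01-01 00:00 UTC, with 0 meaning "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# userAccountControl bits behind two checkboxes in AD Users & Computers
UF_ACCOUNTDISABLE = 0x0002        # "Account is disabled"
UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"


def filetime_to_datetime(filetime):
    """Convert a FILETIME (int, or the string LDAP returns) to an aware UTC
    datetime; None for 0, which AD uses for 'never logged on'."""
    ticks = int(filetime)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the sample data."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def stale_accounts(users, now, max_idle_days=30):
    """Report enabled accounts whose last logon is older than max_idle_days
    (or that never logged on). Already-disabled accounts are skipped: they
    are the expected end state, not something to alert on again."""
    cutoff = now - timedelta(days=max_idle_days)
    report = []
    for user in users:
        uac = int(user["userAccountControl"])
        if uac & UF_ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(user["lastLogonTimestamp"])
        if last is not None and last >= cutoff:
            continue
        report.append({
            "sAMAccountName": user["sAMAccountName"],
            "lastLogon": last.isoformat() if last else "never",
            "idleDays": (now - last).days if last else None,
            "passwordNeverExpires": bool(uac & UF_DONT_EXPIRE_PASSWD),
            # pwdLastSet of 0 is how AD records "User must change password
            # at next logon"; the checkbox is cleared by writing -1.
            "mustChangePassword": int(user["pwdLastSet"]) == 0,
        })
    return report


# Constructed sample: what an LDAP search for these four attributes might
# return on the day of the post. Caveat: lastLogonTimestamp replicates between
# DCs but is only refreshed when the stored value is more than ~14 days old,
# so it is accurate to about two weeks; lastLogon is exact but per-DC.
NOW = datetime(2006, 10, 27, 9, 59, tzinfo=timezone.utc)


def make_user(name, last_logon, uac, pwd_last_set=None):
    pls = NOW - timedelta(days=60) if pwd_last_set is None else pwd_last_set
    return {
        "sAMAccountName": name,
        "lastLogonTimestamp": datetime_to_filetime(last_logon) if last_logon else 0,
        "userAccountControl": uac,
        "pwdLastSet": datetime_to_filetime(pls) if pls else 0,
    }


SAMPLE_USERS = [
    make_user("alice", NOW - timedelta(days=5), 0x200),                        # active
    make_user("bob", NOW - timedelta(days=45), 0x200 | UF_DONT_EXPIRE_PASSWD),  # idle
    make_user("svc-backup", None, 0x200, pwd_last_set=0),                       # never logged on
    make_user("carol", NOW - timedelta(days=90), 0x200 | UF_ACCOUNTDISABLE),    # already disabled
]

if __name__ == "__main__":
    for row in stale_accounts(SAMPLE_USERS, NOW):
        print(row)
```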


Re: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Matt
You can also use a VBScript from the Script Center URL below and follow the path below the URL.
http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true
Script Center Home
  Script Repository
  Active Directory
  Groups

tnx
mm

On 10/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

http://www.joeware.net/win/free/tools/memberof.htm

I don't believe there's any builtin
tool that will provide this information.
Thanks,
Andrew Fidel


Michael B Allen [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/25/2006 12:46 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list
what groups they're in?

Specifically I'd like the user to be able to just type a command like
'net user list groups' or some such and get a list of NT Account names
for tokenGroups.

Or if there is a dialog somewhere that's good too.

Ideas?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Blocking IE7

2006-10-20 Thread Matt Hargraves
You could be correct, it's been about 7 or 8 years since I worked with government institutions. I know that for K12 they were able to filter, but he's at a university and I didn't notice until later that it's (probably) a private institution that probably doesn't get money from the federal government. I know that when I worked for a library though, they were not able to filter at all (I asked what software they used and they said that they couldn't filter because they received government funds). I assume that it's the same at a university, where everyone is expected to be an adult. Again though, he appears to be at a private institution, where those rules wouldn't apply.
On 10/19/06, Brian Desmond [EMAIL PROTECTED] wrote:

You might want to check on that again. To even qualify for erate funds as a K12 you need to be doing web content filtering.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, October 19, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Blocking IE7

I believe that disabling the Automatic Updates service via GPO will block them from installing it, not 100% sure though.

Since you're in an educational environment, things can be a little dicey there. You can't restrict the internet (government funds thing) and I don't know offhand whether the IE7 installs through Windows Update are running as Local System or as the user that is logged in. If it's running as the user account, you can simply deny them the right to install software, but if it's running as the local System, things are a little more ugly.

On 10/19/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I see how to block IE7 from deploying through WSUS, but what I don't see is a way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP. What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University


Re: [ActiveDir] Blocking IE7

2006-10-19 Thread Matt Hargraves
I believe that disabling the Automatic Updates service via GPO will block them from installing it, not 100% sure though.

Since you're in an educational environment, things can be a little dicey there. You can't restrict the internet (government funds thing) and I don't know offhand whether the IE7 installs through Windows Update are running as Local System or as the user that is logged in. If it's running as the user account, you can simply deny them the right to install software, but if it's running as the local System, things are a little more ugly.
On 10/19/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I see how to block IE7 from deploying through WSUS, but what I don't see is a way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP. What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University


[ActiveDir] ADAM / AD Sync

2006-10-19 Thread Matt Brown
Hi,

I have an Active Directory environment with an account for all my users. I
am also in the process of setting up ADAM to store more information about
those users and have an X.500 style DN. I would like to be able to use some
sort of pass-through authentication to Active Directory; is this possible,
and if so, how?

What I'm trying to do is set it up so that if somebody tries to authenticate
to the ADAM LDAP it passes authentication to the Active Directory servers.

Thanks,
--
Matt Brown
Information Technology System Specialist V
Eastern Washington University


Re: [ActiveDir] I'm shareing the Best Kept Secret I know.

2006-10-18 Thread Matt Hargraves
See, after being married, I have found a few things are consistent:
1) You are always wrong.
2) If you think you might say something the wrong way, then it's DEFINITELY going to go badly - VERY badly.
3) Always assume that she didn't mean it in the horrible way she phrased it.
4) She will always assume that you meant it in a much worse way than how you phrased it.
5) You will hear about your mistakes for years, so try not to make any of them.
6) You're mean, she's just upset.
7) Those aren't rhetorical questions, she really does want an answer.
8) Logic is your way of saying that she's stupid.
9) Pointing out inconsistencies between actions and statements is just changing the subject.
10) No matter how much empirical evidence backs you up, see rule #1.

On 10/17/06, Daniel Gilbert [EMAIL PROTECTED] wrote:
Something tells me you should be ducking and running

-----Original Message-----
Subject: [ActiveDir] I'm shareing the Best Kept Secret I know.
From: Fleming, Dave (DotComm) [EMAIL PROTECTED]
Date: Tue, October 17, 2006 6:29 am
To:

Top Ten Things Men Understand About Women
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Dave Fleming
Network Administrator
Douglas-Omaha Technology Commission
408 So. 18th St.
Omaha NE 68102
[EMAIL PROTECTED]
(402) 444-6290



Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Matt Hargraves
I read this and all I can think is that something happened to your Terminal Server mode on this server. Sometimes settings get changed when you install a security patch; you might want to verify your TS settings and make sure that it's in application mode (non-app mode means that only admins can connect). Also, go into Terminal Services Configuration and make sure that RDP isn't restricted to the local Administrators group.
Is there anything else special about this server? Is it a DC? Does it have Exchange or something else installed on it?

On 10/17/06, Technical Support [EMAIL PROTECTED] wrote:
Hi,

I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server; the error is "The remote computer has ended the connection." However, if I am using mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only the admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize things.

Thanks!!!
Ravi




Re: [ActiveDir] Seperating Database and logs on seperate disks

2006-10-16 Thread Matt Hargraves
Yeah, just to be honest, as long as you have 3+ DCs, there isn't much reason not to do it though. Even if you lose one, you just rebuild it and repromote it - never restore btw - that can make all kinds of messy issues about replication show up that nobody wants to deal with.
On 10/16/06, Brian Desmond [EMAIL PROTECTED] wrote:
No not that I can think of. If one raid group fails and corrupts the data you're still screwed so it's not going to save you there.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of AD
Sent: Monday, October 16, 2006 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating Database and logs on seperate disks

Is there any other reason other than performance to have the Active Directory log files and database on separate disks?
Opinions are welcome.

Thanks
Yves



[ActiveDir] Account becomes disabled by DCs when it logs in.

2006-10-10 Thread Matt Hargraves
This is a non-interactive account, but when the service that uses the account goes to log in to the PDC emulators, the account gets deleted. This is only happening to 1 account; we have deleted and recreated the account, have created a new account with the same name (and rights) after renaming the old account, and no matter what we do, the account (call it disableduser for simplicity's sake) gets disabled every time it tries to do what it does. Oh yeah, the account was running for well over a year without a problem.
The PDC emulators are Win2k running in a 2003 mixed mode environment (our backup and auditing tools don't support our 64-bit 2003 DCs yet, waiting on those to be updated before moving the roles over to a 2003 DC) and the GPOs on the Domain Controllers OU haven't changed in quite some time (or at the domain level). The account hasn't expired and every time the account logs in (non-interactively), the DC Service account (servername$) disables the account with a 642 event and *not* a 629 event.

I've banged my head against this for a day or so and figured I'd fire off something here before calling MS. This is a service-type account and changing the name would take a lot of time adjusting the environment to reflect the new name. Is there some MS patch that might be biting us in the rear that may have been applied in the last 2-3 weeks? I'm just kinda baffled on this, never seen a DC disable an account for apparently no reason.
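As an added example (not from the thread), here is how a defender can correlate the two Windows 2000/2003 security events that record an account being disabled: 629 "User Account Disabled" and 642 "User Account Changed", the latter covering a userAccountControl change that sets the disable bit. The records below are a constructed, simplified rendering of the fields those events carry (subject, target, the DC that logged them), not verbatim event-log text; the account and DC names are hypothetical.

```python
# Windows 2000/2003 security audit event IDs involved in the thread
EVENT_USER_ACCOUNT_CHANGED = 642   # generic attribute change, incl. the UAC disable bit
EVENT_USER_ACCOUNT_DISABLED = 629  # the explicit "User Account Disabled" event


def is_machine_account(name):
    """Computer accounts end in '$'. A DC's own account as the subject means
    the change was made by something running as LocalSystem on that DC
    (a service, scheduled task or agent), not by an interactive admin."""
    return name.endswith("$")


def disabling_events(records, target):
    """Return every record that disabled `target`, whichever event ID the DC
    used: 629 always means disabled; 642 only when its UAC change did."""
    hits = []
    for rec in records:
        if rec["target"].lower() != target.lower():
            continue
        if rec["event_id"] == EVENT_USER_ACCOUNT_DISABLED or (
            rec["event_id"] == EVENT_USER_ACCOUNT_CHANGED and rec.get("uac_disabled")
        ):
            hits.append({
                "time": rec["time"],
                "event_id": rec["event_id"],
                "dc": rec["dc"],
                "subject": rec["subject"],
                "by_machine_account": is_machine_account(rec["subject"]),
            })
    return hits


def suspect_dcs(records, target):
    """DCs whose own computer account disabled `target`: the place to start
    looking at which local service (the backup/auditing tools mentioned in
    the thread, for instance) touches the account."""
    return sorted({
        h["dc"] for h in disabling_events(records, target) if h["by_machine_account"]
    })


# Constructed sample log (simplified event fields, hypothetical names)
SAMPLE_RECORDS = [
    {"time": "2006-10-10 02:00:03", "event_id": 642, "dc": "PDC01",
     "subject": "PDC01$", "target": "disableduser", "uac_disabled": True},
    {"time": "2006-10-10 02:00:04", "event_id": 642, "dc": "PDC01",
     "subject": "PDC01$", "target": "otheruser", "uac_disabled": False},  # e.g. description edit
    {"time": "2006-10-10 08:15:00", "event_id": 629, "dc": "DC02",
     "subject": "jdoe", "target": "contractor7"},
    {"time": "2006-10-11 02:00:02", "event_id": 642, "dc": "PDC02",
     "subject": "PDC02$", "target": "disableduser", "uac_disabled": True},
]

if __name__ == "__main__":
    for hit in disabling_events(SAMPLE_RECORDS, "disableduser"):
        print(hit)
    print("DCs to inspect:", suspect_dcs(SAMPLE_RECORDS, "disableduser"))
```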



Re: [ActiveDir] RealVNC removal

2006-10-09 Thread Matt Hargraves
I'd go with just disabling the service and setting it so that only Domain Admins and System can even manage and/or see the service. This is a 10-minute solution, whereas the others could take quite a bit of time to research how to do correctly.
On 10/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Return Receipt
Your document: RE: [ActiveDir] RealVNC removal
was received by: Justin Leney/US/DCI
at: 10/02/2006 04:08:38 PM


Re: [ActiveDir] ip problem

2006-10-08 Thread Matt Hargraves
There's any number of 'easy' problems that you could be running into.
1) Your router isn't set as the default gateway.
2) Your router's routing table is messed up.
3) You've got your network all messed up (example, you're trying to route to/from a 83.161.118.x/24 subnet to your 83.161.118.XXX/28 address)

If your problem is #1 then you need to set your router as the default gateway and it *should* fix your problem.

If your problem is #2, then you need to fix the routing table to have your local subnet routed to the internal port and everything else routed to the external port (and whatever the IP address of what it's connected to).

If your problem is #3, then you need to fix your 2 subnets. It sounds like you've got a Class A overall (or are part of a Class A); you need to make sure that whatever you're connected to on the other side has its routing tables and subnet correct or it won't be able to connect to you. If you're talking from a 83.161.118.XXX/28 network to a 83.161.118.XXX/24 network then what you're running into is that the /24 side won't route to you because they think your addresses are on the LAN (no need to route anything on a LAN). I'm not a router guru though, there might be ways to set this up on your router so that it will route, though I'm not thinking that's the case, as I don't think that a client tries to go to the default gateway unless something isn't on the local subnet.

As others alluded, it could also be a proxy/firewall issue. If your firewall and/or proxy are set to block ping/tracert, then you won't see it. If you don't have the ACLs set right, you won't get in or out (possibly). If you're going from a trusted network to a trusted network, then you need to make sure you've got everything set up appropriately. If you're not, it may be that you need to set up a DMZ (where your proxy/firewall go usually and maybe a web/e-mail server) and then set up certain protocols to pass to other addresses.

If all of these addresses are config'd on your side (you own the 83.x.x.x A class), then I'd bet that it's either #2 or #3. If you got your /28 subnet from an ISP, then I'd bet the problem is at your firewall/router (#1 or bad/missing ACLs on your proxy/firewall).

On 10/8/06, Quatro Info [EMAIL PROTECTED] wrote:
There is a router: funkwerk bintec r1200. All properly configured through an external company. What do you mean by layer 3 domains?
Gr. J

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, 9 October 2006 5:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ip problem

Well you need a router to cross subnets ... routers connect layer 3 domains. I'm not sure if you're expecting this to be classfully routed or something ... the Internet hasn't worked that way for a very long time.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Quatro Info
Sent: Sunday, October 08, 2006 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ip problem

Hi all,

I have a weird issue, which seems a mask problem. I have a routed subnet at 83.161.118.XXX range, with a subnet 255.255.255.240, 16 ip addresses. Problem is that I can't connect to this 83 range from the outside from a same 83 address like 83.98.244.148. Furthermore I can't connect from this same 83 address to an external 83 address. So both ways is locked. Tried changing all subnets in every which way but no result.

You folks got a clue? All input is appreciated.

Thx
Jorre
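As an added example (not from the thread), the block below reproduces the decision behind Matt's case #3: a host only hands a packet to its default gateway when the destination falls outside its own subnet, so a peer configured with a /24 mask on a different segment "ARPs" for a /28 address instead of routing to it. All addresses are constructed; the /28 block is chosen inside the 83.161.118.x range from the thread, and the 255.255.255.240 mask and 83.98.244.148 peer are the ones Jorre quoted.

```python
import ipaddress


def prefix_len_from_mask(mask):
    """255.255.255.240 -> 28 (ipaddress accepts dotted netmasks)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_size(mask):
    """Number of addresses in a subnet with this mask (16 for /28)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").num_addresses


def next_hop(local_ip, prefix_len, gateway, dst_ip):
    """How a host configured as local_ip/prefix_len reaches dst_ip: 'direct'
    (it resolves the MAC on its own segment) when dst_ip falls inside its
    subnet, otherwise it forwards to its default gateway."""
    local_net = ipaddress.ip_interface(f"{local_ip}/{prefix_len}").network
    if ipaddress.ip_address(dst_ip) in local_net:
        return "direct"
    return gateway


def reachability(host_a, host_b):
    """host = (ip, prefix_len, gateway). Returns the next hop each side uses
    for the other. One side answering 'direct' while the other routes means
    the 'direct' side never gives the packet to a router, so that direction
    of the conversation fails: the one-way symptom in the thread."""
    a_ip, a_len, a_gw = host_a
    b_ip, b_len, b_gw = host_b
    return {
        "a_to_b": next_hop(a_ip, a_len, a_gw, b_ip),
        "b_to_a": next_hop(b_ip, b_len, b_gw, a_ip),
    }


# Constructed: the routed /28 (83.161.118.128/28 here), gateway at .129
SITE = ("83.161.118.130", prefix_len_from_mask("255.255.255.240"), "83.161.118.129")
# Constructed: a peer on another segment that wrongly treats the whole
# 83.161.118.0/24 as its LAN (Matt's case #3)
MISCONFIGURED_PEER = ("83.161.118.200", 24, "83.161.118.1")
# Constructed: the outside 83.98.244.148 host with a sane /24 mask. Both sides
# route, so the mask is not the problem for that pair and the routers and
# ACLs (cases #1 and #2) are where to look.
REMOTE_PEER = ("83.98.244.148", 24, "83.98.244.1")

if __name__ == "__main__":
    print("/28 block size:", subnet_size("255.255.255.240"))
    print("mask mismatch:", reachability(SITE, MISCONFIGURED_PEER))
    print("remote peer:  ", reachability(SITE, REMOTE_PEER))
```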


Re: [ActiveDir] ip problem

2006-10-08 Thread Matt Hargraves
Oh yeah, if you're getting your IP addresses from an ISP, it could very well be #2. That's where I'd start either way, make sure that the routing tables are setup correctly on your router. Your ISP (or someone who knows what they're doing on the other side) should be able to verify that they can ping the backside address on your router (usually a 
10.x.x.x address) from their router (and vice-versa). If they can, and a tracert to one of the addresses on the other side of the 83.161.118.XXX Class C stops at your router, then odds on are that your routing table is messed up or that theirs is.




Re: [ActiveDir] OT: wikis

2006-10-08 Thread Matt Hargraves
I wonder if you realize that what you posted was incorrect:
1 (-1+1) (-1+1) ...
turns into:
1*0*0*0
So in the end 0 = 0 :)

On 10/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Very good altho dividing by zero (last step) is not permitted and (as per the below) causes an issue if permitted.

How about this:
(1-1) + (1-1) + (1-1) + ... = 0
Re-write left hand side by moving brackets one place to the right:
1 (-1+1) (-1+1) ...
Or simplified:
1 + 0 + 0 + ... = 1
So 1 = 0 !

neil

PS Glad to see I managed to get the list talking about stuff other than IT/Windows/AD/Exch/Jet/ESE...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm

a = x             [true for some a's and x's]
a+a = a+x         [add a to both sides]
2a = a+x          [a+a = 2a]
2a-2x = a+x-2x    [subtract 2x from both sides]
2(a-x) = a+x-2x   [2a-2x = 2(a-x)]
2(a-x) = a-x      [x-2x = -x]
2 = 1             [divide both sides by a-x]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class or maybe it was higher throwing a proof up on the board showing that 1 + 1 != 2 and it wasn't a numerical base trick. I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class as the sights were easier on the eyes...

I still wonder why I went into a field with such a high ratio of men to women... :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :)
Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it.

I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.



Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-07 Thread Matt Hargraves
Security a goal? It's more of a journey where the destination is we didn't get hacked this week (month/year)BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server.
I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was), in fact, I've set up my sister/brother-in-law's network with an SBS box. Of course, they don't have 500+ users, they have 4. It's a matter of scale I guess.
On 10/6/06, Al Mulnick [EMAIL PROTECTED] wrote:
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)

Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not.SBS exists because it makes more economic sense thanmom's75 person company buying one server per person to run Microsoft software. It's still aFrankensteinin myopinion. I have a slanted view of course, but I alsoknow some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena.


Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those picturesdown beforeI got to it darn it. I bet they were some good ones ;)


Steve, I suggested the othertools because you need an accurate and up to date picture of what's going on. Sites andServices is not going to give you what you need in thiscase. Use ADUC and use the other tools I mentioned.


Oh, and don't worry about those on*this* list when it comes to sending yourcompany's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy.


If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please giveMicrosoft support a call else find somebody who's more familiarwith AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though


Al


On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well.

As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of disk space.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P ) (Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah next they'll be SBS servers being installed there. (For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:

I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next. BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught

Re: [ActiveDir] Assign User rights overs computers with AD

2006-10-06 Thread Matt Hargraves
Just to cover some things: GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to computer objects within that OU, user settings only apply to users within that OU (again, excepting loopback processing within that GPO). This is one of the big reasons why people usually only put computer *or* user objects within a particular OU. It allows you to disable the portion of the GPO that isn't going to get applied to the objects within the OU (disable user settings on GPOs for computer OUs - unless you're using loopback processing and disable computer settings for GPOs on user OUs). There's really no reason to have a computer downloading user settings when it's not necessary and vice-versa.
This way, you end up with managing your computer settings separately from your user settings. Common computer settings: Disabling security-related settings, adjusting auditing (event logs, etc) ACLing directories. Common user settings: Setting environmental variables (default home page, home directory, application settings like Office settings, etc...). Usually the only time you want to put user settings on a computer OU (and enable loopback processing) is for kiosk type computers and then you probably want to make sure that you do something to make sure that it doesn't apply for Administrators. It's usually easier to put these settings on an OU for accounts that will be used for that type of workstation though, so you don't have to worry about loopback.
As many other people stated though, trying to restrict administrators on workstations will as often as not end up with a series of headaches because of applications that require the user to be a local administrator on the computer. Whether this is because of poor programming on the part of the application developers or something else, it doesn't matter. Unless you know that your users won't need to be local admins, you may want to handle this in a very controlled and well tested manner, possibly testing all of your applications with a non-admin account before pushing this setting out to the users.
On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote:

I know it's over a week since I sent this, but on thinking it's probably worth expanding on this. The OU structure is in place to provide two functions:-

1) Delegation of management and administration.
2) Application of Group Policy

Now because the OU structure is the ONLY way unless you use some added value tool to provide delegated admin, that needs to be the Primary driver when designing the OU Structure.

So if you want different people managing Computer and Users, and like me you like to keep the user and computer policies separate, it makes sense to have Computers and Users in separate OU trees. Because you can't apply a GPO to the Users and Computers containers it also makes sense not to use these OUs.

On the other hand if you have a very devolved management structure, and you are happy with devolved management of the users and computers, then it might make sense to have an OU tree where the top levels represent management units and you store both computers and users in these trees.

Personally I don't like this approach, but for some organization structures it may be better...

Dave.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: 23 September 2006 20:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Assign User rights overs computers with AD

I usually move them out as you can't apply GPO at the computers level...

From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Fri 22/09/2006 22:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Hey Dave. Do you mean separate trees under root computers? or Create different OU's for computers?

On 9/22/06, Al Mulnick [EMAIL PROTECTED] wrote:

  Separate Trees? That seems a little excessive. Or are we just mixing terms?

  On 9/21/06, Dave Wade [EMAIL PROTECTED] wrote:

    I prefer to keep them in separate trees. In fact we are just doing that at present...

    From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
    Sent: Thu 21/09/2006 17:50
    To: ActiveDir@mail.activedir.org
    Subject: Re: [ActiveDir] Assign User rights overs computers with AD

    Thanks for your help. really useful. Is it a good practice to move computer objects to OU where the user of the computer resides?

    On 9/20/06, Dave Wade [EMAIL PROTECTED] wrote:

    Alberto,
    Even though we made our users PowerUsers we found that we needed to make a number of tweaks to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to

Re: [ActiveDir] User account deletion

2006-10-06 Thread Matt Hargraves
From Microsoft's website:

Event ID: 630
Type: Success Audit
Description: User Account Deleted:
  Target Account Name: %1
  Target Domain: %2
  Target Account ID: %3
  Caller User Name: %4
  Caller Domain: %5
  Caller Logon ID: %6
  Privileges: %7

Check the security logs on your DCs for 630 events.

On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

by, you really cannot find it anymore when querying AD ;-)

jorge

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
  Sent: Friday, October 06, 2006 14:34
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] User account deletion

  Is there a way to tell if a user account has been deleted?

  Thanks,

  Chris

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.






Re: [ActiveDir] User account deletion

2006-10-06 Thread Matt Hargraves
Just an FYI, this event will only be on the DC that the user was connected to when they deleted the account, it won't show up on all DCs, so this could be a relatively daunting task, mattering on your environment (or impossible, if your event logs roll over frequently and you don't save them off to another server or have software that saves them)
On 10/6/06, Matt Hargraves [EMAIL PROTECTED] wrote:
From Microsoft's website:

Event ID: 630
Type: Success Audit
Description: User Account Deleted:
  Target Account Name: %1
  Target Domain: %2
  Target Account ID: %3
  Caller User Name: %4
  Caller Domain: %5
  Caller Logon ID: %6
  Privileges: %7

Check the security logs on your DCs for 630 events.

On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

by, you really cannot find it anymore when querying AD ;-)

jorge

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
  Sent: Friday, October 06, 2006 14:34
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] User account deletion

  Is there a way to tell if a user account has been deleted?

  Thanks,

  Chris
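Added example, not from the thread: a small parser that pulls the event 630 fields quoted above out of Security-log exports gathered from several DCs, answers "who deleted this account?", and lists the DCs that contributed nothing, which matters because, as Matt notes, the event exists only on the DC the deletion was performed on. The export format, DC names, accounts, SIDs and logon ids are all constructed.

```python
"""Locate 'User Account Deleted' (event 630) records across DC Security-log exports.

Added example. The export layout (one record per block, 'Computer:' naming the
DC, event fields as 'Key: value' lines) is constructed, not a real tool's output;
the field names are the ones in the event 630 template quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

USER_ACCOUNT_DELETED = 630  # Windows 2000/2003 Security log event id

# Constructed sample: exports from three DCs. Only DC02 and DC03 logged a 630,
# because the audit is written only on the DC the deletion was performed on.
SAMPLE_EXPORT = """\
Computer: DC01
Event ID: 528
Type: Success Audit
Description: Successful Logon:
  User Name: jsmith
  Domain: CORP

Computer: DC02
Event ID: 630
Type: Success Audit
Description: User Account Deleted:
  Target Account Name: tcontractor
  Target Domain: CORP
  Target Account ID: %{S-1-5-21-1111-2222-3333-1104}
  Caller User Name: admin.jane
  Caller Domain: CORP
  Caller Logon ID: (0x0,0x3E7A1)
  Privileges: -

Computer: DC03
Event ID: 630
Type: Success Audit
Description: User Account Deleted:
  Target Account Name: svc.legacy
  Target Domain: CORP
  Target Account ID: %{S-1-5-21-1111-2222-3333-1187}
  Caller User Name: svc.provisioning
  Caller Domain: CORP
  Caller Logon ID: (0x0,0x51C0E)
  Privileges: -
"""


@dataclass
class DeletionEvent:
    dc: str
    target: str
    target_domain: str
    caller: str
    caller_domain: str
    logon_id: str


def parse_records(export: str) -> List[Dict[str, str]]:
    """Split the export on blank lines; each record becomes a flat dict.
    Indented description sub-fields are hoisted to the record's top level."""
    records: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", export.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:  # tolerate stray lines in a hand-made export
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def account_deletions(export: str) -> List[DeletionEvent]:
    """Every event 630 in the export, tagged with the DC whose log holds it."""
    found = []
    for rec in parse_records(export):
        if rec.get("Event ID") != str(USER_ACCOUNT_DELETED):
            continue
        found.append(DeletionEvent(
            dc=rec.get("Computer", "?"),
            target=rec.get("Target Account Name", "?"),
            target_domain=rec.get("Target Domain", "?"),
            caller=rec.get("Caller User Name", "?"),
            caller_domain=rec.get("Caller Domain", "?"),
            logon_id=rec.get("Caller Logon ID", "?"),
        ))
    return found


def who_deleted(export: str, account: str) -> List[str]:
    """Answer 'who deleted <account>?' using the logs of every DC in the export."""
    return [f"{e.caller_domain}\\{e.caller} deleted {e.target_domain}\\{e.target} "
            f"(logon id {e.logon_id}) on {e.dc}"
            for e in account_deletions(export)
            if e.target.lower() == account.lower()]


def dcs_without_coverage(export: str, expected_dcs: List[str]) -> List[str]:
    """DCs that contributed no records. A deletion performed on one of these is
    invisible to the search, since event 630 is not replicated to other DCs."""
    seen = {rec.get("Computer") for rec in parse_records(export)}
    return sorted(dc for dc in expected_dcs if dc not in seen)
```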

Re: [ActiveDir] Assign User rights overs computers with AD

2006-10-06 Thread Matt Hargraves
Yeah, I guess it's one of those "If you don't need it, get rid of it" things for me. Not going to use it? Just disable it and get rid of the excuse for some half-informed admin from going in and putting settings on there (we all know who they are and probably were him at some point in time, I'm sure I was ;) )
On 10/6/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:





Minor nit below. Otherwise, spot on observations.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

  Just to cover some things: GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to computer objects within that OU, user settings only apply to users within that OU (again, excepting loopback processing within that GPO). This is one of the big reasons why people usually only put computer *or* user objects within a particular OU. It allows you to disable the portion of the GPO that isn't going to get applied to the objects within the OU (disable user settings on GPOs for computer OUs - unless you're using loopback processing and disable computer settings for GPOs on user OUs). There's really no reason to have a computer downloading user settings when it's not necessary and vice-versa.

This won't happen regardless. A computer account would never download user settings, even if the user side of a GPO is enabled. Disabling a GPO side is somewhat meaningless because if the side has no policy in it (i.e. its version is 0) then it won't be processed anyway. The only time this is useful is if you have settings on a side and you, for whatever reason, don't want them to be processed. It's kind of a way of blocking settings that would otherwise be applied by disabling them.

  This way, you end up with managing your computer settings separately from your user settings. Common computer settings: Disabling security-related settings, adjusting auditing (event logs, etc) ACLing directories. Common user settings: Setting environmental variables (default home page, home directory, application settings like Office settings, etc...). Usually the only time you want to put user settings on a computer OU (and enable loopback processing) is for kiosk type computers and then you probably want to make sure that you do something to make sure that it doesn't apply for Administrators. It's usually easier to put these settings on an OU for accounts that will be used for that type of workstation though, so you don't have to worry about loopback. As many other people stated though, trying to restrict administrators on workstations will as often as not end up with a series of headaches because of applications that require the user to be a local administrator on the computer. Whether this is because of poor programming on the part of the application developers or something else, it doesn't matter. Unless you know that your users won't need to be local admins, you may want to handle this in a very controlled and well tested manner, possibly testing all of your applications with a non-admin account before pushing this setting out to the users.

  On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote:

    I know it's over a week since I sent this, but on thinking it's probably worth expanding on this. The OU structure is in place to provide two functions:-

    1) Delegation of management and administration.
    2) Application of Group Policy

    Now because the OU structure is the ONLY way unless you use some added value tool to provide delegated admin, that needs to be the Primary driver when designing the OU Structure.

    So if you want different people managing Computer and Users, and like me you like to keep the user and computer policies separate, it makes sense to have Computers and Users in separate OU trees. Because you can't apply a GPO to the Users and Computers containers it also makes sense not to use these OUs.

    On the other hand if you have a very devolved management structure, and you are happy with devolved management of the users and computers, then it might make sense to have an OU tree where the top levels represent management units and you store both computers and users in these trees.

    Personally I don't like this approach, but for some organization structures it may be better...

    Dave.

    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
    Sent: 23 September 2006 20:50
    To: ActiveDir@mail.activedir.org
    Subject: RE: [ActiveDir] Assign User rights overs computers with AD

    I usually move them out as you can't apply GPO at the computers level
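Added example, not from the thread, working through the exchange above: given the versionNumber and flags attributes of a groupPolicyContainer object, which sides of a GPO will a client process, where does disabling a side change nothing (Darren's nit), and which side would Matt's housekeeping rule disable in a single-type OU. The attribute layouts are Microsoft's documented ones (stated in the docstring as the assumption); the GPO names and version values are constructed.

```python
"""Which sides of a GPO get processed, from its AD attributes.

Added example. Assumed attribute semantics of a groupPolicyContainer object,
as documented in MS-GPOL and gpedit.h:
  versionNumber  low 16 bits  = Computer Configuration version,
                 high 16 bits = User Configuration version
  flags          0x1 = User Configuration disabled,
                 0x2 = Computer Configuration disabled
GPO names and version values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DISABLE_USER = 0x1     # GPO_OPTION_DISABLE_USER
DISABLE_MACHINE = 0x2  # GPO_OPTION_DISABLE_MACHINE


def make_version(computer: int, user: int) -> int:
    """Pack the two per-side counters the way versionNumber stores them."""
    return ((user & 0xFFFF) << 16) | (computer & 0xFFFF)


@dataclass(frozen=True)
class Gpo:
    name: str
    version_number: int
    flags: int = 0

    @property
    def computer_version(self) -> int:
        return self.version_number & 0xFFFF

    @property
    def user_version(self) -> int:
        return (self.version_number >> 16) & 0xFFFF


def side_status(gpo: Gpo) -> Dict[str, str]:
    """Per side: 'disabled' (flag set), 'empty' (version 0, so the client skips
    it anyway) or 'processed' (has settings and is enabled)."""
    def status(version: int, disabled: bool) -> str:
        if disabled:
            return "disabled"
        return "empty" if version == 0 else "processed"
    return {
        "computer": status(gpo.computer_version, bool(gpo.flags & DISABLE_MACHINE)),
        "user": status(gpo.user_version, bool(gpo.flags & DISABLE_USER)),
    }


def pointless_disables(gpos: List[Gpo]) -> List[str]:
    """Sides that are disabled but were empty anyway: the flag changes nothing
    about what the client processes, which is Darren's point."""
    out = []
    for g in gpos:
        if g.flags & DISABLE_MACHINE and g.computer_version == 0:
            out.append(f"{g.name}: computer side disabled but already empty")
        if g.flags & DISABLE_USER and g.user_version == 0:
            out.append(f"{g.name}: user side disabled but already empty")
    return out


def side_to_disable(gpo: Gpo, ou_holds: str) -> Optional[str]:
    """Matt's housekeeping for a single-type OU: disable the side that cannot
    apply to anything there, so settings someone adds to it later stay inert.
    ou_holds is 'computers' or 'users'. Not meant for loopback GPOs, whose
    user side is intentionally applied to computer-OU logons."""
    st = side_status(gpo)
    if ou_holds == "computers" and st["user"] != "disabled":
        return "user"
    if ou_holds == "users" and st["computer"] != "disabled":
        return "computer"
    return None


# Constructed GPOs covering the situations discussed in the thread.
SAMPLE_GPOS = [
    Gpo("Workstation Lockdown", make_version(12, 0)),                  # computer settings only
    Gpo("Kiosk", make_version(1, 4)),                                  # loopback on computer side, user restrictions
    Gpo("Office Defaults", make_version(0, 3), flags=DISABLE_MACHINE), # disabled side was empty: no effect
    Gpo("Legacy Printers", make_version(3, 2), flags=DISABLE_USER),    # user settings present but blocked
]
```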

Re: [ActiveDir] Folder Redirection Issue

2006-10-05 Thread Matt Hargraves
If you're using a transform file to deploy, you should be able to define the default file location, either as a variable (%homedrive%) or alternatively, you can install the GPO extensions for MS Office and set the item via GPO and stop worrying, as long as you test it a little bit before deploying it out to everyone.
On 10/4/06, Kennedy, Jim [EMAIL PROTECTED] wrote:

"Office was deployed to the workstations via group policy using an AIP and MST transform."

Bet you will find something in that MST that is pointing to the wrong location. Blow out an Outlook profile on one as a test.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue

I am having a weird problem with folder redirection. I have set the My Documents redirection to the subfolder of the root drive option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users' my documents to \\servername\homefolders$\%username%\my documents and it does. The users log onto their PCs and open their My Documents folder fine – and looking at the properties of their my documents folder confirms that the redirection is working properly. The problem is that in certain applications, namely Outlook 2003 (all latest patches and SPs applied). When a user goes to save an attachment, for example, and clicks on my documents in the save dialog, they receive the error "cannot access \\servername\homefolders$", which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the users' my documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, the my documents works fine. There are also no event log entries that reference this issue.

I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform.

Any help would be greatly appreciated.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.

Re: [ActiveDir] Folder Redirection Issue

2006-10-05 Thread Matt Hargraves
Sorry, didn't read thoroughly first (oops). Yeah, it sounds like a perms issue, I usually set the root of my user shares directory to have Read/Traverse perms for users in case of an emergency and/or troubleshooting. It's an administrative share anyway, I can understand the paranoia of also setting it to basically be unbrowsable, but it sounds like you're going 1/2 a step too far (at least for the purposes of the applications in your environment).
On 10/5/06, Matt Hargraves [EMAIL PROTECTED] wrote:
If you're using a transform file to deploy, you should be able to define the default file location, either as a variable (%homedrive%) or alternatively, you can install the GPO extensions for MS Office and set the item via GPO and stop worrying, as long as you test it a little bit before deploying it out to everyone.

Re: [ActiveDir] OT: wikis

2006-10-05 Thread Matt Hargraves
What's funny is that actual encyclopedias have almost the same level of accuracy as Wikipedia on any particular subject. Part of that is the fact that they're always 1-3+ years out of date when they are published and the other part is that many 'facts' are actually just theories and there are commonly conflicting theories or theories that have been around for 10+ years are assumed correct because the research that proved it wrong hadn't been made widely available to those who were part of the writing of the encyclopedia (or they don't trust the new evidence).
Either way, you should try and find multiple sources of information for any subject that you're not familiar with.

On 10/5/06, Ramon Linan [EMAIL PROTECTED] wrote:

Right, and remember there is not absolute truth!! :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

  It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.



Re: [ActiveDir] OT: wikis

2006-10-05 Thread Matt Hargraves
I thought it was 9A:D

On 10/5/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

999,998 + 2 = 1,000,000, not 100,000. ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

  It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.



Re: [ActiveDir] Who keeps creating this folder files?

2006-10-05 Thread Matt Hargraves
Turn on security auditing.

On 10/5/06, J B [EMAIL PROTECTED] wrote:

Argh! On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files?

Every time I check, no one is currently accessing the files - which would be an easy way for me to know...




Re: [ActiveDir] Who keeps creating this folder files?

2006-10-05 Thread Matt Hargraves
Magic 8 ball? Security event logs are great things, learning how to search them for the right data can be invaluable and increase the security at your company drastically. It will mean that instead of saying "Who did this?", you will know who did it. Instead of going "When did that happen?", you'll know when it happened.

Unfortunately, you end up having to almost export your event logs to another location to make them searchable on active systems. The only bad part is that, once you get the data, you find yourself sitting there going "Oh, that script did it..." or worse - "I did it?!" or something similar. 95% of the time something where you're going "Oh yeah, I'm gonna get them this time", you realize that there isn't anyone to get. After a little while you'll stop expecting to 'get them' this time and go "OK, what do I need to fix this time" and kinda dread the idea of it being someone doing something wrong and hope it's just something that you can fix in 10 minutes because if someone did something wrong, then you have to spend 2-4 hours in meetings discussing why they did it, how they did it, how to avoid it happening again, etc.
On 10/5/06, J B [EMAIL PROTECTED] wrote:

I was hoping that there was some way to see who created it rather than wait until it happened again, or wait until someone accessed it...

I'll have to settle for the auditing though.

Thanks!

  - Original Message -
  From: Brian Desmond
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, October 05, 2006 11:14 AM
  Subject: RE: [ActiveDir] Who keeps creating this folder  files?!

  Set some auditing on the folder that this is happening in and watch the security log for the relevant audits…

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J B
  Sent: Thursday, October 05, 2006 12:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Who keeps creating this folder  files?!

  Argh! On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files?

  Every time I check, no one is currently accessing the files - which would be an easy way for me to know...




Re: [ActiveDir] OT: Volume licensing activation

2006-10-05 Thread Matt Hargraves
I can completely understand Microsoft's point, don't get me wrong.I guess it just kinda gets my goat that they're so tired of people using VLE keys as the new favorite of license violators that they're going to put the onus on the business owners to pay for a new server just to manage Microsoft's licenses. Also, Vista is one thing, but Longhorn? Do they really have that many server instances running with VLE keys that it justifies a company having to pay for 1-10 licensing servers (remember, not everyone is 100% in a single global region) to keep not only my workstations up and running, but the servers too?
I just kinda feel like if they're going to go this far, they should provide me with a license appliance to handle every x number of stations. Enough people are paying for software assurance where it seems like it would be a good business move to keep people happy, a little good with the bad I guess.
The scary part that I'm wondering about is what they're going to do with the retail/OEM versions of the software. There are enough people out there who will buy a computer but not have an internet connection (yes, I know it's not a *huge* number, the internet is half the reason a lot of people get computers), what are they going to have to do, call MS every 180 days to 'reactivate' their computer? Talk about a pain. My father would just end up giving his computer away if it came to that. Granted, he's 60 and doesn't know a tenth what most people under the age of 30 know about computers, but those are the people who need everything more convenient and less of a hassle.
On 10/4/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Microsoft's Software Protection Platform: Protecting Software and Customers from Counterfeiters: The company announces innovative technology in Windows Vista and Windows Server "Longhorn" to reduce the risk of piracy and software tampering while improving software licensing.:
http://www.microsoft.com/presspass/features/2006/oct06/10-04SoftwareProtection.mspx

Windows Genuine Advantage : New technology to protect Windows Vista and other products:
http://blogs.msdn.com/wga/archive/2006/10/04/New-technology-to-protect-Windows-Vista-and-other-products.aspx

Whitepaper
http://download.microsoft.com/download/c/2/9/c2935f83-1a10-4e4a-a137-c1db829637f5/10-03-06SoftwareProtectionWP.doc

As long as it works and works well, and when it's updated it gets disclosed so that tinfoil folks won't be shutting off auto updates because that's what's happening now.

Brian Desmond wrote:

  I read through the docs on this vl activation and it's not as bad as it sounds. They're really just trying to protect the keys.

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
  Sent: Tuesday, October 03, 2006 1:34 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: Volume licensing activation

  Yeah... MS is going to get really high levels of adoption on this product... Gotta wonder what in the heck they're thinking sometimes.

  On 10/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

    http://blogs.zdnet.com/microsoft/?p=26
    Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs


Re: [ActiveDir] OT: Volume licensing activation

2006-10-03 Thread Matt Hargraves
Yeah... MS is going to get really high levels of adoption on this product... Gotta wonder what in the heck they're thinking sometimes.

On 10/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

http://blogs.zdnet.com/microsoft/?p=26
Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.



Re: [ActiveDir] Move all OU and USERS from one forest to another forest

2006-10-03 Thread Matt Hargraves
I'm not sure if I was going to test for an Exchange environment that I wouldn't want to make sure that, at the very least, I still had the extensions in place for Exchange in the schema.

On 10/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
Have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/105.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/107.aspx

jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move all OU and USERS from one forest to another forest

Hi,

I am trying to build a testing environment. I have the production forest and the testing forest, not connected at all. Is there an easy way of creating all the same OUs and users from one forest to the other? Each forest only has one domain. Also, I am only interested in moving some of the attributes, i.e. there is no MS Exchange in the testing environment so I don't care about Exchange attributes.

I was going to build a script that will read from production LDAP and create objects in the other one, but if there is already something like a tool or script, I would prefer to use it to save time.

Can I use ADAM for this?

Rezuma

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.


Re: [ActiveDir] OT: Volume licensing activation

2006-10-03 Thread Matt Hargraves
When you've got 100k workstations in your environment and it takes 2-3 minutes to run through the activation and then however much time to manage the server... 100k*2.5 ends up equalling about 2 years' worth of wages for a single employee (call it $120k total). I don't mind them trying to protect keys, but it's not the companies with 1k+ workstations, it's the companies with 50 workstations and 'computer geniuses' (don't you dread it when you hear that phrase - you know something's *really* screwed up) who are using invalid or stolen keys.

I know that 120k might be 'beans' to a large company, but reality is that you just increased the deployment cost for a new tool. If I can run XP for an extra 2 years and use the version after Vista, then I just saved my company $120k... I just paid my salary for the next year probably. This is how management personnel think - that's why we call them 'bean counters', because that 120k means something to them. They know that not using legit versions is not a valid solution, but they also know that saving $120k means something after you do it 10 times (and just saved the company 0.1% off their costs - every little bit counts for accountants).

On 10/3/06, Brian Desmond [EMAIL PROTECTED] wrote:
I read through the docs on this vl activation and it's not as bad as it sounds. They're really just trying to protect the keys.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, October 03, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Volume licensing activation

Yeah... MS is going to get really high levels of adoption on this product...

Gotta wonder what in the heck they're thinking sometimes.

On 10/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
http://blogs.zdnet.com/microsoft/?p=26

Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.


[ActiveDir] ADAM with Domain

2006-09-29 Thread Matt Brown
How does ADAM integrate with a domain? Will they be completely separate
directories or can they somehow be joined together?

I'm wanting to use an X.500 name for the ADAM instance.

Thanks in advance for the help provided,
--
Matt Brown
IT System Specialist
Eastern Washington University




Re: [ActiveDir] SID History.

2006-09-26 Thread Matt Hargraves
OK, I think that I pretty much had it figured out, just wanted to get some level of validation.

Thanks for all the help.

On 9/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Matt,

I went through a similar 'thought experiment' a few years ago. Whilst I didn't actually test my conclusions, I arrived at the decision that the original domain could actually be completely removed and the SID history data would still be valid and usable to access resources. i.e. there is no need to 'talk' to the DCs in the resource domain(s).

Does that help?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: 25 September 2006 20:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.

Yeah, read that document before. It doesn't say whether it's going to go scanning domains for SID History memberships, so I have to assume that unless I have a group that points to a user's SID History SID within that AD environment (or in that authentication chain), then it's not going to add in more SIDs to the user's token. Example: I have a group that points to a user's SID history as a ForeignSecurityPrincipal, then it will add in that object.

In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?

On 9/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
To read on how the access token is built see:
http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc

Authentication across domains depends if NTLM is used (external trusts) or Kerberos is used (forest trusts and intra-forest transitive trusts). sIDHistory just adds SIDs to the access token, after that the process is the same.

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Mon 2006-09-25 19:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.

Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.

Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains)

I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote:
I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs. Start here:
http://msdn.microsoft.com/library/default.asp?url=""
but poke around that whole area.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:
User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.

Re: [ActiveDir] DNS entry won't delete

2006-09-26 Thread Matt Hargraves
Any chance you can edit the setting so that it points to something not in your network? (ex. you have a 10.x.x.x network, so you reset it to be a 192.168.x.x IP)

On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote:
My two DCs are Windows 2003 servers, DNS integrated, Primary. The resilient entries are from Mac OS X clients and one OS X server. The domain name of the entries is from a domain that was renamed.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, September 26, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS entry won't delete

Bruce, try the command that Andrew posted and see what results you get.

Other things to check: Are the domains integrated? Primary? How are the reverse and forward zones configured?

I'm surprised to hear the record is not in WINS. I assume then that it's not a Windows server then? What type of server is it? What is the OS?

Al

On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote:
I got object not found error. The following script should enumerate all the zones on both my DCs:
=
' Enumerate the dnsZone objects under the DomainDnsZones partition on each DC
WScript.Echo Now & vbCrLf
DCs = Array("dc1", "dc2")
for i = 0 to UBound(DCs)
    strDN = "CN=MicrosoftDNS,DC=DomainDNSZones,DC=mydomain,DC=int"
    set objColl = GetObject("LDAP://" & DCs(i) & "/" & strDN)
    WScript.Echo "Entries in " & DCs(i)
    WScript.Echo String(30, "-")
    EnumColl objColl
    WScript.Echo
next

Sub EnumColl(objColl)
    for each objEntry in objColl
        WScript.Echo objEntry.Name
    next
End Sub
==
It does not display all the zones, one of which has the entries in question.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Cace
Sent: Tuesday, September 26, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete

You can run the following command to see where an update is originating. Then, if you have auditing enabled for that operation, you can check the originating DC to see who made the change.

repadmin /showobjmeta yourdc dc=recordname,dc=yourzone.com,cn=MicrosoftDNS,dc=DomainDNSZones,dc=yourdomain,dc=com

Replace yourdc, etc. with appropriate values for your domain. For a reverse lookup zone, recordname will be the last octet of the IP address and dc=yourzone.com will be something like dc=2.1.10.in-addr.arpa, where 2.1.10 is the reverse notation of the first three octets of your IP address. Be sure that you have the partition where the zone is stored correct, whether it's DomainDNSZones, ForestDNSZones, or the domain partition. The dnsRecord attribute is the one that you are interested in.

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clingaman, Bruce
Sent: Tuesday, September 26, 2006 8:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS entry won't delete

I have three DNS entries in my Reverse lookup zone that were for static addresses that won't go away. The problem is one of them shares the address and hostname (different domain name, domain was renamed) assigned to another server. When I delete it, it immediately reappears.

I am unable to determine what is putting these entries back in. They were for OS X machines, one is a client, the other was a server. The client has been changed to DHCP. The server was reinstalled and given a different IP address.

I have a single level domain with two DCs, one is a WINS server, AD/DNS integrated.
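An added example, not code from the thread: it does what Bruce's script attempted and what Andrew describes, checking each of the three partitions an AD-integrated zone can be stored in, listing the zones found there, locating the record's dnsNode and handing its DN to repadmin /showobjmeta so the originating DC of the last write can be read off. It assumes PowerShell 2.0 or later on a domain member with repadmin available; dc1, DC=mydomain,DC=int, the zone 2.1.10.in-addr.arpa and the record name 25 are placeholders to replace.

```powershell
# Added example (not from the thread). Placeholders: dc1, DC=mydomain,DC=int,
# zone 2.1.10.in-addr.arpa, record 25. Assumes PowerShell 2.0+ and repadmin.
param(
    [string]$Dc       = "dc1",                  # placeholder: DC to bind to
    [string]$DomainDn = "DC=mydomain,DC=int",   # placeholder: domain DN
    [string]$ForestDn = "DC=mydomain,DC=int",   # placeholder: forest root DN
    [string]$Zone     = "2.1.10.in-addr.arpa",  # placeholder: reverse zone
    [string]$Record   = "25"                    # placeholder: last octet
)

# An AD-integrated zone is stored in exactly one of these containers, which is
# why a script that only looks in DomainDnsZones can miss zones.
$containers = @(
    "CN=MicrosoftDNS,CN=System,$DomainDn",          # domain partition (legacy)
    "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn",  # domain-wide app partition
    "CN=MicrosoftDNS,DC=ForestDnsZones,$ForestDn"   # forest-wide app partition
)

function Test-DnObject {
    param([string]$Path)
    # DirectoryEntry.Exists returns $false for "no such object" instead of throwing.
    return [System.DirectoryServices.DirectoryEntry]::Exists($Path)
}

foreach ($container in $containers) {
    $containerPath = "LDAP://$Dc/$container"
    if (-not (Test-DnObject $containerPath)) {
        Write-Output "Container absent on ${Dc}: $container"
        continue
    }

    # List every zone held in this container (the dnsZone objects' RDN is 'dc').
    $zones = New-Object System.DirectoryServices.DirectoryEntry($containerPath)
    foreach ($child in $zones.Children) {
        Write-Output ("  {0} holds zone {1}" -f $container, $child.Properties["dc"].Value)
    }

    # dnsNode DN for the record: DC=<record>,DC=<zone>,<container>
    $recordDn = "DC=$Record,DC=$Zone,$container"
    if (-not (Test-DnObject "LDAP://$Dc/$recordDn")) { continue }

    Write-Output "Found record object: $recordDn"
    $node = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/$recordDn")
    Write-Output ("dnsRecord values on the node: {0}" -f $node.Properties["dnsRecord"].Count)

    # Replication metadata gives the originating DC and time of the last write to
    # dnsRecord; that DC's audit log is where to look for who or what re-registers it.
    & repadmin /showobjmeta $Dc $recordDn
}
```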



Re: [ActiveDir] SID History.

2006-09-25 Thread Matt Hargraves
Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.

Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains)

I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote:
I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs.

Start here:
http://msdn.microsoft.com/library/default.asp?url=""
but poke around that whole area.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:
User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.




Re: [ActiveDir] SID History.

2006-09-25 Thread Matt Hargraves
Yeah, read that document before. It doesn't say whether it's going to go scanning domains for SID History memberships, so I have to assume that unless I have a group that points to a user's SID History SID within that AD environment (or in that authentication chain), then it's not going to add in more SIDs to the user's token.

Example: I have a group that points to a user's SID history as a ForeignSecurityPrincipal, then it will add in that object. In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?

On 9/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
To read on how the access token is built see:
http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc

Authentication across domains depends if NTLM is used (external trusts) or Kerberos is used (forest trusts and intra-forest transitive trusts). sIDHistory just adds SIDs to the access token, after that the process is the same.

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Mon 2006-09-25 19:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.

Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.

Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains)

I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote:
I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs.

Start here:
http://msdn.microsoft.com/library/default.asp?url=""
but poke around that whole area.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:
User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.



[ActiveDir] SID History.

2006-09-21 Thread Matt Hargraves
Conceptual situation:
User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.



Re: [ActiveDir] 3rd party vendor and AD for auth

2006-09-20 Thread Matt . Duguid
Hi there,

We recently faced the same scenario...

Do they need to use your internal AD because they require access to your
staff accounts? If not they could quite happily use ADAM.

If they do require access to your staff accounts you could get them to
perform DEV/TST/QA on ADAM as proof of concept and then give them delegated
access to the AD via a specific user or group which is what we ended up
doing. We made it very clear that all code must be tested on ADAM first
before we let them anywhere near our live environment.

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: John Singler [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 20/09/2006 05:23 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 3rd party vendor and AD for auth



Greetings -

We have a 3rd party vendor who wants to tie their web app into our AD
for authentication and authorization. (This is an app that has already
been purchased and is in-house but uses a local db for AAA).

What, specifically, should I be asking them about their application so
as to keep our environment in its secure and stable state?

AFAIK, all they have 'asked' for is a U/P with read access to users and
groups.  Obviously, they aren't getting anything until we work out the
details.

Curious as to what other orgs consider when in similar circumstances.

Environment (FWIW):
Single forest, single domain. All DCs w2k3 SP1, FFL/DFL are w2k3.

tia,

john


Re: [ActiveDir] different version of R2 available?

2006-09-20 Thread Matt . Duguid
I have both versions here...one for standard and one for enterprise...so
yes two CD's

;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Thommes, Michael M. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 21/09/2006 10:57 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] different version of R2 available?

My officemate and I were discussing whether there are different versions of
the R2 CD depending on whether you’re running Server 2003 Standard or
Server 2003 Enterprise.  Or is there only one version of R2?  TIA!



Mike Thommes
[EMAIL PROTECTED]

Re: [ActiveDir] VBScript Container Security

2006-09-17 Thread Matt . Duguid
Try starting with this document... one of the preferred methods is to create
the System container and manually assign permissions to it...

http://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true


Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Joe McNicholas [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 15/09/2006 09:53 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VBScript Container Security

I'm trying to create and secure the LDAP://cn=System
Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1].

I'm able to create the container successfully, but haven't found any
examples of how to assign security to an OU or Container in the AD.  MS
Script Centre and a quick google have come up blank, can anyone point me to
any examples?

Thanks
Joe

[1] Ref:
https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true





Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Matt Hargraves
I agree with the people who are saying "Either trust all of them or none of them." Realistically, unless you have a large environment (BTW, some people argue that all but maybe 10 Fortune 100 companies are 'medium' sized and the other 99.% of organizations are 'small'), there should only be a handful of people (3-7?) and some service accounts that require that level of rights.

Domain/Enterprise Admins are a tricky bunch and no matter what you do to us, we can take back whatever rights you took away from us very easily, then lock you and everyone else in the world out, destroy the on-site backups and demolish the environment to where it's going to take a major effort to get back to operational status. This would all take significantly less time than it would take for someone to figure out who is doing what. I like Joe's recommendation of taking everyone that you don't need out of the admins groups and simply granting them various levels of rights with their account. Possibly give everyone a user and admin account (user1234567 and user1234567a), heaven knows it would make troubleshooting a lot easier.

That being said, someone asking for their own regional forest? Fine, as long as the person saying that it's necessary is willing to come up with the budget for the additional servers and additional personnel to support that forest and that they understand that they will have 0 admin level rights on anything in the 'main' forest, it wouldn't bother me, just one less thing that I have to worry about managing. Oh yeah, and they have to pay for yearly audits to validate that they are meeting the corporate standards for security at all levels.

Then again, most of those items aren't usually my concern. Thank God I'm not in management :D

On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:
Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model.

If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security standpoint. If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want.

Joe's been there and done it...

--Paul

- Original Message -
From: Almeida Pinto, Jorge de
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:48 AM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since

Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Matt Hargraves
I think we discovered the problem... things were just locked down a *tad* too much.On 9/13/06, Akomolafe, Deji 
[EMAIL PROTECTED] wrote:


Look at your default recipient policy. What's set there? Just curious.



Sincerely,  _  (, / | /) /) /)  /---| (/_ __ ___// _ // _ 
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /)  (/ Microsoft MVP - Directory Services
www.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: Matt HargravesSent: Wed 9/13/2006 8:58 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessability issues to OWA (though they can still access their mailbox through Outlook). 

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid. 


On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)
Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it resolve to the SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
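
As an added example (not code from this thread or from any of its participants), here is the PowerShell equivalent of the psgetsid check Darren describes: it resolves the IWAM_/IUSR_ account of each server to its SID and reports whether that SID is well-known, and so usable in a single GPO user-right entry, or an ordinary per-server domain account SID. The server names are constructed, the accounts are assumed to be domain accounts (as on a DC running IIS), and the script assumes it runs on a domain-joined host.

```powershell
# Added example, not code from the thread. Resolves each IWAM_/IUSR_ account
# the way psgetsid does and classifies the resulting SID.
# Assumptions: run on a domain member; the accounts are domain accounts;
# $servers holds constructed sample names.
$servers = @('Server1', 'Server2', 'Server3')
$domain  = $env:USERDOMAIN

function Get-AccountSidInfo {
    param([Parameter(Mandatory)][string]$AccountName)

    $nt = New-Object System.Security.Principal.NTAccount($AccountName)
    try {
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return [pscustomobject]@{
            Account = $AccountName; Sid = $null; Rid = $null; WellKnown = $null; Note = 'not found'
        }
    }

    $rid = [int]($sid.Value -split '-')[-1]
    # A SID is "well-known" for GPO purposes when it is either not an
    # account SID at all (e.g. S-1-5-32-544, BUILTIN\Administrators) or a
    # domain-relative principal with a fixed RID below 1000 (e.g. -512,
    # Domain Admins). IWAM_/IUSR_ accounts are created like any other user
    # and receive RIDs >= 1000 that differ per server, so one entry cannot
    # cover them all.
    $wellKnown = (-not $sid.IsAccountSid()) -or ($rid -lt 1000)

    [pscustomobject]@{
        Account = $AccountName; Sid = $sid.Value; Rid = $rid; WellKnown = $wellKnown; Note = ''
    }
}

$results = @(
    foreach ($srv in $servers) {
        foreach ($prefix in 'IWAM_', 'IUSR_') {
            Get-AccountSidInfo -AccountName "$domain\$prefix$srv"
        }
    }
    # Reference rows: one true well-known SID and one fixed-RID domain group.
    Get-AccountSidInfo -AccountName 'BUILTIN\Administrators'
    Get-AccountSidInfo -AccountName "$domain\Domain Admins"
)

$results | Format-Table Account, Sid, Rid, WellKnown, Note -AutoSize

# Accounts that resolve but are not well-known each need their own entry;
# the usual way to keep the GPO short is to grant the right to one domain
# group that contains them.
$results | Where-Object { $_.WellKnown -eq $false } |
    ForEach-Object { "Not well-known, needs an explicit entry or a group: $($_.Account)" }
```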








[ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread Matt . Duguid

Hi there,

I have already read and use the Active Directory Cookbook for Windows 2003
and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere
on the net which lists the contents of each so I can have a look before
purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread Matt . Duguid
hahaha no worries cheers for that i'll just swim around the fish bowl one
more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: David Adner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 15/09/2006 02:21 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...



*points at joe's signature...*

And in case that was too vague, try here.
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...


Hi there,

I have already read and use the Active Directory Cookbook for Windows 2003
and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere
on the net which lists the contents of each so I can have a look before
purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



RE: [ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread Matt . Duguid
I have just purchased the 2nd one and will be on to the 3rd one as soon as
I have finished that...

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 15/09/2006 03:14 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...



Actually I did the Active Directory Third Edition. The Active Directory
Cookbook is in the Second Edition now and that was done by Laura Hunter. My
book you can find in my signature, the Cookbook you can find at

http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

hahaha no worries cheers for that i'll just swim around the fish bowl one
more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: David Adner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 15/09/2006 02:21 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...



*points at joe's signature...*

And in case that was too vague, try here.
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...


Hi there,

I have already read and use the Active Directory Cookbook for Windows 2003
and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere
on the net which lists the contents of each so I can have a look before
purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/


Re: [ActiveDir] Isolating a DC

2006-09-13 Thread Matt Hargraves
Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.
BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.
Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which, since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC."
On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
> I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935
> Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent Server and Domain Isolation using IPSec content, at:
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:
http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also Using IPSec to Lock Down a Server from technet..
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3



Re: [ActiveDir] Isolating a DC

2006-09-13 Thread Matt Hargraves
Yeah, I didn't mean to sound so negative it just seems like isolating by site (which is a logical, not physical barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything.
The IPSec solution just seems like serious overkill that's unnecessary.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:


I thought his original request was to make sure that no other client talks to the isolated server except those permitted.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-13 Thread Matt Hargraves
I'm not a huge DNS geek, so I'm not sure whether you can do this, but can't you just set the DHCP to have a short expiration (1 hour?) and it will unregister the 'old' entry for a machine? There would be a small amount of vulnerability, but it would go away after the client's reservation expires.
On 9/13/06, Ravi Dogra [EMAIL PROTECTED] wrote:

No, Laptop Users are getting IP Addresses from my VPN Box and when they are on site its DHCP.
On machines Register in DNS option Is checked, hence machines are attempting to register its own records in DNS. Although i have made my LAN DHCP to register only its Clients in DNS.
Credentials used are obviously my Administrator Account.

But Al,
The Issue we had is laptop users are using LAN DHCP as well as using VPN Connection from home. Both are getting registered in My DNS with different IP. Which is obvious.
But the thing is SOPHOS gave us this as one of the reasons for my laptop machines not showing in Sophos Enterprise Console because it uses DNS to build existing machines list.
Now everything is working fine and this reason was totally not applicable, but still there are other machines which are only in our network using only my LAN DHCP and are not showing up in EC.
Sophos Support team is working on this.

Thanks and Regards
Ravi Dogra

On 9/13/06, Al Mulnick [EMAIL PROTECTED] wrote:

I swear this is the last question and then I'll make a suggestion. :)
Is the DHCP server that the remote clients are getting their ip addr's from the same as the one that you are using for lan connected clients? You are obviously allowing the user's machine to update it's own records, but is that consistent or is the DHCP server on the lan registering the records for you possibly under a different set of credentials or in a different zone?

On 9/11/06, Ravi Dogra [EMAIL PROTECTED] wrote:

yes its correct.
No we have mobile users..

On 9/11/06, Al Mulnick [EMAIL PROTECTED] wrote:

Besides the obvious of telling Sophos to adjust their management to deal with this, here's what I understand of your problem to date.

VPN clients that are also trusted network clients (i.e. mobile users that traverse both trusted and non-trusted networks) can end up with seemingly duplicate entries for the same device but different ip addresses. This confuses some antivirus management applications and presumably some management applications such as SMS or similar class of app, that rely on reverse name resolution.

Is that correct? Do you have workers that are remote-based only?

Al

On 9/8/06, Ravi Dogra [EMAIL PROTECTED] wrote:

According to Sophos Support if one host has 2 DNS Entries, Sophos Enterprise Manager might not be able to detect this Host and auto update will also not work.
As you know jolly;- We are in process of migration from Trend to Sophos as our Antivirus Solution.
Working on a solution will update soon.

Thanks
Ravi Dogra

On 9/8/06, Jaspreet Singh [EMAIL PROTECTED] wrote:

Ravi,
As Rob said, If your VPN box is forwarding requests to your internal network then your DNS will automatically update the records according to the new IP which in your case is x.x.5.x.
Can you explain exactly what is the problem that you are facing due to this?

Regards,
Jaspreet Singh Jolly

On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:

> 1. I Didn't understand what exactly you are asking?
> 2. Yes DHCP Is configured properly.

That's not what I asked. I asked if it's updating the records for the device or is it letting the devices update their own?

Al

On 9/6/06, Ravi Dogra [EMAIL PROTECTED] wrote:

1. I Didn't understand what exactly you are asking?
2. Yes DHCP Is configured properly.
3. Yes it is running on DC
4. No, not running any other credential.
5. VPN Machine is entirely a different BOX on other site.
6. It doesn't register in my DNS. (Will extract other information from Site B Admin) update you very soon...

Thanks
RD

--
Regards,
Jaspreet Singh Jolly

--
Ravi Dogra
9899647200

--
Ravi Dogra
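
As an added example (not code from this thread or from any of its participants), the following PowerShell lists every host in a zone that carries more than one A record, which is the "2 DNS Entries" condition Ravi describes for laptops that registered both a LAN lease and a VPN address. It assumes the DnsServer module (Windows Server 2012 or later, newer than this thread), read access to the zone, and constructed zone and server names.

```powershell
# Added example, not code from the thread. Finds hosts with more than one
# A record in a zone so that duplicate LAN + VPN registrations can be spotted
# before a management product that enumerates DNS (as Sophos EC does here)
# gets confused by them.
# Assumptions: DnsServer module available (Windows Server 2012+), read access
# to the zone, and constructed zone/server names.
function Get-DuplicateHostRecords {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'localhost'
    )

    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |      # skip the zone apex record
        Group-Object -Property HostName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.Name
                Count     = $_.Count
                Addresses = ($_.Group | ForEach-Object { $_.RecordData.IPv4Address.ToString() }) -join ', '
                # Dynamically registered records carry a timestamp; static ones
                # do not. Two dynamic records with different addresses is the
                # LAN + VPN pattern; it is what DNS aging/scavenging (or the
                # short lease Matt suggests) is meant to clean up.
                Timestamps = ($_.Group | ForEach-Object {
                        if ($_.Timestamp) { $_.Timestamp.ToString('s') } else { 'static' }
                    }) -join ', '
            }
        }
}

# Constructed names; replace with a real zone and DNS server.
Get-DuplicateHostRecords -ZoneName 'corp.example' -DnsServer 'dc1.corp.example' |
    Sort-Object HostName | Format-Table -AutoSize
```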

Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)
Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't – if you have two DCs
running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be
different. 





Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.
On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a
remote machine?



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers; the rest (that also aren't working) are having accessibility issues with OWA (though they can still access their mailbox through Outlook).
On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue … only case I know
of. What are the issues you're having?



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


[ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-12 Thread Matt Hargraves
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it resolve to the SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?



Re: [ActiveDir] Isolating a DC

2006-09-12 Thread Matt Hargraves
Your best bet is to place it in a separate site within AD Sites and Services, I believe. This is the method that MS recommends for segregating DCs that are used for Exchange servers.

On 9/12/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
I'd like to isolate a DC from regular user authentication. I only want certain
applications/processes using it. Obviously it will need to replicate with the
other DCs. I don't have an interface on the firewall to use, so I would probably
have to do something software based on the DC itself. Any recommendations on
what to read, how to isolate it and what ports are required?

Bryan Lucas
Server Administrator
Texas Christian University


Re: [ActiveDir] Locking Down Wireless

2006-09-12 Thread Matt Hargraves
I think this is one of those "Why in the heck" things. Like "Why in the heck would you give someone a laptop with wireless if you don't want them connecting anywhere other than work?" and "Why in the heck are you giving them a laptop in the first place?".

There are some ways to do this, none of them are pretty.

1) Specify DNS Server and WINS settings. This is only a little ugly and after a few tries, they'll give up on connecting to anything other than the local network.

2) Disable DHCP and specify everything manually. In a smallish environment this isn't too much of a problem, the larger the environment, the more of a nightmare this becomes. This is really ugly though because now they can't connect to anything that isn't local to their local site.

The most obvious solution is to stop giving people laptops. If you don't want them doing things outside of your network, give them desktop computers and you won't have to worry about spending twice as much on hardware and then spending twice as much managing the items also. Lock down the desktop with a lockdown device and forget about this problem.

Alternatively, I think you could ACL the directory (or executable) where the application runs from and only allow SYSTEM to run it (this might break it though, so you'd want to do some testing first obviously). I haven't messed with the wireless connection wizard much and you might end up with people installing the wireless connection wizard for their particular wireless card, which would completely defeat the purpose of whatever you're doing anyway, unless they're not local admins.

Also, if they are using PC wireless cards, they can simply change PC card ports and they'll get a new device that they can probably configure however they want.

On 9/12/06, Dave Wade [EMAIL PROTECTED] wrote:

Folks,

Have I missed something in the new XPSP2 wireless configuration stuff. As far as I can see you can't prevent users connecting to non-preferred networks, even with Policy lockdown. Even if you hide the networks page on the adaptor, when the user is in a location where there is no network, the connection wizard still pops up. Anyone any solution to this?

Dave Wade
Stockport MBC


Re: [ActiveDir] OT: Management Solutions

2006-09-12 Thread Matt Hargraves
Yeah, I was thinking a combination of RIS, GPO deployed applications and LANDesk. I've been on projects where we utilized a combination of those methods to manage and deploy software. Worked great and unlike wonderful solutions like SMS, we could put in scripts as part of the application installation that would check to see if the app (patch, service pack, whatever) was installed first. The nice thing about this is that it would allow you to patch up a computer and then put it on the network if you wanted or just stick the box on the network and let the GPO do the work for you.
LANDesk does have some weaknesses though, mostly due to information overload.

On 9/12/06, Tim Vander Kooi [EMAIL PROTECTED] wrote:

Have you looked at the beta for System Center Essentials from
Microsoft? I think it would do a lot of what you are looking at. And for far
less money than Altiris. Altiris makes a great product, but it is very
much on the high end price-wise. Another product I would recommend looking at
would be LANDesk, last time I checked they were quite a bit cheaper than
Altiris.

Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan J. Gendron
Sent: Tuesday, September 12, 2006 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

Thanks for the suggestions. I'll go look around further. We're only around a
100+ user shop and while a full-featured solution would be nice, I'm very
concerned it would be over-kill and not money well-spent. I want to be a "good
steward" of the church's money.

Alan

Alan J. Gendron
Senior Network Specialist
Lutheran Church Extension Fund
Sunset Corporate Center
10733 Sunset Office Drive
St. Louis, MO 63127-1219
314.885.6596

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

Never used/heard of Kace. Looks like a kind of limited use appliance?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Paul
Sent: Monday, September 11, 2006 10:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

Have you tried HelpStar – works great. Inventory - use Kace box running FreeBSD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I use WSUS for patching in some decent size places. My strategy
has been to combine a variety of free products into a single system –
I've gotten good at it and I've also written glue when I need to.
My overall feeling is that I get more flexibility just gluing things together
than with a single baked product. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for
imaging (IMHO). I've tested and used many but Ghost is a mature project
which does what it says on the tin. You'll be surprised how forgiving it
is and how much you can do with varying software and hardware with a little
work.

In terms of helpdesk… well it's a minefield and a road I have travelled
many times. I have actually found that most of the time it's actually easier
to get a dev guy to come in and build a system which actually meets your
requirements. I have found this to be cheaper (most of the time) in the
larger organisations as every organisation has different SLAs, contracts,
processes, methods, etc.

I just recommend going onto sourceforge.net and typing 'helpdesk'
initially. This should get you going and you may find something that suits
your needs or something you can amend to fit. Yes, you can go for the bigger
boys, i.e. Hornbill, but you'll pay for it… have a sniff around and see
what fits your requirements.

In terms of patch deployment… I do like Patchlink. It will give you patch
deployment across most applications with good reporting. You also get
software and hardware inventory included in the price.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I have a lot of experience using Ghost for all of that but
helpdesk. Helpdesk I have worked with Peregrine (will empty your 

[ActiveDir] Active Directory DN for new setup

2006-09-12 Thread Matt Brown
Hi,
 
I'm wondering if it's possible to make the Active Directory DN like an LDAP
DN?
 
something like:
 
o=company,st=wa,c=us
 
instead of: dc=mydomain,dc=edu
 
I've been tasked with converting our OpenLDAP system over to an Active
Directory system and it would help the programmers out if I didn't change the DN
on them. Although I'm sure some of the things may change.
 
Thanks,
--
Matt Brown
Information Technology System Specialist V 
Eastern Washington University 
 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] Converting OpenLDAP to Active Directory

2006-09-12 Thread Matt Brown
Anybody seen any good resources or info on converting OpenLDAP to Active
Directory?

Thanks,
--
Matt Brown
Information Technology System Specialist V
Eastern Washington University


Re: [ActiveDir] W. in hell [List owner]

2006-09-05 Thread Matt Hargraves
In case nobody figured it out, this was a mistake. Brandon hasn't been receiving anything from the activedir list. Apparently he's been banned or something. (in case you didn't figure the rest out, I know him and asked if he was the same OP Brandon, which he confirmed)
He accidentally added the activedir list to a DL. I can understand blocking someone from sending until something like this is resolved, but he hasn't been receiving anything from the list either. Apparently this is a zero tolerance zone. Oddly enough, that's not in the FAQ, maybe it should be added.
Matt

On 9/3/06, Tony Murray [EMAIL PROTECTED] wrote:

Hey Brandon

Amusing though it is, the list is not really the place for this.

Tony (list owner)

-- Original Message --
From: Brandon Pierce [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Sat, 2 Sep 2006 23:13:41 -0600

George Bush has a heart attack and dies. He goes to hell, where the Devil is waiting for him.

"I'm not sure what to do," says the Devil. "You're on my list, but I have no room for you. As you definitely have to stay here, I'm going to have to let someone else go. I've got three folks here who weren't quite as bad as you. I'll let you decide who leaves."

George thought that sounded pretty good, so he agreed.

The Devil opened the first room. In it were Richard Nixon and a large pool of hot water. He kept diving in and climbing out, over and over. Such was his fate in hell.

"No!" said George. "I don't think so, I'm not a good swimmer and don't think I could stay in hot water all day."

The Devil led him to the next room. In it was Tony Blair with a sledgehammer and a room full of rocks. All he did was swing the hammer, time after time.

"No! I've got this problem with my shoulder. I would be in constant agony if all I could do was break rocks all day," commented George.

The Devil opened the third door. In it, George saw Bill Clinton lying on the floor with his arms staked over his head, and his legs staked in a spread-eagle pose. Bent over him was Monica Lewinsky, doing what she does best.

George Bush looked at this in disbelief for a while, and finally said "Yeah, I can handle this."

The Devil smiled and said, "OK, Monica, you're free to go!"

Sent via the WebMail system at mail.activedir.org


Re: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-05 Thread Matt Hargraves
Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:

Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED]

Sent via the WebMail system at mail.activedir.org


Re: [ActiveDir] Exclude from GPO

2006-08-23 Thread Matt Hargraves
Yeah, it's called creating a GPO that has that setting disabled (not "not defined", disabled). You could always look at it as having to create a whole new GPO because they want to define whatever that object is on everything else. If they didn't want to define that, you'd be golden and wouldn't have to do it.

In other words: Remove the setting from everything or you get to create a GPO to disable that setting.

On 8/23/06, Harding, Devon [EMAIL PROTECTED] wrote:

Is it possible to exclude a group of computers from ONE setting
from a particular GPO, but apply everything else in that GPO? I'd have
to create a whole new GPO just for one setting.

-Devon


Re: [ActiveDir] Restoring RID

2006-08-13 Thread Matt Hargraves
I always recommend transferring FSMO roles from a box before upgrading it, then moving it back after the upgrade is completed successfully. If you've got enough DCs to justify splitting FSMO roles, you've got enough to move it to another box for a week to upgrade the box.
On 8/13/06, Chong Ai Chung [EMAIL PROTECTED] wrote:
When the RID flexible single-master operations DC is restored, it may use old RID pool values, and it can cause the restored RID flexible single-master operations DC to begin issuing duplicate SIDs.

The best way is:

- use another DC to seize the RID master role.
- Rebuild the OS on the crashed DC and promote it back as a Domain Controller.
- transfer the RID master role back to the rebuilt DC.

Regards,

Ai Chung

On 8/14/06, Lucia Washaya [EMAIL PROTECTED] wrote:


Colleagues, We have a server which crashed during upgrade (2000 to 2003). Now we want to restore it.

Problem is this server is the RID holder and the documentation on the technet says:

Restoring the RID Master can result in Active Directory data corruption, so it is not recommended.

So what is the best way to restore this server?

Thank you in advance for your assistance

Regards,
Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)
==
The cobra will bite whether you call it Cobra or Dear Mr. Cobra.
==
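A check to go with Ai Chung's seize/rebuild/transfer steps above (example code added here, not from the thread; it assumes the ActiveDirectory module, Domain Admins rights and a placeholder DC name): it reads the domain's RID high-water mark, moves the RID master (a seize when the old holder is gone for good) and fails if the next RID to be issued went backwards, which is the duplicate-SID condition the thread warns about.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT) and Domain Admins rights; 'DC2' is a constructed placeholder name.
Import-Module ActiveDirectory

# rIDAvailablePool on CN=RID Manager$ is a 64-bit value: the high 32 bits hold
# the highest RID the domain may ever issue, the low 32 bits the next RID that
# will be handed out to a DC's pool. The low part must only ever increase; a
# restored (older) RID master can carry a smaller value and re-issue RIDs.
function Get-RidPoolState {
    param([Parameter(Mandatory)][string]$Server)
    $domain     = Get-ADDomain -Server $Server
    $ridManager = Get-ADObject -Server $Server -Properties rIDAvailablePool -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName)
    $pool       = [int64]$ridManager.rIDAvailablePool
    [pscustomobject]@{
        QueriedDC = $Server
        RidMaster = $domain.RIDMaster
        NextRid   = [uint32]($pool -band [int64]4294967295)
        MaxRid    = [uint32]($pool -shr 32)
    }
}

# Move the RID master to $TargetDC (graceful transfer by default, forcible
# seize with -Seize when the current holder is unreachable) and verify that
# the pool did not go backwards afterwards.
function Move-RidMasterChecked {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$Seize
    )
    $before = Get-RidPoolState -Server $TargetDC
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole RIDMaster -Force:$Seize -Confirm:$false
    $after = Get-RidPoolState -Server $TargetDC
    if ($after.RidMaster -notlike "$TargetDC*") {
        throw "RID master is still $($after.RidMaster); the move did not take effect on $TargetDC"
    }
    if ($after.NextRid -lt $before.NextRid) {
        throw "Next RID went from $($before.NextRid) back to $($after.NextRid): stale RID pool, stop creating objects and investigate"
    }
    $after
}

# Usage for the situation in the thread: seize the role on a surviving DC and
# never bring the crashed holder back without rebuilding it first.
# Move-RidMasterChecked -TargetDC 'DC2' -Seize
```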




RE: [ActiveDir] Computer bootup speeds

2006-08-09 Thread Matt Plahtinsky
Most times consulting, when I see slow login times it's due to DNS
misconfiguration issues. Are your computers pointing to your internal DNS
servers or an external DNS?  If they point to an external one it will take
about 5 min before it times out and looks inside.


Matt




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer bootup speeds


Is there any easy way to determine why it's taking so long for PCs in
our AD to boot up?  It sits at applying settings for quite awhile, so
I'm thinking it may have something to do with GPOs, but most computers
only have 2 or 3 GPOs applied to them.  I wouldn't think the GPOs would
take that long to apply though.  Sometimes it literally sits at applying
settings for 4 or 5 minutes!  
I guess I could move a computer to an OU with no GPOs and see, but are
there any other ways?

Thanks

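An added diagnostic for the two suggestions above, the DNS-pointing-outside cause and the "is it really the GPOs" question (example code, not from the thread; it assumes a Windows 8/2012 or newer client and is run on the slow machine): it asks each configured DNS server directly for the DC locator SRV record and lists how long recent boot-time Group Policy processing took.

```powershell
# Added example, not code from the thread. Assumes a Windows 8/2012 or newer
# client (for Get-DnsClientServerAddress, Resolve-DnsName and the Group Policy
# operational log) and that it runs on the machine that boots slowly.

# A client finds a DC only through the _ldap._tcp.dc._msdcs.<domain> SRV
# record. Each configured DNS server is queried directly: an external or ISP
# server does not have the record, and every such server that is tried before
# the internal one adds a timeout before the DC locator succeeds.
function Test-DcLocatorDns {
    param([string]$Domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain)
    $query      = "_ldap._tcp.dc._msdcs.$Domain"
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses -Unique
    foreach ($server in $dnsServers) {
        $sw  = [System.Diagnostics.Stopwatch]::StartNew()
        $dcs = @()
        try {
            # Resolve-DnsName also returns the A records of the SRV targets; keep SRV only.
            $dcs = @(Resolve-DnsName -Name $query -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
        } catch {
            # NXDOMAIN or unreachable server: this server cannot locate a DC.
        }
        $sw.Stop()
        [pscustomobject]@{
            DnsServer    = $server
            FindsDCs     = ($dcs.Count -gt 0)
            DCs          = ($dcs | ForEach-Object { $_.NameTarget }) -join ';'
            Milliseconds = $sw.ElapsedMilliseconds
        }
    }
}

# Event 8000 in the Group Policy operational log is written when computer
# (boot-time) policy processing completes and its text states how long it
# took, so slow DNS can be told apart from genuinely slow GPO processing.
function Get-BootPolicyProcessing {
    param([int]$MaxEvents = 5)
    Get-WinEvent -MaxEvents $MaxEvents -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 8000
    } | Select-Object TimeCreated, Message
}

Test-DcLocatorDns | Format-Table -AutoSize
Get-BootPolicyProcessing | Format-Table -Wrap
```

A DNS server listed first that shows FindsDCs = False is the case Matt describes; if every server finds DCs quickly but the event 8000 durations are still minutes, the delay is in policy processing itself.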


Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-08-01 Thread Matt Hargraves
I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc. I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box.

The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. It was more involving "I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user" than anything.

You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went "Huh?" because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects etc. User count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model.
On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
Richard doesn't seem to be too keen on giving us further
details – too bad.



But not sure why you – Matt - are talking about "breaking
1.25 GB" with respects to the 32-bit capabilities. By default 32-bit
Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using
the /3GB switch (provided sufficient physical memory). 



But irrespective of these limitations, I'd argue you should
move to Win2003 64bit DC anyways if you can. For example if you are doing a
hardware refresh at the same time. It is cheaper (meaning you can support more
memory for less licensing costs) and it will give you much more room to grow
for the future. 64bit drivers for x64 server hardware are no longer an issue
and even other important add-ons and management tools such as AV and Backup
etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD
DCs, even if they still handle the load today – you'll do yourself
a favor by moving to 64bit DCs as soon as you can. Time to learn all those
little quirks and challenges around handling this OS. This way you'll be
best prepared for when you really need to use 64bit Windows for other
applications.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what
everyone is saying can be summed up with the following:

What does the current environment look like?
How extensive is your Exchange deployment going to be?

Without some of that information, it's only going to be a vague guess that
anyone can give. I seriously doubt you need to worry about breaking 1.25
GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote:

To further add to this, it depends considerably on how populated
you want your GAL to be. Some people just let the mandatory Exchange attributes
get populated, others want the GAL to be the one stop shop for info on
employees so everything goes into the GAL which means everything goes into AD. 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag,
650MB without Exchange is quite a large AD – guess you'd be close to 100k
users in your forest, if you've used the standard attributes of the
objects in AD (and haven't added stuff like thumbnail pictures to your
users…).



After adding the Exchange schema
mods, the DIT shouldn't grow substantially, since AD doesn't use any space for
unused attributes – and the Exchange attributes for your object won't be
filled magically, until you mail-enable them. But once they are filled, it will
impact your AD (e.g. E2k3 adds 130 attributes to the Public Information
property set used by user class objects) 



It is very tough to make a guess
at the actual size you'd have with a fully deployed Exchange, but if you do
mail-enable the majority of your users (i.e. give them Exchange mailboxes) and
add DLs etc. and assuming my guess with 100k users is in the right ballpark
your AD DIT would easily grow to 3-5 GB.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully dep

Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-08-01 Thread Matt Hargraves
Just to be honest, it sounds like I made a bad assumption... that AD holds as much information (or more) natively as it does for Exchange. From what Joe is saying, it sounds like Exchange is a huge AD bloat monster.
Not that it's a problem for many environments, just the larger ones. I'd be interested to hear about that environment that Joe was talking about where a DIT went from 900MB to 6GB (and was that defragged?). I mean... holding 5x the native information of AD in *just* the Exchange extensions? Wow... I'd swear if someone wouldn't send me naughty boy messages.
On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
Not disagreeing with you Matt – we're all just in a
guess mode without RM providing more information. I love those posts to lists
where the original poster never gets back on the questions being posted to
his questions…



Anyways – I just made the point that his DIT size is not
small for a company not running Exchange. The number of users given was just an
example – more likely 100k vs. 5k users… And naturally most "corporate"
environments then have a similar amount of computer accounts and a strongly
varying number of groups (totally depends on group model being used). And even if
his AD already included Exchange we couldn't easily tell how large his
environment is, simply because there are so many dependencies. That's why
I gave those numbers using assumptions – certainly nothing to take as a fixed
value.



Heck, we don't even know his DC version (Win2003 single
instance storage of ACE has a huge impact on DIT size) or if he has disabled
Distributed Link Tracking (DLT), which adds a ton of garbage to every DC. Provided
you have sufficient file servers in your AD and are happily moving data around between
the servers (or between volumes), DLT alone can eat up many hundred meg of your
AD DIT. Did he defrag or not? Etc. 

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 10:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I'm not sure what else he's running on his DC. He might be running complex
intrusion detection software, DNS, WINS, etc.

I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe
not crap, but you know what I'm saying) running on the DC that I'm sure plenty
of us would love to see running on a different box.

The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. It was
more involving "I seriously doubt that your DIT is going to double in size
unless you're populating as few as possible fields and have like 3 groups per
user" than anything.

You made a comment about him having a large environment with 100k+ users to
have a 650MB DIT and I just kinda went "Huh?" because we're running a 3+GB DIT
with just over half that number. Every environment is completely different and
there are a lot of different things that impact the DIT outside of user count.
Groups, GPOs, OUs, computer objects etc. User count might be a reasonable gauge,
but I don't think that ~6k DIT per user object is a reasonable assumption unless
it's a newer environment with a nice spanking new RBS model.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

Richard doesn't seem to be too
keen on giving us further details – too bad.



But not sure why you – Matt
- are talking about breaking 1.25 GB with respects to the 32-bit
capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx.
1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient
physical memory). 



But irrespective of these
limitations, I'd argue you should move to Win2003 64bit DC anyways if you can.
For example if you are doing a hardware refresh at the same time. It is cheaper
(meaning you can support more memory for less licensing costs) and it will give
you much more room to grow for the future. 64bit drivers for x64 server
hardware are no longer an issue and even other important add-ons and management
tools such as AV and Backup etc. are catching up quickly. So try not to use the
32bit WinOS versions for AD DCs, even if they still handle the load today
– you'll do yourself a favor by moving to 64bit DCs as soon as you can.
Time to learn all those little quirks and challenges around handling this OS.
This way you'll be best prepared for when you really need to use 64bit
Windows for other applications.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what everyone is saying can
be summed up with the following:

What does the current environment look like?
How extensive is your Exchange deployment going to be?

Without some of that i

[ActiveDir] Need some user/group tools...

2006-08-01 Thread Matt Hargraves
This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.

1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)
3) I need to be able to export a list of groups with their list of members and memberships. (NT objects)

Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a vbscript to do the grunt work of it in Access or something like that.

Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL.

Thanks for any help that can be provided.
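One way to produce the AD-side exports asked for above, including the cross-domain "connect the dots" step (example code added here, not the poster's; it assumes the ActiveDirectory module, read access to every domain involved, and the constructed domain names at the bottom). Nested membership is expanded by querying each member against the domain named in its own DN; NT4 domains are not covered.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT) and read access to every domain referenced; the domain names at the
# bottom are constructed placeholders. NT4 (non-AD) domains are not covered.
Import-Module ActiveDirectory

# Which domain holds an object, derived from the DC= parts of its DN, so that
# a member living in another domain is looked up against that domain's DCs.
# The split ignores escaped commas (e.g. "CN=Smith\, John,OU=...").
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dc = ($DistinguishedName -split '(?<!\\),') | Where-Object { $_ -like 'DC=*' }
    return (($dc | ForEach-Object { $_.Substring(3) }) -join '.')
}

# 1) Users with their direct group memberships (one row per user/group pair).
#    memberOf, as read from the user's own domain, lists that domain's groups
#    only and omits the primary group; the group-side export below is the
#    authoritative cross-domain view.
function Export-UserGroupMembership {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$OutFile)
    Get-ADUser -Filter * -Server $Domain -Properties memberOf | ForEach-Object {
        $user = $_
        foreach ($groupDN in $user.memberOf) {
            [pscustomobject]@{ Domain = $Domain; User = $user.SamAccountName; GroupDN = $groupDN }
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

# 2) Recursive, cross-domain expansion of one group. Each row records the
#    member, its class and the nesting path it was reached through. The visited
#    set stops infinite loops when groups are nested in a circle and expands
#    each nested group once per root group.
function Expand-GroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string]$Path = '',
        [System.Collections.Generic.HashSet[string]]$Visited = (New-Object -TypeName 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase))
    )
    if (-not $Visited.Add($GroupDN)) { return }
    $group = Get-ADGroup -Identity $GroupDN -Server (Get-DomainFromDN $GroupDN) -Properties member
    $here  = if ($Path) { "$Path > $($group.SamAccountName)" } else { $group.SamAccountName }
    foreach ($memberDN in $group.member) {
        # Members from trusted forests appear as foreignSecurityPrincipal
        # objects in this domain; their DN carries the SID rather than a name.
        $member = Get-ADObject -Identity $memberDN -Server (Get-DomainFromDN $memberDN) -Properties objectClass, sAMAccountName
        [pscustomobject]@{
            RootGroup   = $GroupDN
            Member      = $member.sAMAccountName
            MemberDN    = $memberDN
            MemberClass = $member.objectClass
            Via         = $here
        }
        if ($member.objectClass -eq 'group') {
            Expand-GroupMembership -GroupDN $memberDN -Path $here -Visited $Visited
        }
    }
}

# 3) Every group of a domain, fully expanded, to CSV.
function Export-GroupMembership {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$OutFile)
    Get-ADGroup -Filter * -Server $Domain |
        ForEach-Object { Expand-GroupMembership -GroupDN $_.DistinguishedName } |
        Export-Csv -Path $OutFile -NoTypeInformation
}

# Constructed domain names; one pair of CSV files per domain, ready for Access or SQL.
foreach ($domain in 'corp.example.com', 'child.corp.example.com') {
    Export-UserGroupMembership -Domain $domain -OutFile "users-$domain.csv"
    Export-GroupMembership     -Domain $domain -OutFile "groups-$domain.csv"
}
```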



Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core

2006-08-01 Thread Matt Hargraves
Well, the problem of the postit note is that the people doing it are a bit more circumspect than they used to be. They don't post it with Password: ilikebananas and they don't necessarily put it on their monitor (though it hasn't been that long since I saw that and I always at the very least scold them and always make sure they take it down and throw it away themselves... taking ownership of disposing of eliminating their security risk). They stick it under their keyboards, in the top drawer of their desk... basically taking it out of sight so that we won't catch them. Unfortunately the people who are trying to breach your security are at least smart enough to check the top drawer, under the keyboard, under the monitor, under the paperweight, etc...
I for one, would love to see AD related security taken a lot more seriously. Restricting the Domain Admins group members, applying more granular security throughout the environment so that if I need to create computer objects in the User workstations OU, then I can create them there and only there. If I can only change the user's homedrive location, then that's all I get the rights to do. It's only a lot of work when you first implement it and after it's done, then your overhead is mostly done and the minor cost of maintaining it is relatively low. Unfortunately it's difficult to get the momentum going to implement this level of security.
As for security models, whether RBS or ABS... problems abound. RBS is easy to audit, but grants rights that aren't necessarily required. ABS bloats quickly and ends up with someone having membership in many groups that haven't been needed for the past 18 months (or longer) because the group administrator added the user for a one-time reason and never removed them and on the last 18 once per month (or quarter or whatever) security audits, they verified that the user still needs those group memberships, out of sync with reality.
Which is better? I think both can be ugly on their face when taken alone. Using a combination of the two is hopefully better (when people aren't getting added into both), but with the volume of data in many environments, it gets more and more difficult to control that data with any reasonable level of confidence, no matter what you do with your security model.
On 8/1/06, joe [EMAIL PROTECTED] wrote:

Interesting thoughts there...

My only tongue in cheek response right off (though this will bubble in my head for some time) is that most predators are brighter than many people doing admin work and we still need them to be able to find the systems... ;o)

Raise your hand if in the last year you saw a postit with a password on it? Keep your hand up if you did anything about it like ripping it up and talking to the person? If your hand went down, was it yours by any chance?

How many people now see a security problem and shake their head and say, wow that isn't good but there isn't anything I can do about it and then continue on your day. That is the kind of stuff that really needs to stop.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 01, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core

On a totally serious note to Joe's tongue in cheek posting Go to a zoo(1).. and you'll hear stories of how each animal has natural 'protection' from their predators. Each animal has evolved to ensure they have some level of camouflage in the way of color/features etc so that when their predator targets them they attempt to blend into the background. Some plants and animals depend on other plants and animals to survive. There's a unique falcon that will only nest in leftover Weaver bird nests.. they don't build their own..but by moving into a Weaver bird area, they act as bouncers at the door and keep out the predators that prey on the Weaver birds.

Given that here's what nature does to protect itself what (if anything) has the computing industry done to camouflage to reduce risk? (call me wacko) but it seems to me that we do a lot of footballish type of security models.. offensive moves and defensive moves. (Isn't RODC a defensive move?) Do we and can we add lessons from nature into future networks?

(1) Lessons learned from camping in a zoo...yes.. this high maintenance female stayed in a tent in a zoo... if you are going to be without power and electricity camping in a zoo at the San Diego Zoo's Wild Animal Park's Roar and Snore is the way to do it.

Matt Hargraves wrote:
 Joe's blog doesn't seem to say anything about what DSI actually *is*.
 I'm not seeing it as a security model beyond my impression of it being Don't tell anyone what your security infrastructure looks like or something like that.
 On 8/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
 [EMAIL

Re: [ActiveDir] Need some user/group tools...

2006-08-01 Thread Matt Hargraves
That's not even fair... I own that book already. I was hoping to avoid doing the scripting part... but that being said, how much of that will work in NT domains to get groups and their members/memberships?
On 8/1/06, Michael B. Smith [EMAIL PROTECTED] wrote:

You can certainly get all the piece parts from here:

http://rallenhome.com/books/adcookbook/code.html

And you can use joe's wonderful adfind (or dsquery if you were to insist) to do much of the gruntwork. I show you some examples here:

http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some user/group tools...

This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.

1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)
3) I need to be able to export a list of groups with their list of members and memberships. (NT objects)

Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a vbscript to do the grunt work of it in Access or something like that. Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL.

Thanks for any help that can be provided.
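As an added example (not code from the thread, nor from adfind, dsquery or the AD cookbook scripts mentioned above), here is the 'connect the dots' step once the three exports exist. It models the exported tables as one in-memory dictionary of constructed sample data (CORP as the AD domain, LEGACY as the NT-style domain), resolves nested and cross-domain membership in both directions, terminates on circular nesting, and writes the two CSV shapes Matt asked for. Every domain, group and account name in it is made up.

```python
"""Nesting-aware, cross-domain group membership export.

Added example, not code from the thread. The three exports Matt describes
are modelled as one in-memory table of constructed sample data: CORP is the
AD domain, LEGACY the NT-style domain. Members are "DOMAIN\\name" strings
and may themselves be groups (nesting) or live in the other domain.
"""
import csv
import io
from collections import deque

# Constructed sample data: group -> direct members (users or groups).
GROUP_MEMBERS = {
    r"CORP\Domain Admins":  [r"CORP\alice", r"CORP\AD-Tier0"],
    r"CORP\AD-Tier0":       [r"CORP\bob"],
    r"CORP\Finance-RO":     [r"CORP\carol", r"LEGACY\FinanceUsers"],
    r"LEGACY\FinanceUsers": [r"LEGACY\dave", r"LEGACY\FinanceMgrs"],
    r"LEGACY\FinanceMgrs":  [r"CORP\carol"],
    r"CORP\Cycle-A":        [r"CORP\Cycle-B"],                 # circular nesting,
    r"CORP\Cycle-B":        [r"CORP\Cycle-A", r"CORP\erin"],   # must terminate
}


def is_group(name):
    return name in GROUP_MEMBERS


def _parents():
    """Reverse index: member -> groups that list it directly."""
    parents = {}
    for group, members in GROUP_MEMBERS.items():
        for m in members:
            parents.setdefault(m, []).append(group)
    return parents


def effective_groups(user):
    """Every group the user is in, directly or through nesting, in any
    domain. Breadth-first over the reverse index; `seen` stops cycles."""
    parents = _parents()
    seen, queue = set(), deque(parents.get(user, []))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parents.get(g, []))
    return sorted(seen)


def effective_members(group):
    """Every user account reachable from the group, with nesting flattened."""
    seen, users, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in GROUP_MEMBERS.get(g, []):
            if is_group(m):
                queue.append(m)
            else:
                users.add(m)
    return sorted(users)


def all_users():
    users = set()
    for members in GROUP_MEMBERS.values():
        users.update(m for m in members if not is_group(m))
    return sorted(users)


def export_users_csv():
    """One row per (user, effective group); `direct` says whether the
    membership is explicit or inherited through nesting."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["user", "group", "direct"])
    for user in all_users():
        direct = {g for g, ms in GROUP_MEMBERS.items() if user in ms}
        for g in effective_groups(user):
            writer.writerow([user, g, "yes" if g in direct else "no"])
    return buf.getvalue()


def export_groups_csv():
    """One row per (group, effective user member)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["group", "member"])
    for g in sorted(GROUP_MEMBERS):
        for m in effective_members(g):
            writer.writerow([g, m])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_users_csv())
    print(export_groups_csv())
```

Feeding real exports in means replacing GROUP_MEMBERS with rows read from the AD and NT CSV files; the `direct` column is what makes the Access or SQL import useful for the 18-months-stale-membership audits discussed earlier in the list, since inherited rows disappear on their own when the nesting is fixed.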




Re: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-07-31 Thread Matt Hargraves
By revoking Domain Admins I mean revoking their membership...
On 7/31/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I'd think of revoking Domain Admins and granting them their rights via an RBS group in AD. Changing the rights of the built-in admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group.
Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down.
Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.
On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:
Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the Enterprise Admins group / Group Policy Creator Owners. Is it possible? Thanks in advance.

Andy






Re: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-07-31 Thread Matt Hargraves
I'd think of revoking Domain Admins and granting them their rights via an RBS group in AD. Changing the rights of the built-in admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group.
Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down.
Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.
On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:
Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the Enterprise Admins group / Group Policy Creator Owners. Is it possible? Thanks in advance.

Andy




Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-07-31 Thread Matt Hargraves
I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.
On 7/29/06, joe [EMAIL PROTECTED] wrote:

To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the "standard" attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…).

After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your object won't be filled magically, until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects).

It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc., and assuming my guess with 100k users is in the right ballpark, your AD DIT would easily grow to 3-5 GB.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure...

thx,
RM




Re: [ActiveDir] schema extensions for Vista wireless networking GP support

2006-07-31 Thread Matt Hargraves
I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.
On 7/28/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

In case anyone is interested, here's a doc that describes the AD schema extensions that will be required to support the new wireless networking Group Policy stuff in Vista:

http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.






Re: [ActiveDir] OT: HP disk array expansion

2006-07-27 Thread Matt Hargraves
I'm not understanding why the OP doesn't just stick the new drives in, create the new RAID set from those, create the drives and restore from tape to the new RAID drives. As long as he does it on a Sunday, it shouldn't really take more than an hour to get the old drives out and the new ones in (and the RAID built), then he just needs to worry about restoring from tape to the new location.
On 7/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Maybe I misunderstand the post but why rebuild in this scenario?

All the OP needs / wants to do is to add disks and to expand the existing arrays. He requires no or minimal downtime too. This can be achieved as the OP described.

FWIW: I have performed this (not in the last 5 years) on many occasions and whilst the process can take some time to complete, it is relatively trivial to accomplish and AFAIK can be performed with zero downtime.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Buford
Sent: 27 July 2006 00:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

I would use the ghost method, I've done this numerous times with servers and never ran into a problem. All in all it really is a fast solution. And since you're doing it over the wire you can speed the process up by using gigabit components.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Wednesday, July 26, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

This sounds like the safest way to do it, but you will have some downtime. I've done it (on a Dell box) the way you described: swapping one disk at a time, and there is downtime that way, too (in addition to the severe performance hit of the array having to rebuild several times).

From: Blair, James [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

James,

Have been in a similar situation on numerous occasions with HP ML350 G3/G4's. In our case we installed a firewire card and a Lacie drive or utilised the native USB to portable HD and Acronis True Image. We imaged the disks and then pulled them out and put the new ones in and imaged it back, works nicely… This solution even worked for an Exchange server and if it all fails you can simply put the old disks back in and be back where you started…

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Carter
Sent: Thursday, 27 July 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: HP disk array expansion

Hi,

I have a HP ML370 Proliant Server. It currently has 4 x 36GB in a RAID 5 set.

I want to upgrade the disk capacity of this server. I have bought 4 x 300gb disks as replacements.

At present I have 4 x 36GB disks in the server. I was told I could replace one disk in the RAID with a 300GB, let the raid rebuild and do the next disk. Repeat until all of the disks are 300GB and then I can look in the ACU and create a second logical drive that sees all that new space.

Can this be done? Anyone know how long it would take to rebuild? Currently there is 90gb used in the current volume.

My other alternative is to buy a Tape Drive, backup, break array, create new array and then restore but this department don't want any downtime.

Anyway shed some light as to which is the best method to take?

thanks James

__________
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447

Re: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Matt Hargraves
Having gone through this quite a bit recently, I'll see if I can give you some help on this. Every security group on a user's token adds about 45 bytes to the token, and sometime around 80 security groups you can expect a token to break 4k and bump up to 8k. This will have the most impact on Exchange until you bump up to Exchange 2007 and a 64-bit OS.
When debating between server local and domain groups (whether domain global or domain local), you have to decide between ease of management (domain groups) and ease on tokens (server local groups). Ideally, you will have an RBS model in place where a user is a member of a half dozen or so role-based groups which will grant access to shares, instead of an Access Based Security (ABS) model. ABS creates a group (or groups) for each resource that needs access defined and then places all users and/or groups within that group. That's great in a user domain/resource domain architecture. If you don't have that though, you are just using a lot of redundant groups.
I would recommend securing your shares and/or resources with role-based groups first, then if additional persons need access to a share or resource, grant them access through the ABS group at the domain level. Having to connect to 25 different file shares to manage share security is insane, and nesting each group into 2-12 other groups ends up with a security model that quickly becomes very convoluted and difficult to map out. The one thing that an ABS model does do is make auditing access easier. But if you're making your day to day management of that model significantly more time consuming (by going with server local groups), then it's probably just easier to start defining items by RBS groups instead anyway. Not to mention that auditing server local groups is almost as much of a pain, if not more of one, as getting a tool that will go out and show you the share-level (or even file/directory level) ACLs (www.winzero.ca has one). I know that MS recommends local server groups as an alternative when users end up with large amounts of security groups, but I feel that managing those objects is unwieldy enough (particularly in larger environments with a large number of file servers) to where you'd almost need to add a small team just to manage the shares. I'd rather double my number of Exchange servers and have everyone at 8k tokens than add 4 employees at $x per hour just to manage server local groups.
That's my take on it... I'm sure you'll end up with another 20 other opinions from 20 other people though.

On 7/26/06, Wyatt, David [EMAIL PROTECTED] wrote:

I'd be interested to hear peoples strategy for permissioning windows based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource. We only have a single forest/domain.

I am also aware of Universal groups but lets put these to one side for the moment..;-)

Thanks
David

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
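Added example, not from the thread, that puts numbers on the token-size trade-off Matt describes between domain groups and server-local groups. It applies the estimation formula from Microsoft KB 327825 (1200 bytes of fixed overhead, 40 bytes per domain local or foreign universal group, 8 bytes per global or same-domain universal group) to an already nesting-expanded group list, and compares the same 30 share permissions modelled once as domain local groups (the ABS pattern) and once as server-local groups, which never enter the token at all. The group names and scopes are constructed, and the 12000-byte MaxTokenSize used as the ceiling is the pre-Windows 8/Server 2012 default, assumed here for the illustration.

```python
"""Kerberos token-size estimate for a user's effective group list.

Added example, not from the thread. Uses the estimation formula from
Microsoft KB 327825:

    TokenSize = 1200 + 40 * d + 8 * s

d = domain local groups + universal groups from outside the user's own
    domain (stored as full SIDs)
s = global groups + universal groups from the user's own domain (stored
    as RIDs only)

Server-local groups are resolved on the member server and never appear in
the token, which is the trade-off discussed in the thread. Names, scopes
and the MaxTokenSize ceiling are assumptions made for the illustration.
"""
from dataclasses import dataclass

OVERHEAD = 1200           # bytes of fixed ticket overhead (KB 327825)
PER_D_GROUP = 40          # domain local / foreign universal
PER_S_GROUP = 8           # global / same-domain universal
MAXTOKENSIZE = 12000      # default before Windows 8 / Server 2012 (assumed here)


@dataclass(frozen=True)
class Group:
    name: str
    scope: str     # "global", "domainlocal", "universal" or "serverlocal"
    domain: str


def classify(group, user_domain):
    """Return 'd', 's' or None (not in the token) for one group."""
    if group.scope == "serverlocal":
        return None
    if group.scope == "domainlocal":
        return "d"
    if group.scope == "universal":
        return "s" if group.domain == user_domain else "d"
    if group.scope == "global":
        return "s"
    raise ValueError(f"unknown scope {group.scope!r} for {group.name}")


def token_size(groups, user_domain):
    """Estimated token bytes for an already nesting-expanded group list."""
    d = sum(1 for g in groups if classify(g, user_domain) == "d")
    s = sum(1 for g in groups if classify(g, user_domain) == "s")
    return OVERHEAD + PER_D_GROUP * d + PER_S_GROUP * s


def headroom(groups, user_domain, limit=MAXTOKENSIZE):
    """Bytes left before the token exceeds `limit` (negative means over)."""
    return limit - token_size(groups, user_domain)


# Constructed comparison: six role groups plus the same 30 share
# permissions, modelled once per Matt's ABS description (one domain local
# group per share) and once with a server-local group per share.
ROLES = [Group(f"Role-{i}", "global", "CORP") for i in range(6)]


def abs_design(shares=30):
    return ROLES + [Group(f"Share{i}-RW", "domainlocal", "CORP") for i in range(shares)]


def serverlocal_design(shares=30):
    return ROLES + [Group(f"Share{i}-RW", "serverlocal", "FS01") for i in range(shares)]


if __name__ == "__main__":
    for label, design in (("domain local per share", abs_design()),
                          ("server local per share", serverlocal_design())):
        print(f"{label}: ~{token_size(design, 'CORP')} bytes, "
              f"headroom {headroom(design, 'CORP')} bytes")
```

The point of the comparison is that the domain local groups are what cost 40 bytes each; role (global) groups are cheap at 8, so a design that keeps users in a handful of roles and puts the per-resource groups either on the server or in domain local groups that are not nested into each other stays far from the ceiling.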

 





Re: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Matt Hargraves
Somehow I avoided answering your question the first time... Going global role-based group and local task-based group is pretty standard in larger environments. You create the global group to hold users and the local group to hold users. The purpose for this is so that you can nest multiple role-based groups into your task-based group and quickly modify the task-based group and have it apply across the share/resource.
The only problem with this model is being careful how you quantify when a new task-based group is needed. Be careful not to create a new task-based group (and similarly named role-based group for that task-based group) for everything under the sun or you'll find your users quickly becoming members through nesting of 100+ groups and finding your Exchange servers running out of paged pool memory space.
There are plenty of articles on Microsoft's site about Exchange and paged pool memory, you can also look at the Exchange Team Blog site (msexchangeteam.com I think).





Re: [ActiveDir] Question on restricted group policy.

2006-07-26 Thread Matt Hargraves
From my experience, Restricted Groups settings simply state what the computer (or domain controller, if you stick the setting in your DCs' GPO) will make sure the group memberships are going to be when it checks the GPO. If you set the Administrators group to be "Domain Admins; groupa; groupb" then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (or domain group for a DC) contains Domain Admins; groupa; groupb; builtin\Administrator.
Just so you know, like with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added, or adding whatever was removed. This may be 2 minutes later or 2 hours later. This is the same as if you set a service to disabled: an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service it will remain started until the computer is restarted or someone manually stops it).
If you remove the GPO setting, then it simply won't check the group memberships for those groups any more. Or at least that's my interpretation. Kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it; it won't change the current settings, though you can now manually change them and they won't be reverted.
I guess I think of a GPO as being a "Go make sure that everything is like this and if it isn't, make it like this" kind of thing and that's the way I always see it actually get applied. If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated that they would be.
On 7/26/06, Derek Harris [EMAIL PROTECTED] wrote:

Yes -- I've done that, and that's how it worked for me.

From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on restricted group policy.

This somewhat depends upon which side of Restricted Groups you're using (i.e. "Members of this Group" or "This group is a member of"). If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy).

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on restricted group policy.

Hey,

Created a restricted group policy for my domain that adds some groups to the local administrators group of the workstations. My question is now management wants me to delete it. If I understand the way this works is that if I delete it then it will delete the groups that were associated with this policy thus leaving nobody in the local admin group. Am I correct...

v/r
john
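Added example, not from the thread and not Microsoft's code, that models the three behaviours Matt and Darren describe so they can be checked against constructed data: "Members of this group" converges the local group to the policy list plus the built-in Administrator on every refresh (so a member added by hand is stripped again, and an empty list empties the group except for Administrator), "This group is a member of" only ever adds, and deleting or unlinking the policy leaves the current membership as it stands. Every group and account name in it is invented.

```python
"""Simulation of how Restricted Groups settings are applied.

Added example, not from the thread and not Microsoft's code. It models the
behaviour described in the discussion on constructed data:
  * "Members of this group": on every Group Policy refresh the local group's
    membership is made equal to the policy list plus the built-in local
    Administrator account, which is never removed.
  * "This group is a member of": the principal is added to the target
    groups; nothing is ever removed.
  * Deleting or unlinking the policy stops enforcement and leaves the
    current membership as it is (nothing is un-applied).
Group and account names are invented.
"""
from dataclasses import dataclass, field

BUILTIN_ADMIN = "BUILTIN\\Administrator"   # always retained by the engine


@dataclass
class Machine:
    """Local groups of one workstation: group name -> set of members."""
    local_groups: dict = field(default_factory=dict)

    def members(self, group):
        return set(self.local_groups.get(group, set()))


def apply_members_of(machine, group, policy_members):
    """'Members of this group': converge to policy + built-in Administrator.
    Returns (added, removed) so a caller can log what the refresh changed."""
    desired = set(policy_members) | {BUILTIN_ADMIN}
    current = machine.members(group)
    machine.local_groups[group] = desired
    return desired - current, current - desired


def apply_member_of(machine, principal, target_groups):
    """'This group is a member of': additive only. Returns groups changed."""
    changed = set()
    for target in target_groups:
        members = machine.local_groups.setdefault(target, set())
        if principal not in members:
            members.add(principal)
            changed.add(target)
    return changed


def refresh(machine, policies):
    """One Group Policy refresh. `policies` is a list of
    ("members_of", group, [members]) or ("member_of", principal, [groups]).
    An empty list (policy deleted/unlinked) changes nothing."""
    log = []
    for kind, subject, targets in policies:
        if kind == "members_of":
            added, removed = apply_members_of(machine, subject, targets)
        elif kind == "member_of":
            added, removed = apply_member_of(machine, subject, targets), set()
        else:
            raise ValueError(f"unknown setting {kind!r}")
        log.append((kind, subject, added, removed))
    return log


def demo():
    """Walk through the scenario from the thread and return the final
    Administrators membership."""
    pc = Machine({"Administrators": {BUILTIN_ADMIN, "CORP\\helpdesk-bob"}})
    policy = [("members_of", "Administrators",
               ["CORP\\Domain Admins", "CORP\\WksAdmins"])]
    refresh(pc, policy)                      # bob stripped, two groups added
    pc.local_groups["Administrators"].add("CORP\\rogue")   # local edit
    refresh(pc, policy)                      # rogue stripped at next refresh
    refresh(pc, [])                          # policy removed: no change
    return pc.members("Administrators")


if __name__ == "__main__":
    print(sorted(demo()))
```

The practical consequence for John's case follows from the last line of `demo()`: after the GPO is deleted the groups the policy put into Administrators are still there, so removing them is a separate, deliberate step (for example one final refresh with the list emptied, which the simulation shows leaves only the built-in Administrator).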





Re: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Matt Hargraves
 environment either. 10,000 empty groups aren't going to significantly affect your environment and if you have 64-bit DCs, 100,000 (or 1,000,000) empty security groups won't significantly impact your environment, so don't hesitate to have them in place so that if you need them, you can use them instead of running around in circles when you *do* find you need them. Do a little work now and save yourself some work later do both, but consider the role-based groups to be the preferred path.
On 7/26/06, Dan Holme [EMAIL PROTECTED] wrote:

That's what I get for reading my inbox "up"… David: do read my treatise in my earlier email.

But Matt Hargraves' response did raise the one technical issue I only alluded to: token size. He's right to raise a 'flag' about Exchange.

Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective 'maximum users per exchange server' level somewhat… but whether that 'somewhat' would be salient depends on several factors.

To "tie together" what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS. You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources; more complex security; and more 'spread out' resources and you'll be better served by the design I described. In a simpler environment (e.g. "we have a departmental share with each department having a subfolder" on the extreme side), you don't necessarily need the ABS layer.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: Wednesday, July 26, 2006 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Local Groups vs Global Groups













Re: [ActiveDir] Test Environments

2006-07-25 Thread Matt Hargraves
It sounds like you have a good test environment. The only problem is that people may be scheduling their testing a little too tightly. They need to understand that this is a *TEST* environment. That means it's in a constant state of relative flux and that at any point in time, it could possibly go down for an hour or even possibly a day or two. It will largely be available, but it's not production and they shouldn't be expecting to receive the level of support and uptime that they receive in the production environment. If they expect that, they need to find a way to test outside your test environment. If their schedules are slipping because of the availability of the test environment, then they're not putting enough extra time into their plans and need to start consulting you before deciding when to test and how much time it's going to take.
It may sound like I'm being harsh on them, but it sounds like they are really expecting too much from a test environment and that's because there isn't enough consulting occurring. It really sounds like you need to possibly make a testing calendar so that everyone (or maybe even just you) has a list of applications that are being tested in the environment, and when schema updates and other items which can affect multiple ongoing tests occur, the relevant persons can be notified so if they need to reschedule their testing or adjust their testing schedule, they can.
On 7/25/06, WATSON, BEN [EMAIL PROTECTED] wrote:

I was hoping to get some input from some of you to better
understand how you handle the design of test environments for application
testing. For example, I built a so-called "Offnet" which is a
duplicate of our production domain. We have a couple domain controllers
restored from tape backup, we have Exchange running, and various other
production services using the same domain name and hostnames providing for a
very production-like test environment. As time progressed, other production
servers duplicated themselves into this test environment and we now have quite
a number of people doing the majority of their testing in this
environment. Unfortunately, as more and more people have begun to use
this environment for testing, we have found that people are beginning to step
on each other's toes. For instance, I used this test environment to walk
through the domain upgrade to 2003 and when there was some downtime other
people were unable to do their own testing.



So I was curious, how do you handle providing a working test
environment for people that need it? At this point, we are trying to
determine a better way for people to do their testing away from production.



Thanks,

~Ben

Re: [ActiveDir] Enumerating Group type and Membership...

2006-07-25 Thread Matt Hargraves
You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled. Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting. That would be an awesome feature in the ADUC. Maybe I should submit that feature request to Quest and Microsoft.
On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:

I need all Security Groups and Distribution
groups – and their members

Thanks Laura!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Membership...

What is everything [you] need, specifically?

Thanks,

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Membership...

All,

I'm trying to enumerate all groups in my AD environment. I
need to get Group name, group type and group members for each group…

I've tried some sample VBScripts from
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull back
everything I need - Any help would be great! In a perfect world :) I need a list of all security
groups and distribution groups and their members

Thanks,

Mike

Enumerate Security Groups and Members in Domain

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640)))" -j c:\tmp

Enumerate Distribution Groups and Members in Domain

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))" -j c:\tmp

Re: [ActiveDir] Enumerating Group type and Membership...

2006-07-25 Thread Matt Hargraves
Getting a list of groups is easy... getting it all enumerated will be a bit more complex, though not terribly so. The ADUC allows you to create queries and list all security groups. You can then export this list to a file. Once you have the file, you need to import that list into Excel (pretty easy), then run a VBScript against it with LDAP or ADSI scripting in it (or something like that) to enumerate group members. If they want nested members also, then you've got a lot more complex issue, but I would just state that it's not practical and let him work with the current list.
Hopefully the resulting gargantuan file will be enough to make anyone choke and stop making ridiculous requests that they don't understand the futility of. Enumerating 10k groups simply so that you can toss the list out later that week because it's just going to get more and more out of date is worse than silly, it's a waste of company effort (and money). Make it too easy for him to generate that report and soon he'll be wanting to see what items they have access to in the environment, so you'll end up enumerating out all files and shares and rights assignments on computers.
On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:

We're medium size – and yes someone does want a current outdated
list :) -

Just trying to make it happen….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Membership...

You either have a small
environment or someone wants a document that will be completely outdated 12
minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting.
That would be an awesome feature in the ADUC. Maybe I should submit that
feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:

I need all Security Groups and Distribution
groups – and their members

Thanks Laura!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Membership...

What is everything [you]
need, specifically?

Thanks,

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Membership...

All,

I'm trying to enumerate all groups in my AD environment. I need to get Group
name, group type and group members for each group…

I've tried some sample VBScripts from
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull back everything I
need - Any help would be great! In a perfect world :) I need a list of all security groups and
distribution groups and their members

Thanks,

Mike

Enumerate Security Groups and Members in Domain

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640)))" -j c:\tmp

Enumerate Distribution Groups and Members in Domain

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))" -j c:\tmp
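Two things the thread leaves to the reader are what the groupType numbers in Mike's csvde filters actually encode, and how to expand the nested membership Matt mentions that a flat export does not give you. The script below is an added example, not code from this thread: it decodes groupType into category and scope and flattens nested members with cycle protection, over a constructed sample laid out like a csvde export (the DNs and group names are invented).

```python
import csv
import io

# groupType bit flags. csvde prints the value as a signed 32-bit integer, so a
# security-enabled group (bit 0x80000000) comes out negative, e.g. -2147483646.
GT_GLOBAL = 0x2
GT_DOMAIN_LOCAL = 0x4
GT_UNIVERSAL = 0x8
GT_SECURITY = 0x80000000
SCOPE_NAMES = {GT_GLOBAL: "global", GT_DOMAIN_LOCAL: "domain local", GT_UNIVERSAL: "universal"}

def decode_group_type(value):
    """Map a groupType string such as '-2147483646' to (category, scope)."""
    bits = int(value) & 0xFFFFFFFF          # -2147483646 -> 0x80000002
    category = "security" if bits & GT_SECURITY else "distribution"
    scope = SCOPE_NAMES.get(bits & (GT_GLOBAL | GT_DOMAIN_LOCAL | GT_UNIVERSAL), "unknown")
    return category, scope

# Constructed sample shaped like a csvde export (multi-valued 'member' joined with ';').
# Not real directory data; 'All Staff' and 'Finance' nest each other to exercise cycle handling.
SAMPLE_CSV = """DN,cn,groupType,member
"CN=All Staff,OU=Groups,DC=example,DC=test",All Staff,-2147483646,"CN=Finance,OU=Groups,DC=example,DC=test;CN=alice,OU=Users,DC=example,DC=test"
"CN=Finance,OU=Groups,DC=example,DC=test",Finance,-2147483644,"CN=bob,OU=Users,DC=example,DC=test;CN=All Staff,OU=Groups,DC=example,DC=test"
"CN=Newsletter,OU=Groups,DC=example,DC=test",Newsletter,8,"CN=carol,OU=Users,DC=example,DC=test"
"""

def load_groups(text):
    """Parse the export into {group DN: {cn, category, scope, member list}}."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        category, scope = decode_group_type(row["groupType"])
        groups[row["DN"]] = {"cn": row["cn"], "category": category, "scope": scope,
                             "member": [m for m in row["member"].split(";") if m]}
    return groups

def expand_members(groups, dn, seen=None):
    """Return the set of non-group member DNs reachable through nesting from dn.
    'seen' guards against cycles (a group that transitively contains itself)."""
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    users = set()
    for member in groups[dn]["member"]:
        users |= expand_members(groups, member, seen) if member in groups else {member}
    return users
```

Run `load_groups(SAMPLE_CSV)` and then `expand_members(groups, dn)` per group to get the flattened list; pointing `load_groups` at the contents of a real csvde export with the same columns is the only change needed.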
Re: [ActiveDir] Domain Trusts.

2006-07-23 Thread Matt Hargraves
Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell.
You've all been very helpful, thank you. Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust any more" :)
On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

you might want to describe to us what your actual goal is
for creating a non-fully trusted domain in your AD forest. Maybe you can
reach a similar goal by using the fairly powerful capabilities in AD to delegate
administration of objects within a domain. You can also use these features to
hide specific parts of AD from the rest of the organization and thus create
semi-isolated units within a single AD domain.

Note that there is no way to fully isolate any objects 
within a domain or forest from domain or enterprise admins - if you do need full 
administrative isolation, you have to create multiple 
forests.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully
trust every other domain in the forest? The only way to have a non 2-way
trust is to make a separate forest?

Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-23 Thread Matt Hargraves
Just as an FYI: I've seen 64-bit DCs run and I have one thing that I can recommend to everyone: Go 64-bit as soon as possible. There are hundreds of benefits on the server side when going 64-bit, whether it's Exchange (yay for 2007) or your DCs; the performance level is just staggering compared to a 32-bit OS. All your former large application limitations just kinda disappear, unless it's an application-based limitation. No 3GB limitation on the application memory size, no paged pool memory limitation for connections (this hits Exchange first). It's like you're crippling your hardware by staying 32-bit nowadays if you don't have to.
On 7/22/06, joe [EMAIL PROTECTED] wrote:
That's a command line guy for you... :o)

The thing is that I type in a very odd way too, my whole right hand, just one or two fingers from my left hand. People tend to get a bit confused when they see me type.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Gent
Sent: Saturday, July 22, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

joe,

you must type really, really fast

----- Original Message -----
From: Albert Duro [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 7:06 PM
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

no debate from me. I was just asking. Thank you for the lesson.

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 9:48 AM
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

Mirrors don't scale. Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them... What is critical to Exchange? IOPS and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached, a RAID-1 drive for DIT will probably be sufficient; you will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok. Let me state though that even in a small user environment if there was an intensive directory based app or a buttload of data that pushes the DIT into GB's instead of MBs I would still be watching my disk queueing pretty close as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues but then again most aren't looking very closely at the counters because they haven't had a reason to and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies. I will admit that prior to implementing Exchange when I did AD Ops with a rather large company I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and does ADUC start fast enough, and it always was fine there unless there were network related issues or a DC was having hardware failure.

Enter Exchange... Or some other app that pounds your DCs with millions of queries a day and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work, small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this such as

- poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)
- hardware/drivers on the
