So what if your DHCP is running on a DC? Should I move them into the group
or not. If not what problems could this cause.
I also use a RIS to do my 2000 and XP installs. This machine is not a DC.
Should I put the RIS into the group?
Thanks,jb
-Original Message-
From: Todd Povilaitis
You don't have scavenging set up for your reverse DNS zones. Set the
scavenging up (I think its called Delete Stale Records) to match your DHCP
lease duration.
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger
And it conveniently leaves out the part about how the DHCP client on Win2k
and later machines automagically handles it without that setting.
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Your second statement, about the DNS proxy group, is only true for
supporting downlevel clients. In addition, it opens up some new and
interesting security issues, because now your DHCP servers can injecy ANY
record they want into DNS, including bogus DC and GC records.
Which isn't strictly necessary, unless you plan on disabling all client
based updates.
Personally, we don't use that setting here, with a mix of Win9x on through
XP and have no issues with the DNS updates happening correctly.
--
Roger D.
Then you have zero reason to have any members of that group, and a few
security reasons not to.
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
-Original Message-
From:
Is this also true where only secure updates are allowed for the server or zone? One
of the immediate effects of allowing only secure updates (in addition to scavenging)
was the removal of all non-member (9x, NT) machine's A records from the zone. This is
what we wanted.
-Original
I have a policy set for passwords; the passwords are set to expire every
90 days. When the passwords are about to expire, users are told that
Your password will expire in 5 days. Do you want to change your
password now? (The number changes, it does a countdown). However, if
the user says yes to
Do you have a minimum password age set? Or do you check the User
cannot change password box checked?
-Original Message-
From: John Balos [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Policy on password
I have a policy
Answer:
The
NT Domain had the 'user must log in to change
password'
policy set. Since the user wasn't really
logging
in to access the web page, it was being
denied.
Best
thing to do is impersonate the user , is annon
acces
for that folder switched off?
Are
you using a asp.net
Probaly the everyone group dont have permission on all users to change
password. See http://support.microsoft.com/?kbid=242795.
regards, Marcio Schneider
-Mensagem original-
De: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]Em nome de John Balos
Enviada em: terca-feira, 18 de
The everyone group had access to this however, the authenticated users
didn't. I went ahead and added this group. What's the difference between
authenticated and everyone? Shouldn't it of worked even if you have the
everyone group on there? Thank you.
John
-Original Message-
From: Tim
Graham:
The password export server is only required for migration of accounts from Win2K to
Win2K. It is not required for NT 4.0 to Win2K migrations.
Diane
-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 10:40 AM
To: [EMAIL
Graham,
Though I don't have a link to them in front of me at the moment, as you
might recall, Microsoft submitted for and passed the Common Criteria.
Microsoft (via SAIC) published a configuration and an administration
guide that is a bit more current with templates, et. al. Look into
those for
Funny, I was just looking at those :-]
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp
-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE:
Thanks, Bob! ;-)
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Tuesday, February 18, 2003
Hello Everyone,
The simplest domain model is the Single Forest / Single Domain. I
was thinking of using this model with an empty root domain? Does anyone
have any experience with empty root domain? Is it really beneficial? We
are only a small company with a few hundred users and have 4
Hi Cliff,
There are two pros that I am aware of...
1. In the case of radical naming hierarchy surgery, e.g., acquisition of
another company, it provides a convenient place to merge in the new domains.
2. Enhanced security for the Enterprise Admins and Schema Admins groups is
often claimed, but
In my opinion, the benefit to going with a dedicated forest root is
recoverability. You will have a domain that you are doing most of your
management. All of your user accounts, groups, computers and everything will
be in that domain. If something goes wrong, you don't have to worry about
blowing
19 matches
Mail list logo