So what I am hearing is that I can go ahead and put the Windows 2003 server
in place after I run adprep /forestprep and adprep /domainprep. I
understand I will not have all the capabilities of W2k3 but thats not what
I am concerned about. I just want to have that box in place so when I do
Hello,
I want to migrate a NT4 domain to 2003.
I need to display the attribute employee-number in dsa.msc, on the user's
properties. With a display specifier? Do I need to create a DLL?
How can I do that?
Thanks,
Olivier BATARD, Systems Technician -
Maybe I am being ignorant, but can I use sysprep if I have specialized
software that I want to have on my master image?
--
Jake
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 21, 2004 8:09 PM
To: [EMAIL PROTECTED]
Subject:
Hi,
Can you share your experiences about how to restrict access to Event Viewer to
only one group? Local and remote access?
Thanks.
Yep...
Sysprep just takes care of the base unique Windows side of
things.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jacob Stabl
Sent: 22 July 2004 14:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance
You
should of course test it anyway, post sysprep, to ensure.
-Original Message-
From: Rutherford, Robert
Sent: 22 July 2004 15:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance
Yep... Sysprep just takes care of the base unique Windows side
Title: RE: [ActiveDir] Summer Maintenance
Most likely the answer is yes, speaking
from experience in a K-12 setting. What is the specialized
software? Why not roll out the software as an msi file using group
policies?
Robert
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
People,
OK, I know you guys are the experts and I know MS says rename it, but tell
me the answer to these questions please. Let's say you run NTFS permissions
on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and
Cannot do this with a display specifier; you will have to create your own
DLL to do this and register it on every machine where you want the extension to
be visible.
Have a look in the archive for this list for some detailed posts on
this.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
1) The easiest way to see would have been to test it - the answer is
they would see the accounts and granted permissions.
2) I'm not sure what you mean. What is a standard? There isn't really one,
as it depends on the environment. A good rule is of course not to give
everybody full control and not
Is there a way to restrict access to WINS like DNS in Server 2003?
For example, if we want the DNS admins to administer the WINS servers, how
do you go about giving them access just to WINS administration?
Any help would be appreciated!
Thanks,
Mario
I believe access to WINS requires local admin access. To allow them to
administer WINS, they will have to be a local admin on the box where
WINS is running.
Denny
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22,
I think Server op will do it.
-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS
I believe access to WINS requires local admin access. To allow them to
administer WINS, they will have
Barts is the best, especially on CD :)
Clyde,
Check out www.bootdisk.com. Under the Network boot
disks give Barts a shot.
It's pretty good and customizable.
Dave
-
-
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
If all you want to do is view the attribute in ADUC's right pane as a
column, you can with display specifiers. Start with this link to add the
column:
http://msdn.microsoft.com/library/en-us/ad/ad/modifying_existing_user_interfaces.asp?frame=true
If you need to be able to modify it, you can
I'll answer the second question first: When assigning NTFS permissions
to resources, I select the local Administrators group and the local
System account with Full Control. I then select the appropriate control
group or groups, or individual accounts (domain accounts) and set them
with the
Rob,
We set permissions on our Users PCs according to Trusted Systems Services
Windows NT Security Guidelines developed for the NSA in 1999. We run in a
moderate to severe lockdown. We open up NTFS permissions only as much as is
needed for Users to operate. As such, any User can open up
The admin tools resolve the SID to the friendly name for you. In other words, you're
not actually working with the friendly names when viewing or assigning permissions,
but this is how it appears to you.
Tony
-- Original Message --
From:
Umm...
In the default install NTFS permissions are set up via group ACEs instead
of an individual ACE for the local administrator account. If you look at
the NTFS permissions on %systemroot%\system32 you will see permissions only
for GROUPS, not individual accounts (e.g. Administrators, Creator
Title: RE: [ActiveDir] Summer Maintenance
MSI is good for some stuff but not for labs that are
reimaged a few times a week.
-- Jake
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, July 22, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE:
I have a customer who has created an OU and
populated it with objects that have many attributes. He is now encountering
this error:
[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026]; remaining name
Rocky
You shouldn't actually need to assign permissions directly to the domain Administrator
account. Generally the account should be left well alone and only used when
absolutely necessary. If you really need to assign permissions to domain
administrators, use the Domain Admins group
You can make a Global security group in the AD called Wins Admins and
then add the group to the local administrators group of the WINS servers
either manually or via a GPO. Then all you have to do is populate the
AD group with the users..
-Original Message-
From: [EMAIL PROTECTED]
Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.
Thanks Tony.
RH
-Original Message-
From: [EMAIL PROTECTED]
I apologise, but your question was not that clear to me.
1) If you want to stop them seeing an account/permissions then the
de-selecting or denying the 'read permissions' advanced permission
should work.
2) Permissions are typically based on group anyway, thus they wouldn't
see the admin name.
Potentially interesting oddity occurred
today...
Our primary and secondary Windows 2003
/ AD integrated DNS server services abended at almost the exact same time.
I have custom WMI monitoring set to auto-restart them, send email,
call the president, and of course...raise the national threat
If you just remember the principle "put users in groups, assign permissions to groups", then you'll remember that neither JohnDoe nor Administrator should show up anywhere in your ACL enumeration. Rather, your ACL will look something like this:
Computername\Administrators - F
System - F
etc, etc.
Potentially interesting oddity occurred
today...
Our primary and secondary Windows 2003
/ AD integrated DNS server services abended at almost the exact same time
with the following error message in the eventlog:
Reporting queued error:
faulting application dns.exe, version 5.2.3790.0, faulting
Do they have to be local Admins, or will Server op work as well?
Denny
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan
(OFT)
Sent: Thursday, July 22, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS
You can make a
By the looks of this - he's getting the error when doing an
LDAP query, correct? The Admin limit limits the number of results that are
returned in a query, I believe the default is 1000 in w2k and 1500 in
w2k3. I think this is the error you're seeing.
If you need to retrieve more than this
Well there is... Not much but you may as well. It just makes it that
little bit more difficult for the novice hacker/opportunist shoulder
surfer.
-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:53
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
You are confusing several different user/group objects:
1. The domain account named Administrator
2. The domain group named Domain Admins
3. The local account named Administrator
4. The local group named Administrators (note the s at the end)
The security guidelines say that you should rename
I could probably tell you which admin
limit you're exceeding if you tell me the OS version and service pack
level.
Most admin limits are there to protect the
perf of the box and prevent DoS attacks. Better than changing the
limits would be to change the query to use LDAP RFC compliant ways
Title: GP is denying shortcuts.
I have created a Software Restriction Policy which is Disallow by default, I have created my additional rules to allow the paths to programs I want to run (ie: C:\Program Files\Microsoft Office). The Enforcement properties are to restrict all software except
Read KB 325379. Although this document is about upgrading DCs to 2003, it has some
good information you need to know - particularly if you are running Exchange 2000.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, July 22,
I have an authorized DHCP server.
When I add a new scope (I already had one previous working scope), it won't hand out
addresses for that new scope. I have an event ID 1051 logged in the event viewer
saying it is not authorized.
I know I need to be an enterprise admin to authorize a DHCP server
You could argue that. But, if you consider the fact that most hackwares and
viruses/trojans that carry their own account/password dictionaries don't do
SID enumeration, you'd understand the significance of renaming the accounts.
Because they don't do SID enumeration/translation, these hackwares
Deji,
You
know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of
course joe, and all the other heavyweights), but, we're not confused on the
accounts and their memberships. I just feel it's important to have the
Domain Admin (the individual) as Full Control on
You just prove that you are very confused about membership? Tony, Robbie,
Guido, Gil, Roger, and Joe That's an expensive club. Can't afford the
membership fee. Next thing I know, you'd be lumping me in with Dean :-P
Seriously, let's back up a bit. Let's ask why you'd want to give permission
OK, so for clarification:
If the 2003 Server is a DC and Wins it needs Server Ops
If it's a 2003 Standalone server make it a local admin?
Did I get that right?
Thanks for everyone's help!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent:
Title: Customize Group Permissions
Yes,
this is possible. Check out restricted groups in group policy.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the
Web! http://www.wpcp.org
v: 773.534.0034
x135
f: 773.534.0035
From: Jared Manhat
[mailto:[EMAIL PROTECTED]
Title: RE: [ActiveDir] Summer Maintenance
Yes.
There are no circumstances under which you should not sysprep an image that you
plan to deploy. The only time you should not is if you're using Ghost to
*replace* a machine.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the
Web!
Title: RE: [ActiveDir] Summer Maintenance
I beg to
differ. I'm in a high school with thousands of machines. I image labs, PCs,
etc. all the time. 95% of software is deployed via group policy and MSIs. Haven't
had any problems in the past year of doing this.
--Brian Desmond
[EMAIL
I'm betting there's a control access right (aka extended right) you can
delegate this group on your server OUs to manage WINS. No evidence, but, I'm
inclined to believe there is such a thing. Look at the Server Ops
delegations.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web!
Hello! Please assist, sorry for the slightly OT post:
Situation: We have a security
root domain (root) and below it our primary child domain (Domain A). We recently
created a second domain underneath the root domain (domain B) with a two way
trust between the two child domains (A and
They can handle more. Sounds like you
found a bug of some sort unless you have some other application that is using
msvcrt.dll and isn't cleaning up well. I don't see the same results with
similar configuration.
Al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL
Sent that last one a little faster than I should
have. :)
Since I have a similar config and don't see the same issue,
it's possible that you have a configuration issue such as a name resolution loop
or other problem that results in this type of crash. It might pay to look
at the
If the 2003 Server is a DC and Wins it needs Server Ops
No sorry, the point I was trying to make was merely that [A] server ops
did not exist on a member server and [B] that it is a moot point because
even IF WINS is running on a DC, Server Operators can NOT manage WINS..
To be able to
Do you
have any custom recipient policies or did you modify the default recipient
policy?
Jeremy
-
Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270
-Original Message-
From: Pelle, Joe
[mailto:[EMAIL
I'll take that bet :-)
Many have bemoaned the fact that you can't delegate WINS administration
or that there is no equivalent of DnsAdmins for WINS.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:21 AM
To:
Sorry
I meant to say do you have any custom recipient policies above the default
recipient policy and/or do you have a RUS for your second domain, domain
B.
Jeremy
- Jeremy Burkes SSP
MIS Department [EMAIL PROTECTED] PH:
202-764-1270
Okay,
First off, yes the club's expensive. And rightly so, but, do you know what
joe wanted to come to my little shop and point out to me exactly what I
already know (which is exactly how much I don't know already.)? Now HE
was expensive. Serves him right for getting fired. ;-O. No wait. He
Anyone have thoughts on this?
--- David Adner [EMAIL PROTECTED] wrote:
I know if I modify an automatically generated
connection object, it gets renamed to its GUID and
takes on the behavior of a manually created CO
(meaning the KCC will no longer automatically
maintain
it).
What if I
We have a mixed E5.5 and 2003 environment
and the only recipient policies we have are the 5.5 policies and the default policy.
I have not changed any of them.
Joe
Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI
48152
Tel
Title: Customize Group Permissions
One thing to be really careful of though. It will
replace the contents of the local group. The only exception to this is the
default local Admin account in the local Administrators group. That
account will stay. If you are using software, like SMS, that
Did you authorize it by fqdn or by address? I think it needs to be authorized by
address.
nme
From: Kern, Tom
[mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 11:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP
I have an authorized dhcp server.
when i
If you want to continue using Kix scripting you can create
security groups and assign the appropriate users to those security groups;
afterwards use the InGroup (Kix) function and assign drive mappings etc.
accordingly.
At least that's one way of doing
it.
From: [EMAIL PROTECTED]
AH, thanks for the clarification. I'm
a little slow!
Anyway, I do have custom recipient
policies above the default but they were copied over from the 5.5 sites. "Do you have a RUS for your second domain, domain B?" I have
not added anything additional so I guess the answer is NO. Do I
I have not yet created a RUS. I didn't
know I had to. I have to domainprep B first, right?!
Joe
Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI
48152
Tel 734.591.7324 Fax 734.632.6151
[EMAIL PROTECTED]
As I remember each domain has to have a
recipient update service setup in order to update the email addresses. Do you
have one for the second domain? Did you run domainprep on the new domain?
Jacqui
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
In addition, take a closer look at that Recipient Policy. It's possible that
it's configured to stamp ONLY mail-enabled objects of DomainA. You will need to
create another one for DomainB, if that's the case.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
This is by design. You open adsiedit.msc, navigate to the top
DC=yourdomainname under the Domain partition, right-click on the
DC=yourdomainname and click Properties. In the Security tab, you will see that
Authenticated Users have Read access to the whole tree down.
You can remove this permission
Rocky - this thread is actually quite incredible - you're wandering from user and
group names and object types to NTFS permission and nesting objects into groups, over
to discussing SIDs and friendly names, and now you're talking about the visibility of
memberships of groups in AD ;-)
Also, I
I
don't understand your question fully. You say you want to "set a variable" which
will control drive mappings, but then you go on to say that you want to look up
an attribute in AD to set the location. What attribute would that
be?
Can
you be more specific?
Jacqui,
I have not domainprep'd the new
domain and have not created a recipient update service for the new domain. I
did not know I needed to do that. Thank you for the posts! VERY
HELPFUL! I'm still learning about Exchange!
Joe
Pelle
Infrastructure Architect
Information Technology
If it's a new scope, is the scope within the range of IP addresses and
subnet masks available on that router segment? I fought an issue like this
once and it was a subnet mask problem, but we were looking for something
harder to fix... :-)
Took a while to see it right under our noses...
Do you mean that you want to control permissions on the
different logs within Event Viewer?
If so, it's absolutely possible if you change the SDDL in
the Registry, however you need to write a customized GPO template to push them
out to the servers unless you want to manually edit each
Check out the Exchange Admin Guide, Exchange Deployment Guide and Planning
an Exchange Messaging System, all on microsoft.com/exchange/library. I'm
reading the admin guide; all three have helped with the Exchange 5.5 to
2003 migration.
Robert
-Original Message-
From: [EMAIL PROTECTED]
Yes it is. The router is fine. If I use a static address on that subnet, it works and
there is connectivity. If I configure the client to use DHCP, nothing. All it gets is
the scope options.
I guess what my question really is, is: if a DHCP server has been authorized by an
enterprise admin
Check out the %USERDOMAIN% AND %USERDNSDOMAIN% environment variables. Run set from
a command prompt to get a list of them.
--Brian
-Original Message-
From: Jacqui Hurst [mailto:[EMAIL PROTECTED]
Sent: Thu 7/22/2004 2:31 PM
To: [EMAIL PROTECTED]
Where does everyone have their NTP services come from? We are getting rid
of our current firewall which has NTP on it and everything is pointed to it
for NTP services. Our new firewall won't have NTP built in, so we are going
to have to set up an internal NTP server for all our internal hosts
Hey Russ,
This link describes how W2K and W2K3 handle NTP:
http://www.netpro.com/products/techdocs/ad_timesync.pdf
This link lists public Stratum 1 and Stratum 2 time servers:
http://www.eecis.udel.edu/~mills/ntp/servers.html
It would make sense to use the PDC emulator as the time server for
I use my PDC. It syncs with the government. All your clients automatically talk to the
PDC unless you told 'em not to.
--Brian
-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Thu 7/22/2004 7:24 PM
To: '[EMAIL PROTECTED]'