RE: [ActiveDir] Home Directories

2005-05-27 Thread Al Mulnick
Debbie, what process did you use to move the files? Just cut/paste? Or some other method? Effective permissions? Are there others we should be aware of? Can you detail the exact process you used to configure and the exact permissions that are set? Give us a sense of the scope of the

RE: [ActiveDir] deleting specific values from multi-val attribute

2005-05-27 Thread Sakari Kouti
Hi Mark, You would use a line such as the following:

Const ADS_PROPERTY_DELETE = 4
Call objUser.PutEx(ADS_PROPERTY_DELETE, "otherHomePhone", _
    Array("111-", "444-"))

This would delete the two numbers specified (111- and 444-). Yours, Sakari From: [EMAIL

RE: [ActiveDir] Home Directories

2005-05-27 Thread Marcus.Oh
Sorry. Please don't perceive my earlier post as disrespecting your opinion. Simply typing in brevity. :) At any rate, I read it as a user end permission error, not as a copy process failure. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

RE: [ActiveDir] Home Directories

2005-05-27 Thread Marcus.Oh
Agreed. I'm still a little fuzzy on the details since Debbie had responded that both share level and file level permission on the home directory is change and follows up with domain users have read permission to the home share. Debbie, can you

RE: [ActiveDir] Prevent certain users being added to a group

2005-05-27 Thread Steve Rochford
Easier to just get the logic of the web page to check the status of the person being denied access - pseudocode something like this:

if not ingroup("staff", sUserName) then
    denyaccess sUserName
else
    "you can't remove " sUsername " from net access"
end if

Steve From: [EMAIL

RE: [ActiveDir] deleting specific values from multi-val attribute

2005-05-27 Thread deji
This may give you a lead. http://www.readymaids.com/Portals/1/Remove%20Orphaned%20SMTP%20Addresses%20-R US-helper%20.txt Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the

RE: [ActiveDir] Home Directories

2005-05-27 Thread Ellis, Debbie
I appreciate all the feedback. I had to end up giving domain users change access on the top level Home share folder. (On both file and share) I removed domain users from the individual home directory/folders. The problem I have with the solution is that won't users be able to create folders in

RE: [ActiveDir] deleting specific values from multi-val attribute

2005-05-27 Thread Creamer, Mark
Thanks Sakari (& Dèjì). That's how I set it up and it worked fine. I appreciate the pointers, as always. mc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Friday, May 27, 2005 8:11 AM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Joining workstation to domain over vpn(again)

2005-05-27 Thread Kern, Tom
Running nbtstat -an gets me this- Failed to access NetBT driver -- NetBT may not be loaded Also, even though netbios over tcp/ip is enabled in the nic and vpn properties, it still shows up as disabled when doing an ipconfig How can I load this? I reset tcp/ip via netsh, but that did nothing.

RE: [ActiveDir] Joining workstation to domain over vpn(again)

2005-05-27 Thread Charlie Kaiser
Tom; I assume you've seen this and verified perms? http://support.microsoft.com/?kbid=888373 ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Home Directories

2005-05-27 Thread Marcus.Oh
Now that your share-level permissions are correct, you need to add the individual user to their respective home folder and grant modify permissions (ntfs). That should give them change access to their files. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Home Directories

2005-05-27 Thread Ellis, Debbie
But it also allows them to create new folders under the top level Home share. Is there a way around that? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, May 27, 2005 10:40 AM To: ActiveDir@mail.activedir.org Subject: RE:

RE: [ActiveDir] Home Directories

2005-05-27 Thread Marcus.Oh
Yes, make sure that the top level home folder that your share is pointing to does not have rights for those users to make changes. They should only have rights at their individual folder. For instance: Share Level Perms \\server\home1 is your home folder share which has the following perms:

[ActiveDir] permissions needed to remove child domain controller in a different site?

2005-05-27 Thread Thommes, Michael M.
Hi, Child domain admins reported that they could not successfully dcpromo out a child domain DC that was located in a different site from the other two child DCs without authenticating as a root domain admin during the process. I know that the root domain admin must be involved when the last

[ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
Hi, My PDC just started acting up and is showing an error in the PDC box under Operations Master. The only recent change that I can think of to the server was I uninstalled & re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC. Thanks, -- Matt Brown [ SELECT *

RE: [ActiveDir] Home Directories

2005-05-27 Thread Dan Holme
The best practice permissions for the ROOT SHARE (for home directories, roaming profiles & folder redirection) are listed below. There is a lot of confusion about these perms, b/c there are inconsistencies in MS doc. I've tested these to make sure they work and (as you'll see) they're pretty well

RE: [ActiveDir] Joining workstation to domain over vpn(again)

2005-05-27 Thread Kern, Tom
Thanks. yeah, i've seen it. It doesn't apply as I'm logged in as local admin when i type that command or try to join the domain. Any other ideas? thanks again Charlie Kaiser wrote: Tom; I assume you've seen this and verified perms? http://support.microsoft.com/?kbid=888373

RE: [ActiveDir] Joining workstation to domain over vpn(again)

2005-05-27 Thread Medeiros, Jose
Here are my ideas: 1. Tell your user to bring in his system and see if you can join while it is on your lan. 2. Open a support call with Microsoft Premier Support and see if they can help you solve the problem. 3. Reimage the system.. you already stated that other systems did not have a

RE: [ActiveDir] Home Directories

2005-05-27 Thread Ellis, Debbie
This did it. Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, May 27, 2005 11:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home Directories Yes, make sure that the top level home folder that your

RE: [ActiveDir] Joining workstation to domain over vpn(again)

2005-05-27 Thread Kern, Tom
I guess you want me to stop posting about this issue :) so i will, after responding. 1. The pc is in Florida. I'm in NYC. I'm not going to Florida for a pc. Hell, I wouldn't go to Florida for anything. 2. We don't have or pay for support with MS and I'm not gonna open one up for one laptop.

RE: [ActiveDir] permissions needed to remove child domain controller in a different site?

2005-05-27 Thread Thommes, Michael M.
Nope. I specifically asked them about this. Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, May 27, 2005 10:34 AM To: Send - AD mailing list Subject: RE: [ActiveDir] permissions needed to remove child domain

RE: [ActiveDir] Joining workstation to domain over vpn(again)

2005-05-27 Thread Medeiros, Jose
Hi Tom, I am sorry if I appear to not sound sympathetic to your issue. I can understand your feelings about you not going to Florida for any thing, I feel the same way ( Although I would not mind visiting Disney World, but we both know that when you travel for business you can't even have a

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Dean Wells
What does the machine in question report within its event log? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Friday, May 27, 2005 11:32 AM To:

RE: [ActiveDir] permissions needed to remove child domain controller in a different site?

2005-05-27 Thread Dean Wells
Could you obtain the precise error/logs and paste. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, May 27, 2005 11:44 AM To:

RE: [ActiveDir] SFU and ADUC

2005-05-27 Thread Alex Fontana
Perfect. Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Thursday, May 26, 2005 9:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SFU and ADUC You just need to register the nisprop.dll DLL on the XP workstation.

[ActiveDir] Catch all DNS record

2005-05-27 Thread Mike Newell
Hey, My company has recently purchased the same domain that our internal domain is named so I'm having to setup DNS to manage both. Not a big deal but I'm being asked to add a DNS record *.internaldomain.com that will point to a public web server and I'm not sure if this will negatively

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
Well, I have quite a few weird things going on. Roles: (both DCs in same site) DC2 = PDC role, RID pool manager DC1 = Infrastructure owner, schema owner, domain role owner When I look at the Operations Masters... - from DC1 It shows ERROR for RID & PDC, shows DC1 in Infrastructure - from DC2

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Dean Wells
It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating. Before proceeding, can you give me some more info. - 1. Number of DCs/Domain/Sites 2. OS

[ActiveDir] lastlogontimestamp

2005-05-27 Thread Smith, Robin
Hi. Our domain is at the Windows 2003 server functional level. I have registered acctinfo.dll from the 2003 resource kit and have the Additional Account Info tab in ADUC. I am finding a big discrepancy between the lastlogontimestamp date on the Additional Account Info tab and the actual

RE: [ActiveDir] Catch all DNS record

2005-05-27 Thread deji
It *should* be fine. A catch-all will only be mapped for non-existent records, so if the record exists in DNS, the lookup for that record will resolve to the right resource. Now, I qualify should because there are some interesting behaviors you will see when using DNS wildcards. One of them is

RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread Gould, Andrew D.
I have seen the same discrepancy. There is a newer dll (acctinfo2.dll) available now. I don't know if it rectifies this particular issue, but it does allow the Additional Account Info tab to appear in a user's properties that was returned as a result of a query. Andrew Gould

RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread freddy_hartono
Hi Andrew Where can I get the acctinfo2.dll? Would be nice to have :) Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
1. Number of DCs/Domain/Sites 3 Sites - Site A has DC1 & DC2 - Site B DC3 - Site C DC4 2. OS version of DCs - All DCs are running Windows 2003 Server Standard 3. Are the remaining DCs replicating successfully? - According to DC diag they all

RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread Free, Bob
Where can I get the acctinfo2.dll? On someone here's suggestion, I just asked our TAM for it and an engineer sent it to me. Excerpt from instructions- One of the most common problems reported with the original version of ACCTINFO.DLL, was the fact that it didn't appear as an option when users

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Dean Wells
That's what I expected. Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended) Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo Caveats - Choice 1: lingering objects may exist Choice 2:

RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread joe
Split the difference, grab adfind from www.joeware.net in the free windows tools section and see what it decodes the values to. I can't speak to acctinfo dll as I never used it. vbscript decoding of int8 values is often troublesome, it is possible the code below isn't doing a very accurate

[ActiveDir] Security settings not Inheriting

2005-05-27 Thread chris . ryan
All, I am attempting to delegate full control of one OU to a particular group of Admins. I have run the Delegation Wizard, selected the group, customized a task to delegate permissions to the folder, all existing objects in the folder and the creation of new objects and then selected

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Medeiros, Jose
Hi Joe, Quick question, I have always just used the NET USER /DOM (username ) at a command prompt which gives me the following output: C:\Documents and Settings\jmedeiros>net user /dom jmedeiros The request will be processed at a domain controller for domain

RE: [ActiveDir] Security settings not Inheriting

2005-05-27 Thread Tony Murray
Sounds like it could be the AdminSDHolder. Have a look at the following articles. http://support.microsoft.com/?kbid=232199 http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Kern, Tom
I thought that net user /dom queries lastlogon, which is not rep'ed, not lastlogontimestamp? Also, lastlogontimestamp is only updated if it changed a week or more ago. so it could always be a week off.. Medeiros, Jose wrote: Hi Joe, Quick question, I have always just used the NET USER /DOM

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Matt Brown
Because I believe my errant DC to be my PDC will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm Thanks, -- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ] Information

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Al Mulnick
Part of the problem I see with your output below is that it doesn't show which domain controller you last logged on to. While that's not a problem if you have only one DC in your forest, it can be if you have more than that. LastLogon is not replicated. LastLogonTimeStamp is and as such you

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Robert Williams \(RRE\)
When you are complete with the /forceremoval of this errant DC and have performed the metadata cleanup on one of the other DC's, you should be able to seize the PDC Emulator role using the GUI or NTDSUtil. After that's all done, just ensure that the changes have replicated around...then you can

RE: [ActiveDir] Error in PDC Operations Master

2005-05-27 Thread Dean Wells
Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime. --

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Medeiros, Jose
Hi Al, Thank you for taking the time to reply, and I very much appreciate your effort on researching this. You know that I recall using USRSTAT on a NT4 Domain and it would show the Domain Controller that actually authenticated the user account, however it does not seem to display this output

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread deji
In NT4, all updates go up to the PDC. This is why you will get a true last login report. Post NT4, most updates take place on any DC, and lastlogon is one such update. Because it is possible that a user can be authenticated by different DC at different time, AND because lastlogon is NOT

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread David Adner
In 2003 RTM lastLogonTimeStamp gets updated during Kerberos authentications and interactive NTLM authentications. Remote NTLM auths do not cause it to be updated. There was talk to get this changed in SP1. -Original Message- To make matters worse, there is a fix out there somewhere

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Medeiros, Jose
That explains the change. Thank you for sharing this. Jose :-) - -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] Sent: Friday, May 27, 2005 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE:

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Ayers, Diane
In NT4, all updates go up to the PDC. This is why you will get a true last login report Not that my small wattage can hold a candle to the brain power for the others on the list but isn't this incorrect? IIRC, under NT 4.0 the last logon went to the authenticating DC. That is why you had to

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread joe
Yes, I agree with you, it is incorrect. BDC's weren't entirely read only, non-replicating attributes such as last logon, bad password count, etc were written locally and yes you had to query all DCs to get an accurate accounting of what happened. If this were the architecture of NT4, the PDC

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread deji
I'll yield on this and stand corrected. Although I did not exactly remember reading about (or observing) this behavior, current materials I just consulted say that Joe and Diane are correct - as always. note to self Got to read more. /note to self Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M

RE: [ActiveDir] Catch all DNS record

2005-05-27 Thread Mike Newell
Thanks Deji, Awesome, thanks for the reply. Everything makes sense except the part about query for domain other than my internal domain, will resolve to the Wildcard. I thought that MS (NT 4.0 and later I think) will put a . at the end of each unqualified multi label query. Also, I was under

[ActiveDir] Fredrik Dahl/GIS/CSC is out of the office.

2005-05-27 Thread Fredrik Dahl
I will be Out of the Office Start Date: 2005-05-27. End Date: 2006-01-01. Hi, I have left CSC. You can reach my manager Henrik Staberg at [EMAIL PROTECTED] My new e-mail address is [EMAIL PROTECTED] ([EMAIL PROTECTED] shortly). Regards, Fredrik List info :