Now do your users spell shit right in these messages? Every last one of them
had a typo today. One of them they even botched the subject - Pruchasing
Newsletter. Yesterday or two days ago I forget the Pruchasing department had
to send two blast messages, you see they forgot the time date in
Hi,
Our IT Operations team will require access to our remote Windows 2003 DC's which act as File Print Servers.
At the moment, they are members of the Built-in domain Server Operators group which they use Remote Desktop to connect through to the DC's for data/print services support/administration
Hello,
How can I use sites to prevent traffic from flowing from one site to another?
I have a domain controller for each site, and I want to stop traffic
flowing in certain
direction (kind of like the trust relationships in windows NT).
thanks
r.c.
If you have your site links and costs setup correctly to reflect your
underlying network topology and infra, then this should not be a concern, since
you have already informed AD where and how it should replicate data.
If 2 sites are replicating and you do not want them to, then either remove
One for all you RIS experts out there. When I rebuild a workstation, using the
same name, it creates a new duplicate entry in the default computers OU,
instead of using the existing entry.
Secondly, I'd like to set a default OU for newly built machines. I've tried
setting it in the RIS
Hi joe,
Yep, the lack of a SC back to the PDC is puzzling. The MS analyst I was
working with said, That's just the way it is!. sigh. All DCs are running
2003/SP1. Regarding my issue, we determined that one of the two child domain
DCs was really just unfixable, and its state was
Hi Jose,
We're not actually a CTEC nor do we deliver MOC materials. In addition to
our core consulting practice, we deliver, develop and technically edit
internal-only materials for Microsoft's PSS, ROSS, TAM and MCS teams.
I'll have a copy of the latest public outline sent over to you upon my
Title: RE: [ActiveDir] Sites to restrict traffic,
For your first question:
Verify these two settings:
1. Open up your ristndrd.sif in \\(RISSERVER)\REMINST\Setup\English\Images\(ImageName)\i386\templates
Under the [UserData] section there should be a line that reads:
ComputerName =
Don't get me started on attachments. Since I am a contractor for the
government we have to do what they say even though it goes against good IT
practices and even when we try to tell them why it is not smart they want to do
it anyway. Email attachments in excess of 20MB are not uncommon in my
Hi,
In the domain the group "Remote Desktop Users" exists. This group has permissions on the RDP-protocol on each
DC (Terminal Services Configuration MMC) but does not have the user right "Allow logon through Terminal Services"
in the Default Domain Controllers GPO.
For member servers
Title: RE: [ActiveDir] Sites to restrict traffic,
These are as you say - they are the default settings, but I
still have the problem. Also, there has to be an entry in the .sif file
for anything you want to manipulate with variables - not sure the OU one is
possible, but I may be wrong
* - Add an account to the console -
WMIC RDPermissions where TerminalName="Console" call AddAccount "domain\user",2
... where 0=guest,1=user,2=full access
* - Deny an account access to the console -
WMIC rdaccount where "terminalname='console' and accountname='domain\\group'" call
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Friday, June 10, 2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits
Don't get me started on attachments. Since I am a
Oops I forgot to send this last night when I responded to the rest of the
emails...
===
You guys seem to be on the right track here.
On the question of setting all objects configured with admincount=1 to
admincount=0 is perfectly fine. As Robert indicated, it will get reset based
on group
Title: RE: [ActiveDir] Sites to restrict traffic,
Yes there is but it is a static option. The option is
MachineObjectOU and can be entered under the [Identification] section of the
ristndrd.sif file.
The better choice may be to use a customized custom.osc if
you have multiple possible OU's
All of these stories beg for a moderated DL facility in Exchange. Some
people can submit, someone has to moderate and release prior to allowing it
to really go out. That same facility could spell check and strip
attachments, convert to plain text, stagger the send so it doesn't go out in
one huge
If you want to have more seamless domain moves, it is
probably worth doing that education. Also I think there is some reg entry or GPO
entry you can apply that will disable options (and hence the domain dropdown) by
default (though it can be reenabled by the user) which could help.
Honestly any time someone asks a question like this my
response is make them domain admins because any time they want it they can take
it and making them server ops is just a way so you can report you have fewer
admins, basically you are adhering to the letter of some rule instead of the
I read that differently than you did Neil.
I read it as how do I allow replication to go in one direction... Into a
site but not from the site back say like in a weird DMZ type configuration
or something.
If that is what the question is. The answer is you don't... Successfully.
You may get it
Unfortunately, in this case, I can't give any better answer than the MS
Engineer in the that is just the way it works as I indicated below. I
would loop in ~Eric on this one but I don't think he would know either, this
isn't an AD thing, it is a Windows Secure Channel thing that has been around
Only 10? :-)
Listserv functionality is an area they've identified for third parties. I'm
not a C++ programmer; but a simple facility in perl or vbscript is easy.
But to do it all in Exchange (i.e., no external databases), I needed a feature
that was promised for Mercury. Regardless, most of
Yeah instead of saying a good 10, I probably should have said at least 10.
They are spread through a variety of feedback channels over the last 3 or so
years from PSS to MVP Wish to Ladybug. I think I have 9 in ladybug right now
plus 2 recommendations for things that already should be in the
OK, that makes sense, although as you say, this is still not possible.
We don't (yet) have read-only DCs so this is just a non-starter :)
I'd still like to hear the justification / explanation for such a behaviour.
neil
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
I received some offline questions on this that can
be collected into three main questions
1. What are the things these non-admin but natively
enhanced users do to compromise the DC or enhance their
permissions?
2. What would you do in this situation?
3. SBS seems to contradict everything
Yep. The times I have fielded questions for this functionality both in the
public space and in private consulting was all for people who wanted to pump
AD Info to some remote site or DMZ and did not want the possibility of
someone at the site or in the DMZ to compromise the machine and pump the
Hi, I need to add a trust to an AD 2003 domain and an AD 2000
domain.
I need Domain A users to be able to access resources in
Domain B.
Do I do it from Domain B side or both?
Thanks,
Juan
Hi Juan
Are these domains in separate forests? If
so you use the Active Directory Domains and Trusts snap in to create the trusts
with Domain B trusting domain A. Create Domain A as a trusted domain in Domain
B and then add Domain B as a trusting domain in Domain A IIRC. If they are in
They are in different forests.
Thanks,
Juan
From: Peter Johnson
[mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] One way Trust
Hi Juan
Are these domains in separate forests? If
so you use the Active
I believe the new Trust Wizard will allow *both* sides of the trust to be created
from the same wizard, assuming credentials in the trusting domain can be
provided.
If the domains exist in the same forest, then there *may* be an argument for a shortcut
trust, but that's
I have an issue with Folder Redirection in GPO. The individual user
folders, Application data, My Documents, Desktop, are created on the remote
server. However, the folders are empty. Users have modified rights to their
redirection folder.
Environment: W3K
Thank you,
Z.V.
I have a redirection issue w/GPO.
I can see the user redirected folders: My documents, Desktop, and
application data, however,
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
If you have folder redirection and ie branding enabled, you'll need a hotfix,
to enable both to work.
I can't give you the Q number as I am on the I4, coming back from TechED.
Mark
-Original Message-
From: Za Vue [EMAIL PROTECTED]
Date: Fri, 10 Jun 2005 12:10:23
Q # is 888254
Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, June 10, 2005 11:50 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Redirection
If you have folder redirection and ie branding enabled, you'll need a
hotfix, to
Does anyone have any experience yet enabling ABE on a DFS root share? If I
enable ABE on the DFS root share, DFS links from the root to other shares only
show up when accessed by an admin. ABE is not enabled on the linked shares. Any
ideas?
Thanks
Nathan
Thanks guys, well actually its not a DMZ issue,
I have few subnets: student subnet, faculty subnet, financial system
subnet, and services subnet for example,
I would like to have the teacher access the student's computers but
not vice versa, or if not possible to have it work this way then block
all
Greetings --
Using adfind to identify users who have the AdminCount attribute set to 1.
Looking at the output there are users who are expected to have that set
seeing that they are Domain Admins BUT i also see a handful of users who
are not members of a protected group.
Using admod to set
I would like to have the teacher access the student's computers but
not vice versa
Hmm..I think he is talking about the computer access issue not the AD
replication.
Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX
On 6/10/05, rubix cube [EMAIL PROTECTED]
In my opinion I would only enable ABE on the actual shares that are used for
the DFS links
Cheers
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/10/2005 7:01 PM
Subject: [ActiveDir] DFS and Access Based Enumeration
Does anyone have any
Jorge --
I was following those threads which unfortunately did not clue me in.
The users that have AdminCount=1 but shouldn't have never been in a
protected group nor are they in a non protected group that is nested in
protected group.
I have even gone so far as to remove all group
John,
OK, the users you are talking about are non-default-admin-users and are not
members of protected groups and never have been.
Maybe a strange question.. which groups is the domain users group a member
of?
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
To:
Got it going. Thanks to all for your
help.
Juan
From: Ruston, Neil
[mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 9:01 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] One way Trust
I believe the new Trust Wizard will allow
*both* sides of the trust
not a strange question ... i looked into that when i first started the
troubleshooting process Domain Users is a member of the Builtin
Users group which is not a protected group in my environment.
Just so i have it straight:
If a user is a member of a protected group its AdminCount
What do you mean by have the teacher access the students computers? Do you
mean access the students workstations as admins?
If that is what you mean, you could set up a couple of groups in the domain.
Students and Teachers. All workstations get teachers in the administrators
group and only student
Joe, I disagree.
And since that has not happened often with your posts, I'll take some time to
elaborate. :)
We all
understand that someone on a DC console can take control of the data on it, and
via replication the forest. However this is not achievable without
"hacking" (for lack of a
have you also changed the inheritance setting of those accounts?
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/10/2005 10:54 PM
Subject: Re: [ActiveDir] troubleshooting object permission inheritance
not a strange question ... i looked into
Actually, higher limits are possible, but require modifying the AD attributes
outside of the normal GUI. For example using ADSI Edit to change these
attributes of a user/mailbox:
mDBStorageQuota - Warning Limit
mDBOverQuotaLimit - Prohibit Send
mDBOverHardQuotaLimit - Prohibit Send / Receive
You could test it in a lab, but since ABE works on ACLs on shared
folders, and since the actual folders in the DFS target folder are not
ACLed, I think you'd be making a big mistake.
I agree wholeheartedly with Jorge.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
If a user is only in Domain Users (obviously the primary group for the user)
and when I mean only I mean not in any other security OR distribution groups
and the domain users group is not nested into any groups other than
BUILTIN\Users. Then you clear admincount and reset the protection on the
We can agree to disagree. :o)
You make someone a server operator on a domain controller
because you don't trust them to be a domain admin due to their judgement or
perceived skill set. Making them a server operator does nothing to protect the
DC from that judgement nor skill set. If you can
The Group is already a member of the Remote Desktop User group and has the allow logon through terminal services so I assume I will need to do something along the lines of what Dean has suggested unless you have any other ideas!?
thanks
Frank
Jorge de Almeida Pinto [EMAIL PROTECTED] wrote:
thanks joe - that is exactly what i am experiencing.
i'll update the list when/if i get a fix/solution.
again many thanks,
john
Quoting joe [EMAIL PROTECTED]:
If a user is only in Domain Users (obviously the primary group for the user)
and when I mean only I mean not in any other security
yes, admod'd them to 0 then changed the perms to Default (which turns on
inheritance).
Quoting Jorge de Almeida Pinto [EMAIL PROTECTED]:
have you also changed the inheritance setting of those accounts?
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
To:
Hi
I am trying to reset the permissions for a home
directory. The directories are created and redirected by GPO; the security
specified as in Microsoft KB 274443. The owner of this directory also has a
separate administrator account. He used his admin rights to get into console on
the
You can first take ownership and reset the permissioning and after doing
that you can give away the ownership the same way like taking ownership!
To give away ownership to someone else you need full control permissions AND
the user right restore files and directories on the particular server
Title: RE: [ActiveDir] Sites to restrict traffic,
Fscked up man? All my installs report a
dup GUID in AD, and won't let you do it? Problem at your site?
Take a look at the OSC files, in there you
can do some really neat customization. Email me offline, or search the web,
there are some