I need to create msi to install internet explorer 6 through the group policy, is this the way you folks do it? How do you upgrade the client's internet explorer?
On 11/27/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Making .msi
Found it...thanks...
http://support.microsoft.com/default.aspx?scid=kb;en-us;889030
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 25 November 2005 16:00
To: ActiveDir.org
Subject: Re: [ActiveDir] Trusts.
Brad,
I am not in the
Grr. This thing won't budge. I have implemented the settings from the
article below, but still no joy. I will hopefully have missed something and
will re-check... watch this space.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 28
I don't know if you are trying to bait me or your head
recently got stuck between your gluteus maximi.
Obviously since you have your mouth to the firehose
you know that I was pointing out that the ACL change on an object that
previously couldn't have the ACL changed now disallows a normal
I think it is a great idea to increase the TSL. Do you actually think it
would be easier to create a new user and re-ACL when all you have to do is
undelete and set a password instead?
Not only would I increase the TSL, I would also look at all of the
attributes and figure out which ones I would
You mention that it is a legacy trust. I don't know how far back it goes
legacy wise but I ran into an issue where a legacy trust could not be
upgraded (modified) as the trust existed prior to upgrade (way back in NT
4.0 land) and the solution was to delete the trust entirely and recreate.
Thanks Diane but that isn't the issue here as these domains have never seen
each other before. They were deployed specifically to figure out how they
would trust each other. The W2K3 build is fairly locked down, so I wanted
to troubleshoot it and get it working. I have done everything I can
We have an extranet that we are finally trying to set up correctly. The
*only* problem we are having is serving up the Project Server content.
Let me briefly go over the setup and configuration. ISA EE is on our DMZ.
Our sharepoint and project servers (and SQL back-end) are on the LAN. ISA
I recall some
discussions about this before and understand Windows 2003 offers a lot better
options, but what are the current best solutions for allowing users to backup
their PDF, DOC, XLS, PPT type important files, and also backing up their e-mail
(PST)? I could quickly script something,
Has anyone found any issues in disabling the "distributed link tracking server" on Windows 2000 server domain controllers?
I would like to take a two step approach in disabling this useless service. First on the DCs and then on all workstations. I was just wondering if there would be an impact on
Hi everyone,
We have a Windows 2003 SP1 server with Exchange 2003 installed. I need
to change the domain name. Doing some reading up on the subject, I'm
getting conflicting information on whether this is even possible in our
case. For the record, this is our DC (and the only DC in the domain) and
Definitely turn it off on the DCs and delete the tracking
objects. MS actually recommends this for the configuration and K3 it is disabled
by default.
Here is the KB about it
http://support.microsoft.com/default.aspx?scid=312403
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
nope, no known impact (unless you have specifically
deployed an app that makes use of this service - none of the MS apps do, which
is why the service is disabled by default in Win2003).
however, if you want to make sure, why don't you just
reverse your disabling process: first disable all
Coincidental timing, second time I've answered this in as many days -
Max: 999,999,999 days or 2,739,726 years (not including leap years)
Min: 2 days
AFAIK, these thresholds have remained unchanged since 2K RTM.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
Pick the right community.
While the AD community may be of help have you gone to the
www.isaserver.org site and asked there?
Grab a book, grab a community.
J B wrote:
We have an extranet that we are finally trying to set up correctly.
The *only* problem we are having is serving up the
Hello list,
Is there a way to prevent members of the local admin group
on a server from rebooting the servers? We are trying to prevent some
developers that need admin rights from rebooting the servers.
Thanks in advance,
Pavel
---
-- Even
to answer one of your main questions: yes, when you've installed the box
with RTM it's 60 days and if the box was installed using the SP1
version, you'll be at 180 days.
The best way to find out what you have is just to check the
tombstoneLifetime value in CN=Directory Service, CN=Windows
hmm, can that Max value be increased in any way? Not sure that's enough
;-)
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Montag, 28. November 2005 17:49
To: Send - AD mailing list
Subject: RE: [ActiveDir] Tombstone value
2,736,726 years, 11 months, and 13 days, given a start date of January
1, on a leap year.
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
Take a look at this-
http://blogs.technet.com/exchange/archive/2004/08/30/222719.aspx
On 11/28/05, Steve Sorenson [EMAIL PROTECTED] wrote:
Hi everyone, We have a Windows 2003 SP1 server with Exchange 2003 installed. I need to change the domain name. Doing some reading up on the subject, I'm
getting
Brad,
Have you attempted to connect to the C$ (or any other) share between
the PDCe of the two domains? Is this successful? Aka Do you have RPC
connectivity outside of the share creation process?
Aric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
nope. It'll be easier to question the fact that the
developers "need admin rights" = while not easy, you could probably give
them a non-admin account on the box and increase their privileges to meet their
needs.
/Guido
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
It is not supported to change the name of a server on which Exchange is
installed.
Thus you can't change the name of a DC while Exchange is installed upon
it. Exchange will break.
For more information: http://support.microsoft.com/kb/842116
-Original Message-
From: [EMAIL PROTECTED]
Frank,
The manager should really be asking for a
notification and let you figure out the best way to make that happen, not
specify the how which this list roundly trounced (while I was
trouncing turkey on Thursday.)
I've used blat on a member server
(not a dc, though). There were
Thanks for info the joe and Guido,
Because of our politics where I work, modifying 4 workstations is not that easy. Changing 20 DCs on the other hand is a walk in the park.
If I do not remove all of the filelinks manually, aren't they going to age out automatically after 60 days?
Thanks
Errr... trust creation process! :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, November 28, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.
Brad,
Have you attempted to connect to the C$
Max: 999,999,999 days or 2,739,726 years (not including leap years)
the network latency must be very very high if even this is not enough... maybe
we can undelete some dinosaurs... ;-)
Jorge
From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Mon
Rick Kingslan burped the following on 25/11/2005 4:24 PM:
So Rick, you have started burping answers? ;-))
jorge
From: [EMAIL PROTECTED] on behalf of Harald
Sent: Mon 11/28/2005 6:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Server
Can you create a new group of these users, then apply a GPO
granting them all the rights/permissions they need but simply disallowing them
the Shutdown the System right?
Regards,
Mike Burns
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santos,
Pavel
Sent: Monday,
Actually not true, this changed in Exchange SP1...now that said. we
STILL do not recommend renaming in SBSland because of Sharepoint. That
is what gets totally screwed these days with a domain rename on our
boxes. [yes a MVP tried it, Exchange made the trip just fine, Sharepoint
did not]
What are you using to backup?
Most backup applications (i.e. Veritas) will
mail notifications via the SMTP protocol with no need for an actual mail
client.
I concur with Joe - you should run as
little (un-needed) applications on a DC as possible - you're asking for
trouble with
I did it in the Default Domain Controller policies several years ago
while still at 2000 native when the recommendation first came to light
and it's never proven to be an issue in our environment
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Right back at ya :O)
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, November 28, 2005 10:30 AM
To: [EMAIL PROTECTED]
Subject: FW: [ActiveDir] Tombstone value
You are alive!
Happy
I don't see anything in that article that disagrees with what I said.
You can't change the name of a DC while Exchange is installed on it.
In fact, the article you quote specifically agrees with me:
Exchange must not be installed on domain controllers
To use the domain rename operation,
Okay so maybe that was a lousy link
Download details: Microsoft Exchange Server Domain Rename Fixup
(XDR-Fixup):
http://www.microsoft.com/downloads/details.aspx?FamilyID=24B47D4A-C4B9-4031-B491-29839148A28C&displaylang=en
Exchange for Experts: Be The Master Of Your Domain Rename With Exchange
Oh sorry ... DCs. hello. not reading... it's Monday.
Reality is that we've tried it on a SBS box ... Exchange 'can' make the
trip. Not Microsoft approved of course, would not recommend it and
Sharepoint freaks.
Michael B. Smith wrote:
I don't see anything in that article that
How well does SharePoint deal with a domain rename in a NON-SBS
environment?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 28, 2005 10:01 AM
To: ActiveDir@mail.activedir.org
Subject:
where are these users storing these files? Locally?
From: Rimmerman, Russ [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] File Synchronization
Date: Mon, 28 Nov 2005 10:27:47 -0600
I recall some discussions about this before
All,
For reasons too long and boring to mention, I have been
asked about the following scenario:
Create a regular normal everyday user
Give that user full control over all objects in the domain
The user is NOT part of the Domain Admins group
Does the membership of the domain
Well, if they truly have full control over all objects,
then they could add themselves into the Domain Admins group. Moot
point...
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Morley, Scott
Sent: Monday, November 28, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject:
Those still agree with me.
You can't change the name of a DC while Exchange is installed on it.
This means you can't rename a domain if Exchange is installed on a DC.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS
I've tried it on a single server box (i.e., Windows Server 2003, DC/GC
with Exchange Server installed), not SBS though. Most works. Mobility
didn't work and FBA didn't work. I spent some time looking through A/D
and the metabase to figure out why, and those could be fixed. Not worth
the hassle IMO
See follow up note regarding reading comprehension level on a Monday.
Michael B. Smith wrote:
Those still agree with me.
You can't change the name of a DC while Exchange is installed on it.
This means you can't rename a domain if Exchange is installed on a DC.
-Original Message-
From:
You can't guarantee to stop them but you can slow them down
by creating a new group and adding it to the shutdown computer right and remove
admins.
I did this at a company that had previously given out admin
to everyone who had any app on a server in the datacenter. The servers were
They don't age out. You need to delete them. MS cleans up
very little in the directory automatically. Actually I was having an offlist
conversation with one of my MS friends about this topic in regards to the
previous FSP question. When deleting them it isn't too much impact, however,
when
Ditto.
I also added a piece to the DC Scripts that are run on a machine after it
has become a DC so that it gets shutdown before the first reboot after the
policy applies (which is when policy will not restart it). If you don't use
DC Scripts or other processes like that you could add it to the
Other than Hunter's extremely valid point, being a full
admin of all AD objects does not imply you have all the rights of a DA. DAs are
by default part of the domain's local admins group which is also not captured by
having full control of all objects in AD but grants all sorts of
I will admin to being one of those
Admins.
Can you recommend a good book that shows a clean up
best practices for all those items that require manual
cleanup?
Thanks!
Bob
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Posted At: Monday, November 28, 2005 3:10
ehhh... according to the KB article (http://support.microsoft.com/?id=312403)
objects do age out..
QUOTE
It is not critical that you manually delete the Distributed Link Tracking
objects after you stop the Distributed Link Tracking server service unless you
have to reclaim the disk space that
If I understand what you want to do correctly,
you can parse the contents of individual cells in Excel via the Data - Text
to Columns dropdown dialog.
Al Maurer
Service
Manager, Naming and Authentication Services
IT
| Information Technology
Agilent
Technologies
(719)
590-2639;
Hmmm interesting thing you bring up Joe
cleanup defaults and for that matter, other configuration
defaults. Microsoft could set defaults on all these things, but I doubt
the defaults would work as one-size-fits-all. A book could be written
giving lots of various things like this that
Just a quick question here. I thought a new group was
the way to go here, being given the appropriate rights/permissions. But
why would you give this group the Shutdown computer right when that is the
problem in the first place? The admins would still have the right and so
would the new
Dear joe,
Did you really mean "and remove
admins" or did you mean to say "and remove TheNewlyCreatedGroup"? If the
former, could you please explain?
Thanks.
RH
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Might be a problem if the service is disabled, no?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, November 28, 2005 1:22 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
I guess if I had to do this, I'd cheat. Create a new DC, demote the
Exchange/DC box to just Exchange, then do the rename. That's assuming we're
not talking about SBS (I didn't see that in the original post) and that just
demoting the DC without a replacement was not feasible.
Al Maurer
here is a script that you can
use. It dumps the group to a spreadsheet with column headers. Modify
as you see fit
Diane
On Error Resume Next
CRLF=CHR(13)+CHR(10)
strADName = InputBox("Enter Complete LDAP DN for desired
group","Group
Yes, but if you have disabled the service on all servers as the thread
is discussing what is going to do the cleanup?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Posted At: Monday, November 28, 2005 3:22 PM
Posted To:
So they don't age out if you disable the DLT-S-S, only if you stop the
DLT-C-S and let the DLT-S-S run for another 90 days.
Hmm - thinking if it wouldn't be neat to use dynamic objects for DLT (and
DNS?)
Ulf
|-Original Message-
|From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
I think he said to then remove the Admins from that
right also. Then you would only add users who "SHOULD" be able to shut it
down to the special group.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Mike
Posted At: Monday, November 28, 2005 4:00 PM
Posted To:
Shhh, I wasn't going to say anything though I did submit a correction to MS
for the KB
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, November 28, 2005 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
If you want somehow prevent admins from rebooting the system remove
them from the local security setting which enables them to shutdown the system.
Note: the other group joe mentioned is created so you can control
who's able to shutdown the system (such as domain admins)
Note 2: the
You add the new group to the shutdown the server user
right. You remove the admins group from it. Then you add anyone who SHOULD be
able to shutdown the server to that new group.
Obviously the *correct* way to fix this is to remove the
developers from the admin group, but I expect if you
Yep, that is what I meant, I explained it a little more in
another response I just sent.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, November 28, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preventing local admin from
Exactly.
My point in the offlist discussion was that MS absolutely
needed to come up with better ways to determine if something was actually being
used or not. For instance, are user IDs really being used or not? Are mailboxes
really being used or not. It definitely isn't an easy problem
Base assumption that I took and I expect Hunter took is
that FC was granted to all objects, that includes correcting the permissions on
adminsdholder.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, November 28, 2005 4:24 PM
To:
Aric,
You are correct on that... I'm referring to Joe's remark They don't age out.
You need to delete them
As the article mentions, if the DLT client service does not update them the DLT
server service on the DCs will age them out. Another solution could be disable
all DLT client services
Heh. I don't think one exists.
Items off the top of my head that need to be cleaned
up
o Inactive users (temp users and/or turnover)
o Inactive computers
o Inactive groups
o Group memberships of groups that are still active but
contain members that shouldn't have access
o Unused or
If you are stopping / disabling DLT-S-S, I am assuming you would also do the
same for DLT-C-S? If you don't have a server service, not much for a client
service to do, right?
Thanks,
JD
-Original Message-
From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED]
Sent: Monday, November
Can AD have a mix of OS Domain Controllers?
I have an AD with windows 2000 DC and I wanted to add another DC with windows
2003 OS. Will there be any issues? Will the process be different?
Thanks
Antonio
It's not supported to run dcpromo on an Exchange server.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday,
Title: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
The objects don't age out. A service cleans
them up.
AD doesn't clean them up. It is on par with saying that old
computers age themselves out because you run oldcmp to clean them.
Something that
Yes, 2000 server can participate in a mixed 2003 domain (or 2000
functional domain).
Once you add a 2003 DC, you'll be running a 2003 domain.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On 11/28/05, Antonio Aranda [EMAIL PROTECTED] wrote:
Can AD have a mix of
Hello,
I got
a weird problem on a member server (2003) running MS CRM, SQL and our intranet.
Every
time you are accessing the intranet or the CRM site you get a pop up window for
identification. It then does not accept any user name and password. Everything
worked fine until last week
Once you add a 2003 DC, you'll be running a 2003 domain.
It depends what you mean by a 2003 domain. There are some important
changes when you run adprep /domainprep (the Everyone group change in
particular), but the domain functional level will remain at 0 until all
the DCs in the domain have
What are the errors you are getting in the error logs? IIS access logs?
CRM 1.2 or 3.0? {I'm assuming 1.2 since 3.0 is just out}
CRM uses integrated authentication on that web app if memory serves me
right...given that its both your CRM and your intranet what IIS changes
did he/she make? I
What Ed wrote.
To add on: See KB 822179 and the proper method of cheating would be to
use the swing server method, also known as the Ed Crowley Server Move
Method for most of the last decade, to move the Exchange stores to
another server and remove Exchange from the DC/server, even if
Should be error messages in your IIS log files though and if you have a
system state backup from before the changes that would have those [or
should have those] old AD values?
When it fails to log in what's the resulting error code? 401.1?
Something like that?
Also I've seen permission
Now this is fun...
The AD Schema contains the following attribute:
distinguishedName=CN=drink,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN
CN=drink
adminDescription=The drink (Favourite Drink) attribute type specifies the
favorite drink of an object (or person).
isSingleValued=FALSE
;-)