RE: [ActiveDir]Active Directory and Group Policy changes monitoring tool

2005-12-20 Thread neil.ruston
Take a look at Netpro tools too. (ChangeManager and ChangeAuditor) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: 19 December 2005 11:00 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir]Active Directory and Group Policy changes monitoring

RE: [ActiveDir] Alternate NetBIOS/DNS name for W2K3 DC

2005-12-20 Thread Snoeijen, Helmuth
Thanks for the tip. After implementing the registry key, it seems to work;-))) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: dinsdag 20 december 2005 4:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Alternate NetBIOS/DNS name for W2K3 DC

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-20 Thread Brett Shirley
Ignoring the fairly over-discussed if every DC is a GC anyway, the Infrastructure FSMO / Master (IM) can be on GC aspect ... In the standard forest (if there is such a thing) with a mix of DCs and GCs, the Infrastructure FSMO must be on a non-GC, for both win2k and win2k3. There has been no

Re: [ActiveDir] another dhcp question

2005-12-20 Thread AdamT
On 12/19/05, Tom Kern [EMAIL PROTECTED] wrote: What are the pros and cons of using reservation with unlimited lease instead of static addresses for servers and network printers? You're probably better off sticking with static IPs for servers. In case the DHCP server falls over, anything

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-20 Thread Thommes, Michael M.
Hi joe, If it's not too much trouble, could you list the steps you take (including wait times) to replace a DC with the same name? I am especially interested in how long a particularly named DC would not be available to the AD audience. Thanks! Mike Thommes -Original Message- From:

Re: [ActiveDir] Exchange mailbox backup problem

2005-12-20 Thread AdamT
On 12/19/05, McNicholas, Joe [EMAIL PROTECTED] wrote: For 5 mailboxes, just export them to PST files from Outlook, and then re-import them when connected to the new server. Can you do that for mailboxes 2Gb? -- AdamT Maidenhead is *not* in Kent List info : http://www.activedir.org/List.aspx

RE: [ActiveDir] Alternate NetBIOS/DNS name for W2K3 DC

2005-12-20 Thread joe
I see this most often when people are replacing file servers or collapsing multiple file servers into one file server. That way they don't have to go touch all of the clients or worry about changing logon scripts, etc. Me, I am on the flip side of Susan, I see no issue with multiple names, I

Re: [ActiveDir] password changer

2005-12-20 Thread Al Mulnick
That's what I'm after. I was hoping Al had a way to query the password policy vs. trying the new password and seeing if it works/capturing the error code else writing a function that manually checks it. Al(M) On 12/19/05, joe [EMAIL PROTECTED] wrote: I think AlM is pointing out that it isn't

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-20 Thread joe
Excellent thanks for the info Brett. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, December 20, 2005 5:32 AM To: ActiveDir@mail.activedir.org Cc: 'Send - AD mailing list' Subject: RE: [ActiveDir] Reducing number of Global

[ActiveDir] exchange 2k3 install(OT)

2005-12-20 Thread Tom Kern
If I run setup for exchange 2k3 in a domain with an exchange 2k FE server will that be enough to stop the setup on exchange 2k3? I can see that it checks for the existence of a FE server and I know exchange 2k can't be a front end for an exchange 2k3 backend but I didn't know that was a deal

Re: [ActiveDir] Exchange mailbox backup problem

2005-12-20 Thread Al Mulnick
With OL2003 or later you can. For earlier versions of Outlook, you'd have to use multiple PST's. FWIW, it's not a best practice to mailboxes that are =2GB. Why? Performance can really be bad with remote access, anti-virus scanning, etc. Better to break that up or archive if you get the chance.

RE: [ActiveDir] Exchange mailbox backup problem

2005-12-20 Thread Joe Pochedley
If you use Outlook 2003 to do the Export/Import, then you can have a PST 2Gb. Unfortunately Exmerge doesn't support PST's 2Gb yet (it would be nice of MS to update that tool). FYI: http://support.microsoft.com/default.aspx?scid=kb;en-us;830336 Joe Pochedley A computer terminal is not some

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-20 Thread joe
Well there were two possible cases. The first is reload in place. This is where you take a DC and reload the OS that was on it with a newer version of the OS and repromote. We had an automated load process that once the image was copied to the DCs spare disk it would take about an hour or so to

RE: [ActiveDir] exchange 2k3 install(OT)

2005-12-20 Thread Michael B. Smith
You should not be able to install a 2003 backend in an administrative group where you have 2000 front ends. You should be able to install a 2003 front-end in an administrative group where there are other 2000 front-ends. function returns true if an error occurred isFrontEnd, a byref

RE: [ActiveDir] password changer

2005-12-20 Thread joe
Querying the normal policy is easy, the hard parts are password history and the custom complexity filters. A custom complexity filter is not indicated in the directory at all and can bounce a password for any reason be it length, characters, time of day, whether it is a set versus a change,

Re: [ActiveDir] exchange 2k3 install(OT)

2005-12-20 Thread Tom Kern
thanks. I assume a FE server can be a front end to any exchange server in the entire ORG regardless of domain or admin group but Exchange setup only checks for FE's in its Admin group to see what version of exchange the FE is running? Thanks again On 12/20/05, Michael B. Smith [EMAIL PROTECTED]

RE: [ActiveDir] Active Dir web based management

2005-12-20 Thread Rimmerman, Russ
I just installed this and looked at it for the first time. Very cool. How does it work on Win2k3 and Exchange2k3? It does seem a bit slow, but it works good. Is anyone using this in a production environment today? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

[ActiveDir] adminCount attribute

2005-12-20 Thread Rimmerman, Russ
I have a user that was migrated from our old NT4 domain into our AD domain as a domain admin. We removed him from domain admins on the AD side. I set his 'adminCount' attribute to blank from 1 so others could modify his account. Every time I blank out the 1 setting, I look the next day

Re: [ActiveDir] Alternate NetBIOS/DNS name for W2K3 DC

2005-12-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Didn't say it was a best practice at all on DCs... it's just that as usual on SBS we tend to throw 'best practices' right out the window [and DON'T EVEN get me started on what STUPID QB 2006 requires you to do on a server [any server] to share out the database on their new sybase

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Almeida Pinto, Jorge de
The adminsdholder process only looks at users and groups that are defined in AD as protected objects. As mentioned in MS-KBQ817433 - "Delegated permissions are not available and inheritance is automatically disabled" it is possible to include or exclude some of the default admin groups

RE: [ActiveDir] OT: SFU download...R2

2005-12-20 Thread Douglas M. Long
Hmmm, I was getting the 404 error. I even called MS and they said it wasn't available via download. Looks like I can get to it again. Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Monday, December 19, 2005 6:02 PM To:

RE: [ActiveDir] Active Dir web based management

2005-12-20 Thread Craig Gauss
Me too please [EMAIL PROTECTED] Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen Sent: Monday, December 19, 2005 8:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Dir web based management Please add me to

[ActiveDir] Script to find Computers under particular OUs

2005-12-20 Thread Jitendra Kalyankar
I am trying to find a way to write script. The scenario is a bit like this, I have few OU under which there are Computers. I need to check if computer names are supplied from the text file then it will have to run against those particular OUs. If it can find machine under those particular OUs

RE: [ActiveDir] Script to find Computers under particular OUs

2005-12-20 Thread Bahta Nathaniel V Contractor NASIC/SCNA
What language are you writing this in? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar Sent: Tuesday, December 20, 2005 11:10 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Script to find Computers under particular OUs I am trying to find a way

RE: [ActiveDir] Script to find Computers under particular OUs

2005-12-20 Thread Creamer, Mark
Wouldn't it be faster/more efficient to search for all computer objects and output the entire distinguishedname (which would obviously include the ou name)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar Sent: Tuesday, December 20, 2005 11:10 AM

Re: [ActiveDir] Script to find Computers under particular OUs

2005-12-20 Thread Jitendra Kalyankar
VBScripting would be great. I can do the dump of entire AD but just want to know how to script for particular set of OUs. Sincerely, J On 12/20/05, Creamer, Mark [EMAIL PROTECTED] wrote: Wouldn't it be faster/more efficient to search for all computer objects and output the entire

RE: [ActiveDir] Script to find Computers under particular OUs

2005-12-20 Thread Marcus.Oh
If you've got the logic to dump it all, can you not set the base to the OU you're wanting? :m:dsm:cci:mvp marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar Sent: Tuesday, December 20, 2005 11:31 AM To:

Re: [ActiveDir] Script to find Computers under particular OUs

2005-12-20 Thread Jitendra Kalyankar
Okay I got it. I will script as you mentioned in your second para. I know I can count on you guys Sincerely, J On 12/20/05, joe [EMAIL PROTECTED] wrote: Writing it this way is very inefficient. It would take x queries to look for each computer where X is the number of OUs you want to check

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Rimmerman, Russ
The user was removed from all protected groups long ago. The problem is, his adminCount attribute is still getting set back to 1. I set it to not set, enable ACL inheritance and set his default permissions back, and an hour later I re-check his account and adminCount is set back to 1, and

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Rimmerman, Russ
I did just find that he's a member of a group which is a member of Account Operators group. So I need to remove him from this group in order for his adminCount to stay not set? If that's true, then I will have to delegate him permissions at the top since he can't be an Account Operator

[ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread deji
I don't remember reading this in any of the materials I've seen to date. Is it true that after flipping the Forest Functional Level to Windows 2003, any subsequent domain added to the Forest after the flip will default to DFL 2003? This appears to be the case in my tests, and I am wondering if I

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Tony Murray
That's correct. In Windows 2000 SP4 and in Windows Server 2003 the Account Operators group is protected. For a full list of protected groups and accounts, see the following KB article. http://support.microsoft.com/?kbid=907434 Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Marcus.Oh
That's basically it, Russ. :m:dsm:cci:mvp marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, December 20, 2005 2:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] adminCount attribute I did

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Almeida Pinto, Jorge de
Hi, What do you mean with I will have to delegate him permissions at the top since he can't be an Account Operator anymore. And by the way... which top? Jorge From: [EMAIL PROTECTED] on behalf of Tony Murray Sent: Tue 12/20/2005 8:55 PM To:

RE: [ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread Almeida Pinto, Jorge de
Hi Deji, Yes, it is true. If the FFL is set to W2K3, then that means that all CURRENT and FUTURE domains will be at DFL W2K3. If that was not the case and you would be able to introduce a domain with DFL W2K native then it would also be possible to introduce W2K DCs. And that is impossible in

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Rimmerman, Russ
Well he's a helpdesk guy that needs to be able to reset passwords for everyone in the domain, so I would need to delegate him permissions at the highest level OU, whereas right now he's in account operators so he automatically can do it. Once I remove him from account operators, I'll have

RE: [ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread deji
Thanks, Joe. I'd just take it as a given - especially now that you've chimed in :)) - and go with the flow. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were

RE: [ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread deji
Yeah, Jorge. I guess this will have to do for now. Many of the people I deal with like to ask but why?, so that's why I tend to look for the whys of a function. At least now I have something along the line of because Joe, and Jorge and MS say so :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread joe
If all he needs to do is reset passwords you want to do this anyway. Acc Ops have considerable rights over groups and users as well as the capability to add groups/users as desired. Obviously delegate to a group versus the person directly. You may want to delegate the ability to unlock

RE: [ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread deji
M A is certainly one of the scenarios. The most pressing need for me to know the reasoning behind it is the possibility that I may have to stand in front of a bunch of folks who would want to know WHY. Being able to technically articulate the reasoning is always very helpful. Having a supporting

RE: [ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread deji
BTW, Jorge (and Tony), the Trust thing works fine inside Virtual Server - without a need to make passwords identical :) You think it's time for you guys to switch from VMWare? LOL Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread joe
Yes absolutely that is exactly how it works. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Tuesday, December 20, 2005 4:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] adminCount attribute Hi joe, Just a notice: "this delegation will not

RE: [ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread joe
Yeah understood. The why is the simple explanation of things would break. It is why the requirements exist in the first place for the functional level of the domains. Anything that can't support that domain level can't work in that level forest so are disallowed forever of becoming part of it.

[ActiveDir] DFSRadmin command line [no GUI ugh]

2005-12-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://www.microsoft.com/downloads/details.aspx?familyid=49caf978-49e9-4eb6-9cc9-72b5dd160505displaylang=en Describes key scenarios for using DFSRAdmin Command-line Tool -- Letting your

RE: [ActiveDir] FYI: Failing to create a trust

2005-12-20 Thread Tony Murray
Hi Jorge Just finished testing with Virtual PC 2004 SP1. No issues found. The trust was established without having to match username and passwords. You've probably seen Deji's email saying he also had no issue with Virtual Server. I'm