Return Receipt
Your document:
RE: [ActiveDir] Is there a way to force users to logon to domain?
was received by:
nelson yong/IT/KSL
at:
17/05/2006 02:25:29 PM
first thing comes to mind is using WMI and check for the DNS server service and
that it is also started
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
For /F %a IN ('dsquery server -o rdn') do portqry -n %a -e 53 -i|find /i "listening"
This will check if the server is listening on 53, but it won't tell you
whether it's MS-DNS or not.
Sincerely,
Darren,
SA rocks, although things are a bit cold at the moment - for us cold is
single figure above 0 ;)
Hm, have seen stuff around the profile as well, but not always
consistent enough to point a shaking finger at it and lay blame there.
Turns out that ADMT failed to migrate sid-history and
Feigin, Andrew wrote:
Does anyone know how to request one from MS?
I used OIDGEN for my test environment, however for production I was
advised to use a real one to avoid a possible collision.
Use this link:
http://msdn.microsoft.com/certification/ad-registration.asp
--
Tomasz Onyszko
Providing you have up to date scripting engines loaded you can encrypt
the script to keep casual eyes away:-
http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Hello Freddy,
Interesting post I am (with a few others) building the same type of
tool: http://blogs.dirteam.com/blogs/carlos/archive/2006/04/26/891.aspx
this tool is built in .net though. One of the outputs we were going to
be HTML (I like what you have done) maybe you want to integrate we
Hi Carlos
Cool, are you guys building ADST similar clones? :)
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
You can change them remotely.
http://www.ultratech-llc.com/KB/?File=Passwords.TXT
Changing them via GPO simply means that the password will have to reside locally on the system, and there's no reason for that...
-ASB
On 5/16/06, Joe Lagreca [EMAIL PROTECTED] wrote:
Sergio,That is the approach
Let's take this offline so we don't pollute Tony's list ;)
To answer your question: ADST clones - No I was not even aware of ADST :P
I was just tired of always doing things manually or using different scripts.
C
Freddy HARTONO wrote:
Hi Carlos
Cool, are you guys building ADST similar clones?
Ok just spoke to Freddy offline ADST is known now as ADRAP internally ;)
just so we clear things up:)
Carlos Magalhaes
Carlos Magalhaes wrote:
Let's take this offline so we don't pollute Tony's list ;)
To answer your question: ADST clones - No I was not even aware of ADST
:P I was just tired
Carlos,
If you were asked to 'sell' your new utility, how would you pitch it?
What is its purpose? Why would someone buy it? What is its 'raison
d'etre'? :)
Given that we have various tools out there which help to troubleshoot
and/or administer and/or monitor the environment, I wondered where
Title: OT: Self grown AD webtool sample output - any takers in joint dev?
I'd be happy to take a look Freddy, I'm permanently on-site now so my joint dev. efforts would be sporadic at best but I would hope I'll have something of value to contribute.
Nice work!
--
Dean Wells
MSEtechnology
*
Dump the msDs-masteredBy attribute of the forestDNSzones NC head to determine the DCs running 2K3 upon which MS' DNS is installed and is (or at least was) running. You can further qualify that list using WMI or SC.EXE or any means of remotely querying the installed services. This is quite
I agree Dean it is very good work :-)
-Original Message-
From: Dean Wells [EMAIL PROTECTED]
To: Send - AD mailing list [EMAIL PROTECTED]
Sent: 17/05/2006 12:38
Subject: RE: [ActiveDir] OT: Self grown AD webtool sample output - any takers
in joint dev ?
I'd be happy to take a look
Hello Neil good to hear from you :-) as a Microsoft employee I am not allowed
to sell software ;-) which will *probably make it free. That alone will
position the application as I am aware of the prices on similar applications.
It's not meant to be a killer app, it's meant to help you guys as I sure
I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560pc's, on 8 networks (some remote some vlans). I have 2 DC's at my main site with one at each remote site. All
Hi Deji,
I was thinking about the following but the results are wrong (and I
don't understand why!):
For /F %a IN ('dsquery server -o rdn -forest') do srvinfo \\%a |find /i "DNS Server"
Can anyone tell me what I am doing wrong? Thanks!
Mike Thommes
-Original Message-
From: [EMAIL
Have you not figured it out yet joe? I'm tormenting you ;)
not really - this is really friggin' annoying actually
The reason I haven't gone back to hotmail is that it's extremely annoying to try and read threads. Gmail is great for that vs. hotmail which can't cope. To date, I must be the only
Not that I can read these easily, but...
What occurs to me is that you want the users to start using the domain logon only. If you set the cache to 0, as you likely reasoned out already, the user would have to be always connected. That's not good in an increasingly mobile clientele.
"Force"
At the very least it (DNS) should be on ONE of the DCs.
I personally do not have an issue with DNS running on all of my DCs - -- which it is. I have heard/read all the arguments for and against. I still have no issue - - (Searching for wood to knock) I've not had an issue/conflict once.
For some strange reason when I use the GPMC, highlight a policy and select the settings tab I get an "unspecified error" and the policy settings do not display on the right side. Anyone aware of anything causing this problem. I installed the 2003 SP1 GPMC when it came out. Please help. I
Which blog entry...
-ASB
On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote:
I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560pc's, on 8 networks (some
This one
http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/939.aspx
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Wednesday, May 17, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS on a DC or NOT
Which blog entry...
-ASB
On
Never mind... I just re-installed GPMC (with sp1) and it works now..
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Wednesday, May 17, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPMC error with settings tab
For some
Let me put that into perspective (and from reading the post again I
thought it came across), the blog entry refers to networks with a large
client load. I don't mean do NOT have DNS on your server it recommends
(Option 2) releasing some of the load with the two registry settings,
i.e.
If your DNS is integrated, find a big piece of wood to
knock on... Or keep it around to bang your head on later.
I'll run DNS on DCs if I have to. I will run it integrated
if threatened badly enough.
I recently ran into a nasty DNS problem in an integrated
DNS where DNS would start but
Depending on how many DCs you have in your environment, this might be a non-issue overall.
We have DNS on all our DCs, and no adversity has been observed thus far...
-ASB
On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote:
This one
SO you are concerned about overall load then. This is something that is
addressed in larger orgs often by segregating the PDC off in its own logical
site which is hung off the main site it would normally be part of. That
means it will usually not be used for autocoverage of other WAN sites and it
Thanks Darren that worked. I should have figured that out for myself from the error message. It's been a tough week :)
Much appreciated
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Interesting stuff joe ..
Many of us have used ADI zones for many (well 7+) years now
with little or no issue, in various orgs sizes and types.
I'd like to hear more about this issue, since IMO, ADI
zones offer huge advantages to a typical org over BIND text files. [I won't
expand upon
Title: OT: Self grown AD webtool sample output - any takers in joint dev?
Thanks Dean, ive sent it to you guys via my other mail
account.
let me know offline if you have problems on it,
cheers
Thank you and have a splendid
day!
Kind Regards,
Freddy Hartono
Group Support
Engineer
I'm clear now...
Yeah, our infrastructure is very tiny compared to what you were
referencing. I believe a little tweaking the registry will at least
allow us to share the load a little better.
As for Joe... we actually are AD Integrated DNS and have been since
win2k came out. I don't have any
We have it on all of our DCs as well worldwide and have not seen an issue.
But a question about integrated zones. I had an issue recently where a system owner wanted to know if people were resolving an old CNAME for one of their systems. They wanted to remove it from the zone, but wanted to
Oh ye of little faith.*
_
* My personal views and not those of my
employer, of course.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 17, 2006 6:55
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS on a
DC or
William figured it was best to leave it alone without registry tweaks
(assuming anyone can read this email, I'm hoping I read that right -
William, you likely don't have to worry about it.) Carlos was aiming
that concept at people that have overloaded PDCe's and might need to
off-load some
Neil,
I don't agree with you. When you say compared with the other services
that a DC provides, which services are you referring to (I was referring
in my post to non AD Suite services i.e. NOT: AD Replication, FRS, DFS)
I would like to know what other services you are referring to...
Carlos
Since we are talking about DNS and DCs, I'll post my usual request: AD
integrated secondaries would be a REAL handy thing!
The output of the -forest switch is quoted. This is why you are running into
issues
This is what your Do statement would look like when using the -forest
switch:
srvinfo \\"Name-Of-a-DC"|find /i "DNS Server"
The double-quote is throwing srvinfo off. Someone needs to fix the -forest
switch in
I would say that, in general, ADI zones probably work well
for most people. When it works and things are sunny everything is great, however
when the shape is more pear like it just adds unnecessary issues into the
puzzle. It is very much like most MSFT tech, when things work great, everyone
Too bad you couldn't
enable request logging in DNS itself. Auditing the entry is only going to tell
you at least one thing asked for it, once in the cache, who knows how many
asked. Scale is everything. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Oh my... Stuart Kwan of the Ottawa Kwan clan Should have known a thread combining DNS and AD could bring him out of the woodwork[1]. :)
Good to see your post Stuart. Come to share any interesting tidbits? How about ADI DNS running on members with ADAM?
joe
[1]
Good morning,
Dean marks his messages special so you have to pay attention to them.
What's this windows live stuff? ;)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 17,
Ah crap. There Al goes again. That didn't last long.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 17, 2006 11:26 AM
To: ActiveDir@mail.activedir.org
Subject:
With the upcoming release of Longhorn will it be possible via a tick box or GPO
to disable authentication on a DC? For example when its used as a replication
hub or as a lag site DC? I know how I could do it now, ie SRV records\pause
netlogon but something like this I could control via
How about just performing a query against the directory for all objects that have a value of DNS/* in their servicePrincipalName property? Of course you could restrict this query more by limiting it only to computer objects, etc.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
I think you should also be able to look at the msDS-NC-Replica-Locations on the crossRef object as well.
Maybe something like
adfind -config -rb cn=partitions -f dnsroot=forestdnszones* msDS-NC-Replica-Locations
--
O'Reilly Active Directory Third Edition -
Hi,
I'm up for helping out a bit. Not quite sure how I'll fit in. I've
got quite a bit of experience with batch file scripting, and some with
VB6. Currently playing about with VB 2005 Express (before I fully
commit to .NET). I also have a fair bit of experience with PHP and
PERL, and limited
joe,
I had considered the cache issue, but I figured that since it would be an integrated zone, it would exist on multiple DNS servers. So if each DNS server read the record once, it would generate enough audit flags to let us know it is still being used globally. :)
As I said, it was a standard
Oh yes, obvious like that. ;-)
Thanks.
-- nme
From: Darren Mar-Elia
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 16, 2006 9:39
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to
Determine Who Has Authenticated Against DC
Noah-
Yes, any
That was actually my original post ... but it was harder to identify the DN of the crossRef than that of the NC head (which is kinda easy ;0) and keeping the "query efficiency" mantra in mind, I preferred not to query period and thus changed my thinking and subsequently my post. In
hmmm ... interesting idea but since it must be scoped to a onelevel query at best, a subtree query at worst ... it consumes more resources than merely dumping a single property from the NC head (using a base scope). It may provide a more up-to-date state though ... I don't recollect if the
It's not the thread's topic per se... you inferred a criticism directed toward his "@work" children ;0) ... haha
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent:
Ignore joe ... he's just an LDAP/DS purist ... as a general rule of thumb,
keep the AD representative DNS zones within the directory configured to
accept secure updates only. Use app. NCs or don't depending upon the
forest's config., too many variables and much discussion for me right now on
that
On 5/17/06, joe [EMAIL PROTECTED] wrote:
But enough about DNS, I don't speak about services that start with D. You
have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL Server... You
get the drift. ;)
Doesn't 'Exchange' start with an 'E', though? Or are we dismissing
that as an Off by 1
No I save up my D strength so I CAN talk about Exchange. I talk about and
troubleshoot Exchange more than any AD person who hates Exchange that I
know. :o)
Dean and I just had our annual (or is it quarterly) IM debate on ADIDNS. We
apparently have no influence over each other's opinions in this
I think my company uses Lotus Notes just because it doesn't integrate with anything so less headaches. :(
From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] DNS on a DC or NOT Date: Wed, 17 May 2006 15:32:15 -0400
Ignore Dean. He's going to try and D.O.S. a couple of companies I specified
to him. If you see Dean's name in the papers next to buildings that are
burning to the ground then you can listen to the conspiracy theories that
require running S-DDNS. ;o) How many times was your NT environment DOS'ed
LOL!
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 17, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] DNS on
http://dictionary.reference.com/search?q=mucker
mucker
\Muck"er\, n. A term of reproach for a low or vulgar labor person. [Slang]
Let the Ragin' begin!
(Though I could have sworn it was a lazy way to say "mofo" :) )
From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE:
I have a Win 2003 - installed Exchange Server 2003
Scenario:
I have a user who has configured her Exchange mailbox properly; the user is using a cache mode file (.ost), so far good. Yesterday I configured her laptop because she is leaving the country, I configured (Exchange access over HTTP) plus
Try again - http://www.peevish.co.uk/slang/m.htm - "Noun. Friend. E.g. "Alright my old mucker." [1940s]"
... Neil or Mark or any of the other English folk will no doubt attest to its usage.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From:
Did I not get the memo about this list changing to the Exchange list?
Hmmm... Maybe I need to re-evaluate my filters.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Wednesday, May 17, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]
BTW, anyone know what a mucker is? I am trying to figure out if I am
supposed to be morally outraged. eg
joe
I use mucker as a compliment, but in my vernacular it's used in
reference to a semi-skilled hockey player whose lack of scoring
ability is balanced by his ability to check an opposing
Ah, so that would be a no. I am indeed a low and vulgar laborer. Some of my best work was done when I was a perl diver and I don't mean writing code in a language that came from Larry Wall or dating lovely women in the orient. eg
Course anyone else tries to call me a mucker and I will have
Don't backpedal now ya bloody limey.
(a)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, May 17, 2006 4:35 PM
To: Send - AD mailing list
Subject: RE:
Title: [OT] IIS6 - Kerb/NTLM
OK... I've got a nice issue here and I've been bashing my head against my desk to the point where I need help.
I'm writing a very directory intensive application in C# with ASP.Net 2.0. If I authenticate to the webpage via NTLM my directory calls will fail, this
Just an FYI to anyone working on ADAM SP1 and looking to bundle it... the bundling docs are all wrong. The commands and switches do not work for ADAM SP1. I have started working with MSFT on getting that corrected in the help file, bundling doc, and some other items on the ADAM downloads
Sorry ... I don't understand your comment
On 5/17/06, Hutchins, Mike [EMAIL PROTECTED] wrote:
Did I not get the memo about this list changing to the Exchange list?
Hmmm... Maybe I need to re-evaluate my filters.
From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Milton
Milton (and everyone else), it would be good if you can use OT:
in the subject field if you plan to post something off the topic of AD.
That way others can use Inbox rules to filter the messages out if they don't
want to see them.
In response to your question, I think we need a little
Whats all this mucking about,
eh? Enough skivin off, ya buggas, theres workabe done, and
every little elps ;-)
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, May 17, 2006 3:35
PM
To: Send - AD mailing list
Subject: RE: [ActiveDir][OT]
Title: Removing ADAM from configuration set
I'm currently blowing away the server object and nTDSDSA object I wish to separate from CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN=GUID. Is there a better way to knock it out of the configuration set? I tried using
Title: ADAM Schema Questions
1.) If you have a ton of servers in a configuration set, when you do a schema extension and one box is down will it work? In my test I had two ADAM servers and it would not take the schema update because it couldn't replicate (I purposely broke replication with
That would imply I had a reason to ya pillock ... believe me, you'll know when I insult you ;0)
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 17, 2006
Laura, a Mucker is, in English, a good friend.
You are probably not to be termed a Mucker, other words might apply, but
Jimmy is one of mine and Dean/Joe is one of yours.
Oh, and Joe is old and smells of wee, so pay no heed to his Exchange rants.
Exchange is indeed special because it's such a
What are your requirements? Also if you can get over .Net big footprint,
it's very easy to learn (I came from a VBS background). Nowadays I
struggle more trying to write cmdlets in powershell than anything I can
do in C#.
-Brandon
-Original Message-
From: [EMAIL PROTECTED]
Give the guy a break, instead of giving him a hard time, suggest an alternative
method of resolution. Reading his message he is trying to do the best with the
tools he has/knows about.
-Original Message-
From: Hutchins, Mike [EMAIL PROTECTED]
Date: Wed, 17 May 2006 14:36:14
Milton,
What he is suggesting is that the topic of discussion
typically is about Active Directory (although there are a few off topic posts
about Exchange). I think you'll find that there are better lists out there
that deal specifically with Exchange (the exchange2003-yahoo group is a good
Bernier, Brandon (.) wrote:
OK…I've got a nice issue here and I've been bashing my head against my
desk to the point where I need help.
I'm writing a very directory intensive application in C# with ASP.Net
2.0. If I authenticate to the webpage via NTLM my directory calls will
fail, this is
We've always tried to answer Exchange questions here. YMMV, but most
Exchange admins I know are also buried deep in AD world. Most AD admins I
know also work daily on Exchange. With the close integration between Exc and
AD, I feel that asking Exc-related question here is to be expected.
I agree
then he reconfigured the mailbox and set to use a new .ost file .
The missing emails are very likely sitting in a .pst on the user's computer
and just needs to be attached to the new profile.
Sincerely,
Ensure that there is no filter view on that Outlook client.
Attach via remote access to those workstations. There are times that
the end user has clicked things in Outlook. It's amazing how things
just work when I walk near a desktop.. don't know what that is...
If you can see the ost file
Well, nothing against him at all. I think it is fair enough to ask a tremendous
pool of talent on this list a vaguely (potentially) directory related question.
I am merely voicing my opinion that there seems to have been a rash of Exchange
related questions to the list in the last week or so.
Hi Mark,
You are right - Exchange is great - what I love especially is its
capabilities of administrative delegation.
See you in Boston?
Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
As well as referring to thugs in the NHL, a mucker also refers to a
mineworker. The act of removing recently blasted rock is known as
mucking.
Thomas
P.S: The old Ricci, Sundstrom, S Thornton line (during the D. Sutter
days) for the Sharks were also known as the Mucking Line. Principally
for
LOL.
For those not at the DEC 2006 Dean and joe show presentation, Mark's
'Exchange is SPECIAL' comment is a direct reference to something I said
when bouncing around talking about AD and bad applications. I miraculously
stopped and looked straight at a Microsoft MVP for Exchange (Mark) while
As much as it pains me, I have to agree with Deji, we do handle a
considerable number of Exchange questions here. Most tend towards server
side operation over outlook but all should get the OT badge because they
aren't strictly AD unless the question is Exchange but directly related to
AD
Sorry, should have been a smiley in there somewhere around the first line.
;o)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 17, 2006 7:25
Yep...
Attributes added to the global catalog. ms-DS-Trust-Forest-Trust-Info.
Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner,
Security-Identifier, ms-DS-Entry-Time-To-Die, Message
Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory,
Print-Rate, Print-Rate-Unit
Thanks very much to the people who understand my concern about the question...
I posted the question here although it is not the right place because there are many intelligent people who might understand my petition.
I am going to consider your comments and try to find the right place to
If by period of time you mean "ever" then you have a "cute" little trick you can use and it doesn't require that you ever had auditing enabled...
adfind -h somedc -default -f "(samaccounttype=805306368)(logoncount=1)" logoncount -csv
I know some folks who track that attribute on all DCs
I am not familiar with anything like this being on the drawing board.
Doesn't mean it isn't though.
This is one topic that definitely doesn't need the OT moniker in my opinion.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original
Absolutely concur. In fact, one of my recommendations to Microsoft for the
RODCs that get admin delegation is to disallow domain admin interactive
logons to them once the administrator delegation is enabled. Anyone who
allows non-DAs onto a DC and then still logs on with their DA ID is asking
to
Don't you love GPOs?
I was just chatting with a good friend about them the other
day about GPOs. Seems someone modified a GPO (allegedly only one small unrelated
thing) and all of a sudden the NIC was broken and clustering was screwed and all
sorts of stuff was happening. This prompted me
I agree 100% that it is NOT exchange intolerant, again, just makin an
off the wall comment, didn't mean to p*** anyone off. :-)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, May 17, 2006 3:10 PM
To:
You just like it. :-)
And, for the record, I up until about 2 months ago did Exchange as well
as the AD stuff, we are trying to separate the 2 so I now I do AD and
just help out as sort of Tier 3.5 on Exchange.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Wasn't one of the infamous Dr. J stories about how they had attempted to
gain access to one of the msn servers by having a boobie trap script
like that. If a person had logged in with certain creds it was indeed
set to fire off a script?
Pen test proof of concept story?
joe wrote:
Events and Logging
The Group Policy infrastructure has changed significantly in
Windows Vista and Windows Server Longhorn. Group Policy processing no
longer exists within the Winlogon process but is hosted as its own
service. Additionally, the Group Policy engine no longer relies on the
Hi guys
Just wondering is there a techie solutions to this, example like putting on
a logon script for the domain admins or any other priv accounts - that
pauses any logon scripts or override local scripts.
Logon scripts are still performed LSDO (local site domain ou) models isn't
it? So Local
The solution is do not log on interactively on non-trusted machines. There
is no technical solution. If you think you found one, I can assure you it
can be sidestepped. Administrators own the machines they administrate
completely, there are not levels of ownership where say a domain admin is
more
100 matches