Hi,
Windows 2003 FFL, Single Domain.
I have an issue whereby I have delegated permissions to the top of an OU Tree with 8 OU's beneath it. There are approx 15 objects.
I delegated these permissions 6 months ago, but our new helpdesk team are complaining now that every so often they
James,
Is the user you're modifying a member of a protected group?
Take a look at this entry, maybe related to your issue.
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
Regards,
Iain | IT Services |
Infrastructure
From: [EMAIL PROTECTED]
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Friday, May 19, 2006 10:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Permissions not populating to every
Thanks Joe. I have now used your great adfind tool to find what I'm looking for. Now have one more question on how to use the output.
This is a sample output:
dn:CN=Group1,OU=Groups,OU=Production,DC=help,DC=com
dn:CN=Group5,OU=Groups,OU=Production,DC=help,DC=com
member:
For those of you that use IE7 and go to all the blogs on Dirteam (Jorge,
Tomek, Neil, GPO Guy), you might get a Suspicious website report from
IE7 (see
http://blogs.dirteam.com/blogs/carlos/archive/2006/05/17/988.aspx) this
is an incorrect report and I have contacted the IE 7 team internally
Title: The KCC and detecting DC failures
Apologies for the repeat post.
Does anyone have any experience of the change proposed
below?
Thanks,
neil
---
The following article describes how the KCC will detect a DC failure if replication fails 1 time and continues
My first question would be, why are you wanting to change the interval
in the first place, do you suspect that your DCs are failing at a more
frequent interval?
Carlos Magalhaes
[EMAIL PROTECTED] wrote:
Apologies for the repeat post.
Does anyone have any experience of the change proposed
Hi Carlos,
The algorithm used is this:
- If the KCC detects that a replication partner fails to respond to a
replication request 1 time (inter site) then a timer is started.
AND
- If the partner fails to respond to subsequent attempts and the timer
reaches 2 hours, then the KCC chooses another
Ken,
Thanks for the help. The problem was someone felt the need to audit
computers objects in my testlab and was walking behind me turning off
that specific computer for delegation. Grr.
-Brandon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken
I have an interesting problem, any suggestions welcome.
4000 laptops
5 sites
Each site has 2 wifi access points (with aerials over the entire site)
So 10 ssid's
Windows 2003 SP2 AD infrastructure.
I need to get users to connect to a specific AP on the site where they currently are.
No more
Not sure this solves your problem however.
If you want to find out what the current site is and map the user based on that, I have to assume you're talking about AD site and not physical site. I suspect there will be a chicken and egg problem that occurs trying to figure out what ssid grouping
Hmm...
Not sure this is what you're looking for, but DSACLS will give that information to you. If you don't set permissions with it, it can report the current permissions. But it's a lot of information to wade through even when you're done. I think if you wanted to script it, you'd want to shove
Title: DSACLS bug maybe?
Has anyone seen this issue before?
If you create a computer account in ADUC, then type DSACLS DnOfComputerObject it will spit out the ACL's on it. However, if you create another computer account and delegate out who can join it DSACLS can't spit out the ACL's.
How does one undo a GTP partition/disk?
-Z.V.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Title: DSACLS bug maybe?
Yep, this has been bugged by Ulf and myself (at the very
least) quite some time ago.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent:
Title: DSACLS bug maybe?
Yes - I've found this bug in 2k4 and have reported it to Microsoft. Recently I have been approached (after complaining to someone in the DS-Group at MS) if this bug is still there, and I've confirmed that it's still there with R2 and was told it will be looked
Title: RE: Linking an auxiliary class to a structural class
Ok, I figured it out. You can't link a systemAuxiliaryClass unless it's done at class creation time. This will work though. It took me a bit to figure this out since I've never done a modify with an add before.
dn:
Title: RE: Linking an auxiliary class to a structural class
Yep...
That goes for
systemAuxiliaryClass
systemMayContain
systemMustContain
systemPossSuperiors
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Anyone know a way to easily filter out disabled accounts from the oldcmp
-users report? Would one have to use some sort of bitwise filter from a
translation of a useraccountcontrol 66048 value or something?
Disabled accounts are marked by having bit 1 list on userAccountControl
(value 2)
To exclude them you want -af useraccountcontrol:AND:=2 and -bit
I just realized I have an -onlydisabled switch, I should add a
-onlynotdisabled I guess...
--
O'Reilly Active Directory Third Edition -
Title: DC Demotion and Certificate Services
We will be demoting one of our domain controllers to a member server, which also happens to be running certificate services. Before demoting, however, I must of course remove certificate services. The only certificates it has issued are for domain
Title: DC Demotion and Certificate Services
I take it you're using an Enterprise CA and issuing via the Domain Controller Template?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, May 19, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject:
Title: DC Demotion and Certificate Services
That is correct.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday 19 May 2006 13:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Demotion and Certificate Services
I take it you're using
hmmm
How about -onlyenabled? :)
Ya know...just because...
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question
Date: Fri, 19 May 2006 11:41:21 -0400
Disabled accounts are marked by having bit 1 list on userAccountControl (value 2)
Hmm that may work. I will have to send it into the design committee and see what they think.
;o)
TGIF.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, May 19,
I just realized I told you how to INCLUDE disabled accounts - you want NOT
DISABLED accounts. So you want to NOT what I indicated, however you have to
add to it to avoid a false positive.
-af (&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))
One thing to note with NOT filters... Well two
OK cool. If you add the -onlyenabled switch, that would be REALLY cool! :)
From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/19/2006 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question
I just realized I told you how to
+1 for onlynotdisabled g
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question
Thanks Jef, I'll give it a whirl
From: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [ActiveDir Digest]
Date: Tue, 16 May 2006 09:12:09 -0500
Reply-To: ActiveDir@mail.activedir.org
Jeri,
System ODBC DSN's are stored in the registry at
HKLM\SOFTWARE\ODBC\ODBC.INI\DSN NAME.
The DSN names themselves
Title: DC Demotion and Certificate Services
When opening my GPMC under User Configuration Windows Settings, I only have one option, Remote Installation Services. I am missing all the other options, any suggestions? I downloaded and installed the latest from Microsoft's site today but that
Hmm...then you could add -notonlynotdisabled to return disabled users just to keep with the flow...
Subject: RE: [ActiveDir] OldCmp question
Date: Fri, 19 May 2006 17:08:03 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
+1 for –onlynotdisabled g
Thanks,
Brian Desmond
[EMAIL
Title: DC Demotion and Certificate Services
Check out the KB article I wrote on this: http://support.microsoft.com/default.aspx?scid=kb;en-us;555218
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools
Ok, here's my scenario. In the process of rebuilding
a domain because of misconfiguration by a previous vendor, we decided that we'd
just replace the server completely with a newer server. The old server's
AD domain was company.com, and running Windows 2000 Server. However, it's
not a
This is how I'd configure a server
for peace of mind. One drive for the OS, and then a separate RAID 5 for
the data. When building the server from scratch, you can create an image
of the system drive after you're done. If the drive crashes,
you can just restore the image, restore any system
Can't you just seize the FSMO roles?
If the old PDC isn't there... ntdsutil and just seize them?
When you can only have one PDC/FSMO holder in SBSland... and we're
migrating across... we just rip the little suckers across and seize
them. Now mind you ... keeping the same domain is way better
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller:
http://support.microsoft.com/?id=255504
The command will take a few nanoseconds longer as it says sorry can't
transfer, I'm seizing... but would that work?
Didn't know if this would help in any way as well...but this
Wow - that would be frustrating. Glad you got it sorted.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to
know about MOM 2005
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
:
Thinking along with Susan here.
First:
but in mixed mode AD, their NetBIOS domain names are just company.
Nothing to do with the mode here. NetBIOS names are whatever you set it to
be.
So, in your situation, I'd power down the old DC. Seize all the roles that
has been given up by this new
Thanks for the info. Since most of the data has been copied over, I can
remove the old server from the network and just use a USB drive to copy
anything over that I missed. So I think I will go this route. I'll try it
this weekend to see.
Thanks again. Glad it's not completely hopeless.