and once you've got the method for updating that attribute in place, you'd
still need to add a way to grant permissions in AD to allow using the
method - right?
I could imagine that this would happen via additional Extended Rights,
similar to other new Rights that have already been added in
if you're running E2k3 in a Win2003 AD, you might want to use the ManagedBy
attribute of the group after all: 2003 has a new function in ADUC, which
simplifies setting the permissions for managing group memberships for the
user defined as the manager of a group.
You just have to select the new
single users listed as who can
manage any one group.
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent
during replication you don't need to reach a GC - but you do need to reach
the _msdcs zone of the forest root, which contains GUIDs of the domains and
all the DCs. These are used to set up the replication links (not the names
of the DCs).
hosting a secondary zone of the _msdcs zone of the forest
realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wed 3/24/2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users
Title: [ActiveDir] disaster recovery
AD is supposed to be an enterprise
directory where most enterprises span the globe and have multiple sister corps
or corps they've merged with or acquired. These corps have their own domains and
IT depts.
That's not how AD is supposed to be - that's merely
the procedures are different depending on your AD infrastructure - and as
also pointed out by Eric, multi-domain forests have particular challenges,
mostly related to users being in groups in the other domains of the forest
(e.g. Universal Groups or Domain Local Groups). If you're in a single
Deji,
you'll have to go into more details of your test setup. Does multi-DC mean
more than one DC in the forest (which could also be one per domain), or does
it mean each domain has more than one DC in your lab? You won't see some of
the issues with just one DC per domain. Also, are these DCs
of. Turn that around and repopulate
groups in each domain naming context.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, March 19, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?
Adding the UPN suffixes to the list of alternate UPNs will
enable configuration of TLN restrictions (Top-Level Name restrictions) for
forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the
available UPN suffixes of the trusted forest incl. the stored alternate UPNs
domain?
I've used LDIFDE to clone a directory structure (OUs, groups, users)
before but it's always been a one-shot deal... is there an easier way to
keep the two in synch?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP
look into the MIIS light solution
you mentioned. Thanks! :)
r/
Lou
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, March 19, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure
if your users are in a domain (which I assume) then you can only use a GPO
at the domain level to set a PW policy. All other GPOs ignore PW policies
for the domain accounts.
However, you could set different PW policies for local accounts on machines
and manage these policies via a GPO on an OU.
on
performedWithBestMosterTruckVoice
Sunday, Sunday, Sunday
Domain local vs. Universal
Live at the ad.org memorial auditorium
he he he...
On Mar 18, 2004, at 2:53 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1) wrote:
te blanche access across the entire forest (or at least where you
run domainprep for exchange servers). No real ability to subdelegate by domain
or whatever.
From: [EMAIL PROTECTED]
call it what you want - other programs handle group changes
better, and you have one of them on every client: the people search function,
where you query AD as the Address book. You can use this to change groups
and it will do true LDAP referrals to check for a writeable DC of the applicable
the database, produce reports (Crystal, HTML,
PDF etc.) and also send a script as soon as a program to modify the system
from a remote location.
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
now that's a cool tip - didn't know this (been using * for
years, however, I still like to use it when going down a path such as when I'm
on c: and need to get to a program's directory: cd \pro*\que*\migra*\logs
)
/Guido
From: Kevin Sullivan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 17.
which is why I have an "All Exchange Enterprise Servers" UG
that contains all "Exchange Domain Server" GGs (just like the
DLGs) - I left the other "Exchange Enterprise Servers" DLGs as they are, as
you can't convert all of them to UGs (only one could keep the name) and the
ACE is used by default
- Original Message -
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 4:28 PM
Subject: RE: [ActiveDir] AD SYSVOL folder
MACS (MS Audit Collector System) will do all of that for
you and likely much more efficient than what you'd do yourself (and more secure
as well) - should be released soon (I think with 2003 SP1)
/Guido
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 16 March 2004 19:18
To:
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 11, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Groups
fully agree on most of what you've said (except I
they could analyse the policies, but that won't usually help them for an
attack (I think). But they could also open the policy files and keep them
open to hinder replication, which could bite you.
-Original Message-
From: EN [mailto:[EMAIL PROTECTED]
Sent: Monday, 15 March 2004 22:56
ia scripts or use third party reporting
tools that support ACL level reporting
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: 10 March 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Groups
delete one by one an
you can pound on FRS as much as you want, it's definitely
gotten better over time and is suitable for what it was meant to
do. Don't forget it's a replacement for the NT replicator, mainly
used to replicate small, more-or-less static files used during logon and GPOs.
However,
Title: Transitive Access through a trust with NT 4.0
perfect explanation, even with your limited experience
;-)
he may still want to use the NT4 account in the transition
phase after the migration.
/Guido
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Thursday, 11 March 2004
you've probably configured ADMT to migrate the groups with the users -
don't do this. ADMT can't migrate any built-in or default group (like Domain
Admins), especially when using SIDhistory, so this could be the reason
migrating the users belonging to this group will fail.
First migrate groups,
delete one by one and see who screams
;-)
or go through a terrible audit of your whole IT environment
to see which groups are used on which resources on any joined or trusted part of
your AD infrastructure. Welcome to the
downsides of the DACL (Discretionary Access Control List) model,
the helpfile for 2000 is correct (GSNW is included in 2000)
and so is the helpfile for 2003 (GSNW is not available for 2003)
not nice, but that's the way it is.
you'll have to use a 2000 box if you want to use the function
/Guido
-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL
it's not too long ago that Stuart Kwan mentioned something along the lines of:
if he could go back in time, Exchange wouldn't store its data in the
config container... I'm sure he wished they'd have had application
partitions and maybe this Program Data container before ;-)
-Original
really depends on the app and how it is related to security
in the enterprise - similar to what Eric said rgd. ADAM: "But if you don't need
them (independent Schema/DSA), don't go with it. Let's not over-engineer the
solution."
I wouldn't want app specific data, which is very much
related to
only glanced over this thread - tough to read it all in a minute ;-)
however, I don't think it mentions, that Win2k3 has actually reduced the
compression ratio over the benefit of less CPU usage on DCs. I.e. the
compression is now not as good as it was in 2000 (can be changed back to the
2000
Would you believe we did not have to open the firewall between the
resource server and the domain controller in the opposite forest?
Michael Parent MCSE MCT
Analyst I - Web Services ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
"GRILLENMEIER,GUI
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Sunday, March 07, 2004 1:04 AM
To: [EMAIL PROTECTED]
Subject: RE
thanks Joe for the heads up - haven't had this one myself, however, I wonder
what you're using today to monitor replication of your AD? I suspect you'd
have had similar replication issues with the European partition all along -
no?
Or was the bad data on a multivalued attribute of a printer
changes to groups,
after these start replicating the linked values (members) of groups
separately, instead of the whole multivalued attribute as it's done in 2000.
I just wonder, how many other apps will have similar issues...
/Guido
-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany
in time ;-)
-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Friday, March 05, 2004 5:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory
Al, I think it's appropriate to explain a little more, to
avoid
ed by a volcano that came out of nowhere... How do we make
sure we can recover.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Se
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 04, 2004 2:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Dire
will only be good for restoring the DC hardware, but
depending on your setup won't be sufficient to fully recover accidentally
deleted objects.
I've worked with Aelita on this whitepaper to discuss the
potential issues:
On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 03, 2004 3:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory
Excellent - I've previously always worked by defining a
group's Member attribute instead - it's clear now, how MemberOf should make the
difference...
However, the following restriction is still not so cool:
"Restricted Groups policies
for the same group do not merge across GPOs. The
there isn't a simple answer to this, as it depends on
multiple factors
- the domain model within your forests and the trusts that
you've setup between the two
- the SP level of 2000
(and it works quite a bit differently once you have 2003
forests)
but as a start: when you are _accessing_ a
would be good to know some details on this. I've done a bit of testing on
2003 machines, as one of the things that was also supposed to work was the
addition of various restricted groups, if you wanted to add different
groups at different levels in your OU (another nice to have...). Couldn't
get
is the DC used for other things that you'd like to recover on the server?
If not, I would definitely chime into Al's suggestions = don't restore it
(if another DC is available), instead install a new OS and re-promote it.
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Much to my dismay ???
GPUpdate works like a charm and is much less to type! So I've been more
than happy with it for quite a while now (and 'much to my dismay' I still
have to use the old method on some 2k boxes ;-))
-Original Message-
From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent:
Title: Extended Rights
Although I totally agree with what Nicolas said on the
topic of how to go at managing Delegation (better to use tools or scripts), I
would simply not suggest to implement the role at all which you're planning on
setting up.
You don't want other people but those who
Title: RE: [ActiveDir] DNS Permissions
This is possible, however, the users must be local admin on
the clients they're using the DNS MMC on. Especially if you're running 2003, you
should then be fine by granting them read-only permissions on the respective DNS
zone object in AD. Win 2000 has
does the DC still boot up at all in DC-mode? with Win2k SP4 you get the
same DCPROMO /forceremoval switch as you have with Win2k3. That would be
the preferred method to remove AD.
Otherwise you could still clean it up manually, however with your routine,
you'd likely also kill the other apps.
how much are you willing to pay? :-)
in general
- concentrate on preparing the schema update (E2K conflicts etc)
= read Q325379: How to Upgrade Windows 2000 Domain Controllers to Windows
Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
- pitfalls are very specific to
even if you don't like it, the PDC of the NT4 Domain and the PDC emulator of
the AD Domain have to reach each other via NetBIOS name resolution (which is
usually achieved by WINS). After you've configured this, you shouldn't have
an issue setting up the trust.
This can be achieved by
1.
Hello Rich,
yes, Kerberos uses DNS for identity checking, but only when
you require mutual authentication - e.g. it's used between DCs to ensure they
only replicate with trustworthy machines. It's also used if you've trusted a
machine for delegation.
This will also become important, if
2000 Domain or Forest
http://support.microsoft.com/Default.aspx?kbid=309628
~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, February 19, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema changes between
the
simplest way to get what you want is to do a schema dump before and after
ADPREPing a 2000 AD - you can then do a simple file compare with WinDiff and
voila, you'll get all the changes. I'd use CSVDE to dump the classes and
attributes.
csvde -f classes.txt -d
Title: RE: [ActiveDir] Site Configurations and SMS2003
sites are also used to
- locate the closest DFS root server or share (if you have
created replicas)
- pick GCs that an Exchange Server will use for lookups and
tells clients to use as the GAL
- allow printer location tracking
and
Title: AD Protected groups
"We don't want AdminSDHolder to
inherit permissions - MS don't recommend this. We just want Server Operators to
inherit permissions (directly or indirectly)."
you shouldn't want to use the Server Operators group at
all to assign permissions on DCs - this group
switching to native doesn't change the security model
(other than allowing you to do new things, such as the creation of universal
security groups and leveraging SIDhistory).
Apps would have failed already, after you've
inplace-upgraded your NT4 domain to 2000 and at this
what version OS are we talking about? and are
these the only domains in your forest - i.e. this domain is also the forest
root?
and I guess we are assuming that you're using AD
integrated DNS for this domain only (and as such the DNS zone data exists on all
DCs) - right?
Roger makes an important point - shouldn't forget that
clients can "use" the DHCP server to hijack the DC's address simply by
registering the same name (MS DHCP servers will happily overwrite their own name
record in DNS, if configured to register clients' names in DNS
!!!)
SID always changes when moving objects
Even between Domains in same AD forest. Only GUID would stay the same in
this case (which is enough to keep the user-profile on Win2000 / XP client -
although there are some limitations). If you're in native mode, you'd at
least keep the old SID in the
I'm pretty sure this was the same as in Win2000 = 14
days prior to expiry
/Guido
From: Rosales, Mario [mailto:[EMAIL PROTECTED]
Sent: Monday, 9 February 2004 16:39
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Password Expiration
I know
that this is an AD List but I was
if it was the only DC, you don't need to worry about restoring anything
authoritatively (or do a primary SYSVOL restore)... - just restore
systemstate, and you should be fine. May have to re-create connection
objects to other DCs in the forest (and be sure to synch the time first)
/Guido
more likely the missing GC than DNS, when you're local on the box. So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.
/Guido
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
.. This solution may solve one problem, but I think it
will also cause other points of attention
Regards,
Jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Monday, February 02, 2004 09:39
To: [EMAIL PROTECTED]
Subject: RE
be a great opportunity for
overall data corruption and confusion. :o)
I need more time to play with things like that. :op
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Monday, February 02, 2004 3:39 AM
Bob pointed out all there was to say to the original post, but some useful
information to add in the whole DC-failover scenario is how long a DC itself
waits before calculating additional connection objects, in case the
original replication partner doesn't react and it needs to look for another
Jorge,
are all of these stale objects in the same (or few) OU(s)? If so, I wonder
what would happen if you now delete these empty OUs on a DC of DOM_B
(if they're not really empty, it may be worth moving whatever objects they
contain to a different OU first)?
This change will obviously
realize an important change in 2003 rgd. the last logon/logoff/bad pw...
attributes: they are replicated between DCs in 2003, while in 2000 (like
NT4) they are only stored locally on each DC as we all know.
I.e. in 2000/NT if you want to find the true last logon time of a user, you
have to query
This will be interesting for many folks on this
list:
http://biz.yahoo.com/bw/040128/285921_1.html
/Guido
we're using it very successfully and yes, there are various advantages:
- I agree, limitation of replication would be the main thing, but it is
often overlooked that the benefits are not only rgd. replication within a
domain = today each DNS record is not only replicated to every DC in the
domain,
ner is a writeable NC in the forest, and
available on all DCs. But, by DN - is anchored at the root,
yes?
-rtk
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Saturday, January 24, 2004 4:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [Active
the configuration container is not in the root - it's a
writable naming context on any DC in the forest (obviously it is created when
you create the root).
one more minor correction: Child DAs do have the
permissions to create connection objects on DCs in their own domain (to
replicate
] On Behalf Of Free, Bob
Sent: Thursday, 22 January 2004 01:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help, file locked
GRILLENMEIER,GUIDO (HP-Germany,ex1) mailto:[EMAIL PROTECTED]
wrote:
or openfile.exe from the Win2k3 Reskit...
I remember the old Novell openfile.exe but there isn't one
ctional level Active
Directory in native mode? Or mixed 2000/2003 in 2000 functional
level? Seen any documents that say otherwise that you could pass
along?
Al
-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, Januar
on anything older than XP.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thu 1/22/2004 4:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
or openfile.exe from the Win2k3 Reskit...
-Original Message-
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Monday, 19 January 2004 23:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help, file locked
handle usually always comes through for me-
You do have to calculate an additional 15-20% of DIT space
on your 2000 DCs during the upgrade of a forest to 2003 (assuming the current
2000 DIT doesn't contain a load of whitespace). This is mainly due to the
fact that ADPREP adds various additional permissions on objects
using a FW drive, you may run into issues with available drivers to allow
you to copy the data without first re-installing an OS on the box. There
are some cool free utilities (such as a disk cloner) that you may want to
look at - but I have no idea if they support drives connected via FW:
included proprietary or protected information. This message and the
information contained herein are not to be further communicated without my
express written consent.
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 10, 2004 5:13 PM
To: [EMAIL
it basically means: store the password in such an unsafe way that it can be
read by other sources... unless you have a really important requirement for
this, it's nothing that you'd want to do.
-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Monday, 12.
you'll want to apply your GPOs for the library computers in loopback mode
(depends on other requirements if you choose to go for merge or replace) -
this way you can use the settings of the library computer to override the
same IE settings that come from other User related GPOs.
/Guido
2003 has SID-Filtering turned on by default for any
external trusts to and from the domain - i.e. access with SID-History should work
fine as long as the resources you're accessing are on servers that are members of
the 2003 forest.
you can turn off SID-Filtering - this should resolve your
12. re-join all your Win2000/XP/2003 clients + servers to the new domain as
their secure channel will have likely been broken (unless you had previously
configured all AD DCs to run in NT4Emulator mode)
13. re-create all your OUs and delegation permissions that you had
previously set on them
14.
] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, January 07, 2004 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights
Hello Todd - a couple of thoughts:
0. when you move computer accounts
from one domain to another, the local file system or the local user profile do
NOT need to be re-ACLed (provided that the account domain doesn't change)
= as the user can continue to use the same user-id he will keep
yeap, MemberOf (backlink) is system-owned and Member (forward link) is
editable by an admin. Looks different when you're using UIs like ADUC,
where you open the MemberOf tab of a User and add groups to the user =
in fact you're adding the user to the group's Member attribute and the
Backlink to
just analyse the pwdLastSet attribute of the accounts - how about using the
PW age policy to force users to change the PW... (although this is always
difficult for accounts that hardly logon interactively - i.e. remote users)
- that's why we send out automated eMails to remind users of an upcoming
meant to say VPN and Wireless Access for clients but it was
getting late.
Thanks.
Todd
-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer
.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Tuesday, January 06, 2004 2:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Wierd issue with security descriptor reverting on
replication
I also tend
Title: Windows 2000 Security Log Rights
That's where something like MACS comes in (MS Audit
Collector Service) - should be available shortly after SP1 for 2003 (but will
also collect security logs from 2000 machines). Your auditor will then be
able to access all collected security event logs
agreed, blocking the tools won't help a bit - the users will already get
quite far simply by using the built-in Find People feature (with Look in
set to Active Directory) and there are many other powerful LDAP browsers for
easy download. With Win2k clients you could also easily browse through the
yes, the adminSDHolder is good for these kinds of surprises, but the main
reason it exists is that you don't accidentally grant a downlevel
group/user enough permissions to reset the PW on a highly privileged
account - thus compromising security.
You should definitely go with the separate admin
Title: Raise domain/forest function level, any caveats?
you should be fine to perform the switch on DC1 - the main
thing is to wait for the domain-level change to replicate prior to changing the
forest functional level (FFL). However, it seems like you only have a single
domain (which is
and with 2003 you can change the name of the DC afterwards to match the
retired DC's name...
/Guido
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 6 January 2004 16:38
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Upgrading the only DC in a domain to
the only DC in a domain to new hardware
I didn't think that worked if Exchange was in the mix...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, January 06, 2004 11:23 AM
To: [EMAIL PROTECTED]
Subject
with the special
character in
the name.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Tuesday, January 06, 2004 6:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Wierd issue
agreed - one of the most confusing things with multi-tree single forests
(which is one of the reasons I prefer multi-forest single domains
instead...)
check DNS - ensure that DC1 of corporate.company1.com can resolve the
corporate.company2.com DNS zone and vice versa. Also check that your DCs
nope, that's with 500 members (by default) to limit the
amount of time it takes the UI to display the list of users. Usually ADUC
goes and fetches the enabled/disabled status of each user when displaying the
users in the list (showing the white x in a red circle on the user-icon for