RE: [ActiveDir] moving server local groups to AD?

2007-01-25 Thread Grillenmeier, Guido
ADMT (even in V3) doesn't support this directly, however, you can still use it to do the re-ACLing if you want, since you can feed it with a list of SID mappings. You would still have to perform the bulk of the work yourself, which would be to re-create matching groups in AD and to add the

RE: [ActiveDir] Add or Remove Programs GPO

2007-01-25 Thread Grillenmeier, Guido
What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins. /Guido

RE: [ActiveDir] Add or Remove Programs GPO

2007-01-25 Thread Grillenmeier, Guido
in it. Otherwise I would be blocking myself and that's just the point I don't want... Thanks, Bart On 1/25/07, Grillenmeier, Guido wrote: What other things did you change in the same or other GPOs that apply to the machine you're logging on as admin

RE: [ActiveDir] Who needs that much ram anyway?

2007-01-17 Thread Grillenmeier, Guido
So you might have had a bit too much of the Microsoft Kool-Aid :) Exchange 2007 may not have memory limits that you'd reach - but there are limits as to what makes sense to use with E2k7 (32GB are being communicated by MSFT). And of course there are limits as to how much memory a 64bit OS

RE: [ActiveDir] OT: Sorta... AD and the 3/07 Time Change

2007-01-02 Thread Grillenmeier, Guido
Happy New Year to you too :-) Mexico hasn't joined in, which is why it's a bit of a hassle if you have machines in Mexico as well: right now they use the same time zone as used in the US [(GMT-08) Tijuana, Baja California]. But since they're not jumping on the time zone change track, MSFT will

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Grillenmeier, Guido
Why would you want to modify the change password rights on your OUs? That doesn't make sense to delegate: unlike password reset, it's the right that only allows you to _change_ the password if you know the old one... So this is typically what the rights the users would need to change the PW on

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Grillenmeier, Guido
That's a legacy group from NT4 that you shouldn't leverage in an AD environment. In fact, you should remove it from the default security descriptor of your user and group objects to keep your AD clean from unused ACEs. /Guido

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Grillenmeier, Guido
Not putting any users in the groups is basically the same effect as removing them from an operational perspective. If you don't have a user in the group, nobody has the rights to change things that only these groups have rights to. That's probably what your mgmt wants to achieve. You'd then

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Grillenmeier, Guido
I don't - I like leveraging the capabilities of AD and this is something where it can perform quite well. That's not true for other things you can delegate, such as creation of objects, where you might really want to add a business logic. These actions are often combined these days with

RE: [ActiveDir]Groups

2006-12-21 Thread Grillenmeier, Guido
We have a tool that does this (although this is not its main feature), but it's not free. It's actually a backup tool of all links in your AD forest (i.e. all domains in the forest). As we store all of these in an SQL DB, we can easily run reports on group-nesting across the whole forest,

RE: [ActiveDir] OT: Let's see how many wrong things are in this web site

2006-12-20 Thread Grillenmeier, Guido
They're mixing up different statements and rephrasing them to their advantage - it is true that SBS doesn't support a second SBS DC in the same domain/forest (as every SBS has to hold all FSMOs), but another non-SBS server can act as a second DC in the SBS forest just fine. /Guido

RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Grillenmeier, Guido
This is a common procedure, but realize that it will still not completely isolate replication - forced replication will still go through (i.e. in and out of the 'schema mod' site). You may not do the forced replication yourself, but if some other friendly administrator chooses to do so in order

RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Grillenmeier, Guido
From: Grillenmeier, Guido Sent: 17 November 2006 11:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to completely isolate a DC? This is a common procedure, but realize that it will still not completely isolate replication - forced

RE: [ActiveDir] Applying Permissions to 'cn=Schema' Container

2006-11-10 Thread Grillenmeier, Guido
I certainly support joe's second solution: don't delegate this. As with some other suggestions described in the Delegation Guide (which overall is very useful), you shouldn't implement every role just because you can. Your AD infrastructure will not be in any danger if the Schema FSMO

RE: [ActiveDir] OT for those in California

2006-11-10 Thread Grillenmeier, Guido
Nope, there weren't any updates on hypervisor during WinConnections - at least none I heard of. So this info is actually quite useful. Did they actually demo it at VMworld? Or just talk about it? Thanks Mark for sharing. /Guido

RE: [ActiveDir] OT: M$

2006-11-10 Thread Grillenmeier, Guido
Ah - now I see - that must be their back-door to access every system Windows is running on ;-)

RE: [ActiveDir] Change default User-Account-Control behavior

2006-11-02 Thread Grillenmeier, Guido
Well, the tabs and even the user account creation dialog in AD can be extended, it's just not an easy task to do for the normal administrator. Some dev-work with C programming would be involved. I'm not aware of mechanisms to extend the UI or dialogs for local accounts. /Guido

RE: [ActiveDir] sysvol replication

2006-10-19 Thread Grillenmeier, Guido
Yes, not only for Win2k, but also for Win2k3 (won't change until you deploy Longhorn and switch to LH DFL) /Guido --- sent wirelessly using iPAQ 6900

RE: [ActiveDir] sysvol replication

2006-10-19 Thread Grillenmeier, Guido
Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido Sent: Thu 2006-10-19 19:25 To: ActiveDir@mail.activedir.org Subject: RE

RE: [ActiveDir] OT: File Server Permissions Design Question

2006-10-12 Thread Grillenmeier, Guido
ABE won't necessarily reduce the number of groups you need to control access, although it certainly controls the visibility for those that don't have any rights to specific data in your shares. Your approach is a very common approach and certainly nothing unusual. Not sure how you get from 15

RE: [ActiveDir] Forest trust divestitures

2006-10-11 Thread Grillenmeier, Guido
else not asking the right question(s). I'm curious if that's the case? If so, is there more information to be aware of in this scenario that can be shared? On 10/10/06, Grillenmeier, Guido wrote: Al, what risk has been assumed? You're

RE: [ActiveDir] Forest trust divestitures

2006-10-10 Thread Grillenmeier, Guido
If I were the security officer for Company B, I would have real issues with this plan. Most companies with sufficient understanding of AD Security would not want any of their DCs placed in any location where the other company's network is still active (i.e. DCs from company A and

RE: [ActiveDir] Forest trust divestitures

2006-10-10 Thread Grillenmeier, Guido
idea. I had intended to bring up a test forest to dry-run the migration in company A environment, but I didn't follow the train of thought through to suggest that the actual migration be done to that forest, and moved to the target company. On 10/10/06, Grillenmeier, Guido

RE: [ActiveDir] OT: wikis

2006-10-10 Thread Grillenmeier, Guido
So, where would the ant be 5 seconds after the box started to tumble, assuming it walks at 1 inch per hour (really slow ant). I'd really like to know :-)

RE: [ActiveDir] what is the meaning of OT in front of the subject

2006-10-05 Thread Grillenmeier, Guido
While this thread is OT, I'd actually consider your example to be right on-topic ;-) /Guido

RE: [ActiveDir] Single forest with two domain trees to splut up.

2006-10-05 Thread Grillenmeier, Guido
The DomainB that you want to split off still needs the root domain (DomainA) to work. So you can't just say screw DomainA and cut it off. You'll need at least 1 (2 for redundancy) DCs of DomainA to remain in the site you wish to split off. No problems to get rid of DomainB in the site that

RE: [ActiveDir] Forest trusts

2006-10-05 Thread Grillenmeier, Guido
It will, but it is a solvable problem. You'll also have some headaches for the trust itself, but that's where the nifty Win2003 features such as Name Suffix Routing and Top Level Name Restrictions come into play. /Guido

RE: [ActiveDir] forest disaster recovery plan.

2006-09-26 Thread Grillenmeier, Guido
Microsoft is working on an updated Forest Recovery guide for Windows Server 2003, however, the basic procedures for full forest recovery are still the same as you'd have to do for a Windows 2000 AD forest. And for the latter a guide already exists:

RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Grillenmeier, Guido
Common question. It's fairly difficult to extend ADUC with a new tab that allows you to edit the attributes you want, but it's fairly easy to add a context menu (e.g. when right-clicking on a user account) to start a script that would pop up a dialog box and allow you to enter the appropriate

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-20 Thread Grillenmeier, Guido
Not commenting on the elevation of rights strategies - should be clear by now that it is simple once you know what you're doing (and Google will help you and your enemy) But a quick comment on using domains as a replication boundary due to the following statement: Replication wise, the Global

RE: [ActiveDir] OT: WinRE

2006-09-18 Thread Grillenmeier, Guido
Well, it will basically sit in between everything - you boot into this environment and then you're able to restore your OS or parts of it, including AD. The whole backup mechanism has been rewritten in LH and WinRE is the environment used for recovery. Unsure at this time if you'll actually be

RE: [ActiveDir] Handling different schemas - managing maintaining updates

2006-09-14 Thread Grillenmeier, Guido
The AD schema analyzer is quite useful for comparing schemas to find missing attributes and classes (and to export them to LDIF so as to allow an import to the target schema).  Note however, that it doesn’t find differences at the level of properties you have set for your schema

RE: [ActiveDir] Isolating a DC

2006-09-14 Thread Grillenmeier, Guido
Agree, isolating by site is often confused with requiring a separate subnet and thus extra efforts on the networking infrastructure. That's actually not the case. You can create your AD site and just assign it a 32bit masked IP address as the subnet if the other sites are properly

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Grillenmeier, Guido
Are we actually talking blocking GPO inheritance, or ACL inheritance? If GPO I tend to agree with Darren (as with anything on GPO :-)), as I don't think that any change in either the Default Domain or the Default Domain Controller policy should be implemented without testing (so if

RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-14 Thread Grillenmeier, Guido
Yep, that was Win2k – once you’ve reached Win2k3 domain functional level, you can start adding another name to your DC, make it primary, reboot, ensure everything replicates well and registers in DNS,

RE: [ActiveDir] Seperate Administrator password policy

2006-09-02 Thread Grillenmeier, Guido
a big fan of illogical hacks to help out less-clueful admins. From: Grillenmeier, Guido Sent: Thursday, August 31, 2006 7:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Seperate Administrator password policy Agree

RE: [ActiveDir] Seperate Administrator password policy

2006-09-02 Thread Grillenmeier, Guido
From: Grillenmeier, Guido Sent: Saturday, September 02, 2006 2:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Seperate Administrator password policy Eric, can you already state publicly what the chance of this feature is to make it into Longhorn, if at all

RE: [ActiveDir] Seperate Administrator password policy

2006-08-31 Thread Grillenmeier, Guido
Agree, a separate domain is certainly a very high price to pay; it'll cause ongoing headaches with very little benefit. Other companies add requirements for smartcard logons for Admins or also solve it via organizational rules as mentioned by ZV. I've heard of plans to allow setting

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Grillenmeier, Guido
That would be the Audit Collector Services (ACS) - been in Beta forever and due to internal struggles they couldn't release it for free. AFAIK, ACS is still planned to be a part of MOM. The Longhorn Eventsystem is a completely different story - can handle many more events (incl. great filtering

RE: [ActiveDir] Seperate Administrator password policy

2006-08-31 Thread Grillenmeier, Guido
Don't think that auto-disabling them when they don't follow your organizational rules is too harsh. They will be certain to follow the rule in the future.

RE: [ActiveDir] AD Site replication settings/costs

2006-08-31 Thread Grillenmeier, Guido
For Win2000 AD that's quite a common approach. Really depends on how many domains you have and how you've placed your DCs of these domains. /Guido

RE: [ActiveDir] Printers AD GUI

2006-08-28 Thread Grillenmeier, Guido
I forget if this is unique to SBS's AD setup or what. but any network attached printer will automatically get attached to each workstation that is set up with the /connectcomputer wizard I'm pretty sure this is unique to SBS - at least I would hope - nothing like adding thousands of

RE: [ActiveDir] Read-Only Domain Controller and Server Core

2006-08-28 Thread Grillenmeier, Guido
Publishers,CN=Users,DC=X CN=Enterprise Admins,CN=Users,DC=X CN=Schema Admins,CN=Users,DC=X CN=krbtgt,CN=Users,DC=X -Nathan Muggli RODC Program Manager

RE: [ActiveDir] management of group policy links (GPMC)

2006-08-23 Thread Grillenmeier, Guido
The GPMC scripts include the ListSOMPolicyTree.wsf script which at least creates a useful text report of which GPOs are linked to which OUs (and sites). Combine this script with the BackupAllGPOs.wsf and the GetReportsForAllGPOs.wsf to be well prepared to restore GPOs (and then link them back to

RE: [ActiveDir] management of group policy links (GPMC)

2006-08-23 Thread Grillenmeier, Guido
Yep - but I'd also run the GetReportsForAllGPOs.wsf script during your backup job - these reports are very useful to discover what may have changed in a GPO after the last backup... /Guido

RE: [ActiveDir] Exclude from GPO

2006-08-23 Thread Grillenmeier, Guido
Nope, you'll have to either create a second GPO without the setting and apply appropriate filters to both so that only one GPO is applied to your special set and the other GPO to all others. Or you trim your existing GPO so that it is more generic (i.e. it doesn't contain the unwanted

RE: [ActiveDir] management of group policy links (GPMC)

2006-08-23 Thread Grillenmeier, Guido
No, in case you screw up a GPO (vs. deleting it by accident) there's no need to first delete and then restore the backed-up GPO. The values won't be merged - the existing one will be completely overwritten. /Guido

RE: [ActiveDir] UAC Question

2006-08-21 Thread Grillenmeier, Guido
Adding a dummy workstation will hinder the user to logon interactively – this could be all you want to achieve. But it won’t hinder network logons – this may be undesired. Another thought – if the users aren’t really using their AD account, couldn’t you just change the

RE: [ActiveDir] Authoritative Restore problems

2006-08-04 Thread Grillenmeier, Guido
Mike, can you be a little more specific about the steps that you took to do your restore? This should work fine using the ntdsutil - authoritative restore - restore object Cn=test user, ou=it,dc=mycorp,dc=com command. Obviously provided you previously took a backup, rebooted to DSRM mode

RE: [ActiveDir] Admt Migration question.

2006-08-04 Thread Grillenmeier, Guido
Nice one... :-) BTW, I didn't know GOWAN was still around - used to make great music when I still lived in Canada ;-) /Guido

RE: [ActiveDir] Authoritative Restore problems

2006-08-04 Thread Grillenmeier, Guido
Thanks, Mike From: Grillenmeier, Guido Sent: Thursday, August 03, 2006 11:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Authoritative Restore problems Mike, can you be a little more specific about the steps

RE: [ActiveDir] Vendor Domain

2006-08-04 Thread Grillenmeier, Guido
and Exchange, that only works a little bit. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: Grillenmeier, Guido Sent: Thursday, July 20, 2006 2:32 PM To: ActiveDir

RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-08-02 Thread Grillenmeier, Guido
? /Guido -Original Message- From: RM Sent: Wednesday, August 02, 2006 6:32 AM To: Grillenmeier, Guido Cc: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become? On Tue, 1 Aug 2006 18:29:24 +0100, Grillenmeier

RE: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-08-01 Thread Grillenmeier, Guido
Well, at least Darren posted another mail regarding security by obscurity, which this is. It's just like removing the Domain Admins group from the local administrators group on member servers to secure the member server. Just because many of those domain admins don't know why they may be

RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-08-01 Thread Grillenmeier, Guido
on employees so everything goes into the GAL which means everything goes into AD. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: Grillenmeier, Guido Sent: Friday, July 28, 2006

RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-08-01 Thread Grillenmeier, Guido
, GPOs, OUs, computer objects etc user count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model. On 8/1/06, Grillenmeier, Guido wrote: Richard

RE: [ActiveDir] Read-Only Domain Controller and Server Core

2006-07-31 Thread Grillenmeier, Guido
to suck bits of the AD into an ADAM for kind of the same purpose as an ROGC would perform? I may be totally babbling now. RE: [ActiveDir] Read-Only Domain Controller and Server Core From: Grillenmeier, Guido Date: Sat, 29 Jul 2006 17:14:51 +0100 Al, that's

RE: [ActiveDir] Read-Only Domain Controller and Server Core

2006-07-31 Thread Grillenmeier, Guido
Not sure if it makes sense, but this could potentially be combined with the confidential flag: RODCs wouldn't cache any confidential attributes, unless a Confidential Data Caching Policy would allow them to do so. The confidential flag is already used by the Digital Identity Management

RE: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?

2006-07-31 Thread Grillenmeier, Guido
We thought to upgrade the DCs first because it takes care of the extension of the schema and all which has to be done prior to EXCH2K3 anyhow. The upgrade of the DCs does not take care of the schema extension; you'll have to prepare your schema as a separate step prior to being able

RE: [ActiveDir] Read-Only Domain Controller and Server Core

2006-07-29 Thread Grillenmeier, Guido
From: Grillenmeier, Guido Sent: Friday, July 28, 2006 1:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core Could be worth to note that an RODC can also be a DNS server for the respective BO. As it is designed for one

RE: [ActiveDir] Read-Only Domain Controller and Server Core

2006-07-29 Thread Grillenmeier, Guido
Only if your sister's name is Cindy ;-)

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-29 Thread Grillenmeier, Guido
easier to put back together and very simple to work out who has access to what. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: Grillenmeier, Guido Sent: Tuesday

RE: [ActiveDir] Migration without domain admin rights possible?

2006-07-28 Thread Grillenmeier, Guido
On 7/27/06, Grillenmeier, Guido wrote: you can migrate most objects from the source even without admin rights to them - the default auth. user already has plenty of permissions to read most attributes you would care to migrate. You could still set up password

RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-07-28 Thread Grillenmeier, Guido
Assuming this is after defrag, 650MB without Exchange is quite a large AD; guess you'd be close to 100k users in your forest, if you've used the standard attributes of the objects in AD (and haven't added stuff like thumbnail

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-28 Thread Grillenmeier, Guido
To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ldp in ADAM-SP1 Guido, which changes do you want to see in dsacls in B3? -Original Message- From: Grillenmeier, Guido Sent: Tuesday, July 25, 2006 6:22 AM To: ActiveDir

RE: [ActiveDir] Read-Only Domain Controller and Server Core

2006-07-28 Thread Grillenmeier, Guido
Could be worth noting that an RODC can also be a DNS server for the respective BO. As it is designed for one-way replication from a writeable DC, it does not allow direct dynamic updates of DNS records that are requested to be updated by clients that use the RODC as a DNS server (same is

RE: [ActiveDir] Migration without domain admin rights possible?

2006-07-27 Thread Grillenmeier, Guido
you can migrate most objects from the source even without admin rights to them - the default auth. user already has plenty of permissions to read most attributes you would care to migrate. You could still set up password migration without giving them domain admin privs to your source domain

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-25 Thread Grillenmeier, Guido
I guess Matheesha's original question has been answered as well as it can be for now with the information given. I just quickly want to comment on the 3rd party tool aspect joe is mentioning below - naturally, before spending considerable money on the tools, you'd need to test if they do what you

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-25 Thread Grillenmeier, Guido
, the kind words, hugs Control-H,Control-H,Control-H,Control-H,Control-H, etc... On 7/25/06, Grillenmeier, Guido wrote: I guess Matheesha's original question has been answered as well as it can be for now with the information given. I just quickly want to comment on the 3rd party

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-25 Thread Grillenmeier, Guido
Control-H,Control-H,Control-H,Control-H,Control-H, etc... On 7/25/06, Grillenmeier, Guido wrote: I guess Matheesha's original question has been answered as well as it can be for now with the information given. I just quickly want to comment on the 3rd party tool

RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Grillenmeier, Guido
hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to

RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Grillenmeier, Guido
just to be clear: step 3 (R2 adprep) is NOT needed at all if you build a new forest - you're not doing an upgrade here. Whenever you do an upgrade, you do NOT change the TSL. The documentation is wrong as the TSL is always the hardcoded value of 60, if the value is "not set". If you've

RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-23 Thread Grillenmeier, Guido
I don't have a lot of experience yet with x64 DCs but my gut says that assuming you have enough RAM to cache the entire DIT and you aren't constantly rebooting the DC or doing things that force the cache to be trimmed, the disk subsystem is really only going to be important for writes (which

RE: [ActiveDir] 64bit Windows

2006-07-23 Thread Grillenmeier, Guido
Renaming the thread due to change of focus topic I've been doing quite a bit with my own 64bit notebook (using WinXP x64) in the past few weeks and I do have to say that there are plenty of little surprises. Many of which don't play a role for servers, which are used with a much lesser

RE: [ActiveDir] Domain Trusts.

2006-07-23 Thread Grillenmeier, Guido
t; any more :) On 7/22/06, Grillenmeier, Guido wrote: you might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to del

RE: [ActiveDir] 64bit Windows

2006-07-23 Thread Grillenmeier, Guido
doesn't have a released 64 bit client for a 64 bit Windows and you have to set them up as securenat clients. adoption by vendors has not occurred. Grillenmeier, Guido wrote: /Renaming the thread due to change of focus topic/ I've been doing quite a bit with my own 64bit notebook

RE: [ActiveDir] Domain Trusts.

2006-07-23 Thread Grillenmeier, Guido
first item... On 7/23/06, Grillenmeier, Guido wrote: because the objects that need to go in that domain really do need to get out of our current user environment. Matt, this doesn't yet sound to me like administrative isolation. Really depends

RE: [ActiveDir] Vendor Domain

2006-07-22 Thread Grillenmeier, Guido
Will the application run off of an ADAM instance instead of a full blown forest? That was going through my mind as well - why would the vendor want to use a NOS AD for his application? Again, there must be some reason for this. joe makes great points rgd. the support issues of an

RE: [ActiveDir] Domain Trusts.

2006-07-22 Thread Grillenmeier, Guido
you might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to

RE: [ActiveDir] Vendor Domain

2006-07-20 Thread Grillenmeier, Guido
I think everyone would be conceptually opposed - would be good to hear the vendor's reasoning for this. What does the app do? What benefit do you have from running their app in a separate (single domain) forest? I can think of many downsides, but if the app is supposed to protect really

RE: [ActiveDir] Forest trust - domain drop down list

2006-07-14 Thread Grillenmeier, Guido
yes Tony, this is standard behaviour - you'll only see domains that are directly trusted. Trust type doesn't matter. Even though a forest trust will be transitive to all child domains by default, you'll have to use UPN to authenticate to a child domain. Which is another reason why empty

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
of is new to me, and another one of those slight, interesting changes, so thanks for that. Can you elaborate on this new behaviour? What, exactly, happens and in what order? --Paul - Original Message - From: Grillenmeier, Guido To: ActiveDir@mail.activedir.org Sent

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
several fixes related though and that behavior might have changed several times. On 7/14/06, Grillenmeier, Guido wrote: I'd have to do some more digging as to *why* the duplicate app-partitions were created, but I've had to troubleshoot this prior to SP1

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
just found the description of the error and the pre-SP1 hotfix to the duplicate DNS app-partitions issue: http://support.microsoft.com/kb/836534/en-us From: Grillenmeier, Guido Sent: Friday, 14 July 2006 20:34 To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Always point a DC

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
a tendency to wreak havoc with integrated dns zones when a dc would come up and create a new zone and then replicate that. There were several fixes related though and that behavior might have changed several times. On 7/14/06, Grillenmeier, Guido wrote: I'd have to do some more

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Grillenmeier, Guido
note that DNS startup behaviour changes with SP1, which is another reason not to choose the DC itself as the preferred DNS server: with SP1, AD will not allow the DNS service to read any records, until it has successfully replicated with one of its replication partners. This is to avoid false or

RE: [ActiveDir] AD Sites Rename

2006-07-13 Thread Grillenmeier, Guido
not a problem for AD or most apps that use it - potentially an issue with scripts that use hardcoded names. Clients will fail to find their DC that they've last used and will need to do a generic DNS query prior to finding the renamed site again. Usually no big deal. If your DFS root

RE: [ActiveDir] Object Auditing

2006-07-13 Thread Grillenmeier, Guido
I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD-specific auditing software such as NetPro's ChangeAuditor AD and Quest's InTrust for AD. You may also want to disable drag & drop in your forest,

RE: [ActiveDir] Windows 2003 sp1 DNS problem

2006-06-29 Thread Grillenmeier, Guido
I wasn't aware that this was a change in SP1, but it sounds as if StrictNameChecking is enabled on your server after you've added SP1 (http://support.microsoft.com/default.aspx?scid=kb;en-us;281308). You can disable it in general by configuring the DisableStrictNameChecking reg-key as the KB

RE: [ActiveDir] NTDS.DIT Size

2006-06-29 Thread Grillenmeier, Guido
1.7GB for 250.000 users is pretty small already - I guess you don't use Exchange for messaging or use extremely few attributes of your objects in AD. With the steps outlined by Ulf you should get a fair idea on how much whitespace you currently have, however, you shouldn't expect to have

RE: [ActiveDir] Deny permissions in AD

2006-06-28 Thread Grillenmeier, Guido
... because there could be other explicit rights on the objects further below in the tree that do allow viewing all kinds of objects and properties. For example: Authenticated Users. Unless you've removed these rights, it is likely that if you search for objects in the OU (if it has

RE: [ActiveDir] Servers or Workstations

2006-06-21 Thread Grillenmeier, Guido
servers first? workstations first? first what? I assume you're talking about migrating your servers and workstations from an NT4 domain to an AD domain - correct? If so, the order strongly depends on various aspects, such as the status of your user and group migration and how you handle

RE: Re: [ActiveDir] Errors During Authoritative Restore

2006-06-21 Thread Grillenmeier, Guido
glad Brett picked up on analysing the different errors you were getting - I've not seen these before. Curious to hear what type of issue you are testing to recover from? From what you write, I gather you are testing to restore your production domain to another (hopefully physically

RE: [ActiveDir] can I exclude a particular user account from authenticated users?

2006-06-21 Thread Grillenmeier, Guido
same question here: there's nothing you can really do to control the addition of specific SIDs to the security token of any account during logon - the Authenticated Users SID is one of those (besides many other well-known security principals controlled by the system). But if you tell us

RE: [ActiveDir] How to block particular Subjects

2006-06-21 Thread Grillenmeier, Guido
not until you send us your resume ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar Sent: Wednesday, 21 June 2006 08:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How to block particular Subjects Hi all, I just wanna know, is it possible

RE: Re: [ActiveDir] Errors During Authoritative Restore

2006-06-21 Thread Grillenmeier, Guido
"Isn't this what you want?" yes and no - it really depends on what you're trying to achieve. Josh was trying to do a complete AD DR - not a recovery of a failed DC. For a failed DC you'd want it to replicate the other changes after a successful (non-auth) restore. But if you want to

RE: [ActiveDir] Servers or Workstations

2006-06-21 Thread Grillenmeier, Guido
unchecked 5. Migrate Servers using the Security Translation Wizard and then the Computer Migration Wizard. john -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, June 20, 2006 11:48 PM To: ActiveDir@mail.activedir.org

RE: Re: [ActiveDir] Errors During Authoritative Restore

2006-06-21 Thread Grillenmeier, Guido
yep, that's it - no need to perform the auth restore of AD in your scenario From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman Sent: Wednesday, 21 June 2006 17:56 To: ActiveDir@mail.activedir.org Subject: RE: Re: [ActiveDir] Errors During Authoritative Restore

RE: [ActiveDir] Cross forest issue

2006-06-15 Thread Grillenmeier, Guido
Mike, as others have mentioned, users and groups from externally trusted domains can only be added to domain local groups (DLG) in another forest. This is by design for any type of trust that you establish. If all you're trying to do is to manage the member servers in your DMZ with the

RE: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Grillenmeier, Guido
just in case you've not yet proceeded with any of your actions: a trust is not a requirement to migrate your users and do the profile updates on the clients or in fact to migrate objects from one domain to another. You can work just fine with passthrough-authentication instead (i.e. using
