RE: [ActiveDir] Application Log Event Errors
Thanks for the reply.

I am only getting the error on the DC. I have two DCs with the FSMO roles divided. The DC that I am getting the errors on is the one configured to be the RID Master and PDC Emulator. The DCs are both Win2K3. All workstations in the building are Win2K Pro with the exception of one WinXP Pro machine that I am testing for potential upgrades to the existing Win2K Pro machines.

I thought that it was because of the test WinXP machine with reference to KB #810907, but I powered it down, cleared the event logs and waited. The error returned again. So I feel that it should be safe to rule this out. But the article does reference MS Office. I asked a separate question in a different thread about *.pst files and roaming profiles. Could the use of *.pst files and the error below be related?

I did read an article (I can't remember which one) on the dfsutil /purgemapcache but I was confused by it because I did not see the switch as an available option when running dfsutil /?. I tried to run it anyways and received an error:

Unrecognized option purgemapcache
System error 87 has occurred.
The parameter is incorrect.

Edwin.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, June 24, 2004 2:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Application Log Event Errors

Edwin-

Where exactly are those errors appearing? On the DC or the clients that are processing GPO? Also, what version of DC are you running and what version of client? The dfsutil /purgemupcache will work on Server 2003 DCs only.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, June 24, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Application Log Event Errors

I am getting numerous errors in the Application Event logs that are provided below.

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Windows cannot access the file gpt.ini for GPO cn={4A2B990D-CE94-4AF6-BB85-5521AAEEE954},cn=policies,cn=system,DC=mydomain,DC=com. The file must be present at the location \\mydomain.com\SysVol\mydomain.com\Policies\{4A2B990D-CE94-4AF6-BB85-5521AAEEE954}\gpt.ini. (Access is denied. ). Group Policy processing aborted.

According to the error the system cannot find the gpt.ini file in the path \\mydomain.com\SysVol\mydomain.com\Policies\{4A2B990D-CE94-4AF6-BB85-5521AAEEE954 because permission is denied. NTFS permissions on the directory have not been modified. The permissions defined on the directory mentioned above are:

Authenticated Users: Read & Execute, List Folder Contents, Read
Creator Owner: Special Permissions
Domain Admins: Full Control
Enterprise Admins: Full Control
Enterprise Domain Controllers: Read & Execute, List Folder Contents, Read
System: Full Control
Primary DC: Read & Execute, List Folder Contents, Read
Secondary DC: Read & Execute, List Folder Contents, Read

I have read KB Article #810907 but I would rather not install a Hotfix if not absolutely necessary. Has anyone else experienced this? If so, were you able to remedy the error without the Hotfix? If so, how?

Thank you.
Re: [ActiveDir] Sarbannes Oxley compliance
Instead of doing a runas on explorer.exe do it on iexplore.exe (Internet Explorer) and then just point the URL to the filesystem. You can't do this from the Start menu but it works rather well on the Quick Launch bar.

You can also paste this text into a registry file, modify the account parts and run it. Then when you right-click on an object you get lots more options than just runas.

Windows Registry Editor Version 5.00

; Context-menu verbs for .exe files. Replace domain, adminAccount and
; username with your own accounts before importing.
[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\Run as Domain Administrator]

[HKEY_CLASSES_ROOT\exefile\shell\Run as Domain Administrator\command]
@="runas /user:domain\\administrator \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\Run as Administrative User]

[HKEY_CLASSES_ROOT\exefile\shell\Run as Administrative User\command]
@="runas /user:domain\\adminAccount \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\Run as Unprivileged DomainUser]

[HKEY_CLASSES_ROOT\exefile\shell\Run as Unprivileged DomainUser\command]
@="runas /user:domain\\username \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

From: Fugleberg, David A [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 24 Jun 2004 08:53:02 -0500
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sarbannes Oxley compliance

One of the issues there seems to be that admins are used to managing files and setting NTFS permissions via Explorer...as far as I know, you can't just start up a new explorer with Runas. I suppose they could use CACLS from a command prompt, but most want a GUI. So I'll add that to Mark's original question...how do y'all approach that if you use separate 'admin' accounts for your admins?

Dave
RE: [ActiveDir] Security
As much as it's a 3rd party utility you might want to take a look at something like NetIQ's Security Manager or DRA or App Manager. Any of these have the functionality that you are looking for.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: 10 June 2004 18:51
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at least have that operation audited, is there any way to perform this with GPO or something built into win2k server.

Thanks,
Aaron Visser

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
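Added example, not part of the list posts: the built-in route to the question above is the "Audit account management" audit policy on the domain controllers, which writes a Security event each time a member is added to or removed from a security group. The Python below scans an export of those events for changes to privileged groups and reports members that were added and never removed again; it goes beyond Domain Admins to the other high-privilege groups. The pipe-delimited export format, the account names and the group list are constructed for illustration.

```python
"""Added example: flag membership changes to privileged AD groups in an
exported Security log. The pipe-delimited export format is an assumption."""
import csv
import io
from collections import namedtuple

# Account-management events for security-enabled groups (Windows 2000/2003).
# Windows Server 2008 and later log the same events with 4096 added to the ID.
ADDED = {632: "global", 636: "local", 660: "universal"}
REMOVED = {633: "global", 637: "local", 661: "universal"}
MODERN_OFFSET = 4096

# Groups whose membership should stay at the bare minimum.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins",
                     "schema admins", "administrators"}

Change = namedtuple("Change", "when action scope group member caller")

# Constructed sample: time|event id|target group|member|caller
SAMPLE_EXPORT = r"""
2004-06-25T08:10:00|632|Domain Admins|MYDOMAIN\jdoe|MYDOMAIN\alice
2004-06-25T08:12:00|528|-|MYDOMAIN\jdoe|-
2004-06-25T09:00:00|660|Enterprise Admins|MYDOMAIN\bob|MYDOMAIN\alice
2004-06-25T09:45:00|661|Enterprise Admins|MYDOMAIN\bob|MYDOMAIN\alice
2004-06-25T10:00:00|632|Helpdesk|MYDOMAIN\carol|MYDOMAIN\alice
2004-06-25T11:30:00|4728|Domain Admins|MYDOMAIN\svc-backup|MYDOMAIN\dave
"""


def classify(event_id):
    """Return (action, scope) for a group-membership event, else None."""
    legacy = event_id - MODERN_OFFSET if event_id > MODERN_OFFSET else event_id
    if legacy in ADDED:
        return "added", ADDED[legacy]
    if legacy in REMOVED:
        return "removed", REMOVED[legacy]
    return None


def privileged_changes(export_text):
    """Parse the export and keep only changes to privileged groups."""
    changes = []
    for row in csv.reader(io.StringIO(export_text), delimiter="|"):
        if len(row) != 5 or not row[1].strip().isdigit():
            continue  # blank or malformed line
        when, raw_id, group, member, caller = (field.strip() for field in row)
        kind = classify(int(raw_id))
        if kind and group.lower() in PRIVILEGED_GROUPS:
            changes.append(Change(when, kind[0], kind[1], group, member, caller))
    return changes


def standing_members(changes):
    """Members added during the log window and not removed again."""
    standing = {}
    for change in sorted(changes, key=lambda c: c.when):
        key = (change.group.lower(), change.member.lower())
        if change.action == "added":
            standing[key] = change
        else:
            standing.pop(key, None)
    return sorted(standing.values(), key=lambda c: c.when)


if __name__ == "__main__":
    found = privileged_changes(SAMPLE_EXPORT)
    for c in found:
        print(f"{c.when} {c.action:7} {c.group} <- {c.member} (by {c.caller})")
    for c in standing_members(found):
        print(f"STILL A MEMBER: {c.member} in {c.group} since {c.when}")
```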
RE: [ActiveDir] Sarbannes Oxley compliance
Why can't you start explorer using runas? Shortcut to the desktop for explorer.exe. Shift+Right-click, runas, etc...

What about term services? You can always go that route as well if it's sensitive data.

We have the separate accounts as a best practice vs. a compliance issue. The best practice came first. With minor exceptions, it works fine to date. YMMV due to particular cultural and infrastructure changes, but that's going to be for any change as far as I'm concerned.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, June 24, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sarbannes Oxley compliance

We try to maintain a least privilege model, and are in the process of tightening down further. 'Best practices' that you often read about suggest each admin have a 'break glass' kind of administrative account separate from their 'day-to-day user' account. We're moving in that direction.

One of the issues there seems to be that admins are used to managing files and setting NTFS permissions via Explorer...as far as I know, you can't just start up a new explorer with Runas. I suppose they could use CACLS from a command prompt, but most want a GUI. So I'll add that to Mark's original question...how do y'all approach that if you use separate 'admin' accounts for your admins?

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, June 23, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sarbannes Oxley compliance

I'm curious what, if any, changes to everyday administration the folks on this list are making in preparation for Sarbannes Oxley compliance. Specifically, is anyone making a conscious effort to remove daily admin rights from people whose job it is to do domain administration, in favor of a "break the glass when needed" type of philosophy? I'm just starting to look into this, but I'm getting the feeling some companies are going overboard. Any observation from the group is always welcome...

Mark Creamer
RE: [ActiveDir] Windows 9x Clients
domain mode (mixed or native) has nothing to do with it. This is often confused: the domain mode (or in 2003: domain and forest functional level) only determines which type of DCs are allowed to be used in a domain - this then determines the features available in the domain (e.g. an NT4 DC cannot work with Universal Security Groups, or a 2000 DC has no clue what Link Value Replication is, etc.).

However, a mode change does NOT change the protocols available for clients/users to authenticate. So if you can authenticate in mixed mode, you can also authenticate in native mode.

Realize that there are other settings, which may prevent a Win9x client from logging onto a 2003 domain = by default 2003 domains require SMB signing and secure channel encryption, which is not supported by the legacy clients until you add the AD DS clients to them... (or turn off the new security requirements in the DC policy, which is NOT the recommended way).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Freitag, 25. Juni 2004 02:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 9x Clients
Sensitivity: Private

Yes. We have clients that do it all the time. Win2K native mode and we did not use the AD client.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Thursday, June 24, 2004 4:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 9x Clients
Sensitivity: Private

I am going to ask a really stupid question so bear with me. I want to confirm because I am getting the opposite information from my coworker - can windows 9x and NT clients authenticate against an AD DC in native mode without the ADCE client installed? (I know that you will be authenticating in ntlm v1 without adce though)

Thanks!

Kind Regards,
Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA 18915
RE: [ActiveDir] Sarbannes Oxley compliance
We customarily use terminal server to connect to the server we want to modify, then logon with administrator credentials. If you connect to a DC, then you have AD tools available as well. Since email, IIS, etc. are not installed on servers, the opportunity for compromising the system is minimized.

- Jeff M.

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, June 25, 2004 07:00
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Sarbannes Oxley compliance

Why can't you start explorer using runas? Shortcut to the desktop for explorer.exe. Shift+Right-click, runas, etc...

What about term services? You can always go that route as well if it's sensitive data.

We have the separate accounts as a best practice vs. a compliance issue. The best practice came first. With minor exceptions, it works fine to date. YMMV due to particular cultural and infrastructure changes, but that's going to be for any change as far as I'm concerned.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, June 24, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sarbannes Oxley compliance

We try to maintain a least privilege model, and are in the process of tightening down further. 'Best practices' that you often read about suggest each admin have a 'break glass' kind of administrative account separate from their 'day-to-day user' account. We're moving in that direction.

One of the issues there seems to be that admins are used to managing files and setting NTFS permissions via Explorer...as far as I know, you can't just start up a new explorer with Runas. I suppose they could use CACLS from a command prompt, but most want a GUI. So I'll add that to Mark's original question...how do y'all approach that if you use separate 'admin' accounts for your admins?

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, June 23, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sarbannes Oxley compliance

I'm curious what, if any, changes to everyday administration the folks on this list are making in preparation for Sarbannes Oxley compliance. Specifically, is anyone making a conscious effort to remove daily admin rights from people whose job it is to do domain administration, in favor of a "break the glass when needed" type of philosophy? I'm just starting to look into this, but I'm getting the feeling some companies are going overboard. Any observation from the group is always welcome...

Mark Creamer
RE: [ActiveDir] OT: Exchange archiving
Sure are. There are also different classes such as those that you purchase and those that are service based such as IronMountain's offering for those that don't want the infrastructure/management associated. Depends on what you need to do and how much you want to invest in terms of time and money. I usually suggest doing this in house, but for small shops this may not make sense due to the up-front costs. Long-term, it can be more cost-effective to have this in-house if scaling up.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Thursday, June 24, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange archiving

There are several archiving tools for Exchange that might be able to do this. A few that I am aware of are:

KVS
EAS
Legato

I'm sure there are others as well.

Denny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Thursday, June 24, 2004 11:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Exchange archiving

Passo, Larry wrote:

Since there have been several Exchange topics here recently, I wanted to ask another question. I'm looking for an add-on for Microsoft Exchange 2000 that can automatically archive emails based on a list of keywords. Archiving should be automatic for all in-bound or out-bound traffic.

I don't know such tool (maybe some filtering tool like GFI or NetIQ has it) but simple script with SMTP Sink will do this job very well in my opinion

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
Re: [ActiveDir] OT: Exchange archiving
http://www.microsoft.com/exchange/evaluation/compliance.asp includes information about several archiving products that integrate with Exchange.

----- Original Message -----
From: Passo, Larry
To: [EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 11:42 AM
Subject: [ActiveDir] OT: Exchange archiving

Since there have been several Exchange topics here recently, I wanted to ask another question. I'm looking for an add-on for Microsoft Exchange 2000 that can automatically archive emails based on a list of keywords. Archiving should be automatic for all in-bound or out-bound traffic.

TIA
RE: [ActiveDir] DNS Issues - ipconfig /flushdns
When you do a ipconfig /displaydns what is the TTL for the incorrect values?

From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 9:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues - ipconfig /flushdns

It takes 2-3 days..

From: Passo, Larry [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 8:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues - ipconfig /flushdns

When you say it always shows old ip address how long are you waiting? If you try to resolve the hostname immediately after the box gets a new ip, it is perfectly normal for the other boxes to have the old address cached. It can take up to 10 minutes for the local caches to flush.

From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 7:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issues - ipconfig /flushdns

When we moved desktop from one location to another location (let's say from subnet 18 to subnet 19) and if we try resolve Hostname with IP address, it always shows old IP address. If we do ipconfig /flushdns, then only it gets new information.

This definitely something wrong in DNS. Is something I need to change in DNS?

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-4062600 Extn : 3119 Vnet : 23119
[ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6
I have to turn on the Enable Integrated Windows Authentication under Advanced options in IE6 on some 400+ desktops. Does anyone know what the registry key this is? I would like to create an ADM file and use a GPO to turn this on for all the desktops at once. I can't seem to find where it's set though. Any help is greatly appreciated.

Mike
Re: [ActiveDir] Stubborn PTR record
Could this be an issue with DHCP?

http://support.microsoft.com/?kbid=837061

Tony

Sent: Donnerstag, 24. Juni 2004 20:23
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Stubborn PTR record

Not sure if this is OT:

I have two Windows 2003 Servers running AD Integrated DNS. I added a static host record for a printer a while back which I have not been able to delete. I can delete the entry from the forward lookup zone, but every time I delete the ptr record it reappears as soon as I hit refresh. The entry in the flz does not reappear. I haven't been able to find anything on TechNet or Google, but I also do not have the best search abilities. Any suggestions are greatly appreciated.

Sent via the WebMail system at mail.activedir.org
[ActiveDir] Enterprise Admin members
I'm after a list of tasks that can only be performed by an Enterprise Administrator and not by a domain admin in the forest root. eg Authorise a DHCP server.

In general terms, what does everyone do with their Enterprise Admin membership? I'm wondering if it should have any members at all on a day-to-day basis and users only added temporarily when an Enterprise Admin task crops up, what do you all think?

Also, is anyone aware of any application service accounts that require Enterprise Admin rights?
RE: [ActiveDir] Enterprise Admin members
Anything that goes outside the scope of a domain

1. Authorize a DHCP server
2. Create sites
3. Create a subnet object
4. Assign subnet objects to sites

Of course, the above tasks could be delegated

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 25, 2004 8:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enterprise Admin members

I'm after a list of tasks that can only be performed by an Enterprise Administrator and not by a domain admin in the forest root. eg Authorise a DHCP server.

In general terms, what does everyone do with their Enterprise Admin membership? I'm wondering if it should have any members at all on a day-to-day basis and users only added temporarily when an Enterprise Admin task crops up, what do you all think?

Also, is anyone aware of any application service accounts that require Enterprise Admin rights?
RE: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableNegotiate
DWORD value 1
0 is off

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Friday, June 25, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6

I have to turn on the Enable Integrated Windows Authentication under Advanced options in IE6 on some 400+ desktops. Does anyone know what the registry key this is? I would like to create an ADM file and use a GPO to turn this on for all the desktops at once. I can't seem to find where it's set though. Any help is greatly appreciated.

Mike
[ActiveDir] SSL exchange
Hi,

I want to SSL on our webmail function in exchange. I found some info about it on the Microsoft site but it doesn't get me further. When I turn it goto directory security at default website and follow the wizard there, it finally waits for processing a pending certificate request.

Do I have to buy a request? Can't I issue one myself? I looked up the certificates in mmc. But that isn't really clear to me.

Some help would be appreciated.

Gr Jorre
RE: [ActiveDir] SSL exchange
You can issue your own or purchase one. I would suggest purchasing one if you are dealing with multiple platforms. VeriSign offers a free 14-day certificate, which takes about 5 minutes to sign up for (because I type slow), seconds to receive the mail with the certificate, and seconds to process the pending request. There are also various other companies out there, some of which will give you a certificate for free.

And remember, the higher the encryption, the more overhead the CPUs will be processing. Also, 40-bit encryption is the max you can use if the information is traveling outside the US.

http://www.freessl.com/resources/install/starterssl/exchange-owa.html
http://www.petri.co.il/configure_ssl_on_owa.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Friday, June 25, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SSL exchange

Hi,

I want to SSL on our webmail function in exchange. I found some info about it on the Microsoft site but it doesn't get me further. When I turn it goto directory security at default website and follow the wizard there, it finally waits for processing a pending certificate request.

Do I have to buy a request? Can't I issue one myself? I looked up the certificates in mmc. But that isn't really clear to me.

Some help would be appreciated.

Gr Jorre
RE: [ActiveDir] SSL exchange
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320291 [Exchange 2000]
http://support.microsoft.com/default.aspx?scid=kb;en-us;327800
http://support.microsoft.com/default.aspx?scid=kb;en-us;555126

Implementing and Maintaining the Outlook Web Access S/MIME Control [Part of Security Hardening Guide]
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx

Client Access:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/cliaccgde.mspx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Friday, June 25, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SSL exchange

Hi,

I want to SSL on our webmail function in exchange. I found some info about it on the Microsoft site but it doesn't get me further. When I turn it goto directory security at default website and follow the wizard there, it finally waits for processing a pending certificate request.

Do I have to buy a request? Can't I issue one myself? I looked up the certificates in mmc. But that isn't really clear to me.

Some help would be appreciated.

Gr Jorre
RE: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6
Thanks Bob. Just curious where did you find this information?

Mike

-----Original Message-----
From: Free, Bob [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 25, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableNegotiate
DWORD value 1
0 is off

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Celone, Mike
Sent: Friday, June 25, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6

I have to turn on the Enable Integrated Windows Authentication under Advanced options in IE6 on some 400+ desktops. Does anyone know what the registry key this is? I would like to create an ADM file and use a GPO to turn this on for all the desktops at once. I can't seem to find where it's set though. Any help is greatly appreciated.

Mike
Re: RE: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6
http://support.microsoft.com/default.aspx?scid=kb;en-us;299838
http://support.microsoft.com/default.aspx?scid=kb;DE;308074

jerold has a batchfile to turn it on from a script at www.jsiinc.com/SUBK/tip5000/rh5068.htm

----- Original Message -----
From: Celone, Mike [EMAIL PROTECTED]
Date: Fri, 25 Jun 2004 15:54:43 -0400
Subject: RE: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6
To: [EMAIL PROTECTED] [EMAIL PROTECTED]

Thanks Bob. Just curious where did you find this information?

Mike

-----Original Message-----
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Friday, June 25, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableNegotiate
DWORD value 1
0 is off

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Friday, June 25, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Turn on Integrated Windows Authentication in IE 6

I have to turn on the Enable Integrated Windows Authentication under Advanced options in IE6 on some 400+ desktops. Does anyone know what the registry key this is? I would like to create an ADM file and use a GPO to turn this on for all the desktops at once. I can't seem to find where it's set though. Any help is greatly appreciated.

Mike
RE: [ActiveDir] Enterprise Admin members
some more

5. trigger replication of config/schema partition between DCs of different domains
6. trigger replication of domain partition to GCs of other domains
7. manage replication topology at the forest level
8. create child domains
9. add any new objects to the config container (e.g. for special applications)
10. restore any cross-domain links (such as group-memberships) in a recovery scenario
11. ability to manage all objects (e.g. users, groups etc.) in any domain
12. ability to locally logon or TS to any DC in the forest
13. managing Application Partitions

there should be no service accounts that require membership in EA to do their work. Unless you have an app that performs any of the listed activities in an automated fashion, which isn't what I'd recommend to do (i.e. if you're auto-creating sites + subnets, then it would be worthwhile to delegate this to a special group and make the service account a member of this group).

rgd. your approach to leave the EA group empty until required: this is an approach I definitely recommend for the Schema Admin group, as its permissions are very limited in scope and are not required very often. Doing the same thing with EA really depends on how you currently manage AD and how willing you are to adjust some of the default security to delegate the required permissions for the most frequent of the tasks listed (e.g. 1,5,6,11,12).

Also realize, if you would do the latter (delegate permissions for some of the most frequent tasks where EA is required), then you're basically introducing another group with great power over your forest, which may not be as well protected as the EA itself. And if you don't delegate these tasks, then I'm afraid you'll find yourself adding a user to EA very often. Maybe too often for comfort; maybe up to a level of certain frustration...

At last, every Domain Admin is basically an Enterprise Admin (or could become one, no matter which domain in the forest - should be clear what I mean). So whatever you do, keep the members in DA restricted to the same bare-minimum possible as your EA members.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Freitag, 25. Juni 2004 17:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enterprise Admin members

Anything that goes outside the scope of a domain

1. Authorize a DHCP server
2. Create sites
3. Create a subnet object
4. Assign subnet objects to sites

Of course, the above tasks could be delegated

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 25, 2004 8:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enterprise Admin members

I'm after a list of tasks that can only be performed by an Enterprise Administrator and not by a domain admin in the forest root. eg Authorise a DHCP server.

In general terms, what does everyone do with their Enterprise Admin membership? I'm wondering if it should have any members at all on a day-to-day basis and users only added temporarily when an Enterprise Admin task crops up, what do you all think?

Also, is anyone aware of any application service accounts that require Enterprise Admin rights?
[ActiveDir] ScriptLogic
We are migrating from Netware 5.1 to AD and are looking at Scriptlogic to replace our Novell logon scripts. Any opinions about Scriptlogic would be appreciated. Thanks Nathan