Title: DC GPO not applying event log settings
Sorry, Win2k/SP4 all current patches
applied.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, July 20, 2004 8:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DC GPO not applying event log
yeah, also not sure what's going on, honestly don't know where 2 begin, help
is appreciated.
rgds
cyrus
Thommes, Michael M. writes:
Cyrus, your email address is showing up using our mail server too! Maybe some weird email configuration using localhost?
Mike Thommes
-Original
Are you using outlook?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 10:16
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] two ops
yeah, also not sure what's going on, honestly don't know where 2 begin,
help
is appreciated.
rgds
cyrus
Title: Message
As I understand it... You have lost a DC which
held roles and you want to get them onto another server?
If you
can quickly and get the old DC back then do that and transfer the roles..
else...
1) Seize the lost roles from one of the other domain controllers
using NTDSUTIL -
Title: Message
Well, we have lost that DC, but I think
it'll be easier to bring back new DC instead and rebuild the old one as a
W2K3 member server. It is running few important applications things
that are inconvenient to run on Domain Controller. And since we've accidentally
got such an
Title: DC GPO not applying event log settings
You might want to enable verbose security policy logging
to see if it shows something. Here's the info on enabling
it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;245422
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
I have always renamed the default Administrator account on
every system build I have performed for security reasons.
I did the same on the domain but was then scolded by a more
experienced AD Administrator. The reason given to me was because there are
parts of AD that authenticate or
Title: Message
2000
security/authentication revolves around the SID. I have always
renamed the admin account, on a PC and domain level and have never had an issue.
I would sensitively ask your 'more' experienced colleague for an example of
which "other areas may use the Administrator
Anything that specifically uses the domain Administrator account by name should be
taken out and shot.
You should have no problems with renaming the account.
Here's something from Microsoft which suggests (as you do) that it would be a best
practice.
Title: Message
The
standard best practice IS to rename the Administrator account, no matter what
level it is (i.e., local Administrator, Domain Administrator). Yes, there
are some programs that refer to the account name. Those are mostly hacker
programs from what I've learned. You DON'T
there's no issue renaming it - in 2003 you can actually
disable it to make the environment more secure (but caution - this is the only
account that doesn't get locked when you have configured a lockout threshold in
your PW policy)
/Guido
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Excellent! Thank you everyone for your
replies. I was concerned about the information that I got but I wasn't
in a position to question it since I honestly was not 100% sure.
Now, I believe I have some good ammunition
for a good argument.
Thank you Tony for that URL.
This list
Anything that specifically uses the domain Administrator account by
name should be taken out and shot.
LOL!!!
Edwin, you are obviously the more experienced AD administrator. I
think that is one of the very first things to be taught in AD courses.
A true experienced AD admin should know that.
Lana,
Bring the new DC online and seize the roles. As long as the old server
will not be brought back online, you can seize the roles without any
problem. Check out
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504 which
describes this process.
Denny
-Original Message-
I have a terminal
server farm that is in a separate subnet, but in the same site as
two DCs. The subnet for that farm is correctly defined in AD, associated with
the same site as the two DCs. We're noticing that those terminal servers
frequently authenticate on one of two remote DCs rather
Title: RE: [ActiveDir] Summer Maintenance
I think you can use Unicast instead of
Multicast in the newer versions of Norton Ghost. It goes slower but it won't
bog down the network. Also, make sure your hop count is set correctly.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Does anyone know of a way to get a DOS network boot diskette to
authenticate in a windows 2003 AD domain short of disabling the
following on the DC's local policy?
Domain Member: Digitally encrypt or sign secure channel data (always)
Microsoft network server: Digitally sign communication
Title: Message
Have you checked your srv records in DNS for the site?
Rob
-Original Message-
From: Creamer, Mark
[mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 14:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] client terminal servers using remote DCs
I have a terminal
Title: RE: [ActiveDir] Summer Maintenance
I concur (from experience) use the
UNICAST option (From the GHOST CAST SERVER - FILE/OPTIONS) you should be ok.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004
9:37 AM
To:
I believe that you would need to do one of the following.
Either enable LanMan authentication, enable netbios over TCP/IP, disable
Security Options under Settings, Local Policies, Security Options:
Microsoft Network Server and Microsoft Network Client: Digitally sign
communications = disable.
Or
I could be wrong, but you're likely looking
for this:
http://msdn.microsoft.com/library/default.asp?url=
Which takes you to: http://tinyurl.com/674d2 and an example
in vb.
Al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, July 20, 2004 4:00
Title: Message
I see srv
records in several places in DNS, and I'm not sure I know what you're
referring to
Under
[domain]/_tcp I see:
2 records for _kerberos (for the two remote DCs)
2 records for _kpassword (for the 2 remote DCs)
4 records for _ldap (for each of the 4 DCs, two local,
Title: Message
I built an Exchange server at
one site and shipped to another site. In AD Sites and Services, I thought I had
deleted it. But this server is under two sites and I can't delete it from the
first site. I get the error "The DSA object cannot be deleted." Any suggestions
on the
Is there a way to tell via vbs?
Thank you,
Mitch Lawrence
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill
[contractor]
Posted At: Tuesday, July 20, 2004 1:21 PM
Posted To: ~AD Discussion~
Conversation: win2k pro or server?
Subject: RE:
Title: Message
Under [domain]/_sites/[my site]/_tcp I
see:
2 records
for _ldap (for the two LOCAL DCs)
I would expect to see Kerberos and GC
(assuming you have a GC in the site) records under this site. Well at least
Kerberos... hmm.
If you do a ipconfig /registerdns on
of the DC's.. do
Title: Message
It does tell you the time you logged
into the PC. Very useful tool. I have it scripted into my logon.vbs, using it
to force a background out to the PCs.
For reference (yeah, I know it's probably
ugly, I am by no means a pro vbs scripter):
It may be more than you want but what the heck. I'm not a programmer so
YMMV
Diane
-
On Error Resume Next
Set Network = WScript.CreateObject("WScript.Network")
strComputer = InputBox ("Enter NETBIOS name of computer",
"GetComputerLocation In AD",
sounds like groups with hidden group-memberships, where the
Exchange store process kindly "screws-up" the ACLs of the groups for you =
Exchange puts the ACEs in a non-canonical order, which basically allows an Allow
ACE (for the Exchange Enterprise Server group) to be listed before the
Deny
Thanks that did the trick.
Nick
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, July 21, 2004
9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty
Group Lists
sounds like groups with hidden
Title: Message
Noticed a small error (wouldn't
have noticed it until we changed the background image).
Error shown in red below.
Thank you,
Mitchell D. Lawrence
Director, Network Administrator
ITS Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph:
Can anyone suggest best books for someone
who needs to get a very strong understanding of ADAM.
Thanks,
Sonya
I haven't seen any books myself. It could use one
though :)
Here's some online information though that may be
helpful. http://tinyurl.com/lkqp
Al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 1:05 PM
To: [EMAIL
Clyde,
Check out www.bootdisk.com. Under the Network boot disks give Barts a shot.
It's pretty good and customizable.
Dave
--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805)
I posted on this topic before but I think I can explain the issue more
clearly now...
If I use the /S switch of DSACLS to restore the ACLS of an object back
to the default as defined in the schema, the object no longer inherits
auditing entries. The simplest test to observe this is:
1. create a
Hi,
Can you share your experiences about how to restrict access to event viewer to
only one group? local and remote access?
Thks.
Would a book on AD be a good start?
Mulnick, Al
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/21/2004 10:18 AM
Please respond to
[EMAIL PROTECTED]
To
'[EMAIL PROTECTED]'
[EMAIL PROTECTED]
cc
Subject
RE: [ActiveDir] good books
I haven't seen any books myself.
It could
Wouldn't hurt, but it is significantly different.
AD/AM is more of a subset of the same technology (think
what a product would look like if we just took one feature from it and turned it
into its own product after removing the larger product dependencies) and
therefore there are things
Well on the adam home page that Al pointed out is the
Technical Reference document, this is a GREAT document on ADAM, it's really worth
the read, trust me I know I wrote a few articles on ADAM and that document has
pretty much everything you need to know
***Shout out to AL!!!***
Carlos
I have about 200 users setup to connect h: to \\goofy\home\username. I am
moving the data on \\goofy\home\ to \\mickey\home\. Is there a script
laying around somewhere that would allow me to change this path in
everyone's profile at once? It sure would beat doing this manually for
every
Hi James
If you use the AD tools for 2003 you can just bulk select all of the users
at once and make the change.
Regards;
James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]
Hi James,
Hyena (which I think still has a 30 day free trial) does this job
wonderfully. In fact, it will also create the new directories with specified
permissions.
Hope this helps...
Original Message Follows
From: James Payne [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL
You have a very poorly configured mail client. In your
efforts to be as succinct as possible, you've neglected to configure your last
name and full email address. See headers below.
-Brad
Received: with MailEnable Postoffice Connector; Wed, 21 Jul 2004
05:22:40 -0400
Received: from
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm26.mspx
If you need more info, post specifics.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow
Title: Customize Group Permissions
I thought I read somewhere in the MS Server 2003 Deployment Kit under Designing a Managed Environment that it was possible to modify to local pcs group permissions using GP. Has anyone heard of this?
What I'm trying to do is assign Install Printer Drivers to
Title: RE: [ActiveDir] Summer Maintenance
I have word of using sysprep along with Ghost. From
what I have read sysprep is just do the OS and allows for different
configurations. If I am doing a lab that has special software and the same
hardware config, is it not better to just use ghost
Title: RE: [ActiveDir] Summer Maintenance
Yes, just use Ghost and run Sysinternals
NewSID on each pc BEFORE ADDING IT TO THE DOMAIN.
http://www.sysinternals.com/ntw2k/source/newsid.shtml
Jared Manhat
Systems Administrator
Accutest Laboratories
2235 Route 130
Dayton, NJ 08810
Sorry if this is a dup - didn't see it after several hours..
I posted on this topic before but I think I can explain the issue more
clearly now...
If I use the /S switch of DSACLS to restore the ACLS of an object back
to the default as defined in the schema, the object no longer inherits
Let's agree that there is no PDC/BDC concept. Now, if all you want to do is
get your Domain ready for when you will eventually move to 2003, then you
should just run the adprep /forestprep and adprep /domainprep in your domain
and wait. IF you want to get a win2K3 DC into the Domain now, then
If option two doesn't do it, this might be a good starting point (Deji's
option 2)
http://tinyurl.com/5jne3
The code here assumes you already have the userdn. That's easy enough to
get if they're all in the same ou. If not, modify Deji's script -- it'll be
faster.
Once you bind to the user
Do so - at your peril, Sir!
and, while you are at it, don't tell Joe :)
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
Title: OT: Newsgroup Feeds for microsoft newsgroups?
I have stumbled upon a little used feature in my protocols folder. NNTP. Are there any public feeds available for getting the Microsoft newsgroups? I am especially interested in those dealing with vbs, ad, exchange.
TIA
Thank you,
Mitch
msnews.microsoft.com is MS's newsgroup server. Its groups are hosted on
other servers, too.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
DL.ActiveDirectory
Sent: Wednesday, July 21, 2004 17:27
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:
This is my first attempt at answering a question here on the list, but I
believe that I have an accurate answer to the question in this thread. If I
am incorrect, I apologize for any confusion that I may have caused.
200 or so members would be a lot to perform updates on individually but I
would
google to download admodify.net. It's a free tool from MS.
--Brian
-Original Message-
From: James Payne [mailto:[EMAIL PROTECTED]
Sent: Wed 7/21/2004 2:30 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] home directory modifications
NO NO NO. Always always always use sysprep. Sysprep strips other things like SIDs,
which are the machine identifier. For that matter it strips all identifying
information from the PC image. Otherwise you have bunches of problems with duplicate
names, sids, etc.
--Brian
-Original
Please explain the reasoning here. Running newsid does not constitute running sysprep.
--Brian
-Original Message-
From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wed 7/21/2004 4:00 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE:
MSNews, MS' newsgroup folder is locked down so that you cannot pull from it, but, you
might find another server which has a copy to pull from.
--Brian
-Original Message-
From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Wed 7/21/2004 5:26 PM
Unless you have a special relationship with Microsoft, I don't think you'll
be able to pull directly from them. I remember that this was possible in the
good old days of Exchange 5.0/5.5, but I have never been able to leech from
MS since then. It would be wonderful if someone could reveal the new