RE: [ActiveDir] Export Folder Members

2005-09-13 Thread Almeida Pinto, Jorge de
DumpSec http://www.systemtools.com/somarsoft/

Cheers

Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, September 12, 2005 20:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Export Folder Members

Are you looking for something more than cacls?  Cacls C:\  will show
you everyone on its permission tab.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, September 12, 2005 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Export Folder Members

Is there any way to export or print the members of the security tab of a
folder?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

2005-09-13 Thread Nicolas Blank
Don't bother going the clustering route. ISA has a very decent version of NLB
that's built in, and will work in a highly available configuration for a
single route.

Adding clustering to this will obscure and complicate things. Suggest you
stick with the built in NLB, since adjacent Proxy servers can be aware of each
other, and can take on the other box's load transparently.

This has the obvious advantage of taking you into a MS supported
configuration, and allows you to scale out, i.e. NLB, using dissimilar
hardware, as opposed to scaling up and clustering using matched hardware.

My $0.02 worth

From: Phil Renouf [mailto:[EMAIL PROTECTED]
Sent: 13 September 2005 04:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ISA 2004 and Microsoft Cluster Server

The real question here is: Will Microsoft support ISA running under VCS?
That is a question that only Microsoft can answer so I would send that
question to your TAM, or if you don't have a TAM call into PSS and open an
Advisory case to get an answer to the question.

Phil

On 9/12/05, Aramide Adebanjo [EMAIL PROTECTED] wrote:

Hey guys,

Thanks for all these...now let me go a step further...what if a company wants
to consolidate their applications, build redundancy, failover capabilities and
implement clustering as well using Veritas clustering Solution...can ISA be
treated as a microsoft application that can be clustered...?? And if yes..what's
the best way of doing it...apparently not too many companies have toed this
line..but what if it can be pulled off..whatcha ya all think...??
thx

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 12, 2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server 

Clustering and Load Balancing I wouldn't really call a tomato tomoto
thing

Maybe not in the ordinary sense, Brian. But in the ISA 2004 Enterp realm, we
should be able to do that. OR, if you prefer, we can say tomato and
ketchup or something. NLB is the way to go in ISA 2004, and the way
ISA uses NLB (in addition to the new Configuration Storage server
concept), you do indeed have some resilience that is not usually available in
the normal NLB deployments.

The only time I've seen ISA installed in another clustering
configuration outside of NLB is when Rain Wall was used. Of course
I haven't seen every ISA server installation, but I'd wager that NLB is
generally considered the standard clustering solution for ISA 2004.



Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?-anon



From: [EMAIL PROTECTED]
on behalf of Brian Desmond
Sent: Mon 9/12/2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server



Clustering and Load Balancing I wouldn't really call a tomato tomoto thing.
More an apples and oranges thing. Load Balancing is not a fault tolerant
solution, whereas clustering if something breaks everything moves over to
another node... 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Medeiros, Jose
Sent: Monday, September 12, 2005 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Greetings Aramide,

I do not believe that Microsoft ISA server 2004 can be clustered per se using
Microsoft Cluster service. I took the ISA server 2000 & 2004 class and the
MOC stated that the ISA 2004 Enterprise
edition is designed to be load balanced which I believe would solve your issue
( It's just a terminology thing. You say tomato, I say tomoto... ) :-)

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/network_load_balancing_ee.mspx

Jose

-Original Message- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide Adebanjo
Sent: Monday, September 12, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ISA 2004 and Microsoft Cluster Server


Hi guys,

A quick one...does anyone have any idea where I can get documentation on
installing ISA 2004 Standard/Enterprise edition on a Microsoft Clustering
Solution. 

Kindest Regards

RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

2005-09-13 Thread Geldrop, Paul van
Using ISA 2004 in an Enterprise array will fit your needs just fine. You can 
configure NLB from the ISA management console and store the array configuration 
data centrally.
 
Regards,
 
Paul



From: [EMAIL PROTECTED] on behalf of Aramide Adebanjo
Sent: Mon 9/12/2005 11:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server



Hey guys,

Thanks for all these...now let me go a step further...what if a company wants
to consolidate their applications, build redundancy, failover capabilities and
implement clustering as well using Veritas clustering Solution...can ISA be
treated as a microsoft application that can be clustered...?? And if yes..what's
the best way of doing it...apparently not too many companies have toed this
line..but what if it can be pulled off..whatcha ya all think...??
thx

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 12, 2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Clustering and Load Balancing I wouldn't really call a tomato tomoto
thing

Maybe not in the ordinary sense, Brian. But in the ISA 2004 Enterp realm, we
should be able to do that. OR, if you prefer, we can say tomato and ketchup
or something. NLB is the way to go in ISA 2004, and the way ISA uses NLB (in
addition to the new Configuration Storage server concept), you do indeed have
some resilience that is not usually available in the normal NLB deployments.

The only time I've seen ISA installed in another clustering configuration 
outside of NLB is when Rain Wall was used. Of course I haven't seen every ISA 
server installation, but I'd wager that NLB is generally considered the 
standard clustering solution for ISA 2004.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 9/12/2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server



Clustering and Load Balancing I wouldn't really call a tomato tomoto thing.
More an apples and oranges thing. Load Balancing is not a fault tolerant 
solution, whereas clustering if something breaks everything moves over to 
another node...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, September 12, 2005 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Greetings Aramide,

I do not believe that Microsoft ISA server 2004 can be clustered per se using
Microsoft Cluster service. I took the ISA server 2000 & 2004 class and the MOC
stated that the ISA 2004 Enterprise edition is designed to be load balanced
which I believe would solve your issue ( It's just a terminology thing. You say
tomato, I say tomoto... ) :-)

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/network_load_balancing_ee.mspx

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Aramide Adebanjo
Sent: Monday, September 12, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ISA 2004 and Microsoft Cluster Server


Hi guys,

A quick one...does anyone have any idea where I can get documentation on 
installing ISA 2004 Standard/Enterprise edition on a Microsoft Clustering 
Solution.

Kindest Regards

Re: [ActiveDir] Sysvol and AV exclusions

2005-09-13 Thread Brett Shirley

The articles should not be inconsistent.
The 822158 does mention 814263 (see bullet 2).

284947 - is how to detect and diagnose excessive FRS replication.  Noting
it might be caused by Anti-Virus software.  And mentioning how to recover.  
It is not SYSVOL specific, it is FRS specific.  But since SYSVOL is an
FRS share, so it applies to SYSVOL, if this should happen to your SYSVOL.

814263 - is about Anti-Virus programs that are compatible with FRS from a
generic sense.  Again not SYSVOL specific, FRS specific.  You will want
one of these programs to continue on with your configuration of your DC's
Anti-Virus program with 822158.

822158 - Is the penultimate article for DCs and anti-virus software. You
need to scroll over the very poorly formatted table, near the end.  
You'll note some part of the sysvol folder, are to be scanned and other
parts are excluded.  I believe the parts with the actual files (that
people can execute during logon due to policy) are to be scanned.

Let me know if you have any issues, or find my statements inaccurate ...

FYI, it is important to get a good anti-virus program (per 814263) and
configure it correctly (per 822158) to scan your SYSVOL shares, because
I've known a major company to get a virus in its SYSVOL, such that
everyone who logged on would get the virus.  This is very nasty.  The
first thing the admin does to check out such an issue is ... log on to a
DC, which may not have actually been infected with a running copy of the
virus.  If you can get ahold of a virus'd exe, I'd drop it on your SYSVOL
just to check it works.

Cheers,
BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.

On Tue, 13 Sep 2005, Tony Murray wrote:

 Hi all
  
 For a while now, I've been including/excluding Sysvol from AV scans
 based on the recommendations in these articles.
  
 Antivirus programs may modify security descriptors and cause excessive
 replication of FRS data in SYSVOL and DFS
  
 http://support.microsoft.com/?kbid=284947
 
 Antivirus, backup, and disk optimization programs that are compatible
 with the File Replication Service
 
 
 http://support.microsoft.com/kb/815263/
 
 In other words, if the AV software is not FRS-compliant then I exclude
 Sysvol from scans.
  
 However, I recently came across the following article:
  
 Virus scanning recommendations on a Windows 2000 or on a Windows Server
 2003 domain controller
  
 http://support.microsoft.com/kb/822158
  
 This includes a recommendation to exclude Sysvol, but doesn't really say
 why.  The article doesn't make any reference to the KB284947 and
 KB815263 articles, so I don't know whether the recommendations are based
 on that information or new information.
  
 Can anyone clarify the situation for me?
  
 Tony
 



RE: [ActiveDir] Importing user from one domain to another

2005-09-13 Thread Al Mulnick
Yep. You can even have LDIF do it for you if you wanted. ;)
Not sure you have the information you need to create the new users though.  You 
may want to check that. (for example, what are you planning to do about surname 
or passwords or enabled vs. disabled accounts?)
 
Any particular reason why you are creating this on a network that can talk 
to the production network?  I don't know the purpose of this lab, but if you 
want true pre-production lab it might make more sense to use something virtual 
and isolated. It may be that you have that already and this is something 
different for all I know. 
 
Al



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 9/12/2005 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing user from one domain to another


We are setting up our lab as the lab.company.com domain. I have an export of 
our production environment using 

ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"

In the file it references our production domain. Can I just replace that
reference with our Lab domain?
 
Thanks,
 

Holland + Knight
Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP
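
The domain-reference replacement asked about in this thread, as an added example that is not part of the original messages: it rewrites only the entry DNs of an LDIF export from the production naming context to the lab one, handling folded lines and base64 (`dn::`) DNs, and reports anything a blind search-and-replace would have missed. The sample LDIF, the function names and the `DC=lab,DC=company,DC=com` suffix (lab.company.com written as a DN) are assumptions constructed for illustration.

```python
import base64
import re

# Attributes that would carry credentials into the lab if present in an export.
PASSWORD_ATTRS = {"unicodepwd", "userpassword"}


def unfold(text):
    """Join folded LDIF lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def swap_suffix(dn, old_suffix, new_suffix):
    """Return dn moved under new_suffix, or None if dn is not under old_suffix."""
    rdns, old = split_dn(dn), split_dn(old_suffix)
    tail = [r.lower() for r in rdns[-len(old):]]
    if len(rdns) < len(old) or tail != [r.lower() for r in old]:
        return None
    return ",".join(rdns[:-len(old)] + split_dn(new_suffix))


def rewrite_ldif(text, old_suffix, new_suffix):
    """Rewrite entry DNs under old_suffix; report everything that was left alone."""
    report = {"rewritten": 0, "skipped": [], "leftover": [], "password_attrs": []}
    needle = ",".join(split_dn(old_suffix)).lower()
    out = []
    for line in unfold(text):
        attr, sep, value = line.partition(":")
        name = attr.strip().lower()
        if name == "dn" and sep:
            is_b64 = value.startswith(":")  # "dn:: <base64>" is used for non-ASCII DNs
            dn = value[1:].strip() if is_b64 else value.strip()
            if is_b64:
                dn = base64.b64decode(dn).decode("utf-8")
            new_dn = swap_suffix(dn, old_suffix, new_suffix)
            if new_dn is None:
                report["skipped"].append(dn)  # entry from another naming context
            else:
                report["rewritten"] += 1
                dn = new_dn
            if is_b64:
                line = "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")
            else:
                line = "dn: " + dn
        else:
            if name in PASSWORD_ATTRS:
                report["password_attrs"].append(attr.strip())
            # Production references inside other attribute values are reported, not changed.
            if needle in re.sub(r"\s*,\s*", ",", value).lower():
                report["leftover"].append(line)
        out.append(line)  # output is unfolded; folding is optional in LDIF
    return "\n".join(out) + "\n", report


OLD_SUFFIX = "dc=Export,dc=com"          # base DN from the export command in the thread
NEW_SUFFIX = "DC=lab,DC=company,DC=com"  # assumed DN form of lab.company.com
_B64 = base64.b64encode(
    "CN=José Díaz,OU=Staff,DC=Export,DC=com".encode("utf-8")).decode("ascii")

# Constructed sample export (not real data).
SAMPLE_LDIF = "\n".join([
    "dn: CN=Jane Doe,OU=Staff,DC=Export,DC=com",
    "changetype: add",
    "cn: Jane Doe",
    "sAMAccountName: jdoe",
    "",
    "dn: CN=Smith\\, John,OU=Staff,",  # folded line with an escaped comma in the RDN
    " DC=Export,DC=com",
    "changetype: add",
    "sAMAccountName: jsmith",
    "",
    "dn:: " + _B64,
    "changetype: add",
    "sAMAccountName: jdiaz",
    "",
    "dn: CN=Partner,OU=Ext,DC=Other,DC=com",
    "changetype: add",
    "description: was OU=Old, DC=Export, DC=com",
    "",
])

if __name__ == "__main__":
    new_text, summary = rewrite_ldif(SAMPLE_LDIF, OLD_SUFFIX, NEW_SUFFIX)
    print(new_text)
    print(summary)
```

ldifde's import mode also has a `-c FromDN ToDN` switch that performs the same substitution at import time; the report here is what tells you beforehand which entries and attribute values it would not cover.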

[ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Sudhir Kaushal

Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group
policy object. 

in the event viewer of the DC's i'm getting this errors after every 5 min

Event id: 1202
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

When I drill down to the clients winlogon.log file i see the following
entry


Error 0 to send the control flag 1 over to server.

Make a local copy of \\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt0.dom.
This is not the last GPO.

The log file also specifies:

Warning 2 - The system cannnot find the file specified.
cannot find the remote desktop users.
Configure the remote desktop users.
 add domainname\group name
Error 8520 - A local group cannot have another cross domain local group as member.

Has anyone ever seen this error and/or know what the solution is.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”









RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread deji
http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1
 
Look at the 0x4b8 section.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Sudhir Kaushal
Sent: Tue 9/13/2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying



Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group policy
object.  

in the event viewer of the DC's i'm getting this errors after every 5 min 

Event id: 1202
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

When I drill down to the clients winlogon.log file i see the following entry


Error 0  to send the control flag 1 over to server. 

Make a local copy of \\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt0.dom. 
This is not the last GPO. 

The log file also specifies: 

Warning 2 - The system cannnot find the file specified. 
cannot find the remote desktop users. 
Configure the remote desktop users. 
   add domainname\group name 
Error 8520 - A local group cannot have another cross domain local group as member.



Has anyone ever seen this error and/or know what the solution is. 

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649 
  
You never win Silver, You lose Gold 






RE: [ActiveDir] Importing user from one domain to another

2005-09-13 Thread travis.abrams



Thanks Al. The lab will be isolated, we are trying to replicate the production
environment as close as possible. We will use it to test schema extensions, new
apps like MIIS, etc. I was under the impression the accounts would be created
but set as disabled with a null password. Please advise you have any ideas on
how to make this smoother.

Thanks again,

Travis Abrams



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, September 13, 2005 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Importing user from one domain to another

Yep. You can even have LDIF do it for you if you wanted. ;)
Not sure you have the information you need to create the new users though. You
may want to check that. (for example, what are you planning to do about surname
or passwords or enabled vs. disabled accounts?)

Any particular reason why you are creating this on a network that can talk
to the production network? I don't know the purpose of this lab, but if you
want true pre-production lab it might make more sense to use something virtual
and isolated. It may be that you have that already and this is something
different for all I know.

Al

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 9/12/2005 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing user from one domain to another

We are setting up our lab as the lab.company.com domain. I have an export of
our production environment using

ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"

In the file it references our production domain. Can I just replace that
reference with our Lab domain?

Thanks,

Holland + Knight
Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP



 



RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Sudhir Kaushal

Thanks for the response.. However i
have already checked this and all the related policies in win2003 are not
defined in my case.. :-( 

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”













From: deji @readymaids.com
Sent by: ActiveDir-owner
Sent: 09/13/2005 06:00 PM
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying

http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1
 
Look at the 0x4b8 section.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Sudhir Kaushal
Sent: Tue 9/13/2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying



Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group policy
object.

in the event viewer of the DC's i'm getting this errors after every 5 min

Event id: 1202
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

When I drill down to the clients winlogon.log file i see the following
entry

Error 0 to send the control flag 1 over to server.

Make a local copy of \\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt0.dom.
This is not the last GPO.

The log file also specifies:

Warning 2 - The system cannnot find the file specified.
cannot find the remote desktop users.
Configure the remote desktop users.
  add domainname\group name
Error 8520 - A local group cannot have another cross domain local group as member.



Has anyone ever seen this error and/or know what the solution is. 

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649 
 
You never win Silver, You lose Gold 








RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread jpsalemi
It sounds like a restricted groups policy being attempted wrong. But,
from what I've seen, it won't even let you try that.

John




   
From: Sudhir Kaushal [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 09/13/2005 07:39 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying
   
   





Thanks for the response.. However i have already checked this and all the
related policies in win2003 are not defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”














  
From: deji @readymaids.com
Sent by: ActiveDir-owner
Sent: 09/13/2005 06:00 PM
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying

http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1

Look at the 0x4b8 section.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Sudhir Kaushal
Sent: Tue 9/13/2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying



Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group policy
object.

in the event viewer of the DC's i'm getting this errors after every 5 min

Event id: 1202
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

When I drill down to the clients winlogon.log file i see the following
entry

Error 0  to send the control flag 1 over to server.

Make a local copy of \\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt0.dom.
This is not the last GPO.

The log file also specifies:

Warning 2 - The system cannnot find the file specified.
cannot find the remote desktop users.
Configure the remote desktop users.
  add domainname\group name
Error 8520 - A local group cannot have another cross domain local group as member.



Has anyone ever seen this error and/or know what the solution is.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

You never win Silver, You lose Gold





RE: [ActiveDir] Importing user from one domain to another

2005-09-13 Thread Al Mulnick
Personally, I'm a fan of using virtualization.  The scenario is something like 
this:
Goal: evaluate new applications in real-world simulation of the production 
environment; be able to test applications to destruction if needed.
Secondary Goal: Provide an environment or multiple environments that accurately 
depicts the production environment that can be provisioned with minimal effort.
 
Possible solution: Use virtual server technology to create domain controllers 
that can be copied to isolated environments. 
 
More detail: By using a virtual server technology, I can introduce a new DC 
into the environment and try very hard to prevent it from being used by clients 
(think DNS and branch office deployment scenarios).  That VM DC can be shutdown 
on a scheduled basis (or ad-hoc as needs arise) and I can then copy that VM to 
a lab VM that uses an isolated environment. Configure the lab as needed for the 
test and test away.
 
Pros: Provides real-world scenario with point in time data for more accurate 
testing. Can be mostly automated with scripts and batch files etc. GPO's and 
other settings are exactly as they are in production.
Cons: Can be labor disruptive if I have to reconfigure a lab and rejoin 
workstations all the time especially if that lab is used for other purposes 
such as desktop maintenance or development. 
 
You could use the ldif export/import.  Could also use script if you wanted. Or 
backup tapes.  None of these will allow you to fully test an environment for 
GPO's and other settings that otherwise wouldn't come over in an export/import. 
 
My thoughts anyway. 
 
Al
 
 
 



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 9/13/2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Importing user from one domain to another


Thanks Al. The lab will be isolated, we are trying to replicate the production 
environment as close as possible. We will use it to test schema extensions, new 
apps like MIIS, etc. I was under the impression the accounts would be created 
but set as disabled with a null password. Please advise you have any ideas on 
how to make this smoother.
 
Thanks again,
 

Travis Abrams 

  

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, September 13, 2005 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Importing user from one domain to another


Yep. You can even have LDIF do it for you if you wanted. ;)
Not sure you have the information you need to create the new users though.  You 
may want to check that. (for example, what are you planning to do about surname 
or passwords or enabled vs. disabled accounts?)
 
Any particular reason why you are creating this on a network that can talk 
to the production network?  I don't know the purpose of this lab, but if you 
want a true pre-production lab it might make more sense to use something virtual 
and isolated. It may be that you have that already and this is something 
different for all I know. 
 
Al



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 9/12/2005 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing user from one domain to another


We are setting up our lab as the lab.company.com domain. I have an export of 
our production environment using 

ldifde -f Exportuser.ldf -s Server1 -t 3268 -d dc=Export,dc=com -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l cn,givenName,objectclass,sAMAccountName

In the file it references our production domain. Can I just replace that 
reference with our Lab domain?
 
Thanks,
 

Holland + Knight 
  
Travis Abrams 
IT Security  Systems Manager 
Holland  Knight LLP 
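
Added example, not code from the thread: a plain search-and-replace over the export misses a DN whose suffix is split by LDIF line folding or stored as a base64 `dn::` value, so this Python rewriter unfolds, decodes and swaps only a trailing naming context. The target DN DC=lab,DC=company,DC=com is an assumed rendering of lab.company.com, and the sample entries are constructed.

```python
import base64
import re

OLD_SUFFIX = "dc=Export,dc=com"          # base DN from the ldifde export quoted above
NEW_SUFFIX = "DC=lab,DC=company,DC=com"  # assumed DN form of lab.company.com

def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def fold(line, width=76):
    """Re-fold a long line as RFC 2849 describes (continuation lines start with a space)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return parts

def swap_suffix(value, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Swap the naming context only when it is the tail of a DN, ignoring case."""
    low, old_low = value.lower(), old.lower()
    if low == old_low:
        return new
    if low.endswith("," + old_low):
        return value[:len(value) - len(old)] + new
    return value

def rewrite_line(line, old=OLD_SUFFIX, new=NEW_SUFFIX):
    m = re.match(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$", line)
    if not m:
        return line                      # blank separators, comments and "-" pass through
    attr, sep, value = m.groups()
    if sep == "::":                      # base64 value, used for non-ASCII DNs
        try:
            decoded = base64.b64decode(value).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return line                  # binary attribute: leave untouched
        swapped = swap_suffix(decoded, old, new)
        if swapped == decoded:
            return line
        return attr + ":: " + base64.b64encode(swapped.encode("utf-8")).decode("ascii")
    swapped = swap_suffix(value, old, new)
    return line if swapped == value else attr + ": " + swapped

def rewrite_ldif(text, old=OLD_SUFFIX, new=NEW_SUFFIX):
    out = []
    for line in unfold(text):
        out.extend(fold(rewrite_line(line, old, new)))
    return "\n".join(out) + "\n"

# Constructed sample export (not data from the thread).
B64_DN = base64.b64encode("CN=José Álvarez,OU=Staff,dc=Export,dc=com".encode("utf-8")).decode("ascii")
SAMPLE = "\n".join([
    "dn: CN=Alice Example,OU=Staff,dc=Ex",
    " port,dc=com",                      # suffix split across a fold
    "changetype: add",
    "objectClass: user",
    "cn: Alice Example",
    "sAMAccountName: aexample",
    "description: migrated from dc=Export,dc=com in 2005",   # free text: must not change
    "",
    "dn:: " + B64_DN,
    "changetype: add",
    "objectClass: user",
    "sAMAccountName: jalvarez",
    "",
])

if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE), end="")
```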
  

 





RE: [ActiveDir] Attribute Documentation

2005-09-13 Thread Douglas M. Long








Thanks everyone!!! It looks like mailNickname,
mail, homeMDB, mDBUseDefaults, msExchHomeServerName are the only attributes
that I needed to create a mailbox enabled user. 

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, September 12, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Attribute Documentation





I know Joe R raised this issue a while back. From what I remember his
suggestion to Microsoft was to maintain a database to provide more detail on
the AD schema. I'm not sure how far this got, but I suspect Joe will have some
input.

A number of the attributes you show below are maintained by RUS. There are
some helpful KB articles which cover the attributes touched by RUS in some
detail:

Tasks performed by the Exchange Recipient Update Service
http://support.microsoft.com/kb/253770

XADM: Requirements for Disabling the Recipient Update Service
http://support.microsoft.com/?kbid=296479



Tony











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, 13 September 2005 6:22 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Attribute Documentation

Is there any good documentation on AD attributes? The stuff
at msdn.microsoft.com seems pretty useless to me (or maybe I just don't
have a clue what they are specifying). I need to know if attributes need to be
specified, or if they are automatically populated (and if so, how or what
criteria are used), or don't need to be present when creating accounts.
Here are the ones I am concerned with at this time, but it sure would be nice
to find a good resource to look this stuff up in.







mail
pwdLastSet
instanceType
showInAddressBook
showInAddressBook
homeMTA
homeMDB
mailNickname
mDBUseDefaults
legacyExchangeDN
textEncodedORAddress
msExchHomeServerName
msExchUserAccountControl





Thanks







This e-mail message has been scanned for Viruses and Content and
cleared by NetIQ MailMarshal at Gen-i















RE: [ActiveDir] Attribute Documentation

2005-09-13 Thread Michael B. Smith








Be aware that creating a mailbox without
using CreateMailbox is not a supported operation. :-)












RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Darren Mar-Elia
Unless you are entering the group as free text (i.e. just typing it in). Couple 
of points here. Using restricted group policy on DCs to control domain group 
membership is bad news. I would simply avoid it. This particular error 
indicates that you are trying to add a group to a domain local group that is 
from another domain, and that this is not allowed--at least not on a domain 
local group. I would go into the Restricted Groups policies that are applying 
to your DCs (either linked to the Domain Controllers OU or to the Domain) and 
figure which policy is doing this. You can also run rsop.msc on the DC in 
question to see which GPO is delivering the winning restricted groups policy.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Group Policy Not Applying

It sounds like a restricted groups policy being attempted wrong. But, from 
what I've seen, it won't even let you try that.

John




   
Sudhir Kaushal [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/13/2005 07:39 AM
Please respond to [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying
   
   





Thanks for the response.. However i have already checked this and all the 
related policies in win2003 are not defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”










This is a PRIVATE message. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.




  
deji @readymaids.com
Sent by: ActiveDir-owner
09/13/2005 06:00 PM
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying
  





http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1

Look at the 0x4b8 section.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Sudhir Kaushal
Sent: Tue 9/13/2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying



Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group policy 
object.

In the event viewer of the DC's I'm getting these errors after every 5 min

Event id: 1202
Security policies were propagated with warning.
0x4b8 : An extended error has 

RE: [ActiveDir] Group policy security setting

2005-09-13 Thread Steve Rochford
 I've set the IE home page to our intranet, which is the only 
 site allowed; everything else goes to a bit-bucket proxy. So in:
 User config\windows settings\internet explorer 
 maintenance\URLs\Important URLs, I've set the home page. But 
 it doesn't work. With a new user login, IE starts by going to 
 MS site, and since the proxy won't let it, it doesn't move 
 forward from there. I can type in the intranet URL manually 
 and get there. If I allow the browser to reach the internet, 
 it goes to the MS site first, then to windows update on the 
 second launch, then to the expected home page on the third launch.
 
 Any way to get around this?
 Thanks!

Set 

HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page 

to the page you want to visit first. I can't find this documented
anywhere on the Microsoft web site except for Windows 98 so I'm not
absolutely sure it's still relevant but it's got to be worth a go! (We
set it for all machines in the logon script but I'd guess you could
easily do it in a group policy)

Steve


RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Brian Desmond








You setting restricted groups in a policy? DCs don't have local groups,
they just have the domain database, so, this is to be expected depending on
what you're trying to nest in the domain version of this group.





Thanks,
Brian Desmond

[EMAIL PROTECTED]



c -
312.731.3132















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal
Sent: Tuesday, September 13, 2005 8:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying






Hi all

I'm having an issue with ONE of my DC's (Win2003) not applying a group policy
object.

In the event viewer of the DC's I'm getting these errors after every 5 min

Event id: 1202
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

When I drill down to the client's winlogon.log file I see the following entry

Error 0 to send the control flag 1 over to server.

Make a local copy of \\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt0.dom.
This is not the last GPO.

The log file also specifies:

Warning 2 - The system cannot find the file specified.
cannot find the remote desktop users.
Configure the remote desktop users.
 add domainname\group name
Error 8520 - A local group cannot have another cross domain local group as member.

Has anyone ever seen this error and/or
know what the solution is?
Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649
 
You never win Silver, You lose Gold
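
Added example, not code from the thread: Restricted Groups settings are stored in the [Group Membership] section of each GPO's GptTmpl.inf (the file named in the log above), so this Python scan lists every such entry per GPO and marks principals that come from another domain as candidates for the 8520 error. The GPO GUIDs, domain SID and the CORP and OTHERDOM names are constructed sample values.

```python
import re

# Well-known SIDs that often appear as Restricted Groups targets.
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-555": "BUILTIN\\Remote Desktop Users"}

def group_membership(inf_text):
    """Return (group, kind, principals) for every [Group Membership] line of a GptTmpl.inf."""
    entries, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership":
            continue
        key, _, value = line.partition("=")
        m = re.match(r"^\*?(.+?)__(Members|Memberof)$", key.strip(), re.IGNORECASE)
        if not m:
            continue
        # Principals are "*SID" when picked in the editor, plain text when typed in.
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        group = WELL_KNOWN.get(m.group(1), m.group(1))
        entries.append((group, m.group(2).capitalize(), principals))
    return entries

def is_foreign(principal, domain_sid, netbios):
    """True when a principal belongs to a domain other than the one being audited."""
    if principal.upper().startswith("S-1-5-21-"):
        return not principal.upper().startswith(domain_sid.upper() + "-")
    if "\\" in principal:
        prefix = principal.split("\\", 1)[0].upper()
        return prefix not in (netbios.upper(), "BUILTIN", "NT AUTHORITY")
    return False  # bare names and built-in SIDs resolve locally

def audit(templates, domain_sid, netbios):
    """templates maps a GPO GUID to the text of its GptTmpl.inf."""
    findings = []
    for gpo, text in sorted(templates.items()):
        for group, kind, principals in group_membership(text):
            foreign = [p for p in principals if is_foreign(p, domain_sid, netbios)]
            findings.append({"gpo": gpo, "group": group, "kind": kind,
                             "principals": principals, "foreign": foreign})
    return findings

# Constructed sample data. Real templates under SYSVOL are usually UTF-16,
# so read them with open(path, encoding="utf-16").
LOCAL_SID, LOCAL_NETBIOS = "S-1-5-21-1111-2222-3333", "CORP"
TEMPLATES = {
    "{00000000-0000-0000-0000-0000000000AA}":
        "[Unicode]\nUnicode=yes\n[System Access]\nMinimumPasswordLength = 8\n",
    "{00000000-0000-0000-0000-0000000000BB}":
        "[Unicode]\nUnicode=yes\n[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
        "[Group Membership]\n"
        "*S-1-5-32-555__Memberof =\n"
        "*S-1-5-32-555__Members = *S-1-5-21-1111-2222-3333-1105,"
        "*S-1-5-21-9999-8888-7777-1200,OTHERDOM\\RDP Support\n",
}

if __name__ == "__main__":
    for f in audit(TEMPLATES, LOCAL_SID, LOCAL_NETBIOS):
        print(f["gpo"], f["group"], f["kind"], f["principals"], "foreign:", f["foreign"])
```

A GPO that shows up in this listing and is linked to the Domain Controllers OU or the domain is the one to check against the rsop.msc result mentioned earlier in the thread.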


 














RE: [ActiveDir] Group policy security setting

2005-09-13 Thread Charlie Kaiser
OK; that's got it. I found another KB article (289902) that talks about
another part of this; it's a file called homepage.inf. I could probably
play with that to get what I need as well, but this worked. Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 



[ActiveDir] Synchronizing AD

2005-09-13 Thread travis.abrams






Does anyone have any recommendations on products or information on synchronizing data from a SQL database to AD. For example, we want to synch data from the HR database to the users account. 

Thanks in advance


 

Travis Abrams





Re: [ActiveDir] Synchronizing AD

2005-09-13 Thread Matt
You could use MIIS (http://www.microsoft.com/windowsserversystem/miis2003/default.mspx), which is a fully functional meta-directory solution from Microsoft, or there is another tool called SimpleSync (http://www.cps-systems.com/simplesync/) which I believe will provide you simpler but similar functionality. I prefer to use MIIS; however, it is costly, and perhaps overly complex for your particular situation.

-- 
Tnx,
Matt

On 9/13/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Does anyone have any recommendations on products or information on synchronizing data from a SQL database to AD. For example, we want to synch data from the HR database to the users account. 

Thanks in advance

Travis Abrams


RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Sudhir Kaushal

Hi All,

Thanks to everyone for guiding me to the solution. It was because of the
restricted group policy on the DC's to control the domain group membership.
I removed it and updated the GP, and it worked.
Have a nice day... :-)

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You
lose Gold”














Fw: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Sudhir Kaushal

Hi All,

One small query in this regard. The problem I was facing was because of one
domain local group added in the restricted group in the default domain
controller policy.

Can we have a global group defined in the restricted groups in the default
domain controller policy instead of a domain local group?

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You
lose Gold”







- Forwarded by Sudhir
Kaushal/GIS/CSC on 09/14/2005 11:11 AM -




Sudhir Kaushal/GIS/CSC
@CSC
Sent by: ActiveDir-owner
09/14/2005 10:36 AM
Please respond to ActiveDir

To:
   ActiveDir@mail.activedir.org
cc:
   
Subject:
   RE: [ActiveDir] Security Group Policy
Not Applying



Hi All, 

Thanks to everyone for guiding me to the solution. It was because
of the restricted group policy on the DC's to control the domain group
membership. I removed it and updated the GP, and it worked.
Have a nice day... :-)

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649 
 
“You never win Silver, You lose Gold” 
 











Darren Mar-Elia darren.marelia@quest.com
Sent by: ActiveDir-owner
09/13/2005 10:29 PM
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying



Unless you are entering the group as free text (i.e. just typing it in).
Couple of points here. Using restricted group policy on DCs to control
domain group membership is bad news. I would simply avoid it. This particular
error indicates that you are trying to add a group to a domain local group
that is from another domain, and that this is not allowed--at least not
on a domain local group. I would go into the Restricted Groups policies
that are applying to your DCs (either linked to the Domain Controllers
OU or to the Domain) and figure which policy is doing this. You can also
run rsop.msc on the DC in question to see which GPO is delivering the winning
restricted groups policy.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Group Policy Not Applying

It sounds like a restricted groups policy being attempted wrong. But,
from what I've seen, it won't even let you try that.

John




  
  
  

Sudhir Kaushal [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/13/2005 07:39 AM
Please respond to [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying
  
  
  
  
  

  
  
  






Thanks for the response.. However i have already checked this and all the
related policies in win2003 are not defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never