RE: [ActiveDir] OT perhaps.. Connecting non-admin to remote console in Win2k3 DCs

2003-07-02 Thread Darren Mar-Elia
Stephen- On the DCs, have you tried granting the Allow Logon through Terminal Services user right to your non-admin group? -Original Message- From: Wilkinson, Stephen (DrKW) [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 02, 2003 6:25 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT

RE: [ActiveDir] Missing Sysvol and Netlogon

2003-07-03 Thread Darren Mar-Elia
Yusuf- With respect to your Default Domain Policy problems, recopying the SYSVOL files should have been enough if that's all that was damaged on your GPOs. Keep in mind that a GPO has two parts--the part in SYSVOL and the part in AD under domain naming

RE: [ActiveDir] AD DOS vulnerability

2003-07-07 Thread Darren Mar-Elia
I think this refers to the issue recently identified where a member of the Domain Admins group, with access to a domain controller within a domain in the forest, could, for example, start a process within the security context of LocalSystem (e.g. using the AT scheduler), and thus gain privileged

RE: [ActiveDir] AD DOS vulnerability

2003-07-07 Thread Darren Mar-Elia
- www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, July 07, 2003 1:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD DOS vulnerability I think this refers to the issue recently

RE: [ActiveDir] Proxy Server

2003-07-08 Thread Darren Mar-Elia
Richard- Where are the GPOs linked? Have you checked permissions on them to ensure that the workstation machine accounts have Read and Apply Group Policy perms? Authenticated Users will do. -Original Message- From: Richard Sumilang [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 08,

RE: [ActiveDir] Proxy Server

2003-07-09 Thread Darren Mar-Elia
that? As for Authenticated Users group, yes. On Tuesday, July 8, 2003, at 01:48 PM, Darren Mar-Elia wrote: Richard- Where are the GPOs linked? Have you checked permissions on them to ensure that the workstation machine accounts have Read and Apply Group Policy perms? Authenticated Users will do

RE: [ActiveDir] Computer Management Snap in?

2003-07-22 Thread Darren Mar-Elia
One other issue to consider is whether the user account you're using has sufficient WMI permissions to access the box in question. The Computer Management snap-in largely uses WMI to cull data about the box. WMI has a set of permissions associated with it that controls who can access that WMI data.

RE: [ActiveDir] slow guid resolution

2003-07-22 Thread Darren Mar-Elia
Kenneth- It's not much help, but did you see this KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;281457 ? Do you have individual user accounts in your ACLs rather than just groups? Darren -Original Message- From: Garello, Kenneth [mailto:[EMAIL PROTECTED] Sent:

RE: [ActiveDir] Applying Group Policies

2003-07-25 Thread Darren Mar-Elia
Richard- From the client computer, you can manually force a background refresh of policy using secedit.exe on Win2K (e.g. secedit /refreshpolicy machine_policy). However, if there are problems with the workstation processing policy, this won't really help much--you need to get to the root

RE: [ActiveDir] Windows Server 2003 authoritative Restore

2003-07-29 Thread Darren Mar-Elia
I think what you're referring to here is the new tombstone reanimation (cute name, huh?) API that has been added to Server 2003. This allows you to programmatically retrieve deleted AD objects from the Deleted Objects container before their tombstone interval has expired and

RE: [ActiveDir] OT: Packaging Software for Deployment

2003-08-14 Thread Darren Mar-Elia
I believe that the last time I tried using a ZAP file, it didn't take UNCs, only drive letters (e.g. z:\myapp\setup.exe). Probably worth testing yourself though, since it's been a while. As Rod's webpage notes, ZAP files don't provide privilege escalation like MSIs do. So, the user will need to

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Darren Mar-Elia
Well it doesn't give a lot of info but the RegOpenKey failing on GetHKeyCU (Get a handle to the user's profile in HKEY_CURRENT_USER) looks like a problem. The policy extension can't access the user's profile. The strange thing is that it returns a 0x0, which usually means

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Darren Mar-Elia
Try turning that off (make it synchronous). -Original Message- From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 12:46 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security These are all 2000

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Darren Mar-Elia
Yuck (technical term). Dr. Watson isn't a good thing. Loading a Win2K .adm should not cause a Dr. Watson on the MMC. Not sure why you're getting a SQLServerAgent error--that's pretty unrelated to policy. If it's possible, you may want to delete this GPO and start from scratch.

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Darren Mar-Elia
IE Maintenance has two modes--preference and mandatory. Preference says, "hand down IE policy but then let the user change it" whereas mandatory says, "reinforce it all the time". You can see this by right clicking the IE Maintenance node and choosing either Preference mode

RE: [ActiveDir] Pagefile sizes... Its that time of year again.

2003-08-14 Thread Darren Mar-Elia
I think the standard formulas work well as a starting point, but over the years I've gotten stingy on pagefile size, since you can get defragmentation in the pagefile and really big ones can get correspondingly more fragmented if they start to get up to a fair percentage of total disk space. In

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Darren Mar-Elia
What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy. -Original Message- From: Charles

RE: [ActiveDir] Group Policy and IE Zone Security

2003-08-14 Thread Darren Mar-Elia
Charles- Have you checked out this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;306915? It's not exactly the same but could be your problem. Darren -Original Message- From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Mon 8/11/2003 6:10

RE: [ActiveDir] how can you trace a logon

2003-08-18 Thread Darren Mar-Elia
verbose userenv.log logging (check out this article for details: http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833) That log will timestamp and describe every event during the logon process related to profiles and policies in gruesome detail. Good luck, Darren Darren Mar-Elia

RE: [ActiveDir] Interface IDsBrowseDomainTree, values of DS_TRUSTED_DOMAIN.Flags?

2003-08-28 Thread Darren Mar-Elia
Jens- In my platform SDK docs, the ulFlags field says that the possible flags are the same as those shown in DsEnumerateDomainTrusts, which show as the following: DS_DOMAIN_DIRECT_INBOUND Enumerate domains that are directly trusting the domain which has ServerName as a member.

RE: [ActiveDir] Template to Test Group Policies

2003-09-03 Thread Darren Mar-Elia
Jenn- Check out the Server 2003 deployment guide related to GPO deployment at http://www.microsoft.com/downloads/details.aspx?familyid=b671967b-ef65-4ccf-9d00-89d6ae428edc&displaylang=en It's not really specific to having Server 2003, but rather just leverages features in GPMC to handle the

RE: [ActiveDir] The specified network name is no longer available

2003-09-03 Thread Darren Mar-Elia
This may sound unrelated but make sure the workstation's time is fairly close to that of your domain controllers. Like within 5 minutes. -Original Message- From: Mehmet AVAR [mailto:[EMAIL PROTECTED] Sent: Wed 9/3/2003 11:54 AM To: [EMAIL PROTECTED]

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

2003-09-12 Thread Darren Mar-Elia
Typically the better patch management tools use more than just what's in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix to determine if a patch is really applied. For example, they will use hash checks or version checks of the actual patched system files

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

2003-09-12 Thread Darren Mar-Elia
in uptime to assure the system has been rebooted before we consider it patched. -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Friday, September 12, 2003 11:36 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

2003-09-12 Thread Darren Mar-Elia
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, September 12, 2003 5:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix Joe- On your request to MS, have you already looked at the mssecure.xml file that is used

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Darren Mar-Elia
Of course, you realize that RPC over HTTP is basically the same thing as the latest craze in application integration--SOAP--part of the pantheon of Web Services protocols. The encoding may be different, but that's about all. And SOAP usage is exploding. So, the problem of

RE: [ActiveDir] connecting Mac OS 10.2 to Active Directory

2003-09-22 Thread Darren Mar-Elia
John- What kinds of services are you looking to tie into the Mac? Authentication? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: Monday, September 22, 2003 3:27 PM To: [EMAIL PROTECTED] Subject:

RE: [ActiveDir] Security Logs

2003-09-24 Thread Darren Mar-Elia
James- I think that the riskiest thing that someone can get out of the security logs is information on all of the user accounts and groups within your domain. Since there isn't a way to block this information if they have access to the live logs, it may not be something the other companies would

RE: [ActiveDir] Software Install to DC's via GPO

2003-09-29 Thread Darren Mar-Elia
What is the application that you're trying to deploy? In general, what you're doing should not be a problem. This works as advertised. Here's a few things to try. Run gpresult on the DC and make sure that the policy is being received and processed. Next, you'll probably want to enable some verbose

RE: [ActiveDir] Secedit Errors

2003-10-02 Thread Darren Mar-Elia
Jef- I don't know if it helps but the flags (145) thing means the following:
- Machine Policy is being applied as opposed to user policy
- This policy is being applied as a background refresh (rather than foreground)
- No changes were detected to the GPO during this processing

RE: [ActiveDir] Child domain delegation

2003-10-07 Thread Darren Mar-Elia
Steve- In order to delegate creation of GPOs, you need to grant access to the System\Policies container within the Domain, and within the Policies folder under SYSVOL rather than granting a right at the domain level. The easiest way to do this, without getting in and modifying

RE: [ActiveDir] OT Received Packets

2003-10-08 Thread Darren Mar-Elia
Justin- I have to believe that you're somehow not capturing the correct NIC with your sniffer tools. You might just want to use the PerfMon Network Interface object to verify which interface is registering all the traffic and then make sure that the MAC address of that interface corresponds to

RE: [ActiveDir] Which GPO Prevails

2003-10-13 Thread Darren Mar-Elia
George- Yes, if you set policy in both the Default Domain and Default Domain Controllers GPOs, then what applies to your domain controllers is any policy from the Default Domain GPO that does not conflict with policy in the Default Domain Controllers GPO. That is, you will get

RE: [ActiveDir] Controling the Internet Explorer Cache size

2003-10-14 Thread Darren Mar-Elia
Irwan- I don't think that particular setting is currently exposed in policy. At least, I didn't see it. A quick glance with Regmon seems to indicate that this setting is controlled using the following registry value: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet

RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

2003-10-22 Thread Darren Mar-Elia
Clyde- Somewhere buried on Microsoft's site, I once came across a WMI provider for DHCP Servers. I will see if I can track down a URL. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burns, Clyde Sent: Wednesday,

RE: [ActiveDir] Silly Question probably....

2003-10-23 Thread Darren Mar-Elia
Steve- Check out Sid2User, written by Euvgenii Rudnyi. You can get it at http://www.securityfocus.com/tools/544. It will translate a SID to a text user name. -Original Message- From: [EMAIL PROTECTED] on behalf of Technology Listserves Sent: Thu 10/23/2003 2:10

RE: [ActiveDir] GPMC on XP

2003-10-27 Thread Darren Mar-Elia
Mike- I'm assuming that when you talk about viewing Windows settings, you're doing this against the GPO itself, rather than doing an RSoP logging report? If so, then you might want to verify that you don't have a problem with the permissions on the SYSVOL portion of that GPO, stored under

RE: [ActiveDir]

2003-10-28 Thread Darren Mar-Elia
Shawn- You can use AD auditing to see changes to a GPO, since any GPO that is modified touches both the Group Policy Container object in AD as well as SYSVOL. Using the AD auditing event is a quick and dirty way of finding out who changed the GPO, although, as Gil mentioned, you can't really tell

RE: [ActiveDir] GPOs and additional sites

2003-10-30 Thread Darren Mar-Elia
Marcus- The answer to your question is yes. Basically, if a slow link is detected, the various Client Side Extensions for stuff like Software Installation and Folder Redirection will simply not fire, even if the bits (e.g. MSI package) are on a fast link. One way around this is to use Admin.

RE: [ActiveDir] GPOs and additional sites

2003-10-30 Thread Darren Mar-Elia
Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Thursday, October 30, 2003 3:00 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPOs and additional sites Marcus- The answer to your question is yes. Basically, if a slow link is detected, the various Client Side Extensions

RE: [ActiveDir] Group policy

2003-11-03 Thread Darren Mar-Elia
John- Best thing to do is use security group filtering on your GPO to exclude those servers. You can either remove the Authenticated Users ACE from the GPO and then grant Read and Apply Group Policy permissions to the computer or user groups you wish the GPO to apply to or you can put your few

RE: [ActiveDir] Userenv.log error

2003-12-12 Thread Darren Mar-Elia
KC- What this event is saying is that an application--probably a system application--is trying to create an event so that it can receive a notification when a GPO changes. However, for some reason, that application is unable to create the event for security reasons. It would probably be useful to

RE: [ActiveDir] Group Policy Infrastructure problems

2003-12-16 Thread Darren Mar-Elia
Brad- A quick suggestion is to make sure that the DC servicing those GPO processing requests is correctly registered in DNS. Missing SRV records for LDAP, for example, can cause GPO processing to simply fail, which would result in no GPO processing at all on a given client. Another option

RE: [ActiveDir] GPO Software Distribution

2003-12-18 Thread Darren Mar-Elia
Justin- Because of the way software installation works in Group Policy, adding MSTs is a one time operation. I believe this is because, as a function of initial deployment of an application, an application advertisement script (.aas) file is created in SYSVOL that includes the definitions of the

RE: [ActiveDir] GPO Software Distribution

2003-12-18 Thread Darren Mar-Elia
Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 2:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO Software Distribution Justin- Because of the way software installation works in Group Policy, adding MSTs is a one time operation. I believe this is because

RE: [ActiveDir] GPO Software Distribution

2003-12-18 Thread Darren Mar-Elia
It must recreate that each time you redeploy -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 2:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO Software Distribution Not sure but I don't think so, because

RE: [ActiveDir] group policy processing of IE settings

2003-12-30 Thread Darren Mar-Elia
Graham- Generally speaking, when you need to change CSE processing behavior, it's typically done where the CSE is registered, which is under hklm/software/microsoft/windows nt/current version/winlogon/gp extensions/. I don't have the 1st reg key you listed on my machines, so I'm not sure where that

RE: [ActiveDir] Software Deployment to Computers using GPO

2003-12-30 Thread Darren Mar-Elia
Russ- How are you trying to trigger the install? If it's a machine-based assignment, the install will only happen on machine reboot, rather than by using secedit or gpupdate. The message displayed below is simply saying that software installation can't happen in the background (i.e.

RE: [ActiveDir] Software Deployment to Computers using GPO

2003-12-30 Thread Darren Mar-Elia
You did the right thing. I've never understood why MS enabled fast logon optimization by default on XP. It causes no end of problems with Folder Redirection and Software Installation. It won't have a huge effect for your users unless you get paid based on how long it takes for them to get a

RE: [ActiveDir] Bug in GPO?

2003-12-30 Thread Darren Mar-Elia
Mark- This worked for me on XP as expected--I chose to hide the C: drive using this policy and it was hidden in both My Computer and Explorer. One thing I did note was that, if I enabled this policy while I had Explorer up and running, the C: drive would only get "partially" hidden. That is,

RE: [ActiveDir] group policy processing of IE settings

2003-12-31 Thread Darren Mar-Elia
- Original Message - From: Darren Mar-Elia [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 30, 2003 5:51 PM Subject: RE: [ActiveDir] group policy processing of IE settings Graham- Generally speaking, when you need to change CSE processing behavior, it's typically done where

RE: [ActiveDir] group policy processing of IE settings

2004-01-02 Thread Darren Mar-Elia
location of msnews.microsoft.com/microsoft.public.win2000.grouppolicy but here i have an ongoing thread with MSFT - this seems to have run its course. help in the further debug of this will be most gladly received GT - Original Message - From: Darren Mar-Elia [EMAIL PROTECTED] To: [EMAIL

RE: [ActiveDir] group policy processing of IE settings

2004-01-04 Thread Darren Mar-Elia
- i assume they are written to the registry somewhere ? GT - Original Message - From: Darren Mar-Elia [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 02, 2004 6:35 PM Subject: RE: [ActiveDir] group policy processing of IE settings Happy New Year Graham- Yes, I think

RE: [ActiveDir] Where in the world is Micky Balladelli?

2004-01-04 Thread Darren Mar-Elia
Hey Joe- You're right, AOD did not become Quest's Spotlight on AD. I haven't seen AOD since the Win2K JDP, but Spotlight does have a graphical site/replication topology viewer similar to what I remember about AOD. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] GPO problem

2004-01-05 Thread Darren Mar-Elia
Russ- Couple of things to check. The easy thing to check is to make sure you don't have the view option checked in the GPO Editor that says, Only show configured policy settings. If that is checked, that would explain why the other stuff is gone. If that isn't it, then it could be that the

RE: [ActiveDir] GPO problem

2004-01-05 Thread Darren Mar-Elia
the same GPO editor? -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 05, 2004 6:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO problem Russ

RE: [ActiveDir] Undoing a GPO for Domain Admins

2004-01-06 Thread Darren Mar-Elia
Mark- What you're doing should work. The only difference is that I usually also include the Read permission in the Deny, but since you need both Read and Apply GPO to process a policy, your way should work. Is it possible you have a loopback policy enabled on that GPO? Darren From: [EMAIL

RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopbac k problem

2004-01-06 Thread Darren Mar-Elia
No, the merge/replace issues shouldn't affect the fact that your admins are still getting desktop lockdown even though they no longer have permission to process that GPO. Desktop Lockdown (i.e. Admin Template policy) should be undone (un-tattooed) when the GPO no longer applies. Have you tried

RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopbac k problem

2004-01-07 Thread Darren Mar-Elia
for that policy, those user settings will still be applied (!!) which is not what I'd expect at all, but it is (unclearly) documented) --On 06/01/2004 12:03 -0800 Darren Mar-Elia wrote: No, the merge/replace issues shouldn't affect the fact that your admins are still getting

RE: [ActiveDir] Intellimirror Question

2004-01-16 Thread Darren Mar-Elia
Cory- What I have found is that GPO-based software installation is keyed off the MSI Product Code that comes in an MSI package. If the MSI productCode of the version that is installed already is the same as the one you're deploying via GPO, then GPO won't install

RE: [ActiveDir] AD and GPO registry question

2004-01-19 Thread Darren Mar-Elia
Neil- HKCU is simply an alias to the key under HKEY_USERS that you're seeing the changes appear in below. In reality, you should see it in both places since they should be one in the same. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] AD and GPO registry question

2004-01-19 Thread Darren Mar-Elia
I know this may seem obvious, but are you refreshing the view in regedit when you're focused on HKCU? I tested this to confirm and I can see the changes appearing simultaneously in both places (well as simultaneously as I can switch from one key to the other). From: [EMAIL

RE: [ActiveDir] How to track object deletion?

2004-01-19 Thread Darren Mar-Elia
Check the lastKnownParent attribute on the deleted object. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, January 19, 2004 7:37 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] How to track object deletion? Hello, AD

RE: [ActiveDir] effective policies blocking local policies

2004-01-21 Thread Darren Mar-Elia
Marvin- Given where this computer resides, it's likely that it's receiving policy instructions from whatever GPOs you have linked to the domain. It could just be the default policy settings in the Default Domain Policy, in this case under Computer Configuration, Windows Settings, Security

RE: [ActiveDir] Limiting GPO's to Network Logons

2004-01-27 Thread Darren Mar-Elia
I read with interest this post. don't suppose there is any related policy that allows the administrator to suppress the processing of login script (as set in the user a/c property) when logging on locally ?? GT - Original Message - From: Darren Mar-Elia [EMAIL PROTECTED] To: [EMAIL

RE: [ActiveDir] Logout script

2004-01-27 Thread Darren Mar-Elia
Clay- Are you sure you're talking about user logon and logout scripts here? My tests have always shown that these scripts run in the context of the user while machine startup and shutdown scripts run under LocalSystem. A quick test that I've done to confirm this is to use the whoami.exe utility in

RE: [ActiveDir] Logout script

2004-01-27 Thread Darren Mar-Elia
Bruce- What is the script doing? It may run interactively just fine but when run in the background, it could be having problems. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman Sent: Tuesday, January 27, 2004 12:02 PM To: ActiveDir

RE: [ActiveDir] Logout script

2004-01-27 Thread Darren Mar-Elia
Hmm. I'm assuming that when the user runs it interactively, it doesn't throw up any dialogs or expect response, correct? Also, are you using or relying on any environment variables in the script? I have seen weird behavior in logon scripts related to when certain environment variables are

RE: [ActiveDir] I: Quest to aquire Aelita

2004-01-29 Thread Darren Mar-Elia
Or leverage the low-hanging fruit of core competencies to drill down into our game plan and do the heavy lifting to become world class! (courtesy of Business Buzzword bingo: http://isd.usc.edu/~karl/Bingo/bbbingo.html) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Contents of GC

2004-01-29 Thread Darren Mar-Elia
This is just a guess, but since this is Win2K, I wonder if forcing a full synchronization of all GCs by adding a new attribute to the PAS would clear this up? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Thursday, January 29,

RE: [ActiveDir] XP and 2003 ADM templates and GPO's

2004-01-30 Thread Darren Mar-Elia
Todd- Congrats on your MVP! #1 below is correct. #2 is also correct. As far as losing settings that have been retrograded, my experience is that you don't. That is, if you take an XP-created GPO, make some changes to it and then downgrade it by editing it with a Win2K box, when you then go back

RE: [ActiveDir] Group Policy for allowing software installs - love working the we ekend shift!

2004-01-31 Thread Darren Mar-Elia
Joe- If I follow what you're asking for, I think you could use a machine-based Restricted Groups Policy on a GPO linked to the LaptopUsers OU to accomplish what you want. In most cases on XP, the local Power Users group should give a user sufficient rights to install software. So, if you set up

RE: [ActiveDir] Policy not applying and RSoP

2004-01-31 Thread Darren Mar-Elia
Bruce- I looked through your script that you had posted here previously (I'm assuming it's the same one you're having problems with). I didn't see anything that immediately popped out. One thing I would suggest is to modify the script to add some debugging info at key points, using the

RE: [ActiveDir] RSoP

2004-03-01 Thread Darren Mar-Elia
Planning mode requires a service running on a DC that is only available in Win2k3--specifically the RSoP Provider service. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Monday, March 01, 2004 8:13 AM To: ActiveDir (E-mail)

RE: [ActiveDir] RSoP

2004-03-01 Thread Darren Mar-Elia
]' Subject: RE: [ActiveDir] RSoP Do I will only be able to use the planning mode on 2003 machines? What about XP? I was running the RsoP from an XP machines against a 2003 Member server in a 2000 domain, can this not work? -Original Message- From: Darren Mar-Elia [mailto:[EMAIL

RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

2004-03-01 Thread Darren Mar-Elia
Todd- You should be able to do what you want actually, without having to be at a DC. It's kind of kludgy, but just try typing the word Administrators (without quotes) into the dialog where you would normally browse for the group. This is perfectly acceptable and should be resolved to the SID of the

RE: [ActiveDir] Active Directory users and Terminal Server in NT4.0 domain

2004-03-03 Thread Darren Mar-Elia
If I follow your scenario, then it is entirely possible to get user group policy from a Win2k device within an NT 4 domain. I can't think of any good way to prevent them from getting that policy, other than using user or user group-based security filtering on that GPO to prevent these users from

RE: [ActiveDir] Custom ADM

2004-03-09 Thread Darren Mar-Elia
Edward- I've never seen a way to delete a value using ADM files. In fact, I've never seen a way to rename a value, so I'd like to see how you do that if you could share it. Thanks Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parker, Edward

RE: [ActiveDir] Group Policy

2004-03-15 Thread Darren Mar-Elia
DCs get their Account Policy, and a couple of other security settings, from any GPO linked to the domain, not necessarily just the Default Domain Policy. If you have no domain-linked policy, then the DCs will just use the local policy they have by default, out of the box. A quick test with my

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-15 Thread Darren Mar-Elia
Enterprise Admin should be able to do this. You might want to double check the permissions on the GPO in the child domain you're trying to edit. Make sure EAs really do have write perms on that GPO. You should be able to view and change GPO perms by either looking at the Properties on the GPO in

RE: [ActiveDir] Group Policy

2004-03-15 Thread Darren Mar-Elia
:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, March 15, 2004 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy DCs get their Account Policy, and a couple of other security settings, from any GPO linked to the domain, not necessarily just the Default Domain Policy

RE: [ActiveDir] Group Policy

2004-03-15 Thread Darren Mar-Elia
Yea, that's the right way to do it Joe. Guy, I'm kinda surprised you actually saw that behavior. I was under the impression that password complexity was one of those account policies that was completely ignored by DCs unless it's linked to a domain policy. -Original Message- From:

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-16 Thread Darren Mar-Elia
.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, March 15, 2004 2:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Unable to modify GPO Policy Enterprise Admin should be able to do this. You might want to double check

RE: [ActiveDir] Upgrading W2K GPOs to XP GPOs (The KB Number would Help)

2004-03-17 Thread Darren Mar-Elia
Robert- I've seen this behavior too, and yes, manually adding the XP ADMs into a GPO is safe. However, because XP is supposed to support this automatically, you might want to check the following policy on your XP machine that you're using to edit those GPOs: User Configuration|Administrative

RE: [ActiveDir] Mirror OU structure to Test

2004-03-19 Thread Darren Mar-Elia
I'll add one more to the mix. Not sure it's much better than using a CSVDE dump, but the GPMC comes with two scripts that are designed to create a test domain that is a mirror of your production one. They are called: CreateXMLFromEnvironment.wsf (dump production) CreateEnvironmentFromXML.wsf

RE: [ActiveDir] Group Policy - Overview

2004-03-24 Thread Darren Mar-Elia
For everyone's reference, the spreadsheet of all ADM settings is here: http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, March 24, 2004

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Darren Mar-Elia
Agreed. Not much downside to this as long as you're not putting policies on these other GPOs that conflict with any set in the DDC policy. Even in that case, you just have to manage the conflicts. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Darren Mar-Elia
. Is this the expected behavior? If so, how could we accomplish this? TIA! Mike Thommes -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 12:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Linking other GPO objects to Domain

RE: [ActiveDir] Remote Desktop

2004-03-25 Thread Darren Mar-Elia
You can use this custom ADM to enable that little check box. I can't claim credit for it however. It was posted by a guy named Joe Elway from Ireland on the GPO forum I moderate. Pretty useful. ;;; CLASS MACHINE ;; ;;; CATEGORY

RE: [ActiveDir] Server Membership

2004-03-25 Thread Darren Mar-Elia
30 days is the default machine account password renewal interval--I believe--on Win2k and above. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Strand, Ted Sent: Thursday, March 25, 2004 8:45 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Server

RE: [ActiveDir] Remote Desktop

2004-03-25 Thread Darren Mar-Elia
to reverse.

RE: [ActiveDir] Domian VS Local

2004-03-26 Thread Darren Mar-Elia
Actually, if you want to set local user account expiration date, this isn't a policy option, but rather an attribute on the local SAM account. You can set it using a script like this:
Set usr = GetObject("WinNT://machinename/darren")
usr.AccountExpirationDate = "06/06/2005"
usr.SetInfo

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-27 Thread Darren Mar-Elia
behavior? If so, how could we accomplish this? TIA! Mike Thommes -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 12:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers Agreed. Not much

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-28 Thread Darren Mar-Elia
Of Darren Mar-Elia Sent: Sunday, March 28, 2004 12:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers Oh get over it Joe. Don't be such a weenie. Live life on the edge and use security group filtering on GPOs. It's good fun and good for you

RE: [ActiveDir] DEC Chatter - Was something else...

2004-03-28 Thread Darren Mar-Elia
That would be cool. If I'm not mistaken, I think NDS has allowed a similar capability for years in that you can cleave off parts of a tree and replicate it to those servers that need it most. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent:

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-30 Thread Darren Mar-Elia
to manage the domain from the Parent DC. It just does not work from my desk nor logging into the child DC. Could there be a communication problem, operations master, etc.??... I'm guessing here.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-30 Thread Darren Mar-Elia
/fwlink/events.asp. Hope this helps. Thanks, Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, March 30, 2004 3:06 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Unable to modify GPO Policy I think Tim has a good idea

RE: [ActiveDir] Testing other GPO's to DC's

2004-03-31 Thread Darren Mar-Elia
Yes, that's exactly it. Grant those specific DCs the Read and Apply Group Policy rights on the GPO. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala Sent: Wednesday, March 31, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Testing

RE: [ActiveDir] OT: Custom .ADM (Code Included)

2004-04-03 Thread Darren Mar-Elia
Michael- Anything is possible, so a DC reboot *might* help. A couple of questions. Where are you defining this policy? Is it on a GPO linked to someplace in AD or on the local GPO? If an AD-linked one, then have a look on the DC that the workstation is authenticating to (echo %logonserver% from

RE: [ActiveDir] AD Replication

2004-04-06 Thread Darren Mar-Elia
Chuck- Try granting the Replication Synchronization right on the domain object (domainDNS class) that you want the user to be able to replicate. Note that this provides the synchronization right for just that domain NC. You'll have to do the same thing to the schema and config objects to delegate
