Thank you all for your responses!
If I understand well:
My problem is not due to the Infrastructure Master...
You are right, Guido, the DC for titi.com is a GC and the DC for toto.titi.com is
not a GC.
To correct my problem and see the directReports attribute of usertoto correctly set
at
I made the DC of the domain toto.titi.com a GC and the directReports attribute of
usertiti has been immediately correctly set! Magic!!!
Thank you all for your help!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Solange
Desseignes
Sent: Friday 11
True, I typed without thinking (or rather reading closely...) I just saw PAS
and typed away a canned answer... I must go on a break and clear my
head g
/Jimmy
-
Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP -
Robert,
Yep, that is essentially a DR strategy, which does work. I'm looking for a
non DR-style method to do this as well.
Glenn
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Friday, 11 June 2004 1:21 AM
To: [EMAIL
Hunter,
Agreed, have looked into this, but am waiting for the full release of
virtual server before I start doing things like this in the prod
environment.
This will most likely be the go in the long run, and also affords some
really nice flexibility in the production environment with respect to
Title: [ActiveDir] OT: Sysprep and workstation images
Try setting a compliant password in the
image, and then putting Whatever has to go in the AdminPassword key to prompt
the user.
Yeah, that's the part that only -sorta- works. The password policy
in the image is only being enforced for
Thanks Guido.
I'll check out the IADsAccessControlEntry stuff.
At the moment we are setting up a replica of the prod environment (same
namespace), however the AD design (group layering structure, security) was
inherited from the previous owners, and doesn't *quite* fit our security
model. What
Sounds like the rebuild is a good thing, given the little angels' propensity
to do things they shouldn't.
The approach I'd take is to monitor the update sequence number on the Domain
Admins, Schema Admins, and Enterprise Admins groups. If the USN changes on
any of the groups, then you know that
VMWare has a couple of fully released products right now ;-)
You may have valid reasons for wanting to go with Microsoft's product,
though.
-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:04 AM
To: [EMAIL PROTECTED]
Subject: RE:
My users are inundated with spyware and adware, what are the ways you guys deal with
this?
do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?
It's hard for me to block access to web sites via an application firewall as we're a
liquor
Additionally, it would be helpful to know how they did what they did and
what account they used to do it. I can think of many ways it's possible,
but it would be good to know what avenue they are using. You should be able
to correlate the change of USN with the Event log entry (audit) of the
You can do a combination of your suggestions. We will change the IE zones
for problem users; so far that's worked OK for us. I'll lock down the
internet zone so nothing much will run at all.
We use Spybot and Ad-Aware to clean up when needed. You can also use
Websense (or maybe another filtering
I would like to be able to view the files contained within a
user's roaming profile but keep getting a permission denied
error. I have a Windows 2003 DC and testing on a Windows XP machine.
I have enabled
Computer Configuration\Administrative Templates\System\User Profiles\Add
the
I distributed AdAware (http://www.lavasoftusa.com/software/adaware/) and
made my users use it on a regular basis (once a week, at least)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, 11 June 2004 15:16
To: [EMAIL
can you distribute ad-aware and spybot via a gpo?
also, for internet zones, what are some good things to disable without losing too much
functionality.
should i disable all active x(is most adware activex and javascript?)?
thanks
-Original Message-
From: Manuel Santos [mailto:[EMAIL
I have SpyBot (http://www.safer-networking.org/) installed on all PC's and
it runs as part of the local machine's Friday night routine (A/V, SpyBot
etc.) using the AT / scheduler some .bat files.
If you don't have SpyBot installed already then I would just push out
whatever program you choose.
Another option would be to make the shift from IE to another browser
like Mozilla. Better pop-up stopper, too.
We've had issues with AdAware causing more problems than it cures.
Al
-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:16 AM
To:
There was an interesting article the other day :
http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci969259,00.html?track=NL-120ad=484520
Because of licensing issues we try to not let our users download adaware
etc
John
You can take ownership of those files and change the
permissions to include your account, as long as you don't remove the user's ACE
or the localSystem ACE, without affecting their behavior. The only caveat
here is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;327462
how would you go pushing out the kill bit .reg file for active x?
gpo? batch?
i would like to push this out silently with no user intervention or even knowledge if
possible.
thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 11:00 AM
In case no one has mentioned it, this solution works great:
http://www.mvps.org/winhelp2002/hosts.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manuel Santos
Sent: Friday, June 11, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Been using it for quite some time myself.
This, in conjunction with the SpyBot Resident has kept me free for
months
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Friday, June 11, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE:
We use spybot along with the resident program that came out in the 1.3
release. So far it's been pretty good. I was wondering, what did you do to
get it to run with the scheduler and bat files? I haven't been able to get
it to cooperate yet.
-Chris
-Original Message-
From: [EMAIL
SpybotSD.exe /AUTOCHECK /AUTOFIX /AUTOCLOSE is the command I run in the
scheduler file. It runs off of a local account. I am not sure if it would
work running as system or not though. If you use the advanced features of
SpybotSD there is a scheduler option under Settings/Scheduler that helps out
a
The only other idea I can think of is to create a
user account on the samba box with the exact same name / password as the user on
the windows box. Then use smbpasswd -a to grant them access to smb.
Sure there is a better way, but I can not think of
one at the moment.
- Original
You could probably put it into a gpo, might be a lot of work maintaining...
Probably a login script, using vbs or something...You can set them to run
silently in the GPO.
I was looking at the reg.exe command, doesn't seem to be a silent switch on
import.
I'm sure one of the scripters would
Thanks for the details, but I was hoping that Guido would provide some of the reasons
why Restricted Groups was a bad idea. Although, I would consider having all of the
Domain groups be locked out to not be a great idea.
-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Can anyone share an end-to-end
business process or a listing of security controls used to manage Kerberos
Delegation in Windows 2000 Advanced Server or Windows Server
2003?
Thanks,
-
Alan
Personally I like using VB for any registry manipulation, and I usually do
sneaky things (Read: things that keep the users from doing what they
shouldn't be doing anyways) at log off or shutdown through GPO. Just my
$.02
Thanks,
Raymond
-Original Message-
From: [EMAIL PROTECTED]
So you are saying that liquor leads to porn and gambling?
- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:16 AM
Subject: [ActiveDir] spyware(OT)
My users are inundated with spyware and adware, what are the ways you guys
deal
It always has for me :-)
I'm kidding. No Really.
mc
-Original Message-
From: Doug Hampshire [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 4:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)
So you are saying that liquor leads to porn and gambling?
- Original
always. isn't that the point?
-Original Message-
From: Doug Hampshire [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 4:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)
So you are saying that liquor leads to porn and gambling?
- Original Message -
From:
glad you got it working - how I love this magic, although at times it is difficult to
explain to folks how certain things in AD really work...
now all that's left to do is to rename those domains ;-))
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Don't know about the rest of the list server folks. But I'm all for a
field trip to test out that theory.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, June 11, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Anyone using MS ADS? I've run into an odd issue...
I'm trying to PXE-boot a Dell dimension into the deployment agent. When it
gets to loading Ramdisk image it seems to load it but then tosses a
windows could not start because the following file is missing or corrupt
windows
(All servers
running Windows 2003 Standard. Domain/forest functional levels all set to
Windows 2003.)
I have a two-level
domain structure, like this:
DOMAIN
- DOMAIN-CHILD1
-
DOMAIN-CHILD2
My SQL Server lives
in DOMAIN, and i'm trying to add the machine account for a machine in
Title: Re: [ActiveDir] OT: Samba guest access?
I can put it in the lab on Tuesday and probably have you an answer by that afternoon. I just need a little time.
From: Kirk Marple [EMAIL PROTECTED]
Organization: Agnostic Media, Inc.
Reply-To: [EMAIL PROTECTED]
Date: Fri, 11 Jun 2004 09:30:28
There was a thread about this on another forum. Some guy figured out how to
do this and run scheduled scans without user intervention. It was one of the
security forums, securityfocus, perhaps. One thing I have noticed, at least
for me, is SpyBot hasn't released any updates for a while now, a
Why not create a group and modify the default rights to it (allow
interactive logon and the like) then set as the default group for the people
in question. I have done this for questionable users in the past with
decent results.
Thanks,
Raymond
-Original Message-
From: [EMAIL
Late to the Party, as usual. Better late than never, uh?
Someone asked this same question on this list about a month or so ago and I responded that I would post some code snippets of how I do this in some of my environments. I never really got around to contacting that person.
I have a demo