RE: [ActiveDir] Global Catalogs and the Infrastructure Master

2004-03-30 Thread Grillenmeier, Guido
yes, this causes no issues, as the GCs contain all the cross-domain links that the IM would update on DCs and thus the IM has absolutely nothing to do. I've also only had good experiences with it. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donald Bauer Sent:

RE: [ActiveDir] Windows 2003 and Windows 98 issue

2004-03-31 Thread Grillenmeier, Guido
also disable the "Domain Member: Digitally encrypt or sign secure channel data (always)" security option in the Default Domain Controller policy however, don't forget to re-enable this after you've upgraded all your Win98 clients /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] AD Query

2004-03-31 Thread Grillenmeier, Guido
dsquery (comes with 2k3, but also works fine on 2000) get OU from DN of user objects get groups from memberOf attribute (will not be complete in multi-domain forests, but maybe good enough for what you need) /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL

RE: [ActiveDir] Testing other GPO's to DC's

2004-03-31 Thread Grillenmeier, Guido
or create a sub-OU underneath the Domain Controllers OU which you link the GPO to. then put those DCs into the sub-OU. not only good for testing purposes... /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, 31 March

RE: [ActiveDir] MS Audit Collection Service?

2004-04-09 Thread Grillenmeier, Guido
MACS runs pretty well and rather independent of MOM itself though. That should be made clear as well. Not that folks think it's useless unless you invest in MOM. You can use many other platforms to add reporting and alerting capabilities to MACS as the MACS server has full subscriber API

RE: [ActiveDir] using dsacls.exe

2004-04-09 Thread Grillenmeier, Guido
Hey Ulf - I see you got home from the summit safely ;-) In your AD newsgroup post which you referenced below you answered the following question Is there a comprehensive reference that identifies each permission required to perform a task ? Giving a user the "AddUser" permission is not

RE: [ActiveDir] Unable to see users group membership in trusted domain

2004-04-09 Thread Grillenmeier, Guido
works as designed. Especially if you're using Domain Local Groups (DLG). But in 2003 you cannot even see the UG memberships of other domains in ADUC. This will likely be fixed in SP1 as only GCs would have the potential to show UG memberships from other domains anyways (a filter was added in

RE: [ActiveDir] AD Consultants

2004-04-09 Thread Grillenmeier, Guido
just want to mention, that other companies do AD consulting as well ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Tuesday, 6 April 2004 15:35 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Consultants I highly recommend Dean as

RE: [ActiveDir] using dsacls.exe

2004-04-10 Thread Grillenmeier, Guido
would have been nice for me as well to be around with you longer - it was definitely good to put some faces to some of the other names. But you guys must have already been on the bus while I was still chatting with some MS folks. And I'm sure you kept on beating on UGs even if it wasn't the

RE: [ActiveDir] Unable to see users group membership in trusted domain

2004-04-10 Thread Grillenmeier, Guido
through all the parent domain groups? And BTW, copying a user no longer copies the parent domain group memberships - argh! Ole Thomsen -Original Message- From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] Sent: Friday, April 09, 2004 7:49 PM To: [EMAIL PROTECTED] Subject: RE

RE: [ActiveDir] AD Consultants

2004-04-10 Thread Grillenmeier, Guido
that was actually pretty convincing Joe. And I have to say, I pretty much agree with you. It's probably my own position that doesn't allow me to speak up the same way. May be a personal thing too. And I do like Canon digital cameras ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] Photos in Active Directory

2004-04-13 Thread Grillenmeier, Guido
://www.cafeshops.com/joewarenet  (wear joeware) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, April 09, 2004 1:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Photos in Active Directory WARNING: let's look

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido
domain admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group. a solution to your problem is to use the restricted groups GPO feature (which will not work

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido
won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify? not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
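An added configuration example, not taken from either message above or from any Microsoft template: the two Restricted Groups syntaxes as they are stored in a GPO's security template (MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf under the policy's SYSVOL folder). The domain SID S-1-5-21-1-2-3 and the RID 1105 are placeholders for a real domain SID and a real group; S-1-5-32-544 is BUILTIN\Administrators.

```ini
; Added example, not part of the thread. S-1-5-21-1-2-3 is a placeholder
; domain SID; RID 1105 a placeholder group. S-1-5-32-544 = BUILTIN\Administrators.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Form 1, "Members of this group": the list on the right REPLACES the current
; membership of the local Administrators group at every policy refresh.
; Any member not listed (a local service account, a per-server admin) is
; removed; this is the behaviour the question above worries about.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1-2-3-512,*S-1-5-21-1-2-3-500

; Form 2, "This group is a member of" (Win2000 SP4, Win2003 and later): the
; group on the left is ADDED to the groups on the right; whatever else is in
; Administrators stays. This is the additive form for an enterprise-wide group.
*S-1-5-21-1-2-3-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1-2-3-1105__Members =
```

Both forms are processed by the Security Configuration client extension on every refresh, so a test in a lab OU first is cheap insurance; and as Guido notes later on this page, this is for member servers and clients, not for the domain's own groups.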

RE: [ActiveDir] AD Sites and SYSVOL

2004-04-19 Thread Grillenmeier, Guido
actually, the SYSVOL folder is "just another" share redirected via DFS (which also allows the folder to be replicated via FRS...). I've never really thought about it, but Jorge's comment makes sense, as in a Win2k DFS hierarchy the client will receive a list of link-targets

RE: [ActiveDir] AD Management and monitoring

2004-04-21 Thread Grillenmeier, Guido
of course I'm biased, but I'd also compare OpenView for Windows with the AD SPI to the rest - it's pretty powerful and has some awesome features (such as the 3D-View of the AD topology etc.) You'll like this whitepaper, which is generally rather useful to understand what you need to monitor

RE: [ActiveDir] enterprise-wide accounts

2004-04-21 Thread Grillenmeier, Guido
ou tell??) J Thanks for your help on this issue! mc -Original Message- From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 5:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts domain admins is a global group and as such you can't

RE: [ActiveDir] how to identify the servers (Domain Controllers) using File Replication service - - - And how to enable/disable FRS service on these servers

2004-05-10 Thread Grillenmeier, Guido
can you add, roughly WHY you want to do this? FRS is enabled on ALL DCs in an AD forest, and that's the way it should be as SYSVOL replication uses FRS. FRS is one of those special services, that you don't want to screw around with (such as turning off, make a lot of file-system changes,

RE: [ActiveDir] AD Query Question

2004-05-07 Thread Grillenmeier, Guido
retrieve the memberOf attribute of the users - if multi-domain forest, use a GC to also catch UGs. If you want the complete picture, you'll have to run the query against all domains to also catch local group memberships. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
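The two "AD Query" answers above (dsquery/memberOf, and memberOf via a GC plus a query per domain for local groups) as one added example; this is not code from either post. It assumes the ActiveDirectory PowerShell module (RSAT) and discovers the GC and the domain list at runtime, so no names are hard-coded.

```powershell
# Added example, not code from the posts. Needs the ActiveDirectory module
# (RSAT); GC and domain names are discovered, nothing is hard-coded.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value, so a
    # DN or name containing ( ) * \ cannot break or widen the query.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ForestGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $forest = Get-ADForest
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
          Select-Object -First 1

    # 1) memberOf as a GC (LDAP port 3268) sees it: global and universal
    #    groups from the whole forest, but not the domain local groups of
    #    other domains, because the GC only holds partial replicas of them.
    $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $users = @(Get-ADUser -LDAPFilter $filter -Server "${gc}:3268" `
                          -Properties memberOf, primaryGroupID)
    if ($users.Count -eq 0) { throw "'$SamAccountName' not found via GC $gc" }
    if ($users.Count -gt 1) { throw "'$SamAccountName' exists in more than one domain; use the DN" }
    $user = $users[0]

    $groups = @{}
    foreach ($dn in $user.memberOf) { $groups[$dn] = 'memberOf via GC' }

    # 2) The primary group is never part of memberOf; it is stored as a RID.
    $pgSid = "$($user.SID.AccountDomainSid)-$($user.primaryGroupID)"
    $pg = Get-ADGroup -Identity $pgSid -Server "${gc}:3268"
    $groups[$pg.DistinguishedName] = 'primaryGroupID'

    # 3) Domain local groups exist only in their own domain's naming context,
    #    so ask a DC of every domain for groups that list this user's DN as a
    #    member (cross-domain members are stored as DNs, so this matches too).
    $dnValue = ConvertTo-LdapFilterValue $user.DistinguishedName
    foreach ($dom in $forest.Domains) {
        Get-ADGroup -LDAPFilter "(member=$dnValue)" -Server $dom |
            ForEach-Object {
                if (-not $groups.ContainsKey($_.DistinguishedName)) {
                    $groups[$_.DistinguishedName] = "member attribute, DC of $dom"
                }
            }
    }

    $groups.GetEnumerator() | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ Group = $_.Name; FoundVia = $_.Value }
    }
}

# Usage: Get-ForestGroupMembership -SamAccountName jdoe | Format-Table -AutoSize
```

Step 3 returns direct membership only. For the transitive picture within each domain (on Win2003 SP2 or later DCs) replace the filter with the in-chain matching rule, `(member:1.2.840.113556.1.4.1941:=<DN>)`; nesting that crosses a domain boundary still has to be walked by hand, because a DC only holds the member attribute of its own domain's groups.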

RE: [ActiveDir] Replication issues

2004-04-30 Thread Grillenmeier, Guido
as Joe already wrote, there is a difference between "out of band" and "urgent" replication. any DC that you use to set a PW for a user also applies this change "out of band" to the PDCE of the domain = this is NOT urgent replication. It is referred to as immediate replication,

RE: [ActiveDir] Replication issues

2004-05-01 Thread Grillenmeier, Guido
as Joe already wrote, there is a difference between "out of band" and "urgent" replication. any DC that you use to set a PW for a user also applies this change "out of band" to the PDCE of the domain = this is NOT urgent replication. It is referred to as immediate replication,

FW: [ActiveDir] Replication issues

2004-05-03 Thread Grillenmeier, Guido
reposting this again, as I still can't see it on the list... From: Grillenmeier, Guido Sent: Saturday, 1 May 2004 10:20 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Replication issues as Joe already wrote, there is a difference between "out of band" and "urge

RE: [ActiveDir] [OT] Replication issues

2004-05-03 Thread Grillenmeier, Guido
om: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, May 03, 2004 8:17 AM To: [EMAIL PROTECTED] Subject: FW: [ActiveDir] Replication issues reposting this again, as I still can't see it on the list... From: Grillenmeier, Guido Sent: Saturday, 1 May 20

RE: [ActiveDir] HELP I just deleted an OU

2004-05-03 Thread Grillenmeier, Guido
yes, the basic restores in 2003 work the same way as in 2000, however, depending on your forest-functional level and number of domains in your environment you'll have additional tasks IF you run at Win2003 forest functional level AND IF this is NOT a forest that was upgraded from Win2000

RE: [ActiveDir] HELP I just deleted an OU

2004-05-03 Thread Grillenmeier, Guido
thanks for the pointer Eric - this article was long overdue, but at least it's available now and it contains most of the information required to be prepared for a successful recovery. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, 3 May 2004

RE: [ActiveDir] [OT] Cats dogs (was A root dc question)

2004-05-16 Thread Grillenmeier, Guido
what's the problem Joe? even Cats could be members of Universal Groups ;-) /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, 16 May 2004 16:06 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [OT] Cats dogs (was A root dc

RE: [ActiveDir] FOREST MIGRATION

2004-05-16 Thread Grillenmeier, Guido
going from one AD domain to a new forest requires the same approach, as migrating from an NT4 domain. Depending on the complexity of your environment, the free MS ADMT tool can do this for you (but will only migrate security principals, i.e. users, groups, computers). If you want to migrate

RE: [ActiveDir] FOREST MIGRATION

2004-05-16 Thread Grillenmeier, Guido
with the admt? thanks again. -Original Message- From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] Sent: Sunday, May 16, 2004 4:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FOREST MIGRATION going from one AD domain to a new forest requires the same approach, as migrating from an NT4

RE: [ActiveDir] ms04-011

2004-05-19 Thread Grillenmeier, Guido
what's the primary suffix of your clients? and how are the search suffixes configured? or WINS? also, did you not only check that your service records in DNS exist, but that they're also registered by the right machines? It's potentially possible, that other non-DC clients could have

RE: [ActiveDir] win98

2004-05-19 Thread Grillenmeier, Guido
what's the DNS config of this client? don't remember if Win98 has nslookup, but from a different client that has, you should run nslookup %DNSname_of_domain% = should get back a list of your DCs for that domain - do you? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] User modifiable attributes

2004-05-19 Thread Grillenmeier, Guido
another option is to adjust the default property sets, which can be done in 2003 (but not in 2000) - this will even allow to change the effective permissions instantaneously on all objects ACLed with this property set without any re-acling on the

RE: AW: [ActiveDir] hidding users

2004-05-21 Thread Grillenmeier, Guido
list mode won't help you for hiding a specific link from a group's membership list. You'll also have to worry about many other permissions to use list-mode effectively. E.g. Authenticated Users by default has explicit Read-Permissions on every OU and on every object contained within. So denying

RE: [ActiveDir] 5.5 to 2K migration and A.D.

2004-05-21 Thread Grillenmeier, Guido
I'll take a quick shot at this - see inline /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefano Crivellaro Sent: Friday, 21 May 2004 09:08 To: [EMAIL PROTECTED] Subject: [ActiveDir] 5.5 to 2K migration and A.D. Hi all I have read a lot of documentation on

RE: [ActiveDir] Discontinue Mail Membership

2004-05-21 Thread Grillenmeier, Guido
that's spelled FEMAIL ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Thursday, 20 May 2004 15:25 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Discontinue Mail Membership Please continue FEMALE membership J From: [EMAIL PROTECTED]

RE: [ActiveDir] how many domain controllers ?

2004-05-21 Thread Grillenmeier, Guido
as few as possible just roughly: depending on how you define small, medium, large, this would translate to none for small, 1 for medium and usually no more than 2-3 for large (mainly depends on other services using the DCs/GCs, such as Exchange). -Original Message- From: [EMAIL

RE: [ActiveDir] Domain Controller Security...

2004-05-22 Thread Grillenmeier, Guido
what's the size of these 4 locations? and their network connectivity to the next larger location that has a DC? the locations may be large enough to absolutely require a file/print server - but they could very well be fine without placing a DC in the location and you'd still find authentication

RE: [ActiveDir] OT, How to change wording on screen when computer is locked

2004-05-22 Thread Grillenmeier, Guido
it's called Resource Hacker (reshacker.exe) and is available at: http://www.users.on.net/johnson/resourcehacker/ Quite nice - I've also used it - but only for lab-purposes to easily distinguish machines at logon time. However, we've moved to bginfo from sysinternals, which is obviously much

RE: [ActiveDir] Discontinue Mail Membership

2004-05-22 Thread Grillenmeier, Guido
aren't those the rules that apply to post to this list? ;-)) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Friday, 21 May 2004 15:32 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Discontinue Mail Membership I like the etiquette rules,

RE: [ActiveDir] Password set and enable account

2004-05-24 Thread Grillenmeier, Guido
here's a sample batch that should help you get started /Guido
set inputfile=%1
if '%inputfile%'=='' goto ErrInput
set logfile=.\%inputfile%_log.txt
echo.
echo Updating password settings for user listed in: %inputfile%
echo Logfile: %logfile%
echo.
echo. >> %logfile%
echo
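The same job (read a list of accounts, set a password, enable the account, log the outcome) as an added PowerShell example; this is not Guido's batch file and does not continue it. It assumes the ActiveDirectory module (RSAT) and an input file with one sAMAccountName per line; passwords are generated here, not read from the file, and they are written to the pipeline only, never to the log.

```powershell
# Added example, not the batch file from the post. Assumes the ActiveDirectory
# module (RSAT) and a text file with one sAMAccountName per line.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)
    # 64 symbols (I, O, l, 0 and 1 left out): 256 mod 64 = 0, so mapping a
    # random byte with modulo introduces no bias towards any character.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Set-PasswordFromList {
    param(
        [Parameter(Mandatory)][string]$InputFile,
        [string]$LogFile = ".\$([IO.Path]::GetFileName($InputFile))_log.txt",
        [switch]$MustChangeAtNextLogon
    )
    if (-not (Test-Path -Path $InputFile)) { throw "Input file not found: $InputFile" }
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) start, input $InputFile"

    Get-Content -Path $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
    ForEach-Object {
        $sam = $_
        try {
            $plain  = New-RandomPassword
            $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
            # Order matters: set the new password BEFORE enabling, so the account
            # is never reachable with whatever old password it still carries.
            Set-ADAccountPassword -Identity $sam -NewPassword $secure -Reset -ErrorAction Stop
            if ($MustChangeAtNextLogon) {
                Set-ADUser -Identity $sam -ChangePasswordAtLogon $true -ErrorAction Stop
            }
            Enable-ADAccount -Identity $sam -ErrorAction Stop
            Add-Content -Path $LogFile -Value "$(Get-Date -Format s) OK   $sam"
            # The password goes to the pipeline only, never into the log file.
            [pscustomobject]@{ User = $sam; Password = $plain; Status = 'OK' }
        } catch {
            Add-Content -Path $LogFile -Value "$(Get-Date -Format s) FAIL $sam : $($_.Exception.Message)"
            [pscustomobject]@{ User = $sam; Password = $null; Status = 'FAIL' }
        }
    }
}

# Usage with a constructed input file:
#   'jdoe', 'asmith' | Set-Content .\users.txt
#   Set-PasswordFromList -InputFile .\users.txt -MustChangeAtNextLogon
```

Pipe the output into whatever hands the initial passwords to the users; the log file only records which accounts succeeded or failed and why, which is what you want sitting on a file share afterwards.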

RE: [ActiveDir] MACS

2004-05-29 Thread Grillenmeier, Guido
That was the impression I got too, when looking through the ACS slides (wasn't at the session either): here's what it says on some slides * ACS will ship with MOM management pack * ACS is a Windows platform technology- not a complete solution * ACS is specifically focused on security event

RE: [ActiveDir] Username and Password

2004-05-31 Thread Grillenmeier, Guido
you've not been particularly verbose on your infrastructure setup: - do the two forests (or domains within) trust each other? - what do you use for backing up? /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pyron Sent: Sunday, 30 May 2004 10:48

RE: [ActiveDir] Logging access to windows folders

2004-06-01 Thread Grillenmeier, Guido
auditing -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marco Scalas Sent: Tuesday, 1 June 2004 10:17 To: [EMAIL PROTECTED] Subject: [ActiveDir] Logging access to windows folders Hi everybody, Is there any way to log accesses to a specific

RE: [ActiveDir] Protecting Domain Data in Forest

2004-06-01 Thread Grillenmeier, Guido
this is not what firewalls are for = someone needs to manage the FW as well... - who's this going to be? Typically the same admins that you want to protect the data from... And since the server is in a domain, they can still do everything they need on the server via GPOs...

RE: [ActiveDir] SRV Record registration by Non-DC's

2004-06-03 Thread Grillenmeier, Guido
yep, this is related to the installation of MS04-011 on XP clients - you shouldn't see this bug on other machines. I had mentioned it before when I reported of a related issue, where MS04-011 causes Win2000 DCs to FAIL registration of certain SRV records. have a look at
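Three messages on this page (the ms04-011 thread, the win98 thread and the one above) come down to the same check: do the DC locator SRV records exist, and do they all point at real DCs? Here is that check as an added example, not code from any of the posts. It assumes the ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 or later), and the domain name defaults to the one the session is joined to.

```powershell
# Added example, not part of the posts. Needs the ActiveDirectory and
# DnsClient modules; the domain defaults to the current machine's domain.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-DcSrvRecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Authoritative list: the DC objects the directory itself knows about.
    $dcs = @{}
    Get-ADDomainController -Filter * -Server $Domain |
        ForEach-Object { $dcs[$_.HostName.ToLower()] = $_ }

    # The records the DC locator on a 2000/XP or later client actually follows.
    $forestRoot = (Get-ADForest).RootDomain
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain"
        "_kerberos._tcp.dc._msdcs.$Domain"
        "_ldap._tcp.$Domain"
        "_kerberos._tcp.$Domain"
        "_kpasswd._tcp.$Domain"
        "_ldap._tcp.gc._msdcs.$forestRoot"
    )

    foreach ($name in $names) {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            [pscustomobject]@{ Record = $name; Target = ''; Port = ''; Status = 'MISSING' }
            continue
        }
        foreach ($r in $srv) {
            $target = $r.NameTarget.TrimEnd('.').ToLower()
            $status = if (-not $dcs.ContainsKey($target)) {
                # Not a DC object at all: some other host registered the record
                # (the MS04-011 XP symptom) or a stale entry was never scavenged.
                'NOT A DC'
            } elseif ($name -like '*gc._msdcs*' -and -not $dcs[$target].IsGlobalCatalog) {
                'DC BUT NOT A GC'
            } else { 'OK' }
            [pscustomobject]@{ Record = $name; Target = $target; Port = $r.Port; Status = $status }
        }
    }
}

# Usage: Test-DcSrvRecords | Where-Object Status -ne 'OK'
```

A record that shows up as NOT A DC is worth following into the DNS zone's own data (the ACL and owner of the record object, which the "Identify STATIC records" message further down covers) to see which account registered it before deleting it.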

[ActiveDir] AD in NATed environments

2004-06-05 Thread Grillenmeier, Guido
last time I looked at replication of DCs in a NATed network, I was rather disappointed - basically this was a no-no. Simply due to name-resolution of the DCs (i.e. the IP-Address of a DC on one side of the NAT is not what it should be on the other side of the NAT etc.). wondering how

RE: [ActiveDir] AD in NATed environments

2004-06-06 Thread Grillenmeier, Guido
thanks for your input Willem - yes, I was also thinking about something like VPN, but maybe in a dual-homed manner = one of the legs for replication between DCs across NATed sites, another one for authentication in the respective site... There's no way I can change all resources in the

RE: [ActiveDir] Identify STATIC records in AD DNS

2004-06-08 Thread Grillenmeier, Guido
usually static records also have different ACLs - i.e. records that were registered by machineX have an ACL which grant machineX write privs to the respective DNS AD object. note that by default in Win2000 a static record added to DNS by an administrator was granting Authenticated Users
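The ACL-based distinction Guido describes, as an added example (not code from the post): for an AD-integrated zone, list each record with its aging timestamp (empty for a static record) and the owner of the underlying dnsNode object (a machine account for a dynamically registered record, an admin or admin group for one typed in by hand). It assumes the DnsServer and ActiveDirectory modules (RSAT) and takes the zone name as a parameter; the DNS server defaults to a discovered DC.

```powershell
# Added example, not from the post. Needs the DnsServer and ActiveDirectory
# modules (RSAT). AD-integrated zones only: file-backed zones have no per-record ACL.
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-DnsRecordOrigin {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1)
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
    if (-not $zone.IsDsIntegrated) { throw "$ZoneName is not AD-integrated; no per-record ACLs" }

    # dnsNode objects live in one of three containers depending on the zone's
    # replication scope; build the DN of the zone's container accordingly.
    $domainDn = (Get-ADDomain).DistinguishedName
    $forestDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
    $container = switch ($zone.ReplicationScope) {
        'Domain' { "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" }
        'Forest' { "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn" }
        'Legacy' { "CN=MicrosoftDNS,CN=System,$domainDn" }   # Win2000-style storage
        default  { throw "Custom partition ($($zone.DirectoryPartitionName)): build the DN by hand" }
    }

    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer |
        Where-Object { $_.RecordType -in 'A', 'AAAA', 'CNAME', 'SRV' } |
        ForEach-Object {
            $nodeDn = "DC=$($_.HostName),DC=$ZoneName,$container"
            $acl = Get-Acl -Path "AD:\$nodeDn" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name      = $_.HostName
                Type      = $_.RecordType
                Timestamp = $_.Timestamp        # empty: not subject to aging, i.e. static
                Owner     = $acl.Owner          # HOST$ account: registered dynamically
                Static    = ($null -eq $_.Timestamp)
            }
        }
}

# Usage: Get-DnsRecordOrigin -ZoneName corp.example | Where-Object Static | Format-Table
```

Static records whose owner is a machine account, or dynamic ones owned by a person, are the rows to look at: both mean somebody changed a record by a path other than the one the ACL was meant to allow. One dnsNode holds every record of that name, so A and AAAA entries for the same host share one owner and one ACL.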

RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Grillenmeier, Guido
you have different options when you're trying to implement the exact same namespace in a physically separated lab, or when you want to integrate your lab into the production network, choosing a different domain name. For the first option you can go the clone DC or grab DC method as described in

RE: [ActiveDir] Security

2004-06-10 Thread Grillenmeier, Guido
don't use the Restricted Groups feature on domain groups, especially domain admins. This has caused various issues for companies and thus they've backed away from this approach. However, using restricted groups on member servers and clients works well. \Guido -Original Message- From:

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
first of all, if titi.com and toto.titi.com are real names, then I'd switch jobs - this would drive me crazy ;-) Rgd. adding the directReports to the PAS: that would be nice, but isn't possible for the backlinks of linked attribute-pairs - this is the case here for the directReports attribute =

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
you may not be using a GC query, but the directReports backlink is still read from the same linktable on a DC when it is also a GC. in your scenario, the DC used to lookup the titi.com user must have been a GC and the other one a normal DC. This has nothing to do with the domain hierarchy.

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
Tony, as just mentioned in my other post, this is not an IM topic, as this is about visibility of backlinks (which are not influenced by the IM). Backlinks are only visible on DCs, which host the naming context of the object with the forward link (i.e. for directReports this would be those,

RE: [ActiveDir] Preventing a DC from authenticating users

2004-06-10 Thread Grillenmeier, Guido
if your test clients are all win2k/xp, you could also use the NT4emulator registry key on the server to prevent the machine from accepting the Kerberos auth. protocol = win2k/xp clients will search for other DCs that allow kerb.auth. (check MS Q298713) initially the key was added to prevent the

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-11 Thread Grillenmeier, Guido
make the DC for toto.titi.com a GC. Right ? Solange Desseignes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, 11 June 2004 00:57 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Replication of linked attributes between

RE: [ActiveDir] LogonServer

2004-06-14 Thread Grillenmeier, Guido
In a site called Pune we have 2 domain controllers which are physically located in 2 different buildings connected by 8mbps line. that's your problem = DCs in the same site will be treated the same - and if both buildings are in the same subnet, then there's not much that you can do about it (you

RE: [ActiveDir] LogonServer

2004-06-14 Thread Grillenmeier, Guido
are in different subnet and I really don't want to change any property of other sites. Is there anything I can change in PUNE site ? -dinesh -Original Message- From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] Sent: Monday, June 14, 2004 12:42 PM To: [EMAIL PROTECTED] Subject: RE

RE: [ActiveDir] SID question

2004-06-14 Thread Grillenmeier, Guido
how about first _MOVING_ the accounts from the child domain to the root domain (can be done via ADMT or the movetree command) - then update these from your LDAP source afterwards. = user will keep GUID and UG/DLG memberships and will be dropped from GGs = user will keep same

RE: [ActiveDir] Replication problem related to large groups.

2004-06-15 Thread Grillenmeier, Guido
not bad, especially since AD prior to 2003 (at 2003 forest functional level, which activates LVR - link value replication) only supports roughly 5.000 members to a group, due to these version store limitations... I doubt you can increase the storage for the version store, but an intermins

RE: [ActiveDir] When a domain is Switch to Native Mode... what event Event ID is logged and where?

2004-06-16 Thread Grillenmeier, Guido
Todd, you'll find out when you switch your domains ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Wednesday, 16 June 2004 20:36 To: [EMAIL PROTECTED] Subject: [ActiveDir] When a domain is Switch to Native Mode... what

RE: [ActiveDir] User Icons

2004-06-21 Thread Grillenmeier, Guido
this can also be a phantom object from a foreign domain in a domain local group or UG on a DC (not a GC), which has changed its name in the original domain, but wasn't yet updated in the domain by the infrastructure master. or it could just be a very old user account ;-)) -Original

RE: [ActiveDir] Moving FSMO RH to another site

2004-06-22 Thread Grillenmeier, Guido
there's no problem moving the FSMO roles to your DC in A in a working environment - no need to move the hardware, unless you have other requirements to do so. you can easily move the roles via NTDSutil or via various UIs (ADUC, AD Domains and Trusts, Schema Manager) if you prefer. _should_

RE: [ActiveDir] AD Monthly E-Mail Newletter?

2004-06-22 Thread Grillenmeier, Guido
hey Robbie - you're still alive! Good to read you ;-) nice blog - cheers, Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen Sent: Tuesday, 22 June 2004 18:56 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Monthly E-Mail Newletter?

RE: [ActiveDir] Windows 9x Clients

2004-06-25 Thread Grillenmeier, Guido
domain mode (mixed or native) has nothing to do with it. This is often confused: the domain mode (or in 2003: domain and forest functional level) only determine, which type of DCs are allowed to be used in a domain - this then determines the features available in the domain (e.g. an NT4 DC cannot

RE: [ActiveDir] Enterprise Admin members

2004-06-25 Thread Grillenmeier, Guido
some more 5. trigger replication of config/schema partition between DCs of different domains 6. trigger replication of domain partition to GCs of other domains 7. manage replication topology at the forest level 8. create child domains 9. add any new objects to the config container (e.g. for

RE: [ActiveDir] How to change the computer name of a Domain contr oller

2004-06-27 Thread Grillenmeier, Guido
there is an important difference between 2000 and 2003: true, in 2000 de-moting, renaming and then re-promoting the DC was the only way to change the hostname of the DC (lengthy and bandwidth intensive procedure requiring 3 reboots). But in 2003 (once your DOMAIN is at 2003

RE: [ActiveDir] Outlook 2003 attachment blocking

2004-06-28 Thread Grillenmeier, Guido
you might appreciate this little Outlook Attachment Options tool: http://www.pcworld.co.nz/PCWorld/fileworld.nsf/0/1FEB65E47ADDAF37CC256DFE0078B067?OpenDocument /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Sent: Monday, 28 June 2004 06:59 To: [EMAIL

RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread Grillenmeier, Guido
Only 5 user accounts exist and these have full admin rights. These accounts are required to start the SAP applications and are contained within the SAP app. for its built in security. why in the world would you want to setup a separate domain to manage a different PW policy for your 5

RE: [ActiveDir] Authoritative Restores

2004-07-09 Thread Grillenmeier, Guido
nope that's wrong - it is absolutely no problem to do an Auth Restore of an object, without first doing a non-auth restore (e.g. from tape). the challenge is to have a valid object in the database you're trying to do the auth restore against... - i.e. you'll need to be sure, that the respective

RE: [ActiveDir] Authoritative Restores

2004-07-09 Thread Grillenmeier, Guido
I didn't yet do a comprehensive check against every possible attribute, however I do know that you can't include back-linked attributes in the tombstone (e.g. memberOf). This mainly causes issues for multi-domain environments and even single-domain, if Win2000 AD. Likely there are also some

RE: [ActiveDir] Exporting Workstation Information

2004-07-09 Thread Grillenmeier, Guido
What specifically? e.g. the capability to update existing objects in AD... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, 9 July 2004 04:42 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exporting Workstation Information

RE: [ActiveDir] 2003 DC Promo Question....

2004-07-09 Thread Grillenmeier, Guido
I can confirm that you have to transfer the role manually - 2003 won't try to do this by itself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, 9 July 2004 16:32 To: Send - AD mailing list Subject: RE: [ActiveDir] 2003 DC Promo

RE: [ActiveDir] 2003 DC Promo Question....

2004-07-12 Thread Grillenmeier, Guido
now as I had it in my mind it was a possibility. Now it seems it isn't so what happened? joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, July 09, 2004 5:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] 2003 DC

RE: [ActiveDir] 2000 to 2003 Migrations

2004-07-13 Thread Grillenmeier, Guido
unless you really have a badly designed or misbehaving Win2k AD today, there is no reason for you to go through a migration with all the hassles involved (the hassles are worth it for consolidation and other reasons, but not to go from 2000 to 2003). So stick to an inplace upgrade and check out

RE: [ActiveDir] Redirecting Comps

2004-07-13 Thread Grillenmeier, Guido
as far as I know, you have to be at 2003 domain functional level (native domain), since 2000 (or even NT4) DCs wouldn't know how to handle the redirection. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, 11 July 2004

RE: [ActiveDir] User changing account properties

2004-07-14 Thread Grillenmeier, Guido
if this is normal or not really depends on the security you've set in your AD or on the objects. With the default permissions this doesn't work (i.e. would it not be normal), since a normal user can only edit specific attributes on his own account object (everything that's granted to be writable

RE: [ActiveDir] 2000 to 2003 Migrations

2004-07-14 Thread Grillenmeier, Guido
that tells me what items are using old OS configurations versus new configurations and what I would have to do to correct them to the new configurations. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, July 13, 2004 8

RE: [ActiveDir] Weird KB article

2004-07-14 Thread Grillenmeier, Guido
maybe it's useful when you have problems with creating new users in either a child domain or its parent domain ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 July 2004 22:38 To: '[EMAIL PROTECTED]' Subject:

RE: [ActiveDir] Renaming the Administrator account

2004-07-21 Thread Grillenmeier, Guido
there's no issue renaming it - in 2003 you can actually disable it to make the environment more secure (but caution - this is the only account that doesn't get locked when you have configured a lockout threshold in your PW policy) /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
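The practical consequence of the message above, as an added example (not code from the post): because a rename changes the name but never the SID, the built-in account is always reachable as RID 500 of the domain SID, by you and by anyone guessing passwords against it. This function assumes the ActiveDirectory module (RSAT) and reports, per domain, what the account is called today, whether it is enabled, and how that sits against the lockout threshold.

```powershell
# Added example, not part of Guido's message. Assumes the ActiveDirectory
# module (RSAT); the domain defaults to the one the session is joined to.
Import-Module ActiveDirectory

function Get-BuiltinAdministratorStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain

    # Renaming changes sAMAccountName, never the SID: RID 500 finds the
    # account whatever it is called today, which is also what an attacker does.
    $admin = Get-ADUser -Identity "$($d.DomainSID)-500" -Server $Domain `
                -Properties Enabled, PasswordLastSet, LastLogonDate, badPwdCount
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    [pscustomobject]@{
        Domain           = $Domain
        CurrentName      = $admin.SamAccountName
        Enabled          = $admin.Enabled
        PasswordLastSet  = $admin.PasswordLastSet
        LastLogonDate    = $admin.LastLogonDate
        BadPwdCount      = $admin.badPwdCount   # per DC, not replicated; it climbs but RID 500 is not locked
        LockoutThreshold = $policy.LockoutThreshold
        Finding          = if ($admin.Enabled) {
                               'enabled and exempt from lockout: guessing target, disable (2003+) or at least alert on its failed logons'
                           } else { 'disabled' }
    }
}

# Usage, forest-wide: (Get-ADForest).Domains | ForEach-Object { Get-BuiltinAdministratorStatus -Domain $_ }
```

Run it against every domain, not just the root: each domain has its own RID-500 account, and a rename done in one domain is easily forgotten in the others.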

RE: [ActiveDir] Empty Group Lists

2004-07-21 Thread Grillenmeier, Guido
sounds like groups with hidden group-memberships, where the Exchange store process kindly "screws-up" the ACLs of the groups for you = Exchange puts the ACEs in a non-canonical order, which basically allows an Allow ACE (for the Exchange Enterprise Server group) to be listed before the Deny

RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Grillenmeier, Guido
Rocky - this thread is actually quite incredible - you're wandering from user and group names and object types to NTFS permission and nesting objects into groups, over to discussing SIDs and friendly names, and now you're talking about the visibility of memberships of groups in AD ;-) Also, I

RE: [ActiveDir] [OT] NTFS Read-only Status

2004-07-25 Thread Grillenmeier, Guido
first of all - are you sure you're a) talking about a volume (e.g. physical or logical disk?) that you want to mount on one box, or b) are you talking about a share with data, which you want to make available to others, but they should only read from it? if a), this is simply related to

RE: [ActiveDir] Apply GP to computer account or user account?

2004-07-26 Thread Grillenmeier, Guido
really depends on your situation - if you always want the same user-policies to be applied to these machines, then you can live with a single GPO and configure it for loopback-processing. This will then apply the computer-policy part for the machine and will apply the user-policy part for any

RE: [ActiveDir] group structure -universal groups

2004-07-27 Thread Grillenmeier, Guido
yes, for DLs this would definitely be an issue - in a multi-domain forest be sure only to use UGs as DLs... (and DON'T nest GGs into the UGs). In a single domain forest it doesn't matter. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony

RE: [ActiveDir] Batch Account Creation and Removal

2004-07-27 Thread Grillenmeier, Guido
there are a lot of provisioning and sync-apps that can do this for you in a very automated fashion - search for "user provisioning" and you'll get lots of hits on google alternatively, you can leverage the new DS cmdline-tools from 2003 (DSADD, DSMOD etc.) and/or a couple of scripts that

RE: [ActiveDir] Accented characters in a CSVDE output

2004-07-28 Thread Grillenmeier, Guido
it's not a CSVDE *problem* - it is the *solution* to keep the data transferable via CSVDE... You'll find the same issue when trying to export address-fields which include carriage returns. you should be able to export the data in a readable format via normal LDAP queries e.g. via DSQUERY or

RE: [ActiveDir] w2k authoritative restore

2004-08-17 Thread Grillenmeier, Guido
this would seem to contradict the concept of authoritative restore? that's because of everyone's notion of what you EXPECT an auth. restore to do and how it is being promised in trainings etc. = "Auth. Restore" will allow you to turn back the hands of time... But once you dig into it and

RE: [ActiveDir] w2k authoritative restore

2004-08-17 Thread Grillenmeier, Guido
, and the link reference/membership was added post forest mode change, then we even auth restore restore references. That's sort of merging from the other angle. Cheers, Brett Shirley (msft) AD Dev On Tue, 17 Aug 2004, Grillenmeier, Guido wrote: sounds like you need a forest (or full domain

RE: [ActiveDir] w2k authoritative restore

2004-08-17 Thread Grillenmeier, Guido
USN for an attribute that has no data and which can be overwritten ?? GT - Original Message - From: Grillenmeier, Guido Date: Tue, 17 Aug 2004 11:57:32 +0200 To: Subject: RE: [ActiveDir] w2k authoritative restore sounds like you need a forest (or full domain) recovery if you screw up

RE: [ActiveDir] w2k authoritative restore

2004-08-18 Thread Grillenmeier, Guido
depths of AD but would you be able to expand on this concept of version number - it must relate somehow to replication which i thought to be based on USN's ? GT - Original Message - From: Grillenmeier, Guido [EMAIL PROTECTED] Date: Tue, 17 Aug 2004 17:35:37 +0200 To: [EMAIL

RE: [ActiveDir] DFS on Domain Controllers

2004-08-23 Thread Grillenmeier, Guido
there's nothing wrong with what you're doing - DCs can host DFS roots perfectly well and can contain link targets which point to shares on any server in your infrastructure. The one thing that you need to be aware of in this respect is that whoever manages the

RE: [ActiveDir] Joining Computers to a Domain

2004-08-24 Thread Grillenmeier, Guido
Hey Kevin - good to "read you" ;-) just want to add, that you, Edwin, need to differentiate where you want your non-admin user to place the computer account. The method given by Kevin is only applicable to add computers to the default computers container in the domain. Unless you're running

RE: [ActiveDir] File Replication Services

2004-08-24 Thread Grillenmeier, Guido
The File Replication Service cannot replicate f:\users because it overlaps the replicating directory f:\users. are you trying to use a LOCAL drive as a link target in DFS and then replicate data from this to a local drive on some other server (via FRS)? you should always use UNC paths for

RE: [ActiveDir] admt2.0 permissioning

2004-08-24 Thread Grillenmeier, Guido
actually, it all depends on how you run ADMT. Often you'd want to split the requirements between user/group migration and computer migration. The rules for migrating users and groups are: 1. for the PES (Password export server) to work, the account used to migrate the users must be a member of

RE: [ActiveDir] admt2.0 permissioning

2004-08-24 Thread Grillenmeier, Guido
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, August 24, 2004 6:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] admt2.0 permissioning actually, it all depends on how you run ADMT. Often you'd want to split the requirements between user/group

RE: [ActiveDir] windows 2000 directory permissioning

2004-09-02 Thread Grillenmeier, Guido
Hello Graham - as always: it depends... and this is mostly about if you're in a single domain or multi-domain forest. in a single domain, the group-scope obviously doesn't matter - you can even nest groups of the same type to achieve any nesting, if you need it. Nesting still makes sense at

RE: [ActiveDir] Using CMD

2004-09-02 Thread Grillenmeier, Guido
You actually did something - you just didn't see it: you switched the current directory for the C: drive to C:\directory. So if you'd switch to the drive (via c: [enter]) even after you typed the change directory command, you should be in C:\directory. -Original Message- From: [EMAIL

RE: [ActiveDir] Sid Filtering will not disable

2004-09-04 Thread Grillenmeier, Guido
I have a new empty forest root (efr.something.com which is W2K3, brand new and I have not set a functional level yet, it's what it would be natively upon creation). That would be Win2000 mixed mode at the domain level (which doesn't support SID-History anyways) and Win2000 mode at the forest

RE: [ActiveDir] Raising of functional levels

2004-09-04 Thread Grillenmeier, Guido
usually works like a charm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L. Sent: Saturday, September 04, 2004 6:09 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Raising of functional levels We are getting ready to raise the forest and domain

RE: [ActiveDir] Fun with Kerberos

2004-09-09 Thread Grillenmeier, Guido
that's correct - even if you configure an additional UPN suffix for the forest (or for an OU) and assign this to an account when you create the account (e.g. via ADUC), every account will still have an implicit UPN suffix that is made up of his samAccountName + the domain-suffix of his AD domain.

RE: [ActiveDir] Fun with Kerberos

2004-09-10 Thread Grillenmeier, Guido
Al, realize that the user accounts Guy is talking about are all in one forest - so the issue is not related to UPNs being unique across more than one forest. They're just logging in from a machine in a different forest. I've already discussed
